Back to Threat Intelligence

Threat Intelligence Report April 2026

30 days of threat data. 15 critical CVEs. 138,000+ threat events from 84 countries. This is what our sensors picked up across enterprise infrastructure worldwide.

138,302 threat events
3,126 unique attacker IPs
196 confirmed exploit attempts
84 countries
33,639 credential stuffing attacks

What we observed

  • Exploitation of Fortinet FortiGate, Ivanti Connect Secure, Citrix NetScaler, and React/Next.js platforms
  • Targeted CVEs: CVE-2025-64446, CVE-2024-55591, CVE-2024-21762, CVE-2026-24858, CVE-2025-24472, CVE-2025-22457, CVE-2025-0282, CVE-2026-0778, CVE-2026-0779, CVE-2023-3519, CVE-2025-5777, CVE-2025-7775, CVE-2026-3055, CVE-2026-4368, CVE-2025-55182
  • High-confidence TTPs: Iranian Go Bot credential stuffing and login brute force, SAML exploitation (CVE-2026-3055), path traversal, unauthorized user creation attempts
  • 3 botnets identified including two Iranian State-Sponsored campaigns (suspected APT35/Charming Kitten)
  • Significant geographic concentration: Germany accounts for 37% of all attack traffic, with Contabo GmbH as top threat source
  • 191 adversary IPs targeted multiple vulnerability classes (cross-platform threat activity)
  • 100 ransomware victims across 18 groups, with apt73 leading (34 victims)
  • TLS fingerprint intelligence: Monitoring 97 known malware signatures including Tofsee (45 variants)
  • React2Shell honeypot detected active worm propagation (apache.selfrep) with C2 infrastructure
Loading PDF viewer...