Back to Threat Intelligence

Threat Intelligence Report May 2026

30 days of threat data. 15 critical CVEs. 58,000+ threat events from 89 countries. This is what our sensors picked up across enterprise infrastructure worldwide.

58,689 threat events
2,243 unique attacker IPs
139 confirmed exploit attempts
89 countries
33,639 credential stuffing attacks

What we observed

  • Exploitation of Fortinet FortiGate, Ivanti Connect Secure, Citrix NetScaler, and React/Next.js platforms
  • Targeted CVEs: CVE-2025-64446, CVE-2024-55591, CVE-2024-21762, CVE-2026-24858, CVE-2025-24472, CVE-2025-22457, CVE-2025-0282, CVE-2026-0778, CVE-2026-0779, CVE-2023-3519, CVE-2025-5777, CVE-2025-7775, CVE-2026-3055, CVE-2026-4368, CVE-2025-55182
  • High-confidence TTPs: Iranian Go Bot credential stuffing and login brute force, SAML exploitation (CVE-2026-3055), curl download attempts, unauthorized user creation attempts
  • 3 botnets identified including two Iranian State-Sponsored campaigns (suspected APT35/Charming Kitten)
  • Significant geographic concentration: United Kingdom accounts for 31% of all attack traffic, with Akamai Connected Cloud and Contabo GmbH as top threat sources
  • 7 Tor exit nodes observed conducting reconnaissance or exploitation attempts
  • 100 ransomware victims across 27 groups, with qilin leading (17 victims)
  • TLS fingerprint intelligence: Monitoring 97 known malware signatures including Tofsee (45 variants)
  • React2Shell honeypot detected active worm propagation (apache.selfrep) with C2 infrastructure
Loading PDF viewer...