Threat Intelligence Report June 2026

30 days of threat data. 15 critical CVEs. 48,000+ threat events from 86 countries. This is what our sensors picked up across enterprise infrastructure worldwide.

48,957 threat events
2,207 unique attacker IPs
142 confirmed exploit attempts
86 countries
1,806 credential stuffing attacks

What we observed

  • Exploitation of Fortinet FortiGate, Ivanti Connect Secure, Citrix NetScaler, and React/Next.js platforms
  • Targeted CVEs: CVE-2025-64446, CVE-2024-55591, CVE-2024-21762, CVE-2026-24858, CVE-2025-24472, CVE-2025-22457, CVE-2025-0282, CVE-2026-0778, CVE-2026-0779, CVE-2023-3519, CVE-2025-5777, CVE-2025-7775, CVE-2026-3055, CVE-2026-4368, CVE-2025-55182
  • High-confidence TTPs: Iranian Go Bot login brute force and credential stuffing, SAML exploitation (CVE-2026-3055), curl download attempts
  • 3 botnets identified, including two Iranian state-sponsored campaigns (suspected APT35/Charming Kitten)
  • Significant geographic concentration: Germany accounts for 37% of all attack traffic, with Contabo GmbH as the top threat source
  • 3 Tor exit nodes observed conducting reconnaissance or exploitation attempts
  • 100 ransomware victims across 31 groups, with Qilin leading (14 victims)
  • TLS fingerprint intelligence: monitoring 97 known malware signatures, including Tofsee (45 variants)
  • React2Shell honeypot detected active worm propagation (apache.selfrep) with C2 infrastructure