Media Coverage

Shadowserver in the news

511,000+ End-of-Life IIS Instances Found Online, Raising Security Risks

GB Hackers, March 23, 2026

Security researchers at The Shadowserver Foundation have identified a massive internet-facing attack surface, discovering more than 511,000 End-of-Life Microsoft Internet Information Services (IIS) instances currently active online. Shadowserver has made this telemetry available to network owners and national Computer Emergency Response Teams to facilitate targeted remediation efforts. Security professionals can track this data through Shadowserver’s live dashboard maps. The dashboards provide a stark visual representation of both the standard EOL servers and the more critically exposed EOS instances that have exceeded their extended lifecycle.

Authorities disrupt world’s largest IoT DDoS botnets responsible for record-breaking attacks targeting victims worldwide

US Department of Justice, March 19, 2026

The U.S. Justice Department participated in a court-authorized law enforcement operation today to disrupt Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad Internet of Things (IoT) botnets.

The operation was conducted simultaneously with law enforcement actions in Canada (Royal Canadian Mounted Police (RCMP), Ontario Provincial Police (OPP) and Sûreté du Québec (SQ)) and Germany (Bundeskriminalamt (BKA) Cyber and Public Prosecutor’s Office in Cologne (ZAC NRW)) that targeted individuals who operated these botnets. The four botnets launched Distributed Denial of Service (DDoS) attacks targeting victims around the world. Some of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks.

DoDIG DCIS is investigating the case, with assistance from the FBI Anchorage Field Office. Additionally, the U.S. Justice Department thanks Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Epieos, Google, Hydrolix, Lumen, Nokia, Okta, Oracle, PayPal, Registrar of Last Resort, The Shadowserver Foundation, Sony Interactive Entertainment, SpyCloud, Synthient, Team Cymru, Unit 221B, XLAB and Netherlands Politie and EUROPOL’s PowerOFF team for their assistance provided during this investigation and operation.

CSA holds cybersecurity capacity-building workshop for Vice-Chancellors Ghana

Ghana News Agency, March 17, 2026

The Cyber Security Agency (CSA) has organised a capacity-building workshop for members of Vice-Chancellors’ Ghana (VCG) in Accra to strengthen cybersecurity leadership and resilience within Ghana’s tertiary education sector. It was organised in partnership with the Shadowserver Foundation and the Forum of Incident Response and Security Teams (FIRST) to enhance understanding of the evolving cybersecurity landscape affecting higher education institutions.

Authorities Dismantle Global Malicious Proxy Service that Deployed Malware and Defrauded Thousands of U.S. Persons, Businesses, and Financial Institutions of Millions of Dollars in Losses

US Department of Justice, March 12, 2026

Yesterday a court-authorized international law enforcement operation led by the U.S. Justice Department disrupted SocksEscort, a residential proxy network used to exploit thousands of residential routers worldwide and commit large-scale fraud. According to court documents, SocksEscort infected home and small business internet routers with malware. The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers.

The FBI Sacramento Field Office, the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service, and IRS Criminal Investigation Oakland Field Office are investigating the case. Investigators and prosecutors from several jurisdictions provided assistance, including Europol, Eurojust, and authorities in the following countries: Austria, Bulgaria, France, Germany, Hungary, Netherlands and Romania.

Additionally, the Department of Justice offers its thanks to Lumen’s Black Lotus Labs and the Shadowserver Foundation for the assistance provided by each during the investigation and the operation.

Global phishing-as-a-service platform taken down in coordinated public-private action

Europol, March 4, 2026

A major phishing-as-a-service platform used to bypass multi-factor authentication (MFA) and enable large-scale account compromise has been disrupted following a coordinated international operation supported by Europol. The service, known as Tycoon 2FA, provided cybercriminals with a subscription-based toolkit designed to intercept live authentication sessions and gain unauthorised access to online accounts, including those protected by additional security layers.

The action was carried out by law enforcement partners and private sector stakeholders working hand in hand, coordinated by Europol’s European Cybercrime Centre (EC3). Law enforcement authorities: Latvia: State Police; Lithuania: Criminal Police Bureau; Portugal: Judicial Police; Poland: Central Cybercrime Bureau; Spain: National Police and Guardia Civil; United Kingdom: National Crime Agency. Private partners engaged through Europol: Cloudflare, Coinbase, Intel471, Microsoft, Proofpoint, Shadowserver Foundation, SpyCloud, Trend Micro.

The Cyber Intelligence Extension Programme (CIEP) strengthens public-private cooperation in tackling cybercrime by enabling private-sector partners to contribute actionable intelligence to support operational outcomes. This Europol programme – a first of its kind – brings together experts from the private sector to work temporarily side by side in The Hague on specific projects with EC3 analysts and investigators.

Over 1,200 IceWarp servers still vulnerable to unauthenticated RCE flaw (CVE-2025-14500)

Help Net Security, March 4, 2026

A critical RCE vulnerability (CVE-2025-14500) in IceWarp, an EU-made business communication and collaboration platform, may be exploited by attackers to gain unauthorized access to exposed unpatched servers. According to the Shadowserver Foundation, there are currently over 1,200 internet-facing instances that have yet to receive a fix, and the organization is sending out alerts to the owners, urging them to update.

900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks

The Hacker News, February 27, 2026

The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances still remain infected with web shells as part of attacks that exploited a command injection vulnerability starting in December 2025. The non-profit entity said the compromises are likely accomplished via the exploitation of CVE-2025-64328 (CVSS score: 8.6), a high-severity security flaw that could enable post-authentication command injection.

Common Good Cyber Fund: A New Global Grant Program Supporting Cybersecurity Nonprofits

Internet Society Foundation, February 24, 2026

The Common Good Cyber Fund (CGCF) is a multi-year funding initiative designed to strengthen global digital cybersecurity by supporting nonprofit organizations that deliver critical services underpinning the Internet’s core infrastructure and protecting civil society actors at high risk, including NGOs, journalists, and human rights defenders.

In late 2025, the Internet Society Foundation launched a pilot of the Common Good Cyber Fund grant strategy to serve as a proof of concept for the fund and to address urgent financial needs in the global cybersecurity nonprofit ecosystem. A small group of nonprofit cybersecurity-focused organizations was invited to apply for the pilot grants: Access Now, CyberPeace Institute, Forum of Incident Response and Security Teams (FIRST), Internet Security Research Group (ISRG), and The Shadowserver Foundation.

CISA: Recently patched RoundCube flaws now exploited in attacks

Bleeping Computer, February 23, 2026

CISA flagged two Roundcube Webmail vulnerabilities as actively exploited in attacks and ordered U.S. federal agencies to patch them within three weeks. The first vulnerability tagged as actively abused by threat actors is a critical remote code execution flaw tracked as CVE-2025-49113, which was first flagged as exploited days after it was patched in June 2025, when Internet security watchdog Shadowserver warned that over 84,000 Roundcube webmail installations were vulnerable to attacks.

Hackers siege Ivanti EPMM with thousands of IPs, dozens of organizations compromised

cybernews, February 10, 2026

Hackers have launched an unprecedented scanning operation, employing tens of thousands of IP addresses to hunt for vulnerable Ivanti Endpoint Manager Mobile (EPMM) instances. Dozens of organizations have already been compromised. Shadowserver reports over 1,200 exposed Ivanti EPMM instances worldwide without vulnerability assessment – it’s unclear how many remain vulnerable. Most instances are likely not directly exposed to the internet, as network administrators typically deploy them behind corporate firewalls.

“The massive attempt, via a botnet or residential proxy network, maybe, is quite unprecedented,” Piotr Kijewski, CEO at The Shadowserver Foundation, told Cybernews.