Media Coverage

On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, a global threat targeting software developers through the open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm’s command-and-control (C2) channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads.

This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they’re targeting the developers who build them.

A first-of-its-kind cybercrime operation in the MENA region has led to the arrest of 201 individuals, with a further 382 suspects identified. Thirteen countries from the Middle East and North Africa took part in Operation Ramz (October 2025 – 28 February 2026) which aimed to investigate and disrupt malicious infrastructure, identify and arrest suspects, and prevent future losses. The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region. In addition to the arrests made, 3,867 victims were identified, and 53 servers were seized. Operation Ramz marked a milestone as the first cyber operation of its scale coordinated by INTERPOL in the MENA region. During this effort, nearly 8,000 pieces of crucial data and intelligence were disseminated among participating countries to initiate and support investigations.

During Operation Ramz, INTERPOL worked closely with its partners, Group-IB, Kaspersky, the Shadowserver Foundation, Team Cymru and TrendAI to track illegal cyber activities and identify malicious servers. Operation Ramz received support from the Qatar Ministry of Interior and was partially funded by the European Union and the Council of Europe under the CyberSouth+ project. Participating countries: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, UAE.

Ivanti has patched CVE-2026-6973, a high-severity remote code execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) on-prem deployments. The vulnerability has been exploited in the wild – CISA has also added it to the Known Exploited Vulnerabilities (KEV) catalog. The potential scope is significant: as of May 7, 2026, Shadowserver tracks over 800 internet-exposed Ivanti EPMM instances online, with the majority concentrated in Europe and North America.

Palo Alto Networks warned customers that suspected state-sponsored hackers have been exploiting a critical-severity PAN-OS firewall zero-day vulnerability for nearly a month. Tracked as CVE-2026-0300, this remote code execution security flaw was found in the PAN-OS User-ID Authentication Portal. Internet threat watchdog Shadowserver now tracks over 5,400 PAN-OS VM-series firewalls exposed on the Internet, most of them in Asia (2,466) and North America (1,998).

A critical zero-day vulnerability in cPanel and WebHost Manager (WHM) is under massive active exploitation following the public release of a sophisticated proof-of-concept exploit. Tracked as CVE-2026-41940, this flaw has already compromised tens of thousands of servers worldwide. The Shadowserver Foundation, a prominent non-profit security organization, reported intense exploitation activity targeting exposed cPanel instances globally. Their security honeypots detected at least 44,000 unique IP addresses that appear to be successfully compromised.

Over 10,000 Zimbra Collaboration Suite (ZCS) instances exposed online are vulnerable to ongoing attacks exploiting a cross-site scripting (XSS) security flaw, according to nonprofit security organization Shadowserver. Zimbra is a popular email and collaboration software suite used by hundreds of millions of people worldwide, including hundreds of government agencies and thousands of businesses. On Friday, Internet security watchdog Shadowserver also warned that over 10,500 Zimbra servers exposed online remain unpatched, most of them in Asia (3,794) and Europe (3,793).

More than 1,370 Microsoft SharePoint servers remain publicly exposed to an actively exploited spoofing vulnerability, putting countless corporate networks at severe risk. Identified by threat intelligence researchers at The Shadowserver Foundation, these unpatched systems are vulnerable to sophisticated attacks that allow unauthorized individuals to bypass security protocols and compromise network integrity. The Shadowserver Foundation recently deployed version-based scans across the public internet to identify vulnerable SharePoint endpoints. Shadowserver continues to share this IP data daily through its Vulnerable HTTP reporting dashboards.

Nonprofit security organization Shadowserver found that over 6,400 Apache ActiveMQ servers exposed online are vulnerable to ongoing attacks exploiting a high-severity code injection vulnerability. Apache ActiveMQ is the most popular open-source multi-protocol message broker for asynchronous communication between Java applications. Tracked as CVE-2026-34197, the vulnerability was discovered by Horizon3 researcher Naveen Sunkavally using the Claude AI assistant after remaining undetected for 13 years. As threat monitoring service ShadowServer warned on Monday, more than 6,400 IP addresses with Apache ActiveMQ fingerprints exposed online are also vulnerable to CVE-2026-34197 attacks, with most in Asia (2,925), North America (1,409), and Europe (1,334).

The U.S. Justice Department today announced court-authorized actions taken to disrupt some of the world’s leading Distributed Denial of Service (DDoS) Internet of Things (IoT) botnet services. DDoS services, such as those named in this action, allegedly attacked a wide array of victims in the United States and abroad, including schools, government agencies, gaming platforms, critical infrastructure, including Department of War resources, and millions of people.

This law enforcement action was taken in conjunction with Operation PowerOFF, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling criminal DDoS-for-hire infrastructures worldwide, and holding accountable the administrators and users of these illegal services. Principal partners in Operation PowerOFF include EUROPOL; the U.S. Attorney’s Offices for the District of Alaska and Central District of California; DCIS; FBI’s Anchorage Field Office; HSI’s Columbus Field Office; the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and International Computer Hacking and Intellectual Property (ICHIP) attorney advisor, who is based at Eurojust in The Hague; Germany’s Bundeskriminalamt (BKA); Netherlands Police; Polish Central Cybercrime Bureau; Japan’s National Police Agency, France’s Police Nationale, and many others.

Assistance was provided by Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Epieos, Google, Hydrolix, PayPal, Registrar of Last Resort and The ShadowServer Foundation, The University of Cambridge and Unit 221B.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure FortiClient Enterprise Management Server (EMS) instances against an actively exploited vulnerability by Friday. Internet security watchdog group Shadowserver currently tracks nearly 2,000 FortiClient EMS instances exposed online, with more than 1,400 IPs in the United States and in Europe. However, there are no details on how many have already been patched or have vulnerable configurations.