LAST UPDATED: 2026-06-26
DEFAULT SEVERITY LEVEL: CRITICAL
This Special Report contains information about compromised devices referenced on the Fortibleed threat actors infrastructure and shared with us by SpyCloud. They wrote about their findings here: https://spycloud.com/blog/what-spycloud-found-inside-the-fortibleed-threat-actor-infrastructure/
This dataset comes in addition to IPs listed in the Fortibleed dataset shared by SOCRadar which was reported out in our Compromised Website report on 2026-06-18. The exception is a part of the dataset where the attackers ran credential sniffing via SSH on the compromised devices. The Special Report dated 2026-06-26 contains data collected at 2026-06-17. The full extent of the time period for all events is unclear.
Shadowserver Special Reports are unlike all of our other standard free daily network reports. They do not cover a specific daily 24-hour time period. Instead, we send out Special Reports in situations where we are able to share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit. Sometimes there are incidents when it would be useful to be able to notify potential victims about events or breaches that may have impacted them outside of the previous 24-hour period, when it may take a number of days for incident responders to conduct forensic investigations and analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports will fall outside of our usual 24-hour daily reporting window, we believe that there would still be significant benefit to our constituents in receiving and, hopefully, acting on the retrospective data.
If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.
Note that the data shared across Special Reports may differ on a case by case basis, hence the report formats for individual Special Reports may be different.
Note that exact timestamps were not available for individual events, so the timestamp field is set to “2026-06-26 00:00:00”.
This Special Report has severity level CRITICAL set on all events. Severity levels are described here.
Filename prefix: 2026-06-26-special. Note: these are accessible in the API using 2026-06-26 as the search date.