News & Insights

On March 4th 2026, a coalition of Law Enforcement and private sector partners announced a major international public-private disruption operation targeting Tycoon 2FA. This leading phishing-as-a-service platform was used by thousands of cybercriminals to bypass multi-factor authentication and enable large-scale account compromise globally. Details of the operation were shared by partners and a new Shadowserver National CSIRT-only Special Report was run, sharing data about observed Tycoon 2FA infrastructure domains. Analysis of the reported Tycoon 2FA domains is provided.

On Thursday 13th November 2025, international law enforcement partners announced a disruption action against the Rhadamanthys information stealer malware. As part of the ongoing Operation Endgame initiative, law enforcement acquired copies of the threat actor’s databases containing historical Rhadamanthys infections, which covered the period March 2025 to November 2025. These databases contain records of over 86 million stolen data items from over 525,000 Rhadamanthys infections across 226 countries. Shadowserver is sharing elements of this dataset as a one-off Special Report, to allow historical Rhadamanthys infections to be investigated and any secondary malware identified and remediated by system defenders.

A review of Shadowserver’s 20th year as the world’s largest provider of free, timely, actionable, daily cyber threat intelligence. Covering the latest improvements in our public benefit services, responses to emerging cyber threats, and detection and reporting of the latest vulnerabilities to National CSIRTs and system defenders globally. We provide highlights of our cybersecurity capacity building efforts, plus successful outcomes from our free support to Law Enforcement in major cybercrime disruption operations.

A non-profit consortium – consisting of The Hague Humanity Hub, the CyberPeace Institute (CPI), Connect2 Trust Foundation and The Shadowserver Foundation, co-funded by Rijksdienst voor Ondernemend Nederland (RVO), will produce a national level assessment of the cyber threat landscape for NGOs, while measuring the impact and harm of cyber threats on the sector.

To make it easier for organizations to consume and prioritize on our daily reports we are introducing report and event severity levels. Each report type and event in the report will have a severity level assigned. This will make it possible to filter all our daily reporting based on the severity of the actual event being reported.

On Tuesday 29th August 2023, the US DoJ and FBI, together with other global law enforcement partners, announced a disruption action against the Qakbot botnet. This involved the FBI deleting the Qakbot malware from infected victim computers under US court order. As part of their operation, the FBI acquired a copy of the threat actor’s database of historical Qakbot infections, which covered the period July 2019 to August 2023. This database contains a record of over 700,000 discrete Qakbot bot infections in 230 countries. Shadowserver is sharing elements of this dataset as a one-off Special Report, to allow historical Qakbot infections to be investigated and any secondary malware identified and remediated by system defenders.

On Tuesday 29th August 2023, the US Department of Justice (DoJ) and US Federal Bureau of Investigations (FBI) - along with law enforcement partners in France, Germany, the Netherlands, and the United Kingdom - announced a disruption action against the very long running Qakbot botnet. The outcomes from the coordinated law enforcement action included deleting the Qakbot malware from infected victim computers (to reduce the risk of further harm), taking down the Qakbot technical infrastructure and seizing $8.6M of alleged illicit cryptocurrency profits. The Shadowserver Foundation is happy to support our law enforcement partners in this major cybercrime disruption operation.

The Shadowserver Foundation and trusted partners have observed three different malicious campaigns that have exploited CVE-2023-3519, a code injection vulnerability rated CVSS 9.8 critical in Citrix NetScaler ADC and NetScaler Gateway. The summary below is based on collaboration with the individual compromised organizations, as well as their commercial incident response teams. All timestamps in this write-up are in UTC timezone, and they have all been slightly adjusted to not disclose the actual times. If you own a Citrix NetScaler or have those in your constituency, please follow the detection and hunting advice for signs of compromise and webshells!

We are happy to announce the addition of the support for multiple languages in our public Dashboard. Five different languages have been added: Arabic, Indonesian (Bahasa Indonesia), Malaysian (Bahasa Melayu), Filipino (Tagalog), Thai. This work was kindly supported by the UK Foreign, Commonwealth & Development Office (FCDO). If you are a National CSIRT or network owner who would like to see your own language added, please contact us to discuss helping to make that happen. Likewise, if you are a user with language/technical feedback on these translations, please do get in touch with suggestions and improvements.

We are happy to continue our efforts in collaboration with the UK FCDO, building on our previous global outreach to Africa, Indo-Pacific, Central and Eastern Europe (CEEC), and Association of Southeast Asia Nations (ASEAN) regions to produce a cyber security spotlight on the Gulf Region. For a review of previous UK FCDO supported activities please read a) UK Foreign, Commonwealth & Development Office funds Shadowserver surge in Africa and Indo-Pacific regions, b) Continuing Our Africa and Indo-Pacific Regional Outreach, c) More Free Cyber Threat Intelligence For National CSIRTs and d) Shadowserver’s New Public Dashboard.