News & Insights

Topic: Geo Locations

StealC Historical Bot Infection Special Report

June 25, 2026
On Wednesday 24th June 2026, international law enforcement partners announced additional successful cyber crime disruption actions as part of the ongoing Operation Endgame initiative. This time the StealC infostealer and Amadey malware-as-a-service families were targeted. Law enforcement acquired almost 30 million compromised credentials stolen by StealC between 4th July 2025 and 16th June 2026. Shadowserver is sharing elements of this dataset in another one-off Special Report, to allow historical and recently compromised Windows computers to be remediated by system defenders. High-level analysis of the stolen credentials is provided.

SocGholish Compromised WordPress Sites Special Report

June 18, 2026
On Thursday 18th June 2026, international law enforcement partners announced another successful cyber crime disruption action as part of the ongoing Operation Endgame initiative. This time it targeted the SocGholish malware platform and threat actors. Law enforcement acquired credentials for approximately 1.4 million compromised WordPress sites from the period May 2023 to May 2026. Shadowserver is sharing elements of this dataset in another one-off Special Report, to allow historical and recently compromised WordPress credentials to be remediated by system defenders. High-level analysis of compromised WordPress sites is provided.

Shadowserver Report Provides Cybersecurity Insights and Recommendations for ECOWAS Member States in West Africa

June 8, 2026
Shadowserver issued a report to inform government leaders, policymakers, and other key stakeholders in ECOWAS Member States in West Africa on the following: a) the ECOWAS region’s cyber threat landscape and attack surface using Shadowserver’s free, actionable cyber threat intelligence, technical analysis, and expert insights; b) the region’s institutional and operational cybersecurity deficiencies (“gaps”) that make it increasingly vulnerable to cyber threats; c) recommended actions that can be undertaken at the national and regional levels to address the identified gaps, improve digital security, and enhance cyber resilience in the region; d) the potential economic and societal impact should the identified institutional and operational cybersecurity gaps remain unaddressed.

Tycoon 2FA Phishing-as-a-Service Disruption

March 5, 2026
On March 4th 2026, a coalition of law enforcement and private sector partners announced a major international public-private disruption operation targeting Tycoon 2FA. This leading phishing-as-a-service platform was used by thousands of cybercriminals to bypass multi-factor authentication and enable large-scale account compromise globally. Details of the operation were shared by partners and a new Shadowserver National CSIRT-only Special Report was run, sharing data about observed Tycoon 2FA infrastructure domains. Analysis of the reported Tycoon 2FA domains is provided.

Rhadamanthys Historical Bot Infections Special Report

November 13, 2025
On Thursday 13th November 2025, international law enforcement partners announced a disruption action against the Rhadamanthys information stealer malware. As part of the ongoing Operation Endgame initiative, law enforcement acquired copies of the threat actor’s databases containing historical Rhadamanthys infections, which covered the period March 2025 to November 2025. These databases contain records of over 86 million stolen data items from over 525,000 Rhadamanthys infections across 226 countries. Shadowserver is sharing elements of this dataset as a one-off Special Report, to allow historical Rhadamanthys infections to be investigated and any secondary malware identified and remediated by system defenders.

Qakbot Historical Bot Infections Special Report

September 8, 2023
On Tuesday 29th August 2023, the US DoJ and FBI, together with other global law enforcement partners, announced a disruption action against the Qakbot botnet. This involved the FBI deleting the Qakbot malware from infected victim computers under US court order. As part of their operation, the FBI acquired a copy of the threat actor’s database of historical Qakbot infections, which covered the period July 2019 to August 2023. This database contains a record of over 700,000 discrete Qakbot bot infections in 230 countries. Shadowserver is sharing elements of this dataset as a one-off Special Report, to allow historical Qakbot infections to be investigated and any secondary malware identified and remediated by system defenders.

Observations on cyber threat activity and vulnerabilities in the Gulf Region

May 31, 2023
We are happy to continue our efforts in collaboration with the UK FCDO, building on our previous global outreach to Africa, Indo-Pacific, Central and Eastern Europe (CEEC), and Association of Southeast Asian Nations (ASEAN) regions to produce a cyber security spotlight on the Gulf Region. For a review of previous UK FCDO supported activities, please read: a) UK Foreign, Commonwealth & Development Office funds Shadowserver surge in Africa and Indo-Pacific regions; b) Continuing Our Africa and Indo-Pacific Regional Outreach; c) More Free Cyber Threat Intelligence For National CSIRTs; and d) Shadowserver’s New Public Dashboard.

Observations on cyber threat activity and vulnerabilities in Indonesia, Malaysia, Philippines and Thailand

May 30, 2023
Shadowserver has recently been funded by the UK Foreign, Commonwealth & Development Office (FCDO) to provide more detailed and tailored cyber threat insight support to countries in the Association of Southeast Asian Nations (ASEAN), specifically Indonesia, Malaysia, Philippines and Thailand. These activities included obtaining a better understanding of the device makeup of the exposed attack surface in those countries, vulnerability exposure (especially relating to emerging threats) and observed attacks and infected devices, both coming from and directed at the region. The intention is to enrich Shadowserver's free daily threat feeds and public benefit services to the region, providing National CSIRTs and other system defender entities (organizations that are network owners) with a better awareness of their threat and vulnerability landscape, thus helping them to improve their cybersecurity posture.

New Dashboard Attack Statistics Enhancements

April 3, 2023
We are happy to announce multiple enhancements to our public Dashboard, particularly to the Exploited Vulnerability data collected by our server-side honeypot sensors, thanks to funding provided by the UK Foreign, Commonwealth & Development Office (FCDO).

New Dashboard Extensions: IoT device fingerprinting and attack statistics

September 30, 2022
We are happy to announce the first major extension to our newly launched Dashboard: the addition of IoT device statistics and server-side attack statistics, data sets that have been collected as part of the HaDEA EU CEF VARIoT project.