Media Coverage

Shadowserver in the news

Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer

The Hacker News, October 3, 2025

A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer. That’s according to findings from Infoblox, which found that the threat actor controls the domains hosting the first stage of the stealer, a backdoor called StarFish. Infoblox said it worked with the Shadowserver Foundation to sinkhole two of Detour Dog’s C2 domains (webdmonitor[.]io and aeroarrows[.]io) on July 30 and August 6, 2025.

48+ Cisco Firewalls Hit by Actively Exploited 0-Day Vulnerability

GB Hackers, October 1, 2025

Cisco has confirmed two serious vulnerabilities impacting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls. Tracked as CVE-2025-20333 and CVE-2025-20362, both issues allow attackers to run arbitrary code on unpatched devices. Cisco security advisories warn that exploits for both flaws are already in the wild. Shadowserver’s daily vulnerable HTTP report now includes a live list of ASA/FTD instances susceptible to these 0-day bugs. On September 29, security researchers discovered 48,800+ publicly reachable IPs still running outdated firewall versions. Network teams should subscribe for daily updates and cross-check their public IP ranges against Shadowserver’s list.

Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet

Bleeping Computer, September 19, 2025

Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT’s License Servlet that can be exploited in command injection attacks. GoAnywhere MFT is a web-based managed file transfer tool that helps organizations securely transfer files and maintain audit logs of who accesses the shared files. Security analysts at the nonprofit Shadowserver Foundation are monitoring over 470 GoAnywhere MFT instances. However, it is unclear how many of these have already been patched or have their admin console exposed online.

Hackers use new HexStrike-AI tool to rapidly exploit n-day flaws

Bleeping Computer, September 3, 2025

Hackers are increasingly using a new AI-powered offensive security framework called HexStrike-AI in real attacks to exploit newly disclosed n-day flaws. According to Shadowserver Foundation’s data, nearly 8,000 endpoints remain vulnerable to CVE-2025-7775 as of September 2, 2025, down from 28,000 the previous week. This activity was reported by Check Point Research, which observed significant chatter on the dark web around HexStrike-AI, associated with the rapid weaponization of newly disclosed Citrix vulnerabilities.

Over 28,000 Citrix instances remain exposed to critical RCE flaw CVE-2025-7775

Security Affairs, August 27, 2025

Experts at the Shadowserver Foundation warn that more than 28,200 Citrix instances are affected by CVE-2025-7775, which is under active exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Citrix NetScaler flaw to its Known Exploited Vulnerabilities (KEV) catalog. Shadowserver Foundation researchers reported that most of the vulnerable instances are located in the United States (10,100), followed by Germany (4,300), the United Kingdom (1,400), the Netherlands (1,300), and Switzerland (1,300).

African authorities dismantle massive cybercrime and fraud networks, recover millions

INTERPOL, August 22, 2025

In a sweeping INTERPOL-coordinated operation, authorities across Africa have arrested 1,209 cybercriminals targeting nearly 88,000 victims. The crackdown recovered USD 97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation. Operation Serengeti 2.0 (June to August 2025) brought together investigators from 18 African countries and the United Kingdom to tackle high-harm and high-impact cybercrimes including ransomware, online scams and business email compromise (BEC).

The operation was strengthened by private sector collaboration, with partners providing intelligence, guidance and training to help investigators act on intelligence and identify offenders effectively. Operation Serengeti 2.0 was held under the umbrella of the African Joint Operation against Cybercrime, funded by the United Kingdom’s Foreign, Commonwealth and Development Office.

Operational partners:
Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs and Uppsala Security.

Participating countries:
Angola, Benin, Cameroon, Chad, Côte D’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, United Kingdom, Zambia and Zimbabwe.

Attacks on N-able N-central ongoing, more than 1000 systems unpatched

Heise Online, August 19, 2025

Two security vulnerabilities have been discovered in N-central, the remote monitoring and management (RMM) software from N-able, which allow attackers to inject operating system commands or execute malicious code they have smuggled in. The Shadowserver Foundation published an evaluation of its Internet scans on X over the weekend. According to this, 1077 IP addresses were affected by the vulnerabilities CVE-2025-8875 and CVE-2025-8876 as of last Friday. Last week, the US IT security authority CISA added the vulnerabilities to its “Known Exploited Vulnerabilities” catalog.

Surge in Scans From Hacked Cisco, Linksys, and Araknis Routers

GB Hackers, August 19, 2025

Cybersecurity researchers have identified a significant increase in malicious scanning activities originating from compromised consumer and enterprise networking equipment, with particular focus on Cisco, Linksys, and Araknis router models. The Shadowserver Foundation, a prominent threat intelligence organization, has reported observing unusual scanning patterns that suggest widespread compromise of these networking devices.

Over 28,000 Microsoft Exchange Servers Exposed Online to CVE-2025-53786 Vulnerability

GB Hackers, August 9, 2025

The cybersecurity community faces a significant threat as scanning data reveals over 28,000 unpatched Microsoft Exchange servers remain exposed on the public internet, vulnerable to a critical security flaw designated CVE-2025-53786. The vulnerability affects Microsoft Exchange Server hybrid deployments, with scanning data from The Shadowserver Foundation identifying the United States, Germany, and Russia as the top three countries harboring the highest concentrations of exposed vulnerable servers. The Cybersecurity and Infrastructure Security Agency (CISA) has assessed this as a high-severity vulnerability with significant implications for enterprise security.

17K+ SharePoint Servers Exposed to Internet – 840 Servers Vulnerable to 0-Day Attacks

Cyber Security News, July 31, 2025

A massive exposure of Microsoft SharePoint servers to internet-based attacks has been identified, with over 17,000 servers exposed and 840 specifically vulnerable to the critical zero-day vulnerability CVE-2025-53770, according to new findings from Shadowserver Foundation.

Several U.S. federal agencies have been confirmed as victims, including the Department of Energy’s National Nuclear Security Administration, the Department of Homeland Security, the Department of Health and Human Services, and the Department of Education. State and local government agencies have also been impacted across the country.