Media Coverage

Over 44,000 IP addresses were infected with dangerous Latrodectus malware, which is used to deploy banking trojans, before a law enforcement takedown during this month’s Operation Endgame, new data reveals. Operation Endgame is an ongoing, long-term oriented, large-scale operation conducted jointly by law enforcement agencies around the world. Shadowserver Foundation, a nonprofit security organization, has shared a special report on its tracking of the infected machines. ShadowServer shares the report with internet service providers, network owners, and other organizations, which helps to clean up infected devices.

“The data in this IcedID/Latrodectus Historical Bot Infections Special Report was provided to Shadowserver by the Operation Endgame Law Enforcement partners to disseminate to National CERTs/CSIRTs and network owners globally, to maximize remediation efforts,” Shadowserver explains.

A federal grand jury indictment and criminal complaint unsealed today charge 16 defendants who allegedly developed and deployed the DanaBot malware which a Russia-based cybercrime organization controlled and deployed, infecting more than 300,000 victim computers around the world, facilitated fraud and ransomware, and caused at least $50 million in damage. According to the indictment and complaint, DanaBot malware used a variety of methods to infect victim computers, including spam email messages containing malicious attachments or hyperlinks.

As part of today’s operation, Defense Criminal Investigative Service (DCIS) agents effected seizures and takedowns of DanaBot command and control servers, including dozens of virtual servers hosted in the United States. The U.S. government is now working with partners including the Shadowserver Foundation to notify DanaBot victims and help remediate infections.

Security researchers at The Shadowserver Foundation have identified active exploitation attempts targeting a critical zero-day vulnerability in Ivanti’s Enterprise Mobility Management (EPMM) platform. The Shadowserver Foundation has deployed specialized honeypot sensors to track and analyze exploitation attempts targeting these vulnerabilities in real-time. Shadowserver Foundation continues to provide updated statistics and monitoring data to help security teams and researchers track this evolving threat landscape and better protect vulnerable systems from exploitation. The collected data is made publicly available through Shadowserver’s Dashboard, which displays time-series information about exploitation attempts, including source IP addresses, attack frequency, and targeting patterns.

Nonprofits and NGOs serve as the backbone of social progress, often working on the frontlines of critical global challenges. Yet as they champion human rights, health, education, and humanitarian aid, they are increasingly vulnerable to cyber threats that can jeopardize their missions. Fortunately, a growing network of nonprofit cybersecurity organizations is stepping up to protect those who protect us—with free, affordable, and tailored solutions that respond directly to these challenges.

Together, Shadowserver and CyberPeace Institute are demonstrating how affordable, proactive, and tailored cybersecurity support can be both scalable and deeply impactful—especially when rooted in local partnerships and a shared mission to protect civil society.

SAP patched a security vulnerability in SAP Netweaver on Friday. It later emerged that this leak is already being attacked in the wild. The vulnerability allows attackers from the network to inject and execute arbitrary code without prior login. IT researchers at the Shadowserver Foundation have discovered hundreds of vulnerable systems that are still accessible.

In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities was from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure. This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt.

Top contributors to disclosing exploitation evidence publicly included: Shadowserver (31), GreyNoise (17), CISA KEV (12), Microsoft (12), Sentinel One (10), Cyble (9), Patchstack (6) and Secure List (5).

Hackers retain access to over 14,000 Fortinet VPNs, public scans by Shadowserver Foundation have revealed. And they could’ve been lurking for years, leaving sensitive data at risk. Fortinet explains that threat actors are using a post-exploitation technique to create malicious files from previously known Fortinet vulnerabilities, including CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475. Fortinet also said it performed scans to identify compromised devices using internal telemetry and in collaboration with third-party organizations. The company also communicated directly with identified customers.

Shadowserver Foundation scans discovered around 14,300 infected Fortinet devices publicly exposed to the internet. Most of them, around 1,500, are in the US, followed by Japan (600), Taiwan (600), China (500), France (500). Over three hundred compromised FortiOS devices were also discovered in Thailand, Turkey, Israel, Italy, Canada, India, Spain, Indonesia, and Malaysia.

“It is critically important for all organizations to keep their devices up to date. A variety of government organizations have reported that state-sponsored threat actors are targeting all vendors, including known but unpatched vulnerabilities,” Fortinet warns.

Over 5,113 Ivanti Connect Secure VPN appliances remain unpatched and vulnerable to the active exploitation of CVE-2025-22457, a critical stack-based buffer overflow vulnerability that enables remote code execution (RCE). The Shadowserver Foundation’s recent scans revealed widespread exposure, with devices spanning multiple countries, including the United States, Japan, China, and Australia. They highlight numerous organizations that remain vulnerable despite available patches and active exploitation.

A recently disclosed security vulnerability in CrushFTP, identified as CVE-2025-2825, has become the target of active exploitation attempts following the release of publicly available proof-of-concept (PoC) exploit code. Shadowserver Foundation, a reputable cybersecurity monitoring organization, disclosed the alarming surge in attacks based on the PoC via their official announcement on X. Shadowserver’s dashboard tracking shows a spike in exploitation attempts globally, reflecting the widespread interest among attackers in leveraging the vulnerability. Shadowserver’s analysis serves as a wake-up call for organizations using CrushFTP to patch their systems promptly and strengthen their defensive measures.

A record five million devices, mostly Android TV boxes, are running malware that can no longer call back to hackers after authorities cut off their controllers. However, the devices are still dangerous, and owners should replace them.

Shadowserver Foundation, a UK government-funded internet security platform, tracks around five million IP addresses “sinkholed” every day. Just weeks ago, the number was closer to 2.5 million, representing a two-fold jump since the beginning of March. Sinkholing is a technique where malicious servers are taken over, or connections are redirected to a benign listener, preventing bots from communicating with their operators. Shadowserver tracks the numbers across 400 different malware family variants.