Shadowserver Archives

Authorities takedown global proxy network SocksEscort

The botnet, which compromised routers and IoT devices in 163 countries, claimed about 369,000 victims and $5.8 million from its cybercriminal customers, officials said.

2 days ago By Matt Kapko

Microsoft and authorities dismantled Tycoon 2FA's infrastructure. A seizure notice is displayed on of the phishing platform's domains March 4, 2026. (Microsoft) — Microsoft and authorities dismantled Tycoon 2FA’s infrastructure. A seizure notice is displayed on of the phishing platform’s domains March 4, 2026. (Microsoft)

Global coalition dismantles Tycoon 2FA phishing kit

Microsoft, which led the effort, said it seized 330 domains that powered the phishing platform’s core infrastructure. The alleged creator was also named in a civil complaint.

Mar 4, 2026 By Matt Kapko

A logo sign outside of the headquarters of Ivanti in South Jordan, Utah. (Kristoffer Tripplaar / Alamy Stock Photo)

Fallout from latest Ivanti zero-days spreads to nearly 100 victims

Shadowserver scans have identified 86 compromised instances, and researchers warn multiple threat groups are involved.

Feb 9, 2026 By Matt Kapko

Ivanti’s EPMM is under active attack, thanks to two critical zero-days

Limited attacks occurred prior to Ivanti’s disclosure, followed by mass exploitation by multiple threat groups. More than 1,400 potentially vulnerable instances remain exposed.

Feb 3, 2026 By Matt Kapko

Abstract binary code rippling on waving ribbons. (Getty Images)

MongoBleed defect swirls, stamping out hope of year-end respite

The high-severity vulnerability is under active exploitation and affects many versions of MongoDB, a nearly ubiquitous open-source database.

Dec 29, 2025 By Matt Kapko

Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims

Researchers warn that half of the exposed vulnerable instances remain unpatched as in-the-wild exploitation grows rapidly.

Dec 10, 2025 By Matt Kapko

A still from a cartoon used to depict the takedown of Rhadamanthys info stealer. (Operation Endgame)

Operation Endgame targets malware networks in global crackdown

Rhadamanthys, VenomRAT, and the Elysium botnet were targeted in the takedowns.

Nov 13, 2025 By Greg Otto

(Photo by John Smith/VIEWpress/Getty Images)

Attackers bypass patch in deprecated Windows Server update tool

Microsoft addressed the critical vulnerability earlier this month, but had to issue an emergency update to resolve issues it previously missed.

Oct 27, 2025 By Matt Kapko

Authorities arrested 1,209 alleged cybercriminals during Operation Serengeti 2.0. (Interpol)

Interpol-led crackdown disrupts cybercrime networks in Africa that caused $485 million in losses

Operation Serengeti 2.0 dismantled almost 11,500 malicious infrastructures between June and August. Officials arrested more than 1,200 alleged cybercriminals.

Aug 22, 2025 By Matt Kapko

Botnet serving as ‘backbone’ of malicious proxy network taken offline

Lumen Technology’s Black Lotus Labs took the ngioweb botnet and NSOCKS proxy offline Tuesday.

Nov 19, 2024 By Greg Otto