Using ELK & interested in automating ingestion of our threat intel for your network/constituency? . We have added support for Elasticsearch Custom Logs integration for our free daily reports API. Check it out at

Links to Raptor Train nCSIRT advisories, Indicators of Compromise and remediation guidance available here:.

Current daily Flax Typhoon Raptor Train country level sinkhole statistics available on our public Dashboard:. Tree map:. World map:.

Live Flax Typhoon Raptor Train botnet sinkholing data now available through @shadowserver free daily Sinkhole Event and Sinkhole HTTP Event network reports:. events tagged as "raptor-train". Remediate current infections!

Country level statistics for one-off Special Report on historical Flax Typhoon Raptor Train botnet infections available via @shadowserver public Dashboard:. Treemap:. World map:.

New Special Report run in collaboration with LE partners on historical Flax Typhoon Raptor Train botnet infections:. Filename prefix: 2025-07-07-special. 732545 events, 179539 IPs, 2750 ASNs, 143 countries. Check your reports for historical compromises

IP data shared in our Vulnerable HTTP report - Tree map view of CVE-2025-5777: Tree map view of CVE-2025-6543:.

We are scanning for Citrix NetScaler CVE-2025-5777 (since 19/06) & CVE-2025-6543 (since 27/06) vulnerabilities. 1289 & 2100 IPs still seen unpatched as of 2025-06-29. Top: US & DE. Tracker: Advisories:.

RT @LondonCyber: 🇬🇧 Cyber Resilience Programmes joined #OpSerengeti2 kick-off in Seychelles with @INTERPOL_Cyber, @AFRIPOLOfficial & @Shado….

Shadowserver, a member of the Common Good Cyber secretariat, is proud to help launch the Common Good Cyber Fund announced today. Special thanks to the UK and Canada for investing in the Fund and continuing to provide their steadfast support.

NVD entry (CVSS 9.9 from MITRE):

Make sure to update to versions 1.6.11 or 1.5.10: Public exploit PoC is available. Dashboard map view: CVE-2025-49113 tracker: . IP data in our Vulnerable HTTP report:

For the last few days, we are reporting out Roundcube CVE-2025-49113 vulnerable instances (allows remote code execution by authenticated users). Roundcube vulnerabilities have been frequently used for targeted attacks by possible state actors. We see ~84K unpatched worldwide.

We are happy to support our LE partners!.

Data can be viewed on our Dashboard by selecting the source 'special' with the date 2025-05-28. Dashboard tree map country breakdown:

Check your reports! IP data shared with '2025-05-28-special' file prefix for your constituency. Please see the Special Report page on Latrodectus Historical infections: . Operation Endgame Season 2.0 (announced 23rd May 2025):

We have shared a Special Report on IPs infected with Latrodectus malware during 2025-04-26 to 2025-05-20. This is one of the results of the continued international Law Enforcement action called Operation Endgame Season 2.0. Over 44K infected IPs seen:

RT @OEA_Cyber: 🌐 @OEA_Cyber llevó a cabo la Reunión Regional de Comunidades de Ciberseguridad en América Latina y el Caribe, junto a @Shado….

You can also track CVE-2025-4427 exploitation attempts as seen by our honeypot sensors on our Dashboard:

If you receive an alert, please make sure to review for any compromise - CVE-2025-4427/CVE-2025-4428 are exploited in the wild. Patch info from Ivanti: Background on vulnerabilities: