Live Cyber Attack Map
Active malware command-and-control (C&C) servers being tracked right now by the abuse.ch FEODO Tracker. Each arc shows a known malicious host targeting major cloud and financial hubs.
- QakBot (1)
Top countries hosting active C&C
| # | Country | Family | Active C&C servers |
|---|---|---|---|
| 1 | United States | QakBot | 1 |
Most active malware families
| # | Family | Active C&C servers |
|---|---|---|
| 1 | QakBot | 1 |
Top attack origins · Cloudflare Radar (2026-06-23 → 2026-06-30)
L3/4 (network) attacks
| # | Country | Share of L3/4 attacks |
|---|---|---|
| 1 | Brazil | 20.80% |
| 2 | United States | 14.23% |
| 3 | Argentina | 5.06% |
| 4 | France | 3.46% |
| 5 | India | 3.45% |
| 6 | Bangladesh | 3.02% |
| 7 | Germany | 2.84% |
| 8 | Russian Federation | 2.78% |
| 9 | Chile | 2.35% |
| 10 | Hong Kong | 2.32% |
L7 (application) attacks
| # | Country | Share of L7 attacks |
|---|---|---|
| 1 | United States | 22.83% |
| 2 | Brazil | 8.39% |
| 3 | China | 5.91% |
| 4 | Indonesia | 4.53% |
| 5 | Germany | 4.34% |
| 6 | India | 3.90% |
| 7 | Singapore | 3.26% |
| 8 | France | 3.23% |
| 9 | Netherlands | 3.15% |
| 10 | Vietnam | 2.39% |
Top attack TARGETS · Cloudflare Radar (2026-06-23 → 2026-06-30)
L3/4
| # | Country | Share of L3/4 attack targets |
|---|---|---|
| 1 | Hong Kong | 54.40% |
| 2 | United States | 25.91% |
| 3 | China | 7.15% |
| 4 | India | 5.42% |
| 5 | Brazil | 5.34% |
| 6 | Germany | 0.90% |
| 7 | Korea, South | 0.60% |
| 8 | Israel | 0.11% |
L7
| # | Country | Share of L7 attack targets |
|---|---|---|
| 1 | United States | 46.58% |
| 2 | China | 11.87% |
| 3 | Canada | 9.52% |
| 4 | Malaysia | 2.71% |
| 5 | Curaçao | 2.30% |
| 6 | France | 2.23% |
| 7 | United Kingdom | 2.16% |
| 8 | Ukraine | 2.15% |
Top attack vectors · Cloudflare Radar
L3/4 vectors
| # | Vector | Share of L3/4 attacks |
|---|---|---|
| 1 | UDP Flood | 40.52% |
| 2 | Mirai (UDP) Flood | 35.07% |
| 3 | SYN Flood | 13.37% |
| 4 | SFU Flood | 2.17% |
| 5 | DNS Amplification | 1.86% |
| 6 | TLS Client Hello Flood | 1.79% |
| 7 | other | 1.58% |
| 8 | DNS Flood | 1.55% |
Actively exploited CVEs · CISA KEV
- CVE-2026-48558 · added 2026-06-29 · SimpleHelp SimpleHelp
  SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication.
- CVE-2026-12569 · added 2026-06-25 · PTC Windchill and FlexPLM
  PTC Windchill and FlexPLM contain an improper input validation vulnerability allowing an unauthenticated, remote attacker to execute arbitrary code by sending a malicious request to the network.
- CVE-2026-20230 · added 2026-06-25 · Cisco Unified Communications Manager
  Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) contain a server-side request forgery (SSRF) vulnerability that could allow an unauthenticated, remote attacker to write files to the underlying operating system that could be used later to elevate to root.
- CVE-2025-67038 · added 2026-06-23 · Lantronix EDS5000
  Lantronix EDS5000 contains a code injection vulnerability that could allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
- CVE-2026-34910 · added 2026-06-23 · Ubiquiti UniFi OS
  Ubiquiti UniFi OS contains an improper input validation vulnerability which could allow a malicious actor with access to the network to conduct command injection.
- CVE-2026-34909 · added 2026-06-23 · Ubiquiti UniFi OS
  Ubiquiti UniFi OS contains a path traversal vulnerability which could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account.
- CVE-2026-34908 · added 2026-06-23 · Ubiquiti UniFi OS
  Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system.
- CVE-2026-20253 · added 2026-06-18 · Splunk Enterprise
  Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.
- CVE-2026-48907 · added 2026-06-16 · Widget Factory Joomla Content Editor
  Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users.
- CVE-2026-54420 · added 2026-06-15 · LiteSpeed cPanel Plugin
  LiteSpeed cPanel plugin contains a UNIX symbolic link (symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.
- CVE-2026-20262 · added 2026-06-15 · Cisco Catalyst SD-WAN Manager
  Cisco Catalyst SD-WAN Manager contains a directory or path traversal vulnerability that could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.
- CVE-2026-35273 · added 2026-06-12 · Oracle PeopleSoft Enterprise PeopleTools · known ransomware use
  Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.
Top attacked ports · SANS DShield (2026-07-01)
Most active attacker IPs
| IP | Attacks |
|---|---|
| 172.253.216.23 | 2 |
| 104.248.115.113 | 1 |
| 49.118.13.229 | 1 |
| 46.203.111.88 | 1 |
| 46.202.243.89 | 1 |
| 220.198.247.254 | 1 |
Cybersecurity news · Hacker News
- 22x memory amp DoS in Anthropic's buffa protobuf decoder (CVE-2026-55407)
- Huntress CEO: employee used 'poor judgment' in alerting criminal
- Insurance giant Aflac discloses data breach after subsidiary hack
- Show HN: SUNWÆE – your life's AI OS
- Data breach exposes up to 14.2M email logins at six ISPs
- Show HN: Marmot, context layer for agents and humans
- ProtonVPN is AI support only. 4 days no human, made me BOTNET. Begging for help
- One million passports leaked online
- Teens who hacked TfL were known to police years before cyber-attack
- LastPass notifies users of yet another data breach
- Tata Electronics confirms cyberattack as hackers leak data
- Show HN: Net worth tracker to replace your spreadsheet, E2E, no bank logins
Recently observed threats
| IP | Country | Malware | Hosting / ASN | Last online |
|---|---|---|---|---|
| 50.16.16.211:443 | US | QakBot | AMAZON-AES | 2026-03-12 |
About this map
This map visualizes active command-and-control (C&C) servers being tracked in real time by abuse.ch FEODO Tracker, a long-running threat intelligence project that tracks botnets like Emotet, QakBot, IcedID, TrickBot, and Dridex. Each point on the globe is the geolocation of a host that has been observed serving malware or coordinating infected machines.
We refresh the feed every ten minutes. Arcs from each source country are drawn to common attack targets (major cloud, financial, and government hubs); they illustrate where malicious traffic is most likely to land, not literal observed attack paths.
DownRightNow uses signals like these alongside our own probe network to spot the difference between a normal outage and one with abnormal network activity.