Downrightnow
Live threat intelligence

Live Cyber Attack Map

Active malware command-and-control (C&C) servers being tracked right now by the abuse.ch FEODO Tracker. Each arc shows a known malicious host targeting major cloud and financial hubs.

Live · abuse.ch FEODO Tracker · Active botnet C&C servers
Live on downrightnow.app
Legend
High activity origin
Medium activity origin
Low activity origin
Attack target
Live attack arc
Top malware
  • QakBot · 1
Active C&C servers: 1
Recently-seen hosts (90d): 1
CISA KEV catalog: 1,630
KEV added (30d): 22
Last updated: 2026-07-01 00:14 UTC

Top countries hosting active C&C

  1. United States · QakBot · 1

Most active malware families

  1. QakBot · 1

Top attack origins · Cloudflare Radar (2026-06-23 → 2026-06-30)

L3/4 (network) attacks

  1. Brazil 20.80%
  2. United States 14.23%
  3. Argentina 5.06%
  4. France 3.46%
  5. India 3.45%
  6. Bangladesh 3.02%
  7. Germany 2.84%
  8. Russian Federation 2.78%
  9. Chile 2.35%
  10. Hong Kong 2.32%

L7 (application) attacks

  1. United States 22.83%
  2. Brazil 8.39%
  3. China 5.91%
  4. Indonesia 4.53%
  5. Germany 4.34%
  6. India 3.90%
  7. Singapore 3.26%
  8. France 3.23%
  9. Netherlands 3.15%
  10. Vietnam 2.39%

Top attack TARGETS · Cloudflare Radar (2026-06-23 → 2026-06-30)

L3/4

  1. Hong Kong 54.40%
  2. United States 25.91%
  3. China 7.15%
  4. India 5.42%
  5. Brazil 5.34%
  6. Germany 0.90%
  7. Korea, South 0.60%
  8. Israel 0.11%

L7

  1. United States 46.58%
  2. China 11.87%
  3. Canada 9.52%
  4. Malaysia 2.71%
  5. Curaçao 2.30%
  6. France 2.23%
  7. United Kingdom 2.16%
  8. Ukraine 2.15%

Top attack vectors · Cloudflare Radar

L3/4 vectors

  1. UDP Flood 40.52%
  2. Mirai (UDP) Flood 35.07%
  3. SYN Flood 13.37%
  4. SFU Flood 2.17%
  5. DNS Amplification 1.86%
  6. TLS Client Hello Flood 1.79%
  7. other 1.58%
  8. DNS Flood 1.55%

Actively exploited CVEs · CISA KEV

  1. CVE-2026-48558 · added 2026-06-29
    SimpleHelp SimpleHelp

    SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication.

  2. CVE-2026-12569 · added 2026-06-25
    PTC Windchill and FlexPLM

    PTC Windchill and FlexPLM contain an improper input validation vulnerability allowing an unauthenticated, remote attacker to execute arbitrary code by sending a malicious request to the network.

  3. CVE-2026-20230 · added 2026-06-25
    Cisco Unified Communications Manager

    Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) contain a server-side request forgery (SSRF) vulnerability that could allow an unauthenticated, remote attacker to write files to the underlying operating system that could be used later to elevate to root.

  4. CVE-2025-67038 · added 2026-06-23
    Lantronix EDS5000

    Lantronix EDS5000 contains a code injection vulnerability that could allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.

  5. CVE-2026-34910 · added 2026-06-23
    Ubiquiti UniFi OS

    Ubiquiti UniFi OS contains an improper input validation vulnerability which could allow a malicious actor with access to the network to conduct command injection.

  6. CVE-2026-34909 · added 2026-06-23
    Ubiquiti UniFi OS

    Ubiquiti UniFi OS contains a path traversal vulnerability which could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account.

  7. CVE-2026-34908 · added 2026-06-23
    Ubiquiti UniFi OS

    Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system.

  8. CVE-2026-20253 · added 2026-06-18
    Splunk Enterprise

    Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.

  9. CVE-2026-48907 · added 2026-06-16
    Widget Factory Joomla Content Editor

    Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users.

  10. CVE-2026-54420 · added 2026-06-15
    LiteSpeed cPanel Plugin

    LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.

  11. CVE-2026-20262 · added 2026-06-15
    Cisco Catalyst SD-WAN Manager

    Cisco Catalyst SD-WAN Manager contains a directory or path traversal vulnerability that could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.

  12. CVE-2026-35273 · added 2026-06-12
    Oracle PeopleSoft Enterprise PeopleTools · Ransomware

    Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.

Top attacked ports · SANS DShield (2026-07-01)

    Most active attacker IPs

    • 172.253.216.23 · 2 attacks
    • 104.248.115.113 · 1 attack
    • 49.118.13.229 · 1 attack
    • 46.203.111.88 · 1 attack
    • 46.202.243.89 · 1 attack
    • 220.198.247.254 · 1 attack

    Cybersecurity news · Hacker News

    1. 22x memory amp DoS in Anthropic's buffa protobuf decoder (CVE-2026-55407)
      endorlabs.com · 202h ago · by bugvader
    2. Huntress CEO: employee used 'poor judgment' in alerting criminal
      theregister.com · 304h ago · by romaniitedomum
    3. Insurance giant Aflac discloses data breach after subsidiary hack
      bleepingcomputer.com · 109h ago · by Brajeshwar
    4. Show HN: SUNWÆE – your life's AI OS
      news.ycombinator.com · 2011h ago · by dvdxnss
    5. Data breach exposes up to 14.2M email logins at six ISPs
      bleepingcomputer.com · 3741d ago · by Brajeshwar
    6. Show HN: Marmot, context layer for agents and humans
      marmotdata.io · 1742d ago · by bschaatsbergen
    7. ProtonVPN is AI support only. 4 days no human, made me BOTNET. Begging for help
      news.ycombinator.com · 202d ago · by protonisafk
    8. One million passports leaked online
      theverge.com · 4032333d ago · by jruohonen
    9. Teens who hacked TfL were known to police years before cyber-attack
      bbc.co.uk · 305d ago · by edent
    10. LastPass notifies users of yet another data breach
      9to5mac.com · 5262376d ago · by mooreds
    11. Tata Electronics confirms cyberattack as hackers leak data
      bleepingcomputer.com · 306d ago · by Brajeshwar
    12. Show HN: Net worth tracker to replace your spreadsheet, E2E, no bank logins
      usequantive.app · 116d ago · by pedromlsreis
    Sourced from Hacker News (cyberattack, ransomware, breach, zero-day).

    Recently observed threats

    IP                 | Country | Malware | Hosting / ASN | Last online
    50.16.16.211:443   | US      | QakBot  | AMAZON-AES    | 2026-03-12

    About this map

    This map visualizes active command-and-control (C&C) servers being tracked in real time by abuse.ch FEODO Tracker, a long-running threat intelligence project that tracks botnets like Emotet, QakBot, IcedID, TrickBot, and Dridex. Each point on the globe is the geolocation of a host that has been observed serving malware or coordinating infected machines.

    We refresh the feed every ten minutes. Arcs from each source country are drawn to common attack targets (major cloud, financial, and government hubs); these arcs are illustrative of where malicious traffic is most likely to land, not literal observed attack paths.

    DownRightNow uses signals like these alongside our own probe network to spot the difference between a normal outage and one with abnormal network activity. Want alerts when this hits services you depend on? See how monitoring works →