Isitreallydown?
Live threat intelligence

Live Cyber Attack Map

Active malware command-and-control (C&C) servers being tracked right now by the abuse.ch FEODO Tracker. Each arc shows a known malicious host targeting major cloud and financial hubs.

Live · abuse.ch FEODO Tracker · Active botnet C&C servers
Live on downrightnow.app
Legend

  • High activity origin
  • Medium activity origin
  • Low activity origin
  • Attack target
  • Live attack arc
Top malware

  • QakBot · 4
  • Emotet · 1
Active C&C servers: 1
Recently-seen hosts (90d): 5
CISA KEV catalog: 1,590
KEV added (30d): 31
Last updated: 2026-05-10 17:27 UTC

Top countries hosting active C&C

  1. United States · Emotet, QakBot · 3
  2. United Kingdom · QakBot · 1
  3. Japan · QakBot · 1

Most active malware families

  1. QakBot · 4
  2. Emotet · 1

Top attack origins · Cloudflare Radar (2026-05-03 → 2026-05-10)

L3/4 (network) attacks

  1. Brazil · 30.16%
  2. United States · 13.51%
  3. India · 5.42%
  4. France · 3.65%
  5. Argentina · 3.30%
  6. Germany · 2.73%
  7. Colombia · 2.70%
  8. Poland · 2.33%
  9. Russian Federation · 1.94%
  10. Chile · 1.93%

L7 (application) attacks

  1. United States · 20.08%
  2. Brazil · 12.77%
  3. China · 6.06%
  4. Indonesia · 5.34%
  5. Germany · 4.08%
  6. Netherlands · 3.92%
  7. Singapore · 3.79%
  8. India · 3.28%
  9. Vietnam · 2.49%
  10. United Kingdom · 2.40%

Top attack TARGETS · Cloudflare Radar (2026-05-03 → 2026-05-10)

L3/4

  1. United States · 52.90%
  2. Hong Kong · 33.87%
  3. China · 8.10%
  4. Germany · 2.39%
  5. Brazil · 1.29%
  6. Taiwan · 0.85%
  7. India · 0.42%
  8. United Kingdom · 0.07%

L7

  1. United States · 42.95%
  2. China · 21.93%
  3. Canada · 6.32%
  4. United Kingdom · 3.35%
  5. Malaysia · 2.62%
  6. Hong Kong · 2.09%
  7. Nigeria · 1.70%
  8. France · 1.43%

Top attack vectors · Cloudflare Radar

L3/4 vectors

  1. Mirai (UDP) Flood · 52.92%
  2. UDP Flood · 28.79%
  3. SYN Flood · 9.38%
  4. CLDAP Flood · 2.60%
  5. ACK Flood · 2.37%
  6. other · 1.24%
  7. DNS Flood · 0.94%
  8. TLS Client Hello Flood · 0.82%

Actively exploited CVEs · CISA KEV

  1. CVE-2026-42208 · added 2026-05-08
    BerriAI LiteLLM

    BerriAI LiteLLM contains a SQL injection vulnerability that allows an attacker to read data from the proxy's database and potentially modify it, leading to unauthorised access to the proxy and the credentials it manages.

  2. CVE-2026-6973 · added 2026-05-07
    Ivanti Endpoint Manager Mobile (EPMM)

    Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.

  3. CVE-2026-0300 · added 2026-05-06
    Palo Alto Networks PAN-OS

    Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

  4. CVE-2026-31431 · added 2026-05-01
    Linux Kernel

    Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation.

  5. CVE-2026-41940 · added 2026-04-30
    WebPros cPanel & WHM and WP2 (WordPress Squared) · Ransomware

    WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

  6. CVE-2024-1708 · added 2026-04-28
    ConnectWise ScreenConnect

    ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems.

  7. CVE-2026-32202 · added 2026-04-28
    Microsoft Windows

    Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.

  8. CVE-2025-29635 · added 2026-04-24
    D-Link DIR-823X

    D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

  9. CVE-2024-7399 · added 2026-04-24
    Samsung MagicINFO 9 Server

    Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority.

  10. CVE-2024-57728 · added 2026-04-24
    SimpleHelp SimpleHelp

    SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.

  11. CVE-2024-57726 · added 2026-04-24
    SimpleHelp SimpleHelp

    SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.

  12. CVE-2026-39987 · added 2026-04-23
    Marimo Marimo

    Marimo contains a pre-authorization remote code execution vulnerability that allows an unauthenticated attacker to gain shell access and execute arbitrary system commands.

Top attacked ports · SANS DShield (2026-05-10)

  1. :6842 sources · 46 targets · 110,200 reports
  2. :234,938 sources · 119 targets · 108,775 reports
  3. :328927,858 sources · 12 targets · 62,098 reports
  4. :22221,862 sources · 120 targets · 58,311 reports
  5. :01,277 sources · 45 targets · 24,264 reports
  6. :222,072 sources · 116 targets · 20,619 reports
  7. :4431,809 sources · 115 targets · 11,919 reports
  8. :801,316 sources · 110 targets · 9,131 reports
  9. :53529 sources · 108 targets · 7,449 reports
  10. :9200417 sources · 115 targets · 7,115 reports
  11. :526426 sources · 8 targets · 6,455 reports
  12. :578414 sources · 4 targets · 6,438 reports

Most active attacker IPs

  • 89.248.163.200 · 9,396 attacks
  • 185.94.111.1 · 7,310 attacks
  • 66.240.205.34 · 4,671 attacks
  • 207.90.244.6 · 4,525 attacks
  • 80.82.77.33 · 4,497 attacks
  • 80.82.77.139 · 4,488 attacks

Cybersecurity news · Hacker News

  1. CPanel's Black Week: 3 New Vulnerabilities Patched After Attack on 44k Servers
    copahost.com · 132 points · 73 comments · 1d ago · by ggallas
  2. Nvidia confirms GeForce NOW data breach affecting Armenian users
    bleepingcomputer.com · 2 points · 1 comment · 1d ago · by Brajeshwar
  3. Canvas outage tied to cyberattack wreaked havoc on colleges' final exam season
    apnews.com · 2 points · 0 comments · 1d ago · by 1vuio0pswjnm7
  4. Canvas Data Breach; DeepSeek V4 Flash Boosts LLM Inference 4.3x
    presciente.com · 2 points · 0 comments · 1d ago · by sebastianperezr
  5. International cyber attack disrupts swathe of universities and schools
    bbc.com · 2 points · 0 comments · 1d ago · by 1vuio0pswjnm7
  6. Chaos erupts as cyberattack disrupts learning platform Canvas amid finals
    arstechnica.com · 3 points · 0 comments · 1d ago · by joozio
  7. Cyberattack hits Canvas system used by schools as finals loom
    politico.com · 2 points · 1 comment · 2d ago · by 1vuio0pswjnm7
  8. Canvas outage delays college finals across the country
    axios.com · 2 points · 1 comment · 2d ago · by 1vuio0pswjnm7
  9. We mapped the nationwide Instructure breach
    data.dailycal.org · 3 points · 0 comments · 2d ago · by notmysql_
  10. International cyber attack disrupts swathe of universities and schools
    bbc.com · 1 point · 0 comments · 2d ago · by neversaydie
  11. CISA gives feds four days to patch Ivanti flaw exploited as zero-day
    bleepingcomputer.com · 1 point · 0 comments · 2d ago · by Brajeshwar
  12. CPanel's 30-Day Security Storm
    news.ycombinator.com · 1 point · 0 comments · 2d ago · by panelica
Sourced from Hacker News (cyberattack, ransomware, breach, zero-day).

Recently observed threats

IP:port                Country  Malware  Hosting / ASN                          Last online
50.16.16.211:443       US       QakBot   AMAZON-AES                             2026-03-12
162.243.103.246:8080   US       Emotet   DIGITALOCEAN-ASN                       2026-03-07
27.133.154.218:443     JP       QakBot   SAKURA-B SAKURA Internet Inc.          2026-03-05
34.204.119.63:443      US       QakBot   AMAZON-AES                             2026-03-01
178.62.3.223:443       GB       QakBot   DIGITALOCEAN-ASN - DigitalOcean, LLC   2026-02-18

About this map

This map visualizes active command-and-control (C&C) servers being tracked in real time by abuse.ch FEODO Tracker, a long-running threat intelligence project that tracks botnets like Emotet, QakBot, IcedID, TrickBot, and Dridex. Each point on the globe is the geolocation of a host that has been observed serving malware or coordinating infected machines.

We refresh the feed every ten minutes. Arcs from each source country are drawn to common attack targets (major cloud, financial, and government hubs) — these are illustrative of where malicious traffic is most likely to land, not literal observed attack paths.

DownRightNow uses signals like these alongside our own probe network to spot the difference between a normal outage and one with abnormal network activity. Want alerts when this hits services you depend on? See how monitoring works →