Weekly Report for 2026-05-01 to 2026-05-08

STIX2 Threat Intelligence Feeds (82,577 indicators this week)

Weekly Intelligence Summary

Weekly Comparison

Threat Score Distribution

Average threat score across all tracked IPs: 18.3/100

Attacks by Destination

Attacks By Country & ASN

Attacks By Protocol

MITRE ATT&CK Techniques

Cloud Provider Abuse

Top Attacking Networks

Attack Classification Tags

Phishing Domains by Category

Top SSH Bruteforce Usernames

Infrastructure Analysis

Anonymous Proxy Hosts (27,061 total)

Highest Risk Networks

Network	Risk Score	IPs	Risk Level
AS60729 zwiebelfreunde e.v.	85	16
AS210731 forening for dotsrc	84	11
AS4224 the calyx institute	81	21
AS208294 cia triad security llc	69	116
AS396507 emerald onion	62	34
AS1101 surfnet bv	59	38
AS57724 ddos guard ltd	53	20
AS15736 mobile business solution mbs llp	49	11
AS138740 citylink broadbnad services pvt ltd	48	13
AS137280 kingsoft cloud corporation limited	48	102
AS38345 internet domain name system beijing engineering resrarch center ltd.	47	14
AS206264 amarutu technology ltd	46	11
AS39351 31173 services ab	45	15
AS58541 qingdao 266000	45	176
AS263333 vipturbo comrcio & servios de informtica ltda	45	32

Web Exploit Detection Summary

Source	Rule	Events	Unique IPs	CVEs
ET	ET WEB_SERVER Suspected FOXSHELL Variant Webshell Activity	1,723	697	—
ET	ET WEB_SERVER Suspected FOXSHELL Variant Webshell Activity	1,723	697	—
ET	ET SCAN WordPress Scanner Performing Multiple Requests to Windows Live Writer XML	575	47	—
ET	ET WEB_SERVER WEB-PHP phpinfo access	335	38	CVE-2002-1149
ET	GPL WEB_SERVER 403 Forbidden	169	52	—
ET	ET WEB_SERVER Possible DROP SQL Injection Attempt	140	72	—
ET	ET EXPLOIT Vulnerable Microsoft Exchange Server Response (CVE-2021-31207)	134	31	CVE-2021-31207
LOCAL	LOCAL Spring Boot Actuator Sensitive Endpoint Probe	131	31	—
ET	ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt	94	30	CVE-2019-5418
ET	ET SCAN Google Webcrawler User-Agent (Mediapartners-Google)	75	75	—
LOCAL	LOCAL AWS Credentials File Grab Attempt	63	48	—
ET	ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M1	63	2	CVE-2021-22893
ET	ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt	44	21	—
ET	ET WEB_SERVER PHP Possible https Local File Inclusion Attempt	38	36	CVE-2002-0953
ET	ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTPS)	38	36	—
LOCAL	LOCAL Microsoft Exchange ECP Admin Probe (ProxyShell/ProxyLogon)	31	10	CVE-2021-26855
ET	ET WEB_SERVER Possible SQL Injection Obfuscated by REVERSE function in HTTP Request Body	29	4	—
ET	ET WEB_SERVER Possible SQL injection obfuscated via REVERSE function in HTTP URI	29	4	—
ET	GPL WEB_SERVER DELETE attempt	25	1	—
ET	ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2	22	21	CVE-2021-41773

CVE Exploitation Activity

OpenCLAW Dashboard Intelligence