Weekly Report for 2026-05-15 to 2026-05-22
May 22, 2026
Weekly Reports
STIX2 Threat Intelligence Feeds (41,111 indicators this week)
Weekly Intelligence Summary
49.9KAttacking IPs This Week
171Source Countries
1.3KPhishing Domains
27.9KProxy/Anon IPs
3.4KWeb Exploit Events
18CVEs Exploited
258OpenCLAW Events
Weekly Comparison
Attacks by Destination
Attacks By Country & ASN
Attacks By Protocol
SSH (21,419 IPs)
FTP (29 IPs)
SIP (74 IPs)
TELNET (613 IPs)
MSSQL (190 IPs)
MYSQL (64 IPs)
REDIS (99 IPs)
Cloud Provider Abuse
Top Attacking Networks
Attack Classification Tags
Phishing Domains by Category
Top SSH Bruteforce Usernames
Infrastructure Analysis
Tor Exit Nodes (2,341 total)
Infrastructure Type
Anonymous Proxy Hosts (27,894 total)
Emerging Threats (Last 24h)
| IP Address | Threat Score | Country | Tags |
|---|---|---|---|
| 107.189.8.65 | 100 | Luxembourg | attack Bruteforce Brute-Force cowrie cve202229266 cyber security |
| 185.94.111.1 | 100 | Russia | Alaska cowrie ddos denial of service IPs Attacking Alaskan Hosts malicious |
| 193.107.216.228 | 100 | Hong Kong | bruteforce cyber security digital ocean Energy ICS ioc |
| 193.46.255.60 | 100 | Romania | awsau awsbah awsindia awsjap blacklist botnet |
| 92.63.196.25 | 100 | Russia | admin blacklist botnet brute force Energy green |
| 92.63.196.61 | 100 | Russia | admin blacklist botnet brute force Energy green |
| 89.248.165.202 | 100 | Netherlands | Alaska auto-generated security botnet green IPs Attacking Alaskan Hosts kfsensor |
| 5.61.11.123 | 100 | Russia | blacklist botnet cyber security Energy green ICS |
| 154.89.5.86 | 100 | Hong Kong | cyber security ioc malicious Nextray phishing Scanner |
| 183.136.226.3 | 100 | China | brute force cyber security Energy green ICS ioc |
| 183.136.226.4 | 100 | China | bruteforce cyber security digital ocean Energy green ICS |
| 176.192.99.26 | 100 | Russia | attack awsau bruteforce cyber security Energy green |
| 144.172.118.37 | 100 | United States | attack cve202229266 cyber security description description ip indicator |
| 209.141.34.39 | 100 | United States | Bruteforce Brute-Force cowrie cyber security ioc LokiBot |
| 45.146.165.165 | 100 | Russia | Bot Exploit IOC Malware Nextray Scanner |
| 45.143.203.3 | 100 | Ukraine | admin blacklist botnet green Malicious IP mirai |
| 89.248.163.140 | 100 | United Kingdom | auto-generated security Brute force count cyber security ioc kfsensor |
| 104.16.18.94 | 100 | 0 report 10357 aaaa abuse contact accept access ta0001 | |
| 45.143.200.50 | 100 | Russia | admin Alaska alienvault blacklist botnet cyber security |
| 80.254.126.75 | 100 | Russia | cyber security green ioc kfsensor malicious Nextray |
Highest Risk Networks
| Network | Risk Score | IPs | Risk Level |
|---|---|---|---|
| AS60729 zwiebelfreunde e.v. | 85 | 16 | |
| AS210731 forening for dotsrc | 84 | 11 | |
| AS4224 the calyx institute | 81 | 21 | |
| AS208294 cia triad security llc | 69 | 116 | |
| AS396507 emerald onion | 62 | 34 | |
| AS1101 surfnet bv | 59 | 38 | |
| AS57724 ddos guard ltd | 53 | 20 | |
| AS15736 mobile business solution mbs llp | 49 | 11 | |
| AS138740 citylink broadbnad services pvt ltd | 48 | 13 | |
| AS137280 kingsoft cloud corporation limited | 48 | 102 | |
| AS38345 internet domain name system beijing engineering resrarch center ltd. | 47 | 14 | |
| AS206264 amarutu technology ltd | 46 | 11 | |
| AS39351 31173 services ab | 45 | 15 | |
| AS58541 qingdao 266000 | 45 | 176 | |
| AS263333 vipturbo comrcio & servios de informtica ltda | 45 | 32 |
Web Exploit Detection Summary
3.4KExploit Events
871Unique Attacker IPs
47Rules Triggered
18CVEs Observed
| Source | Rule | Events | Unique IPs | CVEs |
|---|---|---|---|---|
| ET | ET WEB_SERVER Suspected FOXSHELL Variant Webshell Activity | 1,190 | 580 | — |
| ET | ET WEB_SERVER Suspected FOXSHELL Variant Webshell Activity | 1,190 | 580 | — |
| ET | ET SCAN WordPress Scanner Performing Multiple Requests to Windows Live Writer XML | 867 | 66 | — |
| ET | ET WEB_SERVER WEB-PHP phpinfo access | 313 | 24 | CVE-2002-1149 |
| ET | ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt | 191 | 26 | CVE-2019-5418 |
| LOCAL | LOCAL OpenWRT Luci CGI RCE Attempt (CVE-2023-1389) | 168 | 3 | CVE-2023-1389 |
| ET | ET WEB_SERVER Possible DROP SQL Injection Attempt | 80 | 42 | — |
| LOCAL | LOCAL Spring Boot Actuator Sensitive Endpoint Probe | 73 | 25 | — |
| ET | ET WEB_SPECIFIC_APPS SonicWall SonicOS Unauthenticated Stack-Based Buffer Overflow (CVE-2022-22274) M1 | 72 | 14 | CVE-2022-22274 CVE-2023-0656 |
| LOCAL | LOCAL AWS Credentials File Grab Attempt | 56 | 31 | — |
| ET | ET SCAN Google Webcrawler User-Agent (Mediapartners-Google) | 51 | 50 | — |
| ET | ET WEB_SERVER Possible CREATE SQL Injection Attempt in URI | 51 | 24 | — |
| ET | ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt | 47 | 24 | — |
| ET | ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) | 45 | 2 | — |
| LOCAL | LOCAL PHP Source Backup File Grab Attempt | 41 | 7 | — |
| ET | ET WEB_SERVER /etc/passwd Detected in URI | 36 | 4 | — |
| ET | ET EXPLOIT Vulnerable Microsoft Exchange Server Response (CVE-2021-31207) | 36 | 20 | CVE-2021-31207 |
| ET | GPL WEB_SERVER 403 Forbidden | 36 | 29 | — |
| ET | ET WEB_SERVER Possible SQL Injection Obfuscated by REVERSE function in HTTP Request Body | 35 | 4 | — |
| ET | ET WEB_SERVER Possible SQL injection obfuscated via REVERSE function in HTTP URI | 35 | 4 | — |
CVE Exploitation Activity
CVE-2002-1149 CVE-2019-5418 CVE-2023-1389 CVE-2022-22274 CVE-2023-0656 CVE-2021-31207 CVE-2021-26855 CVE-2021-41773 CVE-2021-42013 CVE-2021-22005 CVE-2021-22893 CVE-2000-0868 CVE-2024-21887 CVE-2019-19781 CVE-2022-1388 CVE-2019-0193 CVE-2002-0953 CVE-2022-22965
OpenCLAW Dashboard Intelligence
258Total Events
25Unique Attackers
8Days Active
Attack Types
| Type | Count | Share | |
|---|---|---|---|
| generic-probe | 310 | 98.7% | |
| admin-scan | 4 | 1.3% |
Severity Distribution
| Severity | Count | Percentage |
|---|---|---|
| medium | 4 | 1.3% |
| low | 310 | 98.7% |