Media Coverage

Shadowserver in the news

Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks

Europol, June 24, 2026

Europol together with partners from across the globe today announces a landmark blow to cybercriminal networks as part of Operation Endgame, a sweeping international operation targeting the criminal infrastructure behind ransomware and malware like SocGholish, Amadey, and StealC. In coordinated actions over the past two weeks, key components of these malicious toolkits were dismantled as part of a public-private effort. The main common goal was to disrupt the “assembly lines” cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure. Crypto assets of criminal origin currently valued at over EUR 41 million (USD 47 million) were identified, flagged, and thereby restricted from use. Moreover, as many as 27 million stolen login credentials have been recovered as part of this operation.

Participating countries and agencies in the action week against the three botnets: Canada: Royal Canadian Mounted Police (RCMP), Denmark: Danish Police (Politi), Germany: Federal Criminal Police Office (BKA), Netherlands: National High Tech Crime Unit (NHCTU), United Kingdom: National Crime Agency (NCA), United States, Europol and Eurojust.

Private Partners: Microsoft, the Shadowserver Foundation, Registrar of Last Resort (RoLR), Proofpoint, IBM X-Force, Infoblox, NorthWave, Orange Cyberdefense, Bitdefender, Have I Been Pwned (HIBP), Spamhaus.

International law enforcement initiate hunt on malware group SocGholish

Politie.nl, June 18, 2026

In Operation Endgame, a major operation this week disrupted a key infection chain used by cybercriminals. Through international cooperation, 14,971 websites infected with SocGholish malware were remediated. This malware is used by a criminal group that plays a pivotal role in international cybercrime, namely: Evil Corp. SocGholish exploits hacked legitimate WordPress sites to spread malware to visitors, with the aim of gaining unauthorized access to their computer systems. WordPress is the world’s most widely used platform for building websites.

In the past few days, the Netherlands (NHCTU), Canada (RCMP), the United States (FBI) and Germany (BKA), with support from Europol and Eurojust, delivered a major blow to SocGholish’s criminal infrastructure during a joint action week. Victim notification for owners of WordPress sites whose leaked login credentials were identified by the police is carried out via HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, The Shadowserver Foundation and NCSC (Netherlands).

Ivanti Sentry Actively Exploited: CVSS 10.0 Flaw Backdoors Enterprise Mobile Gateways

Tech Times, June 11, 2026

Attackers have begun backdooring internet-exposed Ivanti Sentry appliances, the nonprofit security watchdog Shadowserver confirmed on June 11, 2026 — less than 48 hours after patches and a public proof-of-concept exploit script became available. The Ivanti Sentry vulnerability tracked as CVE-2026-10520 carries the maximum CVSS score of 10.0 and gives any unauthenticated, internet-connected attacker the ability to execute arbitrary operating system commands as root on the appliance — no credentials, no prior foothold required.

Shadowserver reported seeing 19 vulnerable instances in its scans, with at least two already backdoored following a tip from Saudi Arabia’s National Cybersecurity Authority. The organization cautioned that the true number of affected appliances is likely higher, as many Sentry deployments block internet scanning tools by default.

Over 900 US gas station tank gauge systems exposed to attacks

Bleeping Computer, June 5, 2026

Over 900 automatic tank gauge (ATG) systems across the United States, used to monitor fuel and chemical storage tanks across various critical infrastructure sectors, have been found exposed online and are vulnerable to ongoing attacks. In light of CISA’s advisory, Internet security watchdog Shadowserver warned today that over 1,000 ATG systems were exposed online, with the vast majority (909 devices) in the United States.

The Unspoken Guardians of the Internet: Why Non-profit Cybersecurity Matters for Public Safety and Global Resilience

The Hague Centre for Strategic Studies, June 2, 2026

Non-profit cybersecurity organisations are a foundational part of the global cyber ecosystem, yet their role remains systematically under-recognised and underfunded. This new HCSS report argues that these organisations provide essential public-interest security functions that governments and commercial providers cannot fully deliver on their own.

The report by Hans Horan, Ron Stoop and Jan Feldhusen finds that non-profit cybersecurity actors play a critical role in threat intelligence sharing, incident response coordination, standards development, capacity-building, and support for vulnerable communities. Their work helps reduce harm, strengthen cyber resilience, and sustain the shared infrastructure and protocols underpinning the global digital economy. The report warns that continued underfunding risks weakening critical cyber resilience functions worldwide. It recommends that governments establish dedicated multi-year funding streams, formally integrate non-profit actors into national cybersecurity strategies, and create rapid-response funding mechanisms for major cyber crises. It also calls on industry to adopt standing norms for financially supporting the sector.

Threat intelligence services can also generate substantial value. The most notable example would be Shadowserver, a non-profit that scans the global internet for vulnerabilities, malware, and active threats, and alerts affected organisations and governments. Single organisations such as Shadowserver and CIS account for market-equivalent values of USD 830M–980M and USD 354M, respectively. Shadowserver delivers this at an operating cost of USD 5.5 to 6 million per year: a leverage ratio of approximately 170 to 200 USD of economic value per dollar spent.

Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet

CrowdStrike, May 26, 2026

On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, a global threat targeting software developers through the open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm’s command-and-control (C2) channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads.

This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they’re targeting the developers who build them.

201 arrests in first-of-its-kind cybercrime operation in MENA region

INTERPOL, May 18, 2026

A first-of-its-kind cybercrime operation in the MENA region has led to the arrest of 201 individuals, with a further 382 suspects identified. Thirteen countries from the Middle East and North Africa took part in Operation Ramz (October 2025 – 28 February 2026) which aimed to investigate and disrupt malicious infrastructure, identify and arrest suspects, and prevent future losses. The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region. In addition to the arrests made, 3,867 victims were identified, and 53 servers were seized. Operation Ramz marked a milestone as the first cyber operation of its scale coordinated by INTERPOL in the MENA region. During this effort, nearly 8,000 pieces of crucial data and intelligence were disseminated among participating countries to initiate and support investigations.

During Operation Ramz, INTERPOL worked closely with its partners, Group-IB, Kaspersky, the Shadowserver Foundation, Team Cymru and TrendAI to track illegal cyber activities and identify malicious servers. Operation Ramz received support from the Qatar Ministry of Interior and was partially funded by the European Union and the Council of Europe under the CyberSouth+ project. Participating countries: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, UAE.

Authenticated Admin RCE In Ivanti EPMM Added to CISA KEV

SOCRadar, May 8, 2026

Ivanti has patched CVE-2026-6973, a high-severity remote code execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) on-prem deployments. The vulnerability has been exploited in the wild – CISA has also added it to the Known Exploited Vulnerabilities (KEV) catalog. The potential scope is significant: as of May 7, 2026, Shadowserver tracks over 800 internet-exposed Ivanti EPMM instances online, with the majority concentrated in Europe and North America.

Palo Alto Networks firewall zero-day exploited for nearly a month

Bleeping Computer, May 7, 2026

Palo Alto Networks warned customers that suspected state-sponsored hackers have been exploiting a critical-severity PAN-OS firewall zero-day vulnerability for nearly a month. Tracked as CVE-2026-0300, this remote code execution security flaw was found in the PAN-OS User-ID Authentication Portal. Internet threat watchdog Shadowserver now tracks over 5,400 PAN-OS VM-series firewalls exposed on the Internet, most of them in Asia (2,466) and North America (1,998).

cPanelSniper PoC Exploit Disclosed as 44,000 Servers Reportedly Compromised

GB Hackers, May 2, 2026

A critical zero-day vulnerability in cPanel and WebHost Manager (WHM) is under massive active exploitation following the public release of a sophisticated proof-of-concept exploit. Tracked as CVE-2026-41940, this flaw has already compromised tens of thousands of servers worldwide. The Shadowserver Foundation, a prominent non-profit security organization, reported intense exploitation activity targeting exposed cPanel instances globally. Their security honeypots detected at least 44,000 unique IP addresses that appear to be successfully compromised.