Cybersecurity Threats

Active threat infrastructure + known-exploited vulnerabilities

Author

Sam Caldwell

This report tracks two complementary cybersecurity signals:

  1. Active threat infrastructure — IP addresses currently used for malicious purposes (botnet C2s, malware hosts, phishing kits) drawn from public feeds and geolocated to the city/province level.
  2. Known-exploited vulnerabilities — the CISA KEV catalog, enriched with FIRST EPSS scores (initial vs current) and NVD CVSS scores so you can see not just which CVEs are being exploited but how their predicted-exploit probability is moving.

Daily snapshots accumulate over time so we can show trends, not just the “as of right now” view.
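The initial-vs-current EPSS enrichment described above, as an added example that is not this report's own pipeline code: it attaches to each KEV entry the EPSS score from the first daily snapshot taken on or after its dateAdded and the score from the latest snapshot, then counts entries added in the last 30 days. The catalog rows, snapshot dates, CVE identifiers and scores are all constructed sample data.

```python
from datetime import date, timedelta

# Constructed KEV entries (field names follow CISA's CSV: cveID, dateAdded).
# The CVE identifiers are placeholders, not real vulnerabilities.
KEV = [
    {"cveID": "CVE-0000-0001", "dateAdded": date(2026, 4, 1)},
    {"cveID": "CVE-0000-0002", "dateAdded": date(2026, 2, 1)},
    {"cveID": "CVE-0000-0003", "dateAdded": date(2026, 4, 18)},
]

# Constructed daily EPSS snapshots: {snapshot_date: {cveID: epss_probability}}.
EPSS_SNAPSHOTS = {
    date(2026, 4, 1):  {"CVE-0000-0001": 0.05, "CVE-0000-0002": 0.40},
    date(2026, 4, 10): {"CVE-0000-0001": 0.12, "CVE-0000-0002": 0.38},
    date(2026, 4, 18): {"CVE-0000-0001": 0.31, "CVE-0000-0002": 0.37, "CVE-0000-0003": 0.02},
    date(2026, 4, 20): {"CVE-0000-0001": 0.45, "CVE-0000-0002": 0.36, "CVE-0000-0003": 0.09},
}


def enrich_kev(kev, snapshots):
    """Return KEV rows with epss_initial, epss_current and epss_delta, sorted by current EPSS.

    initial = score in the earliest snapshot taken on or after dateAdded that contains the CVE;
    current = score in the most recent snapshot. Missing scores are None and sort last.
    """
    dates = sorted(snapshots)
    latest = snapshots[dates[-1]]
    rows = []
    for entry in kev:
        cve = entry["cveID"]
        initial = None
        for d in dates:
            if d >= entry["dateAdded"] and cve in snapshots[d]:
                initial = snapshots[d][cve]
                break  # first observation after catalog entry
        current = latest.get(cve)
        delta = None if initial is None or current is None else round(current - initial, 4)
        rows.append({**entry, "epss_initial": initial, "epss_current": current, "epss_delta": delta})
    return sorted(rows, key=lambda r: (r["epss_current"] is None, -(r["epss_current"] or 0.0)))


def added_last_30_days(kev, today):
    """Count catalog entries whose dateAdded falls within the trailing 30-day window."""
    cutoff = today - timedelta(days=30)
    return sum(1 for entry in kev if entry["dateAdded"] >= cutoff)
```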

Hosting location ≠ attacker location. Attackers routinely use rented hosting in countries with weak attribution. This report shows where malicious infrastructure is, not where its operators sit.

Today’s snapshot

  • Active threat IPs: 107 (as of 2026-04-20)
  • Botnet C2 hosts: 5 (FeodoTracker, currently online)
  • Provinces affected: 45, across 25 countries
  • Top malware family: Vidar (most-reported in today's snapshot)
  • Daily snapshots stored: 1 (each one a 24-hour view; the cache grows daily)
  • KEV CVEs (in-wild): 1,577 (+26 added in the last 30 days)

What’s in here

  • Threat sources — World map of every active threat IP geolocated to its city/province; province aggregation table; top ASNs.
  • Botnet hosts — FeodoTracker C2 infrastructure specifically; malware-family breakdown; online vs offline.
  • CVEs in the wild — CISA KEV catalog with initial vs current EPSS, CVSS v3, and “in wild” flag. Sorted by current EPSS.
  • Methodology — Sources, attribution, refresh cadence, caveats.

Update cadence

The CI pipeline fetches the four threat feeds once daily; ip-api.com is the lookup service used to enrich them, not a feed in itself:

Feed                  | What                              | License             | Cadence
Abuse.ch FeodoTracker | Active botnet C2 IPs              | CC0                 | Continuous; we snapshot daily
Abuse.ch ThreatFox    | Recent IoCs incl. C2 IPs          | CC0                 | Recent-window CSV; snapshot daily
CISA KEV              | Known-exploited CVEs              | Public domain       | When CISA updates (≈weekly)
FIRST EPSS            | Daily exploit-probability per CVE | CC-BY-SA            | Daily
ip-api.com            | IP→province geolocation           | Free non-commercial | On-demand for new IPs

Per-IP geolocations are looked up once and cached permanently, so daily runs only resolve newly seen IPs.