CIP Blog (Criminal IP Blog): the latest news and developments for Criminal IP. Cyber Threat Intelligence Reports.
- Introducing the New Phishing Scan Mode, by Criminal IP on April 17, 2026 at 8:44 am
Maintenance Period v1.99.0: 2026.04.16 (05:00-10:00 UTC). Summary: Version 1.99.0 introduces the new Phishing Scan mode for URL/Domain scanning, providing users with a dedicated detection capability to identify phishing sites and fraudulent web pages. This update expands Criminal IP’s threat detection coverage, empowering security teams to proactively identify and respond to phishing infrastructure with greater speed and accuracy. […]
- CVE-2026-34197: Apache ActiveMQ RCE Vulnerability Analysis, by Criminal IP on April 17, 2026 at 12:51 am
In April 2026, a remote code execution (RCE) vulnerability, CVE-2026-34197, was disclosed in Apache ActiveMQ Classic after remaining undiscovered for over 13 years. Rated 8.8 (High) under CVSS v3.1, this vulnerability stems from a complex interaction between the Jolokia management API, VM Transport, and the Spring XML initialization mechanism. Unlike typical vulnerabilities, this issue cannot be easily identified by analyzing […]
- Analyzing a FIFA-Themed Phishing Campaign: Tracking Suspicious 2026 World Cup-Related Domains and Infrastructure, by Criminal IP on April 13, 2026 at 1:00 am
International sporting events are highly effective social engineering lures for attackers. In particular, globally recognized events such as the FIFA World Cup are repeatedly abused in phishing campaigns impersonating ticket purchases, official reservations, and event participation pages, because they make it easier to attract user clicks. The 2026 FIFA World Cup is scheduled to take […]
- CVE-2026-3502: Supply Chain Attack via TrueConf Update Mechanism, by Criminal IP on April 8, 2026 at 3:49 am
In late March 2026, a zero-day vulnerability, CVE-2026-3502, was disclosed in the TrueConf Windows Client and confirmed to have been actively exploited in the wild. The vulnerability stems from a structural flaw in the update process, where integrity validation is not properly enforced when downloading update packages. If an attacker gains control over an on-premise TrueConf server, they […]
- CVE-2026-32746: Analysis of Pre-Authentication RCE Vulnerability in GNU InetUtils telnetd, by Criminal IP on April 3, 2026 at 1:58 am
In March 2026, a critical remote code execution (RCE) vulnerability, CVE-2026-32746, was disclosed in the Telnet daemon (telnetd) of GNU InetUtils. The vulnerability is rated 9.8 (Critical) under the CVSS v3.1 scoring system and stems from a structural flaw that allows attackers to execute arbitrary code remotely prior to authentication. What makes this vulnerability particularly dangerous […]
- Criminal IP Renewal & Key Feature Improvements, by Criminal IP on April 2, 2026 at 5:00 pm
Maintenance Period v1.98.0: 2026.04.02 (05:00-10:00 UTC). Summary: Version 1.98.0 introduces the newly redesigned Criminal IP website, along with key enhancements to the ASM experience and expanded access to cybersecurity intelligence through the CIP News feature. This update focuses on improving usability, streamlining asset management workflows, and empowering users with broader visibility into global threat intelligence. […]
- Unstructured Data-Based Asset Exposure Analysis: Structuring Identifiers with Privacy Exposure Scanner, by Criminal IP on April 1, 2026 at 5:00 am
When analyzing external assets in a security environment, the focus is typically placed on elements such as open ports, running services, and known vulnerabilities. While this approach is effective for understanding the technical state of an asset, it has limitations when it comes to fully understanding real-world internet exposure. Internet-exposed assets contain more than just […]
- Wing FTP Server Vulnerability Analysis: Exposed Service Leading to an RCE Attack Chain, by Criminal IP on March 25, 2026 at 12:00 am
A recently discovered information disclosure vulnerability in Wing FTP Server (CVE-2025-47813) has been confirmed to be actively exploited in real-world attacks, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to the Known Exploited Vulnerabilities (KEV) catalog. Although this vulnerability is rated CVSS 4.3 (Medium), it poses risks beyond simple information leakage, as it can expose […]
- Event-Driven Threat Validation and Automated Blocking: An IP Risk Verification Pipeline Using Criminal IP Data, by Criminal IP on March 19, 2026 at 12:00 am
In security operations environments, many security alerts are not the beginning of an attack but rather the result of activity that has already occurred. For example, consider the following scenarios: malware detection by an EDR; detection of a phishing site connection through URL filtering; an administrator account login event. When such events occur, it often implies that […]
- Analysis of Iran-Linked APT MuddyWater Activity: Tracking Recent Campaigns and Attack Patterns, by Criminal IP on March 17, 2026 at 12:52 am
As geopolitical tensions in the Middle East continue to escalate, related activity has also increased in cyberspace. In particular, following recent military actions by the United States and Israel, movements linked to Iranian cyber operations have been observed, prompting warnings from multiple security organizations. Among the groups frequently mentioned in this context is MuddyWater, one of […]















