TL;DR

Critical Cisco ISE Vulnerability With Public Exploit Spurs Emergency Patching

A recently disclosed critical vulnerability in Cisco Identity Services Engine (ISE), now accompanied by publicly available proof‑of‑concept exploit code, has triggered urgent patching efforts across enterprises that rely on ISE for network access control. The flaw enables unauthenticated remote attackers to execute arbitrary code or gain elevated privileges on vulnerable appliances, directly undermining zero trust and 802.1X enforcement architectures that depend on ISE as a policy decision point.

Overview of Cisco ISE and Its Role in Network Security

Cisco ISE is a centralized policy engine used to authenticate and authorize devices and users connecting to wired, wireless, and VPN networks. It integrates with directory services, certificates, and endpoint posture assessment to make dynamic access control decisions. In many enterprises, it is a foundational component for implementing network segmentation, bring‑your‑own‑device controls, and guest access.

Because ISE acts as a high‑privilege control plane for network access, compromise of an ISE node can allow attackers to bypass access controls, steal credentials, or issue rogue authorization decisions. This makes security flaws in ISE particularly impactful compared to vulnerabilities in ordinary application servers.

Technical Nature of the Vulnerability

The recent vulnerability is a high‑severity flaw in a network‑accessible service exposed by Cisco ISE. The issue is triggered by crafted requests that exploit insufficient input validation and improper privilege separation in the relevant component. In practical terms, an attacker can send malicious traffic to the ISE management or policy service interface and cause arbitrary code execution in the context of a highly privileged service account.

Typical attack chains for this class of bug involve bypassing authentication controls, exploiting insecure deserialization or command construction, or abusing file parsing logic that runs with administrative privileges. Once exploited, adversaries can deploy web shells, modify configuration files, plant backdoors in custom scripts, or alter policy definitions.

Exploitation Prerequisites and Attack Surface

The most critical factor in exploitation is whether the vulnerable ISE interface is reachable from untrusted or minimally trusted networks. In many environments, ISE administrative and policy interfaces are exposed to internal corporate networks and to wireless controller or VPN concentrator segments, but not directly to the public internet.

Nevertheless, attackers who gain a foothold in an internal environment through phishing, credential stuffing, or exploitation of other vulnerabilities can pivot to the ISE management plane. Once within routing distance, they can use automated exploit code to attempt remote code execution without valid credentials.

In some misconfigured deployments, ISE interfaces may be exposed externally for remote administration or integration, dramatically increasing risk. Attackers conducting internet‑wide scans will quickly identify such instances by fingerprinting TLS certificates, HTTP banners, or specific response headers associated with ISE.

Proof‑of‑Concept Exploit and Weaponization

The publication of proof‑of‑concept (PoC) exploit code significantly lowers the barrier to exploitation. The PoC typically demonstrates how to construct the malicious request, handle any required pre‑authentication handshakes, and trigger a payload under controlled conditions. Threat actors can adapt the PoC into reusable modules for exploitation frameworks, embed it into botnets, or incorporate it into automated lateral movement tooling.

In addition, researchers and offensive security practitioners may create reliable exploit chains that handle nuances such as different ISE versions, OS baselines, and localization differences. These refinements make attacks more stable and increase the likelihood that opportunistic attackers will achieve successful code execution.

Impact on Zero Trust and Network Access Control

Compromising Cisco ISE undermines multiple layers of network defense. Attackers who gain control of an ISE node can manipulate authorization policies, silently granting expansive access to compromised devices or user accounts. They can also disable posture checks, effectively turning compliant‑device enforcement into a facade while malicious endpoints roam freely.

In advanced scenarios, attackers may generate rogue certificates, modify RADIUS or TACACS+ policies, or alter downloadable ACLs distributed to network infrastructure. This can lead to persistent, hard‑to‑detect backdoors where specific device attributes or user groups are silently allowed into sensitive VLANs or segments, even after an initial incident response.

Detection and Forensic Considerations

Detecting exploitation requires close examination of ISE logs and surrounding infrastructure telemetry. Indicators may include unusual errors in application logs, unexpected restarts of internal services, or anomalous administrative sessions that originate from atypical IP ranges or times of day. Network monitoring may reveal suspicious HTTP or API call patterns targeting ISE interfaces with malformed or boundary‑testing payloads.

Forensic analysis should focus on web application directories, configuration repositories, custom scripts, and scheduled tasks on the underlying OS. Investigators should look for newly created binaries, modified configuration files, unauthorized changes in policy sets, and anomalous administrative accounts. Correlating ISE activity with directory service and firewall logs can highlight policy manipulations or unusual authorization flows.

Mitigation and Hardening Strategies

Immediate mitigation starts with applying the vendor‑provided patches or updated images that remediate the vulnerability. Where patching cannot be completed rapidly, organizations should restrict network access to ISE management and policy interfaces, limiting them to tightly controlled administrative and infrastructure segments. Network access control lists and firewall rules can be tuned to minimize the reachable attack surface.

Longer‑term, organizations should implement architectural controls that assume potential compromise of the NAC infrastructure. This includes enforcing least privilege in policies, requiring multi‑factor authentication for administrative access, monitoring for policy changes, and regularly reviewing device and user authorization rules for anomalies. Segregating ISE components and using out‑of‑band management networks can further reduce exposure.

OWASP Core Rule Set Charset Validation Flaw Exposes Web Applications

A critical vulnerability in the OWASP Core Rule Set (CRS) used by widely deployed web application firewalls (WAFs) allows attackers to bypass charset validation in multipart form data, enabling payloads that evade detection and potentially leading to successful injection attacks against backend applications. Because CRS underpins many “virtual patching” strategies, the flaw has significant implications for organizations that rely on generic WAF rules instead of fixing application‑level bugs.

Background on OWASP CRS and Its Deployment Model

The OWASP Core Rule Set is a community‑maintained collection of generic attack detection rules for WAF engines, most notably ModSecurity and compatible reverse proxies. These rules are designed to identify SQL injection, cross‑site scripting, remote file inclusion, and other common web attacks without requiring application‑specific signatures. Many cloud and appliance WAF offerings embed CRS as a foundation for their security profiles.

Because of this ubiquity, a flaw in CRS semantics can propagate across numerous platforms and providers. Enterprises may not even be aware that their WAF policies are ultimately powered by CRS, complicating vulnerability assessment and remediation planning.

Root Cause in Charset Handling for Multipart Requests

The vulnerability arises from how CRS processes multipart form data, particularly the interaction between charset declarations and content normalization routines. Multipart requests can specify different charsets for individual parts, and the parsing logic must correctly interpret these encodings before applying pattern‑based detection rules.

In this case, an attacker can craft multipart segments with specific charset attributes and payload encodings that cause the CRS processing pipeline to misinterpret or skip portions of the content when checking for malicious patterns. The result is a mismatch between what the WAF “sees” and what the backend application ultimately receives and processes.

Practical Exploitation Scenarios

Attackers can leverage the charset validation bypass to smuggle SQL injection or cross‑site scripting payloads through a WAF that would normally block such patterns. For example, encoding critical characters or segments of an attack string in a way that the CRS parser mishandles may cause detection rules to fail while the backend framework correctly decodes and executes the payload.

Multipart form endpoints are common in file upload features, rich‑text editors, and complex form submissions. Applications that accept user‑supplied data in these contexts, especially those with known but “virtually patched” vulnerabilities, are prime targets. Adversaries may also use the bypass to test for secondary vulnerabilities, such as insecure deserialization or server‑side template injection, which rely on nuanced payload structures.

Impact on Virtual Patching and Defense‑in‑Depth

Many organizations rely heavily on WAFs and generic rule sets as a compensating control for unpatched or legacy applications. The CRS charset flaw demonstrates the fragility of this model: a subtle parsing weakness can render entire classes of protections ineffective for specific request types, while giving organizations a false sense of security.

In environments where application owners assume that the WAF will block dangerous input, secure coding practices and thorough input validation may be neglected. This vulnerability underscores the need to treat WAFs as an additional layer rather than a substitute for fixing underlying code and logic issues.

Detection, Testing, and Validation

Security teams should update their WAF rule sets to versions that address the charset handling issue and then validate protections using targeted penetration testing. Crafting multipart requests with varied charset declarations and payload encodings can help confirm whether the updated CRS correctly normalizes and inspects content.

Log analysis plays a key role in identifying potential exploitation attempts. Unusual multipart requests with atypical charset values, oversized boundary segments, or repeated failed uploads may signal probing activity. Correlating WAF logs with backend application logs can reveal cases where anomalous requests produced server‑side errors or suspicious behavior despite a lack of WAF alerts.

Mitigation Strategies and Longer‑Term Controls

Immediate mitigations include applying the latest CRS release, tuning anomaly scoring thresholds, and deploying additional custom rules for high‑risk endpoints that process multipart data. Where feasible, security teams can temporarily restrict or sanitize certain charset parameters until they are confident in the robustness of the updated parsing logic.

Longer‑term, organizations should prioritize remediation of application vulnerabilities that are currently covered only by generic WAF rules. Adopting secure development practices, implementing strict server‑side validation and encoding, and conducting regular code reviews can reduce reliance on virtual patching. Continuous integration pipelines should incorporate automated security testing that validates both application behavior and WAF effectiveness against regression scenarios similar to this charset flaw.

Trend Micro Apex Central Remote Code Execution Flaws Threaten Centralized Security Management

Multiple severe vulnerabilities in Trend Micro Apex Central, the on‑premises management platform for Trend Micro endpoint and security products, enable remote code execution and denial‑of‑service attacks against centralized security infrastructure. Successful exploitation can give attackers control of the very system responsible for policy distribution, alerting, and telemetry, allowing them to disable defenses, push malicious configurations, or tamper with incident visibility at scale.

Role of Apex Central in Enterprise Security Architectures

Apex Central serves as a central console for managing Trend Micro endpoint protection, server security, and related products across an organization. Administrators use it to define policies, distribute updates, aggregate logs, and monitor security events. The platform often holds high‑privilege credentials and possesses the capability to execute actions on managed endpoints.

Because of this central position, compromise of Apex Central can effectively neutralize endpoint security controls. An attacker who gains administrative access can disable protections, whitelist malicious binaries, or push attacker‑controlled scripts directly to thousands of systems.

Technical Description of the Vulnerabilities

The disclosed issues include a combination of authentication‑related flaws and unsafe handling of user‑supplied data within web interfaces or APIs exposed by Apex Central. Typical weaknesses in this category include improper input validation, insecure deserialization, or command injection in backend processes that run with high privileges.

In some cases, attackers can exploit a pre‑authentication vulnerability to achieve arbitrary code execution on the Apex Central server, while in others they must first obtain low‑privilege access and then escalate through a chained series of weaknesses. Both scenarios are dangerous, given that Apex Central often resides on internal networks but is accessible to many administrative users and integrated systems.

Attack Vectors and Threat Scenarios

Attackers who compromise a user account through phishing, password reuse, or credential theft can target the Apex Central web console or management APIs to exploit the vulnerabilities and elevate privileges. Alternatively, if a pre‑auth flaw is present, they may only need network‑level access to the console, which can be obtained via lateral movement or exploitation of other internal services.

Once they achieve code execution on the server, adversaries can implant persistent backdoors, modify configuration databases, or replace update packages with trojanized versions. This effectively transforms the legitimate management platform into a distribution mechanism for malware or ransomware, reaching endpoints that would otherwise be difficult to compromise individually.

Potential Business and Operational Impact

A compromised Apex Central instance can lead to widespread endpoint compromise, destruction of forensic visibility, and the disabling of security alerts just prior to or during an attack. Organizations may experience simultaneous malware outbreaks, coordinated ransomware deployment, or silent credential theft extending across their entire fleet of managed systems.

In regulated environments, tampering with centralized security controls can also jeopardize compliance obligations, as required logging, alerting, and control mechanisms may be silently disabled or altered. Recovery becomes more complex when the primary control plane must be rebuilt or validated before trust can be restored in endpoint telemetry.

Detection and Response Considerations

Monitoring Apex Central for unusual administrative actions, new or modified policies, and unexpected package deployments is critical. Indicators such as sudden mass changes to endpoint exclusions, large decreases in alert volume, or the creation of previously unseen administrative accounts can signal compromise or misuse.

Incident response should include a thorough review of Apex Central system logs, database records, and file integrity on critical binaries and configuration files. Where tampering is suspected, organizations may need to rebuild the platform from trusted media, redeploy clean agents, and re‑baseline policies to ensure that attacker‑introduced artifacts are removed.

Mitigation, Patching, and Hardening

Organizations should apply the vendor’s security updates that address the identified vulnerabilities as a priority, scheduling downtime if necessary to ensure comprehensive remediation. Prior to patching, reducing network exposure of the Apex Central console, enforcing strict access control lists, and requiring strong multi‑factor authentication for administrative accounts can reduce the attack surface.

Hardening measures should include segmenting the management network, limiting direct user access, and implementing continuous monitoring and alerting for administrative actions within the platform. Regular security reviews of centralized management systems, including configuration audits and penetration tests, can help identify weaknesses before attackers exploit them.

Undertow HTTP Server Vulnerability Puts Java Application Sessions at Risk

A critical vulnerability in the Undertow HTTP server core, widely used in Java application servers such as WildFly and JBoss EAP, allows attackers to hijack user sessions under certain conditions. By manipulating low‑level HTTP handling, adversaries can bypass expected isolation between clients and gain unauthorized access to authenticated sessions, threatening confidentiality and integrity across millions of Java‑based web applications.

Undertow’s Role in the Java Ecosystem

Undertow is a flexible, high‑performance web server and servlet container written in Java, often embedded as the HTTP engine within broader application server platforms. It handles request parsing, connection management, and routing to application components. Many enterprise applications and microservices rely on Undertow for HTTP and WebSocket transport.

Because Undertow can be embedded and configured programmatically, its behavior often depends on both server defaults and application‑specific configuration. A security flaw in its core request handling logic therefore has the potential to affect a diverse range of deployments, from monolithic enterprise portals to lightweight microservices.

Nature of the Session Hijacking Flaw

The vulnerability involves incorrect association or reuse of session identifiers or connection state under specific conditions, such as concurrent or pipelined requests, error handling paths, or protocol edge cases. When certain sequences of requests are processed, Undertow may inadvertently allow session data or identifiers to be visible or reusable by a different client connection than originally intended.

An attacker can exploit this behavior by carefully crafting request patterns that interfere with normal session handling, potentially causing the server to bind an authenticated user’s session to the attacker’s connection or to leak session tokens in responses. The exact preconditions can depend on deployment configuration, including whether HTTP/2, keep‑alive, or reverse proxy layers are in use.

Exploitation Strategies and Constraints

Exploitation generally requires network‑level access to the vulnerable HTTP interface and some ability to influence timing or ordering of requests. Attackers may attempt to induce race conditions, exploit predictable session ID assignment, or use malformed HTTP sequences that trigger the flawed code paths.

In scenarios where the attacker shares a network path with victims, such as in multi‑tenant environments, open Wi‑Fi, or local network segments, combining this vulnerability with traffic observation or injection can increase the likelihood of successful hijacking. Reverse proxies and load balancers can either mitigate or exacerbate the issue depending on how they handle connection reuse and header rewriting.

Impact on Authentication and Authorization

Once an attacker successfully hijacks a session, they inherit the authenticated identity and permissions of the victim user. This can allow access to sensitive data, execution of privileged operations, or manipulation of transaction workflows. In enterprise applications, hijacked sessions associated with administrative or high‑privilege accounts are particularly damaging.

Session hijacking also complicates forensic investigations, as logs may show legitimate user identities performing malicious actions, obscuring attribution. Without detailed network and server telemetry, distinguishing between an actual user’s activity and that of an attacker using a stolen session can be difficult.

Detection and Monitoring Techniques

Security teams should monitor for unusual patterns in session usage, such as sessions that appear to be active from multiple IP addresses or user agents within short timeframes, or abrupt changes in client characteristics associated with a single session ID. Application logs that record session identifiers, client metadata, and authentication events can help in identifying anomalies.

Additionally, elevated rates of malformed or incomplete HTTP requests targeting Undertow‑based endpoints may indicate probing activity attempting to discover exploitable request sequences. Network‑level telemetry and web application firewalls can assist in identifying and blocking suspicious traffic patterns.

Mitigation, Patching, and Defense‑in‑Depth

Patching Undertow to a version that corrects the session handling logic is the primary mitigation. Application servers that embed Undertow must be updated or reconfigured with the fixed core libraries, and deployments should be validated to ensure that the patched components are active in production.

Defense‑in‑depth measures include enforcing strict session management practices, such as binding sessions to client attributes, using secure cookies with appropriate flags, and implementing anomaly detection for session behavior. Where possible, deploying proxy layers that normalize HTTP traffic and enforce protocol compliance can reduce exposure to low‑level HTTP edge cases that might trigger similar vulnerabilities.

Pre‑Authentication Remote Code Execution in SmarterMail Threatens Email Infrastructure

A critical pre‑authentication remote code execution vulnerability in SmarterTools SmarterMail, rated with the highest severity, allows attackers to take complete control of vulnerable mail servers by sending crafted network requests without valid credentials. With public proof‑of‑concept code available, organizations running exposed SmarterMail instances face an elevated risk of compromise to email data, credentials, and supporting infrastructure.

SmarterMail’s Role and Typical Deployment Patterns

SmarterMail is a mail server platform that provides SMTP, IMAP, POP3, and webmail functionality, often used by hosting providers, small to mid‑sized enterprises, and managed service providers. It commonly operates with direct internet exposure to support inbound and outbound email, as well as webmail access over HTTPS.

Because email systems handle sensitive communications and often integrate with directory services and authentication providers, compromise of a mail server can lead to widespread credential theft, internal phishing, and exposure of confidential information.

Technical Overview of the Vulnerability

The vulnerability resides in a network‑accessible component that processes unauthenticated requests, likely within the webmail or service management surface. A lack of proper input validation or unsafe handling of serialized or structured data allows an attacker to inject payloads that are executed in the context of the SmarterMail service or underlying operating system.

As a pre‑authentication issue, the flaw can be exploited by any remote attacker who can reach the vulnerable service, without needing to guess or steal credentials. This significantly expands the pool of potential attackers and facilitates automated mass exploitation campaigns.

Exploitation and Weaponization

Public proof‑of‑concept exploit code demonstrates how to construct the malicious request and trigger the vulnerability reliably. Attackers can integrate this into scanning frameworks that identify SmarterMail instances on the internet, test for vulnerability, and deploy payloads that establish persistent access.

Typical payloads may include web shells implanted into the webmail interface, reverse shells that connect back to attacker infrastructure, or scripts that enumerate user mailboxes and extract credentials. In some cases, attackers may also manipulate mail routing and filtering rules to facilitate further phishing or data exfiltration.

Potential Impact on Email Security and Business Operations

A compromised SmarterMail server provides attackers with access to stored messages, attachments, and address books, as well as the ability to intercept or alter email traffic in transit. This can enable highly convincing spear‑phishing campaigns against internal users and external partners, as messages originate from legitimate accounts and infrastructure.

Operationally, attackers may deploy ransomware, disrupt mail delivery, or abuse the server for spam and malware distribution, leading to blacklisting of the organization’s mail domains and IP addresses. Recovery efforts must address both technical remediation and reputational damage resulting from compromised communications.

Detection, Logging, and Forensics

Administrators should review web server and SmarterMail logs for anomalous requests, particularly those containing unusual parameters, large or malformed payloads, or patterns consistent with known exploit attempts. Unexpected spikes in error responses, failed login attempts followed by unusual administrative actions, or sudden changes in configuration can also indicate compromise.

Forensic analysis should focus on web root directories, configuration files, scheduled tasks, and operating system startup mechanisms to identify potential backdoors. Mailbox access logs and message tracking data can help determine whether attackers accessed or altered specific accounts or messages.

Mitigation and Hardening Recommendations

Applying the vendor’s security update that corrects the vulnerability is essential, and organizations should prioritize patching internet‑exposed instances. Where immediate patching is not possible, temporary mitigations may include restricting access to administrative and webmail interfaces via VPN or IP allowlists, and implementing web application firewalls with rules tuned to block exploit patterns.

Longer‑term hardening strategies include limiting the services exposed directly to the internet, enforcing strong authentication (including multi‑factor authentication) for webmail access, and implementing robust backup and recovery processes for mail data. Regular external attack surface scanning can help identify exposed SmarterMail instances and other internet‑reachable services that require closer security scrutiny.

Surge in Attacks Targeting AI Infrastructure Highlights Emerging Operational Risks

Security researchers have reported a sharp increase in coordinated attacks against artificial intelligence infrastructure, with more than ninety thousand malicious sessions detected over a recent three‑month window targeting model endpoints, orchestration layers, and supporting cloud resources. The activity illustrates that AI deployments are rapidly becoming a mainstream target class, with attackers probing for data extraction, model manipulation, and abuse of compute resources.

Characteristics of AI Infrastructure in Modern Environments

AI infrastructure typically includes model inference endpoints exposed via APIs, data pipelines feeding training and fine‑tuning workflows, vector databases, and orchestration components that manage scaling and routing. These systems often run in cloud environments, integrate with sensitive internal data sources, and are accessed by both applications and human users.

Because AI services are relatively new in many organizations, security controls and monitoring around them may lag behind those applied to traditional web and database systems. Misconfigurations, weak authentication, and excessive permissions are common early in adoption cycles.

Observed Attack Techniques and Tactics

The documented malicious sessions include large volumes of automated probing, such as sending crafted prompts or inputs designed to reveal system prompts, configuration details, or underlying data. Attackers also attempt injection attacks where they embed instructions aimed at altering model behavior, escalating privileges, or exfiltrating secrets from connected tools and data sources.

In addition to prompt‑level attacks, adversaries target the surrounding infrastructure by scanning for exposed administrative endpoints, default credentials, insecure API keys, and misconfigured identity and access management policies. Some campaigns focus on hijacking compute resources to run unauthorized workloads, including cryptocurrency mining or distributed password cracking.

Risks of Data Exfiltration and Model Abuse

AI systems often process sensitive training and inference data, including proprietary documents, source code, and customer information. Successful attacks can exfiltrate this data either directly via model output or by abusing integrations that allow models to retrieve files, database records, or secrets. Even without full data theft, attackers may learn enough about training data distributions to infer confidential business information.

Model abuse extends beyond data theft, encompassing misuse of AI capabilities to generate malicious content, automate social engineering, or assist in vulnerability discovery. Compromised AI endpoints can be leveraged as internal tools for attackers, accelerating their operations inside the victim environment.

Detection and Monitoring of AI‑Focused Threats

Effective monitoring of AI infrastructure requires logging at multiple layers: API gateways, model serving frameworks, orchestration systems, and underlying cloud resources. Indicators of attack include unusually high volumes of adversarial or malformed inputs, repeated attempts to access system‑level instructions, and sequences of requests that systematically explore capabilities and boundaries.

Telemetry that correlates AI service usage with identity information, network locations, and downstream data access can help distinguish legitimate heavy usage from suspicious automation. Alerting on anomalous resource consumption, such as sudden spikes in GPU usage or outbound data transfer, is critical for detecting abuse of compute and exfiltration.

Mitigation Strategies for Securing AI Deployments

Organizations should treat AI endpoints as high‑value assets, enforcing strong authentication, rate limiting, and network segmentation around them. Implementing input validation and filtering for prompts, as well as guardrail mechanisms that constrain model actions and integrations, can reduce the impact of prompt injection and related attacks.

Hardening should extend to the data and control planes: restricting access to training data, adopting least privilege for tools and connectors, and isolating experimentation environments from production systems. Regular security testing of AI applications, including red teaming and adversarial evaluation, can help identify weaknesses unique to AI workloads and prioritize remediation efforts.

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC