Threat Flash: Trend Continues vs 2025, 52K Malicious IPs Confirmed in May

Threat Research Team

March and April weren't anomalies. In May, 52,000 IP addresses flagged by Augur's patented predictive threat intelligence were verified as malicious by independent third-party sources, exceeding the May 2025 total by more than 30%.

The data reinforces two things: the pace of malicious infrastructure deployment isn't slowing down, and Augur continues to surface emerging threats long before traditional intelligence feeds.

While some preemptive security vendors focus on lower-level risks such as domain lookalikes and basic spoofing activity, Augur targets the operational backbone of more sophisticated cyber campaigns. It identifies the command-and-control servers, exfiltration staging nodes, and delivery infrastructure that advanced threat actors depend on. This includes infrastructure established by nation-state groups, ransomware operators, and organized cybercriminal networks, often well before their activities escalate into public-facing incidents.

Let’s take a look at what Augur saw in May:

Most Active Threat Actors

ShinyHunters (data theft, aka Scattered LAPSUS$ Hunters affiliate naming aside, tracked here as ShinyHunters) - 247 confirmations

APT 26 (espionage, aka Bronze Express, Turbine Panda) - 142 confirmations

APT 30 (espionage, aka Lotus Panda, Raspberry Typhoon) - 115 confirmations

APT 9 (biotech/pharma data theft, aka Nightshade Panda, Red Pegasus) - 64 confirmations

UNC5537 (financially motivated, aka Scattered Spider) - 51 confirmations

Threats Seen in April

The following examples highlight the kinds of malicious operations Augur uncovers and disrupts. Lead time is the number of days Augur flagged the IP before it was first reported by traditional intelligence sources. IPs are defanged with "[.]" so they cannot be clicked by accident.

Name             Type                  IP                  Lead Time
Vshell           OST Framework         89[.]125.244.117    120 days
Angler Malware   Exploit Kit           94[.]125.103.191    20 days
Trojan Agent     Malware               185[.]21.11.20      90 days
AdaptixC2        Pen Testing Toolkit   83[.]171.227.230    240 days
Pure Rat         Remote Access Tool    153[.]80.249.20     53 days

If you aren't already blocking these IP addresses, we highly recommend that you do so. Refang the addresses (replace "[.]" with ".") before loading them into a block list, and sanity-check each entry so that a copy/paste slip never lands a private or loopback address in a perimeter rule.
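As an added, runnable example (this is not Augur's code), the following Python turns the defanged table above into idempotent ipset/iptables block-list commands. It assumes the rows are copied inline as "name | type | ip | N days" (a constructed copy of the table), that defanging uses bracketed dots or hxxp, and that the target is a Linux host with ipset(8) and iptables(8); the set name augur-blocklist is an arbitrary choice. Addresses that are malformed or not globally routable are reported rather than blocked.

```python
"""Turn the defanged IOC table above into a validated ipset/iptables block list.

Added example, not Augur's code. Assumptions: IOCs are defanged with "[.]"
(and possibly hxxp), rows are "name | type | ip | N days", and the target is
a Linux host using ipset(8) + iptables(8). The set name is arbitrary.
"""
import ipaddress
import re

# Constructed inline copy of the table above, kept defanged exactly as published.
RAW_IOC_TABLE = """\
Vshell | OST Framework | 89[.]125.244.117 | 120 days
Angler Malware | Exploit Kit | 94[.]125.103.191 | 20 days
Trojan Agent | Malware | 185[.]21.11.20 | 90 days
AdaptixC2 | Pen Testing Toolkit | 83[.]171.227.230 | 240 days
Pure Rat | Remote Access Tool | 153[.]80.249.20 | 53 days
"""

_BRACKETED_DOT = re.compile(r"\s*[\[({]\s*\.\s*[\])}]\s*")  # "[.]", "(.)", "{.}"
_ROW = re.compile(
    r"^\s*(?P<name>[^|]+?)\s*\|\s*(?P<type>[^|]+?)\s*\|\s*(?P<ip>[^|]+?)\s*\|\s*(?P<lead>\d+)\s*days?\s*$"
)


def refang(text: str) -> str:
    """Undo common defanging: 89[.]125.244.117 -> 89.125.244.117, hxxp -> http."""
    text = _BRACKETED_DOT.sub(".", text)
    return re.sub(r"(?i)hxxp", "http", text)


def parse_iocs(raw: str) -> list[dict]:
    """Parse 'name | type | ip | N days' rows into dicts with refanged IPs."""
    rows = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unparseable IOC row: {line!r}")
        rows.append({"name": m["name"], "type": m["type"],
                     "ip": refang(m["ip"]), "lead_days": int(m["lead"])})
    return rows


def validate_ips(candidates):
    """Keep only well-formed, globally routable addresses.

    A defanging slip or a stray copy/paste can turn an IOC into 10.x.x.x,
    127.0.0.1 or garbage; pushing that into a perimeter block list is a
    self-inflicted outage, so such entries are reported instead of blocked.
    Returns (accepted, sorted and deduplicated; {rejected: reason}).
    """
    accepted, rejected = set(), {}
    for cand in candidates:
        try:
            addr = ipaddress.ip_address(cand.strip())
        except ValueError:
            rejected[cand] = "not a valid IP address"
            continue
        if not addr.is_global:
            rejected[cand] = "not globally routable (private/loopback/reserved)"
            continue
        accepted.add(addr)
    ordered = sorted(accepted, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered], rejected


def to_ipset_commands(ips, setname="augur-blocklist"):
    """Render ipset/iptables commands (IPv4 only: hash:ip defaults to family inet).

    '-exist' makes the commands idempotent so the script can be re-run on each
    new Threat Flash; the iptables line only inserts the DROP rule if it is missing.
    """
    if any(ipaddress.ip_address(ip).version != 4 for ip in ips):
        raise ValueError("IPv6 entries need a separate 'family inet6' set")
    cmds = [f"ipset create {setname} hash:ip -exist"]
    cmds += [f"ipset add {setname} {ip} -exist" for ip in ips]
    cmds.append(
        f"iptables -C INPUT -m set --match-set {setname} src -j DROP 2>/dev/null"
        f" || iptables -I INPUT -m set --match-set {setname} src -j DROP"
    )
    return cmds


if __name__ == "__main__":
    rows = parse_iocs(RAW_IOC_TABLE)
    # "10.0.0.1" is a constructed bad entry to show the routability guard firing.
    good, bad = validate_ips([r["ip"] for r in rows] + ["10.0.0.1"])
    for ip, why in bad.items():
        print(f"# skipped {ip}: {why}")
    print("\n".join(to_ipset_commands(good)))
```

Run it and pipe the output into a root shell on the enforcing host; because every ipset command carries -exist and the iptables rule is only inserted when the -C check fails, the same script can be re-run against each month's table without duplicating rules.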

Augur Highlights

Over the past few months, Augur has uncovered IPs and domains that were later leveraged in high-profile attacks, including the recent Salesforce/Salesloft breach, the SharePoint exploitation campaign, and the DPRK IT Worker scam.

Attack                 Threat Group                                                        Lead Time
Salesforce/Salesloft   UNC6040, UNC6395                                                    212 days
SharePoint Exploit     Storm-2603, Violet Typhoon (aka APT31), Linen Typhoon (aka APT27)   360+ days
DPRK IT Workers        Lazarus Group                                                       360+ days

Not every IP we uncover ends up in the headlines, but the overwhelming majority of the IPs and domains we identify are ultimately weaponized by threat actors to launch real-world attacks.

How Does Augur Work?

Augur uses ML-powered behavioral modeling to detect the buildup of cybercriminal infrastructure online before attacks are launched. We identify thousands of malicious IPs, IP ranges, and domains every month. Augur identifies threats on average 60 days before they are first reported by traditional sources. Our predictions are highly accurate, with a near-zero false-positive rate (0.01%), giving organizations using Augur preemptive protection against cyberattacks, zero-days, and novel threats.

The Augur Difference. Let Us Prove It To You.

Experience firsthand the benefits of preemptive cyber defense with a quick proof of value (POV). We can have you up and running in less than a day, and after 30 days you receive an Augur report detailing:

  • Threats Augur identified
  • Advance warning timelines
  • Data-driven insight on alert reduction and improved SOC efficiency

Click here to talk to an Augur specialist now.