Nothing Like AugurHow It WorksGet AccessLearn More

Threat Flash:

74K MALICIOUS IPs

CONFIRMED IN MARCH

Threat Research Team
Download PDF

April was another strong month for confirmations at Augur. 73,835 malicious IP addresses predicted by our patented predictive threat intelligence were independently confirmed as malicious by third-party intelligence. While it wasn’t a record like in March, it is well above 2025's monthly average, providing further evidence that cyber threats continue to accelerate and continued proof of Augur's ability to surface emerging threat infrastructure well before conventional feeds catch up.

While some preemptive security vendors focus on lower-level risks such as domain lookalikes and basic spoofing activity, Augur targets the operational backbone of more sophisticated cyber campaigns. It identifies the command-and-control servers, exfiltration staging nodes, and delivery infrastructure that advanced threat actors depend on. This includes infrastructure established by nation-state groups, ransomware operators, and organized cybercriminal networks, often well before their activities escalate into public-facing incidents.

Seen in April

The following examples highlight the kinds of malicious operations Augur uncovers and disrupts.

Name Type IP Lead Time
Remus 64-bit info stealer 5[.]231.25.31 80 days
Chaos Linux malware 185[.]28.84.202 300 days
Go2Tunnel SSH tunneling tool 85[.]239.55.134 +360 days
Matanbuchus MaaS Loader 85[.]208.84.242 120 days
IClickFix WordPress Malware 91[.]92.33.149 260 days

If you aren’t already blocking these IP addresses, we highly recommend that you do so.

Augur Highlights

Over the past few months, Augur has uncovered IPs and domains that were later leveraged in high-profile attacks, including the recent Salesforce/Salesloft breach, the SharePoint exploitation campaign, and the DPRK IT Worker scam.

Attack Threat Group Lead Time
Salesforce/Salesloft UNC6040
UNC6395		 212 days
SharePoint Exploit Storm‑2603
Violet Typhoon (AKA APT31)
Linen Typhoon (AKA APT27)		 360+ days
DPRK IT Workers Lazarus Group 360+ days

Not every IP we uncover ends up in the headlines, but the overwhelming majority of the IPs and domains we identify are ultimately weaponized by threat actors to launch real-world attacks.

How Does Augur Work?

Augur uses ML-powered behavioral modeling to detect the buildup of cybercriminal infrastructure online before attacks. We identify thousands of malicious IPs, IP ranges, and domains every month. Augur identifies threats on average 60 days before they’re first reported by traditional sources. Our predictions are highly accurate, with a near-zero false-positive rate (0.01%), providing organizations using Augur with preemptive protection against cyberattacks, zero-days, and novel threats.

The Augur Difference. Let Us Prove It To You.

Experience firsthand the benefits of preemptive cyber defense with a quick proof of value (POV). We can have you up and running in less than a day, and after 30 days, get an Augur report detailing:

  • Threats Augur identified
  • Advance warning timelines
  • Data-driven insight on alert reduction and improved SOC efficiency

Click here to talk to an Augur specialist now.

Augur Security
4660 La Jolla Village Dr. # 100 San Diego, CA 92122 USA
(888) 521-5857
Terms & ConditionsPrivacy Policy
© COPYRIGHT 2026 AUGUR SECURITY