| Website | https://www.spamhaus.org |
| Threat Intel Community | https://submit.spamhaus.org |
| https://www.linkedin.com/company/the-spamhaus-project | |
| https://twitter.com/spamhaus |
With a +338% ⬆️ increase, 🇨🇳 China-based telecoms provider “chinamobile[.]com” ranks #1 for hosting IP space associated with exploited devices, with 277,765 detections over the last 30 days.
Detections on the Exploits Blocklist began rising on April 19th, with a sharp spike between April 23rd and April 24th, increasing by over 40,000 detections (from 71,377 to 111,514).
👉 https://www.spamhaus.org/reputation-statistics/networks/exploit/
.bond (#6) operated by ShortDot S.A. continues to display patterns of high churn, with new domain registrations (1.13 million) almost equal to its total zone count (1.15 million) - 10–20% of new domains is considered unusually high.
But this reporting period .bond is not alone…
Three quarters of the Top 20 exceed this threshold 😱 - find out which ones in the latest Spamhaus Domain Update:
👉 https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-oct-2025-mar-2026/
Good news: over the past 30 days, activity has declined across almost all of the Top 20 countries hosting IPs associated with exploited devices.
Only four countries saw increases:
🇨🇳 #1 China (+19%)
🇮🇩 #6 Indonesia (+9%)
🇩🇿 #7 Algeria (+9%)
🇪🇬 #20 Egypt (+11%)
For a full picture of where activity is rising and falling globally, dig deeper into Spamhaus Reputations Statistics here ⤵️⤵️
https://www.spamhaus.org/reputation-statistics/countries/exploit/
We've identified additional suspicious routes (see image):
AS22521 and AS4183: Verizon Business 🇺🇸
AS22541: MEGALINK S.R.L. 🇧🇴
AS20940: Akamai International B.V.
AS18734: Operbes S.A. de C.V. 🇲🇽
They all lead back to Chicago. https://www.youtube.com/watch?v=gvKs2VLmVnY ⬇️
🌐 OUT NOW | Spamhaus Domain Report Oct 2025 - March 2026!
⬆️ 46.9 million new domains
⬇️ 2.15 million malicious domain detections
⬆️ Domains associated with botnet C&C’s (+289%) & malware (+206%)
🔄 .bond (and many more!) see high churn of new registrations
And find out which TLD has a massive 17.5% of its zone file listed 😱!
Read the full domain report here 👉 https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-oct-2025-mar-2026/
📢 FINAL REMINDER | From tomorrow we will start to restrict access to Oracle IP addresses querying our DNSBLs. To stay protected by the data, register for Spamhaus Technology's FREE Data Query Service - changes to config take minutes.
Sign up here 👇
https://www.spamhaus.com/data-access/free-data-query-service/
We've recently observed some unusual large-scale routes appearing on the internet (see image), involving the following networks:
AS393232: Comcast Cable Communications 🇺🇸
AS36429: Charter Communications 🇺🇸
AS41128: Orange 🇫🇷
AS13335: Cloudflare 🇺🇸
AS17072: Total Play Telecommunications 🇲🇽
AS270118: Soluciones, Analíticos Y Servicios Team (Stratosphere Technology Latam) 🇲🇽
AS199524: Gcore Labs 🇱🇺
The label "path (fixed)" indicates that identical paths were observed by several probes across the internet. This strongly suggests that AS199524 is the central pivot point behind these announcements.
While the first four paths have since disappeared, the most recent three remain active. ⬇️
💪 Contributor "mugufinder" has shared 2,731 domains over the past 30 days 🔥 That’s a +1,969% increase, landing them in the Top10 on the domain leaderboard! Incredible work!
Your ongoing support and submissions are what keep the threat intelligence flowing, thank you. ❤️🙏
Got malicious or suspicious IPs, domains, URLs, or raw source to share?
👉 Join the fight against cybercrime: https://submit.spamhaus.org/submit/
#CyberSecurity #ThreatIntelligence #ThreatHunting #Infosec #Community
📆 From next week we will start to restrict access to Oracle IP addresses querying our DNSBLs. To stay protected by the data register for Spamhaus Technology's FREE Data Query Service - it takes minutes to change config 👇
https://www.spamhaus.com/data-access/free-data-query-service/
