โ† Back to Blog
Security Briefing 12 min read March 14, 2026

INTERPOL Dismantles 45K Malicious IPs, Google Patches 2 Chrome Zero-Days, SocksEscort Botnet Seized

INTERPOL Operation Synergia III takes down 45,000 malicious IPs and arrests 94 across 72 countries. Google emergency-patches 2 Chrome zero-days exploited in attacks. SocksEscort proxy botnet with 369,000 IPs dismantled. Chinese APT CL-STA-1087 targets Southeast Asian militaries. Starbucks discloses employee data breach. Storm-2561 distributes fake enterprise VPN clients. Poland's nuclear research centre targeted by cyberattack.


1. INTERPOL Operation Synergia III: 45,000 Malicious IPs Sinkholed

๐Ÿšจ MAJOR LAW ENFORCEMENT ACTION โ€” 72 Countries, 94 Arrests

INTERPOL has announced the takedown of 45,000 malicious IP addresses and servers used for phishing, malware, and ransomware campaigns as part of Operation Synergia III, the largest coordinated cybercrime crackdown this year.

The operation spanned 72 countries and territories, resulting in 94 arrests with another 110 individuals under active investigation. A total of 212 electronic devices and servers were seized during raids at key locations worldwide.

Notable regional outcomes include:

MetricDetails
IPs/Servers taken down45,000+
Countries involved72
Arrests94 (110 more under investigation)
Devices seized212
ScopePhishing, malware, ransomware infrastructure

Significance: This operation demonstrates the growing effectiveness of international law enforcement coordination against cybercrime infrastructure. However, the sheer scale โ€” 45,000 IPs โ€” underscores how vast the criminal infrastructure remains.


2. Google Patches 2 Chrome Zero-Days Exploited in Attacks

๐Ÿšจ CRITICAL โ€” Emergency Update Required Immediately

Google has released emergency security updates to patch two high-severity Chrome vulnerabilities that were actively exploited as zero-days in real-world attacks before patches were available.

Both vulnerabilities are rated high-severity and were exploited in targeted attacks. Google has withheld specific technical details until a majority of users have updated, following its standard responsible disclosure practice.

This marks Google's continued battle against Chrome zero-day exploitation โ€” following the trend of 90 zero-days tracked in 2025 alone. Chrome remains the world's most-used browser with over 3 billion users, making any zero-day exploitation extremely high-impact.

Action Required: Update Chrome immediately via chrome://settings/help. Restart browser after update. Enterprise admins should push updates via Group Policy or MDM. Consider enabling Chrome's Enhanced Protection mode for high-risk users.


3. SocksEscort Proxy Botnet Dismantled โ€” 369,000 IPs Across 163 Countries

๐Ÿšจ CRITICAL โ€” Massive Criminal Proxy Network Taken Down

A court-authorized international operation has dismantled SocksEscort, a criminal proxy service that enslaved thousands of residential routers into a botnet used for large-scale fraud, offering access to 369,000 IP addresses across 163 countries.

SocksEscort infected home and small business internet routers with malware, then sold proxy access through compromised devices to criminals who needed to mask their true location. The service has been operating since summer 2020.

DetailInformation
Total IPs offered369,000 across 163 countries
Active infected routers~8,000 (as of Feb 2026)
US-based infections2,500
Operating sinceSummer 2020
Service claims"Static residential IPs, unlimited bandwidth"

Action Required: Check home routers for unusual behavior or unknown firmware modifications. If you suspect compromise, factory-reset and update firmware immediately. SMBs should audit all edge network devices.


4. Chinese APT Targets Southeast Asian Militaries with Custom Malware

โš ๏ธ STATE-SPONSORED ESPIONAGE โ€” Multi-Year Campaign Since 2020

A suspected China-linked APT tracked as CL-STA-1087 has targeted Southeast Asian military organizations in a sophisticated cyber espionage campaign running since at least 2020, deploying custom malware dubbed AppleChris and MemFun.

Palo Alto Networks Unit 42 reports the campaign demonstrates "strategic operational patience" โ€” rather than bulk data theft, attackers focused on highly targeted intelligence collection, specifically searching for files related to:

The campaign exhibits hallmarks of advanced persistent threat operations including carefully crafted delivery methods, defense evasion strategies, highly stable operational infrastructure, and custom tooling that avoids detection by commercial security products.

NIS2 Relevance: This campaign highlights the persistent state-sponsored threat to defense and critical infrastructure sectors. Organizations in the EU defense supply chain must ensure their NIS2 incident reporting capabilities can detect and respond to similar long-dwell campaigns.


5. Starbucks Discloses Employee Data Breach

โš ๏ธ DATA BREACH โ€” Employee Partner Central Accounts Compromised

Starbucks has disclosed a data breach affecting hundreds of employees after threat actors gained unauthorized access to Starbucks Partner Central accounts โ€” the company's internal employee portal.

While the full scope of compromised data has not been disclosed, Partner Central typically contains employee personal information, pay details, schedules, and benefits data. Starbucks is notifying affected employees and providing credit monitoring services.

Key Takeaway: Internal employee portals remain high-value targets. Organizations should enforce MFA on all employee-facing systems, implement anomalous login detection, and regularly audit access patterns โ€” especially for portals containing PII and financial data.


6. Fake Enterprise VPN Sites Steal Corporate Credentials

โš ๏ธ ACTIVE CAMPAIGN โ€” Storm-2561 Targeting Enterprise Networks

A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet through convincing lookalike download sites to steal VPN credentials from unsuspecting corporate users.

The campaign targets employees searching for VPN client downloads or troubleshooting connection issues. Fake sites closely mimic legitimate vendor download pages, and the malicious installers function as real VPN clients while simultaneously harvesting credentials in the background.

Action Required:


7. Poland's Nuclear Research Centre Targeted by Cyberattack

Poland's National Centre for Nuclear Research (NCBJ) has confirmed that hackers targeted its IT infrastructure in a cyberattack that was detected and blocked before causing any impact. While details are limited, the targeting of nuclear research facilities represents a critical escalation in the threat to European critical infrastructure.

This incident follows a broader pattern of nation-state actors targeting nuclear and energy infrastructure across Europe โ€” particularly concerning given the current geopolitical climate and NIS2 requirements for critical infrastructure operators.

NIS2 Implication: Nuclear facilities fall under NIS2's "essential entities" classification with the strictest requirements. This incident will likely accelerate compliance enforcement across the EU energy sector.


8. FBI Seeks Victims of Malicious Steam Games

The FBI is asking gamers who installed Steam titles containing malware to provide information as part of an ongoing investigation into eight malicious games uploaded to the popular gaming platform.

The games were uploaded to Steam's marketplace and contained hidden malware that compromised player systems. While Valve has removed the titles, anyone who installed them may have been compromised. The FBI is building cases against the developers behind these malicious uploads.

Action Required: If you installed any suspicious Steam games recently removed from the platform, run a full malware scan and contact the FBI's IC3 portal. Organizations should ensure gaming platforms are restricted on corporate devices.


More Headlines

StoryImpact
VENON Rust Banking MalwareFirst Rust-based banking trojan targets 33 Brazilian banks with credential-stealing overlays
Microsoft Outlook Sync IssuesClassic Outlook desktop client experiencing email synchronization and connection problems
Windows 11 Samsung C: Drive BugFebruary 2026 updates cause Samsung laptop users to lose C: drive access
Loblaw Customer Data BreachCanadian retail giant forces all customer account logouts after security incident

How KENSAI Protects You

โœ… Threat Intelligence Feeds โ€” Correlate your attack surface against INTERPOL-flagged infrastructure and known malicious IPs in real-time

โœ… Browser Vulnerability Tracking โ€” Instant alerts for Chrome and browser zero-days affecting your organization's endpoints

โœ… Edge Device Scanning โ€” Detect compromised routers and network appliances before they're enrolled in criminal proxy networks

โœ… VPN Security Validation โ€” Verify VPN client integrity and detect credential-harvesting lookalike infrastructure

โœ… NIS2 Compliance Monitoring โ€” Continuous compliance tracking for critical infrastructure entities including nuclear, energy, and defense sectors


Recommended Actions

  1. Immediate: Update Google Chrome to latest version. Verify VPN clients were downloaded from official sources only. Check routers for SocksEscort indicators.
  2. Today: Brief security teams on Storm-2561 fake VPN campaign. Review employee portal MFA enforcement. Audit network edge devices.
  3. This Week: Cross-reference threat feeds with INTERPOL-flagged IPs. Restrict Steam/gaming installs on corporate devices. Review critical infrastructure incident response plans.
  4. Ongoing: Monitor for state-sponsored APT indicators targeting defense supply chains. Maintain NIS2 incident reporting readiness. Track VENON malware evolution for banking sector clients.

Protect Your Organization with KENSAI

AI-powered vulnerability scanning and continuous security monitoring. Start your free scan today.

Start Free Scan โ†’

Stay secure. Stay vigilant.

๐Ÿ—ก๏ธ KENSAI Security Team

๐Ÿ›ก๏ธ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free โ†’

Related Articles

INTERPOL dรฉmantรจle 45 000 IPs malveillantes SentinelOne ุชุฑุณู… ุณู„ุณู„ุฉ ุงุฎุชุฑุงู‚ ู…ู† 8 ู…ุฑุงุญู„ุŒ SANS ุชูุจู„ุบ ุนู† ุฅุนุงุฏุฉ ุชุดูƒูŠู„ ุงู„ุฐูƒุงุก ุงู„ุงุตุท trending-posts