The 30-day view points to a clear conclusion: activity does not spread evenly, it concentrates around a small set of countries with strong corroboration. Notmining's latest Attack Correlation Report identifies 159 clusters, 23503 correlated publications, 2761 actors or users, and 183 countries, with a visible layer where public-facing exposure, defacement, DDoS, and ransomware coexist.
Strategic reading
The report runs in Many TA -> One Target mode and uses country as the primary dimension. That does more than count posts: it shows where different actors converge on the same geography and when that convergence starts to look like sustained operational pressure.
The first useful reading of the month is this: out of 159 detected clusters, only 10 enter the visible layer and 149 remain outside it because of thresholding. That matters. It means there is plenty of background activity, but the real analytical weight concentrates in a much smaller set of priority nodes.
- 159 clusters matched the current thresholds.
- 23503 publications were grouped into correlated activity.
- 2761 actors or users were represented in the visible sample.
- 183 countries were linked to clustered activity.
- 12042 points was the highest score in the current result set.
The report is not meant to provide final attribution. Its value lies in prioritization. When multiple sources, authors, and incident types accumulate around the same country, the output is not a final verdict, but it is far more valuable than a single isolated post or a flat chronological feed.
Countries under highest pressure
Montenegro leads the 30-day window with a score of 12042, 667 linked actors, 2536 supporting publications, and confirmed activity until 2026-05-28 15:53. The striking detail is not just cluster leadership, but persistence: on its own, it concentrates roughly 11% of all clustered publications in scope.
Behind Montenegro, pressure remains especially visible in several countries that combine volume, recurrence, and author diversity:
- United States: score 8860, 490 actors, and 1947 publications, mixing Ransomware, General Intel, Defacement, and DDoS Target.
- Russia: score 7718, 427 actors, and 1235 publications, with strong weight from General Intel and Defacement.
- Colombia: score 4234, 233 actors, and 1461 publications, where General Intel, Defacement, Ransomware, and DDoS Target stand out.
- British Indian Ocean Territory: score 3316, 182 actors, and 751 publications, with a mix of General Intel, Ransomware, Defacement, and DDoS Target.
Taken together, Montenegro, the United States, Russia, and Colombia account for 7179 publications, roughly 31% of all clustered activity in scope. That makes the picture far more interesting than any isolated number: a significant share of the month is concentrated around just a handful of geographies.
Dominant patterns
The most recurrent operational themes in the visible clusters were General Intel, Defacement, DDoS Target, and Ransomware. That matters because the month does not leave a single dominant storyline. Instead, it shows a mixed pressure surface where public-facing exposure, demonstrative activity, disruptive attacks, and extortion coexist.
The interesting detail here is that DDoS Target no longer sits at the edge of the visible output. Over 30 days, it enters the priority layer, suggesting that pressure against exposed assets and visible targets gains consistency when the temporal window is expanded. Excluding Alliance still makes sense: useful context, but not a decisive operational driver by itself.
When the same country appears with hundreds of actors, thousands of publications, and very recent activity, the right reading is not “more noise” but “more signal density”. That density is what turns accumulation into a pattern worth following.
What Stands Out Most
If the report is reduced to four useful takeaways, these are the ones that stand out most in the 30-day window:
- Montenegro clearly dominates the monthly sample and acts as the main concentration node of the period.
- The United States and Russia form a strong second layer of pressure with enough volume and diversity to rule out isolated spikes.
- Colombia and the British Indian Ocean Territory enter the visible top with unusual strength, widening the geographic reading beyond the countries that usually dominate the conversation.
- The combined weight of Defacement, DDoS, and Ransomware shows that the visible layer is not just exposure or chatter, but a mix of disruption, extortion, and reputational pressure.
Overall, the 30-day window reflects a landscape where pressure does not disappear: it consolidates around a few very visible nodes. That is what makes the report interesting. Not the absolute volume by itself, but the way that volume concentrates, repeats, and ends up drawing a much clearer operational map.