Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

Infy Hackers Strike Again With New C2 Servers After Iran's Internet Shutdown Ends

Infy group's new attack tactic  An Iranian hacking group known as Infy (aka Prince of Persia) has advanced its attack tactics to hide it...

All the recent news you need to know
Record DDoS Attack
AISURU Kimwolf botnet Android botnet malware Cloudflare DDoS report hyper volumetric DDoS malware Record DDoS Attack

AISURU/Kimwolf Botnet Behind Record 31.4 Tbps DDoS Attack, Cloudflare Reveals

 

A massive distributed denial-of-service (DDoS) assault reaching an unprecedented peak of 31.4 terabits per second (Tbps) has been attributed to the AISURU/Kimwolf botnet. The attack, which lasted just 35 seconds, is now being described as one of the largest hyper-volumetric DDoS events ever recorded.

Cloudflare said it automatically identified and blocked the activity, noting that the incident was part of a wider surge in hyper-volumetric HTTP DDoS attacks linked to AISURU/Kimwolf during the fourth quarter of 2025. The specific attack occurred in November 2025.

The botnet has also been associated with a separate campaign dubbed The Night Before Christmas, which began on December 19, 2025. According to Cloudflare, attacks observed during this campaign averaged 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps). At their peak, the attacks escalated to 9 Bpps, 24 Tbps, and 205 Mrps.

"DDoS attacks surged by 121% in 2025, reaching an average of 5,376 attacks automatically mitigated every hour," Cloudflare's Omer Yoachimik and Jorge Pacheco said. "In 2025, the total number of DDoS attacks more than doubled to an incredible 47.1 million."

The web infrastructure firm reported mitigating 34.4 million network-layer DDoS attacks throughout 2025, a sharp increase from 11.4 million in 2024. In the final quarter of 2025 alone, network-layer incidents represented 78% of all DDoS activity. Overall, DDoS attacks climbed 31% quarter-over-quarter and rose 58% compared to the previous year. 

Hyper-volumetric DDoS attacks also saw a significant rise, increasing by 40% in Q4 2025 compared to the previous quarter, jumping from 1,304 to 1,824 incidents. Earlier in the year, Q1 2025 recorded 717 such attacks. Alongside the growing frequency, the scale of these attacks expanded dramatically, with sizes increasing by more than 700% compared to large-scale incidents observed in late 2024.

AISURU/Kimwolf is believed to have compromised over 2 million Android devices, largely unbranded Android TVs, which were absorbed into its botnet. Many of these infections were facilitated through residential proxy networks such as IPIDEA. In response, Google recently disrupted the proxy service and initiated legal action to dismantle dozens of domains used to manage infected devices and route proxy traffic.

Google also collaborated with Cloudflare to interfere with IPIDEA’s domain resolution capabilities, significantly weakening the operators’ command-and-control infrastructure.

“As part of the Google-led disruption effort, Cloudflare participated by suspending access to many accounts and domains that were misusing its infrastructure," Cloudflare told The Hacker News over email. "Threat actors were attempting to distribute malware and provide markets for people seeking access to the network of illicit residential proxies."

Investigations suggest that IPIDEA recruited infected devices using at least 600 malicious Android applications embedded with proxy SDKs, along with more than 3,000 trojanized Windows executables masquerading as OneDriveSync tools or Windows updates. The Beijing-based firm has also promoted VPN and proxy applications that covertly transformed users’ Android devices into proxy exit nodes without their awareness or permission.

Additionally, threat actors have been identified operating more than a dozen residential proxy services posing as legitimate businesses. These offerings, despite appearing separate, are all reportedly connected to a centralized infrastructure controlled by IPIDEA.

Cloudflare highlighted several additional trends observed during Q4 2025. Telecommunications companies, service providers, and carriers were the most targeted industries, followed by IT services, gambling, gaming, and software sectors. The most attacked countries included China, Hong Kong, Germany, Brazil, the United States, the United Kingdom, Vietnam, Azerbaijan, India, and Singapore.

Bangladesh overtook Indonesia as the largest source of DDoS traffic globally, with Ecuador, Indonesia, Argentina, Hong Kong, Ukraine, Vietnam, Taiwan, Singapore, and Peru also ranking among the top origins of attack traffic.

"DDoS attacks are rapidly growing in sophistication and size, surpassing what was previously imaginable," Cloudflare said. "This evolving threat landscape presents a significant challenge for many organizations to keep pace. Organizations currently relying on on-premise mitigation appliances or on-demand scrubbing centers may benefit from re-evaluating their defense strategy."
Read more »
Notepad++
Chinese Actors Cyber Attacks Cyberattack Databreach Notepad++

A Quiet Breach of a Familiar Tool, Notepad++

For six months last year the update system of Notepad++, one of the world’s most widely used Windows text editors, was quietly subverted by hackers linked by investigators to the Chinese state. The attackers used their access not to disrupt the software openly, but to deliver malicious versions of it to carefully chosen targets. 

According to a statement published this week on the project’s official website, the intrusion began in June with an infrastructure-level compromise that allowed attackers to intercept and redirect update traffic meant for notepad-plus-plus.org. Selected users were silently diverted to rogue update servers and served backdoored versions of the application. Control over the update infrastructure was not fully restored until December. 

The developers said the attackers exploited weaknesses in how older versions of Notepad++ verified updates. By manipulating traffic between users and the update servers, they were able to substitute legitimate downloads with malicious ones. 

Although update packages were signed, earlier design choices meant those signatures were not always robustly checked, creating an opening for tampering by a well-resourced adversary. Security researchers say the campaign was highly targeted. 

The attackers installed a previously unknown backdoor, dubbed Chrysalis, which Rapid7 described as a custom and feature-rich tool designed for persistent access rather than short-term disruption. Such sophistication suggests strategic objectives rather than criminal opportunism. 

Independent researcher Kevin Beaumont reported that several organisations with interests in East Asia experienced hands-on intrusions linked to compromised Notepad++ installations, indicating that attackers were able to take direct control of affected systems. 

He had raised concerns months earlier after a Notepad++ update quietly strengthened its updater against hijacking. The episode underlines a broader vulnerability in the global software supply chain. Open-source tools such as Notepad++ are deeply embedded in corporate and government systems, yet are often maintained with limited resources. That imbalance makes them attractive targets for state-backed hackers seeking discreet access rather than noisy disruption. 

Notepad++ developers have urged users to update manually to the latest version and large organisations to consider restricting automated updates. The incident also serves as a reminder that even modest, familiar software can become a conduit for serious espionage when its infrastructure is neglected.
Read more »
Exposed Credentials
8-Minute Attack AI Cloud Breach AWS Hijack Cyber Attacks Exposed Credentials

AI Hijacks AWS Cloud in 8 Minutes via Exposed Keys

 

An AI-assisted cyberattack hijacked a company's AWS cloud infrastructure in just eight minutes after attackers discovered exposed test credentials in a public S3 bucket, demonstrating how configuration errors can fuel lightning-fast breaches in the era of automated threats. This incident, uncovered by Sysdig's Threat Research Team on November 28, 2025, exposed vulnerabilities in cloud access management and the growing role of large language models (LLMs) in offensive operations.

The breach began with a simple oversight: credentials named with "AI" references sat openly in an S3 bucket, ripe for discovery during routine scans. Despite a ReadOnlyAccess policy limiting initial access, the intruder launched a massive enumeration campaign, probing Secrets Manager, RDS databases, and CloudWatch logs to blueprint the entire environment without raising alarms. This reconnaissance phase set the stage for rapid escalation, underscoring how even restricted keys can serve as footholds for deeper intrusions.

Attackers then pivoted to code injection on Lambda functions, iteratively tampering with one called EC2-init until they commandeered an account named "frick," granting full administrative privileges. They compromised 19 distinct AWS principals, enabling abuse of Bedrock AI models like Claude 3.5 Sonnet and DeepSeek R1, alongside attempts to launch a "stevan-gpu-monster" GPU instance that could have racked up £18,000 ($23,600) in monthly costs. Sysdig researchers identified LLM hallmarks, including Serbian-commented code, hallucinated AWS IDs like "123456789012," and phantom GitHub references, confirming AI's hand in accelerating the assault.

To evade detection, the threat actor cycled through an IP rotator and 19 identities, attempting lateral movement via default roles like OrganizationAccountAccessRole in a multi-account setup. This stealthy persistence highlights evolving tactics where AI not only speeds execution but also enhances obfuscation, turning minutes-long attacks into prolonged threats if undetected.

Experts warn that mundane errors like exposed keys—not novel exploits—drive such incidents, urging organizations to ditch static credentials for short-lived IAM roles, harden automated accounts, and monitor for anomalous enumeration spikes. As breaches shrink from days to minutes, AI-aware defenses must match this pace to protect cloud assets effectively.
Read more »
social engineering attacks
Android Android Spyware Cloud Infrastructure Abuse Hugging Face Abuse malware Mobile Credential Theft Mobile Security Threats Remote Access Trojan social engineering attacks

Threat Actors Leverage Hugging Face to Spread Android Malware at Scale


 

Initially appearing as a routine security warning for mobile devices, this warning has evolved into a carefully engineered malware distribution pipeline. Researchers at Bitdefender have identified an Android campaign utilizing counterfeit security applications that serve as the first stage droppers for remote access Trojans, known as TrustBastion. 

The operators have opted not to rely on traditional malware hosting infrastructure, but have incorporated their delivery mechanism into Hugging Face's public platform, allowing it to conceal malicious activity through its reputation and traffic profile. 

Social engineering is used to drive the infection chain, with deceptive ads and fabricated threat alerts causing users to install the malware. The app silently retrieves a secondary payload from Hugging Face once it has been installed on the device, providing persistence via extensive permission abuse. 

At scale, the campaign is distinguished by a high degree of automation, resulting in thousands of distinct Android package variants, thereby evading signature-based detection and complicating attribution, thus demonstrating the shift toward a more industrialized approach to mobile malware. 

Using this initial foothold as a starting point, the campaign illustrates how trusted developer infrastructure can be repurposed to support a large-scale theft of mobile credentials. As a consequence, threat actors have been using Hugging Face as a distribution channel for thousands of distinct Android application packages that were designed to obtain credentials related to widely used financial, banking, and digital payment services.

Generally, Hugging Face is regarded as a low-risk domain, meaning that automated security controls and suspicion from users are less likely to be triggered by this site's hosting and distribution of artificial intelligence, natural language processing, and machine learning models.

Despite the fact that the platform has previously been abused to host malicious AI artifacts, Bitdefender researchers point out that its exploitation as a delivery channel for Android malware constitutes an intentional attempt to disguise the payload as legitimate development traffic. It has been determined that the infection sequence begins with the installation of an application disguised as a mobile security solution known as TrustBastion. 

Using scareware-style advertisements, the app presents fake warnings claiming that the device has been compromised, urging immediate installation to resolve alleged threats, including phishing attempts, fraudulent text messages, and malware. 

Upon deployment, the application displays a mandatory update prompt which is closely similar to that of Google Play, thereby reinforcing the illusion of legitimacy. In lieu of embedding malicious code directly, the dropper contacts infrastructure associated with the trustbastion[.]com domain, which redirects the user to a repository containing Hugging Face datasets. 

After retrieving the final malicious APK via Hugging Face's content delivery network, the attackers complete a staged payload delivery process that complicates detection and allows them to continuously rotate malware variants with minimal operational overhead, complicating detection. This stage demonstrates why Hugging Face was purposefully integrated into the attacker's delivery chain during this phase of the operation. 

It is common for security controls to flag traffic from newly registered or low-reputation domains quickly, causing threat actors to route malicious activity through well-established platforms that blend into normal network behavior, resulting in the use of well-established platforms.

TrustBastion droppers are not designed to retrieve spyware directly from attacker-controlled infrastructure in this campaign. Rather than hosting the malware itself, it initiates a request to a website associated with the trustbastion[. ]com domain, which serves as an intermediary rather than as a hosting point for it.

The server response does not immediately deliver a malicious application package. The server returns a HTML resource that contains a redirect link to a Hugging Face repository where the actual malware can be found. By separating the initial contact point from the final malware host, the attackers introduce additional indirection, which makes static analysis and takedown efforts more challenging. 

According to Bitdefender, the malicious datasets were removed after being notified by Hugging Face before publication of its findings. Telemetry indicates the campaign had already reached a significant number of victims before the infrastructure was dismantled, despite the swift response. Furthermore, analysis of the repositories revealed unusually high levels of activity over a short period of time. 

A single repository accumulated over 6,000 commits within a month, indicating that it was fully automated. A new payload was generated and committed approximately every 15 minutes, according to Bitdefender. A number of repositories were taken offline during the campaign, but the campaign displayed resilience by reappearing under alternative redirect links, using the same core codebase and only minor cosmetic changes to the icons and application metadata. 

The operators further undermined traditional defense effectiveness by utilizing polymorphic techniques throughout the payloads they used. The uploaded APKs were freshly constructed, retaining identical malicious capabilities while introducing small structural changes intended to defeat hash-based detection. 

It was noted by Bitdefender that this approach increased evasion against signature-driven tools, but that the malware variants maintained consistent behavioral patterns, permission requests, and network communication traits, which made them more susceptible to behavioral and heuristic analysis in the future. 

After installation, the malware presents itself as a benign "Phone Security" feature and guides users through the process of enabling Android Accessibility Services. This step allows the remote access trojan to obtain extensive information about user activity and on-screen activity. In order to monitor activity in real time, capture sensitive screen content, and relay information to the malware's command and control servers, additional permissions are requested. 

By impersonating legitimate financial and payment applications, such as Alipay and WeChat, this malware enhances the threat. By intercepting credentials and collecting lock-screen verification information, it becomes a full-spectrum tool to collect credentials and spy on mobile devices. 

In a defensive perspective, this campaign reminds us that trust in popular platforms can be strategically exploited if security assumptions are not challenged. By combining legitimate developer infrastructure abuse with high levels of automation and polymorphic payload generation, traditional indicators alone cannot detect these types of attacks. 

For Bitdefender's users, the findings reinforce the importance of identifying such threats earlier in the infection chain through behavioral analysis, permission monitoring, and anomaly-based network inspection. Users are advised to take precautions when responding to unsolicited security alerts or applications requesting extensive system privileges based on the findings.

Additionally, the operation highlights the growing adoption of cloud-native distribution models by malicious mobile malware actors, emphasizing the importance of platform providers, security vendors, and enterprises collaborating more closely to monitor abuse patterns and respond quickly to emerging misuses of trusted ecosystems.
Read more »
Orchid security
Audit Cyber Security IAM identity Online Authentication Orchid security

Orchid Security Launches Tool to Monitor Identity Behavior Across Business Applications

 



Modern organizations rely on a wide range of software systems to run daily operations. While identity and access management tools were originally designed to control users and directory services, much of today’s identity activity no longer sits inside those centralized platforms. Access decisions increasingly happen inside application code, application programming interfaces, service accounts, and custom login mechanisms. In many environments, credentials are stored within applications, permissions are enforced locally, and usage patterns evolve without formal review.

As a result, substantial portions of identity activity operate beyond the visibility of traditional identity, privileged access, and governance tools. This creates a persistent blind spot for security teams. The unseen portion of identity behavior represents risk that cannot be directly monitored or governed using configuration-based controls alone.

Conventional identity programs depend on predefined policies and system settings. These approaches work for centrally managed user accounts, but they do not adequately address custom-built software, legacy authentication processes, embedded secrets, non-human identities such as service accounts, or access routes that bypass identity providers. When these conditions exist, teams are often forced to reconstruct how access occurred after an incident or during an audit. This reactive process is labor-intensive and does not scale in complex enterprise environments.

Orchid Security positions its platform as a way to close this visibility gap through continuous identity observability across applications. The platform follows a four-part operational model designed to align with how security teams work in practice.

First, the platform identifies applications and examines how identity is implemented within them. Lightweight inspection techniques review authentication methods, authorization logic, and credential usage across both managed and unmanaged systems. This produces an inventory of applications, identity types, access flows, and embedded credentials, establishing a baseline of how identity functions in the environment.

Second, observed identity activity is evaluated in context. By linking identities, applications, and access paths, the platform highlights risks such as shared or hardcoded secrets, unused service accounts, privileged access that exists outside centralized controls, and differences between intended access design and real usage. This assessment is grounded in what is actually happening, not in what policies assume should happen.

Third, the platform supports remediation by integrating with existing identity and security processes. Teams can rank risks by potential impact, assign ownership to the appropriate control teams, and monitor progress as issues are addressed. The goal is coordination across current controls rather than replacement.

Finally, because discovery and analysis operate continuously, evidence for governance and compliance is available at all times. Current application inventories, records of identity usage, and documentation of control gaps and corrective actions are maintained on an ongoing basis. This shifts audits from periodic, manual exercises to a continuous readiness model.

As identity increasingly moves into application layers, sustained visibility into how access actually functions becomes essential for reducing unmanaged exposure, improving audit preparedness, and enabling decisions based on verified operational data rather than assumptions.

Read more »
Wi-Fi security tips
Firmware Updates home security cameras IoT hacking risks protect smart devices smart home security Technology Wi-Fi security tips

Smart Homes Under Threat: How to Reduce the Risk of IoT Device Hacking

 

Most households today use some form of internet of things (IoT) technology, whether it’s a smartphone, tablet, smart plugs, or a network of cameras and sensors. Learning that nearly 120,000 home security cameras were compromised in South Korea and misused for sexploitation footage is enough to make anyone reconsider adding connected devices to their living space. After all, the home is meant to be a private and secure environment.

Although all smart homes carry some level of risk, widespread hacking incidents are still relatively uncommon. Cybercriminals targeting smart homes tend to be opportunistic rather than strategic. Instead of focusing on a particular household and attempting to break into a specific system, they scan broadly for devices with weak or misconfigured security settings that can be exploited easily.

The most effective way to safeguard smart home devices is to avoid being an easy target. Unfortunately, many of the hacking cases reported in the media stem from basic security oversights that could have been prevented with simple precautions.

How to Protect Your Smart Home From Hackers

Using weak passwords, neglecting firmware updates, or leaving Wi-Fi networks exposed can increase the risk of unauthorized access—even if the overall threat level remains low. Below are key steps homeowners can take to strengthen smart home security.

1. Use strong and unique passwords
Hackers gaining access to baby monitors and speaking through two-way audio is often the result of unchanged default passwords. Weak or reused passwords are easy to guess, especially if they have appeared in previous data breaches. Each smart device and account should have a strong, unique password to make attacks more difficult and less appealing.

2. Enable two-factor or multi-factor authentication
Multi-factor authentication adds an extra layer of protection by requiring a second form of verification beyond a password. Even if login credentials are compromised, attackers would still need additional approval. Many major smart home platforms, including Amazon, Google, and Philips Hue, support this feature. While it may add a small inconvenience during login, the added security is well worth the effort.

3. Secure your Wi-Fi network
Wi-Fi security is often overlooked but plays a critical role in smart home protection. Using WPA2 or WPA3 encryption and changing the router’s default password are essential steps. Limiting who has access to your Wi-Fi network also helps. Creating separate networks—one for personal devices and another exclusively for IoT devices—can further reduce risk by isolating smart home hardware from sensitive data.

4. Keep device firmware updated
Manufacturers regularly release firmware updates to patch newly discovered vulnerabilities. Enabling automatic updates ensures devices receive these fixes promptly. Keeping firmware current is one of the simplest and most effective ways to close security gaps.

5. Disable unnecessary features
Features that aren’t actively used can create additional entry points for attackers. If remote access isn’t needed, disabling it can significantly reduce exposure—particularly for devices with cameras. It’s also advisable to turn off Universal Plug and Play (UPnP) on routers and decline unnecessary integrations or permissions that don’t serve a clear purpose.

6. Research brands before buying
Brand recognition alone doesn’t guarantee strong security. Even well-known companies such as Wyze, Eufy, and Google have faced security issues in the past. Before purchasing a smart device, it’s important to research the brand’s security practices, data protection policies, and real-world user experiences. If features like local-only storage are important, they should be verified through reviews, forums, and independent evaluations.

Smart homes offer convenience and efficiency, but they also demand responsibility. By following basic cybersecurity practices and making informed purchasing decisions, homeowners can significantly reduce risks and enjoy the benefits of connected living with greater peace of mind.
Read more »
Subscribe to: Comments (Atom)

Featured