Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label DDOS Attacks. Show all posts
malware
Aisuru botnet Android Malware Black Lotus Labs command and control servers cybersecurity research DDOS Attacks Kimwolf botnet Lumen security malware

Lumen Disrupts Aisuru–Kimwolf Botnet Powering Massive DDoS Attacks

 

Lumen Technologies’ Black Lotus Labs has successfully disrupted more than 550 command-and-control (C2) servers connected to the Aisuru and Kimwolf botnets, a large-scale malicious infrastructure widely used for distributed denial-of-service (DDoS) attacks and residential proxy abuse.

Aisuru operates as a DDoS-for-hire platform and deliberately avoids targeting government and military entities. However, broadband service providers have borne the brunt of its activity, with attacks surpassing 1.5Tb/sec originating from compromised customer devices, causing severe service interruptions.

Similar to other TurboMirai-based botnets, Aisuru includes enhanced DDoS capabilities alongside multifunctional features. These allow threat actors to engage in a range of illegal operations such as credential stuffing, AI-powered web scraping, spam campaigns, phishing attacks, and proxy services.

The botnet launches assaults using UDP, TCP, and GRE flood techniques, leveraging medium-sized packets with randomized ports and flags. Traffic volumes exceeding 1Tb/sec from infected customer premises equipment (CPEs) have disrupted broadband networks, while packet floods surpassing 4 billion packets per second have led to router line card failures.

Kimwolf, a recently identified Android-based botnet closely associated with Aisuru, has compromised more than 1.8 million devices and generated over 1.7 billion DDoS commands, according to cybersecurity firm XLab.

Primarily targeting Android TV boxes, the Kimwolf botnet is built using the Android NDK and includes capabilities such as DDoS attacks, proxy forwarding, reverse shell access, and file management. To conceal its operations, it encrypts sensitive information using a simple Stack XOR method, employs DNS over TLS for communication obfuscation, and verifies C2 commands through elliptic curve digital signatures. Newer variants also use EtherHiding, leveraging blockchain-based domains to evade takedown efforts.

Kimwolf variants follow a consistent naming convention of “niggabox + v[number],” with versions v4 and v5 currently observed in the wild. Researchers who seized control of a single C2 domain recorded interactions from approximately 2.7 million IP addresses within three days, reinforcing estimates that infections exceed 1.8 million devices. The botnet’s globally distributed infrastructure, multiple C2 servers, and varied versions make precise infection counts difficult.

Although Kimwolf borrows elements from the Aisuru codebase, its operators significantly modified it to avoid detection. While traffic proxying is its primary function, the botnet is capable of executing large-scale DDoS campaigns. This was evident during a three-day window between November 19 and 22, when it issued 1.7 billion attack commands.

Lumen observed daily bot traffic to Aisuru C2 servers rise sharply from 50,000 to 200,000 connections in September 2025. Upon validating the emergence of a new botnet, the company blocked the traffic and null-routed more than 550 C2 servers.

By examining C2 infrastructure and residential proxy traffic, researchers traced links to Canadian IP addresses and shared this intelligence with law enforcement agencies.

“The Canadian IPs in question were using SSH to access 194.46.59[.]169, which resolved to proxy-sdk.14emeliaterracewestroxburyma02132[.]su. In short order, we would learn that the Aisuru backend C2 we were tracking adopted the domain name client.14emeliaterracewestroxburyma02132[.]su, a similarity that further tied these servers together” reads the report published by Lumen.

In early October, Black Lotus Labs detected infrastructure shifts signaling the rise of the Kimwolf botnet. Its growth was rapid, adding hundreds of thousands of infected devices within weeks, largely through exploitation of insecure residential proxy services. By mid-October, infections had reached approximately 800,000 devices, with the botnet actively scanning proxy networks to accelerate expansion.

Black Lotus Labs initiated disruption efforts against Kimwolf in October by swiftly null-routing its C2 servers. While operators were able to reestablish operations within hours, Lumen persistently blocked new infrastructure as it surfaced. Through continuous monitoring, collaboration with industry partners, and integration of threat indicators into its security products, Lumen worked to reduce the botnet’s operational capacity over time.

“To date, we have null-routed over 550 Aisuru/Kimwolf servers in 4 months as part of our efforts to combat this botnet, leading its operators to some distress, as noted in Xlabs’ post, showing the actors addressing Lumen with profanity in one DDoS payload” concludes the report.


Read more »
France
Bank Data Bank Security Banking Cyberattack Cyber Attacks DDoS DDOS Attacks France

France Postal and Banking Services Disrupted by Suspected DDoS Cyberattack

 

France’s national postal and banking services faced major disruption following a suspected distributed denial-of-service (DDoS) attack that affected key digital systems. La Poste, the country’s postal service, described the incident as a significant network issue that impacted all of its information systems, forcing the temporary suspension of several online services. The disruption affected both postal and banking operations at a national level. 

As a result of the incident, La Poste’s website, mobile application, online mail services, and digital banking platforms were taken offline. While online access was unavailable, the company stated that customers could still carry out postal and banking transactions in person at physical locations. The outage caused inconvenience for users who rely on digital services for routine tasks such as checking account balances, paying bills, or managing mail. 

La Banque Postale, the banking subsidiary of La Poste, also confirmed the cyber incident. The bank reported that the attack temporarily prevented customers from accessing its mobile banking app and online banking services. Both La Poste and La Banque Postale said technical teams were actively working to restore services, although no clear timeline for full recovery was provided.  

A Russian hacktivist group claimed responsibility for the attack, but French authorities have not confirmed who was behind it. Officials have not publicly attributed the incident to any specific group and continue to investigate the source and method of the attack. This uncertainty highlights the broader challenge of identifying and verifying perpetrators behind DDoS attacks, which are often difficult to trace due to their distributed nature. 

The disruption at La Poste comes amid a wider series of cybersecurity concerns in France. In recent weeks, the French government has dealt with multiple digital security incidents, including the discovery of remotely controllable software reportedly planted on a passenger ferry. These events have raised concerns about the security of critical infrastructure and essential public services. 

In a separate incident, the French Interior Ministry disclosed a data breach involving unauthorized access to email accounts and the theft of sensitive documents, including criminal records. Authorities later announced the arrest of a 22-year-old suspect in connection with that breach, though no name was released. It remains unclear whether the attack on La Poste is linked to this or other recent cybersecurity incidents. French officials have not indicated whether the recent attacks share common origins or motives. 

However, the growing number of incidents has increased scrutiny of national cybersecurity defenses and intensified concerns about the rising frequency and impact of cyberattacks on vital public services.
Read more »
Vulnerability Exploits
AWS Cloud Outage Risks Cyber Threats DDOS Attacks Firmware Security IOT Security malware Mirai Network Defense ShadowV2 Botnet Vulnerability Exploits

ShadowV2 Botnet Activity Quietly Intensified During AWS Outage

 


The recently discovered wave of malicious activity has raised fresh concerns for cybersecurity analysts, who claim that ShadowV2 - a fast-evolving strain of malware that is quietly assembling a global network of compromised devices - is quietly causing alarm. It appears that the operation is based heavily upon Mirai's source code and is much more deliberate and calculated than previous variants. The operation is spread across more than 20 countries. 

Moreover, ShadowV2 has been determined to have been created by actors exploiting widespread misconfigurations in everyday Internet of Things hardware. This is an increasingly common weakness in modern digital ecosystems and it is aimed at building a resilient, stealthy, and scaleable botnet. The campaign was discovered by FortiGuard Labs during the Amazon Web Services disruption in late October, which the operators appeared to have been using to cover up their activity. 

During the outage, the malware spiked in activity, an activity investigators interpret to be the result of a controlled test run rather than an opportunistic attack, according to the report. During its analysis of devices from DDWRT (CVE-2009-2765), D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915), DigiEver (CVE-2023-52163), TBK (CVE-2024-3721), TP-Link (CVE-2024-53375), and DigiEver (CVE-2024-53375), ShadowV2 was observed exploiting a wide range of CVE-2024-53375. 

A campaign’s ability to reach out across industries and geographies, coupled with its precise use of IoT flaws, is indicative of a maturing cybercriminal ecosystem, according to experts. This ecosystem is becoming increasingly adept at leveraging consumer-grade technology to stage sophisticated and coordinated attacks in the future. 

ShadowV2 exploited a variety of vulnerabilities that have been identified for a long time in IoT security, particularly in devices that have already been retired by manufacturers. This report, which is based on a research project conducted by NetSecFish, identified a number of vulnerabilities that could be affecting D-Link products that are at the end of their life cycle. 

The most concerning issue is CVE-2024-10914, which is a command-injection flaw affecting end-of-life D-Link products. In November 2024, a related issue, CVE-2024-10915, was found by researchers in a report published by NetSecFish. However, after finding no advisory, D-Link later confirmed that the affected devices had reached end of support and were unpatched. 

The vendor responded to inquiries by updating an existing bulletin to include the newly assigned CVE and issuing a further announcement that has directly related to the ShadowV2 campaign, reminding customers that outdated hardware will no longer receive security updates or maintenance, and that security updates will not be provided on them anymore. 

During the same period, a vulnerability exploited by the botnet, CVE-2024-53375, was revealed. This vulnerability has been reported to have been resolved through a beta firmware update. Considering that all of these lapses are occurring together, they serve as an excellent illustration of the fact that aging consumer devices continue to serve as a fertile ground for large-scale malicious operations long after support has ended, as many of these devices are left running even after support has ended. 

Based on the analysis of the campaign, it seems as though ShadowV2's operators use a familiar yet effective distribution chain to spread its popularity and reach as widely as possible. By exploiting a range of vulnerable IoT vulnerabilities, the attackers are able to download a software program known as binary.sh, which is located at 81[.]88[.]18[.]108, which is the command server's location. As soon as the script is executed, it fetches the ShadowV2 payload - every sample is identified by the Shadow prefix - which is similar to the well-known Mirai offshoot LZRD in many ways.

A recent study examining the x86-64 build of the malware, shadow.x86_64, has found that the malware initializes its configuration and attack routines by encoding them using a light-weight XOR-encoding algorithm, encrypting them with one byte (0x22) to protect file system paths, HTTP headers, and User-Agent strings using a single byte key. 

As soon as these parameters are decoded, the bot connects with its command-and-control server, where it waits for instructions on how to launch distributed denial-of-service attacks. While aesthetically modest in nature, this streamlined design is a reflection of a disciplined and purpose-built approach which makes it easy for deployment across diverse hardware systems without attracting attention right away. 

According to Fortinet, a deeper analysis of the malware—which uses XOR capabilities to encrypt configuration data and compact binaries—underscores that ShadowV2 shares many of the same features as the LZRD strain derived from Mirai. This allows ShadowV2 to minimize its visibility on compromised systems in a similar fashion. 

An infection sequence that has been observed across multiple incidents follows a consistent pattern: attackers are the ones who break into a vulnerable device, then they download the ShadowV2 payload via 81[.]88[.]18[.]108, and then they proceed to install it. The malware connects to its command server at silverpath[.]shadowstresser[.]info immediately after it has been installed, allowing it to be part of a distributed network geared towards coordinated attacks. 

Once installed, the malware immediately resides on the compromised device. In addition to supporting a wide range of DDoS techniques, including UDP, TCP, and HTTP, the botnet is well suited for high-volume denial-of-service operations, including those associated with for-hire DDoS services, criminal extortion, and targeted disruption campaigns. 

Researchers claim that ShadowV2's initial activity window may have been purposefully chosen to be the right time to conduct its initial operations. It is perfectly possible to test botnets at an early stage in the early stages of their development during major outages, such as the AWS disruption of late October, as sudden traffic irregularities are easily blended into the broader instability of the service. 

By targeting both consumer-grade and enterprise-grade IoT systems, operators seem to be building an attack fabric that is flexible and geographically diffuse, and capable of scaling rapidly, even in times of overwhelming defensive measures. While the observation was brief, analysts believe that it served as a controlled proof-of-concept that could be used to determine if a more expansive or destructive return could occur as a result of future widespread outages or high-profile international events. 

Fortinet has issued a warning for consumers and organizations to strengthen their defenses before similar operations occur in the future, in light of the implications of the campaign. In addition to installing the latest firmware on all supported IoT and networking devices, the company emphasizes the importance of decommissioning any end-of-life D-Link or other vendor devices, as well as preventing unnecessary internet-exposed features such as remote management and UPnP, to name just a few. 

Additionally, IoT hardware should be isolated within segmented networks, outbound traffic and DNS queries are monitored for anomalies, and strong, unique passwords should be enforced across all interfaces of all connected devices. As a whole, these measures aim to reduce the attack surface that has enabled the rapid emergence of IoT-driven botnets such as ShadowV2 to flourish. 

As for ShadowV2's activity, it has only been limited to the short window of the Amazon Web Services outage, but researchers stress that it should act as a timely reminder of the fragile state of global IoT security at the moment. During the campaign, it is stressed that the continued importance of protecting internet-connected devices, updating firmware regularly, and monitoring network activity for unfamiliar or high-volume traffic patterns that may signal an early compromise of those devices has been underscored. 

Defendants will benefit from an extensive set of indicators of compromise that Fortinet has released in order to assist them with proactive threat hunting, further supporting what researcher Li has described as an ongoing reality in cybersecurity: IoT hardware remains one of the most vulnerable entry points for cybercriminals. When ShadowV2 emerged, there was an even greater sense of concern when Microsoft disclosed just days later, days after its suspected test run, that Azure had been able to defend against what they called the largest cloud-based DDoS attack ever recorded. 

As a result of this attack, attributed to the Aisuru botnet, an unprecedented 15.72 Tbps was reached, resulting in nearly 3.64 billion packets per second being delivered. Despite the attack, Microsoft reported that it had successfully been absorbed by its cloud DDoS protection systems on October 24, thus preventing any disruptions to customer workflows. 

Analysts suggest that the timing of the two incidents indicates a rapidly intensifying threat landscape in which adversaries are increasingly preparing to launch large-scale attacks, often without much advance notice. Analysts are pointing out that the ShadowV2 incident is not merely an isolated event, but should also be considered a preview of what a more volatile era of botnet-driven disruption might look like once the dust settles on these consecutive warning shots. 

Due to the convergence of aging consumer hardware and incomplete patch ecosystems, as well as the increasing sophistication of adversaries, an overlooked device can become a launchpad for global-scale attacks as a result of this emergence. According to experts, real resilience will require more than reactive patching: settings that embed sustained visibility into their networks, enforcing strict asset lifecycle management, and incorporating architectures that limit the blast radius of inevitable compromises are all priorities that need to be addressed. 

Consumers also play a crucial role in preventing botnets from spreading by replacing unsupported devices, enabling automatic updates, and regularly reviewing router and Internet-of-Things configurations, which collectively help to reduce the number of vulnerable nodes available to botnets. 

In the face of attacks that demonstrate a clear willingness to demonstrate their capabilities during times of widespread disruption, cybersecurity experts warn that proactive preparedness must replace event-based preparedness as soon as possible. As they argue, the ShadowV2 incident serves as a timely reminder that strengthening the foundations of IoT security today is crucial to preventing much more disruptive campaigns from unfolding tomorrow.
Read more »
trending news
CloudFlare cyber attack Cyber Attacks DDOS Attacks trending news

Cloudflare Blocks Largest DDoS Attack in History as Global Cyber Threats Surge

Cloudflare announced on Wednesday that it has detected and stopped the largest distributed denial of service (DDoS) attack ever recorded. 

The attack peaked at 29.7 terabits per second and lasted 69 seconds. The company said the traffic came from a botnet-for-hire called AISURU, which has been behind several extreme DDoS incidents over the past year. Cloudflare did not reveal the name of the targeted organization. 

AISURU has repeatedly targeted telecommunication companies, gaming platforms, hosting providers and financial services. 

Cloudflare said it also blocked another massive attack from the same botnet that reached 14.1 billion packets per second. Security researchers estimate that AISURU is powered by one to four million infected devices across the world. 

According to Cloudflare, the record-breaking event was a UDP carpet bombing attack that hit around 15,000 ports per second. The attackers randomised packet properties to get past defences, but Cloudflare’s automated systems detected and neutralised the traffic. Cloudflare has recorded 2,867 AISURU attacks since the beginning of 2025. 

Out of these, 1,304 hyper volumetric attacks happened in the third quarter of this year alone. In total, the company blocked 8.3 million DDoS attacks during the same period. That number is 15 percent higher than the previous quarter and 40 percent higher than the same period last year. 

So far in 2025, Cloudflare has mitigated 36.2 million DDoS attacks, and the year is not yet over. The company highlighted a rapid increase in network layer attacks, which now make up 71 percent of all recorded attacks. 

Meanwhile, HTTP DDoS attacks declined in comparison. The report also shows major changes in the global DDoS landscape. The number of attacks that went above 100 million packets per second jumped by 189 percent quarter over quarter. In addition, 1,304 attacks exceeded one terabit per second. 

Cloudflare noted that most attacks last for less than 10 minutes, which leaves very little time for manual intervention and can still cause long service disruptions. 

The list of attack sources is dominated by Asia. Indonesia has remained the world’s biggest source of DDoS attacks for an entire year, followed by other locations such as Thailand, Bangladesh, Vietnam, India, Hong Kong and Singapore. Ecuador, Russia and Ukraine make up the remaining top ten. 

Several industries have seen major increases in targeting. Attacks against the mining, minerals and metals sector rose sharply and pushed it to the 49th most attacked industry worldwide. The automotive industry experienced the largest jump and is now the sixth most attacked. 

DDoS attacks targeting artificial intelligence companies rose by 347 percent in September alone. Across all sectors, information technology and services faced the most attacks. Telecommunications, gambling, gaming and internet services were also among the hardest hit. 

The most attacked countries this year include China, Turkey, Germany, Brazil, the United States and Russia. Cloudflare said the scale and sophistication of current DDoS activity marks a turning point for global cybersecurity. 

The company warned that many organizations are struggling to keep up with attackers who now operate with far more power and speed than ever before.
Read more »
malware
cryptocurrency DanaBot DDOS Attacks Law Enforcement malware

DanaBot Malware Network Disrupted After Researchers Discover Key Flaw

 



In a major breakthrough, cybersecurity experts uncovered a major weakness in the DanaBot malware system that ultimately led to the disruption of its operations and criminal charges against its operators.

DanaBot, which has been active since 2018, is known for being sold as a service to carry out cybercrimes like banking fraud, stealing personal information, carrying out remote attacks, and launching distributed denial-of-service (DDoS) attacks. The malware remained a persistent threat until recent enforcement actions successfully targeted its infrastructure.


Discovery of the DanaBot Weakness

Researchers from Zscaler’s ThreatLabz team identified a serious flaw in DanaBot’s system in a version released in June 2022. This flaw, later called "DanaBleed," exposed the internal workings of the malware to security professionals without the attackers realizing it.

The issue stemmed from changes made to DanaBot’s communication system, known as the command and control (C2) protocol. The updated system failed to properly handle random data in its responses, accidentally revealing leftover information stored in the malware’s memory.

Because of this memory leak, security experts were able to repeatedly collect sensitive fragments from DanaBot’s servers over time. This flaw is similar to the infamous HeartBleed vulnerability that affected OpenSSL in 2014 and caused serious security concerns worldwide.


What the Flaw Exposed

Through careful analysis, researchers were able to access highly valuable information, including:

• Details about the malware operators, such as usernames and IP addresses

• Locations of DanaBot’s servers and websites

• Stolen victim data, including login credentials

• Records of malware updates and internal changes

• Private cryptographic keys used for security

• Internal system logs and SQL database activity

• Parts of the malware’s management dashboard

For more than three years, DanaBot continued to operate with this hidden security hole, giving investigators a rare opportunity to quietly monitor the criminals and gather detailed evidence.


Law Enforcement Action

After collecting enough proof, international law enforcement teams launched a coordinated operation called "Operation Endgame" to shut down DanaBot’s network. This effort led to the takedown of key servers, the seizure of over 650 domains connected to the malware, and the recovery of nearly $4 million in cryptocurrency.

While the core group of attackers, mainly located in Russia, has been formally charged, no arrests have been reported so far. However, the removal of DanaBot’s infrastructure has significantly reduced the threat.


Final Thoughts

This case highlights the importance of careful cybersecurity monitoring and how even well-established criminal groups can be exposed by overlooked technical mistakes. Staying updated on the latest security research is essential, as malware groups often release new versions and fixes that may change the threat landscape quickly.

Read more »
Russia-Ukraine War
Cyber Attacks DDoS DDOS Attacks DDoS Threats Hacker attack Hacktivist group NCSC Pro-Russian Hackers Russia-Ukraine War

Russian Hacktivists Disrupt Dutch Institutions with DDoS Attacks

 

Several Dutch public and private organizations have experienced significant service outages this week following a wave of distributed denial-of-service (DDoS) attacks linked to pro-Russian hacktivists. The Netherlands’ National Cyber Security Center (NCSC), part of the Ministry of Justice, confirmed that the attacks affected multiple sectors and regions across the country.  

The NCSC disclosed that both government and private entities were targeted in what it described as large-scale cyber disruptions. While the full scope is still being assessed, municipalities and provinces including Groningen, Noord-Holland, Drenthe, Overijssel, Zeeland, Noord-Brabant, and cities like Nijmegen, Apeldoorn, Breda, and Tilburg reported that public portals were intermittently inaccessible. 

A pro-Russian threat group calling itself NoName057(16) has claimed responsibility for the cyberattacks through its Telegram channel. Though the NCSC did not confirm the motive, the group posted that the attacks were a response to the Netherlands’ recent €6 billion military aid commitment to Ukraine, as well as future support amounting to €3.5 billion expected in 2026. Despite the widespread disruptions, authorities have stated that no internal systems or sensitive data were compromised. 

The issue appears confined to access-related outages caused by overwhelming traffic directed at the affected servers — a hallmark of DDoS tactics. NoName057(16) has been a known actor in the European cybersecurity landscape since early 2022. It has targeted various Western governments and institutions, often in retaliation for political or military actions perceived as anti-Russian. The group also operates DDoSIA, a decentralized platform where users can participate in attacks in exchange for cryptocurrency payments. 

This model has enabled them to recruit thousands of volunteers and sustain persistent campaigns against European targets. While law enforcement in Spain arrested three alleged DDoSIA participants last year and confiscated their devices, key figures behind the platform remain unidentified and at large. The lack of major indictments has allowed the group to continue its operations relatively unimpeded. 

The NCSC has urged organizations to remain vigilant and maintain strong cybersecurity protocols to withstand potential follow-up attacks. With geopolitical tensions remaining high, experts warn that such politically motivated cyber operations are likely to increase in frequency and sophistication. 

As of now, restoration efforts are ongoing, and the government continues to monitor the digital landscape for further signs of coordinated threats.
Read more »
Vo1d
Android TV DDOS Attacks malware Vo1d

Malware Attack on Android TV Devices Affects Over 1.6 Million Users

 



Cybersecurity researchers have discovered a new form of malware that is spreading through Android TV devices across the globe. This malware, known as Vo1d, has already infected over 1.6 million devices, turning them into remote-controlled bots used for illegal activities without the owners’ knowledge.  

The Vo1d malware has existed for a while, but researchers at XLab recently identified a stronger, more advanced version that makes it harder to detect and remove. This upgraded variant has been designed to avoid being analyzed or controlled by cybersecurity experts, making it a serious concern for Android TV users.  


How the Vo1d Malware Works  

Once Vo1d malware enters an Android TV device, it secretly connects it to a network controlled by hackers, known as a botnet. This allows the attackers to control thousands of devices at once without the owners realizing it. These devices are then used to carry out illegal activities like DDoS attacks and ad click fraud.  

In a DDoS (Distributed Denial of Service) attack, a large number of devices flood a website or service with so many requests that it crashes, making it inaccessible. On the other hand, ad click fraud involves the infected devices automatically clicking on online ads, creating fake revenue for dishonest advertisers. Both of these activities can cause financial losses to companies and harm online platforms.  

The malware has been particularly active in countries like Argentina, Brazil, China, Indonesia, South Africa, and Thailand. However, since it is spreading rapidly, users in other countries should also remain cautious.  


Why This Malware Is Difficult to Detect  

One of the main challenges with the new Vo1d variant is that it uses advanced encryption methods, which prevent cybersecurity professionals from studying or controlling it. It also hides deep within the device’s system, making it nearly impossible for regular antivirus software to detect and remove it.  

This ability to stay hidden allows the malware to operate silently for long periods, allowing hackers to keep using the device for illegal purposes. As a result, users may remain unaware that their device has been compromised.  


How to Protect Your Android TV Device  

To reduce the chances of your Android TV being infected by Vo1d, consider following these precautionary steps:  

1. Buy From Trusted Sources: Always purchase Android TV devices from well-known brands or official retailers. Avoid buying from unknown sellers, as some devices may already be compromised before purchase.  

2. Update Regularly: Install all firmware and security updates provided by the device manufacturer. These updates often fix vulnerabilities that malware exploits.  

3. Download Apps Carefully: Only download apps from official platforms like the Google Play Store. Avoid installing apps from third-party websites, as they may carry hidden malware.  

4. Watch for Unusual Activity: If your Android TV starts slowing down, overheating, or using too much data without reason, it may be infected. In such cases, reset your device and consider installing a trusted antivirus app.  

5. Secure Your Network: Make sure your home Wi-Fi has a strong password and activate firewall settings to reduce the chances of remote attacks.    


The rapid spread of Vo1d malware has raised concern among cybersecurity experts. With over 1.6 million devices already infected, users need to stay alert and take protective measures. By purchasing devices from verified sources, keeping software updated, and avoiding untrusted apps, users can reduce their risk of falling victim to such malware attacks.  

Staying informed about new threats and remaining cautious with device usage is the best way to keep your Android TV safe from harmful malware like Vo1d.

Read more »
Telecom
Beeline Cyber Attacks DDOS Attacks Internet Russia Telecom

Russian Telecom Company "Beeline" Hit, Users Face Internet Outage

Russian Telecom Company "Beeline" Hit, Users Face Internet Outage

Internet outage in, telecom provider attacked

Users in Russia faced an internet outage in a targeted DDoS attack on Russian telecom company Beeline. This is the second major attack on the Moscow-based company in recent weeks; the provider has over 44 million subscribers.

After several user complaints and reports from outage-tracking services, Beeline confirmed the attack to local media.

According to Record Media, internet monitoring service Downdetector’s data suggests “most Beeline users in Russia faced difficulties accessing the company’s mobile app, while some also reported website outages, notification failures and internet disruptions.” 

Impact on Beeline

Beeline informed about the attack on its Telegram channel, stressing that the hacker did not gain unauthorized access to consumer data. Currently, the internet provider is restoring all impacted systems and improving its cybersecurity policies to avoid future attacks. Mobile services are active, but users have cited issues using a few online services and account management features.

Rise of threat in Russia

The targeted attack on Beeline is part of a wider trend of cyberattacks in Russia; in September 2024, VTB, Russia’s second-largest bank, faced similar issues due to an attack on its infrastructure. 

These attacks highlight the rising threats posed by cyberattacks cherry-picking critical infrastructures in Russia and worldwide.

Experts have been warning about the rise in intensity and advanced techniques of such cyberattacks, damaging not only critical businesses but also essential industries that support millions of Russian citizens. 

Telecom companies in Russia targeted

How Beeline responds to the attack and recovers will be closely observed by both the telecom industry and regulators. The Beeline incident is similar to the attack on Russian telecom giant Megafon, another large-scale DDoS attack happened earlier this year. 

According to a cybersecurity source reported by Forbes Russia, the Beeline attack in February and the Megafon incident in January are the top hacktivist cyberattacks aiming at telecom sectors in 2025. 

According to the conversation with Forbes, the source said, “Both attacks were multi-vector and large-scale. The volume of malicious traffic was identical, but MegaFon faced an attack from 3,300 IP addresses, while Beeline was targeted via 1,600, resulting in a higher load per IP address.”

Read more »
Subscribe to: Comments (Atom)