Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft security. Show all posts
Windows Clipper Malware
Clipboard hijacking cryptocurrency theft malware Microsoft security Remote Code Execution Tor-Based C2 USB LNK Worm Windows Clipper Malware

Microsoft Exposes Malware Operation Combining USB LNK Worms and Tor-Based C2 Servers

 


A threat actor will benefit from combining cryptocurrency theft, covert communications, and remote access into a single malware framework in order to increase stealth and persistence. Microsoft has revealed the existence of a Windows-based clipper campaign active since February 2026. The clipper campaign uses a portable Tor client, Windows Script Host, and ActiveX components to communicate with a hidden command-and-control server. 

Besides intercepting and replacing cryptocurrency wallet addresses, the malware also performs continuous clipboard monitoring, captures screenshots, exfiltrates stolen data, and executes remote commands. 

A key characteristic of the operation is that it does not utilize traditional installer mechanisms or publicly exposed C2 servers and instead utilizes Tor-routed traffic as a means of concealing its activity and extends its capabilities to lightweight backdoor functions as well as financial theft. USB-Borne Infection Chain Drives Initial Compromise Upon further investigation, it was revealed that the operation is characterized by a multi-stage infection chain combining removable media propagation with credential and asset theft. 

In Microsoft's opinion, the campaign originated through malicious Windows shortcut (.LNK) files distributed through USB storage devices, enabling the malware to spread without relying on online delivery mechanisms. An infection after being executed deploys two components: a worm that propagates throughout additional removable drives, and a clipper module designed to obtain information about cryptocurrency seed phrases, private keys, and wallets. 

Obfuscation and Persistence Mechanisms Enhance Stealth As part of its propagation mechanism, the worm exploits the trust of users in familiar file formats. When it scans USB devices for commonly accessed document formats like Microsoft Word, Excel, and PDF, it conceals the original filenames and replaces them with malicious shortcuts named identically. 

In addition to increasing user interaction, this strategy masks the infection process by enabling additional payloads to be unpacked into randomly generated directories within the Public Documents path upon execution, and thereafter persistence can be established by scheduling tasks. In order to minimize the possibility of detection, the malware attempts to modify local defenses by creating antivirus exclusions for its staging locations and executable components in order to avoid detection. 

According to Microsoft, extensive efforts have been made to obstruct the process of forensic analysis, such as packaging the installer with PyInstaller and obfuscation with PyArmor, and using JavaScript-based modules with layered encryption as well as runtime decryption. This malware performs an anti-analysis check by searching for Windows Task Manager processes and terminating execution if monitoring is detected, underscoring the operator's emphasis on long-term stealth and evasion. 

Tor-Based Communications Power Clipboard Hijacking Operations Upon clearing the anti-analysis checks and activating the stealer module, the malware enters into a highly automated surveillance phase designed to detect and intercept cryptocurrency-related activity in near real-time. Microsoft observed that a Tor executable named ugate.exe is used by the component to communicate with its hidden command and control infrastructure, enabling all traffic to be routed through anonymized channels as well.

Once the malware has been installed, it periodically checks the system clipboard for a specific set of highly valuable cryptocurrency artifacts, searching for these artifacts every 500 milliseconds. Among these include 12-word and 24-word recovery phrases for Bitcoin, Ethereum private keys, Bitcoin wallet import format keys (WIF), as well as wallet addresses for Tron and Monero in addition to Bitcoin legacy, P2SH, Bech32, and Taproot formats. 

Upon detection of an identical entry, the malware silently replaces it with the address of an attacker's wallet. By carefully selecting substituted addresses to share similar leading characters or numeric patterns with the original destination, the likelihood of detection during visual verification is reduced. During the final stage of the infection, the malware emphasizes the importance of operating concealment and attacker control. 

By launching a renamed Tor executable in the background, the malware is able to identify the compromised host and register it with an external infrastructure without exposing direct network communications to the outside world. 

Upon enrollment, the infected system begins a continuous operational cycle, polling the command-and-control environment for instructions while simultaneously inspecting the clipboard contents at approximately half-second intervals to identify cryptocurrency seed phrases, private keys, and wallets. 

Also, command responses containing the EVAL directive enable the operators to execute attacker-supplied code in real-time, allowing them to expand functionality or take subsequent actions after a compromise. 

The mixture of scripting abuse, removable media propagation, and Tor-based communications indicates Microsoft's recommendation that behavioral detection strategies should be prioritized. These strategies include monitoring PowerShell-driven screen capture activity, suspicious use of WScript and CScript, and script-engine processes spawning unexpected executables, including curl, cmd.exe, PowerShell, or other unexpected executables.

Besides disabling AutoRun and AutoPlay for removable media, Group Policy controls can also be used to restrict the execution of LNK from USB devices, limiting unnecessary access to scripting engines, and monitoring clipboard monitoring and screen capture behavior on systems involving cryptocurrency or other sensitive financial transactions closely. 

Remote Code Execution Expands Malware Capabilities Researchers discovered that the campaign's data collection capabilities go beyond clipboard manipulation. A number of screenshots were taken and transferred to the command-and-control server through the native curl utility, providing operators with continuous insight into the activity of the victims. 

Furthermore, it integrates remote code execution functionality, thereby extending the framework's operational scope beyond a conventional cryptocurrency clipper. By using the EVAL command, operators can instruct the malware to retrieve additional JavaScript payloads, save them locally as cfile files, and execute them directly on the compromised host by instructing the malware to do so. 

Essentially, this capability allows the infection to become an on-demand access platform that is capable of deploying new functionality after initial compromise. Because the malware is highly obfuscated and continuously evolving, Microsoft noted that behavioral indicators offer a more reliable detection opportunity than static signatures. There are several indications that security teams should monitor suspicious activity associated with wscript.exe and cscript.exe, unexpected executions of curl, PowerShell, and cmd.exe, as well as anomalous child process chains. 

Additionally, connections directed to localhost:9050 and other indications of Tor proxy usage may provide valuable indications that this campaign was compromised. Microsoft's campaign illustrates how traditional malware techniques can be combined with anonymous infrastructure and scripting-based execution to create threats that are not only difficult to detect but also highly adaptable as cybercriminal operations continue to evolve. 

In environments characterized by removable media and digital asset transactions, the findings underscore the importance of monitoring behavioral indicators in conjunction with conventional security controls. In order to identify attacks that prioritize stealth over scale, defenders must continue to have access to unusual script activity, Tor-related communications, and clipboard manipulation.
Read more »
Microsoft security
Credential Security Cyber Phishing Cyber Security Data protection data security Microsoft Microsoft security

Microsoft Warns Users About Rising QR Code Phishing and Quishing Scams

 

Microsoft’s cybersecurity researchers have uncovered a growing wave of phishing scams using QR codes hidden inside emails, PDF files, and fake CAPTCHA pages. Instead of clicking suspicious links, victims scan QR codes that secretly redirect them to fraudulent websites designed to steal login credentials and session data. The attacks spread quickly because they bypass many traditional security filters and often appear harmless at first glance. 

Known as “quishing,” these scams hide malicious links inside QR codes, avoiding the usual warning signs tied to suspicious URLs. Emails often create urgency through fake compliance notices, security alerts, or missed-message warnings, encouraging users to scan the code without carefully checking the sender. According to Microsoft, attackers are impersonating HR teams, IT departments, managers, and office administrators to make messages appear legitimate. 

Once scanned, users are routed through several webpages before landing on counterfeit login portals built to capture usernames, passwords, and even live session tokens capable of bypassing some two-factor authentication protections. Researchers say more than 35,000 users across approximately 13,000 organizations worldwide have already been targeted, with cases continuing to rise. Many people trust QR codes because they are commonly used for menus, payments, and sign-ins, making them less likely to question the risks behind scanning one. 
Cybercriminals are exploiting that familiarity to trick users into exposing sensitive information. A recent case highlighted by Digit.in demonstrated how convincing these scams can be. Employees reportedly received emails appearing to come from an Office 365 administrator claiming several messages were awaiting approval. Instead of links, the email included a QR code directing users elsewhere. Investigators tested the QR code using a freshly wiped mobile device across Android and iOS platforms to minimize potential risks. 

While the QR codes in that case did not install malware or alter device settings, the test showed how easily similar scams could deceive unsuspecting users. Security professionals warn that scanning unfamiliar QR codes on devices containing banking apps, work credentials, personal photos, or confidential files can expose users to serious threats without obvious warning signs. Experts recommend avoiding QR codes sent through unsolicited emails, verifying senders carefully, and checking linked addresses before entering passwords. 

As cybercriminals increasingly rely on social engineering instead of direct hacking, simple actions like scanning a QR code are becoming new entry points for digital attacks.
Read more »
Windows Vulnerabilities
AI cybersecurity Kernel Security MDASH AI Microsoft security Patch Tuesday Remote Code Execution Threat Detection Vulnerabilities and Exploits Windows Vulnerabilities

MDASH AI Helps Microsoft Detect 16 Critical Windows Security Flaws


 

The company has reported that the MDASH framework, developed internally by Microsoft for agentic artificial intelligence, was instrumental in identifying 16 security vulnerabilities affecting core Windows networking and authentication components, including four critical vulnerabilities that can be exploited remotely. 

According to the discovery, which was addressed during Patch Tuesday's security rollout of May 2026, autonomous AI systems are not limited to the generation of code in defensive cybersecurity engineering. In addition to analyzing complex software environments, tracing insecure logic paths, and identifying exploitable weaknesses before threats can weaponize them, these tools are increasingly being used to analyze complex software environments. 

Microsoft's Autonomous Code Security team developed MDASH, which is currently being tested by a select number of customers in a private preview program. MDASH is now actively supporting internal security engineering operations and is part of the company's wider effort to integrate AI-driven vulnerability research into enterprise-scale software assurance and development processes. 

The MDASH framework is at the core of this initiative. It is an internally developed framework that works independently of any single language model while coordinating specialized AI agents tailored to specific vulnerability classes, a framework that is uniquely engineered for this purpose. By utilizing a combination of frontier-scale and distilled AI models, the platform distributes tasks across more than 100 purpose-built agents instead of relying on a conventional one-model scanning architecture. 

Using the system, Taesoo Kim, Microsoft's vice president of agentic security, enables the detection of end-to-end vulnerabilities by autonomously identifying suspicious code behavior, challenging each other's findings, and independently validating exploitability before escalated results that are confirmed. MDASH is an analysis pipeline that consists of multiple stages. 

After ingesting source code, MDASH constructs an internal threat model and maps the attack surface, and then dedicated agents conduct audits to identify possible vulnerabilities such as insecure logic, memory corruption, authentication vulnerabilities, and other exploitable conditions. In addition to eliminating false positives, a secondary layer of "debater" agents also performs adversarial reasoning workflows to verify technical validity and eliminate false positives. 

As a result of the correlation between semantically similar findings, consolidating overlapped detections, and providing proof-based validation, the framework is able to demonstrate that vulnerabilities can be exploited practically. Using Microsoft's architecture, Microsoft says complex security analysis can be performed using state-of-the-art reasoning models, distilled models for large-scale validation tasks, and a high-capability, independent counteranalysis model. 


Through layered reviews, Microsoft hopes to improve detection accuracy and reliability across enterprise-scale codebases including Windows. In addition to the TCP/IP networking stack, IKEEXT IPsec, HTTP.sys, Netlogon, DNS resolution mechanisms, and the legacy Telnet client, MDASH uncovered a number of deeply embedded Windows components that were susceptible to remote attack surfaces. These vulnerabilities underscore how wide a range of attacks can be conducted on modern operating systems. 

According to Microsoft, ten of the identified vulnerabilities affect kernel-mode components and six affect user-mode services. Under realistic deployment scenarios, most of these vulnerabilities are remotely accessible without authentication. In total, four vulnerabilities were rated Critical, including CVE-2026-338277, an unauthenticated use-after-free issue in tcpip.sys, and CVE-2026-338248, a remotely exploitable double-free issue in the IKEv2 protocol over UDP port 500. 

It is reported that MDASH demonstrated unusually high precision during validation exercises, in that all 21 intentionally seeded vulnerabilities were detected without generating false positives during internal testing. It was further stated by Microsoft that the framework recalled 96 percent of the five years of confirmed cases of the Microsoft Security Response Center for CLFS.sys and covered tcpip.sys in full, as well as scoring 88.45 percent on the CyberGym benchmark containing 1,507 real-world vulnerabilities, which is the highest score in the industry. 

The broader research initiative continues to be closely tied to Microsoft's offensive and defensive security engineering ecosystems. Currently, the platform is deployed across Microsoft's engineering environments and is currently being evaluated by limited customers through a private preview program. A team led by Autonomous Code Security worked in collaboration with Windows Attack Research and Protection specialists who specialized in advanced offensive Windows research to spearhead development efforts. 

A number of researchers involved in this project previously served as members of Team Atlanta, the team recognized for winning the DARPA AI Cyber Challenge using a system for discovering and patching vulnerabilities autonomously. The company stated that the implementation of autonomous auditing at an enterprise level can pose unique operational difficulties due to the proprietary nature of the Windows codebase and the absence of public training datasets. 

In addition, low-tolerance production environments prevent inaccurate detections from occurring. These constraints can be addressed by MDASH by providing extensible plugins capable of injecting highly specialized contextual knowledge into the analysis pipeline. These include kernel calling conventions, synchronization rules, interprocess communication trust boundaries, and file-system structures that are not reliably inferred by general-purpose models. 

A particular extension, developed for the Common Log File System (CLFS), generates triggering log artifacts from candidate findings automatically, allowing the framework to go beyond theoretical detection and provide proof-based vulnerability validation that engineering teams can use to remedy vulnerabilities directly. 

Using CVE-2026-33827 as an example of advanced flaws that conventional single-model AI systems routinely fail to identify, Microsoft highlighted that vulnerability. In order to address this vulnerability, Microsoft implemented a strict source and record route processing process that improperly managed a reference-counted Path object during the Windows IPv4 receive path.

It is possible that the affected function reused the same pointer under alternate execution flow conditions after releasing its owned reference through a dereference operation, therefore causing a race-driven use-after-free scenario in kernel memory. 

Due to the fact that the vulnerable code path processes attacker-controlled packet metadata and executes within an elevated networking context, a remote attacker could potentially exploit this flaw by sending specially crafted IPv4 packets containing SSRR options to their hosts. A Microsoft representative explained that the problem became significantly more dangerous as a result of the concurrency behavior of multiple independent cleanup subsystems that were capable of reclaiming the object before further reuse. 

According to the company, single-model artificial intelligence systems often fail to detect such vulnerabilities since ownership violations are not readily apparent locally and are instead dependent on correlating reference semantics, branching conditions, concurrency interactions, and analogous patterns spread across distinct code paths to determine the violation. 

The MDASH system was reported to have successfully analyzed the behavior of objects during their lifetimes, compared implementation inconsistencies elsewhere in the codebase, and assembled a coherent exploitation chain by using staged reasoning and adversarial verification through specialized agents. During Patch Tuesday in April 2026, the flaw was addressed. 

Furthermore, Microsoft disclosed CVE-2026-33824, a critical double-free vulnerability affecting IKEEXT, a key exchange service for IPsec authentication. Remotely accessible via UDP port 500, the vulnerability is capable of triggering against systems configured as IKEv2 responders, such as RRAS VPNs, DirectAccesss, Always-On VPNs, and hosts with IPsec security policies that govern inbound connections. There was a vulnerability caused by an ownership handling error during fragment reassembly, which caused a packet receive context to be duplicated by using shallow memory copy operations. 

A deterministic heap corruption condition was created within the LocalSystem svchost.exe process when teardown routines released the same memory region twice, resulting in reference to and assumption of ownership of the same heap allocation linked to a security realm identifier controlled by an attacker.

The vulnerability is particularly severe from a defensive perspective, as it only requires two crafted UDP packets without race conditions or precise timing requirements, making exploitation particularly easy. During analysis of the codebase, the company identified that the flaw extended across six separate source files, and that the vulnerability was triggered by subtle differences between ownership handling patterns that were incorrect and correctly implemented elsewhere.

Microsoft has stated that multiple file aliasing and lifecycle vulnerabilities are routinely evaded by conventional automated analysis because a single execution context does not expose the entire exploitation chain at once. MDASH's multi-agent debate and verification architecture is specifically credited for identifying those fragmented relationships and confirming the exploit path before publication. 

The issue was also patched as part of April 2026 Patch Tuesday. There is a notable shift in how large-scale software security auditing will evolve in enterprise environments with the emergence of MDASH. Modern operating systems are becoming increasingly complex and difficult to assess through traditional manual methods alone.

The Microsoft AI platform combines autonomous reasoning, adversarial validation, and exploit-focused analysis in a coordinated multi-agent framework, enabling AI to not merely serve as a productivity tool, but also to provide an operational security layer capable of detecting deeply buried vulnerabilities within critical infrastructure code. 

A growing number of threat actors are leveraging automation in offensive campaigns, and the company’s latest findings suggest that defensive research may become increasingly dependent on AI-driven systems capable of identifying exploitable weaknesses before they become operational.
Read more »
WireGuard
cybersecurity risk Kernel Level Security Microsoft security Open Source Security Software Supply Chain VeraCrypt VPN security Windows Driver Signing WireGuard

Open Source Security Tools impacted by Microsoft Account Suspensions


 

Several widely trusted security tools have been affected by the disruption beyond routine enforcement, including the distribution pipelines. Microsoft suspended developer accounts associated with VeraCrypt, WireGuard, and Windscribe without any prior technical clarification, effectively preventing them from accessing Microsoft's code signing and update delivery systems. 

Practically, this disruption hinders the delivery of authenticated binaries, delays incremental updates, and restricts timely responses to emerging vulnerabilities. Since Windows environments are reliant on timely security updates to maintain their security, such a halt can pose a serious risk to users who utilize these tools for encryption, tunneling, and secure communication. 

As a result of the incident, open-source maintainers and contributors have stepped up to respond, raising concerns over opaque enforcement mechanisms and the lack of transparency in the remediation process. Microsoft acknowledges the issue in public forums following the escalation. A representative has stated that internal teams are actively reviewing the suspensions and working towards restoring the affected accounts. 

Still, there has been no clear indication of a timeline for doing so. This initial disruption set the stage for a deeper pattern that soon began to unfold across multiple projects. As the scope of the disruption became clearer, what initially appeared to be isolated enforcement actions began to reveal a broader and more coordinated pattern affecting multiple high-impact projects. 

Timeline of Account Suspension and Developer Impact

The sequence of events provides critical insight into how the disruption unfolded and why it quickly escalated beyond a routine compliance issue. Rather than being an isolated administrative action, the sequence of events underpinning the suspensions suggest a systemic enforcement anomaly. There was no preceding warning, audit flag, or remediation notice given to the maintainers of critical open-source security projects as to the sudden access restrictions across their Microsoft developer accounts in early April 2026. 

VeraCrypt's lead developer, Mouhinir Idrassi, first reported the problem, which involved the termination of his long-standing account that had previously been used to sign Windows drivers and bootloaders. The pattern became more evident as similar constraints began to surface across other critical projects. 

A similar barrier arose for Jason Donenfeld, the architect of WireGuard, as he attempted to push a significant Windows update that had been in development for a long time. Several similar accounts surfaced over the course of several years. As similar access loss confirmed by Windscribe, attention quickly shifted to the systems that govern these access controls.

While the timeline highlights the outward symptoms of the disruption, the underlying cause appears to originate from internal policy enforcement mechanisms. 

Policy Enforcement and Verification Breakdown

It is Microsoft's Windows Hardware Program, a critical trust framework governing kernel-mode driver distribution that is at the core of the disruption. 

Unless Windows systems are signed with cryptographic signatures, low-level drivers cannot be loaded, effectively halting deployment within the operating system. This dependency effectively places a centralized control layer over the distribution of low-level software, amplifying the impact of any disruption within the system. 

Developers have consistently denied receiving any formal notification regarding identity verification, despite statements made by Scott Hanselman that multiple communication attempts had been made over the preceding months, as a result of a policy revision introduced in late 2023. However, this assertion contrasts sharply with developer accounts, where no actionable or verifiable communication trail was observed. 

A notable point is that Donenfeld completed the required validation workflow through Microsoft’s designated third-party provider, which confirmed successful validation. However, his account remains inaccessible, raising concerns about inconsistencies between verification status and enforcement actions in Microsoft’s developer identity infrastructure. 

The inconsistencies further heightened scrutiny of the implementation of enforcement policies. Clarification emerging around the incident indicates the suspensions were not arbitrary, but linked to a tightening of Microsoft's compliance enforcement within its developer identity framework, even though critical communication and verification reconciliation gaps appear to have been exposed during the execution. 

Some maintainers have claimed that either the mandated verification steps were already complete or that no actionable notification was ever received, so affected parties have been forced to go through an extended appeals process that has reportedly lasted several weeks. As concerns escalated publicly, senior leadership intervention became necessary to address the growing uncertainty within the developer community.

As the situation became public, Pavan Davuluri responded directly, acknowledging the issue and informing us that internal teams are working on remediation. The enforcement is tied to an October policy update of the Windows Hardware Program, which required partners who had not re-verified their accounts since April 2024 to re-verify their identities. 

In spite of Microsoft's claims that multiple notification channels, including email alerts and in-platform prompts, were used to signal the transition, the company has concurrently conceded these mechanisms failed to reliably reach all stakeholders, particularly within open-source projects that have high impact. 

Moreover, Davuluri stated that Microsoft has contacted VeraCrypt and WireGuard developers directly in order to restore account access, framing the episode as a lapse in operational processes that will inform future policy changes. Despite the ongoing restoration efforts, signing capabilities are expected to be restored shortly, so users can resume getting security patches promptly.

However, beyond policy and process, the technical consequences of this disruption began to raise more immediate concerns. 

Security Implications and Systemic Risk Exposure 

It is important to note that the incident, in addition to interrupting update pipelines immediately, introduces a more consequential risk vector related to trust anchors and certificate lifecycle management within the Windows ecosystem. 

As Microsoft plans to revoke the certificate authority used to sign the VeraCrypt bootloader, existing trusted binaries may be invalidated, affecting system integrity. Users of VeraCrypt are facing a significant threat to system integrity. As a consequence of the revocation, encrypted systems may experience boot-time failures once the update takes effect unless timely access is provided to re-sign and redistribute an updated boot component, effectively locking users out of their environments.

Having highlighted the severity of this scenario, Mounir Idrassi notes that the inability to restore a valid trust chain could render the software non-viable for deployment on Windows. This marked the first publicly visible indication that the issue was not limited to routine account enforcement, but potentially rooted in deeper systemic controls. 

Moreover, the implications of the breach extend beyond encryption alone, extending into network security dependencies as a whole. This exposure is similar within the networking stack, since WireGuard underpins a wide range of privacy-focused services, including Mullvad, Proton VPN, and Tailscale implementations. It has been highlighted by Jason Donenfeld that any emerging security vulnerabilities within the Windows driver layer would not be patchable under current constraints, leaving a substantial user base at risk. 

While alternative platforms, such as Linux and macOS, are unaffected by the incident due to their independent distribution and signing models, the concentration of users on Windows greatly magnifies the effect, effectively isolating critical security updates from the largest segment of the install base. These risks together indicate a deeper architectural dependency within the Windows ecosystem, and more broadly, underscore a structural dependency embedded within the Windows security architecture. 

During kernel mode execution, compliance with Microsoft's driver signing requirements is enforced via centralized infrastructure and developer account controls through centralized infrastructure. MemTest86, a tool that goes beyond encryption and VPN software, suggests a systemic vulnerability rather than a domain-specific vulnerability. Any disruption within the Partner Center or associated identity systems may cascade into a complete halt to software deployment at the kernel level, which is incapable of returning to normal operation. 

For security practitioners, this reinforces a long-standing concern that critical open-source tools remain operationally dependent on a single vendor-controlled distribution and trust pipeline, despite being decentralized in development. In turn, this structural dependency frames the incident's broader impact on the industry as a whole. 

A wider reassessment of how critical security tools interact with centralized platform controls is likely to follow the episode, particularly in environments where a single security authority controls execution at the deepest layers of the system. Developers and security teams should be aware of the importance of operational resilience strategies, including diversifying distribution channels and contingency signing arrangements, as well as establishing clearer audit visibility into compliance status within vendor ecosystems. 

The rule also places renewed responsibility on platform providers to ensure that enforcement mechanisms are not only technically effective but also operationally transparent, with verifiable communication trails and fail-safe recovery mechanisms. In the midst of remediation, the industry's longer-term success will depend on whether these disruptions lead to structural improvements that balance platform security with the continuity of the tools that are designed to safeguard it.
Read more »
Microsoft security
Azure Azure Attack Botnet Botnet attack Cyber Attacks Microsoft Microsoft Azure Microsoft security

Aisuru Botnet Launches 15.72 Tbps DDoS Attack on Microsoft Azure Network

 

Microsoft has reported that its Azure platform recently experienced one of the largest distributed denial-of-service attacks recorded to date, attributed to the fast-growing Aisuru botnet. According to the company, the attack reached a staggering peak of 15.72 terabits per second and originated from more than 500,000 distinct IP addresses across multiple regions. The traffic surge consisted primarily of high-volume UDP floods and was directed toward a single public-facing Azure IP address located in Australia. At its height, the attack generated nearly 3.64 billion packets per second. 

Microsoft said the activity was linked to Aisuru, a botnet categorized in the same threat class as the well-known Turbo Mirai malware family. Like Mirai, Aisuru spreads by compromising vulnerable Internet of Things (IoT) hardware, including home routers and cameras, particularly those operating on residential internet service providers in the United States and additional countries. Azure Security senior product marketing manager Sean Whalen noted that the attack displayed limited source spoofing and used randomized ports, which ultimately made network tracing and provider-level mitigation more manageable. 

The same botnet has been connected to other record-setting cyber incidents in recent months. Cloudflare previously associated Aisuru with an attack that measured 22.2 Tbps and generated over 10.6 billion packets per second in September 2025, one of the highest traffic bursts observed in a short-duration DDoS event. Despite lasting only 40 seconds, that incident was comparable in bandwidth consumption to more than one million simultaneous 4K video streams. 

Within the same timeframe, researchers from Qi’anxin’s XLab division attributed another 11.5 Tbps attack to Aisuru and estimated the botnet was using around 300,000 infected devices. XLab’s reporting indicates rapid expansion earlier in 2025 after attackers compromised a TotoLink router firmware distribution server, resulting in the infection of approximately 100,000 additional devices. 

Industry reporting also suggests the botnet has targeted vulnerabilities in consumer equipment produced by major vendors, including D-Link, Linksys, Realtek-based systems, Zyxel hardware, and network equipment distributed through T-Mobile. 

The botnet’s growing presence has begun influencing unrelated systems such as DNS ranking services. Cybersecurity journalist Brian Krebs reported that Cloudflare removed several Aisuru-controlled domains from public ranking dashboards after they began appearing higher than widely used legitimate platforms. Cloudflare leadership confirmed that intentional traffic manipulation distorted ranking visibility, prompting new internal policies to suppress suspected malicious domain patterns. 

Cloudflare disclosed earlier this year that DDoS attacks across its network surged dramatically. The company recorded a 198% quarter-to-quarter rise and a 358% year-over-year increase, with more than 21.3 million attempted attacks against customers during 2024 and an additional 6.6 million incidents directed specifically at its own services during an extended multi-vector campaign.
Read more »
Security Flaws
Cyber Security Extension Malware Detection Malwares Marketplace Microsoft Microsoft security Ransomwares Security Flaws

Ransomware Found in VSCode Extensions Raises Concerns Over Microsoft’s Security Review

 

Cybersecurity experts have discovered ransomware hidden within two Visual Studio Code (VSCode) Marketplace extensions, raising concerns about Microsoft’s ability to detect malicious software in its platform. The compromised extensions, named “ahban.shiba” and “ahban.cychelloworld,” were downloaded by users before security researchers flagged them and they were subsequently removed. 

Despite Microsoft’s security measures, the extensions remained publicly accessible for a significant period, highlighting potential gaps in the company’s review process. The “ahban.cychelloworld” extension was first uploaded on October 27, 2024, followed by “ahban.shiba” on February 17, 2025. The VSCode Marketplace, designed to provide developers with additional tools for Microsoft’s popular coding platform, has come under scrutiny for failing to identify these threats. 

Researchers at ReversingLabs determined that both extensions included a PowerShell script that connected to a remote Amazon Web Services (AWS) server to download further malicious code. This secondary payload functioned as ransomware, though evidence suggests it was still in a testing phase. 

Unlike traditional ransomware that encrypts entire systems, this malware specifically targeted files stored in C:\users%username%\Desktop\testShiba.  Once the encryption was complete, victims received a Windows notification stating: “Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them.” However, no further instructions or payment details were provided, suggesting the malware was not yet fully developed.  

Although Microsoft eventually removed the extensions, security researcher Italy Kruk from ExtensionTotal disclosed that their automated detection system had identified the malicious code much earlier. Kruk stated that they had alerted Microsoft about the issue but received no response. Further analysis revealed that the initial version of “ahban.cychelloworld” was clean, but the ransomware was introduced in version 0.0.2, which was released on November 24, 2024. ExtensionTotal flagged this version to Microsoft on November 25, yet the extension remained available for months. 

During this time, five more versions were uploaded, all containing the same ransomware. This case has intensified concerns about Microsoft’s ability to monitor third-party extensions effectively. The security lapse within the VSCode Marketplace highlights the risk developers face when downloading extensions, even from official sources. Microsoft has previously faced criticism for both slow responses to security threats and for mistakenly removing non-malicious extensions. 

A notable example involved two popular VSCode themes, ‘Material Theme – Free’ and ‘Material Theme Icons – Free,’ which were taken down due to suspected obfuscated JavaScript. However, after further review, Microsoft determined the extensions were safe, reinstated them, and apologized, promising improvements to its security screening process. The presence of ransomware in widely used developer tools underscores the need for stronger security measures. Developers must stay cautious, regularly update security protocols, and carefully evaluate third-party extensions before installing them, even when they come from official platforms like the VSCode Marketplace.
Read more »
Microsoft security
ASP.NET cryptographic keys Cyber Crime Fraud Management Microsoft security

Hackers Exploit Exposed Security Keys to Inject Code into Websites

 



Cybercriminals are exploiting leaked cryptographic keys to manipulate authentication systems, decode protected data, and install harmful software on vulnerable web servers. These attacks can give hackers unauthorized control over websites and would allow them to maintain access for long periods.  


How Hackers Use Publicly Available Keys

Microsoft's cybersecurity experts have recently detected a new wave of Internet threats in which attacking groups use exposed ASP.NET machine keys to break into web applications. These keys are sometimes kept private, but they were nonetheless discovered in public code repositories so that hackers could easily gain access to and misuse them.  

Once the criminal possess this key, he would be able to manipulate ViewState, a methodology in ASP.NET Web Forms considered to store and manipulate user data between page interactions. If ViewState data with malicious content is injected by the attacker, the web server would then validate it and process it, allowing the hacker to execute harmful commands on that system.  

Microsoft, on its part, is tracking that more than 3,000 machine keys have been publicly leaked, putting numerous web applications at risk of code injection attacks.  


The Godzilla Malware Threat

In December 2024, evidence was found that an unidentified hacker group installed the military-grade malware Godzilla in a compromised machine with long-term access and control through an exposed ASP.NET machine key:  

Once this malware makes its way into the compromised system, the hackers can:  

- Run unauthorized commands on the web server.  

- Install additional malware to expand their control.  

- Maintain access even if initial security gaps are patched.  

Microsoft states these attacks are particularly concerning since leaked keys are available to the public, thus allowing many attackers to take advantage of this vulnerability.  


Why Publicly Exposed Machine Keys Are Dangerous

Previously, attackers sold stolen cryptographic keys in underground markets, but Microsoft now finds this case to be many freely exposed keys on public sites. It sure enhances the risks of exploitation.  

The threats include:  

- Developers could unwittingly copy exposed keys into genuinely existing projects, thereby rendering their applications exploitable.  

- Attackers could set up a script to carry out attacks against the known keys, which would allow for widespread exploitation.  

- One compromised key can cause a breach in multiple applications.  


Recommendations From Microsoft Security

To defend against these attacks, Microsoft thus recommends that organizations carry out the following:  

- Never use publicly available machine keys; generate application-specific keys at all times.  

- To limit the risks of long-term exposure, regular updates and rotations to cryptographic keys should be put into practice.  

- Check for exposed keys using Microsoft security tools and revoke any that are found.  

- Securely upgrade ASP.NET applications to the most recent version, preferably ASP.NET 4.8, which will have the strongest security protections.  

- Strengthening Windows Servers from persistent malwares through enabling security modules like Antimalware Scan Interface (AMSI) and attack surface reduction rules.  


What to Do If a System Has Been Compromised

If an organization feels its servers are under attack, it is insufficient to merely replace machine keys to avert any subsequent attacks. Microsoft suggests:  

1. To pay for a complete security investigation in order to search for backdoors and unauthorized users.  

2. Clear all malicious scripts and files from the system.  

3. Rebuild the server if necessary, to clear any other prospects of threats.  

Organizations using ASP.NET applications in web farms should replace remaining machine keys with automatically generated values that are securely stored in the system registry.  

Over 3,000 exposed cryptographic keys entail a major concern for cybersecurity since attacking groups can easily compromise web applications. Such a breach also becomes dreadful because it allows hackers to stay undetected in the system for long-spanning periods of time.  

Thus, in a bid to stay safe, businesses and developers ought to avoid using public keys, update their security settings regularly and harden defenses against malware. Every step above can assist the organizations in keeping unauthorized people out thus securing their web applications against exploitation.




Read more »
Subscribe to: Posts (Atom)