Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cyber attack. Show all posts
Hackers
crypto theft 2025 cryptocurrency theft cyber attack Cyber Attacks Hackers

Crypto Thefts Hit Record $2.7 Billion in 2025

 

Hackers stole more than $2.7 billion in cryptocurrency in 2025, setting a new annual record for crypto-related thefts, according to data from multiple blockchain monitoring firms. 

The losses were driven by dozens of attacks on cryptocurrency exchanges and decentralized finance projects during the year. The largest incident was a breach at Dubai-based exchange Bybit, where attackers made off with about $1.4 billion worth of digital assets. 

Blockchain analysis firms and the FBI have attributed the attack to North Korean state-backed hackers, who have become the most prolific crypto thieves in recent years. 

The Bybit breach was the biggest known cryptocurrency theft to date and ranks among the largest financial heists on record. Previous major crypto hacks include the 2022 attacks on Ronin Network and Poly Network, which resulted in losses of $624 million and $611 million, respectively. 

Blockchain analytics firms Chainalysis and TRM Labs both estimated total crypto thefts at around $2.7 billion in 2025. Chainalysis said it also tracked an additional $700,000 stolen from individual crypto wallets. 

Web3 security firm De.Fi, which maintains the REKT database of crypto exploits, reported a similar total. North Korean hackers accounted for the majority of losses, stealing at least $2 billion during the year, according to Chainalysis and Elliptic. 

Elliptic estimates that North Korean-linked groups have stolen roughly $6 billion in cryptocurrency since 2017, funds that analysts say are used to support the country’s sanctioned nuclear weapons program. 

Other significant incidents in 2025 included a $223 million hack of decentralized exchange Cetus, a $128 million breach at Ethereum-based protocol Balancer, and a theft of more than $73 million from crypto exchange Phemex. 

Crypto-related cybercrime has continued to rise in recent years. Hackers stole about $2.2 billion in digital assets in 2024 and roughly $2 billion in 2023, underscoring persistent security challenges across the cryptocurrency ecosystem.
Read more »
DIG AI
cyber attack CyberCrime Darknet AI Tool DIG AI

Darknet AI Tool DIG AI Fuels Automated Cybercrime, Researchers Warn

 

Cybersecurity researchers have identified a new darknet-based artificial intelligence tool that allows threat actors to automate cyberattacks, generate malicious code and produce illegal content, raising concerns about the growing criminal misuse of AI. 

The tool, known as DIG AI, was uncovered by researchers at Resecurity and first detected on September 29, 2025. Investigators said its use expanded rapidly during the fourth quarter, particularly over the holiday season, as cybercriminals sought to exploit reduced vigilance and higher online activity. 

DIG AI operates on the Tor network and does not require user registration, enabling anonymous access. Unlike mainstream AI platforms, it has no content restrictions or safety controls, researchers said. 

The service offers multiple models, including an uncensored text generator, a text model believed to be based on a modified version of ChatGPT Turbo, and an image generation model built on Stable Diffusion. 

Resecurity said the platform is promoted by a threat actor using the alias “Pitch” on underground marketplaces, alongside listings for drugs and stolen financial data. The tool is offered for free with optional paid tiers that provide faster processing, a structure researchers described as a crime-as-a-service model. 

Analysts said DIG AI can generate functional malicious code, including obfuscated JavaScript backdoors that act as web shells. Such code can be used to steal user data, redirect traffic to phishing sites or deploy additional malware. 

While more complex tasks can take several minutes due to limited computing resources, paid options are designed to reduce delays. Beyond cybercrime, researchers warned the tool has been used to produce instructions for making explosives and illegal drugs. 

The image generation model, known as DIG Vision, was found capable of creating synthetic child sexual abuse material or altering real images, posing serious challenges for law enforcement and child protection efforts. 

Resecurity said DIG AI reflects a broader rise in so-called dark or jailbroken large language models, following earlier tools such as FraudGPT and WormGPT. 

Mentions of malicious AI tools on cybercrime forums increased by more than 200% between 2024 and 2025, the firm said. 

Researchers warned that as AI-driven attack tools become easier to access, they could be used to support large-scale cyber operations and real-world harm, particularly ahead of major global events scheduled for 2026.
Read more »
VPN attack
Cisco cyber attack State Sponsored Hackers VPN attack

China-linked Hackers Exploit Critical Cisco Zero-day as VPN Attacks Surge

 

A China linked advanced persistent threat has been exploiting a previously unknown vulnerability in Cisco email security appliances, while a separate wave of large scale brute force attacks has targeted virtual private networks from Cisco and Palo Alto Networks, security researchers said. 

Cisco said on Wednesday it had identified a threat group it tracks as UAT 9686 that has been abusing a critical zero day flaw in appliances running its AsyncOS software. The vulnerability, tracked as CVE 2025 20393, carries a maximum severity score of 10 and remains unpatched. 

AsyncOS powers Cisco Secure Email Gateway and Secure Email and Web Manager products, which are used to protect organisations from spam and malware and to centrally manage email security systems. The flaw affects systems where the Spam Quarantine feature is enabled and accessible from the internet. 

Under those conditions, attackers can bypass normal controls, gain root level access and run arbitrary commands on the appliance and potentially connected systems. Cisco said the activity dates back to at least late November. 

According to Cisco Talos, UAT 9686 used the vulnerability to deploy multiple tools after gaining access, including the open source tunnelling utility Chisel and a custom malware family known as Aqua. 

The main backdoor, AquaShell, is a lightweight Python implant that is delivered as encoded data and hidden within existing system files. It is accompanied by tools designed to erase logs and maintain persistent remote access through encrypted connections. 

Talos said the group’s infrastructure and techniques overlap with known Chinese cyber espionage actors such as APT41 and UNC5174. Cisco said it has advised customers to disable internet access to the Spam Quarantine feature as a temporary measure and is working on a permanent fix. 

Separately, researchers observed a sharp spike in brute force attacks against VPN services shortly after Cisco detected the email security campaign.

GreyNoise said that within a 16 hour window, more than 10,000 unique IP addresses generated about 1.7 million authentication attempts against Palo Alto Networks GlobalProtect VPNs. 

The activity largely targeted organisations in the United States, Mexico and Pakistan. The following day, similar attacks shifted to Cisco VPN endpoints, with a significant rise in automated login attempts. 

The campaign relied on standard SSL VPN login flows and appeared aimed at identifying weak or reused credentials. The activity stopped as abruptly as it began. GreyNoise said such short lived, high volume attacks are often used to quickly map exposed systems before defenders can respond. 

The firm advised organisations to review edge device security, enforce strong passwords and enable multifactor authentication, noting that operational complexity and fear of disruption often delay such measures despite their importance.
Read more »
Zero Click Exploit
APT28 Cloud Data Theft cyber attack GRU Hackers Malware Chain Attack Sandworm APT44 Task Scheduler Flaw Vulnerabilities and Exploits Windows Vulnerability Zero Click Exploit

Russian Threat Actors Deploy Zero-Click Exploit in High-Impact Attack on France


 

The end of 2025 and global cybersecurity assessments indicated that one of the most formidable state-aligned hacking units in Russia has changed its tactics significantly. It has been widely reported that state-sponsored threat actors linked to the GRU's cyber-operations arm, widely known by various nicknames such as Sandworm, APT44, and Microsoft's Seashell Blizzard cluster, are recalibrating their approach with noticeable precision as they approach their target market. 

A group that once was renowned for exploiting zero-day vulnerabilities and newly disclosed ones with high-profile and disruptive effects, the group has now shifted into a quieter, yet equally strategic approach, systematically targeting weaknesses resulting from human and network misconfigurations rather than exploits resulting from cutting-edge techniques.

The analysis published by Amazon Threat Intelligence, based on findings obtained by Amazon’s Threat Intelligence division, illustrates this shift, revealing that the cluster is increasingly concentrating on exploiting incorrectly configured network edge devices, suggesting a deliberate move away from overt zero-day or zero-n-day intrusion techniques to the use of sustained reconnaissance and exploitation of exposed infrastructure at the digital perimeter, signaling an intentional shift away from overt zero-day or n-day intrusion techniques. 

An intrusion campaign that lasted only a few weeks, but was exceptionally powerful, was uncovered in early October by investigators attributed to RomCom, a Russia-connected advanced persistent threat group that has also been identified by Storm 0978, Tropical Scorpius, and UNC2596. 

The ESET cybersecurity researchers found malicious files on a Russian-managed server on October 8, and they traced the availability of these malicious files back to October 3, just five days before they were discovered by the researchers. 

The technical analysis revealed that both of these files exploited two previously unknown zero-day vulnerabilities, one of which affected Mozilla browsers used both in Firefox and Tor environments, while the other was targeted at a Windows operating system vulnerability. 

By combining these weaknesses, it became possible for RomCom to deliver a silent backdoor to any device accessing a compromised website without the visitor interacting with them, consenting to them, or even clicking a single button. 

Although attackers initially had the capability of executing arbitrary code globally on a global scale, the exposure window remained narrow even though attackers had the capability. Romain Dumont, a malware researcher for ESET, noted that while the operation was constrained by quick defensive actions, highlighting that even though the vulnerabilities were severe, they were patched within days, sharply limiting the likelihood of mass compromises occurring. 

A deliberate and multilayered attack chain was used to perpetrate the intrusion in a manner that was designed for both reach and discretion. It was the first part of the campaign where a browser-level vulnerability was exploited to gain access to a target computer by invoking it, and this setup created the conditions for a secondary breach that was made possible via a critical flaw within the Windows Task Scheduler service known as CVE-2024-49039. 

An insufficient ability to handle permissions enabled malicious tasks to execute without being detected by security prompts or requiring the user's consent. As a result of linking the two vulnerabilities, the attackers were able to achieve a zero-click compromise by granting complete system control when a victim loaded a booby-trapped webpage, eliminating traditional interaction-based warnings. 

There is a concealed PowerShell process in the payload that connects to a remote command server, downloads malware and deploys it aggressively in rapid succession, so the infection timeline can be compressed to near on-the-spot execution as a result. 

As researchers noted, the initial distribution vector of the attack is unclear, but the operational design strongly emphasized automation, persistence, and a minimal forensic footprint, which reduced visible indications of compromise and complicated the investigation of the incident afterward.

There has been a continuous coordination of Russian-aligned cyber units across geopolitical targets during the same monitoring period, with the country of Ukraine experiencing most sustained pressure during the period. 

Despite the fact that Gamaredon appears to have been linked with Russia's Federal Security Service and has been tracked by several security indices such as Primitive Bear, UNC530, and Aqua Blizzard, it continues to be the most active hacker targeting Ukrainian government networks. As well as improving malware obfuscation frameworks, the group deployed a cloud-enabled file stealer called PteroBox that used legitimate services like Dropbox to extract data. 

Fancy Bear, a cyber-intelligence division of the GRU reportedly responsible for APT28, expanded Operation RoundPress at the same time, refining its exploitation of cross-site scripting vulnerabilities within webmail platforms. 

The attacker leveraged the zero-day vulnerability in the MDaemon Email Server (CVE-2024-11182) to exploit the penetration of Ukrainian private-sector systems using a zero-day exploit. One of the clusters linked to GRU, Sandworm, was also indexed under APT44 and has traditionally been associated with disruptive campaigns that targeted Ukrainian energy infrastructure, exploiting weaknesses in Active Directory Group Policies, which enabled it to deploy ZEROLOT, a new tool designed to destroy networks. A parallel investment in high-impact exploit development was demonstrated at RomaCom, a company operating within a broader Russian-aligned threat ecosystem.

It chained zero-day vulnerabilities across widely used software platforms, including Firefox and Windows, confirming that zero-interaction intrusion methods are gaining traction, reinforcing the trend toward zero-interaction intrusion methods. In addition to putting these operations into a global context, ESET’s intelligence reports also identified persistent activity from state-backed groups in the context of the operations. 

APT actors aligned with China, such as Mustang Panda, have continued a campaign against governments and maritime transportation companies by using Korplug loaders and weaponized USB vectors, while PerplexedGoblin has deployed the NanoSlate espionage backdoor against a government network in Central Europe.

The operations of North Korea-aligned threat actors, such as Kimsuky and Konni, increased significantly in early 2025 after a temporary decline in late 2024 as they shifted their attentions from South Korean institutions to in-country diplomatic personnel. Andariel reappeared after nearly a year of being out of the game, when an industrial software provider in South Korea was breached, while DeceptiveDevelopment continued to conduct social engineering operations to spread the multi-platform WeaselStore malware.

This led to the spreading of fraudulent cryptocurrency and finance job postings, which enabled the malware to be distributed on multiple platforms. The APT-C-60 group also uploaded to VirusTotal in late February 2025 a VHDX archive containing an encrypted downloader and a malicious shortcut, which is internally called RadialAgent and uploaded through a Japan-based submission to the web security company. 

ESET's leadership explained that the disclosures were only a small portion of the intelligence data gathered during that period, however they did represent a broad tactical trajectory that was reflected in the disclosures. To increase the effectiveness of their operations, threat actors have increasingly prioritized stealth, infrastructure exposure, malware modularity, and long-range intrusion campaigns that align with active geopolitical fault lines in order to increase their operational efficiency. 

It remains unclear how the exploit chain is likely to impact the victims as well as the precise scope of damages caused. The identities of the victims who may have been affected remain unclear. This underscores the difficulty of uncovering campaigns that are designed for speed and opacity. 

A pronounced concentration of targets has been observed across North America and Europe based on ESET's telemetry. Investigators have been able to confirm this based on ESET's telemetry. The Czech Republic, France, Germany, Poland, Spain, Italy, and the United States are among the notable clusters, and New Zealand and French Guiana have been identified as having a smaller number of dispersed cases. 

There was no evidence of compromise among any of the victims tracked by ESET that had used the Tor browser even though the exploit theoretically was capable of reaching users accessing the web from privacy-hardened environments. According to Damien Schaeffer, a senior malware researcher at ESET, it may have been the configuration differences between Tor and standard Firefox, particularly the default permission settings, that disrupted the exploit's execution path, an idea that is reinforced by the target profile of the exploit. 

In the period between RomCom's activities and the period after it, it seemed that its activities were focused primarily on corporate networks and commercial infrastructure, environments that tended not to use Tor, limiting the exploit's viability in those channels. The two vulnerabilities in the chain, Mozilla's CVE-2024-9680 and Windows Task Scheduler's CVE-2024-49039, were remediated and fixed since then. In the case of the attack, the payload was triggered by a permissions error in the Windows Task Scheduler service that caused it to connect to a remote command server and retrieve malicious software without generating security prompts or requiring the user to authorize the process. 

This allowed the attack to execute. Infections had a consistent exposure point - loading a compromised or counterfeit website - which led to the deployment sequence running to completion within seconds. There were very few observable indicators and it was very difficult to detect an endpoint once the infection had been installed. In the middle of October, Mozilla released browser patches for Firefox and Tor, followed by a Thunderbird security update on October 10. 

The vulnerability disclosure was received about 25 hours after Thunderbird's security update was released. A Microsoft security update on Windows was released on Nov. 12, which effectively ended the exploit chain, effectively severing any systemic exposure before it could be widespread. 

As researchers have acknowledged, the original distribution vector used in seeding the infected URLs has yet to be identified, further raising concerns about the group's preference for automated campaigns over traceability campaigns. 

It is important to note that even though the operation was ultimately limited by the rapid vendor response, cybersecurity specialists continue to emphasize the importance of routinely verifying software updates and to urge users and businesses to ensure that all necessary browser patches are applied. Additionally, industry experts are advocating a more rigorous validation of digital touchpoints, particularly in corporate environments, warning that infrastructure exposure, rather than novelty software, is increasingly becoming the weakest link in high-impact intrusion chains, which, if not removed, will lead to increased cyber-attacks. 

As 2025 dawned on us, a stark reminder was in front of us that today's cyber conflict is no longer simply defined by the discovery of rare vulnerabilities, but by the strategic exploitation of overlooked ones, as well. In spite of the fact that RomCom and the broader Russia-aligned threat ecosystem have been implicated in a number of incidents, operational success has become increasingly dependent on persistence, infrastructure visibility, and abuse of trust - whether through network misconfiguration, poisoned policy mechanisms, or malware distribution without interaction. 

There has been a limited amount of disruption since Mozilla and Microsoft released their patches, but there remains some uncertainty around initial link distribution, victim identification, and possible data impact, which illustrates a broader truth: even short access to powerful exploit chains can have lasting consequences that go far beyond their lifetime. 

There is a growing awareness among security experts that defense must evolve at the same pace as offense, so organizations should implement layered intrusion monitoring systems, continuous endpoint behavior analyses, stricter identity policy audits, and routinely verifying the integrity of software as a replacement for updating only providing security. 

A greater focus on the external digital assets, supply chains, and risks of cloud exfiltration will be critical in the year to come. As a result of the threat landscape in 2025, there is clear evidence that resilience can be built not only by applying advanced tools, but also through disciplined configuration hygiene, rapid incident transparency, and an attitude towards security that anticipates rather than reacts to compromise.
Read more »
State sponsored groups
cyber attack Cyber Attacks data security State sponsored groups

Chinese-linked Browser Extensions Linked to Corporate Espionage Hit Millions of Users

 

A Chinese-linked threat actor has been tied to a third large-scale malicious browser extension campaign that has compromised data from millions of users across major web browsers, according to new findings by cybersecurity firm Koi Security. 

The latest campaign, dubbed DarkSpectre, has affected about 2.2 million users of Google Chrome, Microsoft Edge and Mozilla Firefox, the researchers said. 

DarkSpectre has now been linked to two earlier campaigns known as ShadyPanda and GhostPoster, bringing the total number of impacted users across all three operations to more than 8.8 million over a period exceeding seven years. 

Koi Security said the activity appears to be the work of a single Chinese threat actor that it tracks under the name DarkSpectre. The campaigns relied on seemingly legitimate browser extensions that were used to steal data, hijack search queries, manipulate affiliate links and conduct advertising fraud. 

ShadyPanda, which Koi disclosed earlier this month, was found to have affected about 5.6 million users through more than 100 malicious or compromised extensions across Chrome, Edge and Firefox. Some of these extensions remained benign for years before being weaponised through updates. 

One Edge extension waited three days after installation before activating its malicious code, a tactic designed to evade store review processes. The second campaign, GhostPoster, primarily targeted Firefox users with utilities and VPN-style add-ons that injected malicious JavaScript to hijack affiliate traffic and carry out click fraud. 

Investigators also identified related extensions on other browsers, including an Opera add-on masquerading as a Google Translate tool that had close to one million installs. The newly attributed DarkSpectre campaign, also referred to by researchers as the Zoom Stealer operation, involved at least 18 extensions designed to collect sensitive data from online meetings. 

These extensions harvested meeting links, embedded passwords, meeting IDs, topics, schedules and participant details from platforms such as Zoom, Google Meet, Microsoft Teams, Cisco WebEx and GoTo Webinar. 

Researchers said the extensions posed as tools for recording or managing video meetings but quietly exfiltrated corporate meeting intelligence in real time using WebSocket connections. 

The stolen data also included details about webinar hosts and speakers, such as names, job titles, company affiliations and promotional materials. 

“This isn’t consumer fraud, this is corporate espionage infrastructure,” Koi Security researchers Tuval Admoni and Gal Hachamov said in media. They warned that the information could be sold to other threat actors or used for targeted social engineering and impersonation campaigns. 

Koi Security said indicators linking the activity to China included the use of command and control servers hosted on Alibaba Cloud, Chinese-language artifacts in the code, and registrations tied to Chinese provinces. 

Some fraud activity was also aimed at Chinese e-commerce platforms. The researchers cautioned that additional extensions linked to the same actor may still be active but dormant, building trust and user bases before being turned malicious through future updates.
Read more »
Cyberspace Threats
Check Point research cyber attack Cyber Attacks Cyberspace Threats

Initial Access Brokers Now Central to Cyberattacks: Report

 

The market for initial access brokers has expanded rapidly over the past two years, creating a system that allows advanced threat actors to outsource the early stages of an intrusion, according to new research from Check Point. The report says this growth has made it easier for both nation-state groups and criminal actors to breach a larger number of targets. 

Check Point notes that the rise of the IAB economy coincides with the growing use of cyberspace by governments as a tool for projecting power. The firm is urging policymakers and businesses to strengthen identity security, secure software supply chains and improve the resilience of operational technology systems. 

“Once considered peripheral players, IABs have become a critical node in the cyber-criminal supply chain, lowering barriers to entry for sophisticated operations and enabling rapid campaign scaling,” Check Point said. 

By paying IABs to handle initial access at scale, threat actors can move faster and avoid the risks associated with the early stages of an attack. According to the report, “state-backed groups and sophisticated criminal actors can reduce operational risk, accelerate execution timelines, and scale their campaigns across dozens of targets simultaneously.” 

This growing reliance on brokers also complicates attribution. When an IAB is involved, IT teams and investigators often struggle to determine whether an attack was carried out by a government-backed group or by a criminal operation. 

For this reason, Check Point says that “IAB activity is no longer a peripheral criminal phenomenon but a force multiplier in the broader offensive ecosystem, one that directly supports espionage, coercive operations, and potential disruption of U.S. government and critical infrastructure networks.” 

The report also highlights a sharp rise in IAB activity targeting essential sectors. Healthcare saw nearly 600 percent more IAB-related attacks in 2024 compared with 2023. Government, education and transportation networks were also significantly affected. 

Check Point says these increases reflect both higher demand from adversaries for access to sensitive environments and the growing professionalisation of the IAB marketplace, where access to critical systems is treated as a commodity. 

The research links this broader trend to rising geopolitical tensions and the changing role of nation-state hacking. “Cyber operations have evolved from opportunistic disruptions and intelligence-gathering into deliberate, coordinated campaigns designed to achieve political, economic, and strategic outcomes,” the report says. 

According to Check Point, the line between geopolitics and cyber activity has largely disappeared. State-aligned groups are using digital operations to shape crises, signal intent and impose costs on rivals, often below the threshold of open conflict. 

The firm notes that spikes in geopolitical risk are closely followed by spikes in targeted cyberattacks against U.S. government systems. “Cybersecurity is no longer just a technical issue; it is a strategic imperative,” Check Point said. The report argues that resilience, deterrence and rapid recovery must now be treated as national security priorities on the same level as traditional defence planning.
Read more »
Vulnerability
cyber attack React2Shell Vulnerabilities and Exploits Vulnerability

React2Shell Exploited Within Hours as Firms Rush to Patch

 

Two hacking groups linked to China have started exploiting a major security flaw in React Server Components (RSC) only hours after the vulnerability became public. 

The flaw, tracked as CVE-2025-55182 and widely called React2Shell, allows attackers to gain unauthenticated remote code execution, potentially giving them full control over vulnerable servers. 

The security bug has a maximum CVSS score of 10.0, which represents the highest level of severity. It has been fixed in React versions 19.0.1, 19.1.2 and 19.2.1, and developers are being urged to update immediately. According to a report shared by Amazon Web Services, two China-nexus groups named Earth Lamia and Jackpot Panda were seen attempting to exploit the flaw through AWS honeypot systems. 

AWS said the activity was coming from infrastructure previously tied to state-linked cyber actors. Earth Lamia has previously targeted organizations across financial services, logistics, retail, IT, universities and government sectors across Latin America, the Middle East and Southeast Asia. 

Jackpot Panda has mainly focused on sectors connected to online gambling in East and Southeast Asia and has used supply chain attacks to gain access. The group was tied to the 2022 compromise of the Comm100 chat application and has used trojanized installers to spread malware. 

AWS also noted that attackers have been exploiting the React vulnerability alongside older bugs, including flaws in NUUO camera systems. Early attacks have attempted to run discovery commands, create files and read sensitive information from servers. 

Security researchers say the trend shows how fast attackers now operate: they monitor new vulnerability announcements and add exploits to their scanning tools immediately to increase their chances of finding unpatched systems. 

A brief global outage at Cloudflare this week added to industry concern. Cloudflare confirmed that a change to its Web Application Firewall, introduced to help protect customers from the newly disclosed React flaw, caused disruption that led many websites to return “500 Internal Server Error” messages. 

The company stressed that the outage was not the result of a cyberattack. The scale of the React vulnerability is a major concern because millions of websites rely on React and Next.js, including large brands such as Airbnb and Netflix. 

Security researchers estimate that about 39 percent of cloud environments contain vulnerable React components. A working proof-of-concept exploit is already available on GitHub, raising fears of mass exploitation. Experts warn that even projects that do not intentionally use server-side functions may still be exposed because the affected components can remain enabled by default. 

Cybersecurity firms and cloud providers are urging organizations to take action immediately: 


  1. Apply official patches for React, Next.js and related RSC frameworks.
  2. Enable updated Web Application Firewall rules from providers including AWS, Cloudflare, Google Cloud, Akamai and Vercel.
  3. Review logs for signs of compromise, including suspicious file creation, attempts to read sensitive data or reconnaissance behavior.

Although widespread exploitation has not yet been confirmed publicly, experts warn that attackers are already scanning the internet at scale. 
Read more »
trending news
CloudFlare cyber attack Cyber Attacks DDOS Attacks trending news

Cloudflare Blocks Largest DDoS Attack in History as Global Cyber Threats Surge

Cloudflare announced on Wednesday that it has detected and stopped the largest distributed denial of service (DDoS) attack ever recorded. 

The attack peaked at 29.7 terabits per second and lasted 69 seconds. The company said the traffic came from a botnet-for-hire called AISURU, which has been behind several extreme DDoS incidents over the past year. Cloudflare did not reveal the name of the targeted organization. 

AISURU has repeatedly targeted telecommunication companies, gaming platforms, hosting providers and financial services. 

Cloudflare said it also blocked another massive attack from the same botnet that reached 14.1 billion packets per second. Security researchers estimate that AISURU is powered by one to four million infected devices across the world. 

According to Cloudflare, the record-breaking event was a UDP carpet bombing attack that hit around 15,000 ports per second. The attackers randomised packet properties to get past defences, but Cloudflare’s automated systems detected and neutralised the traffic. Cloudflare has recorded 2,867 AISURU attacks since the beginning of 2025. 

Out of these, 1,304 hyper volumetric attacks happened in the third quarter of this year alone. In total, the company blocked 8.3 million DDoS attacks during the same period. That number is 15 percent higher than the previous quarter and 40 percent higher than the same period last year. 

So far in 2025, Cloudflare has mitigated 36.2 million DDoS attacks, and the year is not yet over. The company highlighted a rapid increase in network layer attacks, which now make up 71 percent of all recorded attacks. 

Meanwhile, HTTP DDoS attacks declined in comparison. The report also shows major changes in the global DDoS landscape. The number of attacks that went above 100 million packets per second jumped by 189 percent quarter over quarter. In addition, 1,304 attacks exceeded one terabit per second. 

Cloudflare noted that most attacks last for less than 10 minutes, which leaves very little time for manual intervention and can still cause long service disruptions. 

The list of attack sources is dominated by Asia. Indonesia has remained the world’s biggest source of DDoS attacks for an entire year, followed by other locations such as Thailand, Bangladesh, Vietnam, India, Hong Kong and Singapore. Ecuador, Russia and Ukraine make up the remaining top ten. 

Several industries have seen major increases in targeting. Attacks against the mining, minerals and metals sector rose sharply and pushed it to the 49th most attacked industry worldwide. The automotive industry experienced the largest jump and is now the sixth most attacked. 

DDoS attacks targeting artificial intelligence companies rose by 347 percent in September alone. Across all sectors, information technology and services faced the most attacks. Telecommunications, gambling, gaming and internet services were also among the hardest hit. 

The most attacked countries this year include China, Turkey, Germany, Brazil, the United States and Russia. Cloudflare said the scale and sophistication of current DDoS activity marks a turning point for global cybersecurity. 

The company warned that many organizations are struggling to keep up with attackers who now operate with far more power and speed than ever before.
Read more »
Subscribe to: Comments (Atom)