
AISURU/Kimwolf Botnet Behind Record 31.4 Tbps DDoS Attack, Cloudflare Reveals

A massive distributed denial-of-service (DDoS) assault reaching an unprecedented peak of 31.4 terabits per second (Tbps) has been attributed to the AISURU/Kimwolf botnet. The attack, which lasted just 35 seconds, is now being described as one of the largest hyper-volumetric DDoS events ever recorded.

Cloudflare said it automatically identified and blocked the activity, noting that the incident was part of a wider surge in hyper-volumetric HTTP DDoS attacks linked to AISURU/Kimwolf during the fourth quarter of 2025. The specific attack occurred in November 2025.

The botnet has also been associated with a separate campaign dubbed The Night Before Christmas, which began on December 19, 2025. According to Cloudflare, attacks observed during this campaign averaged 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps). At their peak, the attacks escalated to 9 Bpps, 24 Tbps, and 205 Mrps.

"DDoS attacks surged by 121% in 2025, reaching an average of 5,376 attacks automatically mitigated every hour," Cloudflare's Omer Yoachimik and Jorge Pacheco said. "In 2025, the total number of DDoS attacks more than doubled to an incredible 47.1 million."

The web infrastructure firm reported mitigating 34.4 million network-layer DDoS attacks throughout 2025, a sharp increase from 11.4 million in 2024. In the final quarter of 2025 alone, network-layer incidents represented 78% of all DDoS activity. Overall, DDoS attacks climbed 31% quarter-over-quarter and rose 58% compared to the previous year. 

Hyper-volumetric DDoS attacks also saw a significant rise, increasing by 40% in Q4 2025 compared to the previous quarter, jumping from 1,304 to 1,824 incidents. Earlier in the year, Q1 2025 recorded 717 such attacks. Alongside the growing frequency, the scale of these attacks expanded dramatically, with sizes increasing by more than 700% compared to large-scale incidents observed in late 2024.

AISURU/Kimwolf is believed to have compromised over 2 million Android devices, largely unbranded Android TVs, which were absorbed into its botnet. Many of these infections were facilitated through residential proxy networks such as IPIDEA. In response, Google recently disrupted the proxy service and initiated legal action to dismantle dozens of domains used to manage infected devices and route proxy traffic.

Google also collaborated with Cloudflare to interfere with IPIDEA’s domain resolution capabilities, significantly weakening the operators’ command-and-control infrastructure.

“As part of the Google-led disruption effort, Cloudflare participated by suspending access to many accounts and domains that were misusing its infrastructure," Cloudflare told The Hacker News over email. "Threat actors were attempting to distribute malware and provide markets for people seeking access to the network of illicit residential proxies."

Investigations suggest that IPIDEA recruited infected devices using at least 600 malicious Android applications embedded with proxy SDKs, along with more than 3,000 trojanized Windows executables masquerading as OneDriveSync tools or Windows updates. The Beijing-based firm has also promoted VPN and proxy applications that covertly transformed users’ Android devices into proxy exit nodes without their awareness or permission.

Additionally, threat actors have been identified operating more than a dozen residential proxy services posing as legitimate businesses. These offerings, despite appearing separate, are all reportedly connected to a centralized infrastructure controlled by IPIDEA.

Cloudflare highlighted several additional trends observed during Q4 2025. Telecommunications companies, service providers, and carriers were the most targeted industries, followed by IT services, gambling, gaming, and software sectors. The most attacked countries included China, Hong Kong, Germany, Brazil, the United States, the United Kingdom, Vietnam, Azerbaijan, India, and Singapore.

Bangladesh overtook Indonesia as the largest source of DDoS traffic globally, with Ecuador, Indonesia, Argentina, Hong Kong, Ukraine, Vietnam, Taiwan, Singapore, and Peru also ranking among the top origins of attack traffic.

"DDoS attacks are rapidly growing in sophistication and size, surpassing what was previously imaginable," Cloudflare said. "This evolving threat landscape presents a significant challenge for many organizations to keep pace. Organizations currently relying on on-premise mitigation appliances or on-demand scrubbing centers may benefit from re-evaluating their defense strategy."

Threat Actors Leverage Hugging Face to Spread Android Malware at Scale

What initially appears to be a routine security warning for mobile devices is in fact the front end of a carefully engineered malware distribution pipeline. Researchers at Bitdefender have identified an Android campaign that uses counterfeit security applications, branded TrustBastion, as first-stage droppers for remote access Trojans.

Rather than relying on traditional malware hosting infrastructure, the operators built their delivery mechanism on Hugging Face's public platform, using its reputation and traffic profile to conceal malicious activity.

Social engineering drives the infection chain: deceptive ads and fabricated threat alerts lead users to install the malware. Once installed, the app silently retrieves a secondary payload from Hugging Face and gains persistence through extensive permission abuse.

The campaign is distinguished by a high degree of automation that produces thousands of distinct Android package variants, evading signature-based detection and complicating attribution, and it demonstrates a shift toward a more industrialized approach to mobile malware.

Starting from this initial foothold, the campaign illustrates how trusted developer infrastructure can be repurposed to support large-scale theft of mobile credentials: the threat actors used Hugging Face as a distribution channel for thousands of distinct Android application packages designed to harvest credentials for widely used financial, banking, and digital payment services.

Hugging Face, which hosts and distributes artificial intelligence, natural language processing, and machine learning models, is generally regarded as a low-risk domain, so traffic to it is less likely to trigger automated security controls or user suspicion.

Although the platform has previously been abused to host malicious AI artifacts, Bitdefender researchers point out that its use as a delivery channel for Android malware is a deliberate attempt to disguise the payload as legitimate development traffic. The infection sequence begins with the installation of an application posing as a mobile security solution called TrustBastion.

The app is promoted through scareware-style advertisements: fake warnings claim that the device has been compromised and urge immediate installation to resolve alleged threats such as phishing attempts, fraudulent text messages, and malware.

Once deployed, the application displays a mandatory update prompt that closely resembles Google Play's, reinforcing the illusion of legitimacy. Instead of embedding malicious code directly, the dropper contacts infrastructure associated with the trustbastion[.]com domain, which redirects to a Hugging Face dataset repository.

The final malicious APK is retrieved through Hugging Face's content delivery network, completing a staged payload delivery process that complicates detection and lets the attackers rotate malware variants continuously with minimal operational overhead. This stage shows why Hugging Face was deliberately built into the delivery chain.

Security controls commonly flag traffic to newly registered or low-reputation domains quickly, so threat actors route malicious activity through well-established platforms that blend into normal network behavior.

In this campaign the TrustBastion droppers do not retrieve the spyware directly from attacker-controlled infrastructure. Instead, the dropper sends a request to a website associated with the trustbastion[.]com domain, which acts as an intermediary rather than as the hosting point.

The server response does not immediately deliver a malicious application package; it returns an HTML resource containing a redirect link to a Hugging Face repository where the actual malware is hosted. By separating the initial contact point from the final malware host, the attackers add a layer of indirection that makes static analysis and takedown efforts more challenging.

According to Bitdefender, the malicious datasets were removed by Hugging Face after notification, before Bitdefender published its findings. Despite the swift response, telemetry indicates the campaign had already reached a significant number of victims before the infrastructure was dismantled. Analysis of the repositories also revealed unusually high levels of activity over a short period.

A single repository accumulated over 6,000 commits within a month, indicating a fully automated pipeline; according to Bitdefender, a new payload was generated and committed roughly every 15 minutes. Several repositories were taken offline during the campaign, but it proved resilient, reappearing under alternative redirect links with the same core codebase and only minor cosmetic changes to icons and application metadata.

The operators further undermined traditional defenses by applying polymorphic techniques to the payloads. Each uploaded APK was freshly built, retaining identical malicious capabilities while introducing small structural changes intended to defeat hash-based detection.

Bitdefender noted that while this approach improved evasion against signature-driven tools, the variants kept consistent behavioral patterns, permission requests, and network communication traits, which leaves them exposed to behavioral and heuristic analysis.
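
The detection idea in the last two paragraphs, as an added example that is not Bitdefender's code or anything from the campaign: instead of hashing the APK bytes, fingerprint the traits a polymorphic builder does not rotate (permission set, second-stage hosts, declared services) so that freshly rebuilt variants collapse into one behavioral cluster. All sample records, package names, hashes and repository paths below are constructed placeholders.

```python
"""Behavioral clustering of polymorphic Android dropper variants.

Added example; not Bitdefender's or the campaign's code. Hash-based detection
fails when every upload is a freshly rebuilt APK, but the variants described
above keep the same permission set, the same staged fetch from a public
artifact host, and the same Accessibility Service abuse. This script
fingerprints those stable traits instead of the file bytes.

Every sample record is CONSTRUCTED: package names, hashes, repository paths
and the benign control are placeholders, not real indicators.
"""
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

# Permissions that together characterize a fake "security" dropper / RAT.
HIGH_RISK_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_SMS",
}
# Reputable public platforms that can be abused as a second-stage host.
# Assumption: the defender maintains this list for their environment.
PUBLIC_ARTIFACT_HOSTS = {"huggingface.co"}


def normalize_host(url: str) -> str:
    """Host part of a URL, accepting de-fanged "[.]" notation from reports."""
    return urlparse(url.replace("[.]", ".")).netloc.lower()


def behavioral_fingerprint(sample: dict) -> str:
    """Hash only variant-stable traits: sorted permissions, contacted hosts and
    declared service names. File hash, package name, icon and label are ignored
    because those are exactly what a polymorphic builder rotates."""
    perms = sorted(sample["permissions"])
    hosts = sorted({normalize_host(u) for u in sample["network_urls"]})
    services = sorted(sample.get("declared_services", []))
    material = "\n".join(perms + ["--"] + hosts + ["--"] + services)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def risk_score(sample: dict) -> int:
    """Additive heuristic: 2 per high-risk permission, 3 for fetching from a
    public artifact host, 2 more if that fetch is a raw .apk. Weights are
    illustrative, not tuned values."""
    score = 2 * len(HIGH_RISK_PERMISSIONS & set(sample["permissions"]))
    hosts = {normalize_host(u) for u in sample["network_urls"]}
    if hosts & PUBLIC_ARTIFACT_HOSTS:
        score += 3
        if any(u.lower().endswith(".apk") for u in sample["network_urls"]):
            score += 2
    return score


def cluster_by_behavior(samples: list[dict]) -> dict[str, list[str]]:
    """Group samples by fingerprint: fingerprint -> list of file hashes, so the
    analyst sees one family where hash-based tooling sees N unrelated files."""
    groups: dict[str, list[str]] = defaultdict(list)
    for s in samples:
        groups[behavioral_fingerprint(s)].append(s["sha256"])
    return dict(groups)


# Constructed records. Variants 1 and 2 differ in every field a hash or
# package-name blocklist would key on, yet behave identically.
SAMPLES = [
    {
        "sha256": "PLACEHOLDER-HASH-1",
        "package": "com.example.trustbastion.v1", "label": "Phone Security",
        "permissions": [
            "android.permission.INTERNET",
            "android.permission.BIND_ACCESSIBILITY_SERVICE",
            "android.permission.REQUEST_INSTALL_PACKAGES",
            "android.permission.SYSTEM_ALERT_WINDOW",
            "android.permission.READ_SMS",
        ],
        "network_urls": [
            "https://trustbastion[.]com/update",
            "https://huggingface.co/datasets/PLACEHOLDER-A/resolve/main/update.apk",
        ],
        "declared_services": ["PhoneSecurityAccessibilityService"],
    },
    {
        "sha256": "PLACEHOLDER-HASH-2",
        "package": "com.example.mobileguard.v7", "label": "Mobile Guard",
        "permissions": [  # same set, different declaration order
            "android.permission.READ_SMS",
            "android.permission.SYSTEM_ALERT_WINDOW",
            "android.permission.INTERNET",
            "android.permission.REQUEST_INSTALL_PACKAGES",
            "android.permission.BIND_ACCESSIBILITY_SERVICE",
        ],
        "network_urls": [  # rotated repository, same hosts
            "https://trustbastion[.]com/update",
            "https://huggingface.co/datasets/PLACEHOLDER-B/resolve/main/upd.apk",
        ],
        "declared_services": ["PhoneSecurityAccessibilityService"],
    },
    {   # benign control: no staged fetch, no accessibility abuse
        "sha256": "PLACEHOLDER-HASH-3",
        "package": "com.example.notes", "label": "Notes",
        "permissions": ["android.permission.INTERNET"],
        "network_urls": ["https://api.example.com/sync"],
        "declared_services": [],
    },
]

if __name__ == "__main__":
    for fp, hashes in cluster_by_behavior(SAMPLES).items():
        print(f"behavior {fp}: {len(hashes)} file(s) -> {hashes}")
    for s in SAMPLES:
        print(f"{s['package']}: risk {risk_score(s)}")
```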

After installation, the malware presents itself as a benign "Phone Security" feature and walks users through enabling Android Accessibility Services, which gives the remote access trojan extensive visibility into user and on-screen activity. It then requests additional permissions to monitor activity in real time, capture sensitive screen content, and relay information to its command-and-control servers.

The malware compounds the threat by impersonating legitimate financial and payment applications such as Alipay and WeChat. By intercepting credentials and collecting lock-screen verification data, it becomes a full-spectrum credential theft and mobile surveillance tool.

From a defensive perspective, this campaign is a reminder that trust in popular platforms can be strategically exploited if security assumptions are not challenged. Because the operation combines abuse of legitimate developer infrastructure with heavy automation and polymorphic payload generation, traditional indicators alone cannot detect attacks of this type.

For Bitdefender's users, the findings reinforce the importance of catching such threats earlier in the infection chain through behavioral analysis, permission monitoring, and anomaly-based network inspection. Based on the findings, users are advised to be cautious about unsolicited security alerts and about applications requesting extensive system privileges.

The operation also highlights the growing adoption of cloud-native distribution models by mobile malware operators, and underscores the need for platform providers, security vendors, and enterprises to collaborate more closely in monitoring abuse patterns and responding quickly to emerging misuse of trusted ecosystems.

China-Linked Hackers Step Up Quiet Spying Across South-East Asia

Threat actors linked to China have been blamed for a new wave of cyber-espionage campaigns targeting government and law-enforcement agencies across South-East Asia during 2025, according to several media reports. Researchers at Check Point Research said they are tracking a previously undocumented cluster, which they have named Amaranth-Dragon, that has targeted Cambodia, Thailand, Laos, Indonesia, Singapore and the Philippines.

The activity shows technical and operational links to APT41, a well-known Chinese hacking ecosystem.

“Many of the campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events,” Check Point said. “By anchoring malicious activity in familiar, timely contexts, the attackers significantly increased the likelihood that targets would engage with the content.”

The firm described the operations as tightly scoped and deliberately restrained, suggesting an effort to establish long-term access rather than cause disruption. Infrastructure was configured to communicate only with victims in specific countries, reducing the risk of discovery. 

A key technique involved exploiting CVE-2025-8088, a now-patched flaw in WinRAR that allows arbitrary code execution when a malicious archive is opened. Check Point said the group began exploiting the vulnerability within days of its public disclosure in August. “The speed and confidence with which this vulnerability was operationalised underscores the group’s technical maturity and preparedness,” the researchers said. 

Although the initial infection vector remains unclear, analysts believe spear-phishing emails were used to distribute malicious RAR files hosted on cloud services such as Dropbox. Once opened, the archive launches a loader using DLL side-loading, a tactic frequently associated with Chinese groups. The loader then retrieves an encryption key from one server, decrypts a payload from another location and executes it directly in memory. 

The final stage deploys Havoc, an open-source command-and-control framework. Earlier versions of the campaign relied on ZIP files containing Windows shortcuts and batch files, while a separate operation in Indonesia delivered a custom remote-access trojan known as TGAmaranth RAT. That malware used a hard-coded Telegram bot for command and control and supported functions such as taking screenshots, running shell commands and transferring files. 

Check Point said the command infrastructure was shielded by Cloudflare and restricted by geography, accepting traffic only from targeted countries. Compilation times and working patterns pointed to operators based in China’s time zone. 

“In addition, the development style closely mirrors established APT41 practices,” the company said, adding that overlaps in tools and techniques suggest shared resources within the ecosystem. The findings come as another Chinese group, Mustang Panda, was linked to a separate espionage campaign uncovered by Dream Research Labs. The operation, dubbed PlugX Diplomacy, targeted officials involved in diplomacy, elections and international coordination between December 2025 and mid-January 2026.  

“Rather than exploiting software vulnerabilities, the operation relied on impersonation and trust,” Dream said. 

Victims were lured into opening files disguised as diplomatic or policy documents, which triggered infection automatically. The files installed a modified version of PlugX, a long-used Chinese espionage tool, through a multi-step process involving Windows shortcuts, PowerShell scripts and DLL search-order hijacking using a legitimate signed executable. A decoy document was shown to victims while the malware quietly embedded itself in the system. 

“The correlation between actual diplomatic events and the timing of detected lures suggests that analogous campaigns are likely to persist as geopolitical developments unfold,” Dream concluded.

CrossCurve Bridge Hit by $3 Million Exploit after Smart Contract Flaw

CrossCurve, a cross-chain bridge formerly known as EYWA, has suffered a major cyberattack after hackers exploited a vulnerability in its smart contract infrastructure, draining about $3 million across multiple blockchain networks. The CrossCurve team confirmed the incident on Sunday, saying its bridge infrastructure was under active attack and urging users to immediately stop interacting with the protocol. “Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used,” CrossCurve said in a post on X. 

“Please pause all interactions with CrossCurve while the investigation is ongoing.” Blockchain security account Defimon Alerts said the exploit stemmed from a gateway validation bypass in CrossCurve’s ReceiverAxelar contract. According to the analysis, the contract was missing a critical validation check, allowing attackers to call the expressExecute function using spoofed cross-chain messages. 

By abusing this flaw, the attackers were able to bypass the intended gateway validation logic and trigger unauthorized token unlocks on the PortalV2 contract, resulting in the loss of funds. The exploit affected CrossCurve deployments across several blockchain networks. 

Data from Arkham Intelligence, shared by Defimon Alerts, shows that the PortalV2 contract balance fell from roughly $3 million to nearly zero around Jan. 31. Transaction records indicate the attack unfolded across multiple chains rather than a single network. 

CrossCurve operates a cross-chain decentralized exchange and liquidity protocol built in partnership with Curve Finance. The system relies on what it describes as a Consensus Bridge, which routes transactions through multiple validation layers, including Axelar, LayerZero, and the EYWA Oracle Network. In its documentation, CrossCurve had described this architecture as a security advantage, stating that “the probability of several crosschain protocols getting hacked at the same time is near zero.” 

The incident, however, showed that a single smart contract flaw can still compromise a broader system. The project has backing from prominent figures in decentralized finance. Michael Egorov invested in the protocol in September 2023, and CrossCurve later said it had raised $7 million from venture capital firms. Following the exploit, Curve Finance warned users with exposure to EYWA-related pools to reassess their positions. 

“Users who have allocated votes to Eywa-related pools may wish to review their positions and consider removing those votes,” Curve Finance said on X. 

Security researchers said the attack echoes earlier bridge exploits, drawing comparisons to the 2022 Nomad bridge hack, in which about $190 million was drained after attackers discovered a faulty validation mechanism.

Iran-Linked Hackers Target Human Rights Groups in Redkitten Malware Campaign

A Farsi-speaking threat actor believed to be aligned with Iranian state interests is suspected of carrying out a new cyber campaign targeting non-governmental organizations and individuals documenting recent human rights abuses in Iran, according to a report by HarfangLab. 

The activity, tracked in January 2026 and codenamed RedKitten, appears to coincide with nationwide unrest that erupted in Iran in late 2025 over soaring inflation, rising food prices, and currency depreciation. The protests were followed by a severe security crackdown, mass casualties, and an internet blackout. 

“The malware relies on GitHub and Google Drive for configuration and modular payload retrieval, and uses Telegram for command-and-control,” HarfangLab said. 

Researchers said the campaign is notable for its apparent use of large language models to help develop and coordinate its tooling. The attack chain begins with a 7-Zip archive bearing a Farsi filename, which contains malicious Microsoft Excel files embedded with macros. 

The XLSM spreadsheets purport to list details of protesters who died in Tehran between Dec. 22, 2025, and Jan. 20, 2026. Instead, the files deploy a malicious VBA macro that acts as a dropper for a C# implant known as AppVStreamingUX_Multi_User.dll using a technique called AppDomainManager injection. HarfangLab said the VBA code itself shows signs of being generated by an LLM, citing its structure, variable naming patterns, and comments such as “PART 5: Report the result and schedule if successful.”

Investigators believe the campaign exploits the emotional distress of people searching for information about missing or deceased protesters. Analysis of the spreadsheet data found inconsistencies such as mismatched ages and birthdates, suggesting the content was fabricated. The implanted backdoor, dubbed SloppyMIO, uses GitHub as a dead drop resolver to obtain Google Drive links hosting images that conceal configuration data using steganography. This data includes Telegram bot tokens, chat IDs, and links to additional modules.

The malware supports multiple modules that allow attackers to run commands, collect and exfiltrate files, establish persistence through scheduled tasks, and launch processes on infected systems. “The malware can fetch and cache multiple modules from remote storage, run arbitrary commands, collect and exfiltrate files and deploy further malware with persistence via scheduled tasks,” HarfangLab said. “SloppyMIO beacons status messages, polls for commands and sends exfiltrated files over to a specified operator leveraging the Telegram Bot API for command-and-control.” 

Attribution to Iranian-linked actors is based on the use of Farsi-language artifacts, protest-themed lures, and tactical overlaps with earlier operations, including campaigns associated with Tortoiseshell, which previously used malicious Excel documents and AppDomainManager injection techniques. The use of GitHub as part of the command infrastructure mirrors earlier Iranian-linked operations. In 2022, Secureworks, now part of Sophos, documented a campaign by a sub-group of Nemesis Kitten that also leveraged GitHub to distribute malware. 

HarfangLab noted that reliance on widely used platforms such as GitHub, Google Drive, and Telegram complicates traditional infrastructure-based attribution but can also expose operational metadata that poses risks to the attackers themselves. The findings follow recent disclosures by U.K.-based Iranian activist and cyber investigator Nariman Gharib, who detailed a separate phishing campaign using a fake WhatsApp Web login page to hijack victims’ accounts. 

“The page polls the attacker’s server every second,” Gharib said. “This lets the attacker serve a live QR code from their own WhatsApp Web session directly to the victim.” That phishing infrastructure was also designed to request access to a victim’s camera, microphone, and location, effectively turning the page into a surveillance tool. The identity and motive of the operators behind that campaign remain unclear. 

Separately, TechCrunch reporter Zack Whittaker reported that related activity also targeted Gmail credentials using fake login pages, impacting around 50 victims across the Kurdish community, academia, government, and business sectors. The disclosures come amid growing scrutiny of Iranian-linked cyber groups following a major data leak affecting Charming Kitten, which exposed details about its operations and a surveillance platform known as Kashef. Gharib has also highlighted leaked records tied to Ravin Academy, a cybersecurity school linked to Iran’s Ministry of Intelligence and Security, which was sanctioned by the United States in 2022.

eScan Antivirus Faces Scrutiny After Compromised Update Distribution

MicroWorld Technologies has acknowledged a breach of its update distribution infrastructure: a server used to deliver eScan antivirus updates was compromised and then used to push an unauthorized file to end users.

The incident reportedly took place within a narrow two-hour window on January 20, 2026, was confined to a single regional update cluster, and affected only the small fraction of customers who downloaded updates from that cluster during that period.

Analysis confirmed that the file was malicious, demonstrating how even tightly controlled security ecosystems can be compromised when their trust mechanisms are attacked.

MicroWorld reports that the affected systems were swiftly isolated, rebuilt from clean baselines, and secured through credential rotation and customer remediation within hours; even so, the episode took place against a backdrop of continually escalating cyber risk.

The first weeks of January 2026 saw an unprecedented convergence of high-impact events: a major supply chain breach involving a global antivirus vendor, a technical assault against a European power grid, and the disclosure of fresh vulnerabilities in AI-driven systems.

These developments have raised industry concern that the traditional division between defensive software and attack surface is eroding, forcing organizations to revisit long-standing assumptions about where trust begins and ends in their security architectures.

Further technical analysis found that eScan's compromised update channel was used directly to deliver previously unknown malware, effectively weaponizing a trusted distribution path.

Multiple security platforms reportedly detected and blocked attempted attacks associated with the malicious file on the day of its distribution, prompting quick external scrutiny. MicroWorld Technologies told me that the incident was identified internally on January 20 through a combination of monitoring alerts and customer reports, and that the affected infrastructure was isolated within an hour of identification.

The company issued a security advisory the following day, January 21, once the attack was under control and the situation had stabilised. Although cybersecurity firm Morphisec later revealed that it had alerted eScan during its own investigation, MicroWorld maintains that containment was already underway when that communication took place.

The company disputes any suggestion that customers were not informed, citing proactive notifications and direct outreach as part of its remediation process.

The malicious update was delivered through a file called Reload.exe, which set off a multi-stage infection sequence on affected systems.

The researchers who conducted the initial analysis reported that the executable modified the local HOSTS file to block corrective updates from eScan's update servers, which caused update service errors on a number of client machines.

Beyond disrupting updates, the malware established persistence by creating scheduled tasks such as CorelDefrag and maintained communication with external command-and-control infrastructure to retrieve additional payloads.

During infection, a secondary malicious component called consctlx.exe was also written to the system, embedding the threat further. Morphisec, an endpoint security company, provided deeper technical insight into the mechanism and intent of the malicious update distributed through eScan's trusted infrastructure.

According to Morphisec's security bulletin, the compromised update package contained a modified version of the eScan update component Reload.exe, distributed to both enterprise and consumer environments via legitimate update channels.

Although the binary appeared to be signed with eScan's code signing certificate, validation checks by Windows and by independent analysis platforms showed that the signature was not valid, raising concerns about certificate integrity and abuse of trusted signing processes. Morphisec's analysis found that the altered Reload.exe functions as a loader for a multi-stage malware framework.

When executed, the component establishes persistence on infected machines, runs arbitrary commands, and alters the Windows HOSTS file to block access to eScan's update servers, so that eScan cannot deliver a fix through its routine update mechanisms.

The malware also communicated outbound with a distributed command-and-control infrastructure, allowing it to download additional payloads from a variety of domains and IP addresses.

According to Morphisec, the final stage of the attack chain deployed a second executable, CONSCTLX.exe, which acted as both a backdoor and a persistent downloader.

To maintain long-term access, the component created scheduled tasks with benign-sounding names such as CorelDefrag, designed to avoid casual inspection while ensuring execution across restarts.
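
As an added, illustrative check (not MicroWorld's remediation utility or Morphisec's tooling), the following Python parses a HOSTS file image and a trimmed `schtasks /query /fo CSV /v` extract and flags the two behaviours described above: vendor update hostnames pinned to a sinkhole address, and scheduled tasks that match the reported task name or launch the reported secondary binary. The vendor hostname, the task dump and the binary path are constructed placeholders.

```python
"""Host-based checks for the update-blocking and persistence behaviours above.

Added example; not MicroWorld's remediation utility or Morphisec's tooling.
It parses a HOSTS file image and a trimmed `schtasks /query /fo CSV /v`
extract and reports (1) vendor update hostnames pinned in HOSTS, which would
silently break corrective updates, and (2) scheduled tasks matching the name
or the secondary binary reported for this campaign. The vendor hostname, the
task dump and the binary path are CONSTRUCTED placeholders; on a live system
read %SystemRoot%\\System32\\drivers\\etc\\hosts and real schtasks output.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # hosts-sinkhole | hosts-override | task-name | task-action
    detail: str


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and blank lines;
    hostnames are lower-cased so comparisons are case-insensitive."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def hosts_update_blocks(text: str, protected_domains: set[str]) -> list[Finding]:
    """Flag any HOSTS mapping for a protected vendor domain or its subdomains.
    Update servers should never be pinned locally, so every match is reported;
    loopback or 0.0.0.0 targets are labelled as a sinkhole, the pattern that
    stops the vendor from shipping a fix through normal updates."""
    findings = []
    for ip, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in protected_domains):
            continue
        try:
            addr = ipaddress.ip_address(ip)
            sink = addr.is_loopback or addr.is_unspecified
        except ValueError:
            sink = False
        findings.append(Finding("hosts-sinkhole" if sink else "hosts-override",
                                f"{name} -> {ip}"))
    return findings


# Names reported for this campaign (see text), lower-cased for comparison.
SUSPICIOUS_TASK_NAMES = {"coreldefrag"}
SUSPICIOUS_BINARIES = {"consctlx.exe"}


def suspicious_tasks(schtasks_csv: str) -> list[Finding]:
    """Match both the task name and the launched binary, so a task renamed to
    something innocuous that still launches consctlx.exe is also caught."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row["TaskName"].rsplit("\\", 1)[-1].lower()
        action = row["Task To Run"].lower()
        if name in SUSPICIOUS_TASK_NAMES:
            findings.append(Finding("task-name", row["TaskName"]))
        if any(b in action for b in SUSPICIOUS_BINARIES):
            findings.append(Finding("task-action", f"{row['TaskName']}: {row['Task To Run']}"))
    return findings


# Constructed HOSTS image: one vendor host sinkholed to 0.0.0.0 (placeholder domain).
HOSTS_SAMPLE = """# constructed sample, not from a real machine
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.escan-example.invalid   # appended by the tampered updater
10.0.0.5        intranet.corp.example
"""

# Constructed extract with the two columns this check needs. The consctlx.exe
# path is a placeholder; the report does not give the real drop location.
SCHTASKS_SAMPLE = r"""TaskName,Task To Run
\Microsoft\Windows\Defrag\ScheduledDefrag,%windir%\system32\defrag.exe -c -h -o -$
\CorelDefrag,C:\PLACEHOLDER\consctlx.exe /s
\Adobe Acrobat Update Task,C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"""

if __name__ == "__main__":
    for f in hosts_update_blocks(HOSTS_SAMPLE, {"escan-example.invalid"}):
        print(f)
    for f in suspicious_tasks(SCHTASKS_SAMPLE):
        print(f)
```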

In response, MicroWorld Technologies developed a remediation utility intended to identify and reverse the unauthorized changes introduced by the malicious update. The company says the tool restores normal update functionality and verifies a successful cleanup, requiring only a standard reboot to complete.

Both eScan and Morphisec have advised customers to add network-level protections during recovery by blocking the command-and-control endpoints associated with the campaign, to prevent further malicious communication.

The incident has also heightened industry concern about the recurring exploitation of antivirus update mechanisms. In 2024, North Korean threat actors abused eScan’s update process to install backdoors inside corporate networks, illustrating once more that security infrastructure remains one of the most attractive targets for state-sponsored attackers, particularly those seeking large volumes of information.

The breach is part of a wider pattern of consequential supply chain incidents in early 2026, ranging from destructive malware targeting European energy systems to large-scale intellectual property theft and emerging AI-driven attack tactics.

These events also point to a persistent strategic reality: organizations are increasingly dependent on trusted vendors and automated update pipelines, and when that trust is compromised, defensive technologies can themselves become vectors of systemic risk.

Within the industry, the incident is notable for its unusual delivery method. Although software supply chain compromises have been a growing problem in recent years, deploying malware through a security product’s own update channel remains uncommon.

An analysis of the implants involved indicates that a significant amount of preparation has been performed and that the target environment is well known. A successful operation would have required attackers to have acquired access to eScan’s update infrastructure, reverse engineering aspects of its update workflow, and developing custom malware components designed specifically to function within that ecosystem in order to be successful.

Such prerequisites suggest a deliberate, resource-intensive effort rather than a purely opportunistic one. In addition, a technical examination of the implanted components revealed resilience features that were designed to ensure that attacker access would not be impeded under adverse conditions. 

There were multiple fallback execution paths implemented in the malware, so that continuity would be maintained even if individual persistence mechanisms were disrupted. In one instance, the removal of a scheduled task used to launch a PowerShell payload was not sufficient to neutralize the infection, since the CONSCTLX.exe component would also be able to invoke the same functionality. 

Furthermore, blocking the command-and-control infrastructure associated with the PowerShell stage did not completely eliminate an attacker's capabilities, as CONSCTLX.exe retained the ability to deliver shellcode directly to affected systems, as these design choices highlight the importance of operational redundancy, which is one of the hallmarks of well-planned intrusion campaigns. 

Despite the sophistication evident in its preparation, the attack's impact was limited by its relatively short duration and by the operators' choice of techniques.

Because modern operating systems grant security software an elevated level of trust, attackers in this position could in theory have used far more intrusive methods, such as kernel-mode implants.

In this case, however, the attackers relied on user-mode components and commonly observed persistence mechanisms such as scheduled tasks, which constrained the operation's stealth and, according to analysts, contributed to its relatively quick detection and containment.

Notably, the behavioral indicators in eScan's advisory closely match those Morphisec found independently, and both parties rated the incident as medium-to-high impact for the affected enterprise environments. The episode has also exposed tensions between vendor and researcher disclosures.

As reported by Bloomberg News, MicroWorld Technologies has publicly disputed parts of Morphisec's reporting as inaccurate and is understood to be seeking legal advice in response.

Operationally, eScan advised customers to run targeted checks to determine whether their systems were affected: reviewing scheduled tasks for anomalous entries, inspecting the system HOSTS file for entries that block eScan domains, and reviewing update logs from January 20 for irregularities.
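The first two of those checks can be scripted. The Python below is added here as an illustration and is not part of eScan's advisory or remediation tooling: it flags HOSTS entries that sink a vendor domain to a loopback or null address, and scheduled tasks whose action looks like a PowerShell loader rather than a maintenance command. The HOSTS file, the schtasks CSV, the escanav.example hostnames and the "escan" substring match are all constructed for the example; a real check should use the exact update hostnames from the advisory.

```python
import csv
import io
import re

# Constructed sample inputs (not real eScan artefacts): a Windows HOSTS file and
# the CSV produced by `schtasks /query /fo CSV /v`, trimmed to the columns used.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         update.escanav.example   # sinkholed vendor host
127.0.0.1       download.escanav.example
192.0.2.10      intranet.corp.example
"""

SAMPLE_TASKS_CSV = (
    '"HostName","TaskName","Status","Last Run Time","Author","Task To Run"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","1/20/2026 3:00:00 AM",'
    '"Microsoft Corporation","%windir%\\defrag.exe -c -h -o -$"\n'
    '"WS01","\\SysHealthCheck","Ready","1/20/2026 9:00:00 AM","WS01\\SYSTEM",'
    '"powershell.exe -w hidden -nop -enc SQBFAFgA"\n'
)

SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# A PowerShell launch carrying the usual loader tells: hidden window, no
# profile, encoded command, download-and-execute. Tune the list to your estate.
PS_LOADER = re.compile(
    r"powershell(\.exe)?\b.*?(-enc\w*|-e\b|-w(indowstyle)?\s+hidden|-nop\b|"
    r"bypass|downloadstring|\biex\b)",
    re.I,
)


def blocked_vendor_hosts(hosts_text, vendor_keyword="escan"):
    """Return (address, hostname) pairs that sink a vendor domain to loopback/null.

    Substring matching on "escan" is an assumption for illustration; use the
    exact update hostnames from the vendor advisory in production.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if vendor_keyword in name.lower() and addr in SINKHOLE_ADDRS:
                hits.append((addr, name))
    return hits


def suspicious_tasks(tasks_csv):
    """Return (task name, action) for scheduled tasks whose action matches the
    PowerShell loader pattern."""
    reader = csv.DictReader(io.StringIO(tasks_csv))
    return [
        (row["TaskName"], row["Task To Run"])
        for row in reader
        if PS_LOADER.search(row.get("Task To Run", ""))
    ]


if __name__ == "__main__":
    for addr, name in blocked_vendor_hosts(SAMPLE_HOSTS):
        print(f"HOSTS sinkhole: {addr} -> {name}")
    for name, action in suspicious_tasks(SAMPLE_TASKS_CSV):
        print(f"suspicious task: {name}: {action}")
```

On a live host, feed the script the contents of %SystemRoot%\System32\drivers\etc\hosts and the output of schtasks /query /fo CSV /v; a hit on either check is a reason to run the vendor's remediation utility rather than to hand-edit the files, since the page notes that removing a single persistence mechanism did not neutralize this infection.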

The company's remediation utility is available through its technical support channels; it removes the malicious components, reverses unauthorized changes, and restores normal update functionality.

Customers are also advised to block the known command-and-control addresses associated with this campaign as a precaution. The lesson of the incident is that even highly trusted security infrastructure must be continually examined as a potential attack surface in a rapidly changing threat environment.

BadIIS Malware Used in Coordinated Attacks on Asian Web Servers

By the spring of 2025, a quiet, methodical campaign was unfolding across sections of Asia's web infrastructure, one that relied not on loud disruption or overt destruction but on subtle manipulation of trust.

Cisco Talos researchers have found that a Chinese-speaking threat group tracked as UAT-8099 has been systematically compromising vulnerable Microsoft Internet Information Services (IIS) servers that hold established credibility within their regions' digital ecosystems, as part of an ongoing SEO spam campaign.

Rather than compromising every exposed system indiscriminately, the attackers selected high-reputation servers and used their search ranking to manipulate results and generate illicit revenue.

Beyond SEO fraud, UAT-8099 combined this manipulation with deeper post-compromise activity: accessing compromised systems over Remote Desktop Protocol and searching for certificates, credentials, configuration files, and logs, assets that can be reused in follow-on attacks or quietly sold in underground markets.

The case underscores the persistent threat posed by exposed, internet-facing infrastructure, especially where critical services are reachable and vulnerable to compromise. According to Talos, UAT-8099 takes a multifaceted approach: it treats vulnerable IIS servers not merely as entry points but as long-term assets in its criminal workflow.

Having gained access, the group uses these systems to covertly forward mobile search traffic to spam-driven advertising networks and illicit gambling platforms, monetizing the established credibility of well-known organizations.

Meanwhile, the attackers systematically harvest sensitive information held on the servers, including authentication material and internal access records, which may be used in later intrusions or sold on underground markets.

UAT-8099's operational characteristics resemble those of other Chinese-language SEO fraud collectives, including clusters tracked by other security firms as GhostRedirector and CL-UNK-1037. The boundaries between these groups remain indistinct, however, a sign of how financial motivation drives the evolution of this corner of cybercrime.

Operational evidence indicates that the activity, attributed to a China-based threat cluster, has been ongoing since April 2025. The analysis also shows significant parallels with a separate BadIIS campaign that Finnish cybersecurity firm WithSecure tracks as WEBJACK, including similar tooling, command-and-control infrastructure, and victim-selection patterns.

During the recent wave, Talos observed a significant increase in activity against IIS servers in India, Pakistan, Thailand, Vietnam, and Japan, with a particular rise in targeting of Thailand and Vietnam. This geographic focus reflects a refinement of the group's targeting: the attackers prioritize regions where compromised servers can be monetized and held under long-term control.

Technically, Talos notes that UAT-8099's tradecraft has evolved significantly. The group still relies on web shells and network utilities such as SoftEther VPN and EasyTier to maintain access to infected servers, but it has increasingly incorporated red team frameworks and legitimate administrative tools to reduce its footprint and extend its longevity.

Initial access typically comes from exploiting vulnerabilities in IIS environments or misconfigured file upload mechanisms. Once on the host, the attackers conduct reconnaissance to profile it, create hidden user accounts for persistence, and deploy utilities that suppress forensic visibility, disable defensive controls, and enable remote control.

To keep the SEO fraud infrastructure running without interruption, the group adjusts its persistence mechanisms dynamically: when detection measures flag previously used account names, the attackers create alternative hidden accounts.

BadIIS malware is the final stage of the attack chain, and variants have been tailored for regional audiences: one strain was built to target systems in Vietnam, another for Thai environments or Thai-speaking users.

Regardless of these customizations, the malware intercepts and evaluates inbound web traffic, identifies search engine crawlers, and covertly redirects them to fraudulent SEO sites. For ordinary users, particularly those whose browser language settings match the targeted region, it manipulates server responses by injecting malicious scripts.

This twin-path approach lets the operators manipulate search rankings quietly without alerting legitimate visitors, underscoring the group's emphasis on stealth and sustained exploitation.

Although Microsoft Internet Information Services is a foundational component of web infrastructure for organizations across sectors, it remains one of the most easily abused components on the Internet when left unhardened.

When the security controls on an IIS environment are inadequate, it is an easy target for abuse. Threat actors have repeatedly shown that compromised IIS environments can be repurposed to deliver malicious or misleading content to unwitting visitors, effectively turning trusted websites into criminal distribution points.

In recent examples, newly observed malware variants were used primarily to promote online gambling content, although security experts caution that the same technique can readily be applied to large-scale malware delivery or to carefully crafted watering hole attacks aimed at specific audiences.

Unsecured web servers that retain outward signs of legitimacy pose a broader risk than the technical disruption itself. Misuse of a reputable website can erode user confidence and reputation and expose site owners to legal and regulatory scrutiny, especially when the site is found to have played a role in malicious activity. Security practitioners therefore emphasize disciplined server management and proactive defense to reduce these risks.

Key tasks include maintaining a clear inventory of internet-facing assets, applying security updates promptly, and monitoring IIS environments for unexpected modules or for binaries placed in unanticipated locations.

Additional safeguards, such as limiting administrative access, enforcing strong authentication backed by multifactor authentication, and controlling inbound and outbound traffic with firewalls, further hinder an attacker's ability to operate undetected.
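The module check above can be automated against applicationHost.config, where native IIS modules are registered under globalModules. The Python below is an added illustration, not tooling from Talos or Microsoft: it flags any registered module whose name is not in a baseline, whose DLL name differs from the baseline, or whose DLL lives outside the IIS install directory. The config fragment is constructed, the IISCoreHelperModule entry is a made-up name planted for the demo, and the short BASELINE dict stands in for a baseline captured from a known-good server of the same IIS version.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed fragment of applicationHost.config (not from a real incident).
# Two entries are planted: HttpCacheModule pointing outside the IIS install
# directory, and IISCoreHelperModule, a made-up name that mimics the naming
# style of genuine modules.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="HttpCacheModule" image="C:\inetpub\temp\cachhttp.dll" />
      <add name="IISCoreHelperModule" image="%windir%\System32\inetsrv\iiscorehlp.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Expected native modules (name -> DLL file name). This short list is an
# illustration only; build the real baseline from a known-good server or from
# `appcmd list modules` taken at build time.
BASELINE = {
    "HttpLoggingModule": "loghttp.dll",
    "StaticFileModule": "static.dll",
    "DefaultDocumentModule": "defdoc.dll",
    "RequestFilteringModule": "modrqflt.dll",
    "HttpCacheModule": "cachhttp.dll",
}
EXPECTED_DIR = PureWindowsPath(r"%windir%\System32\inetsrv")


def audit_global_modules(config_xml, baseline=BASELINE, expected_dir=EXPECTED_DIR):
    """Return (name, image, reasons) for each <globalModules><add> entry that is
    unknown to the baseline, maps a known name to a different DLL, or loads its
    DLL from outside the IIS install directory."""
    section = ET.fromstring(config_xml).find(".//globalModules")
    findings = []
    for entry in section.findall("add") if section is not None else []:
        name = entry.get("name", "")
        image = entry.get("image", "")
        path = PureWindowsPath(image)
        reasons = []
        if name not in baseline:
            reasons.append("module name not in baseline")
        elif path.name.lower() != baseline[name].lower():
            reasons.append(f"unexpected image {path.name} for {name}")
        if path.parent != expected_dir:  # PureWindowsPath compares case-insensitively
            reasons.append(f"image outside {expected_dir}")
        if reasons:
            findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in audit_global_modules(SAMPLE_CONFIG):
        print(f"{name}: {image}: {'; '.join(reasons)}")
```

Run it against %windir%\System32\inetsrv\config\applicationHost.config on each server; a module that passes the name and path checks can still be malicious if the DLL itself was replaced, so pair this with file hashes or signature verification of every image in the directory.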

Continuous log analysis remains important for minimizing the attack surface of IIS deployments and maintaining their integrity. UAT-8099's activity also has an immediate and tangible impact through the sensitive data it steals from compromised environments.

Once access is secured, the group reinforces its foothold with additional backdoors and commercial-grade post-exploitation frameworks, then collects credentials, configuration files, and digital certificates that support further intrusions or can be monetized through underground channels.

This secondary layer of exploitation turns vulnerable IIS servers into staging points for larger campaigns, extending the risk well beyond the initial compromise and raising the value of the targeted systems. Much of the group's activity nonetheless remains invisible to the affected organizations and to the website's users, making detection and response difficult.

Site owners tend to dismiss external warnings as false positives because the appearance and apparent integrity of a compromised website usually remain unchanged, and no visible change is taken to mean no intrusion.

According to threat intelligence practitioners, this perception gap often undermines remediation, despite national and sector-level efforts to alert organizations to covert compromises. Although the immediate effects may seem abstract or low priority, experts warn that the underlying vulnerabilities being exploited are anything but benign.

The same weaknesses that let attackers silently manipulate content or insert hidden redirects can also be used to inject malicious scripts that harvest session cookies, login credentials, and payment information from legitimate users, exposing organizations to far greater risk than they anticipated.

Analysis of the latest BadIIS variants shows a modular design that supports several operational modes while remaining undetected. In proxy mode, the malware validates request paths and decodes an embedded command-and-control address, which it uses as an intermediary to fetch content from secondary infrastructure and relay it back through IIS.

Responses destined for search engines are modified before they are returned: content is injected directly into response bodies via native IIS APIs, so the traffic looks like legitimate HTTP and delivery is seamless without affecting the server itself.

The malware's SEO fraud capability also relies on large-scale backlink manipulation: using the compromised servers, it presents search engines with HTML link structures intended to artificially inflate rankings for attacker-controlled domains.

An injector mode retrieves JavaScript from remote servers and embeds it in web responses to trigger covert redirections. Hosting the redirect logic externally rather than inside the malware lets the operators switch destinations, localize content by region, and evade signature-based defenses.

A second cluster of BadIIS samples extends these capabilities with additional request-handling mechanisms that enforce redirects at multiple stages of the HTTP lifecycle and support a range of hijacking scenarios, from complete site replacement to selective homepage redirection or path-based proxying.
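Both the crawler-versus-browser split described earlier and the proxy mode above leave a trace in ordinary IIS W3C logs: the same path answers differently depending on who asks, and responses that were fetched from an upstream server take longer. The Python below is an added example, not a Talos detection or anything from BadIIS itself; the log excerpt is constructed, and the crawler User-Agent list and the 5x slowness threshold are assumptions to tune. The default W3C field set does not record Accept-Language, so the language-keyed injection branch is not visible this way.

```python
import re
from collections import Counter, defaultdict

# Constructed IIS W3C log excerpt (not from a real server). IIS writes spaces
# inside fields such as the User-Agent as "+", which keeps split() safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-05-02 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-05-02 00:01:10 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124.0 - 200 0 0 15
2025-05-02 00:01:12 10.0.0.5 GET /index.html - 80 - 198.51.100.9 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 302 0 0 221
2025-05-02 00:01:20 10.0.0.5 GET /about.html - 80 - 203.0.113.8 Mozilla/5.0+(Macintosh)+Safari/605.1 - 200 0 0 12
2025-05-02 00:01:25 10.0.0.5 GET /about.html - 80 - 198.51.100.12 Mozilla/5.0+(compatible;+bingbot/2.0;++http://www.bing.com/bingbot.htm) - 200 0 0 14
2025-05-02 00:02:01 10.0.0.5 GET /index.html - 80 - 198.51.100.10 Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html) - 302 0 0 240
"""

# Assumed crawler identifiers; extend with the engines relevant to your region.
CRAWLER_UA = re.compile(r"googlebot|bingbot|baiduspider|yandex|duckduckbot|coccocbot", re.I)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def cloaking_suspects(text, slow_ratio=5.0):
    """Flag paths where crawlers and browsers get different treatment.

    Two signals: the dominant status code differs between the two populations
    (crawlers redirected while browsers get 200), or crawler responses take far
    longer, which is what a module fetching crawler content from an upstream
    server looks like from the log.
    """
    by_path = defaultdict(lambda: {"crawler": [], "browser": []})
    for rec in parse_w3c(text):
        kind = "crawler" if CRAWLER_UA.search(rec["cs(User-Agent)"]) else "browser"
        by_path[rec["cs-uri-stem"]][kind].append((rec["sc-status"], int(rec["time-taken"])))

    suspects = []
    for path, groups in by_path.items():
        crawlers, browsers = groups["crawler"], groups["browser"]
        if not crawlers or not browsers:
            continue  # need both populations to compare
        c_status = Counter(s for s, _ in crawlers).most_common(1)[0][0]
        b_status = Counter(s for s, _ in browsers).most_common(1)[0][0]
        c_ms = sum(t for _, t in crawlers) / len(crawlers)
        b_ms = sum(t for _, t in browsers) / len(browsers)
        reasons = []
        if c_status != b_status:
            reasons.append(f"status {c_status} for crawlers vs {b_status} for browsers")
        if b_ms > 0 and c_ms / b_ms >= slow_ratio:
            reasons.append(f"crawler responses {c_ms / b_ms:.1f}x slower than browsers")
        if reasons:
            suspects.append({"path": path, "reasons": reasons})
    return suspects


if __name__ == "__main__":
    for s in cloaking_suspects(SAMPLE_LOG):
        print(f"{s['path']}: {'; '.join(s['reasons'])}")
```

The same comparison can be made from outside by requesting a page twice, once with a crawler User-Agent and once with a browser one, and diffing the status, Location header and body; doing it from the logs has the advantage of covering every path the real crawlers actually visited.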

Taken together, these features demonstrate a mature, adaptable framework capable of manipulating search ecosystems and exploiting trusted web infrastructure for long-term abuse without becoming visible to victims. Security experts caution that the campaign highlights one of the most serious risks facing organizations that depend on internet-facing web infrastructure.

IIS servers that have not been properly hardened can gradually become long-term assets for cybercriminal operations without raising immediate operational alarms.

Organizations should therefore reassess the security posture of their web environments and treat reputation and visibility as potential risks rather than safeguards. Proactive patch management, strict access controls, continuous monitoring, and regular integrity checks should be regarded not as best practices but as fundamental requirements.

Campaigns such as UAT-8099's show that the absence of visible disruption does not mean the absence of compromise, and organizations and their users may suffer far more severe outcomes if these silent threats go unaddressed.

GoTo Resolve Tool Mimics Ransomware Tactics in Stealth Attacks

Security researchers have raised alarms over a remote administration tool that can quietly become a stealthy entry point for cybercriminals. The program, detected as HEURRemoteAdmin.GoToResolve.gen, is classified as a Potentially Unwanted Application (PUA) because of the way it conceals its presence and behavior from end users.

The warning comes from the Lat61 Threat Intelligence Team at Point Wild, a data breach prevention firm, which analyzed how the tool can turn a routine IT utility into a serious security liability. According to the report, the application belongs to GoTo Resolve, a legitimate platform formerly known as LogMeIn that is widely used by IT support teams for remote access and troubleshooting.

What makes this case concerning is the tool's ability to install and run "silently," maintaining a persistent foothold without any visible prompts or notifications. Researchers found it in a directory named C:\Program Files (x86)\GoTo Resolve Unattended\, alongside a bundled file called "32000~" that contains hidden instructions for managing the application in the background.

Because it runs unattended, this component creates a new attack surface, much like an unlocked window. Threat actors who hijack the tool could use its background capabilities to move laterally, gather intelligence, or stage a larger compromise without attracting the attention of the user at the keyboard.

The most disturbing link to ransomware tradecraft is the tool's use of the Windows Restart Manager library, RstrtMgr.dll. Past campaigns by groups such as Conti and Cactus, as well as the BiBi wiper, have abused this DLL to terminate processes that might block file encryption or forensic analysis, including antivirus tools and security services. More deceptive still, the software carries a valid digital signature from GoTo Technologies USA, LLC, which lends it an appearance of full legitimacy in the eyes of both users and operating systems.

Experts stress that a trusted signature does not guarantee safe behavior. They warn organizations to treat the tool as a high-risk component unless it is explicitly approved and monitored by the security team, describing its stealthy execution and Restart Manager loading as "dangerous pre-positioning" for future, more destructive attacks.
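One way to act on that advice is to alert on Restart Manager loads by anything outside a known set of installers and servicing processes, regardless of who signed the loader. The Python below is an added example and not code from Point Wild or GoTo: it triages Sysmon Event ID 7 (Image loaded) records and reports the signer without letting it suppress the finding. The records are constructed, agent.exe is a placeholder name (the report names only the directory), and the EXPECTED_LOADERS allowlist is an assumption to replace with your own baseline.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 7 (Image loaded) records, reduced to the fields
# used here. "agent.exe" under the GoTo Resolve Unattended directory is a
# placeholder; the report names only the directory, not the executable.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\RstrtMgr.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files (x86)\GoTo Resolve Unattended\agent.exe",
     "ImageLoaded": r"C:\Windows\System32\RstrtMgr.dll",
     "Signed": "true", "Signature": "GoTo Technologies USA, LLC"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\RstrtMgr.dll",
     "Signed": "false", "Signature": ""},
]

# Processes expected to use Restart Manager on this estate (installers and
# Windows servicing). This allowlist is an assumption; derive it from your own
# baseline, since many legitimate installers load the DLL.
EXPECTED_LOADERS = {"msiexec.exe", "tiworker.exe", "wusa.exe"}


def restart_manager_loads(events, expected_loaders=EXPECTED_LOADERS):
    """Return every RstrtMgr.dll load by a process outside the allowlist.

    The signer is reported for the analyst but deliberately not used to drop
    the finding: a valid signature says who built the binary, not what it does.
    """
    findings = []
    for ev in events:
        if PureWindowsPath(ev["ImageLoaded"]).name.lower() != "rstrtmgr.dll":
            continue
        loader = PureWindowsPath(ev["Image"])
        if loader.name.lower() in expected_loaders:
            continue
        findings.append({
            "process": str(loader),
            "signed": ev.get("Signed") == "true",
            "signer": ev.get("Signature", ""),
        })
    return findings


if __name__ == "__main__":
    for f in restart_manager_loads(SAMPLE_EVENTS):
        tag = f"signed by {f['signer']}" if f["signed"] else "unsigned"
        print(f"RstrtMgr.dll loaded by {f['process']} ({tag})")
```

Because Sysmon's image-load event is noisy, scope the configuration to ImageLoaded ending in RstrtMgr.dll rather than collecting all loads; the allowlist then does the rest, and an approved remote support agent gets added to it only after the security team has reviewed and signed off on its deployment.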