DigiCert’s Open-Source Intelligence (OSINT) Report – April 17 – April 23, 2026


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

“Hackers can now launch massive 2Tbps attacks”: Report reveals staggering 10x growth in botnet size with record-breaking DDoS incidents

(TLP: CLEAR) The TechRadar report, citing data from Qrator Labs, highlights a significant escalation in the scale, capacity, and architectural sophistication of modern distributed denial-of-service (DDoS) campaigns, driven by rapid botnet expansion and evolving attack strategies. The largest observed botnet grew from approximately 1.33 million to 13.5 million compromised devices within a year, a tenfold increase that lets attackers generate record-breaking traffic volumes exceeding 2 Tbps. These attacks are no longer short-lived bursts; instead, they can sustain high throughput for extended periods (over 40 minutes), with repeated traffic spikes exceeding 1 Tbps, indicating that attackers adjust attack parameters dynamically during execution to keep the target down.

Technically, the attacks are increasingly multi-vector, combining volumetric network-layer floods (L3/L4, e.g., UDP/TCP) with application-layer (L7, e.g., HTTP) techniques within a single campaign. The proportion of such hybrid attacks has risen noticeably, reflecting a shift toward layered attack orchestration that complicates detection and mitigation by overwhelming both bandwidth capacity and application logic simultaneously. Attack telemetry also shows a surge in automated malicious traffic (“bad bots”), with billions of requests per month and prolonged campaigns lasting weeks, underscoring the blending of DDoS activity with broader automated abuse such as scraping and account takeover attempts.

(TLP: CLEAR) Comments: A key architectural evolution is the adoption of decentralized command-and-control (C2) mechanisms, such as the Aeternum loader leveraging the Polygon blockchain to distribute instructions via smart contracts. This removes traditional centralized infrastructure, eliminating single points of failure and making botnet takedown significantly more difficult. The control channel is not invisible, however: a bot still has to query a Polygon RPC endpoint to read the contract state, and an IoT device making JSON-RPC calls to public blockchain gateways is an egress anomaly worth alerting on. Additionally, the global geographic distribution of infected devices, spanning the United States, Brazil, India, the UK and other regions, reduces the effectiveness of IP-based filtering and geo-blocking. Overall, the report illustrates a transition toward highly scalable, resilient, and adaptive botnet ecosystems capable of sustained, high-bandwidth, multi-layered DDoS operations. These developments reflect an ongoing arms race in which attackers leverage massive IoT/device compromise, decentralized control channels, and real-time attack tuning to outpace traditional mitigation, necessitating more automated, distributed, and behavior-based defensive approaches.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA) publication “VOLUMETRIC DDOS AGAINST WEB SERVICES TECHNICAL GUIDANCE”: “Agencies should select a provider that has the capacity to scale and withstand large volumetric DDoS attacks. Agencies should also understand their role and the role of the provider if targeted by a DDoS attack. Note the two consumption models previously identified for DDoS mitigation services – always-on and on-call/on-demand. In an always-on model, all traffic always passes through the mitigation provider’s service (which may add latency if the distance between the customer internet circuit and mitigation service is high). Always-on can provide instant protection, but agencies should always validate time-to-mitigation of any proposed solution. The on-demand consumption model only sends traffic to scrubbing centers when directed to do so via human intervention during an attack. Agencies must communicate with their provider to understand which protections are available, the protections that are included in the existing contracts, and those offered à la carte. For services that require manual activation, agencies must understand each organization and individual’s roles, as well as develop, maintain, and test the activation procedures for best response.”

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15 Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://www.techradar.com/pro/hackers-can-now-launch-massive-2tbps-attacks-report-reveals-staggering-10x-growth-in-botnet-size-with-record-breaking-ddos-incidents-peaking-for-40-minutes-as-multi-vector-attacks-grow-in-complexity-and-become-harder-to-dismantle 

Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet

(TLP: CLEAR) The article from The Hacker News describes an active IoT-focused botnet campaign in which a Mirai malware variant named Nexcorium exploits known command-injection vulnerabilities—primarily CVE-2024-3721—in TBK DVR devices (notably DVR-4104 and DVR-4216 models) to gain unauthorized remote access and deploy malicious payloads. The infection chain begins with exploitation of the vulnerability to execute a downloader script, which retrieves and launches architecture-specific binaries, enabling the malware to run across diverse Linux-based embedded systems. Once executed, Nexcorium initializes a configuration table using XOR obfuscation, establishes persistence through mechanisms such as cron jobs and systemd services, and connects to command-and-control (C2) infrastructure to receive instructions for distributed denial-of-service (DDoS) attacks.

Technically, Nexcorium closely follows the modular design patterns of classic Mirai variants, incorporating components for scanning, exploitation, persistence, and attack execution. It expands laterally by leveraging both embedded exploits—such as CVE-2017-17215 targeting Huawei HG532 routers—and brute-force techniques using hard-coded credential lists over Telnet to compromise additional devices within a network. This dual propagation strategy (vulnerability exploitation plus credential abuse) increases infection rates and botnet scale. The malware supports multiple DDoS vectors, including UDP, TCP, and SMTP floods, and can remove its original binary post-infection to evade detection while maintaining long-term control of compromised systems.
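Two of the behaviours described above are cheap to hunt for on a Linux or embedded host: a process whose binary has been unlinked after launch (the kernel marks `/proc/<pid>/exe` with “(deleted)”), and cron or systemd persistence that launches something from a world-writable staging directory. The following triage script is an added example written for this report, not code from the Nexcorium analysis; the staging directories, the cron download-and-pipe pattern, and the sample files used to exercise it are assumptions, and the paths are parameters so it can be pointed at a mounted image as well as a live `/proc`.

```python
"""Host triage for Mirai-style persistence and self-deleting binaries.

Added example (not from the Nexcorium report). Looks for processes whose
executable has been unlinked from disk and for cron/systemd entries that run
a binary out of a staging directory. Staging dirs and patterns are assumptions.
"""
import os
import re
from pathlib import Path

# Directories IoT droppers commonly stage payloads in (assumption, tune per estate).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/run/")

# ExecStart=/path, allowing systemd's special prefixes (@ - : + !) before the path.
_EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost)\s*=\s*[-@:+!]*(\S+)", re.M)
# "wget ... | sh" style one-liners typical of botnet downloader cron entries.
_PIPE_RE = re.compile(r"\b(wget|curl)\b.*\|\s*(sh|bash)\b")


def find_deleted_exe_processes(proc_root="/proc"):
    """Return sorted [(pid, original_path)] for processes whose on-disk binary is gone."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, process already exited, or no privilege
        if target.endswith(" (deleted)"):
            hits.append((int(entry), target[: -len(" (deleted)")]))
    return sorted(hits)


def find_suspicious_systemd_units(unit_dirs):
    """Return [(unit_path, exec_path)] for units that start a binary from a staging dir."""
    hits = []
    for d in unit_dirs:
        for unit in sorted(Path(d).glob("*.service")):
            try:
                text = unit.read_text(errors="replace")
            except OSError:
                continue
            for exe in _EXEC_RE.findall(text):
                if exe.startswith(STAGING_DIRS):
                    hits.append((str(unit), exe))
    return hits


def find_suspicious_cron_lines(cron_paths):
    """Return [(file, line)] for crontab lines using a staging path or a download-and-pipe."""
    hits = []
    for p in cron_paths:
        try:
            lines = Path(p).read_text(errors="replace").splitlines()
        except OSError:
            continue
        for line in lines:
            s = line.strip()
            if not s or s.startswith("#"):
                continue
            if any(d in s for d in STAGING_DIRS) or _PIPE_RE.search(s):
                hits.append((str(p), s))
    return hits


if __name__ == "__main__":
    for pid, path in find_deleted_exe_processes():
        print(f"[deleted-exe] pid={pid} was {path}")
    for unit, exe in find_suspicious_systemd_units(["/etc/systemd/system", "/usr/lib/systemd/system"]):
        print(f"[systemd] {unit} -> {exe}")
    cron_files = ["/etc/crontab", *Path("/etc/cron.d").glob("*"), *Path("/var/spool/cron/crontabs").glob("*")]
    for f, line in find_suspicious_cron_lines(cron_files):
        print(f"[cron] {f}: {line}")
```

A deleted-executable hit on an embedded device is not proof of compromise on its own (package upgrades leave the same trace on long-running daemons), so pair it with the persistence findings and with outbound Telnet scanning from the same host before acting.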

(TLP: CLEAR) Comments: The campaign also highlights broader ecosystem risks, including concurrent probing of other vulnerabilities such as CVE-2023-33538 in end-of-life TP-Link routers, emphasizing how outdated or unpatched IoT devices remain highly susceptible to exploitation. Even when some exploitation attempts are flawed, the presence of real, unpatched vulnerabilities—combined with default credentials—creates viable entry points for attackers. Overall, Nexcorium exemplifies the continued evolution of Mirai-based botnets: leveraging publicly known exploits, multi-architecture payloads, and robust persistence techniques to build scalable DDoS infrastructure from insecure and legacy IoT deployments.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Source address spoofing is often combined with reflection and amplification from poorly administered open internet servers (e.g., DNS, NTP) to multiply the attack traffic volume by a factor of 50 or more. The attacker may use a single high-capacity computer with a high bandwidth internet connection or a botnet consisting of many compromised devices to send query requests to high-performance internet servers. The attacking systems employ source address spoofing, which inserts the IP address of the target as the source address in the requests. For internet services that use the User Datagram Protocol (UDP) (e.g., DNS, NTP), the query and response are each contained in a single packet, and the exchange does not require the establishment of a connection between the source and the server (unlike Transmission Control Protocol (TCP)). The responses from such open internet servers are directed to the attack target since the target’s IP address was forged as the source address field of the request messages. Often, the response from the server to the target address is much larger than the query itself, amplifying the effect of the DoS attack. Such reflection and amplification attacks can result in massive DDoS with attack volumes in the range of hundreds of Gbps.”

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is incredibly fast response against DDoS trouble when you need it most.

Source: https://thehackernews.com/2026/04/mirai-variant-nexcorium-exploits-cve.html 

ZionSiphon Malware Targets Water Infrastructure Systems

(TLP: CLEAR) The Infosecurity Magazine article describes ZionSiphon as a newly identified, operational-technology (OT)-focused malware strain engineered to target industrial control systems (ICS) used in water treatment and desalination environments, with a particular emphasis on Israeli infrastructure. The malware combines conventional host-based techniques such as privilege escalation, persistence mechanisms, and propagation via removable media with specialized logic to identify and interact with OT systems. It performs environmental validation by checking both geographic indicators (hardcoded Israeli IP ranges) and system-specific artifacts (processes and files associated with desalination and water treatment operations), ensuring that its payload activates only on intended targets.

Once deployed in a qualifying environment, ZionSiphon conducts local network reconnaissance to discover ICS devices and attempts protocol-level communication using industrial standards such as Modbus, DNP3, and S7comm. Its core objective appears to be manipulation of physical processes: the malware includes routines to modify configuration parameters tied to chlorine dosing and water pressure, indicating an intent to disrupt or potentially sabotage water treatment operations. Additionally, it can scan subnet devices, tamper with configuration files, and propagate laterally through USB media, reflecting a multi-vector approach to persistence and spread within segmented OT networks.
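The protocol-level behaviour described above is exactly what an OT network monitor should be able to see: Modbus/TCP has no authentication, so the only place to catch a setpoint change is in the frame itself. The following parser and policy check is an added example written for this report, not code from the ZionSiphon analysis; the register map (holding register 0 as a chlorine dose setpoint, register 1 as a pressure setpoint), the allow-list of engineering hosts and the sample frames are all constructed assumptions.

```python
"""Parse Modbus/TCP requests and flag writes to protected process registers.

Added example (not from the ZionSiphon report). Register map, allow-list and
sample traffic are constructed; real plants differ.
"""
import struct
from dataclasses import dataclass

# Function codes that change PLC state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Hypothetical register map: protocol address -> tag (assumption).
PROTECTED_REGISTERS = {0: "CHLORINE_DOSE_SETPOINT", 1: "PUMP_PRESSURE_SETPOINT"}
# Hypothetical allow-list of hosts permitted to write setpoints (assumption).
ALLOWED_WRITERS = {"10.10.5.20"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: int
    count: int      # coils/registers touched (1 for single writes)
    values: tuple   # register values for FC 6/16, coil states for FC 5/15, () for reads


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the request PDU for the common read/write functions."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header plus a minimal PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:          # length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc in (1, 2, 3, 4):                # reads: start address, quantity
        addr, qty = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(tid, unit, fc, addr, qty, ())
    if fc == 6:
        addr, val = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(tid, unit, fc, addr, 1, (val,))
    if fc == 5:
        addr, val = struct.unpack(">HH", pdu[1:5])
        return ModbusRequest(tid, unit, fc, addr, 1, (val == 0xFF00,))
    if fc in (15, 16):
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        data = pdu[6:]
        if len(data) != nbytes:
            raise ValueError("byte count does not match payload")
        if fc == 16:
            if nbytes != 2 * qty:
                raise ValueError("byte count inconsistent with register quantity")
            return ModbusRequest(tid, unit, fc, addr, qty, struct.unpack(f">{qty}H", data))
        bits = int.from_bytes(data, "little")          # coil i is bit i, LSB first
        return ModbusRequest(tid, unit, fc, addr, qty, tuple(bool(bits >> i & 1) for i in range(qty)))
    raise ValueError(f"unsupported function code {fc}")


def check_request(src_ip: str, frame: bytes) -> list:
    """Return alert strings for one request; an empty list means no finding."""
    req = parse_modbus_tcp(frame)
    alerts = []
    if req.function not in WRITE_FUNCTIONS:
        return alerts
    touched = range(req.start_address, req.start_address + req.count)
    hit_tags = [PROTECTED_REGISTERS[a] for a in touched if a in PROTECTED_REGISTERS]
    if src_ip not in ALLOWED_WRITERS:
        alerts.append(f"{src_ip}: {WRITE_FUNCTIONS[req.function]} from non-allow-listed host")
    if hit_tags:
        alerts.append(f"{src_ip}: write to protected tag(s) {hit_tags} values={req.values}")
    return alerts


def build_write_single(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Construct an FC 6 request (used for the constructed sample traffic)."""
    pdu = struct.pack(">BHH", 6, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample: a legitimate read from the engineering host, then a
# setpoint write from an unknown host.
SAMPLE_TRAFFIC = [
    ("10.10.5.20", struct.pack(">HHHB", 1, 0, 6, 1) + struct.pack(">BHH", 3, 0, 2)),
    ("10.10.9.77", build_write_single(2, 1, 0, 900)),
]

if __name__ == "__main__":
    for ip, frame in SAMPLE_TRAFFIC:
        for alert in check_request(ip, frame):
            print(alert)
```

Run this over a span port or a tap on the OT segment rather than on the PLC itself; a write from an allow-listed host can still be the attacker if that host is the one ZionSiphon landed on, so the protected-tag alert should fire regardless of source and be reconciled against the change-management record.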

(TLP: CLEAR) Comments: The analyzed samples show that ZionSiphon is still immature and partially non-functional. Researchers observed flaws in its geographic validation logic and incomplete or ineffective implementations for certain industrial protocols, suggesting the malware is either under development or experimental. Despite these limitations, the campaign is significant because it demonstrates a shift toward purpose-built malware targeting critical infrastructure, blending ideological or geopolitical motivations with technical attempts to manipulate cyber-physical systems rather than merely exfiltrate data or conduct traditional IT-focused attacks.

(TLP: CLEAR) Recommended best practices/regulations: RFC 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.

(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP Top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.

Source: https://www.infosecurity-magazine.com/news/zionsiphon-malware-water/ 

New GoGra malware for Linux uses Microsoft Graph API for comms

(TLP: CLEAR) The BleepingComputer article details a newly observed Linux variant of the Go-based GoGra backdoor attributed to the Harvester espionage group, which leverages legitimate Microsoft cloud infrastructure for stealthy command-and-control (C2) operations. Initial infection relies on social engineering, where victims are tricked into executing ELF binaries disguised as benign documents (e.g., PDFs). A dropper then deploys the payload and establishes persistence using systemd services and XDG autostart entries while masquerading as legitimate system components, enabling long-term access on compromised Linux hosts.

A defining technical characteristic of GoGra is its abuse of the Microsoft Graph API in conjunction with Outlook mailboxes to create a covert C2 channel that blends with normal enterprise traffic. The malware uses hardcoded Azure Active Directory credentials to obtain OAuth2 tokens and continuously polls a specific mailbox folder (e.g., “Zomato Pizza”) using OData queries at short intervals. It filters for emails with predefined subject markers (such as “Input”), decrypts their AES-CBC and base64-encoded contents to extract commands, executes them locally, and exfiltrates results by replying with encrypted “Output” messages. To minimize forensic traces, it deletes processed command emails via API calls, effectively using legitimate SaaS infrastructure as a bidirectional tasking and exfiltration mechanism.
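The C2 pattern above leaves a signature even though every request is a legitimate, authenticated Graph call: one application identity reads a single mail folder on a fixed timer and deletes what it has just read, which no human mail client does. The script below is an added example written for this report, not code from the GoGra analysis; the record layout is a constructed, simplified stand-in for whatever Graph or Exchange audit source an organisation actually collects (field names are assumptions), and the thresholds are starting points, not tuned values.

```python
"""Flag mailbox polling that looks like a Graph API tasking channel.

Added example (not from the GoGra write-up). Records are constructed and the
field names are assumptions; the detection logic is the point: machine-regular
reads of one folder by one app identity, followed by deletion of messages.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone


def _rec(ts, app_id, user, op, folder):
    return {"ts": ts, "app_id": app_id, "user": user, "op": op, "folder": folder}


# Constructed sample. App "a1" polls one folder every 10 s and deletes what it read;
# "outlook" is a person reading mail at irregular intervals.
SAMPLE_RECORDS = [
    _rec("2026-04-20T09:00:00Z", "a1", "ops@example.com", "ListMessages", "Zomato Pizza"),
    _rec("2026-04-20T09:00:10Z", "a1", "ops@example.com", "ListMessages", "Zomato Pizza"),
    _rec("2026-04-20T09:00:20Z", "a1", "ops@example.com", "ListMessages", "Zomato Pizza"),
    _rec("2026-04-20T09:00:30Z", "a1", "ops@example.com", "ListMessages", "Zomato Pizza"),
    _rec("2026-04-20T09:00:31Z", "a1", "ops@example.com", "DeleteMessage", "Zomato Pizza"),
    _rec("2026-04-20T09:00:40Z", "a1", "ops@example.com", "ListMessages", "Zomato Pizza"),
    _rec("2026-04-20T09:00:50Z", "a1", "ops@example.com", "ListMessages", "Zomato Pizza"),
    _rec("2026-04-20T09:00:00Z", "outlook", "bob@example.com", "ListMessages", "Inbox"),
    _rec("2026-04-20T09:03:00Z", "outlook", "bob@example.com", "ListMessages", "Inbox"),
    _rec("2026-04-20T09:15:00Z", "outlook", "bob@example.com", "ListMessages", "Inbox"),
    _rec("2026-04-20T09:16:00Z", "outlook", "bob@example.com", "DeleteMessage", "Inbox"),
    _rec("2026-04-20T09:16:00Z", "outlook", "bob@example.com", "ListMessages", "Inbox"),
    _rec("2026-04-20T09:40:00Z", "outlook", "bob@example.com", "ListMessages", "Inbox"),
    _rec("2026-04-20T09:41:00Z", "outlook", "bob@example.com", "ListMessages", "Inbox"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_polling(records, min_events=5, max_median_interval=60.0, max_jitter=0.25):
    """Return {(app_id, user): finding} for sequences that look like tasking channels.

    Criteria: at least min_events ListMessages calls against exactly one folder,
    a median gap of at most max_median_interval seconds, a coefficient of
    variation of the gaps below max_jitter (timer-driven, not human), and at
    least one DeleteMessage after the first read (clean-up of consumed tasking).
    """
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["app_id"], r["user"])].append(r)
    findings = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: parse_ts(r["ts"]))
        reads = [r for r in recs if r["op"] == "ListMessages"]
        deletes = [r for r in recs if r["op"] == "DeleteMessage"]
        folders = {r["folder"] for r in reads}
        if len(reads) < min_events or len(folders) != 1 or not deletes:
            continue
        if parse_ts(deletes[0]["ts"]) < parse_ts(reads[0]["ts"]):
            continue
        times = [parse_ts(r["ts"]).timestamp() for r in reads]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        med = statistics.median(gaps)
        if med <= max_median_interval and cv <= max_jitter:
            findings[key] = {"folder": folders.pop(), "reads": len(reads),
                             "deletes": len(deletes), "median_gap_s": med, "jitter": round(cv, 3)}
    return findings


if __name__ == "__main__":
    for (app, user), f in score_polling(SAMPLE_RECORDS).items():
        print(f"{app} as {user}: polls '{f['folder']}' every ~{f['median_gap_s']:.0f}s, "
              f"{f['reads']} reads, {f['deletes']} deletes, jitter {f['jitter']}")
```

Because GoGra authenticates with hardcoded application credentials, the same tenant should also review service-principal sign-ins for that app ID: a Linux host in a user subnet obtaining tokens for Mail.ReadWrite on a registered application is a second, independent signal that does not depend on the polling cadence.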

(TLP: CLEAR) Comments: Code analysis shows that the Linux variant shares near-identical logic, encryption routines, and even implementation artifacts with its Windows counterpart, strongly indicating a unified cross-platform codebase maintained by the same developer. This reuse highlights an evolution toward multi-platform espionage tooling and demonstrates how attackers are increasingly exploiting trusted cloud services to bypass traditional perimeter defenses. Overall, GoGra exemplifies a shift toward “living-off-trusted-services” C2 design, where malware communications are embedded in legitimate API traffic, significantly complicating detection and response in modern enterprise environments.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2), and machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Source: https://www.bleepingcomputer.com/news/security/new-gogra-malware-for-linux-uses-microsoft-graph-api-for-comms/ 

Over 10,000 Zimbra servers vulnerable to ongoing XSS attacks

(TLP: CLEAR) A cross-site scripting (XSS) vulnerability, tracked as CVE-2025-48700, in the Zimbra Collaboration Suite (ZCS) is being actively exploited in the wild, with more than 10,000 internet-exposed servers remaining vulnerable. The flaw affects multiple versions (8.8.15, 9.0, 10.0, and 10.1) and allows unauthenticated attackers to execute arbitrary JavaScript within a victim’s webmail session by delivering a specially crafted email. Critically, the exploit requires no additional user interaction beyond viewing the email in the Zimbra Classic UI, making it highly effective for phishing-style attacks and session hijacking.

The vulnerability stems from insufficient sanitization of HTML content, enabling script injection through malicious email bodies. Once triggered, attackers can access sensitive information, including authentication tokens and mailbox data, effectively compromising user accounts. Due to its severity and active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and mandated that federal agencies remediate affected systems within a short deadline, highlighting the urgency of patching.
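The root cause named above, insufficient sanitization of HTML mail bodies, is the class of bug an allow-list sanitizer is built to prevent: rather than trying to enumerate dangerous constructs, it emits only tags and attributes it knows are safe and drops everything else, including script bodies and any URL whose scheme is not on a short list. The sanitizer below is an added example written for this report, not Zimbra’s code or its patch for CVE-2025-48700; the allowed tag and attribute sets are assumptions chosen for plain email rendering, and the remedy for the actual flaw remains the vendor patch.

```python
"""Allow-list HTML sanitiser for rendering untrusted email bodies.

Added example (not Zimbra's code or its patch). Everything not explicitly
allowed is dropped: unknown tags, all on* handlers, style, and href/src values
whose scheme is not http, https or mailto. Allowed sets are assumptions.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li", "a", "img",
                "div", "span", "blockquote", "table", "tr", "td", "th"}
VOID_TAGS = {"br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose text content is dropped together with the tag.
RAW_TEXT_TAGS = {"script", "style", "iframe", "object", "embed", "svg", "math"}


def _safe_url(value):
    # HTMLParser has already decoded entities, so "&#106;avascript:" arrives as "javascript:".
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.suppress = 0  # > 0 while inside a raw-text element being dropped

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.suppress += 1
            return
        if self.suppress or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.suppress = max(0, self.suppress - 1)
            return
        if self.suppress or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.suppress:
            self.out.append(html.escape(data, quote=False))

    # Comments, doctype and CDATA declarations fall through to the default no-op handlers.


def sanitize_html(untrusted: str) -> str:
    """Return a rendering-safe subset of the input; never the input itself."""
    p = _Sanitizer()
    p.feed(untrusted)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # Constructed sample resembling a crafted message body.
    body = ('<p>Invoice attached</p><script>fetch("/steal?c="+document.cookie)</script>'
            '<img src="x" onerror="alert(1)"><a href="javascript:alert(2)">open</a>')
    print(sanitize_html(body))
```

This tokenizer-based approach is adequate to show the control, but a production mailer should serialize from a real DOM (so that unbalanced tags cannot change the nesting the browser sees) and should use a maintained sanitizer library rather than a hand-written one; the point is that the allow-list, not a denylist of known bad strings, is what makes the outcome predictable.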

(TLP: CLEAR) Comments: Telemetry from Shadowserver indicates that over 10,500 unpatched Zimbra instances remain exposed online, with the highest concentrations in Europe and Asia, suggesting a broad and globally distributed attack surface. The campaign also reflects a recurring pattern: Zimbra XSS vulnerabilities have historically been leveraged in espionage operations by state-backed threat actors (e.g., APT28 and APT29) to harvest emails and credentials from government and enterprise targets. Overall, the ongoing exploitation of CVE-2025-48700 underscores persistent weaknesses in email platform security, particularly the risks posed by client-side vulnerabilities that can be weaponized through simple phishing delivery mechanisms.

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. “While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. “WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”

(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, sits in front of web applications to protect them against a variety of attacks such as SQLi, XSS, and CSRF. It also integrates bot protections to stop bots and application-layer DDoS attacks.

Source: https://www.bleepingcomputer.com/news/security/cisa-says-zimbra-flaw-now-exploited-over-10k-servers-vulnerable/ 

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
