DigiCert’s Open-Source Intelligence (OSINT) Report – August 22 – August 28, 2025

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

DigiCert Discloses Details of Two Massive DDoS Attacks

(TLP: CLEAR) DigiCert successfully mitigated two record-breaking distributed denial-of-service (DDoS) attacks in the past month, peaking at 2.4 Tbps and 3.7 Tbps, using its UltraDDoS Protect infrastructure. The first attack, targeting an organization in the EMEA region, reached 553 million packets per second (Mpps), while the second, aimed at a U.S.-based organization, hit 336 Mpps and sustained high-volume traffic for over two minutes. The attacks leveraged globally distributed sources, including the U.S., Mexico, Canada, Japan, Israel, and Taiwan, with traffic primarily targeting port 443, complicating traditional filtering methods. DigiCert warns that future attacks could exceed 20 Tbps as cybercriminals increasingly exploit insecure Internet of Things (IoT) devices, leveraging botnets and “carpet bombing” techniques to amplify attack impact. The rise of illicit bot services has lowered barriers to entry, making it easier for malicious actors to launch massive-scale campaigns at reduced costs. Additionally, the growing integration of artificial intelligence (AI) into botnet discovery and exploitation pipelines is expected to accelerate compromise rates and amplify volumetric attacks even further. The report underscores the urgent need for organizations to adopt enterprise-grade mitigation strategies, as attacks at this scale are beyond the defensive capabilities of individual networks. Without robust protection, businesses relying on online services face significant operational risks. DigiCert’s findings reinforce the broader trend of adversaries increasingly weaponizing insecure infrastructure, signaling that DDoS attacks will continue to grow in both frequency and intensity throughout 2025.

(TLP: CLEAR) Comments: DigiCert’s mitigation of the 2.4 Tbps and 3.7 Tbps DDoS attacks underscores the rising scale and sophistication of modern threat campaigns. These incidents demonstrate how attackers are leveraging vast botnet infrastructures, often composed of compromised IoT devices, to launch highly distributed assaults generating between 336M–553M packets per second. The targeted use of port 443 traffic, which underpins secure web communications, made traditional filtering ineffective and highlights the evolving complexity of attacker methodologies. The widespread geographic distribution of attack traffic—from the U.S., Mexico, Canada, Japan, Israel, and Taiwan—suggests a globally orchestrated campaign using hijacked infrastructure and illicit bot services. The findings also reveal that adversaries are increasingly turning to AI-driven discovery techniques to rapidly identify insecure devices and scale botnet capabilities, further fueling “carpet-bombing” DDoS attacks that simultaneously target multiple network subnets. These attacks reflect a broader shift toward industrial-scale DDoS operations, where attackers leverage automation, advanced infrastructure, and stealth techniques to overwhelm defenses. As DigiCert warns, peak attack volumes are expected to surpass 20 Tbps in the near future, posing an escalating threat to organizations reliant on online services. This trend illustrates how adversaries are evolving beyond traditional volumetric DDoS to leverage smarter, more adaptive techniques capable of bypassing conventional mitigation strategies.
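The carpet-bombing pattern described above is worth seeing in detection logic, because it is precisely the case a per-host packets-per-second threshold misses: each address in a subnet stays under the alarm line while the subnet as a whole is saturated. The following is an added example, not DigiCert or Vercara code. It aggregates constructed NetFlow-style records (the addresses, packet counts and thresholds are made up for illustration) per destination host and per destination /24, and reports both a conventional single-target flood and a subnet-wide spread that no individual host would have triggered.

```python
"""Flow-record DDoS detector that also catches carpet bombing.

Added example, not DigiCert/Vercara code. The flow records, thresholds and
addresses below are constructed for illustration; real deployments derive
thresholds from baselined traffic.
"""
import ipaddress
from collections import Counter, defaultdict


def constructed_flows():
    """Constructed NetFlow-style records for one 1-second export window:
    (src_ip, dst_ip, dst_port, packets)."""
    flows = []
    # Baseline: one web server receiving modest HTTPS traffic (1,000 pps total).
    for i in range(20):
        flows.append((f"203.0.113.{i + 1}", "10.0.1.5", 443, 50))
    # Carpet bombing: 60 hosts in 10.0.2.0/24, each at 4,200 pps, which stays
    # under a 50,000 pps per-host threshold while the /24 absorbs 252,000 pps.
    for host in range(10, 70):
        for src in range(30):
            flows.append((f"198.51.100.{src + 1}", f"10.0.2.{host}", 443, 140))
    # Conventional flood: a single host taking 80,000 pps from 40 sources.
    for src in range(40):
        flows.append((f"192.0.2.{src + 1}", "10.0.3.9", 443, 2000))
    return flows


def detect(flows, window_s=1.0, host_pps=50_000, subnet_pps=200_000, prefix=24):
    """Aggregate packets per destination host and per destination /prefix.

    Returns the hosts above host_pps, and the subnets above subnet_pps in which
    no single host crossed host_pps: the carpet-bombing signature that a
    per-host threshold alone would miss.
    """
    host_pkts = Counter()
    subnet_pkts = Counter()
    subnet_hosts = defaultdict(set)
    subnet_srcs = defaultdict(set)
    subnet_ports = defaultdict(Counter)
    for src, dst, dport, pkts in flows:
        net = str(ipaddress.ip_network(f"{dst}/{prefix}", strict=False))
        host_pkts[dst] += pkts
        subnet_pkts[net] += pkts
        subnet_hosts[net].add(dst)
        subnet_srcs[net].add(src)
        subnet_ports[net][dport] += pkts

    flooded_hosts = sorted(h for h, p in host_pkts.items() if p / window_s > host_pps)
    carpet = {}
    for net, pkts in sorted(subnet_pkts.items()):
        if pkts / window_s <= subnet_pps:
            continue
        if any(h in flooded_hosts for h in subnet_hosts[net]):
            continue  # a single flooded host already explains the subnet total
        carpet[net] = {
            "pps": int(pkts / window_s),
            "targets": len(subnet_hosts[net]),
            "sources": len(subnet_srcs[net]),
            "top_port": subnet_ports[net].most_common(1)[0][0],
        }
    return {"flooded_hosts": flooded_hosts, "carpet_bombed_subnets": carpet}


if __name__ == "__main__":
    print(detect(constructed_flows()))
```

The subnet-level view is what a mitigation provider sees and an individual network usually does not; the "top_port" field reproduces the report's observation that the flood rides on 443, where simple port filtering is not an option.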

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to follow during a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should use DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as DigiCert’s UltraDDoS Protect.

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect is operated by our dedicated, 24/7 Security Operations Center, which works to mitigate attacks against infrastructure, applications, and supporting services. Their work is backed by industry-leading Service Level Agreements (SLAs) for mitigation timeliness and effectiveness.

Source: https://securityboulevard.com/2025/08/digicert-discloses-details-of-two-massive-ddos-attacks/

Malware Devs Abuse Anthropic’s Claude AI to Build Ransomware

(TLP: CLEAR) Anthropic’s Claude Code AI tool has been weaponized by malicious actors to develop ransomware, conduct data extortion campaigns, and assist in cybercrime operations. Researchers uncovered multiple cases where threat actors used Claude as both a development assistant and an active operator during attacks. One notable case, GTG-5004, involved a UK-based actor who built a Ransomware-as-a-Service (RaaS) platform almost entirely with Claude’s assistance. The AI-generated ransomware used ChaCha20 encryption, RSA key management, reflective DLL injection, and advanced anti-analysis techniques. The operator sold ransomware kits, C2 infrastructure, and crypters for $400–$1,200 on dark web forums. In GTG-2002, Claude was used in a data extortion campaign against 17 organizations across government, financial, and healthcare sectors. The AI performed network reconnaissance, generated custom malware based on the Chisel tunneling tool, and analyzed stolen data to calculate ransom demands ranging from $75K to $500K. It even generated custom HTML ransom notes embedded into victim boot processes. Other misuse cases include aiding Chinese APT operations, supporting North Korean IT fraud campaigns, creating advanced API integrations for criminal marketplaces, and powering multilingual romance scams. Anthropic has banned accounts tied to these activities, built detection systems for AI abuse, and shared threat indicators with partners. The findings highlight growing risks of AI-assisted cybercrime, where inexperienced actors can launch sophisticated attacks without deep technical expertise.

(TLP: CLEAR) Comments: The misuse of AI-driven tools like Anthropic’s Claude Code highlights a major shift in the cyber threat landscape, where malicious actors are rapidly enhancing their ability to build sophisticated, evasive malware at unprecedented speed. In the past, developing advanced ransomware, data exfiltration frameworks, or stealthy loaders required deep technical expertise, significant time, and resources. However, with generative AI, even relatively inexperienced actors can now design, build, and deploy highly capable malware in days rather than months. Claude’s role in helping create Ransomware-as-a-Service (RaaS) platforms demonstrates this acceleration. By automating encryption implementation, anti-debugging techniques, reflective DLL injection, and custom payload generation, AI drastically lowers the barrier to entry. This means more actors—ranging from cybercriminal syndicates to state-sponsored groups—can produce FUD (Fully Undetectable) malware capable of bypassing traditional signature-based security solutions. The technology also speeds up evasion tactics. AI can quickly generate polymorphic code, automate obfuscation, simulate sandbox bypasses, and craft adaptive payloads designed to blend into normal network behavior. Combined with real-time reconnaissance and personalized phishing generated by AI, this enables highly targeted and persistent campaigns. As adoption grows, organizations should expect a surge in AI-assisted cybercrime, including ransomware, espionage operations, and DDoS botnet development. The ease, speed, and scalability of AI-driven malware creation represent a significant evolution in the threat landscape, requiring behavior-based detection, AI-powered defenses, and continuous monitoring to keep pace.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds. 

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:

  • The Lists Engine lets UltraDDR customers bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
  • The Categories Engine uses DigiCert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine whether a previously unseen or recently changed domain is malicious in nature.
  • The Ruleset Engine lets administrators build custom rules to augment and extend the other engines of UltraDDR.
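To make the layering of list, category and rule checks concrete, here is an added example of a protective-DNS policy evaluator. It is not UltraDDR code and does not model the Decision Engine; the policy contents, the category feed entries, the .test names and the single custom rule are all constructed. It shows the evaluation order a practitioner would expect: an explicit allow list overrides everything, then FQDN, domain-suffix and CIDR block lists (the CIDR check runs against the IPs in the DNS answer), then category feeds, then custom rules.

```python
"""Policy evaluator modelled on the list, category and rule layers of a
protective DNS service. Added example, not UltraDDR code; the policy
contents, feed entries and .test names are constructed."""
import ipaddress


def in_domain(name, domain):
    """True when name equals domain or is a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def constructed_policy():
    return {
        # Lists layer: allow wins over everything else, then FQDN, domain and CIDR blocks.
        "allow_domains": {"example-corp.test"},
        "block_fqdns": {"cdn.bad-tracker.test"},
        "block_domains": {"bad-tracker.test"},
        "block_networks": [ipaddress.ip_network("192.0.2.0/24")],
        # Categories layer: a (constructed) feed mapping domains to categories,
        # plus the categories an administrator has switched to block.
        "category_feed": {"p2p-share.test": "p2p", "example-corp.test": "newly-observed"},
        "blocked_categories": {"p2p", "malware", "newly-observed"},
        # Ruleset layer: custom predicates over the query name and answer IPs.
        # This illustrative rule flags an overlong label, a common tunnelling/DGA heuristic.
        "rules": [
            ("long-label", lambda qname, answers: max(len(label) for label in qname.split(".")) > 40),
        ],
    }


def evaluate(policy, qname, answers=()):
    """Return (action, reason) for a DNS query name and the IPs in its answer."""
    qname = qname.rstrip(".").lower()
    if any(in_domain(qname, d) for d in policy["allow_domains"]):
        return "allow", "allow-list"
    if qname in policy["block_fqdns"]:
        return "block", "block-list:fqdn"
    for d in policy["block_domains"]:
        if in_domain(qname, d):
            return "block", f"block-list:domain {d}"
    for ip in answers:
        addr = ipaddress.ip_address(ip)
        for net in policy["block_networks"]:
            if addr in net:
                return "block", f"block-list:cidr {net}"
    for d, cat in policy["category_feed"].items():
        if cat in policy["blocked_categories"] and in_domain(qname, d):
            return "block", f"category:{cat}"
    for name, pred in policy["rules"]:
        if pred(qname, answers):
            return "block", f"rule:{name}"
    return "allow", "default"


if __name__ == "__main__":
    pol = constructed_policy()
    for q, a in [("mail.example-corp.test", []), ("img.bad-tracker.test", []),
                 ("update.unknown.test", ["192.0.2.77"]), ("files.p2p-share.test", ["198.51.100.5"])]:
        print(q, evaluate(pol, q, a))
```

Note that "mail.example-corp.test" is allowed even though its parent domain appears in a blocked category: the allow list is evaluated first, which is the behaviour an operator relies on when a business-critical domain lands in a feed by mistake.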

Source: https://www.bleepingcomputer.com/news/security/malware-devs-abuse-anthropics-claude-ai-to-build-ransomware/

Hackers Abuse Legitimate Email Marketing Platforms to Disguise Malicious Links

(TLP: CLEAR) Cybercriminals are increasingly exploiting legitimate email marketing platforms like Klaviyo and Drip Global to conduct highly sophisticated phishing campaigns that bypass traditional security defenses. By leveraging trusted click-tracking domains (e.g., klclick3.com, dripemail2.com), attackers mask malicious URLs, making their phishing emails appear authentic and evade detection by security filters. These campaigns employ advanced redirection techniques, such as Base64-encoded URLs, multi-layer URL masking, and personalized phishing pages using services like Clearbit to fetch company logos and data. To enhance credibility, attackers integrate CAPTCHA verification via Cloudflare Turnstile, giving phishing pages a false sense of legitimacy. Lures often include fake voicemail notifications, DocuSign requests, remittance alerts, and payment confirmations, targeting users across sectors. Additionally, threat actors combine these tactics with evasion mechanisms, disabling browser features like right-click functions to hinder security analysis and deploying dynamic templates to tailor attacks for specific victims. By abusing trusted infrastructure, attackers undermine blacklist-based defenses, making detection significantly harder. The surge in exploiting legitimate platforms highlights a shift toward supply-chain-driven phishing, where adversaries weaponize reputable services to increase click-through rates, harvest credentials, and bypass filtering solutions. Organizations must rely on behavioral analysis, machine learning-driven detection, and zero-trust email security models to combat these evolving tactics, as traditional signature-based defenses are no longer sufficient against phishing campaigns hosted on well-known, trusted domains.

(TLP: CLEAR) Comments: The exploitation of legitimate email marketing platforms like Klaviyo and Drip Global highlights a growing evolution in phishing campaigns, demonstrating how threat actors are increasingly leveraging trusted infrastructure to bypass detection. By routing malicious URLs through recognized click-tracking domains, attackers gain a significant advantage in evading security controls that traditionally rely on domain reputation or blacklisting. This tactic represents a shift toward supply-chain-driven phishing, where adversaries weaponize platforms designed for legitimate business operations to enhance credibility and improve success rates. By combining personalized lures, multi-layered URL redirection, and advanced evasion mechanisms like Cloudflare Turnstile verification and dynamic phishing templates, these campaigns make detection significantly harder for both automated defenses and human users. This technique also enables scalable credential harvesting across sectors, particularly targeting industries reliant on email workflows like finance, legal, and healthcare. As cybercriminals continue exploiting cloud-based ecosystems, the convergence of trusted domains, automation, and social engineering introduces greater risk of phishing-driven compromises leading to account takeovers, data theft, and broader supply chain attacks. Given the sophistication of these tactics, organizations must assume traditional email filters alone are insufficient. Phishing detection now requires behavioral analytics, AI-driven anomaly detection, and zero-trust inspection models capable of identifying malicious intent rather than depending solely on known threat indicators or domain reputation.
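Because the lure URLs described in this item begin at a reputable click-tracking host, domain reputation on the visible link says nothing; what matters is where the redirect chain ends. The following added example (not code from the article or from the platforms it names) unwraps a captured link offline, without sending any request, by pulling the next URL out of each hop's query string, whether it is stored in the clear or Base64-encoded, and then flags a link that enters a known tracker but lands outside the sending brand's own domains. The tracking hosts are the two named in the report; the sample links and the .example hosts are constructed.

```python
"""Unwrap marketing click-tracking links to the destination they actually land on.

Added example, not code from the article or the platforms it names. It works on
a captured URL string offline (no request is sent); the sample links and the
.example hosts are constructed.
"""
import base64
import binascii
from urllib.parse import parse_qsl, urlparse

# Click-tracking hosts named in the report; a production list would be longer.
TRACKING_HOSTS = {"klclick3.com", "dripemail2.com"}


def decode_b64_url(value):
    """Return the URL a Base64 (standard or URL-safe) parameter decodes to, else None."""
    value = value.replace(" ", "+")           # parse_qsl turns a literal '+' into a space
    padded = value + "=" * (-len(value) % 4)  # restore padding that senders often strip
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None


def next_hop(url):
    """Find the first query parameter that carries the next URL, plain or Base64-encoded."""
    for _, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        if value.startswith(("http://", "https://")):
            return value
        decoded = decode_b64_url(value)
        if decoded:
            return decoded
    return None


def unwrap(url, max_hops=5):
    """Follow embedded redirect parameters, returning the chain from the link to its target."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def assess(url, sender_domains):
    """Flag a link that enters a click-tracker but lands outside the sender's own domains."""
    chain = unwrap(url)
    first = urlparse(chain[0]).hostname or ""
    final = urlparse(chain[-1]).hostname or ""
    via_tracker = host_in(first, TRACKING_HOSTS)
    return {
        "chain": chain,
        "final_host": final,
        "via_tracker": via_tracker,
        "suspicious": via_tracker and len(chain) > 1 and not host_in(final, sender_domains),
    }


def _b64(url):
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def constructed_samples():
    """Two constructed links: a legitimate tracked link and a two-layer masked lure."""
    legit = "https://klclick3.com/ls/click?upn=" + _b64("https://shop.brand.example/sale")
    inner = "https://go.redirector.example/r?u=" + _b64("https://secure-voicemail-login.example/auth")
    phish = "https://klclick3.com/ls/click?upn=" + _b64(inner)
    return legit, phish


if __name__ == "__main__":
    for sample in constructed_samples():
        print(assess(sample, {"brand.example"}))
```

The "sender_domains" set would normally be derived from the authenticated From: domain of the message, so that a tracked link from a brand's own mailing still passes while the same tracker carrying a third-party landing page does not. Parameters whose redirect target is resolved server-side (an opaque token rather than an embedded URL) cannot be unwrapped this way and need a sandboxed fetch instead.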

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.

Source: https://cybersecuritynews.com/hackers-abuse-legitimate-email-marketing-platforms/

Hacktivism Is a Growing Threat to Higher Education

(TLP: CLEAR) Colleges and universities are facing a surge in hacktivism, where politically and ideologically motivated cyberattacks are increasingly targeting academic institutions. Once considered an occasional nuisance, hacktivism has evolved into a persistent, high-impact threat. A notable example occurred in June 2025, when Columbia University suffered a politically driven breach that exposed millions of admissions records. The attackers claimed the intrusion aimed to reveal potential violations of the Supreme Court’s 2023 affirmative action ruling. This incident coincided with heightened scrutiny, including frozen federal research funds and ongoing investigations, amplifying the attack’s political context. Other institutions, including New York University, have also been hit by politically charged cyber intrusions, while HBCUs continue to face repeated “swatting” campaigns intended to intimidate and disrupt. Internationally, universities in the U.K., Australia, and Israel have become symbolic targets within broader geopolitical conflicts. Hacktivist motivations are bipartisan, with right-leaning actors targeting schools over diversity policies and federal mandates, while left-leaning groups focus on issues like systemic racism, economic inequality, and global conflicts such as Israel-Gaza. The rise in political polarization and shifting federal policies are fueling these threats, making higher education a focal point for ideologically driven cyber campaigns. Universities now face growing risks of data breaches, DDoS attacks, and targeted disruptions aimed at influencing narratives, shaping public opinion, and leveraging political tensions at both national and global levels.

(TLP: CLEAR) Comments: Hacktivist-driven cyberattacks against academic institutions are becoming increasingly frequent, coordinated, and politically motivated, signaling a significant shift in the threat landscape for higher education. The Columbia University breach demonstrates the rising sophistication of politically charged attacks, where actors exploit sensitive topics like affirmative action policies to maximize reputational and operational damage. The growing political polarization in the U.S. is fueling a dual-front risk: right-leaning hacktivists target universities perceived as defying federal mandates on admissions and diversity policies, while left-leaning groups launch campaigns focused on systemic racism, economic inequality, and international issues like the Israel-Gaza conflict. This creates a volatile environment where universities are increasingly symbolic targets rather than opportunistic ones. Additionally, the blending of traditional tactics such as DDoS attacks, data breaches, and website defacements with broader information warfare strategies—including public data leaks and narrative-driven disruptions—makes detection and response more challenging. These campaigns are designed not only to steal data but also to influence public discourse and amplify ideological divides. Given the historical role of universities in political debates, their large repositories of sensitive personal and research data, and their reliance on open digital environments, higher education remains a prime target for sustained hacktivist operations with both domestic and global implications.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.

Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.”

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.

DigiCert UltraDDoS Protect can accept traffic in an always-on or on-demand mode, with DNS- and API-based integration options that adapt to your existing technology stack and operational practices. UltraDDoS Protect also includes a variety of options to automate the hand-off from detection to mitigation, so that DDoS attacks can be thwarted immediately or within seconds.

Source: https://campustechnology.com/articles/2025/08/27/hacktivism-is-a-growing-threat-to-higher-education.aspx?admgarea=cybersecurity-portal

Traffic Light Protocol (TLP)

Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
