DigiCert’s Open-Source Intelligence (OSINT) Report – February 27 – March 5, 2026

OCRFix Botnet Trojan Leveraging ClickFix Phishing and EtherHiding to Conceal Blockchain-Based Command Infrastructure 

(TLP: CLEAR) OCRFix is a newly discovered botnet campaign that combines social engineering with blockchain-based infrastructure to compromise machines while evading detection. Victims are lured to a fake website impersonating the legitimate Tesseract OCR tool through SEO poisoning, a YouTube video, and even ChatGPT recommendations. Once on the site, a fake CAPTCHA silently copies a malicious PowerShell command to the victim’s clipboard, which they are tricked into running themselves. This downloads and executes a malicious MSI file, after which victims are quietly redirected to the real Tesseract GitHub page, so nothing seems out of the ordinary. The malware operates in three stages: the first fetches attacker instructions from a blockchain smart contract, the second establishes persistence by creating a high-privilege scheduled task and bypassing Windows Defender, and the third collects system information and reports it back to the attacker’s control panel. Cyrillic comments in the panel’s source code suggest the operators may be Russian, though this is unconfirmed. The most technically notable aspect of the campaign is its use of EtherHiding, which involves storing command-and-control addresses inside smart contracts on the BNB blockchain. Because the blockchain cannot be taken down, attackers can update their instructions at any time, making traditional blocking methods ineffective. Defenders are advised to restrict PowerShell access, enable script logging, train staff to recognize fake CAPTCHA prompts, and monitor for unusual outbound connections to public blockchain nodes.

(TLP: CLEAR) Comments: The OCRFix campaign represents a meaningful evolution in how threat actors are layering well-known techniques to create something significantly harder to detect and disrupt. What makes this campaign particularly notable is not the invention of new methods, but the deliberate and effective combination of existing ones. ClickFix-style clipboard injection has been around long enough to be documented and trained against, yet its pairing with a convincing typosquatting site, SEO poisoning, and blockchain-based infrastructure transforms a relatively simple social engineering trick into a resilient and sophisticated attack chain. The use of LLM poisoning is arguably the most concerning development highlighted in this report. The fact that ChatGPT was observed recommending the malicious site suggests that attackers are now actively thinking about how AI tools fit into the modern user’s research workflow and exploiting that trust accordingly. As more people turn to AI assistants for software recommendations and technical guidance, this attack surface will only grow, and it represents a challenge that neither security teams nor AI developers have fully addressed yet. The adoption of EtherHiding beyond its previously observed North Korean threat actor context signals that blockchain-based command infrastructure is maturing into a broadly available technique rather than a niche capability. This is a significant shift. Traditional defenses rely heavily on the ability to take down or block attacker-controlled servers, and that option simply does not exist when instructions are embedded in a public blockchain. Security teams need to start treating outbound connections to public blockchain nodes as an inherently suspicious signal, since there is virtually no legitimate business reason for most endpoints to be communicating with them.

Overall, OCRFix is a strong indicator of where commodity malware campaigns are heading, toward greater operational resilience, abuse of trusted platforms, and exploitation of emerging technologies like AI and blockchain to stay one step ahead of defenders.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.

Source: https://cybersecuritynews.com/ocrfix-botnet-trojan-leveraging-clickfix-phishing-and-etherhiding/

Angular SSR Request Vulnerability Allows Attackers to Trick Applications into Sending Unauthorized Requests 

(TLP: CLEAR) A critical security vulnerability tracked as CVE-2026-27739 has been discovered in Angular’s Server-Side Rendering (SSR) framework, classified as a Server-Side Request Forgery (SSRF) flaw. The root cause lies in how Angular reconstructs URLs using HTTP headers. Specifically, the framework blindly trusts the Host and X-Forwarded-* headers without validating whether they originate from a legitimate source. Additionally, Angular fails to sanitize these headers for special characters or verify that port values are numeric, opening the door to malformed URI construction and injection attacks. If successfully exploited, the vulnerability enables two primary attack paths. The first involves manipulating the application’s base origin so that its internal HTTP client resolves requests to attacker-controlled servers. The second involves redirecting traffic through unsafe URL construction using unvalidated request headers. In practical terms, this means attackers could intercept sensitive credentials such as authorization headers and session cookies, probe internal networks, and access internal services or cloud metadata endpoints that would otherwise be completely hidden from the public internet. The Angular team has responded by releasing patched versions, specifically 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21, and organizations are strongly urged to upgrade immediately. For those unable to patch right away, the recommended workaround is to avoid using request headers for URL construction entirely, relying instead on hardcoded absolute URLs with trusted base API paths. Given the potential for full confidentiality breaches, prompt remediation should be treated as a high priority for any organization running Angular SSR in production.

(TLP: CLEAR) Comments: CVE-2026-27739 highlights a fundamental trust issue that is surprisingly common in modern web frameworks, where internally generated or reconstructed values are treated as inherently safe without sufficient validation. The fact that Angular’s SSR implementation of blindly trusted user-controlled headers like Host and X-Forwarded-Host is particularly concerning because these headers are trivially easy for an attacker to manipulate. This is not a novel class of vulnerability; SSRF has been well understood for years, which makes its presence in a widely adopted framework like Angular even more noteworthy. What elevates the severity of this flaw beyond a typical SSRF finding is the server-side rendering context in which it exists. SSR applications by nature handle sensitive data on the server, including session tokens, API credentials, and internal service communications, meaning that any successful redirection of requests carries a much higher potential for damage than it would in a purely client-side context. The ability to reach cloud metadata endpoints is especially alarming in modern cloud-native deployments, as these endpoints frequently expose instance credentials that can be leveraged for full cloud environment compromise. The presence of this vulnerability also raises broader questions about how framework developers approach header validation as a security concern versus a functional one. In many development workflows, headers like X-Forwarded-Host are treated primarily as infrastructure conveniences for load balancers and proxies, and their security implications are often underweighted during design and code review. This incident serves as a reminder that any value originating outside the application’s own trusted boundary must be validated rigorously before being used in URL construction or request routing. From a remediation standpoint, the advice to rely on hardcoded absolute URLs rather than dynamically constructing them from request headers reflects a sound secure-by-default principle. Organizations that cannot patch immediately should treat this workaround as urgent rather than optional, particularly those running Angular SSR in cloud environments or behind internal microservice architectures where the blast radius of a successful SSRF attack is significantly amplified.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious—even more so if it contains binary data.”

(TLP: CLEAR) DigiCert: Digicert’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

Source: https://cybersecuritynews.com/angular-ssr-request-vulnerability/

Researchers Uncover Aeternum C2 Infrastructure with Advanced Persistence and Network Evasion Features 

(TLP: CLEAR) Aeternum C2 is a newly discovered botnet loader that fundamentally challenges the traditional method of dismantling botnets by storing all command-and-control instructions directly on the Polygon blockchain rather than on conventional servers or domains. Because blockchain infrastructure is replicated across thousands of nodes worldwide, there is no single server to seize or domain to suspend, rendering the takedown strategies that law enforcement used against major operations like Emotet, TrickBot, and QakBot essentially ineffective. The loader is written in native C++, available in both 32-bit and 64-bit builds and is being sold openly on underground forums as either a lifetime licensed build or as full source code with ongoing updates. Operationally, the attacker manages everything through a web-based control panel, where commands are published to smart contracts on the Polygon network and picked up by infected machines through public RPC endpoints within two to three minutes. The system supports multiple simultaneous contracts, each tied to different malicious functions such as stealers, clippers, remote access tools, and miners. Adding to its resilience, Aeternum includes anti-virtual machine detection to block analysis in sandboxed environments, and a built-in scanner showed that major antivirus engines including CrowdStrike, Avast, and ClamAV failed to flag it at the time of testing. The operational costs are remarkably low, with just one dollar worth of MATIC tokens covering over a hundred command transactions and no server or domain expenses required. Even if all infected machines were cleaned up, the operator’s smart contracts remain intact, and a full redeployment could happen immediately. Security teams are advised to focus on endpoint behavioral monitoring, strict application controls, and evaluating whether outbound connections to known Polygon RPC endpoints can be restricted at the network edge.

(TLP: CLEAR) Comments: Aeternum C2 represents a genuinely disruptive shift in botnet architecture, and its implications deserve serious analytical attention beyond the technical details alone. What makes this loader particularly significant is not just that it uses blockchain for command and control, but that it has packaged that capability into a commercially available product with negligible operating costs. The barrier to entry for running a resilient, takedown-proof botnet has effectively collapsed, and that democratization of capability is arguably more consequential than the technology itself. Threat actors who previously lacked the infrastructure expertise or financial resources to maintain a durable botnet operation can now acquire one for the cost of a software license. From a DDoS perspective, Aeternum’s architecture is especially alarming. Traditional DDoS botnets depend on centralized or semi-centralized command infrastructure to coordinate attack timing, target selection, and volume. Disrupting that infrastructure, whether through takedowns, null-routing, or law enforcement action, has historically been one of the most reliable ways to neutralize a large-scale DDoS campaign mid-flight. Aeternum removes that option entirely. An operator running a DDoS campaign through blockchain-based commands can sustain coordinated, high-volume attacks indefinitely without any risk of losing command capability. Even if defenders identify and sinkhole thousands of infected machines, the operator simply issues redeployment instructions through the same immutable smart contract, rebuilds the attack fleet, and resumes within minutes. The two-to-three-minute command propagation time is more than fast enough to dynamically retarget attacks, shift attack vectors, or rotate between UDP floods, HTTP floods, and application-layer attacks in near real time. The multi-contract architecture further amplifies the DDoS threat. Because operators can run separate smart contracts simultaneously, each tied to a different function, a single Aeternum deployment could theoretically segment its botnet into specialized attack layers. One contract could manage volumetric flood traffic while another handles application-layer slowloris attacks, and a third coordinates amplification relay nodes, all running in parallel with no shared infrastructure that defenders can target. This kind of layered, simultaneous multi-vector DDoS attack is already considered among the hardest to mitigate, and Aeternum’s architecture makes sustaining it dramatically easier and cheaper than before. The low-cost dimension cannot be overstated in the DDoS context specifically. DDoS-for-hire services have long been a commodity market, but they depend on the service operator maintaining infrastructure that can be disrupted. A threat actor using Aeternum to build their own DDoS capability bypasses that dependency entirely, owning the full attack chain at near zero marginal cost per command. For critical infrastructure operators, financial institutions, and large-scale online platforms that are already primary DDoS targets, this represents a meaningful escalation in the threat landscape that traditional infrastructure-level defenses are simply not designed to handle.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Detection Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected” Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time such as Digicert’s UltraDDoS Protect.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices, inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.

Digicert UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.

Source: https://cybersecuritynews.com/researchers-uncover-aeternum-c2-infrastructure/

British organizations urged to be alert to threat of Iranian cyberattacks 

(TLP: CLEAR) Following a joint U.S. and Israeli air campaign that killed Iran’s Supreme Leader Ayatollah Ali Khamenei and other senior officials, the UK’s National Cyber Security Centre (NCSC) has issued an advisory urging British organization to review and strengthen their cyber defenses. While the NCSC assessed that there is likely no significant immediate change in the direct cyber threat from Iran to the UK, it emphasized that the fast-evolving nature of the conflict means that assessment could change rapidly. The warning comes as Iran responded to the strikes with missile and drone attacks across the region, including a suspected Iranian drone strike on a Royal Air Force base in Cyprus. The NCSC highlighted a heightened risk of indirect cyber threats for organizations with a presence or supply chains in the Middle East, noting that both Iranian state actors and state-aligned groups maintain meaningful cyber capabilities. UK Prime Minister Keir Starmer confirmed that British armed forces did not participate in the strikes against Iran, though British jets are actively intercepting Iranian strikes and UK bases are being used by U.S. forces to target Iranian missile sites, a level of involvement that could still make British interests a target for retaliatory cyber activity. The NCSC’s advisory included practical guidance for organizations to reduce their exposure, with particular emphasis on critical national infrastructure operators preparing for and responding to severe cyber threats. The warning aligns with a broader pattern of concern, as the NCSC had previously echoed a U.S. government assessment from last year describing an elevated risk from Iranian state-sponsored threat actors against critical infrastructure. Organizations with any exposure to the Middle East region, whether through operations, partnerships, or supply chains, are being urged to treat the current period as one of elevated vigilance.

(TLP: CLEAR) Comments: The NCSC advisory reflects a broader reality that cyber conflict rarely respects geographic boundaries in the way conventional military operations do. History consistently shows that state-sponsored cyber actors, particularly Iranian ones, do not limit retaliatory operations to the immediate theater of conflict. Groups like APT33, APT34, and Charming Kitten have demonstrated a sustained capacity to conduct operations across Europe and North America, meaning Western organizations should not interpret the absence of an immediate escalation warning as a signal to stand down. Supply chain exposure is one of the most underappreciated cyber risk vectors in geopolitical conflict scenarios. An organization headquartered in London with a logistics partner, software vendor, or cloud service provider operating in the Middle East carries inherited risk that its own internal defenses cannot fully address. This concern is further validated by the DigiCert Cyber Threat Intelligence team, which released a dedicated threat alert reinforcing that the conflict carries serious implications well beyond the Middle East. The convergence of both the NCSC and DigiCert issuing warnings in close succession reflects a broad consensus that the ripple effects in cyberspace are likely to be wide-reaching and sustained. Beyond state-sponsored activity, the current conflict is highly likely to energize hacktivist DDoS groups who align their targeting with geopolitical narratives. Groups such as Anonymous Sudan, Killnet, and various pro-Iranian hacktivist collectives have a well-documented pattern of rapidly mobilizing DDoS campaigns in response to major geopolitical events, and the killing of Iran’s Supreme Leader represents exactly the kind of high-profile trigger that historically galvanizes these actors. These groups frequently coordinate through Telegram channels, announcing targets publicly and recruiting volunteers to amplify attack volume, meaning campaign mobilization can happen within hours rather than days. Ultimately, the compounding effect of state-sponsored operations, supply chain exploitation, and opportunistic hacktivist DDoS campaigns creates a threat environment that is broader and faster moving than any single advisory can fully capture. Organizations should treat the current guidance as a floor rather than a ceiling for defensive action.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those located within NATO and allies, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures.

(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://therecord.media/iran-britain-cyber-threats-warning

Escalating Iranian APT Threats Against Critical Infrastructure Amid Geopolitical Conflict 

(TLP: CLEAR) Following the outbreak of open conflict between Iran, Israel, and the United States through Operation Lion’s Roar, a coordinated strike targeting Iranian military and nuclear installations, the cyber domain has rapidly emerged as an active and consequential battleground alongside the physical conflict. Iran has responded not only with missile and drone strikes across the Gulf region but through a systematic increase in state-affiliated cyber activity, with Nozomi Networks analysts observing a notable surge in Iranian-linked APT activity over the past two weeks. The Manufacturing and Transportation sectors have emerged as the most frequently targeted industries in this early phase. Four key Iranian threat groups are currently driving this surge. MuddyWater, operating on behalf of Iran’s Ministry of Intelligence and Security, focuses on espionage against government, energy, and telecommunications targets globally. OilRig, also known as APT34, targets financial services, defense contractors, and energy organizations through spear-phishing and credential harvesting. APT33 operates across aerospace, aviation, energy, and government sectors with a history of both espionage and potentially disruptive operations. UNC1549 focuses on defense, aerospace, and telecommunications entities aligned with Iran’s broader geopolitical priorities. Current observed attack techniques suggest adversaries are in an early reconnaissance and positioning phase, with default credential abuse, brute force attacks, valid account exploitation, and network scanning dominating detections. This indicates attackers are quietly mapping target environments to identify high-value assets before advancing to more destructive stages. The exposure level in the Middle East is particularly elevated, with 61% of detected vulnerabilities carrying high or critical severity scores, well above the global average of 48%. Organizations are urged to activate continuous monitoring, update Iranian APT threat intelligence signatures on a rolling basis, change default credentials across all assets particularly OT and IoT devices, and establish clear IT and OT network segmentation. The current reconnaissance window represents a critical opportunity for defenders to intervene before attackers successfully escalate privileges or cause operational disruption.

(TLP: CLEAR) Comments: Operation Lion’s Roar and its aftermath represent a pivotal moment in the evolution of hybrid warfare, where the boundaries between physical and digital conflict have become effectively indistinguishable. What is particularly striking is the speed at which Iranian cyber actors have mobilized alongside conventional military responses. The systematic increase in APT activity observed by Nozomi Networks within just two weeks of the conflict’s outbreak confirms that Iranian cyber operations are not an afterthought to physical military strategy, they are a deeply integrated and pre-planned component of it. The targeting of Manufacturing and Transportation sectors in this early phase is analytically significant. These sectors sit at the intersection of economic output and logistical dependency, meaning that successful disruption creates cascading effects that extend far beyond the immediate target. Iranian threat actors appear to understand this leverage point well, and their sector targeting reflects a sophisticated understanding of where cyber operations can generate disproportionate strategic impact without crossing thresholds that might trigger a more direct military response. The reconnaissance and positioning phase currently underway is perhaps the most critical window for defenders to act, yet it is also historically the phase that receives the least attention. Organizations tend to mobilize defenses in response to visible damage rather than early indicators of intrusion, and Iranian APT groups have consistently demonstrated the patience to spend weeks in quiet reconnaissance before executing disruptive payloads. The dominance of default credential abuse and brute force techniques in current detections suggests that fundamental hygiene failures remain widespread enough to serve as reliable entry points even for sophisticated actors. The vulnerability landscape amplifies all these concerns considerably. With 61% of detected vulnerabilities in the Middle East carrying high or critical severity scores compared to a global average of 48%, Iranian threat actors are operating against a structurally more exposed target environment. Organizations outside the region should not consider themselves insulated, as supply chain and partner ecosystem exposure may be creating inherited vulnerabilities that internal security postures alone cannot compensate for.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented or detected and addressed.

An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. The deployed anti-malware solution(s): 

• Detects all known types of malware. 
• Removes, blocks, or contains all known types of malware.

Any system components that are not at risk for malware are evaluated periodically to include the following: 

• A documented list of all system components not at risk for malware. 
• Identification and evaluation of evolving malware threats for those system components. 
• Confirmation whether such system components continue to not require anti-malware protection.

The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Section 5.2 lays out requirements for malware detection and blocking across all devices in the Cardholder Data Environment. Every device inside of the CDE should have malware protection that is updated, monitored, and actions taken when an infection is detected.

Critical Infrastructure and Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.”

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 2 modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.

Digicert UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is incredibly fast response against DDoS trouble when you need it most.

Source: https://cybersecuritynews.com/escalating-iranian-apt-threats-against-critical-infrastructure/

US Banks on High Alert for Cyberattacks as Iran War Escalates 

(TLP: CLEAR) The U.S. financial services industry has moved to a heightened state of alert following the killing of Iranian Supreme Leader Ali Khamenei and the outbreak of open conflict between the U.S. and Iran. Financial firms are stepping up monitoring and reinforcing operational resilience measures in anticipation of potential Iran-linked cyberattacks, with industry executives describing the threat as likely rather than merely possible. SIFMA, a major financial industry group, emphasized that the sector remains vigilant and ready to respond, particularly given that financial services operate critical U.S. infrastructure including payments, clearing and settlement systems, trading platforms, and Treasury markets. A U.S. intelligence assessment reported by Reuters indicates that Iran-aligned hacktivists could conduct low-level cyberattacks against U.S. networks, with DDoS attacks identified as a probable near-term threat vector. This assessment is consistent with historical patterns, as the FS-ISAC’s 2025 report identified financial services as the top target of DDoS attacks in 2024, with the Hamas-Israel and Russia-Ukraine conflicts fueling a significant surge in hacktivist activity. Credit rating agency Morningstar DBRS warned that while the most significant risks to global banks may be indirect through sustained oil price increases and borrower shocks, cyber risks could also rise materially, with Iran potentially increasing attacks against Western financial institutions. U.S. investment bank Lazard’s geopolitical advisory team echoed these concerns, noting Iran’s demonstrated willingness to deploy cyber capabilities against commercial and financial targets. While the financial sector has not suffered a major disruption from a hostile attack in recent memory, smaller scale incidents have caused real damage, most notably a 2023 ransomware attack on the U.S. broker-dealer unit of the Industrial and Commercial Bank of China that disrupted settlement of U.S. Treasury trades. FS-ISAC confirmed it is actively coordinating with relevant parties to ensure the global financial ecosystem has continuous access to the latest intelligence and protective guidance. 

(TLP: CLEAR) Comments: The financial services sector’s elevated posture in response to the U.S.-Iran conflict is both appropriate and telling. The fact that senior banking officials are describing cyberattacks as likely rather than merely possible reflects a level of threat confidence that goes beyond routine geopolitical caution. When industry leadership speaks in those terms publicly, it signals that private intelligence assessments are painting a considerably more serious picture than what is being shared openly. The identification of DDoS attacks as the most probable near-term threat vector is analytically consistent with how Iran-aligned actors have historically responded to geopolitical escalation. DDoS campaigns offer a low-cost, high-visibility mechanism for demonstrating retaliatory capability without crossing thresholds that would invite a direct kinetic response. For hacktivist groups operating in ideological alignment with Iran, targeting Western financial institutions carries significant symbolic weight. The FS-ISAC finding that financial services was already the top DDoS target in 2024 driven by Middle Eastern conflicts suggests the current escalation will accelerate that trend considerably. What makes the current environment particularly complex is the layered nature of the threat landscape financial institutions are navigating simultaneously. Beyond direct DDoS disruption, Iranian state-sponsored actors have demonstrated sophisticated capabilities in destructive malware deployment, credential harvesting, and supply chain infiltration. The 2023 ransomware attack on the Industrial and Commercial Bank of China’s U.S. broker-dealer unit serves as a stark reminder that even a single successful intrusion into a systemically important financial entity can generate disruption that ripples across Treasury markets and settlement infrastructure far beyond the initial point of compromise. The convergence of state-sponsored APT activity, ideologically motivated hacktivist DDoS campaigns, and broader market instability creates a threat environment that is genuinely more complex than any single threat category suggests in isolation. The true test will come not in the preparation phase but in whether industry coordination translates into rapid, effective response when attacks materialize, as current intelligence strongly suggests they will.

(TLP: CLEAR) Recommended best practices/regulations: Critical Infrastructure and Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.”

(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premises hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Digicert’s array of DDoS Protection services include blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.

Source: https://www.teiss.co.uk/news/news-scroller/us-banks-on-high-alert-for-cyberattacks-as-iran-war-escalates-17178 

Iran War Prompts U.S. Hospitals to Prep for Potential DDoS Attacks 

(TLP: CLEAR) Health-ISAC has issued a warning to healthcare organizations nationwide about the elevated risk of cyberattacks stemming from U.S. military strikes on Iran, noting that threats are more likely to come from loosely aligned hacktivist groups than directly from the Iranian state itself. While Health-ISAC is not currently aware of specific credible campaigns targeting U.S. healthcare, history shows that major military escalations are consistently accompanied by surges in DDoS activity and hacktivist operations. A confirmed example has already emerged, with a hospital in Israel reporting that an internet-facing IoT system was compromised by pro-Iranian hacktivists. Public-facing systems including clinical websites, patient portals, VPNs, and internet-exposed IoT and OT devices supporting clinical operations are identified as the most likely targets. Health-ISAC Chief Security Officer Errol Weiss outlined three key recommended steps for healthcare organizations. The first is to validate and enhance DDoS protections with ISPs, content delivery networks, and cloud providers. The second is to take inventory of and harden all internet-facing systems, with a particular focus on identity security given that attackers frequently gain access through stolen credentials. The third is to rehearse downtime and incident response procedures for essential clinical services, ensuring that manual workflows for registration, patient check-ins, scheduling, and medication administration are well documented, tested, and accessible to staff. The stakes in healthcare are uniquely high given that cyber disruptions can directly compromise patient care, with even a four-hour outage from a DDoS attack creating genuine operational risk for hospitals unable to access electronic health records or patient portals. CloudWave’s Brian Lamberger echoed the call for pragmatic vigilance, cautioning organizations not to let unverified social media claims from hacktivist groups drive panic, but equally not to mistake online noise for safety. Legislative support may also be on the way, with the Health Care Cybersecurity and Resiliency Act advancing through the Senate this week.

(TLP: CLEAR) Comments: The Health-ISAC advisory highlights a threat dynamic that is particularly consequential in the healthcare context, where the stakes of operational disruption extend directly into patient safety rather than remaining in the realm of financial or reputational damage. The confirmation that a hospital in Israel already had an internet-facing IoT system compromised by pro-Iranian hacktivists within days of the conflict’s escalation is a significant data point, as it demonstrates that the threat has already moved beyond warning into active execution, and Western healthcare organizations should treat that precedent seriously. The emphasis on hacktivist groups rather than direct state-sponsored actors is analytically important. Hacktivist collectives operate with a speed and ideological flexibility that state actors cannot always match publicly, and they frequently serve as a first wave of disruptive activity that precedes more sophisticated state-sponsored operations. Groups like CyberAv3ngers have already demonstrated a specific interest in healthcare and industrial control systems, and the current geopolitical environment provides exactly the kind of motivational trigger that accelerates their operational tempo significantly. The IoT and OT exposure dimension deserves particular attention in the healthcare context. Medical environments are densely populated with internet-connected devices that were designed for clinical functionality rather than security, and many operate on outdated firmware with no viable patching pathway. These devices represent a structurally vulnerable attack surface that DDoS and hacktivist groups are increasingly aware of and willing to exploit, as compromising a single internet-facing clinical device can create cascading disruption across interconnected hospital systems. The advice to rehearse downtime procedures reflects a mature understanding that cyber resilience in healthcare is ultimately a clinical operations problem as much as a technology problem. Organizations that treat incident response as an IT function rather than a hospital-wide discipline will find themselves dangerously underprepared when disruption materializes. The current threat environment makes that preparation not optional but urgent.

(TLP: CLEAR) Recommended best practices/regulations: Department of Health and Human Services Fact Sheet: Ransomware and The Health Information Portability and Accountability Act (HIPAA): “The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of these required security measures include:

• Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks.
• Implementing procedures to guard against and detect malicious software.
• Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections.

• Implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

Critical Infrastructure and Security Agency (CISA) publication “Additional DDoS Guidance for Federal Agencies”: “Many ISPs have DDoS protections, but a dedicated DDoS protection service would likely provide more robust protections against larger or more advanced DDoS attacks. Agencies should evaluate current defenses against DDoS, verify DDoS protections are in place, and consider implementing more robust protections if the agency determines its current protections may be lacking.”

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 2 modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.

Digicert UltraDDoS Protect delivers DDoS mitigation and protection with competitive pricing tailored to your budget. Secure and reliable, it defends your online assets against DDoS threats, offering a flexible range of solutions for any organizational need.

Source: https://www.healthcareitnews.com/news/iran-war-prompts-us-hospitals-prep-potential-ddos-attacks

DDoS and Website Defacement Might Increase on US Networks Says DHS 

(TLP: CLEAR) As tensions between the United States, Israel, and Iran have escalated sharply, the conflict has extended well beyond conventional military operations into the cyber domain. Reports indicate that cyberattacks have already targeted critical Iranian infrastructure, disrupting elements of the country’s power grid and telecommunications networks, demonstrating how modern warfare increasingly blends physical and digital tactics with widespread consequences for civilian systems and economic stability. In response, the U.S. Department of Homeland Security has issued an advisory urging both public and private sector organizations to strengthen their cybersecurity defenses against a range of potential retaliatory threats. These include website defacement, phishing campaigns, ransomware attempts, and DDoS attacks. While such attacks may not always cause lasting structural damage, they can undermine public confidence, interrupt business operations, and create significant operational confusion across critical sectors including energy, finance, healthcare, and transportation. Security experts caution that Iranian-linked cyber actors are likely to pursue retaliatory measures, though these may not resemble large-scale sophisticated campaigns. Instead, analysts anticipate smaller-scale intrusions, opportunistic attacks on vulnerable networks, and lone wolf operations carried out by individuals sympathetic to Iran’s position. Cyber warfare is particularly attractive in this context because it offers a low-cost, deniable method of retaliation that can be launched remotely with ambiguous attribution, allowing nations to signal strength and cause disruption without escalating to open armed conflict. While Iran may not match the United States in conventional military capacity, it has a demonstrated track record of conducting disruptive cyber operations against Western targets. U.S. agencies are responding by emphasizing enhanced surveillance, intelligence sharing, and real-time network monitoring, with strengthened public-private partnerships and rapid response capabilities viewed as essential components of the defensive posture. The situation reinforces the broader reality that in today’s interconnected world, geopolitical conflict rarely remains confined to the physical battlefield.

(TLP: CLEAR) Comments: The escalation between the U.S., Israel, and Iran represents one of the clearest illustrations yet of how modern geopolitical conflict operates simultaneously across physical and digital domains. The reported disruption of Iranian power grid and telecommunications infrastructure through cyberattacks is particularly significant analytically, as it signals that cyber operations are no longer a supplementary tool in military strategy, but a primary instrument of coercion deployed alongside conventional strikes. This integration of cyber and kinetic operations sets an important precedent, and Iran’s retaliatory calculus will almost certainly reflect an equivalent willingness to target civilian infrastructure in adversary nations. The DHS advisory’s focus on lower-level threats like website defacement, phishing, and DDoS rather than catastrophic infrastructure attacks reflects a realistic near-term threat assessment. Iran’s most probable response in the immediate term is not a sophisticated, highly coordinated campaign against U.S. critical infrastructure, but rather a sustained drumbeat of disruptive, visible, and deniable operations designed to signal capability and intent without triggering a disproportionate response. This approach has been consistent with Iranian cyber doctrine for years, and the current conflict provides both the motivation and the political justification to intensify it significantly. The deniability dimension of cyber warfare is particularly relevant in this conflict scenario. Iran faces significant asymmetric disadvantages in conventional military terms, making cyber operations an attractive equalizer that allows it to inflict meaningful damage on Western economies and public confidence while maintaining ambiguity around attribution. The involvement of state-aligned hacktivist groups further extends this deniability, creating a buffer between Iranian state intent and observable action that complicates both attribution and proportional response decisions for U.S. policymakers. The emphasis on public-private partnerships and intelligence sharing in the DHS response reflects an understanding that the attack surface extends far beyond government networks. Critical infrastructure in the United States is predominantly privately owned, meaning that the effectiveness of any national cyber defense posture depends heavily on how quickly and completely private sector organizations can operationalize threat intelligence into defensive action. That gap between intelligence availability and operational implementation remains one of the most significant structural vulnerabilities in the U.S. cyber defense ecosystem, and the current threat environment will test it severely.

(TLP: CLEAR) Recommended best practices/regulations: Critical Infrastructure and Security Agency (CISA) publication “Additional DDoS Guidance for Federal Agencies”: “Many ISPs have DDoS protections, but a dedicated DDoS protection service would likely provide more robust protections against larger or more advanced DDoS attacks. Agencies should evaluate current defenses against DDoS, verify DDoS protections are in place, and consider implementing more robust protections if the agency determines its current protections may be lacking.”

PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following: 

• Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
• Actively running and up to date as applicable. 
• Generating audit logs. 
• Configured to either block web-based attacks or generate an alert that is immediately investigated.

(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.

Digicert’s Web Application Firewall, UltraWAF, sits in front of web applications to protect them against a variety of attacks such as SQLi, XSS, and CSRF. It also integrates bot protections to stop bots and application-layer DDoS attacks.

Source: https://www.cybersecurity-insiders.com/ddos-and-website-defacement-might-increase-on-us-networks-says-dhs/