DigiCert’s Open-Source Intelligence (OSINT) Report – February 5 – February 12, 2026


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Kimwolf Botnet Swamps Anonymity Network I2P

(TLP: CLEAR) Recent reporting highlights significant disruption to I2P (the Invisible Internet Project), an anonymity-focused overlay network designed to enable censorship-resistant and privacy-preserving communications. According to security researchers, the disruption is attributed to the Kimwolf botnet, the large-scale “Internet of Things” (IoT) botnet previously associated with the compromise of Android-based consumer devices, including media streaming boxes and smart TV platforms. Investigative findings indicate that Kimwolf-infected devices were leveraged to overwhelm portions of the I2P network with malicious traffic, degrading performance and, in some cases, rendering services inaccessible. Unlike traditional volumetric distributed-denial-of-service (DDoS) attacks aimed at public-facing web infrastructure, this activity targeted the internal routing fabric of a decentralized anonymity network. By flooding routers and participating nodes with connection attempts and malformed traffic, the botnet strained peer selection mechanisms and routing stability within I2P’s distributed architecture. According to reporting, researchers estimate that Kimwolf has infected hundreds of thousands, and potentially millions, of Android-based devices globally. Many of these endpoints are inexpensive consumer electronics shipped with exposed Android Debug Bridge (ADB) services or outdated firmware, making them highly susceptible to automated compromise. Once infected, devices can be conscripted into botnet operations that include DDoS campaigns, proxy resale services, and anonymized traffic relays for criminal infrastructure. The abuse of I2P infrastructure represents an operational pivot: rather than solely targeting commercial enterprises or government systems, botnet operators appear to be exploiting anonymity networks as a target of disruption, as a shield for command-and-control (C2) operations, or both. Analysts note that flooding I2P may also obscure malicious activity by increasing background noise and reducing defenders’ ability to isolate specific threat actor traffic within the network.

(TLP: CLEAR) Comments: Consumer Android TV boxes and low-cost media players continue to function as an unregulated attack surface. These devices often lack automated patch management, centralized oversight, or meaningful lifecycle support, and so represent persistent, globally distributed infrastructure ideal for sustained DDoS or proxy monetization campaigns. The disruption of I2P suggests that anonymity networks are no longer merely passive enablers of illicit activity but are themselves targeted digital terrain. For organizations reliant on privacy networks, this event reinforces the necessity of layered resilience planning.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that constantly updates mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://krebsonsecurity.com/2026/02/kimwolf-botnet-swamps-anonymity-network-i2p/

Hackers Weaponizing 7-Zip Downloads to Turn Home Computers into Proxy Nodes

(TLP: CLEAR) Recent intelligence reporting has unveiled a widespread malware campaign that uses a trojanized version of the popular 7-Zip file archiving program to conscript unsuspecting home computers into a residential proxy network, which ultimately allows threat actors to route arbitrary internet traffic through victims’ systems for profit or anonymity. According to reporting, at the center of the campaign is a fraudulent domain, 7zip[.]com, impersonating the legitimate and trusted 7-Zip project site (7-zip.org). By mimicking the look and content of the genuine site, attackers trick users into downloading what appears to be a legitimate installer for the open-source archiver. What makes this campaign especially insidious is that the downloaded file does install a working copy of 7-Zip, lowering user suspicion. However, it simultaneously drops a set of hidden malicious components to a privileged Windows system directory (C:\Windows\SysWOW64\hero\) that are designed to persist and carry out background operations without obvious symptoms. Unlike classic botnets built for distributed-denial-of-service (DDoS) attacks or ransomware delivery, this proxy network monetizes access to compromised home connections, essentially selling access to a real user’s internet identity. From a threat actor’s perspective, this offers a scalable, low-risk means to camouflage malicious operations behind genuine residential IPs.
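Two checks a defender can build around the lesson of this campaign are an exact-match test on the download host and a digest comparison against the vendor-published hash. The Python below is an added example written for this report, not code from the page or from the 7-Zip project; the official host names, the hypothetical installer bytes and their digest are constructed here, and 7zip[.]com appears only as the rejected lookalike named above.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hosts from which the genuine 7-Zip installer is published (the legitimate
# site is named in the report). Anything else, including lookalikes such as
# 7zip[.]com, fails the exact-match test below.
OFFICIAL_HOSTS = {"7-zip.org", "www.7-zip.org"}


def is_official_download_url(url: str) -> bool:
    """True only if the URL uses HTTPS and its host is exactly an official host.

    urlsplit().hostname strips userinfo and port, so tricks such as
    'https://7-zip.org@7zip.com/...' or 'https://www.7-zip.org.example/...'
    do not pass, because the real host is compared as a whole string.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in OFFICIAL_HOSTS


def verify_installer(data: bytes, expected_sha256_hex: str) -> bool:
    """Compare the installer's SHA-256 with the digest the vendor publishes."""
    digest = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; cheap insurance when digests come from user input.
    return hmac.compare_digest(digest, expected_sha256_hex.lower())


def check_download(url: str, data: bytes, expected_sha256_hex: str) -> dict:
    """Both checks must pass; the result says which one failed, for triage."""
    source_ok = is_official_download_url(url)
    hash_ok = verify_installer(data, expected_sha256_hex)
    return {"source_ok": source_ok, "hash_ok": hash_ok, "accept": source_ok and hash_ok}


# Constructed sample: a stand-in for an installer binary and the digest a
# vendor page would publish for it (computed here only to keep the example
# self-contained; in practice the expected digest comes from the vendor).
SAMPLE_INSTALLER = b"constructed stand-in for an installer binary"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()

if __name__ == "__main__":
    print(check_download("https://www.7-zip.org/download/installer.exe",
                         SAMPLE_INSTALLER, SAMPLE_DIGEST))
    print(check_download("https://7zip.com/download/installer.exe",
                         SAMPLE_INSTALLER, SAMPLE_DIGEST))
```

The host check deliberately refuses anything that is not an exact, case-folded match; suffix or substring matching is what lookalike domains are designed to defeat. The digest check on its own would also catch the trojanized build, since the campaign's installer differs from the genuine one even though it installs a working 7-Zip.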

(TLP: CLEAR) Comments: The aforementioned campaign exemplifies the evolution of security threats in the proxy economy and highlights that even well-known, legitimate software can be weaponized if distributed from a lookalike domain. Users and administrators alike should treat any deviation from official vendor sources as a significant red flag. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented or detected and addressed. 

An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that conclude the system components are not at risk from malware. The deployed anti-malware solution(s):

  • Detects all known types of malware.
  • Removes, blocks, or contains all known types of malware. 

Any system components that are not at risk for malware are evaluated periodically to include the following:

  • A documented list of all system components not at risk for malware.
  • Identification and evaluation of evolving malware threats for those system components.
  • Confirmation whether such system components continue to not require anti-malware protection. 

The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”

Section 5.2 lays out requirements for malware detection and blocking across all devices in the Cardholder Data Environment. Every device inside of the CDE should have malware protection that is updated, monitored, and actions taken when an infection is detected.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for both users and machines, using defined threat categories, including botnet Command and Control (C2), together with machine learning that detects previously uncategorized malicious associations, to help prevent data exfiltration and malware detonation.

Source: https://cybersecuritynews.com/hackers-weaponizing-7-zip-downloads/

Sanctioned Bulletproof Host Tied to DNS Hijacking

(TLP: CLEAR) A global DNS hijacking campaign has recently been linked to compromised home and small-office routers whose traffic is being stealthily rerouted through Domain Name System (DNS) resolvers operated by a sanctioned bulletproof hosting provider, Aeza International. According to reporting, the campaign manipulates router configurations so that all DNS queries are directed to rogue resolvers hosted by the sanctioned provider, which then selectively alter responses to benefit threat actors. Bulletproof hosting services provide resilient, tolerant infrastructure for malicious or high-risk operations by ignoring abuse complaints and resisting takedowns. Aeza International, sanctioned in mid-2025 by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for facilitating cybercriminal activity, remains a central node in criminal infrastructure, allowing threat actors to rent servers and IP space without meaningful oversight. Unlike typical DNS hijacks that abruptly break connectivity, this campaign often leaves everyday web traffic appearing normal while silently intercepting specific requests. Attackers compromise outdated or poorly configured routers, which often lack ongoing security updates, and alter the DNS settings at the network gateway. Because the fraudulent DNS resolver sits upstream of all connected devices, the phones, laptops, and smart appliances on the same Wi-Fi network become unknowingly subject to malicious traffic redirection. Once users’ DNS queries are forwarded to the rogue servers, selected domain lookups are resolved to malicious or monetized destinations instead of the legitimate IP addresses. Users might thus be routed to deceptive advertising sites, affiliate pages designed for revenue generation, or look-alike domains crafted to facilitate credential harvesting or exploit injection, all while other domains continue to resolve correctly to avoid detection. By controlling the DNS layer, essentially the internet’s “address book”, attackers can subtly influence how users traverse the web without raising immediate alarms. These tactics represent a powerful evolution of the simple router hijack into a controlled, profitable infrastructure.
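The two observable footprints of this campaign, an unapproved upstream resolver on the gateway and canary names that resolve differently from a trusted resolver while the rest resolve normally, can be checked with the following Python. It is an added example, not part of the report or of any vendor tool; the approved-resolver list, the canary names and every address (TEST-NET ranges) are constructed, and the rogue resolver address stands in for whatever a real hijacked gateway points at.

```python
import ipaddress

# Constructed allow-list: the resolvers this organization's gateways are
# permitted to forward to (TEST-NET addresses stand in for real ones).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def audit_gateway_resolvers(configured):
    """Return the configured resolver entries that are not approved.

    A gateway whose upstream resolver has been swapped for an unknown
    address is the footprint of the router-level hijack described above.
    Entries that are not valid IP addresses at all are reported as well.
    """
    unexpected = []
    for entry in configured:
        try:
            ip = str(ipaddress.ip_address(entry.strip()))
        except ValueError:
            unexpected.append(entry)
            continue
        if ip not in APPROVED_RESOLVERS:
            unexpected.append(ip)
    return unexpected


def find_selective_alterations(observed, trusted):
    """Compare A-record answers from the gateway's resolver with a trusted
    resolver's answers for the same canary names.

    Both arguments map a name to the set of addresses returned. A name is
    flagged when the two answer sets share no address (an empty observed
    set, i.e. a suppressed answer, is flagged too). Names that agree are
    the "everything still works" background that lets a selective hijack
    go unnoticed. Canary names should have static records: CDN-fronted
    names legitimately answer differently from different resolvers.
    """
    altered = {}
    for name, good in trusted.items():
        seen = observed.get(name, set())
        if good & seen:
            continue
        altered[name] = {"trusted": sorted(good), "observed": sorted(seen)}
    return altered


def assess_gateway(configured_resolvers, observed, trusted):
    """Combine both checks into one verdict for a gateway."""
    rogue = audit_gateway_resolvers(configured_resolvers)
    altered = find_selective_alterations(observed, trusted)
    return {
        "unapproved_resolvers": rogue,
        "altered_names": sorted(altered),
        "hijack_suspected": bool(rogue) or bool(altered),
    }


# Constructed canary lookups: what a trusted resolver returned, and what the
# gateway's resolver returned. Only the login name is redirected; the mail
# name differs only by round-robin, which the overlap test tolerates.
TRUSTED_ANSWERS = {
    "login.example.com": {"198.51.100.10"},
    "mail.example.com": {"198.51.100.20", "198.51.100.21"},
    "www.example.com": {"198.51.100.30"},
}
OBSERVED_ANSWERS = {
    "login.example.com": {"203.0.113.77"},
    "mail.example.com": {"198.51.100.21"},
    "www.example.com": {"198.51.100.30"},
}
# Constructed gateway configuration: one approved resolver, one rogue one.
GATEWAY_RESOLVERS = ["192.0.2.53", "203.0.113.53"]

if __name__ == "__main__":
    print(assess_gateway(GATEWAY_RESOLVERS, OBSERVED_ANSWERS, TRUSTED_ANSWERS))
```

In practice the observed answers come from querying the gateway's configured resolver (or whatever the gateway hands out over DHCP) for a fixed set of canary names, and the trusted answers from a resolver reached over an independent path; the comparison itself is the part shown here.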

(TLP: CLEAR) Comments: Bulletproof hosting services like Aeza International (or Stark Industries) are engineered to withstand abuse reports and law enforcement pressure, offering a persistent infrastructure layer for criminal operators. Despite being sanctioned, such providers often continue to operate directly or through affiliate entities, highlighting persistent enforcement challenges in cyberspace. The association between this DNS hijacking campaign and a sanctioned host illustrates how criminal ecosystems reuse resilient infrastructure to scale abuse. Ultimately, this campaign displays how attackers exploit both technical weaknesses (outdated hardware and exposed routers) and infrastructure gaps (bulletproof hosting tolerance) to build profit-oriented malicious systems.

(TLP: CLEAR) Recommended best practices/regulations: ICANN SAC 007: “Domain Name Hijacking: Incidents, Threats, Risks and Remediation”: “Registrars should improve registrant awareness of the threats of domain name hijacking and registrant impersonation and fraud and emphasize the need for registrants to keep registration information accurate. Registrars should also inform registrants of the availability and purpose of the Registrar-Lock and encourage its use. Registrars should further inform registrants of the purpose of authorization mechanisms (EPP authInfo) and should develop recommended practices for registrants to protect their domains, including routine monitoring of domain name status, and timely and accurate maintenance of contact and authentication information.”

(TLP: CLEAR) DigiCert: DigiCert’s authoritative DNS solution, UltraDNS, can protect against online threats: both the UltraDNS and UltraDNS2 services are engineered with nameserver segmentation and DNSSEC support, which add an additional layer of protection against malicious activity.

Source: https://www.inforisktoday.com/sanctioned-bulletproof-host-tied-to-dns-hijacking-a-30723

Prometei Botnet Attacking Windows Servers to Gain Remote Access and Deploy Malware

(TLP: CLEAR) The latest intelligence reporting highlights a reviving Prometei botnet campaign that is actively targeting vulnerable Windows Server instances in order to establish persistent remote access and deliver malware. Historically, the modular Prometei malware platform has targeted Linux-based systems and network-attached storage devices. Reporting suggests that in its latest iteration, however, threat actors are focusing on Windows environments, where the wide usage of RDP and legacy services offers a broader attack surface. Upon successful infiltration, the botnet deploys a custom agent that communicates with cloud-based command-and-control (C2) infrastructure, enabling operators to issue commands, download additional payloads, and execute arbitrary code. Additionally, Prometei’s modular architecture allows operators to tailor payloads to specific operational goals, whether to steal sensitive data, monetize via cryptomining, enable ransomware deployment, or pivot into deeper network layers. This flexibility increases the threat actor’s longevity and impact, as compromised hosts become multi-purpose assets rather than single-use infections.

(TLP: CLEAR) Comments: Prometei infections likely run deeper than surface indicators suggest, as persistent backdoors often require complete system rebuilds and credential resets for full remediation. Network defenders should prioritize immediate review of RDP exposure, account lockout policies, and password hygiene across Windows Server environments, while deploying comprehensive endpoint detection and response (EDR) controls. Ultimately, the Prometei botnet’s pivot to Windows Server exploitation is a clear reminder that legacy services and weak authentication practices remain a powerful enabler for threat actors, and that preventive hardening, vigilant monitoring, and robust incident response playbooks are essential to mitigate this adaptable and persistent threat.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

Source: https://cybersecuritynews.com/prometei-botnet-attacking-windows-server/

SSHStalker Botnet Uses IRC C2 to Control Linux Systems via Legacy Kernel Exploits

(TLP: CLEAR) Recent reporting sheds light on a recently observed Linux-focused botnet campaign that leverages legacy kernel vulnerabilities and Internet Relay Chat (IRC)-based command-and-control (C2) to compromise vulnerable hosts. Dubbed “SSHStalker”, the botnet stands apart from many contemporary Linux malware families that favor HTTPS or custom C2 protocols: its use of IRC, the decade-old real-time messaging system, marks a return to resilient, decentralized botnet orchestration techniques. The infection process begins with automated scanning for internet-facing Linux systems that exhibit weak SSH configurations or lack basic hardening measures. Attackers brute-force user accounts, seeking initial access via weak passwords. In parallel, SSHStalker incorporates a suite of legacy Linux kernel exploits targeting older 2.6.x series kernels, which remain unpatched on many forgotten, abandoned, or poorly maintained systems. Among the exploit set are a number of CVEs dating back more than a decade — including CVE-2009-2692 and CVE-2009-2698, which permit remote kernel manipulation via crafted socket operations, and CVE-2010-3849, a local privilege escalation flaw. Once a system is compromised, whether by brute force or by kernel exploitation, the botnet drops its main agent and attempts to maintain persistence. SSHStalker establishes an IRC connection to attacker-controlled servers and joins specific channels where operators broadcast commands. Through these channels the threat actor can execute arbitrary shell commands on the infected host, deploy additional payloads such as cryptominers or reconnaissance tools, and harvest credentials and system information.
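Both stages of the intrusion described above leave log evidence: a burst of sshd failures from one source followed by an accepted login, and an outbound session whose first bytes are an IRC registration handshake rather than TLS or HTTP. The Python below is an added example for this report, not code from the page or from any named researcher; the sshd excerpt and the connection records are constructed, and the session dict shape (src, dst, dport, client_bytes) is a hypothetical sensor export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd excerpt in syslog format (no year). One source hammers
# root and then gets in; another source has a single ordinary failure.
AUTH_LOG = """\
Feb 10 03:12:01 web01 sshd[2210]: Failed password for root from 203.0.113.5 port 40110 ssh2
Feb 10 03:12:03 web01 sshd[2212]: Failed password for root from 203.0.113.5 port 40112 ssh2
Feb 10 03:12:05 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.5 port 40114 ssh2
Feb 10 03:12:07 web01 sshd[2216]: Failed password for root from 203.0.113.5 port 40116 ssh2
Feb 10 03:12:09 web01 sshd[2218]: Failed password for root from 203.0.113.5 port 40118 ssh2
Feb 10 03:12:11 web01 sshd[2220]: Failed password for root from 203.0.113.5 port 40120 ssh2
Feb 10 03:12:14 web01 sshd[2222]: Accepted password for root from 203.0.113.5 port 40122 ssh2
Feb 10 03:40:00 web01 sshd[2300]: Failed password for alice from 198.51.100.8 port 50001 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Yield (timestamp, result, user, source_ip) for each sshd password event."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_ssh_brute_force(text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside a sliding window and
    record whether an accepted login from that source followed the burst,
    which is what separates a failed brute-force from a likely compromise."""
    failures, accepted = defaultdict(list), defaultdict(list)
    for ts, result, _user, ip in parse_auth_log(text):
        (failures if result == "Failed" else accepted)[ip].append(ts)
    findings = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = times[j]
                after = any(t >= burst_end for t in accepted.get(ip, []))
                findings[ip] = {"failures": j - i + 1, "login_after_burst": after}
                break
    return findings


# IRC registration/channel commands at the very start of a client session.
# Matching on protocol text rather than port catches IRC on ports chosen to
# blend in (443 in the constructed record below).
IRC_HANDSHAKE_RE = re.compile(r"^(NICK|USER|PASS|JOIN) \S", re.MULTILINE)


def find_irc_sessions(sessions):
    """Return sessions whose first client bytes look like an IRC handshake.
    Meant for server populations, where no IRC client should be running."""
    return [s for s in sessions if IRC_HANDSHAKE_RE.search(s["client_bytes"])]


# Constructed connection records as a hypothetical sensor might export them.
SESSIONS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443,
     "client_bytes": "NICK x9z2k\r\nUSER x9z2k 0 * :x9z2k\r\nJOIN #ctrl\r\n"},
    {"src": "10.0.0.5", "dst": "198.51.100.40", "dport": 80,
     "client_bytes": "GET / HTTP/1.1\r\nHost: updates.example.net\r\n"},
]

if __name__ == "__main__":
    print(detect_ssh_brute_force(AUTH_LOG))
    print(find_irc_sessions(SESSIONS))
```

The brute-force detector uses a sliding window over sorted failure times rather than a per-hour count, so a fast burst is caught without tuning to log volume; the IRC check looks at payload text because the IRC port is not a reliable signal.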

(TLP: CLEAR) Comments: SSHStalker’s ability to pivot between brute-force credential compromise and kernel exploitation increases its operational reach exponentially: even if brute force fails, the presence of a legacy kernel exploit can still achieve access. This means defenders cannot rely on a single hardening technique; they must adopt a comprehensive strategy that includes both strong authentication practices and diligent patch management.

(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for both users and machines, using defined threat categories, including botnet Command and Control (C2), together with machine learning that detects previously uncategorized malicious associations, to help prevent data exfiltration and malware detonation.

Source: https://thehackernews.com/2026/02/sshstalker-botnet-uses-irc-c2-to.html

Microsoft Office Word 0-day Vulnerability Actively Exploited in the Wild

(TLP: CLEAR) Recent reporting indicates a critical zero-day vulnerability in Microsoft Office Word is being actively exploited in the wild, with threat actors weaponizing malicious Word documents to achieve arbitrary code execution on targeted vulnerable systems. According to security researchers, the vulnerability in question, tracked as CVE-2026-21514, resides in the way Word handles malformed objects in .doc and .docx files, enabling attackers to trigger a memory corruption condition that can lead to remote code execution without any user interaction beyond opening the document. Initial reporting indicated that the exploit was being distributed via spear-phishing campaigns, where targets receive carefully crafted emails purporting to be legitimate business correspondence but containing embedded Word attachments that trigger the vulnerability when opened. Unlike typical phishing campaigns that require enabling macros or following external links, this exploit leverages a flaw in core document parsing logic, meaning victims need only open the attachment for malicious code to execute. The active exploitation in the wild suggests a low barrier to successful compromise, particularly against unpatched systems and endpoints lacking robust email filtering or sandbox analysis. Microsoft has acknowledged the vulnerability and is working on a fix, but as of the latest reporting, no official patch has been released. While this situation persists, defenders must rely on workarounds and layered defenses to mitigate exploitation risk. Additionally, according to reporting, incident response teams are already reporting increases in alerts related to abnormal Microsoft Word process behavior, including unexpected network connections, child process spawning, and in-memory code injection patterns, which are hallmark indicators of post-exploitation activity following the initial trigger of the attack.
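The process-behavior indicators listed at the end of the paragraph translate directly into detection logic that does not depend on a signature for the document itself. The Python below is an added example written for this report, not code from the page, from Microsoft, or from any EDR vendor; the event shape, the allow-list of expected destinations, the install paths and the sample telemetry are constructed, and the rule names are hypothetical.

```python
# Executables a word processor has no legitimate reason to launch. A Word
# process spawning one of them is the "child process spawning" indicator
# named in the reporting.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
WORD_IMAGE = "winword.exe"
# Constructed allow-list: destinations Word is expected to contact in this
# hypothetical estate (licensing, update and collaboration endpoints).
EXPECTED_DESTINATIONS = {"office.example-corp.internal", "updates.example-corp.internal"}


def image_name(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_word_telemetry(events):
    """Return findings for suspicious Word behavior in process/network telemetry.

    Each event is a dict with 'type' of 'process_create' (host, parent_image,
    image, command_line) or 'network_connect' (host, image, dest_host,
    dest_port), a simplified version of what an EDR or Sysmon pipeline exports.
    """
    findings = []
    for e in events:
        if e["type"] == "process_create" and image_name(e["parent_image"]) == WORD_IMAGE:
            child = image_name(e["image"])
            if child in SUSPICIOUS_CHILDREN:
                findings.append({"host": e["host"], "rule": "word_spawned_shell",
                                 "detail": f"{child} <- {e['command_line']}"})
        elif e["type"] == "network_connect" and image_name(e["image"]) == WORD_IMAGE:
            if e["dest_host"].lower() not in EXPECTED_DESTINATIONS:
                findings.append({"host": e["host"], "rule": "word_unexpected_network",
                                 "detail": f"{e['dest_host']}:{e['dest_port']}"})
    return findings


# Constructed telemetry: Word launched normally, a benign print helper, an
# expected service call, then a shell spawn and an unexpected outbound
# connection from the Word process. Paths are typical but constructed here.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws-17", "parent_image": r"C:\Windows\explorer.exe",
     "image": WORD, "command_line": "WINWORD.EXE invoice.docx"},
    {"type": "process_create", "host": "ws-17", "parent_image": WORD,
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 12288"},
    {"type": "network_connect", "host": "ws-17", "image": WORD,
     "dest_host": "office.example-corp.internal", "dest_port": 443},
    {"type": "process_create", "host": "ws-17", "parent_image": WORD,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c <constructed command>"},
    {"type": "network_connect", "host": "ws-17", "image": WORD,
     "dest_host": "203.0.113.44", "dest_port": 8443},
]

if __name__ == "__main__":
    for f in analyze_word_telemetry(SAMPLE_EVENTS):
        print(f)
```

The parent/child rule is the higher-confidence signal and needs little tuning; the network rule depends on an accurate allow-list, so it is better treated as a hunting query until the expected-destination set for the estate is known. In-memory injection, the third indicator in the reporting, requires sensor data (such as remote-thread or memory-protection events) that this simplified event shape does not carry.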

(TLP: CLEAR) Comments: Microsoft Word documents are ubiquitous as both a collaboration tool and a file format circulated across corporate and personal email channels; this familiarity fosters trust and reduces user skepticism which is exactly the psychology threat actors exploit to get users to open attachments. What makes this particular vulnerability especially dangerous is the absence of prerequisite actions beyond opening the file. Traditional document-based malware often relies on enabling macros or executing embedded scripts, steps that many users have been trained to avoid. By contrast, this 0-day leverages a flaw in the core parsing engine of Word, meaning no macro prompts, no user-enabled content, no trickery beyond the initial click. This raises the risk profile significantly, because defenders must assume that any Word document could potentially harbor exploit code until the patch is applied.

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION

Control:

  • Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
  • Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
  • Configure malicious code protection mechanisms to:
      1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
      2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
  • Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports four distinct detection engines to provide defense in depth against malware, phishing, and other abuses:

  • The Lists Engine lets UltraDDR customers bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
  • The Categories Engine uses DigiCert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with a single button click.
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine whether a previously unseen or recently changed domain is malicious in nature.
  • The Ruleset Engine lets administrators build custom rules to augment and extend the other engines of UltraDDR.

Source: https://cybersecuritynews.com/microsoft-office-word-0-day-vulnerability/

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
