DigiCert’s Open-Source Intelligence (OSINT) Report – March 20 – March 26, 2026


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

(TLP: CLEAR) The U.S. Department of Justice (DoJ) conducted a court-authorized operation to disrupt a large-scale network of Internet of Things (IoT) botnets—specifically variants known as AISURU, Kimwolf, JackSkid, and Mossad—that collectively compromised more than 3 million devices worldwide and were used to launch high-impact distributed denial-of-service (DDoS) attacks. The operation targeted the botnets’ command-and-control (C2) infrastructure, with assistance from industry partners such as Lumen’s Black Lotus Labs, which helped neutralize nearly 1,000 C2 servers to sever communication between infected devices and their operators. These botnets, largely derived from Mirai malware, infected vulnerable IoT devices including routers, cameras, and other internet-connected systems and aggregated them into a coordinated attack network capable of generating extremely high traffic volumes. Notably, the infrastructure was linked to record-breaking DDoS activity, including a 31.4 Tbps attack observed in late 2025, as well as sustained “hyper-volumetric” attacks reaching billions of packets per second.

(TLP: CLEAR) Comments: The operators employed a “cybercrime-as-a-service” model, monetizing access to compromised devices by renting botnet capabilities to other threat actors. This enabled widespread malicious activity, with court documents indicating hundreds of thousands of issued attack commands across the different botnet families (e.g., over 200,000 attributed to AISURU alone). Additionally, the Kimwolf variant introduced a notable evolution in botnet propagation by leveraging residential proxy networks rather than traditional internet-wide scanning, allowing it to infect devices that are typically shielded behind firewalls. Overall, the disruption highlights both the scale and sophistication of modern IoT-based botnets and underscores persistent security weaknesses in internet-connected devices. The operation demonstrates the importance of coordinated public-private cybersecurity efforts to dismantle distributed attack infrastructure and mitigate global threats posed by increasingly adaptive botnet ecosystems.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those located within NATO and allies, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures.

(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premises hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Digicert’s array of DDoS Protection services includes blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.

Source: https://thehackernews.com/2026/03/doj-disrupts-3-million-device-iot.html 

FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks

(TLP: CLEAR) The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint warning about a large-scale cyber espionage campaign conducted by Russian intelligence-linked threat actors targeting users of commercial messaging applications, particularly Signal. The campaign primarily focuses on high-value individuals, including current and former U.S. government officials, military personnel, journalists, and political figures, and has already resulted in the compromise of thousands of accounts globally. Rather than exploiting vulnerabilities in the underlying software or encryption protocols, the attackers rely on sophisticated phishing and social engineering techniques to gain unauthorized access. The attack methodology involves impersonating legitimate platform support entities and sending deceptive messages designed to trick users into divulging sensitive authentication data, such as verification codes or account PINs. Once obtained, these credentials enable adversaries to link their own devices to victim accounts or execute full account takeovers. This access allows attackers to read private communications, harvest contact lists, impersonate victims, and propagate additional phishing campaigns from trusted accounts, thereby amplifying the attack’s reach and effectiveness.

(TLP: CLEAR) Comments: Importantly, security agencies emphasize that the campaign does not compromise the end-to-end encryption mechanisms of applications like Signal; instead, it exploits human factors and authentication workflows to bypass security controls. Similar activity has been identified as part of a broader global effort, corroborated by allied intelligence agencies, indicating a coordinated and persistent threat landscape targeting secure communication platforms. Overall, the campaign highlights the growing effectiveness of identity-based attacks and underscores the critical need for user awareness, secure authentication practices, and resistance to social engineering in mitigating modern cyber threats.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events.” One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

Source: https://thehackernews.com/2026/03/fbi-warns-russian-hackers-target-signal.html

Iran-Linked Pay2Key Ransomware Group Re-Emerges

(TLP: CLEAR) The Iran-linked Pay2Key ransomware group has re-emerged with significantly enhanced capabilities, reflecting both technical evolution and shifting operational objectives. Active since 2020 and historically aligned with Iranian geopolitical interests, Pay2Key has resumed operations with upgraded malware featuring improved evasion, execution, and anti-forensics mechanisms designed to bypass traditional detection and obscure post-incident analysis. Recent investigations by security firms identified a 2026 intrusion targeting a U.S. healthcare organization, where attackers leveraged credential theft tools (e.g., Mimikatz, LaZagne), remote access software, and network reconnaissance utilities before rapidly deploying ransomware. Notably, the group demonstrated advanced anti-forensic behavior by clearing system logs and removing artifacts after encryption, complicating incident response efforts. Unlike conventional ransomware operations, the latest Pay2Key activity deviates from the typical double-extortion model, as no evidence of data exfiltration was observed in the analyzed attack. This suggests a potential strategic shift toward destructive or disruptive outcomes rather than purely financial gain, aligning with prior assessments that the group may function as a state-aligned cyber capability. Additionally, Pay2Key continues to operate under a ransomware-as-a-service (RaaS) model, actively recruiting affiliates on cybercriminal forums and increasing profit-sharing incentives, while also exhibiting ties to Russian-speaking threat actors, raising uncertainty about its ownership and control following an attempted sale of its infrastructure in 2025.

(TLP: CLEAR) Comments: Overall, the resurgence of Pay2Key highlights the convergence of cybercrime and state-sponsored activity, with its operations often correlating with periods of geopolitical tension involving Iran. The group’s evolving tactics, ambiguous motivations, and willingness to prioritize system disruption over monetization underscore a growing threat to Western organizations and emphasize the need for enhanced detection, rapid response, and resilience strategies against increasingly sophisticated ransomware campaigns.

(TLP: CLEAR) Recommended best practices/regulations: Department of Health and Human Services Fact Sheet: Ransomware and the Health Insurance Portability and Accountability Act (HIPAA): “The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of these required security measures include:

  • Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks. 
  • Implementing procedures to guard against and detect malicious software. 
  • Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections. 
  • Implementing access controls to limit access to ePHI to only those persons or software programs requiring access.”

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.

Source: https://www.infosecurity-magazine.com/news/iranlinked-pay2key-ransomware/ 

Microsoft Warns IRS Phishing Hits 29,000 Users, Deploys RMM Malware

(TLP: CLEAR) Microsoft has identified a large-scale phishing campaign leveraging U.S. tax season themes, specifically impersonating the Internal Revenue Service (IRS), that has targeted over 29,000 users across approximately 10,000 organizations, with the vast majority of victims located in the United States. The campaign relies on socially engineered emails containing tax-related lures (e.g., W-2 forms or refund notices) to trick recipients into engaging with malicious content, ultimately enabling credential harvesting and initial access. A key technical component of the attack chain involves the deployment of remote monitoring and management (RMM) tools, which attackers use post-compromise to establish persistent access, conduct lateral movement, and maintain control over infected systems while blending in with legitimate administrative activity.

(TLP: CLEAR) Comments: The operation reflects a broader trend of adversaries exploiting predictable seasonal events to increase phishing success rates, combining identity spoofing with legitimate tools to evade detection. Rather than relying solely on malware, the attackers emphasize credential theft and “living-off-the-land” techniques, using trusted software and services to reduce their forensic footprint and bypass conventional security controls. This campaign highlights the continued effectiveness of phishing-as-an-initial-access vector, particularly when paired with remote access tooling, and underscores the need for enhanced email security, user awareness, and monitoring of anomalous administrative activity to mitigate enterprise risk during high-volume social engineering periods such as tax season.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following: 

Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link. 

Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts. 

Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.

Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
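The two detection approaches described above, network-level blocking of known-bad domains (DE.CM-01 item) and the textual-attribute DGA heuristic in the CISA guidance (label length, high entropy), as an added illustrative example; this is not UltraDDR's or CISA's code, and the log lines, block list and domains are constructed:

```python
import math
from collections import Counter

# Constructed sample of DNS query log lines, "<client_ip> <queried_name>" (not from the report).
SAMPLE_QUERIES = """\
10.0.0.5 www.example.com
10.0.0.5 login.examp1e-support.net
10.0.0.7 xk3v9qz0wt7pbl2m.biz
10.0.0.9 q7n2bxv4mz8kwtp1rjd.com
10.0.0.9 mail.example.org
"""

# Constructed block list standing in for a threat-intelligence feed (hypothetical lookalike domain).
BLOCK_LIST = {"examp1e-support.net"}

def shannon_entropy(label: str) -> float:
    """Bits per character of the label; random-looking DGA labels score close to log2(alphabet)."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(name: str) -> str:
    """Naive: last two labels. A production PDNS would consult the Public Suffix List instead."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def looks_like_dga(name: str, entropy_threshold: float = 3.5, min_len: int = 12) -> bool:
    """Textual-attribute heuristic: long, high-entropy second-level label with few vowels.
    Heuristics like this produce false positives (CDN hostnames etc.); treat as a signal, not a verdict."""
    label = registrable_domain(name).split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio < 0.3

def classify(name: str) -> str:
    """Block-list match first (known bad), then the DGA heuristic, otherwise allow."""
    if registrable_domain(name) in BLOCK_LIST:
        return "block-list"
    if looks_like_dga(name):
        return "dga-suspect"
    return "allow"

def scan(log_text: str) -> list:
    """Return (client_ip, name, verdict) per query; the ip identifies the host to investigate."""
    results = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        ip, name = parts
        results.append((ip, name, classify(name)))
    return results
```

Running `scan(SAMPLE_QUERIES)` flags the lookalike domain via the block list and the two random-looking labels via the entropy heuristic, while the ordinary hostnames pass.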

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:

  • The Lists Engine lets UltraDDR customers bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
  • The Categories Engine uses Digicert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
  • The Ruleset Engine lets administrators build custom rules to augment and extend the other engines of UltraDDR.

Source: https://thehackernews.com/2026/03/microsoft-warns-irs-phishing-hits-29000.html 


About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
