DigiCert’s Open-Source Intelligence (OSINT) Report – March 6 – March 12, 2026


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Hackers Abuse .arpa DNS and IPv6 to Evade Phishing Defenses

(TLP: CLEAR) Recent reporting highlights a novel phishing campaign where threat actors abuse the special-use .arpa namespace and IPv6 reverse DNS infrastructure to evade traditional phishing defenses, domain reputation systems, and some email security controls. The .arpa domain is not intended for ordinary website hosting; rather, it exists for Internet infrastructure functions, including reverse lookups through namespaces such as in-addr.arpa and ip6.arpa. Researchers found that attackers are exploiting this trusted, low-scrutiny portion of DNS to deliver phishing content through URLs that many defensive products do not treat as suspicious because the namespace is generally assumed to be non-user-facing infrastructure. According to reporting, the technique relies on the intersection of IPv6 addressing, reverse DNS delegation, and tunneling services. Threat actors obtain or control IPv6 address space, then leverage reverse DNS records tied to ip6.arpa to create hostnames that can be operationalized in phishing lures. Infoblox researchers reported that some providers’ DNS management workflows make this abuse possible by allowing records to be added in ways that were not intended for web-hosted content. In observed campaigns, the adversary then couples that DNS abuse with IPv6 tunnel services and supporting hosting infrastructure to present phishing pages behind URLs that appear highly unusual, are difficult for users to interpret, and may bypass tools trained on conventional domain-based phishing patterns. Furthermore, this approach is operationally significant because it does not depend on exploiting a software vulnerability in browsers or email clients. Instead, it abuses legitimate Internet plumbing in a way that sits outside many common detection assumptions. 
The .arpa namespace is administered for infrastructure purposes by IANA under guidance from the Internet technical community, and RFC 3172 explicitly describes it as an area reserved for address and routing parameters rather than consumer-facing content. As a result, many security products, blocklists, and analyst workflows are optimized for suspicious registered domains, not infrastructure-oriented reverse DNS space that “should not” ordinarily appear in phishing URLs.
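
(TLP: CLEAR) Worked example: the detection gap described above comes down to one check that most URL filters never make, whether the hostname of a clicked link sits under in-addr.arpa or ip6.arpa at all. The script below is an added example for this report, not code from the original article or from Infoblox. It scans free-form log lines for URLs, flags any host under .arpa, and decodes the reverse-mapping labels back into the IPv4 or IPv6 prefix they describe, which is the pivot an analyst wants (the owning address block) when the hostname itself is unreadable. The log lines and hostnames are constructed, and the decoded addresses fall in documentation ranges (RFC 3849 / RFC 5737), not in any real attacker space.

```python
"""Flag URLs whose host sits in the .arpa reverse-mapping namespace.

Added example for this report, not code from the original article or from
Infoblox. The log lines and hostnames are constructed; the decoded addresses
fall in documentation ranges (RFC 3849 / RFC 5737), not in attacker space.
"""
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HEX_DIGITS = set("0123456789abcdef")


def reverse_name_to_network(host):
    """Decode an ip6.arpa / in-addr.arpa name into the prefix it maps.

    Reverse names list address digits least-significant first, so walking
    the labels from the zone apex outward yields the most-significant digits.
    A label that is not an address digit (for example a 'www' the attacker
    prepended under a delegated reverse zone) stops the walk; the digits
    collected so far become a prefix, which is the pivot a defender wants.
    Returns None if the name is not under either zone or nothing decodes.
    """
    labels = host.lower().rstrip(".").split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        digits = []
        for label in reversed(labels[:-2]):
            if len(label) == 1 and label in HEX_DIGITS:
                digits.append(label)
            else:
                break
        if not digits:
            return None
        padded = "".join(digits).ljust(32, "0")          # zero-fill to 32 nibbles
        addr = ":".join(padded[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.ip_network(f"{addr}/{4 * len(digits)}", strict=False)
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = []
        for label in reversed(labels[:-2]):
            if label.isdigit() and int(label) <= 255:
                octets.append(label)
            else:
                break
        if not octets:
            return None
        addr = ".".join((octets + ["0", "0", "0", "0"])[:4])
        return ipaddress.ip_network(f"{addr}/{8 * len(octets)}", strict=False)
    return None


def classify_url(url):
    """Return a verdict dict for one URL: is it under .arpa, and which prefix?"""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    in_arpa = host == "arpa" or host.endswith(".arpa")
    net = reverse_name_to_network(host) if in_arpa else None
    return {
        "url": url,
        "host": host,
        "special_use_arpa": in_arpa,
        "mapped_network": str(net) if net else None,
    }


def flag_arpa_urls(log_lines):
    """Scan log lines and return a verdict for every URL whose host is under .arpa."""
    hits = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            verdict = classify_url(url)
            if verdict["special_use_arpa"]:
                hits.append(verdict)
    return hits


# Constructed proxy-log sample: one benign request, two .arpa-hosted lures.
SAMPLE_LOG = [
    "2026-03-09T10:11:12Z alice GET https://login.example.com/ 200",
    "2026-03-09T10:12:40Z bob GET http://www.8.b.d.0.1.0.0.2.ip6.arpa/m365/ 200",
    "2026-03-09T10:13:05Z carol GET http://1.2.0.192.in-addr.arpa/verify 200",
]

if __name__ == "__main__":
    for hit in flag_arpa_urls(SAMPLE_LOG):
        print(hit["host"], "->", hit["mapped_network"])
```

Feed the same function the hostnames from mail-gateway URL rewriting or secure web gateway logs and alert on every hit: legitimate traffic to an .arpa hostname over HTTP is rare enough that the false-positive rate is negligible, and the decoded prefix gives a block to query against IPv6 tunnel providers and reverse-zone delegations.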

(TLP: CLEAR) Comments: The abuse of .arpa and IPv6 reverse DNS represents a meaningful evolution in phishing infrastructure because it weaponizes a part of the DNS ecosystem that most users never see and many defenders do not routinely scrutinize. Rather than relying solely on deceptive lookalike domains, the actor is exploiting trust assumptions built into core Internet operations. This makes the activity more than a routine phishing campaign; it is an example of adversaries deliberately moving into the seams between infrastructure administration and security monitoring. Organizations should treat this as a warning that phishing detection strategies centered only on traditional domain reputation are increasingly insufficient. Expanded IPv6 visibility, stricter treatment of special-use namespaces in secure web gateways and email filters, and deeper inspection of URL redirection chains will be necessary to identify similar campaigns going forward.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following: 

  • Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link. 
  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts. 
  • Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
  • Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects each DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.

Source: https://www.bleepingcomputer.com/news/security/hackers-abuse-arpa-dns-and-ipv6-to-evade-phishing-defenses/

Hikvision Multiple Products Vulnerability Allows Malicious Users to Escalate Privileges

(TLP: CLEAR) Intelligence reporting highlights renewed risks associated with a legacy but still dangerous Hikvision vulnerability, CVE-2017-7921, an improper authentication flaw affecting multiple Hikvision surveillance products. The Cybersecurity and Infrastructure Security Agency (CISA) later added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on March 5, 2026 after confirming the vulnerability’s active exploitation in the wild. The bug in question allows an unauthenticated attacker to bypass normal authentication controls, escalate privileges, and access sensitive device information or functions without valid credentials. Public reporting notes that exposed IP cameras and related video-surveillance appliances remain especially attractive targets because they are often internet reachable, infrequently patched, and embedded deep inside enterprise, municipal, healthcare, warehouse, and campus environments where they are treated as operational technology rather than actively managed IT assets. Hikvision originally disclosed the flaw in March 2017, stating that affected cameras could allow attackers to obtain unauthorized elevated privileges and tamper with device information, with fixed firmware released for impacted product lines. The persistence of exploitation nearly nine years later suggests a familiar but serious pattern in the connected-device ecosystem: vulnerable edge devices remain deployed far beyond normal patch cycles, creating durable access opportunities for threat actors. In operational terms, compromise of a surveillance platform may extend beyond privacy loss; an attacker with administrative-level access may be able to view live feeds, retrieve archived footage, alter settings, harvest network details, and use the device as a foothold for lateral movement into broader internal environments. 
The vulnerability’s renewed prioritization also underscores a broader defensive concern: legacy camera and NVR infrastructure often sits at the intersection of physical and cyber risk. Unlike conventional workstations or servers, these systems may be managed by facilities, third-party integrators, or regional operations teams instead of central security staff. That governance gap can leave old firmware, weak segmentation, exposed management interfaces, and default or long-lived credentials in place for years. CISA has directed federal civilian agencies to remediate the flaw by March 26, 2026, and its required action states that organizations should apply vendor mitigations, follow applicable BOD 22-01 guidance, or discontinue use of affected products when mitigations are unavailable. Private-sector organizations should treat that timeline as a strong prioritization signal, particularly where Hikvision devices are externally reachable or connected to sensitive internal networks.

(TLP: CLEAR) Comments: The continued exploitation of CVE-2017-7921 is a reminder that internet-connected cameras remain a chronically under-defended attack surface. Surveillance devices are often deployed for years with minimal lifecycle oversight, yet they can expose far more than video alone: once compromised, they may reveal physical layouts, daily routines, administrative credentials, and adjacent network architecture. The risk is amplified because these devices frequently exist outside normal endpoint protection and vulnerability-management workflows. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as a Protective DNS solution, provides overlapping protection not only for conventional IT assets such as laptops, desktops, and servers, but also for non-standard assets such as IoT devices (cameras and NVRs included) and servers that cannot run anti-malware software.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

Source: https://cybersecuritynews.com/hikvision-multiple-products-vulnerability/

Hackers Leveraging Popular Web Services Provider Anti-Bot Features to Steal Microsoft 365 Credentials

(TLP: CLEAR) Security researchers have recently identified a credential-harvesting campaign targeting Microsoft 365 users that abuses legitimate Cloudflare anti-bot functionality to delay detection and impede automated analysis. According to reporting, the phishing operation used Cloudflare’s human-verification layer as an initial screening mechanism, forcing visitors through a Turnstile check before exposing any malicious content. Researchers found that the infrastructure was designed to distinguish real victims from scanners, crawlers, and security researchers, allowing the threat actor to preserve the phishing kit while limiting visibility into its behavior. Upon initial communication, the site reportedly performed additional filtering by querying the visitor’s public IP address and comparing it against a hardcoded list of blocked network ranges associated with security vendors and major cloud providers. Reporting further indicates the phishing page also inspected user-agent strings and, when it detected known bots or crawler identifiers, dynamically returned a fake “404 Not Found” page instead of the malicious content. This layered anti-analysis workflow significantly reduced the likelihood that the site would be indexed, flagged, or rapidly profiled by defenders using automated tooling. Researchers also observed that the credential theft logic was heavily obfuscated. Rather than exposing conventional JavaScript functions that could be easily inspected, the phishing framework reportedly relied on a custom virtual-machine-like routine to interpret encoded instructions and assemble the downstream credential-harvesting path. If the gatekeeping logic determined that a visitor was suspicious, the framework could reportedly swap the malicious destination for a benign site such as Google, further reducing the observable malicious footprint during analysis. 
This suggests the operators placed considerable emphasis on infrastructure survivability and counter-detection rather than relying solely on disposable phishing pages. Additionally, reporting suggests that this campaign was tied to domains such as securedsnmail[.]com and additional related infrastructure that shared common registration and hosting characteristics. DomainTools noted a recurring Cloudflare Turnstile sitekey across multiple phishing sites, indicating that defenders may be able to pivot on that artifact in telemetry sources to identify related domains before they are operationalized at scale. The broader significance is that trusted security and content-delivery services can be repurposed as defensive cover for malicious infrastructure, complicating takedown, slowing triage, and increasing the dwell time of phishing operations targeting enterprise identities such as Microsoft 365 accounts.
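
(TLP: CLEAR) Worked example: the gating chain described above (vendor/cloud IP denylist, user-agent check, Turnstile interstitial, then the lure) is easy to misread as “the page returned 404, so it is clean.” The script below is an added example for this report, not code from the original article or from DomainTools. It emulates the kit’s gate so the example runs offline, then shows the two defender-side checks that follow from the reporting: a differential fetch from several vantage points that reveals cloaking when one vantage gets a 404 and another gets content, and a pivot that groups pages by the Turnstile sitekey embedded in their HTML. The denylist ranges, user-agent markers, response bodies, page HTML and sitekey values are all constructed stand-ins, not the campaign’s real values.

```python
"""Visitor gating of the kind the campaign used, and two defender checks.

Added example for this report, not code from the original article or from
DomainTools. The denylist, user-agent markers, responses, page HTML and
sitekeys are constructed stand-ins; none are the campaign's real values.
"""
import ipaddress
import re

# Constructed: ranges the operator keeps away from the lure (documentation
# space here; a real kit lists security-vendor and cloud-provider ranges).
BLOCKED_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]
BOT_UA_MARKERS = ("bot", "crawler", "spider", "curl", "python-requests", "headlesschrome")
LURE = "<html>fake Microsoft 365 sign-in</html>"
NOT_FOUND = "<html>404 Not Found</html>"
CHALLENGE = "<html>Turnstile challenge</html>"


def gate(client_ip, user_agent, passed_turnstile):
    """Emulate the kit's gatekeeping: the (status, body) a given visitor receives."""
    if any(ipaddress.ip_address(client_ip) in net for net in BLOCKED_RANGES):
        return 404, NOT_FOUND            # scanner/vendor range: play dead
    if any(m in user_agent.lower() for m in BOT_UA_MARKERS):
        return 404, NOT_FOUND            # crawler user agent: play dead
    if not passed_turnstile:
        return 200, CHALLENGE            # humans must clear the interstitial first
    return 200, LURE                     # only now is the credential form served


def detect_cloaking(vantages, fetch=gate):
    """Fetch the same page from several vantage points and compare.

    `vantages` is a list of (ip, user_agent, passed_turnstile) tuples. `fetch`
    retrieves the page; it defaults to the emulated gate so the example runs
    offline and would wrap a real HTTP client in practice. Cloaking is reported
    when vantages disagree and at least one got a 404 while another got a 200.
    """
    responses = {v: fetch(*v) for v in vantages}
    statuses = {status for status, _ in responses.values()}
    bodies = {body for _, body in responses.values()}
    return {
        "distinct_responses": len(bodies),
        "cloaked": len(bodies) > 1 and {200, 404} <= statuses,
        "responses": responses,
    }


# Turnstile widgets carry their sitekey in a data-sitekey attribute.
SITEKEY_RE = re.compile(r'data-sitekey=["\']([0-9A-Za-z_-]+)["\']')


def extract_sitekeys(html):
    """Pull every Turnstile sitekey embedded in a page."""
    return sorted(set(SITEKEY_RE.findall(html)))


def group_by_sitekey(pages):
    """Map sitekey -> hosts whose pages embed it; a shared key links infrastructure."""
    groups = {}
    for host, html in pages.items():
        for key in extract_sitekeys(html):
            groups.setdefault(key, []).append(host)
    return {key: sorted(hosts) for key, hosts in groups.items()}


# Constructed pages: two lures sharing one widget sitekey, one unrelated site.
SAMPLE_PAGES = {
    "securedsnmail[.]com": '<div class="cf-turnstile" data-sitekey="0x4AAAAAAAconstructed1"></div>',
    "lookalike-b.example": '<div class="cf-turnstile" data-sitekey="0x4AAAAAAAconstructed1"></div>',
    "unrelated.example": '<div class="cf-turnstile" data-sitekey="0x4AAAAAAAconstructed2"></div>',
}

if __name__ == "__main__":
    print(detect_cloaking([
        ("198.51.100.7", "curl/8.0", True),                       # sandbox vantage
        ("192.0.2.10", "Mozilla/5.0 (Windows NT 10.0)", True),   # residential vantage
    ])["cloaked"])
    print(group_by_sitekey(SAMPLE_PAGES))
```

The practical consequence for triage is that a single automated fetch from a sandbox or vendor range is not evidence of a benign page; a second fetch from a residential egress with a browser user agent, and a sitekey comparison against pages already classified as phishing, both cost little and defeat the gating the reporting describes.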

(TLP: CLEAR) Comments: The aforementioned campaign demonstrates an increasingly sophisticated phishing infrastructure model in which threat actors no longer depend on crude credential lures alone, but instead engineer the surrounding delivery infrastructure to actively resist investigation. By leveraging a trusted intermediary such as Cloudflare, operators gain both reputational camouflage and technical friction against automated inspection. A significant aspect is not simply the Microsoft 365 lure, but the deliberate use of anti-bot controls, IP filtering, and response shaping to selectively expose malicious content only to likely victims. This indicates a shift toward phishing infrastructure that behaves more like hardened criminal access architecture than a disposable scam page. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:

  • Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks. 
  • Actively running and up to date as applicable.
  • Generating audit logs.
  • Configured to either block web-based attacks or generate an alert that is immediately investigated.”

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine if the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole.

Source: https://cybersecuritynews.com/cloudflare-anti-bot-features-microsoft-365/

Israeli, US Strikes Against Iran Triggers a Surge in Hacktivist Activity

(TLP: CLEAR) Recent intelligence reporting indicates that the February 28, 2026, coordinated U.S. and Israeli strikes against Iran rapidly spilled into the cyber landscape, prompting a sharp rise in hacktivist activity across the Middle East and beyond. According to Intel471, the onset of open conflict was followed within hours by a wave of hacktivist claims, the majority of which were aligned with Iran and directed at Israel, the United States, and Gulf states, while a smaller number of anti-Iranian operations also emerged. Reporting showed a significant spike beginning February 28 and a sustained volume of alleged attacks through the following week, with Israel identified as the most-targeted country, followed by Kuwait and Jordan. The most frequently affected sectors were national government, aerospace and defense, and technology. Researchers indicated the overwhelming share of this activity was disruptive rather than destructive, centered on distributed denial-of-service (DDoS) attacks, website defacements, breach claims, and opportunistic influence operations. Intel471 observed pro-Iranian or Iran-aligned actors claiming compromises of oil and gas organizations in Israel, Jordan, and Saudi Arabia; DDoS attacks against military and government entities in Bahrain and Saudi Arabia; attacks on U.S. military online resources; and operations targeting Israeli telecommunications and infrastructure-related entities. The activity was not limited to directly Iranian-aligned actors. Pro-Russian hacktivist collectives also publicly signaled support for Iran and joined related campaigns, including attacks claimed against Israeli political parties, local authorities, banks, telecommunications firms, and even industrial or water-management systems.
It was separately reported that between February 28 and March 2, 2026, 149 hacktivist-attributed DDoS attacks targeted 110 organizations across 16 countries, reinforcing that the post-strike activity was both immediate and geographically broad. Additional reporting indicates that this cyber activity unfolded alongside broader operational pressure inside Iran itself. From an operational standpoint, the current activity reflects a familiar but still consequential pattern in geopolitical cyber escalation: fast-moving, low-to-medium sophistication disruptions intended to create psychological pressure, force defensive resource expenditure, and amplify political messaging rather than consistently achieve lasting strategic damage.

(TLP: CLEAR) Comments: The latest wave of hacktivist activity demonstrates how quickly geopolitical conflict can translate into cyber disruption, even when many of the participating actors lack the sophistication of mature nation-state operators. The operational risk is not solely in the technical damage caused by individual incidents, but in the cumulative burden placed on defenders as numerous low-cost attacks, exaggerated breach claims, and coordinated propaganda operations force organizations to investigate, validate, and respond at speed. The visible participation of pro-Russian groups alongside pro-Iranian collectives also suggests a widening opportunistic ecosystem in which ideologically adjacent actors use regional conflict to boost visibility, expand targeting scope, and reinforce anti-Western narratives. For organizations with internet-facing services, particularly in government and critical infrastructure sectors, the current environment reinforces the need for resilient DDoS readiness, continuous monitoring, and well-rehearsed incident response procedures.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.”

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15 Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://www.intel471.com/blog/israeli-us-strikes-against-iran-triggers-a-surge-in-hacktivist-activity?utm_content=372456000&utm_medium=social&utm_source=twitter&hss_channel=tw-2524569404

White House Cyber Strategy Prioritizes Offense

(TLP: CLEAR) Recent reporting highlights the release of a new White House cyber strategy that signals a more aggressive U.S. posture in cyberspace, emphasizing preemption, deterrence, and the broader use of national power against state-backed and criminal cyber threats. Dark Reading reported that the strategy frames cybersecurity not only as a defensive technology challenge, but as a strategic arena in which the United States intends to impose costs on adversaries and pursue more proactive disruption efforts. According to the reporting, the strategy is intentionally high level and functions more as a statement of posture than a detailed implementation plan. The White House’s strategy document states that the administration will “not confine” responses to the cyber realm and will instead act “swiftly, deliberately, and proactively” to disable threats to America. It further outlines six policy pillars: shaping adversary behavior, promoting common-sense regulation, modernizing and securing federal government networks, securing critical infrastructure, sustaining superiority in critical and emerging technologies, and building talent and capacity. Of these, the most consequential from a threat landscape perspective is the first pillar, which explicitly calls for the use of the full suite of U.S. government defensive and offensive cyber operations to detect, confront, and defeat adversaries before they breach U.S. networks and systems. The strategy also places notable emphasis on hardening critical infrastructure and supply chains, including energy systems, telecommunications, financial networks, data centers, water utilities, and hospitals. In parallel, it calls for modernization of federal systems through zero-trust architecture, cloud transition, post-quantum cryptography, and AI-enabled cybersecurity tools. 
This suggests the administration is attempting to pair a more assertive offensive posture with stronger domestic resilience, especially for sectors whose disruption could carry national security or economic consequences.

(TLP: CLEAR) Comments: The newly released strategy underscores a growing consensus within Washington that malicious cyber activity can no longer be treated solely as a network defense problem. Instead, hostile cyber operations are increasingly viewed as part of a broader contest involving geopolitical coercion, criminal enablement, economic disruption, and infrastructure risk. The strategy’s emphasis on offensive disruption, public-private coordination, and critical infrastructure hardening suggests that defenders should expect a more assertive federal posture, but also greater expectations that private-sector operators strengthen their own resilience. For enterprise security teams, the practical takeaway is unchanged: regardless of strategic rhetoric, organizations remain the first line of defense against disruptive attacks targeting availability, trust, and operational continuity.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures.

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is incredibly fast response against DDoS trouble when you need it most.

Source: https://www.darkreading.com/cybersecurity-operations/white-house-cyber-strategy-prioritizes-offense

New ‘BlackSanta’ EDR Killer Spotted Targeting HR Departments

(TLP: CLEAR) Recent reporting highlights a long-running malware campaign targeting human resources and recruitment personnel with a newly identified endpoint defense neutralization tool dubbed BlackSanta. According to the reporting, the campaign has operated for more than a year and is attributed to a Russian-speaking threat actor that appears to rely on social engineering, evasive execution chains, and post-compromise defense suppression to obtain sensitive information from victim environments. Victims are reportedly lured into downloading ISO files masquerading as resumes, likely delivered through spear-phishing and hosted on cloud storage platforms such as Dropbox. Once opened, the ISO contains a shortcut file disguised as a PDF, a PowerShell script, an image file, and an icon file, forming the basis of a multi-stage infection chain. Analysis of the infection flow indicates the malicious shortcut launches PowerShell to run a script that extracts hidden data from an image using steganography and executes the recovered code directly in memory. The next stage downloads a ZIP archive containing a legitimate SumatraPDF executable alongside a malicious DWrite.dll, which is loaded through DLL sideloading. Researchers state the malware then fingerprints the host, communicates with command-and-control infrastructure, and checks for sandboxes, virtual machines, and debugging tools before proceeding. Additional payloads are then fetched and launched using process hollowing, while Windows Defender settings are altered to reduce host-level protections and defensive visibility. Aryaka’s research adds that the malware communicates with its command-and-control over encrypted HTTPS and was built to support persistence, data theft, and long-term access. The campaign’s most notable capability is the BlackSanta module itself, which functions as a dedicated EDR killer.
Reporting indicates BlackSanta adds Microsoft Defender exclusions for “.dls” and “.sys” files, modifies registry values to reduce telemetry and automatic sample submission, and can suppress Windows notifications to limit user awareness. Its core purpose is to enumerate running processes, compare them against a hardcoded list of antivirus, EDR, SIEM, and forensic tooling, retrieve the associated process IDs, and terminate those protections at the kernel level. To accomplish this, the malware reportedly uses a Bring Your Own Vulnerable Driver (BYOVD) technique involving the RogueKiller Antirootkit driver v3.1.0 and IObitUnlocker.sys v1.2.0.1, giving the operator low-level access to memory and processes and materially weakening host-based detection and response. Researchers were unable to recover the final payload from the observed sample because the C2 server was unavailable, though linked infrastructure suggested the broader operation had been active for roughly a year and likely supported information theft.
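
(TLP: CLEAR) Worked example: the Defender tampering described above (extension exclusions, reduced telemetry and sample submission, suppressed notifications) leaves traces in the registry that can be audited from an exported hive even when the EDR agent itself has been killed. The script below is an added example for this report, not code from the original article or from Aryaka. It parses a .reg export and reports exclusions for executable or driver extensions, disabled cloud reporting, sample submission set to “never send,” and hidden Security Center notifications. The key paths are Defender’s documented locations for those settings; the report does not state which specific values BlackSanta changes, so treat that mapping as an assumption. The .reg text is constructed.

```python
"""Audit a Defender registry export for the kinds of changes reported above.

Added example for this report, not code from the original article or from
Aryaka. Key paths are Defender's documented locations for extension
exclusions, Spynet (cloud reporting / sample submission) settings and
Security Center notifications; which of them this malware actually writes
is not stated in the report, so the mapping is an assumption. The .reg
text below is constructed.
"""
import re

EXCLUSION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"
SPYNET_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet",
)
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications"
# Excluding executable or driver formats from scanning is almost never legitimate.
RISKY_EXTENSIONS = {"sys", "dll", "exe", "dls"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: int}} (DWORD values only)."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            tree[current][m.group(1)] = int(m.group(2), 16)
    return tree


def audit_defender(text):
    """Return human-readable findings for the tampering patterns of interest."""
    tree = parse_reg(text)
    findings = []
    for ext in tree.get(EXCLUSION_KEY, {}):
        if ext.lstrip(".").lower() in RISKY_EXTENSIONS:
            findings.append(f"exclusion for executable extension {ext!r}")
    for key in SPYNET_KEYS:
        values = tree.get(key, {})
        if values.get("SpynetReporting") == 0:          # 0 = cloud reporting off
            findings.append("cloud-delivered protection reporting disabled")
        if values.get("SubmitSamplesConsent") == 2:     # 2 = never send samples
            findings.append("automatic sample submission set to never send")
    if tree.get(NOTIFY_KEY, {}).get("DisableNotifications") == 1:
        findings.append("Security Center notifications suppressed")
    return findings


# Constructed export: what a tampered host might look like after the changes
# the report describes (".dls" is kept as the report spells it).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions]
"sys"=dword:00000000
"dls"=dword:00000000
"log"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SpynetReporting"=dword:00000000
"SubmitSamplesConsent"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]
"DisableNotifications"=dword:00000001
"""

if __name__ == "__main__":
    for finding in audit_defender(SAMPLE_REG):
        print("-", finding)
```

Real exports written by reg.exe are UTF-16 with a byte-order mark, so open them with encoding "utf-16" before passing the text in. Because the check reads a static export, it still works on a disk image or a hive pulled from a host whose agent has already been terminated, which is exactly the situation an EDR killer creates.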

(TLP: CLEAR) Comments: The BlackSanta campaign reflects a more mature form of intrusion tradecraft in which threat actors do not merely seek initial access, but deliberately engineer the environment for low-noise follow-on operations. HR and recruitment teams remain uniquely exposed because opening resumes, reviewing attachments, and interacting with external candidates are core business functions, giving adversaries a believable delivery path that blends into normal workflow. The combination of steganography, DLL sideloading, in-memory execution, process hollowing, and BYOVD-based security tool termination suggests an actor prioritizing stealth, investigative disruption, and durable access over smash-and-grab execution. From a defender’s standpoint, the campaign reinforces that endpoint visibility alone is insufficient if adversaries can tamper with security controls before final payload delivery. Organizations should view HR as a high-risk operational enclave and apply heightened monitoring, attachment isolation, PowerShell scrutiny, driver-loading controls, and strict process protection around systems that routinely handle unsolicited applicant content.

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION

Control:

  • Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
  • Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
  • Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection. 
  • Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client. 

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for both users and machines, using defined categories (including botnet Command and Control (C2)) together with machine learning that detects previously uncategorized malicious associations, helping to prevent data exfiltration and malware detonation.

Source: https://www.bleepingcomputer.com/news/security/new-blacksanta-edr-killer-spotted-targeting-hr-departments/

KadNap, a New Botnet Hijacks ASUS Routers to Fuel Cybercrime 

(TLP: CLEAR) Recent reporting highlights the emergence of a stealthy botnet malware family dubbed KadNap that is actively compromising ASUS routers and other edge networking devices to build a criminal proxy network. Researchers report that KadNap has been under observation since August 2025 and has grown to more than 14,000 infected devices, with roughly 60% of observed victims located in the United States. Additional victim concentrations have been noted in Taiwan, Hong Kong, and Russia, underscoring both the scale and geographic dispersion of the campaign. Unlike conventional botnets that rely on static or centrally managed command-and-control (C2) servers, KadNap uses a custom implementation of the Kademlia Distributed Hash Table (DHT) protocol to obscure the location of its control infrastructure inside peer-to-peer traffic. This design enables infected devices to discover botnet peers and locate C2 nodes in a decentralized manner, complicating traditional blocklisting and takedown efforts. Researchers assess that this architecture gives operators a more resilient communications layer while also helping their infrastructure blend into legitimate peer-to-peer network behavior. The infection chain begins when a victim device retrieves a malicious shell script, aic.sh, from attacker-controlled infrastructure. That script establishes persistence through a cron job scheduled to execute every hour at the 55-minute mark, then downloads and launches an ELF binary named kad. Black Lotus Labs identified samples compiled for both ARM and MIPS architectures, indicating deliberate support for the router and embedded-device ecosystem. Once active, the malware suppresses normal input/output visibility, determines the infected host’s external IP address, and proceeds to integrate the device into the malicious peer network.
Reporting further links KadNap to the Doppelganger proxy service, which researchers believe is a rebrand or operational successor to the Faceless proxy network previously associated with TheMoon malware. In practical terms, this means compromised routers are not simply being warehoused for possible future use; they are being operationalized as residential-style proxies that can be sold or leased to cybercriminal customers. Those customers can then route malicious traffic through real consumer and small-office devices to support brute-force activity, targeted exploitation, traffic laundering, and other operations that benefit from blending into seemingly legitimate residential IP space.
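The persistence detail above (an hourly cron job at minute 55 that runs aic.sh, which in turn launches kad) is something a defender can check for directly on a device’s crontab. The following is an added example written for this report, not code from the cited reporting or from Black Lotus Labs; the sample crontab and the /tmp and /usr/sbin paths in it are constructed, and only the file names and schedule come from the reporting.

```python
import re

# Indicators taken from the reporting above: the dropper script name, the ELF payload name,
# and the cron schedule (every hour at minute 55). Sample paths below are constructed.
KADNAP_FILE_NAMES = {"aic.sh", "kad"}
KADNAP_MINUTE = "55"

FIVE_FIELD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def parse_cron_line(line):
    """Return (minute, hour, command) for a job line; None for blank, comment, or VAR=value."""
    s = line.strip()
    if not s or s.startswith("#") or "=" in s.split()[0]:
        return None
    if s.startswith("@"):                      # @hourly, @reboot, ... nickname schedules
        nick, _, cmd = s.partition(" ")
        return nick, "*", cmd.strip()
    m = FIVE_FIELD_RE.match(s)
    return (m.group(1), m.group(2), m.group(6)) if m else None

def command_references_kadnap(command):
    """True if any path component or argument equals a reported KadNap file name."""
    return any(tok in KADNAP_FILE_NAMES for tok in re.split(r"[\s;|&/]+", command))

def scan_crontab(text):
    """Flag entries matching KadNap's reported persistence.

    Returns a list of (line_no, severity, reason, entry). A reported file name in the
    command is "high"; the 55-minute hourly schedule alone is only "low" (many benign
    jobs run hourly) but is still worth a look on an internet-exposed router.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        minute, hour, command = parsed
        reasons, severity = [], "low"
        if command_references_kadnap(command):
            reasons.append("command references reported KadNap file name")
            severity = "high"
        if minute == KADNAP_MINUTE and hour == "*":
            reasons.append("runs every hour at minute 55, matching reported persistence schedule")
        if reasons:
            findings.append((n, severity, "; ".join(reasons), line.strip()))
    return findings

# Constructed sample crontab (not a real capture); paths are illustrative.
SAMPLE_CRONTAB = """\
PATH=/usr/sbin:/usr/bin:/sbin:/bin
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
55 * * * * /tmp/aic.sh
55 * * * * /usr/sbin/ntpdate -u pool.ntp.org
"""
```

Feed `scan_crontab` the output of `crontab -l` (or the contents of each user crontab file) collected from the device; a high finding is a candidate for isolating the router and pulling the referenced files for analysis.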

(TLP: CLEAR) Comments: KadNap reflects a continued evolution in how threat actors monetize compromised edge infrastructure. Rather than using infected routers solely for distributed-denial-of-service operations, the operators appear to be prioritizing proxy resale and traffic anonymization, which can generate sustained criminal value while reducing direct exposure of attacker-controlled assets. The use of Kademlia-based peer discovery is particularly notable because it reduces the defenders’ ability to identify a single chokepoint for disruption and increases the botnet’s survivability under enforcement or sinkholing pressure. More broadly, the campaign reinforces that home-office and small-business routers remain a poorly defended but highly scalable attack surface, especially when devices are internet-exposed, weakly administered, unpatched, or approaching end-of-life. For defenders, KadNap is a reminder that edge devices should be treated as part of the enterprise security boundary rather than as passive networking appliances.

(TLP: CLEAR) Recommended best practices/regulations: Request for Comments (RFC) 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine whether a domain is malicious before endpoints can be infected by it.

Source: https://www.bleepingcomputer.com/news/security/new-kadnap-botnet-hijacks-asus-routers-to-fuel-cybercrime-proxy-network/

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
