Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Microsoft Mitigates Record 15.72 Tbps DDoS Attack Driven by AISURU Botnet
(TLP: CLEAR) Microsoft’s Azure DDoS Protection system successfully detected and mitigated a massive 15.72 Tbps (terabits per second) distributed denial-of-service (DDoS) attack that targeted a single public IP endpoint in Australia, making it the largest cloud-based attack observed to date. The attack also peaked at nearly 3.64 billion packets per second (pps), underscoring both its volumetric and packet-rate intensity. The assault was launched by the AISURU botnet, which Microsoft describes as a “Turbo Mirai–class” internet of things (IoT) botnet. The sources of the attack comprised over 500,000 distinct IP addresses across different regions. The threat traffic primarily consisted of high-rate UDP floods, using random source ports and exhibiting minimal source IP spoofing, which aided in traceback of the botnet origins.
(TLP: CLEAR) Comments: The AISURU botnet itself is powered by roughly 300,000 compromised devices, including home routers, security cameras, and DVR systems. Beyond DDoS attacks, the botnet also supports other illicit operations such as credential stuffing, proxying, web scraping, phishing campaigns, and residential proxy services, making it a multi-purpose threat. Microsoft also noted that while some command-and-control (C2) infrastructure associated with similar botnets uses alternative domain systems (e.g., OpenNIC’s “.libre” TLD), compromised devices remain a persistent risk even after active campaigns are disrupted, meaning they may be re-enlisted into future botnets.
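The traits Microsoft reported for this attack (UDP, random source ports, many distinct and mostly unspoofed sources, one target IP) are exactly what a flow-level triage rule can key on. The following is an added example, not Microsoft's or Vercara's code: it scores constructed NetFlow-style records per destination on packet rate, distinct-source count, and the spread of source ports. The thresholds, the flow records, and the entropy test are all assumptions chosen for illustration.

```python
"""Flow-level UDP flood triage over constructed NetFlow-style records.

Added example (not Microsoft's or Vercara's code). The thresholds, sample flows
and 'random source port' entropy test are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import math
import random


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int        # 17 = UDP, 6 = TCP
    packets: int
    bytes: int


# Assumed thresholds; tune to the link and the destination being protected.
PPS_THRESHOLD = 1_000_000     # packets/second toward a single destination
MIN_SOURCES = 1_000           # distinct source IPs before calling it "distributed"
MIN_PORT_ENTROPY = 0.8        # normalised source-port entropy (1.0 = uniform/random)


def source_port_entropy(ports):
    """Normalised Shannon entropy (0..1) of the source-port distribution.
    Random per-packet source ports push this toward 1.0; a fixed port gives 0.0."""
    counts = defaultdict(int)
    for p in ports:
        counts[p] += 1
    n = len(ports)
    if n < 2:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(min(n, 65536))


def triage(flows, window_seconds):
    """Aggregate UDP flows per destination IP and flag volumetric floods."""
    per_dst = defaultdict(list)
    for f in flows:
        if f.proto == 17:
            per_dst[f.dst_ip].append(f)
    findings = {}
    for dst, fl in per_dst.items():
        pps = sum(f.packets for f in fl) / window_seconds
        bps = sum(f.bytes for f in fl) * 8 / window_seconds
        sources = {f.src_ip for f in fl}
        entropy = source_port_entropy([f.src_port for f in fl])
        findings[dst] = {
            "pps": pps,
            "gbps": bps / 1e9,
            "sources": len(sources),          # meaningful only when spoofing is minimal
            "src_port_entropy": round(entropy, 3),
            "udp_flood": pps >= PPS_THRESHOLD
                         and len(sources) >= MIN_SOURCES
                         and entropy >= MIN_PORT_ENTROPY,
        }
    return findings


def build_sample_flows(seed=1):
    """Constructed sample: one flooded target plus benign DNS and TCP traffic (1 s window)."""
    rng = random.Random(seed)
    flows = []
    # Attack: 5,000 distinct sources, random source ports, 400 x ~500-byte packets each.
    for i in range(5000):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        flows.append(Flow(src, rng.randint(1024, 65535), "203.0.113.10", 443, 17, 400, 400 * 500))
    # Benign: 50 clients querying a resolver; a few TCP sessions to a web host.
    for i in range(50):
        flows.append(Flow(f"192.0.2.{i + 1}", rng.randint(1024, 65535), "198.51.100.53", 53, 17, 20, 20 * 90))
    for i in range(5):
        flows.append(Flow(f"192.0.2.{i + 1}", rng.randint(1024, 65535), "198.51.100.80", 443, 6, 300, 300 * 1200))
    return flows


if __name__ == "__main__":
    for dst, info in triage(build_sample_flows(), 1.0).items():
        print(dst, info)
```

The distinct-source count is only a useful signal because the reported traffic showed minimal spoofing; against a spoofed flood it inflates without bound and the packet-rate and port-entropy terms have to carry the decision. At the reported 3.64 Bpps a rule like this belongs in the mitigation platform's data plane rather than in a collector, but the same three features drive the verdict either way.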
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”
(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://thehackernews.com/2025/11/microsoft-mitigates-record-572-tbps.html
Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar
(TLP: CLEAR) Researchers at Push Security have observed that the Sneaky 2FA phishing-as-a-service (PhaaS) toolkit has incorporated Browser-in-the-Browser (BitB) functionality, increasing its sophistication and effectiveness. This BitB technique uses HTML, CSS, and JavaScript to render a fake browser window inside a real browser, complete with a simulated address bar displaying a legitimate domain (e.g., Microsoft), deceiving victims into thinking they’re interacting with a genuine login prompt. In a typical attack chain, a user lands on a malicious phishing domain (such as previewdoc[.]us) and is first challenged by Cloudflare Turnstile, acting as a bot-protection gatekeeper. After passing this check, the victim sees a “Sign in with Microsoft” button; when clicked, a BitB pop-up appears that mimics Microsoft’s login flow. The kit then uses an adversary-in-the-middle (AiTM) reverse-proxy to relay the authentication process, allowing the attacker to capture both credentials and session tokens.
(TLP: CLEAR) Comments: Sneaky 2FA also employs robust evasion techniques: its pages are heavily obfuscated (e.g., encoded UI assets, hidden text), developer tools are disabled to hinder inspection, and phishing domains are regularly rotated to evade detection. Because the fake window is implemented via an iframe, it doesn’t behave like a true separate browser window: users cannot drag it outside the browser, nor does it appear as an independent instance in the taskbar. These are key behavioral differences compared to real pop-ups. Sneaky 2FA also uses conditional loading, meaning the more-sophisticated BitB phishing page only shows up for high-value targets, while others are redirected to benign content. The evolution of this phishing kit demonstrates how threat actors are continuing to professionalize their operations. By integrating BitB, Sneaky 2FA makes it easier for lower-skilled attackers to conduct highly deceptive login phishing attacks, especially against Microsoft accounts. To defend against this, Push Security and others argue for tighter use of phishing-resistant MFA, hardening of authentication flows, and deploying defenses capable of detecting BitB-style pop-up windows.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
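The structural tell of a BitB page is that the “address bar” is ordinary page text showing a trusted login host while the real hostname is something else, and the login form itself arrives in an iframe served from that same lookalike host (the AiTM proxy). The check below is an added example, not Push Security's detection and not part of the Sneaky 2FA kit: it scans fetched HTML for that pairing. The sample page, the lookalike host `lookalike.example`, and the list of trusted login hosts are constructed for illustration.

```python
"""Heuristic Browser-in-the-Browser (BitB) indicator check over page HTML.

Added example (not Push Security's detection, not the Sneaky 2FA kit). The
sample HTML, the lookalike host and TRUSTED_LOGIN_HOSTS are constructed here.
"""
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Assumed: hosts whose appearance as *visible text* on a foreign host is suspicious.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "accounts.google.com"}
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[^\s\"'<>]*)?")


class BitBScanner(HTMLParser):
    """Collect iframe sources and any URL-looking strings rendered as text."""

    def __init__(self):
        super().__init__()
        self.iframes = []      # src of every <iframe>
        self.text_urls = []    # URLs that appear in rendered text nodes
        self._skip = 0         # >0 while inside <script>/<style>, which is not rendered

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "iframe":
            self.iframes.append(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_urls.extend(URL_RE.findall(data))


def scan(page_url, html):
    """Flag pages that draw a trusted login URL as text while hosted elsewhere
    and load their login form through a same-host iframe."""
    page_host = urlparse(page_url).hostname or ""
    p = BitBScanner()
    p.feed(html)
    spoofed = sorted({urlparse(u).hostname for u in p.text_urls
                      if urlparse(u).hostname in TRUSTED_LOGIN_HOSTS
                      and urlparse(u).hostname != page_host})
    # A relative or same-host iframe src is the proxied form; real Microsoft
    # sign-in opens a separate window from login.microsoftonline.com instead.
    same_host_iframes = [s for s in p.iframes
                         if (urlparse(s).hostname or page_host) == page_host]
    return {
        "page_host": page_host,
        "spoofed_address_bar_hosts": spoofed,
        "iframes": p.iframes,
        "bitb_suspect": bool(spoofed) and bool(same_host_iframes),
    }


# Constructed sample of the described flow on a hypothetical lookalike host.
SAMPLE_PAGE_URL = "https://lookalike.example/review/invoice"
SAMPLE_HTML = """
<html><body>
<script>var t = "https://login.microsoftonline.com";</script>
<div class="fake-window">
  <div class="titlebar">Sign in to your account</div>
  <div class="addressbar">https://login.microsoftonline.com/common/oauth2/v2.0/authorize</div>
  <iframe src="/auth/microsoft"></iframe>
</div>
</body></html>
"""
BENIGN_HTML = "<html><body><p>Docs live at https://example.org/docs</p></body></html>"

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE_URL, SAMPLE_HTML))
    print(scan(SAMPLE_PAGE_URL, BENIGN_HTML))
```

This is a server-side approximation; an in-browser check (extension content script) can additionally use the behavioral difference the researchers describe, namely that the “window” is a DOM node that cannot be dragged outside the viewport and never appears as its own taskbar entry. Heavily obfuscated kits may encode the address-bar string in CSS or images, so text matching alone will miss some variants, which is why phishing-resistant MFA remains the primary control.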
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://thehackernews.com/2025/11/sneaky-2fa-phishing-kit-adds-bitb-pop.html https://www.bleepingcomputer.com/news/security/sneaky2fa-phaas-kit-now-uses-redteamers-browser-in-the-browser-attack/
PlushDaemon compromises network devices for adversary-in-the-middle attacks
(TLP: CLEAR) ESET researchers have uncovered a sophisticated adversary-in-the-middle (AiTM) threat from the China-aligned APT group PlushDaemon, enabled by a novel network-device implant dubbed EdgeStepper. PlushDaemon first compromises network infrastructure such as routers or other edge devices, likely through software vulnerabilities or weak/default credentials, and installs EdgeStepper there. Once active, EdgeStepper intercepts all DNS queries from devices on the network and forwards them to a malicious DNS node under PlushDaemon’s control. That node examines each DNS request: if the requested domain is associated with legitimate software-update infrastructure, it responds with a hijacking server’s IP address instead of the authentic update server’s. This effectively reroutes update traffic to attacker-controlled infrastructure. Using the hijacked update channel, PlushDaemon pushes a downloader called LittleDaemon (Windows DLL or executable) to victim machines. LittleDaemon then contacts another component, DaemonicLogistics, which downloads and loads the group’s primary backdoor, SlowStepper, directly into memory.
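Because EdgeStepper sits on the edge device and answers every DNS query on the LAN, the hijack is visible as an A record for an update domain that points somewhere the vendor never publishes. One practical check is to compare what the LAN resolver returns for watched update domains against an out-of-band resolver (reached over DoH/DoT so the plaintext port-53 interception is bypassed) and against the vendor's expected address ranges. The following is an added example, not ESET's tooling and not EdgeStepper: the update domains, the expected ranges, and both sets of resolver answers are constructed for illustration.

```python
"""Cross-resolver check for hijacked software-update DNS answers.

Added example (not ESET's tooling, not EdgeStepper). UPDATE_DOMAIN_RANGES, the
domains and both answer sets below are illustrative assumptions; a deployment
would load vendor-published ranges and query two independent resolvers.
"""
import ipaddress

# Hypothetical watchlist: update domains and the prefixes their legitimate
# answers are expected to fall in (documentation ranges used as placeholders).
UPDATE_DOMAIN_RANGES = {
    "update.example-software.com": ["198.51.100.0/24", "2001:db8:100::/48"],
    "cdn.example-software.com": ["198.51.100.0/24"],
}


def _in_ranges(ip, cidrs):
    """True if ip falls in any of the CIDR prefixes (v4/v6 mismatches never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def check_answers(observed, reference, ranges=UPDATE_DOMAIN_RANGES):
    """Compare per-domain answers from the LAN resolver (observed) with an
    out-of-band resolver (reference).

    For domains with known ranges the verdict rests on the ranges alone, since
    geo-DNS legitimately gives two resolvers different in-range answers. For
    unlisted domains, a LAN answer sharing nothing with the out-of-band answer
    is only flagged for review."""
    findings = []
    for domain, lan_ips in observed.items():
        lan = set(lan_ips)
        ref = set(reference.get(domain, ()))
        if domain in ranges:
            outside = sorted(ip for ip in lan if not _in_ranges(ip, ranges[domain]))
            if outside:
                findings.append({
                    "domain": domain, "severity": "high",
                    "reason": f"LAN answer {outside} outside expected ranges; "
                              f"out-of-band resolver returned {sorted(ref)}",
                })
        elif ref and lan.isdisjoint(ref):
            findings.append({
                "domain": domain, "severity": "review",
                "reason": f"LAN answer {sorted(lan)} shares nothing with "
                          f"out-of-band answer {sorted(ref)}",
            })
    return findings


# Constructed sample: one hijacked update domain, one geo-DNS difference that is
# still in range, one unlisted domain with disagreeing answers, one clean domain.
SAMPLE_OBSERVED = {
    "update.example-software.com": ["203.0.113.77"],
    "cdn.example-software.com": ["198.51.100.21"],
    "telemetry.example-app.net": ["203.0.113.90"],
    "www.example-news.org": ["192.0.2.10"],
}
SAMPLE_REFERENCE = {
    "update.example-software.com": ["198.51.100.20"],
    "cdn.example-software.com": ["198.51.100.22"],
    "telemetry.example-app.net": ["192.0.2.50"],
    "www.example-news.org": ["192.0.2.10"],
}

if __name__ == "__main__":
    for f in check_answers(SAMPLE_OBSERVED, SAMPLE_REFERENCE):
        print(f["severity"], f["domain"], f["reason"])
```

Two caveats matter in practice. The out-of-band answer is only independent if it does not itself pass through the compromised edge device in cleartext, hence DoH/DoT to a pinned resolver; a router-level implant could still block that path, in which case the absence of a reference answer is itself a finding. And the range check is only as good as the vendor's published address space, which is why the update client's own signature verification, not DNS, has to be the last line of defense.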
(TLP: CLEAR) Comments: The SlowStepper backdoor is PlushDaemon’s core espionage tool, with a modular architecture that allows the attackers to run multiple plug-in modules to collect data, perform reconnaissance, or maintain persistence. ESET’s telemetry shows PlushDaemon has operated since at least 2018, targeting regions including the U.S., Taiwan, Hong Kong, Cambodia, South Korea, and New Zealand. The group has previously used supply chain attacks (for instance, against a South Korean VPN company) as an initial access vector. Finally, ESET published indicators of compromise (IoCs) for EdgeStepper (the ELF “bioset” binary and its config file) and for LittleDaemon (DLL and EXE) on Windows.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection not only for conventional IT assets such as laptops, desktops, and some servers, but also for non-standard IT assets such as IoT devices and servers that cannot run anti-malware software.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:
- The Lists Engine allows UltraDDR customers to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Digicert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators to build custom rules to augment and extend the other engines of UltraDDR.
Traffic Light Protocol (TLP)
Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.