DigiCert’s Open-Source Intelligence (OSINT) Report – November 21 – November 27, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

LLM Tools Like GPT-3.5-Turbo and GPT-4 Fuel the Development of Fully Autonomous Malware

(TLP: CLEAR) Netskope researchers have shown how large language models (LLMs) such as GPT-3.5-Turbo and GPT-4 are being tested by cybercriminals to generate and execute malicious code on demand, a change that could alter how malware is built and detected. Traditional malware ships its logic as static code inside the binary; these AI-assisted variants would instead request a payload at run time, leaving less fixed content for signature-based tools to match. The report describes the technique as prompt injection, but the attacker is the one writing the prompt: the requests reframe the model as a "penetration testing tool" or system utility so that it produces functions such as process injection, antivirus termination, or persistence scripts, which is closer to a jailbreak than to the injection of untrusted instructions into someone else's prompt. GPT-3.5 produced functional malicious code readily, while GPT-4's guardrails blocked the same requests until the researchers reframed them with a role-based prompt; once bypassed, GPT-4 generated working process-injection and AV-disabling scripts, showing that contextual framing can defeat built-in safety mechanisms. Attempts to generate sandbox- and virtual-machine-evasion scripts largely failed, with the generated code behaving inconsistently across test systems, which points to current limits on producing reliable, autonomous malware. The study marks a transition point: still constrained by reliability and model safeguards, future models (the article anticipates GPT-5) may clear these barriers and let attackers automate code generation, polymorphism, and defense evasion. The research describes an emerging AI-assisted malware pattern in which threats change in memory rather than shipping as fixed binaries, challenging conventional detection and digital-forensics methods.

(TLP: CLEAR) Comments: The Netskope research illustrates a shift in which malicious actors no longer need to embed complex, detectable logic inside a malware binary. Instead they can ask a large language model for malicious code at run time, producing payloads that exist only briefly in memory and leave fewer on-disk artifacts. That weakens static signatures and baselines built around a fixed binary, since the generated code can differ on every run. Two points temper the picture for defenders. First, the generated code still has to be executed on the host, so the interpreter or compiler invocation, the child processes, and the behaviour itself (process injection, AV service termination, persistence changes) remain visible to endpoint telemetry regardless of who wrote the code. Second, the malware must reach a model API at run time, so outbound connections to LLM endpoints from processes that have no reason to make them, and the API keys or relay infrastructure the malware has to carry, are both observable and blockable at the network layer. What makes the trend concerning is how easily a model's guardrails are talked around by reframing malicious intent as penetration testing or debugging; under that framing even a well-guarded model returned functional code for process injection and AV termination. Today's AI-generated malware still struggles with reliable virtualization detection and environment awareness, but those gaps are expected to narrow as models advance. The wider implication is that AI lowers the skill floor for malware development: individuals with limited expertise can now produce components that previously required real programming ability, shortening development cycles and enabling more adaptive, polymorphic attack chains.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS v4.0 Requirement 5.2.1: "An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware." Using a combination of agent-based and network-based detection, such as a Protective DNS solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and most servers, and also for non-standard assets such as IoT devices and servers that cannot run anti-malware software.

(TLP: CLEAR) DigiCert: Digicert's Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS queries from users and machines using defined categories, including botnet Command and Control (C2), as well as machine learning that detects previously uncategorized malicious associations, helping prevent data exfiltration and malware detonation.

Source: https://cybersecuritynews.com/llms-tools-like-gpt-3-5-turbo-and-gpt-4/

New EtherHiding Attack Uses Web-Based Attacks to Deliver Malware and Rotate Payloads

(TLP: CLEAR) A malware delivery technique called EtherHiding, first documented in 2023 and now seen in a fresh campaign, is changing how attackers distribute malware by using blockchain smart contracts in place of a conventional command-and-control server. Rather than relying on fixed infrastructure, EtherHiding stores, updates, and manages malware payloads in contract state on a public blockchain, which makes takedowns difficult and lets attackers change payloads without touching the compromised websites. The chain begins with malicious JavaScript injected into legitimate sites, which displays a fake CAPTCHA page instructing users to copy and paste a command into their terminal (the ClickFix pattern). Because the user performs the execution step, the installation slips past many automated controls. Censys researchers uncovered the campaign while investigating clusters of fake CAPTCHA lures across compromised sites. The delivery chain uses Base64-encoded JavaScript that reads from smart contracts on BNB Smart Chain (formerly Binance Smart Chain), which return obfuscated payloads tailored to the victim's operating system. Gating logic keyed on persistent identifiers lets the attacker decide who receives a payload simply by updating on-chain data. The final malware includes commodity stealers such as Amos Stealer and Vidar, deployed via platform-specific scripts (for example AppleScript on macOS) that establish persistence, retrieve command-and-control instructions from Telegram or Steam profiles, and harvest credentials. The combination of decentralized hosting, social engineering, and user-triggered execution makes this delivery model harder to trace, block, and analyze.
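The contract read described above, as an added example that is not part of this report, of Censys's tooling, or of the campaign's own loader: a loader asks a JSON-RPC gateway to execute a contract view function with `eth_call`, and the gateway returns an ABI-encoded `string` that the loader Base64-decodes into the next stage. The contract address, selector, gateway and second stage below are constructed placeholders; the real campaign's values are deliberately not reproduced. The `is_eth_call_to_contract` check is the detection side: a captured request body from a site that has no business talking to a chain.

```python
import base64
import json

# Constructed JSON-RPC body of the shape an EtherHiding-style loader posts to
# a public chain gateway. The contract address and four-byte selector are
# placeholders, not indicators from the real campaign.
SAMPLE_REQUEST = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "method": "eth_call",
    "params": [{"to": "0x" + "11" * 20, "data": "0x" + "ab" * 4}, "latest"],
})


def abi_encode_string(s: str) -> str:
    """ABI-encode one `string` return value: offset word, length word, padded data."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode an eth_call `result` carrying a single ABI `string`, with bounds checks."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside the payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds the payload")
    return raw[start:start + length].decode()


def is_eth_call_to_contract(body: str) -> bool:
    """Detection side: does a captured HTTP body ask a gateway to run contract code?"""
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return False
    if msg.get("method") != "eth_call":
        return False
    params = msg.get("params") or []
    call = params[0] if params and isinstance(params[0], dict) else {}
    return isinstance(call.get("to"), str) and call.get("data", "0x") != "0x"


def extract_stage(result_hex: str) -> str:
    """Unwrap the contract's return value: ABI string -> Base64 -> next stage."""
    return base64.b64decode(abi_decode_string(result_hex)).decode()


# Constructed, harmless stand-in for the second stage, wrapped the same way
# the loader expects it: Base64 text returned as an ABI string.
SAMPLE_STAGE = 'console.log("constructed second stage")'
SAMPLE_RESULT = abi_encode_string(base64.b64encode(SAMPLE_STAGE.encode()).decode())

if __name__ == "__main__":
    print("loader request flagged:", is_eth_call_to_contract(SAMPLE_REQUEST))
    print("recovered stage:", extract_stage(SAMPLE_STAGE and SAMPLE_RESULT))
```

In a proxy or browser-telemetry pipeline the useful question is not "is this `eth_call` malicious" but "why is this origin making it at all": a wallet or exchange front end legitimately does, a compromised news or retail site does not, so the check is applied per site, not globally.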

(TLP: CLEAR) Comments: EtherHiding shows threat actors leaning on decentralized infrastructure to resist takedown. Storing and updating payloads in a smart contract removes the usual single point of failure: there is no staging server to seize, sinkhole, or block, and the contract state can be rewritten at will. The fake CAPTCHA overlay, which tricks victims into pasting a command themselves, also sidesteps automated detection because the user initiates the malicious action. Combined with OS-specific payload retrieval and contract-based gating, the campaign can target selectively and adjust in real time. The picture is not quite "no chokepoint", however. A victim's browser cannot read the chain directly; it has to query a JSON-RPC gateway, so a retail or news site that suddenly issues eth_call requests to a public RPC endpoint is a strong, blockable signal, and the injected loader on each compromised site can still be cleaned up. Nor is the host side trace-free: the pasted command lands in shell history (or the Run dialog's MRU list on Windows), and the stealer's persistence and its C2 lookups to Telegram or Steam are ordinary host and DNS artifacts. The net effect is still a delivery model with a longer operational lifespan than server-hosted staging, and a sign that blockchain-backed, socially engineered delivery will be harder to disrupt with controls aimed only at traditional infrastructure.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS v4.0 Requirement 6.4.2: "For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:

  • Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
  • Actively running and up to date as applicable.
  • Generating audit logs.
  • Configured to either block web-based attacks or generate an alert that is immediately investigated."

A WAF in front of your own site addresses the first link in this chain, the injection of the loader into a legitimate site. It does nothing for a user who has already pasted a command into a terminal; from that point Protective DNS and endpoint controls have to carry the defense.

(TLP: CLEAR) DigiCert: Digicert's Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP Top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.

Source: https://cybersecuritynews.com/new-etherhiding-attack-uses-web-based-attacks/

Ransomware Actors Primarily Targeting Retailers This Holiday Season to Deploy Malicious Payloads

(TLP: CLEAR) Retailers are experiencing a surge in targeted ransomware attacks timed to the holiday shopping season, when operational downtime is most damaging. Threat actors are focusing on point-of-sale systems, e-commerce platforms, and order-processing infrastructure, using phishing emails, fake shipping alerts, and malvertising to gain an initial foothold. Once a user interacts with a malicious link or attachment, attackers move quickly, often achieving full domain compromise within hours. The campaign identified by Morphisec uses stealthy loaders that mimic legitimate helpdesk and remote-support activity, inject into trusted processes, and download their ransomware payloads over HTTPS from domains styled to look like cloud services. After harvesting credentials from LSASS and browsers, the malware spreads laterally across store networks, reaching payment terminals, inventory databases, and backend servers. The resulting impact includes locked registers, frozen online checkout systems, and widespread data theft that fuels double-extortion demands.

(TLP: CLEAR) Comments: This campaign highlights how ransomware actors are evolving their tradecraft to inflict maximum disruption on retail operations during the most financially sensitive period of the year. By timing intrusions to coincide with holiday demand, malicious actors exploit the pressure retailers face to keep point-of-sale systems, online checkout flows, and inventory platforms running without interruption. The use of loaders and scripts that imitate legitimate helpdesk tools reflects a growing trend in which adversaries blend into day-to-day retail IT activity, making early detection harder. The rapid move from initial access to full domain compromise points to a well-rehearsed playbook built around credential theft, process injection, and lateral movement techniques that bypass traditional endpoint controls. Particularly concerning is the double-extortion model: operators encrypt the core retail systems that directly affect sales while also exfiltrating customer data, pricing files, and promotional plans to increase leverage in negotiations. This combination raises financial, reputational, and regulatory risk for victims. The speed and precision of these attacks suggest that threat actors have invested time in profiling retail architectures and exploiting predictable operational patterns, indicating a shift toward more specialized, commerce-focused ransomware operations.

(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
  • The Categories Engine uses Digicert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
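The deployment pattern RFC 9424 describes above (an IoC feed consumed automatically at the resolver) and the kind of list the Lists Engine takes (FQDNs, domains, CIDR blocks), as an added example that is not part of this report and not UltraDDR's code: a small matcher run over constructed resolver log lines. The feed entries, log lines and addresses are all constructed for the example. It shows the two mistakes such matchers commonly make: a domain entry must match the domain and its subdomains but never a bare substring, and an allow list has to win over every block source.

```python
import ipaddress
from dataclasses import dataclass

# Constructed resolver log (not from any real deployment):
# timestamp client qname rtype answer
SAMPLE_LOG = """\
2025-11-24T09:01:02Z 10.0.5.17 update.example-cdn.net A 203.0.113.40
2025-11-24T09:01:07Z 10.0.5.17 c2.bad-example.test A 198.51.100.9
2025-11-24T09:02:11Z 10.0.7.3 login.bad-example.test.evil-phish.example A 198.51.100.77
2025-11-24T09:02:30Z 10.0.7.3 www.good-example.org A 192.0.2.15
2025-11-24T09:03:01Z 10.0.9.9 mail.good-example.org A 198.51.100.100
"""

# Constructed IoC feed in the shape RFC 9424 describes being pushed to a
# resolver: exact FQDNs, whole domains (subdomains included) and CIDRs.
BLOCK_FQDNS = {"login.bad-example.test.evil-phish.example"}
BLOCK_DOMAINS = {"bad-example.test"}
BLOCK_CIDRS = [ipaddress.ip_network("198.51.100.0/25")]
ALLOW_FQDNS = {"mail.good-example.org"}  # allow list wins over every block source


@dataclass
class Verdict:
    qname: str
    client: str
    reason: str  # "allow", "fqdn", "domain", "cidr" or "clean"


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def domain_matches(qname: str, domain: str) -> bool:
    """Exact match or a true subdomain; a bare substring match would also
    catch notbad-example.test, which is a different registration."""
    return qname == domain or qname.endswith("." + domain)


def classify(qname: str, answer: str) -> str:
    q = normalize(qname)
    if q in ALLOW_FQDNS:
        return "allow"
    if q in BLOCK_FQDNS:
        return "fqdn"
    if any(domain_matches(q, d) for d in BLOCK_DOMAINS):
        return "domain"
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "clean"  # CNAME or other non-address answer
    if any(ip in net for net in BLOCK_CIDRS):
        return "cidr"
    return "clean"


def scan(log_text: str) -> list:
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _rtype, answer = line.split()
        out.append(Verdict(normalize(qname), client, classify(qname, answer)))
    return out


def blocked(log_text: str) -> list:
    return [v.qname for v in scan(log_text) if v.reason in ("fqdn", "domain", "cidr")]


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(f"{v.reason:6} {v.client:10} {v.qname}")
```

The third log line is the one worth noticing: it embeds the blocked domain as a label inside an unrelated registration, so the domain rule correctly does not fire and only the explicit FQDN entry catches it. The fifth line resolves into a blocked CIDR but is allow-listed, which is the precedence a resolver operator needs or every shared-hosting block becomes an outage.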

Source: https://cybersecuritynews.com/ransomware-actors-primarily-targeting-retailers/

Russian and North Korean Hackers Form Alliances to Attack Organizations Worldwide 

(TLP: CLEAR) A newly uncovered command-and-control (C2) infrastructure overlap suggests that two major state-sponsored threat groups, Russia-aligned Gamaredon and North Korea's Lazarus, may be operating together for the first time. Researchers observed that an IP address long associated with Gamaredon's command-and-control ecosystem (144[.]172[.]112[.]106) was also hosting an obfuscated variant of Lazarus' InvisibleFerret malware only days later. The payload's URL structure and hash matched previous Lazarus activity, including its Contagious Interview campaign, which targeted victims through fake recruitment messages. This finding emerges against a backdrop of deepening political and military cooperation between Russia and North Korea, formalized in their 2024 Comprehensive Strategic Partnership. North Korean forces have been deployed alongside Russian troops in Ukraine, making potential cyber collaboration more plausible. Gamaredon, active since 2013 and linked to Russia's FSB, specializes in rapid-paced espionage against Ukrainian government entities. Lazarus, operational since 2009, has shifted between espionage and large-scale financial theft, stealing over $1.7 billion in cryptocurrency. If validated, this shared infrastructure marks a significant shift in global cyber operations, suggesting coordination between two of the world's most prolific APTs. This development underscores the need for defenders to strengthen infrastructure correlation analysis and expand intelligence sharing to detect future cross-nation cyber partnerships.

(TLP: CLEAR) Comments: Possible collaboration between Gamaredon and Lazarus would be a meaningful escalation in state-aligned cyber activity, signaling that geopolitical alliances may extend into shared offensive infrastructure. The two groups have traditionally operated independently toward distinct national objectives: Gamaredon conducting fast-paced espionage in support of Russia's war in Ukraine, and Lazarus running financially motivated intrusions to fund North Korea's sanctioned economy. Their coexistence on the same server suggests at minimum logistical cooperation. A single shared IP is weak evidence on its own, though: bulletproof hosting providers and compromised VPS resellers routinely serve unrelated tenants, so the overlap should be corroborated through other pivots (TLS certificates, passive DNS, payload staging paths, registrar and hosting patterns) before it is treated as collaboration rather than a shared supplier. If it holds up, cyber cooperation would be a logical extension of the deepening Russia-North Korea relationship: Gamaredon brings rapid intrusion and access expertise, while Lazarus contributes malware tooling and financial-theft capability, and joint infrastructure complicates attribution by letting each state hide behind the other's known signatures. From a threat-intelligence perspective the development underscores the growing fluidity between espionage and financially motivated campaigns: a shared ecosystem raises the likelihood that compromised networks in Ukraine, Europe, or the United States could be repurposed for theft, espionage, or disruption as political priorities shift. If the trend continues, defenders should expect more hybrid APT activity in which infrastructure, malware families, and operators overlap across national boundaries, raising the operational ceiling for both groups and complicating attribution, response prioritization, and long-term threat modeling.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS v4.0 Requirement 5.2.1: "An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware." Using a combination of agent-based and network-based detection, such as a Protective DNS solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and most servers, and also for non-standard assets such as IoT devices and servers that cannot run anti-malware software.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 2 modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.

Source: https://cybersecuritynews.com/russian-and-north-korean-hackers-form-alliances/

New ShadowV2 Botnet Malware Used AWS Outage as a Test Opportunity 

(TLP: CLEAR) A new Mirai-based botnet named ShadowV2 has been discovered targeting vulnerable IoT devices from vendors including D-Link, TP-Link, DigiEver, TBK, and others. Identified by Fortinet's FortiGuard Labs, ShadowV2 was active only during the October AWS outage, likely as a controlled test, and spread by exploiting at least eight known vulnerabilities, several of which affect end-of-life devices that will never receive security patches. ShadowV2 leverages exploits such as DD-WRT CVE-2009-2765, multiple D-Link command injection flaws (including the actively exploited CVE-2024-10914), and TP-Link CVE-2024-53375. Attacks originated from 198[.]199[.]72[.]27, with the botnet hitting routers, NAS devices, and DVRs across seven sectors, including government, telecom, manufacturing, MSSPs, and education. Infections appeared worldwide, across North and South America, Europe, Africa, Asia, and Australia, showing broad opportunistic targeting. The malware, labeled "ShadowV2 Build v1.0.0 IoT version," resembles the Mirai LZRD variant and is delivered via a downloader script that retrieves payloads from 81[.]88[.]18[.]108. It includes XOR-encoded configuration data and supports Mirai-style UDP, TCP, and HTTP DDoS attacks, indicating likely use in DDoS-for-hire operations. Fortinet has released indicators of compromise and warns that unsupported IoT devices remain at high risk, as attackers continue weaponizing unpatched vulnerabilities to build next-generation botnets like ShadowV2.
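The XOR-encoded configuration mentioned above, as an added example that is neither Fortinet's tooling nor ShadowV2's real data: the stock Mirai table key 0xDEADBEEF is applied one key byte at a time, which collapses to a single-byte XOR with 0x22, and a brute-force over all 256 one-byte keys recovers a table even when a variant picks a different key. The sample table below is constructed (NUL-terminated entries in Mirai's style); ShadowV2's actual key and strings are not reproduced and may differ, so the ranking step, not the stock key, is what to rely on in triage.

```python
MIRAI_KEY = 0xDEADBEEF


def mirai_effective_key(key: int = MIRAI_KEY) -> int:
    """Mirai's table obfuscation XORs each byte with the four key bytes in
    turn, which is the same as one XOR with their combined value (0x22)."""
    k = 0
    for shift in (24, 16, 8, 0):
        k ^= (key >> shift) & 0xFF
    return k


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def text_like(b: int) -> bool:
    """Printable ASCII or the NUL separator between table entries."""
    return b == 0x00 or 0x20 <= b <= 0x7E


def text_ratio(blob: bytes) -> float:
    return sum(text_like(b) for b in blob) / len(blob) if blob else 0.0


def rank_single_byte_keys(blob: bytes, top: int = 3) -> list:
    """Try every one-byte key and rank by how much of the result looks like
    a string table; ties fall back to the lower key value."""
    scored = [(k, text_ratio(xor_bytes(blob, k))) for k in range(256)]
    scored.sort(key=lambda kv: (-kv[1], kv[0]))
    return scored[:top]


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Split a decoded table on NUL and keep fully printable entries."""
    out = []
    for chunk in blob.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b <= 0x7E for b in chunk):
            out.append(chunk.decode("ascii"))
    return out


def recover_table(blob: bytes) -> tuple:
    """Best-guess key plus the strings it reveals."""
    key, _score = rank_single_byte_keys(blob, top=1)[0]
    return key, extract_strings(xor_bytes(blob, key))


# Constructed sample table: NUL-terminated entries obfuscated with the stock
# key. Addresses are documentation ranges; nothing here is a ShadowV2 IoC.
SAMPLE_ENTRIES = [b"/bin/busybox", b"203.0.113.7:23", b"GET /cdn-cgi/ HTTP/1.1", b"admin:admin"]
SAMPLE_TABLE = xor_bytes(b"\x00".join(SAMPLE_ENTRIES) + b"\x00", mirai_effective_key())

if __name__ == "__main__":
    key, strings = recover_table(SAMPLE_TABLE)
    print(f"key 0x{key:02x}")
    for s in strings:
        print(" ", s)
```

The scoring deliberately counts NUL as acceptable and tabs or newlines as not: a wrong key that maps letters onto letters will still turn the separators into control bytes, which is what separates the real key from near misses when the table is short.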

(TLP: CLEAR) Comments: ShadowV2 reflects the continued evolution of Mirai-lineage botnets and underscores how unpatched IoT ecosystems remain central to the global DDoS threat landscape. The variant's reliance on multiple known vulnerabilities, many in end-of-life D-Link and TP-Link devices that will never receive fixes, shows how operators systematically harvest abandoned hardware to expand bot capacity. Its ability to infect routers, NAS devices, and DVRs across every major region mirrors the pattern seen in Aisuru, Mozi, and Gafgyt campaigns, where broad geographic distribution provides both resilience and large aggregate bandwidth. The built-in UDP, TCP, and HTTP flood capabilities show that ShadowV2 is purpose-built for high-volume DDoS activity: the UDP and TCP floods are volumetric and raise packet rate and bandwidth together, while the HTTP flood allows application-layer disruption that cannot be filtered on packet characteristics alone. That ShadowV2 was observed only during the AWS outage may indicate a controlled test of attack capacity or C2 stability before wider deployment, a tactic increasingly common among operators preparing for large-scale service-for-hire campaigns. Because most of the exploited vulnerabilities are publicly documented, and some widely weaponized, ShadowV2 could scale into a multi-terabit botnet if its operators keep incorporating additional IoT exploits. This aligns with broader industry concern that IoT botnets will fuel the next wave of DDoS attacks, particularly against online gaming, telecom, and cloud service providers. As seen with Aisuru's 20 Tbps events, even mid-tier botnets can now generate unprecedented volumes of traffic, so variants like ShadowV2 represent a significant emerging threat if left unchecked.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: "Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are "spoofed" to avoid traceability."

(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is incredibly fast response against DDoS trouble when you need it most.

Source: https://www.bleepingcomputer.com/news/security/new-shadowv2-botnet-malware-used-aws-outage-as-a-test-opportunity/

Hackers Registered 18,000 Holiday-Themed Domains Targeting ‘Christmas,’ ‘Black Friday,’ and ‘Flash Sale’ 

(TLP: CLEAR) A major surge in holiday-themed cyberattacks is underway as threat actors capitalize on the 2025 shopping season, deploying industrial-scale infrastructure to impersonate retailers and steal consumer data. More than 18,000 fraudulent holiday domains—many mimicking well-known brands—have been registered in the past three months, forming the backbone of widespread phishing campaigns, fake storefronts, and gift-card scams. Attackers are also boosting the visibility of these malicious sites through SEO poisoning, ensuring they appear alongside legitimate search results during peak shopping traffic. Fortinet analysts report a sharp rise in credential theft as well, with over 1.57 million e-commerce login accounts circulating on underground markets and enabling large-scale account takeover activity. Beyond impersonation schemes, adversaries are aggressively exploiting multiple critical e-commerce vulnerabilities, including a Magento RCE flaw (CVE-2025-54236), an unauthenticated Oracle E-Business Suite RCE (CVE-2025-61882) used by ransomware groups, and a WooCommerce SQL injection bug (CVE-2025-47569) that allows wholesale database theft. Automated probing tools are scanning for unpatched systems globally, enabling attackers to inject web skimmers, hijack sessions, and disrupt backend order-management systems. The coordinated exploitation of platform vulnerabilities combined with mass domain fraud marks a highly organized pre-holiday offensive that poses severe risks to both merchants and consumers.

(TLP: CLEAR) Comments: The campaign demonstrates how attackers are increasingly blending large-scale infrastructure abuse with finely tuned social engineering to manipulate user trust. By registering more than 18,000 holiday-themed domains that closely resemble legitimate retailers, threat actors exploit the urgency and distraction that accompany peak shopping periods. Shoppers searching for “Black Friday deals” or tracking holiday shipments are funneled toward malicious look-alike sites that appear authentic through familiar branding, polished layouts, and high search-engine placement achieved through SEO poisoning. This tactic is highly effective because users believe they are interacting with trusted merchants, lowering skepticism and increasing the likelihood of clicking links or entering credentials. Once victims land on these fraudulent pages, attackers weaponize the environment through malicious scripts, drive-by downloads, or skimmer-injected checkout pages. In some cases, the session hijacking and RCE vulnerabilities (such as CVE-2025-54236 in Magento) allow attackers to compromise genuine retailer sites outright, further blurring the line between safe and malicious web experiences. This creates a scenario where shoppers may unknowingly download infostealers, have payment data intercepted, or expose personal information through invisible skimmer injections. The combination of deceptive domain ecosystems, compromised legitimate infrastructure, and automated exploitation pipelines reflects a broader trend in which cybercriminals merge technical precision with psychological manipulation to scale malware distribution during the most profitable season of the year.
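The lookalike-domain pattern described in the two passages above (brand name plus a holiday term, or a brand name with a typo), as an added example that is not part of this report or of Fortinet's analysis: a scorer a defender can run over a newly-registered-domain feed before the holiday campaigns go live. The brand names, suffix list, thresholds and candidate domains are all constructed for the example; a production version would use the full public suffix list and the organisation's real brand and partner names.

```python
from dataclasses import dataclass, field

# Constructed brand names and a tiny stand-in for the public suffix list.
BRANDS = ("examplemart", "acmeshop")
HOLIDAY_TERMS = ("christmas", "xmas", "blackfriday", "cybermonday",
                 "flashsale", "holiday", "giftcard")
MULTI_LABEL_SUFFIXES = ("co.uk", "com.au")

# Constructed candidates, e.g. from a newly-registered-domain feed.
SAMPLE_DOMAINS = [
    "examplemart.com",
    "examplemart-blackfriday-deals.shop",
    "exampelmart.com",
    "christmas-sale.example",
    "acmeshop-giftcard.co.uk",
    "www.acmeshop.co.uk",
]


def registrable_label(domain: str) -> str:
    """The label just under the public suffix, for the suffixes listed above."""
    d = domain.lower().rstrip(".")
    for sfx in MULTI_LABEL_SUFFIXES:
        if d.endswith("." + sfx):
            return d[: -len(sfx) - 1].split(".")[-1]
    labels = d.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Score:
    domain: str
    points: int
    reasons: list = field(default_factory=list)


def score_domain(domain: str) -> Score:
    label = registrable_label(domain)
    flat = label.replace("-", "").replace("_", "")
    if flat in BRANDS:
        # The brand's own label; the TLD still needs checking against known registrations.
        return Score(domain, 0, ["exact brand label"])
    pts, why = 0, []
    brand_hit = next((b for b in BRANDS if b in flat), None)
    if brand_hit:
        pts += 3
        why.append(f"contains brand {brand_hit}")
    else:
        dist = min(levenshtein(flat, b) for b in BRANDS)
        if 1 <= dist <= 2:  # typosquat: one or two edits away
            pts += 3
            why.append(f"within {dist} edits of a brand")
    terms = [t for t in HOLIDAY_TERMS if t in flat]
    if terms:
        pts += 2
        why.append("holiday term " + ",".join(terms))
    if label.count("-") >= 2:
        pts += 1
        why.append("multiple hyphens")
    return Score(domain, pts, why)


def flag_lookalikes(domains, threshold: int = 3) -> list:
    """Brand involvement (3 points) is enough on its own; a holiday term alone is not."""
    return [d for d in domains if score_domain(d).points >= threshold]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        s = score_domain(d)
        print(f"{s.points:2} {d:40} {'; '.join(s.reasons)}")
```

The threshold is set so that a generic "christmas-sale" domain scores below it: thousands of those are registered legitimately every season, and blocking on the term alone produces the false positives that get a Protective DNS policy turned off. Brand involvement, whether by inclusion or by a one- or two-edit typo, is the signal that justifies a block or a brand-protection takedown request.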

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS v4.0 Requirement 5.2: "Malicious software (malware) is prevented, or detected and addressed."

Requirement 5.2.1: "An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. The deployed anti-malware solution(s):

  • Detects all known types of malware.
  • Removes, blocks, or contains all known types of malware."

Requirement 5.2.3: "Any system components that are not at risk for malware are evaluated periodically to include the following:

  • A documented list of all system components not at risk for malware.
  • Identification and evaluation of evolving malware threats for those system components.
  • Confirmation whether such system components continue to not require anti-malware protection."

Requirement 5.2.3.1: "The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1."

Requirement 5.2 lays out the requirements for malware detection and blocking across all devices in the Cardholder Data Environment. Every device inside the CDE should have malware protection that is kept updated and monitored, with action taken when an infection is detected.

(TLP: CLEAR) DigiCert: Digicert's Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the number and impact of malware infections.

Source: https://cybersecuritynews.com/hackers-registered-18000-holiday-themed-domains/


About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its Global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
