Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Threat Actors Register 2,000+ Fraudulent Holiday-Themed Online Stores to Steal User Payments
(TLP: CLEAR) Cybersecurity researchers at CloudSEK have recently exposed a large-scale phishing operation that has deployed more than 2,000 fraudulent e-commerce websites masquerading as legitimate holiday shopping domains. Launched in anticipation of major sales events like Black Friday and Cyber Monday, the campaign divides into two primary clusters of domains: one featuring typosquatted variations of major retailers such as Amazon (e.g., amawarehousesale[.]com or amaznshop[.]com), and the other utilizing .shop top-level domains that impersonate popular brands including Apple, Samsung, Ray-Ban, Xiaomi, Jo Malone, and Fujifilm, often appending suffixes like “safe” or “fast” (e.g., xiaomidea[.]shop or samsungsafe[.]shop). According to reporting, these sites employ identical phishing kits and templated layouts to create convincing landing pages, complete with seasonal promotions, urgency-inducing countdown timers, counterfeit trust seals, and simulated recent purchase notifications to build false credibility. Upon reaching the checkout stage, targeted victims are funneled to streamlined payment capture pages that siphon sensitive billing information and card details, routing transactions through lesser-known processors that skirt traditional fraud monitoring systems. The infrastructure reveals high coordination, with a common content delivery network at cdn.cloud360.top distributing assets to over 750 of the sites and a consistent JavaScript payload, identified by its unique SHA-256 hash, overseeing the deceptive transaction flows across the network.
(TLP: CLEAR) Comments: This holiday-season phishing surge underscores a maturing ecosystem of commoditized cybercrime tools, where shared kits and bulk domain provisioning enable low-barrier entry for threat actors to capitalize on seasonal consumer fervor. The dual-cluster approach not only diversifies evasion tactics but also amplifies reach by blending high-fidelity brand mimicry with opportunistic brandjacking, potentially harvesting thousands of credentials in a compressed timeframe. As e-commerce trust hinges on seamless experiences, such campaigns erode user confidence and strain payment processors, signaling a need for heightened vigilance during peak retail periods; the reliance on unflagged [.]shop domains further highlights gaps in registrar oversight that could fuel even larger waves in future high-volume shopping cycles.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented or detected and addressed.
An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. The deployed anti-malware solution(s):
- Detects all known types of malware.
- Removes, blocks, or contains all known types of malware.
Any system components that are not at risk for malware are evaluated periodically to include the following:
- A documented list of all system components not at risk for malware.
- Identification and evaluation of evolving malware threats for those system components.
- Confirmation whether such system components continue to not require anti-malware protection.
The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”
Section 5.2 lays out requirements for malware detection and blocking across all devices in the Cardholder Data Environment. Every device inside the CDE should have malware protection that is kept updated and monitored, with action taken when an infection is detected.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://cybersecuritynews.com/hackers-registered-2000-fake-holiday-themed-online-stores/
V3G4 Botnet Evolves: From DDoS to Covert Cryptomining
(TLP: CLEAR) A recent cybersecurity investigation has revealed an advanced iteration of the V3G4 botnet, a Mirai-derived Linux malware family first noted in 2023, now incorporating stealthy, fileless cryptocurrency mining alongside its established denial-of-service (DDoS) functionalities. Targeting x86_64, ARM, and MIPS architectures prevalent in cloud servers, internet-of-things (IoT) endpoints, and exposed Linux systems, the infection unfolds in multiple stages: an initial universal shell script downloader probes the host’s CPU via uname -m, fetches an architecture-matched binary from a command-and-control (C2) server at 103[.]149[.]93[.]224, and executes it from /tmp. According to reporting, the subsequent payload, a statically linked and UPX-packed ELF named Mddos.x86_64, registers the device with C2 infrastructure at www.baojunwakuang.asia (resolving to 159[.]75[.]47[.]123 via Google Public DNS), masquerades as the systemd-logind process using prctl(2) to spoof command lines, and detaches into the background with setsid(2). Retaining Mirai-like raw socket scanning for SSH brute-forcing on port 22 and multi-threaded DDoS worker operations, the botnet’s innovation lies in its third-stage deployment of an XMRig-based Monero miner, unpacked into /tmp/.dbus-daemon and configured dynamically via runtime JSON blobs from C2, specifying pools, wallets, algorithms, and threads, eliminating persistent disk artifacts. This hybrid model sustains botnet propagation while siphoning computational resources for mining, with internal TCP listeners on 127[.]0[.]0[.]1:63841 facilitating inter-process coordination and a diagnostic banner “xXxSlicexXxxVEGA” confirming activation.
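The host-level traits the report attributes to the V3G4 chain (a process calling itself systemd-logind while its binary sits in /tmp, a hidden /tmp/.dbus-daemon, an executable unlinked after launch, the loopback listener on 127.0.0.1:63841) can be turned into hunting checks over a process snapshot. The following is an added example written for this summary, not code from the report or from any vendor; the Proc record layout, the directory lists and the sample snapshot are assumptions.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Host-level traits the report attributes to the V3G4 chain.
SPOOFED_NAMES = {"systemd-logind"}                       # name forged via prctl(2)
LEGIT_SYSTEMD_DIRS = ("/usr/lib/systemd/", "/lib/systemd/")
DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")           # stages run from /tmp
COORD_LISTENER = ("127.0.0.1", 63841)                     # miner/bot IPC socket


@dataclass
class Proc:
    """One process as a collector would read it from /proc/<pid>/ (assumed layout)."""
    pid: int
    cmdline: str                    # argv as in /proc/<pid>/cmdline, NUL-separated
    exe: str                        # readlink(/proc/<pid>/exe); '(deleted)' if unlinked
    listeners: List[Tuple[str, int]] = field(default_factory=list)  # from /proc/net/tcp


def findings(p: Proc) -> List[str]:
    hits: List[str] = []
    argv0 = os.path.basename(p.cmdline.split("\0")[0].split(" ")[0])
    exe_path = p.exe.replace(" (deleted)", "")
    exe_name = os.path.basename(exe_path)
    # 1. Claims a systemd daemon's name but the backing binary is not systemd's.
    if argv0 in SPOOFED_NAMES and not exe_path.startswith(LEGIT_SYSTEMD_DIRS):
        hits.append(f"cmdline '{argv0}' backed by {p.exe}")
    # 2. Executing out of a world-writable staging directory.
    if exe_path.startswith(DROP_DIRS):
        hits.append(f"exe in drop dir: {exe_path}")
    # 3. Hidden dotfile binary such as /tmp/.dbus-daemon.
    if exe_name.startswith("."):
        hits.append(f"hidden executable: {exe_name}")
    # 4. Binary unlinked after exec, leaving no on-disk artifact to scan.
    if p.exe.endswith("(deleted)"):
        hits.append("exe unlinked while running")
    # 5. Loopback listener on the coordination port named in the report.
    if COORD_LISTENER in p.listeners:
        hits.append("listener on 127.0.0.1:63841")
    return hits


def scan(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> findings for every process that trips at least one check."""
    return {p.pid: f for p in procs if (f := findings(p))}


# Constructed sample snapshot, not real telemetry.
SAMPLE = [
    Proc(1, "/sbin/init", "/usr/lib/systemd/systemd"),
    Proc(812, "/lib/systemd/systemd-logind", "/usr/lib/systemd/systemd-logind"),
    Proc(4311, "systemd-logind", "/tmp/Mddos.x86_64", [("127.0.0.1", 63841)]),
    Proc(4320, "/tmp/.dbus-daemon", "/tmp/.dbus-daemon (deleted)"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE).items():
        print(pid, "->", "; ".join(hits))
```

On a live host the same checks read /proc directly; the genuine systemd-logind (pid 812 above) passes because its exe link resolves under /usr/lib/systemd/.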
(TLP: CLEAR) Comments: The V3G4 variant exemplifies a pragmatic adaptation in botnet economics, layering resource-intensive cryptomining atop DDoS capabilities to hedge against detection-driven disruptions in either vector, thereby optimizing returns from compromised Linux ecosystems that dominate cloud and edge computing. By avoiding file-based persistence in favor of ephemeral, runtime-driven mining, threat actors evade endpoint forensics and signature-based defenses, a tactic that could proliferate across Mirai lineages amid Monero’s rising appeal for untraceable payouts. This convergence poses amplified risks to resource-constrained environments like IoT and virtualized workloads, where dual exploitation compounds performance degradation and service outages; it also reflects broader threat actor maturation, potentially drawing in affiliates via malware-as-a-service models that blend disruption-for-hire with passive income streams.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is incredibly fast response against DDoS trouble when you need it most.
Source: https://gbhackers.com/stealthy-linux-malware/
Ransomware Threats Moving Out to the Edge
(TLP: CLEAR) Recent intelligence reporting signifies a noticeable pivot in ransomware operations toward edge computing environments, where over 80 distinct groups maintain relentless global activity despite law enforcement interventions, exploiting freshly disclosed vulnerabilities in devices that resist rapid patching. This expansion capitalizes on the decentralized nature of edge networks, encompassing internet-of-things (IoT) gateways, remote sensors, and distributed endpoints, where update cycles lag due to operational constraints, enabling attackers to weaponize flaws mere days after public revelation. Coordinated cyber-campaigns overwhelm security and network defenders through sheer volume and velocity, with groups rebounding swiftly from takedowns thanks to lucrative yields that fund resilient infrastructures. Tactics emphasize initial access via unpatched exposures, followed by lateral movement to core systems, but the edge focus introduces novel challenges like limited visibility and segmented defenses, amplifying propagation speeds in hybrid setups.
(TLP: CLEAR) Comments: The migration of ransomware to edge perimeters signals a strategic response to maturing core-network protections, transforming once-peripheral devices into high-value beachheads that bypass traditional segmentation and monitoring. With patching windows compressed by business imperatives, this shift not only accelerates breach timelines but also diversifies attack surfaces across sectors reliant on real-time edge processing, such as manufacturing and smart cities, potentially cascading into widespread operational halts. The coexistence of 80+ groups underscores a fragmented yet hyper-efficient threat marketplace, where rapid vuln-to-ransom pipelines outpace vendor responses; organizations must prioritize behavioral anomaly detection over sole reliance on updates, as edge proliferation could normalize ransomware as a persistent drag on distributed architectures.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:
- The Lists Engine allows UltraDDR customers to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses DigiCert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators to build custom rules that augment and extend the other engines of UltraDDR.
Source: https://www.inforisktoday.com/ransomware-threats-moving-out-to-edge-a-30172
AI-Driven DDoS Attacks Pressure Mid-Market Industrial Operators
(TLP: CLEAR) Security investigators have recently highlighted the escalating sophistication of distributed denial-of-service (DDoS) campaigns powered by artificial intelligence, which are increasingly targeting mid-sized manufacturing and industrial entities with adaptive, low-profile assaults that evade conventional safeguards. These AI-enhanced operations enable rapid deployment and scaling, allowing attackers to generate traffic surges in mere minutes while dynamically adjusting vectors to probe and exploit network weak points, particularly at the convergence of information technology (IT) and operational technology (OT) environments. Mid-market operators, often constrained by limited in-house expertise and budgets, face heightened risks as even brief disruptions, such as a 30-minute barrage, can cascade into production halts, delayed shipments, and diminished stakeholder trust. Traditional web application firewalls (WAFs), while effective against application-layer exploits, prove inadequate against volumetric floods, underscoring the need for integrated, perimeter-based defenses that incorporate real-time anomaly detection and automated allow-listing to filter threats without imposing latency or resource strain.
(TLP: CLEAR) Comments: The infusion of AI into DDoS tactics marks a pivotal evolution in malicious DDoS operations, democratizing high-impact disruptions for less-resourced adversaries and increasing pressure on mid-tier industrial sectors where OT dependencies turn downtime into tangible revenue losses and safety concerns. This trend exposes systemic gaps in hybrid IT/OT architectures, where visibility silos enable stealthy, sub-radar incursions that traditional tools overlook; as attacks grow in velocity and variability, it compels a reevaluation of defense paradigms toward proactive, AI-augmented mitigation, potentially spurring greater reliance on managed services to bridge capability shortfalls and sustain operational resilience amid an asymmetrically empowered threat environment.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.”
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect can accept traffic in an always-on or on-demand mode with DNS and API-based integration options that can adapt to your existing technology stack and operational practices. UltraDDoS Protect also includes a variety of options to automate the path from detection to mitigation so that DDoS attacks can be thwarted immediately or within seconds.
Scattered Lapsus$ Hunters Tied to Targeting of Zendesk Users
(TLP: CLEAR) Cybersecurity investigators have attributed a persistent social engineering offensive against Zendesk’s customer support infrastructure to the Scattered Lapsus$ Hunters, a loose-knit Western collective of predominantly teenage operatives that emerged from “The Community” forum and employs deceptive tactics to subvert help desk protocols and harvest authentication artifacts. Over the past six months, the actors have provisioned more than 40 typosquatted domains, such as znedesk[.]com and vpn-zendesk[.]com, that emulate official Zendesk endpoints, directing users to fabricated single sign-on interfaces designed to capture login credentials and enable account compromise. This initiative parallels earlier incursions against Salesforce and Gainsight, where pilfered OAuth tokens facilitated unauthorized access to affiliated platforms, alongside a broader arsenal of approximately 600 [.]dev domains impersonating brand support portals for entities including Zendesk and Cloudflare; these sites incorporate AI-synthesized content with embedded human-moderated chat widgets that solicit contact details under pretexts, culminating in prompts to deploy sanctioned remote access tools for endpoint takeover.
(TLP: CLEAR) Comments: Scattered Lapsus$ Hunters’ campaign exemplifies the potent blend of youthful ingenuity and forum-honed guile in perpetuating low-barrier, high-yield social engineering against foundational support systems, where impersonation of trusted interfaces exploits inherent user reliance on streamlined assistance flows to propagate credential theft at scale. With precedents yielding breaches impacting hundreds of organizations and exposing tens of millions of records—as seen in the Discord incident revealing sensitive user profiles—this splinter group’s claimed pipeline of additional operations portends sustained erosion of CRM ecosystem integrity, particularly as AI-augmented facades lower fabrication costs; it underscores the fragility of human-centric verification in hybrid threat landscapes, urging fortified insider threat training and anomaly-driven monitoring to counter such opportunistic, English-fluent predators who thrive on the seams between technical and procedural safeguards.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
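Both the holiday-store lookalikes in the first item (typosquats of a brand, and a brand plus a word like “safe” or “fast” under .shop) and the high-entropy DGA labels CISA describes above are properties of the query name itself, which a resolver can score before any feed lookup. The following is an added example written for this summary, not code from CloudSEK, CISA or any PDNS product; the brand list, suffix list, thresholds and sample query names are assumptions.

```python
import math
from collections import Counter
from typing import Dict, List

# Brand and suffix lists are assumptions, seeded from the names in this report.
BRANDS = ["amazon", "apple", "samsung", "xiaomi", "rayban", "fujifilm", "zendesk"]
LURE_SUFFIXES = ("warehousesale", "deals", "safe", "fast", "sale", "shop", "deal")
RISKY_TLDS = {"shop", "top", "dev"}           # TLDs the items above call out
MIN_DGA_LEN = 12                              # assumption
ENTROPY_THRESHOLD = 3.5                       # bits/char; assumption, tune locally


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values against a brand mean a likely typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shannon_entropy(s: str) -> float:
    """Bits per character; machine-generated labels score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score(fqdn: str) -> Dict[str, object]:
    labels = fqdn.lower().strip(".").split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    # Peel off a lure suffix ("samsungsafe" -> "samsung" + "safe") before matching.
    stem, suffix = sld, ""
    for suf in LURE_SUFFIXES:          # listed longest first, so "warehousesale" beats "sale"
        if sld.endswith(suf) and len(sld) > len(suf):
            stem, suffix = sld[: -len(suf)], suf
            break
    reasons: List[str] = []
    for brand in BRANDS:
        if stem == brand:
            if suffix:                 # exact brand plus a lure word
                reasons.append(f"brand+suffix lure ({brand}+{suffix})")
            continue                   # bare brand SLD is the owner's own domain
        if abs(len(stem) - len(brand)) <= 1 and levenshtein(stem, brand) <= 2:
            reasons.append(f"typosquat of {brand}" + (f" +{suffix}" if suffix else ""))
        elif stem.startswith(brand):   # "xiaomidea" = "xiaomi" + "dea"
            reasons.append(f"brand prefix {brand}+{stem[len(brand):]}")
        elif brand in stem:            # "vpn-zendesk"
            reasons.append(f"brand embedded ({brand})")
    # DGA-style label: long and high entropy, the trait CISA names above.
    if len(sld) >= MIN_DGA_LEN and shannon_entropy(sld) >= ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy label ({shannon_entropy(sld):.2f} bits/char)")
    return {
        "fqdn": fqdn,
        "risky_tld": tld in RISKY_TLDS,
        "reasons": reasons,
        "verdict": "block" if reasons else "allow",
    }


# Constructed query log: names from the items above plus a made-up DGA-style label.
SAMPLE_QUERIES = [
    "amaznshop.com", "samsungsafe.shop", "xiaomidea.shop", "znedesk.com",
    "vpn-zendesk.com", "x7k2p9qwe4rt1zv.top", "www.amazon.com",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        r = score(q)
        print(f"{r['verdict']:5}  {q:24} {'; '.join(r['reasons'])}")
```

These string heuristics only complement feed-based blocking: a name like the campaign's cdn.cloud360.top carries no brand or entropy signal and is caught by a block list or category feed, not by this scorer.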
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://www.inforisktoday.com/scattered-lapsus-hunters-tied-to-targeting-zendesk-users-a-30166
New Report Warns of 68% Of Actively Serving Phishing Kits Protected by Popular CDN Provider
(TLP: CLEAR) A recent comprehensive security assessment has revealed that 68 percent of operational phishing kits are shielded by a major content delivery network (CDN) provider’s infrastructure, derived from monitoring 25,305 malicious domains where 17,202 leverage the provider’s network for obfuscation and resilience. The study cataloged over 42,000 verified URLs and domains facilitating phishing lures, command-and-control communications, and payload dissemination, noting an impressive 96.16 percent average DNS resolution uptime that ensures persistent accessibility for threat actors. The provider’s appeal stems from its no-cost entry tier, which bundles distributed denial-of-service (DDoS) shielding and proxying to conceal underlying hosts, concentrating thousands of illicit domains under a single autonomous system number. Advanced phishing-as-a-service offerings, including EvilProxy and Tycoon 2FA, function as intermediary proxies that hijack sessions to pilfer authentication cookies, circumventing multi-factor protocols through tactics like IP-based geofencing, device-specific user-agent evasion, detection of debugging tools to abort suspicious sessions, and integrated CAPTCHA challenges to repel automated reconnaissance.
(TLP: CLEAR) Comments: This pervasive entrenchment within phishing ecosystems illustrates a double-edged dynamic, where legitimate protective features inadvertently subsidize commoditized cybercrime by lowering operational hurdles and enhancing campaign longevity, fostering a proliferation of coordinated clusters that mimic enterprise-grade reliability. The identification of 20 interconnected phishing syndicates via overlapping evasion signatures points to a maturing underground economy reliant on shared tooling, potentially complicating blocklisting efforts and necessitating refined attribution models; as these kits erode multi-factor efficacy through session hijacking, it heightens imperatives for behavioral analytics in authentication flows, signaling broader vulnerabilities in cloud-agnostic defenses that could extend to other service providers if adoption patterns persist.
(TLP: CLEAR) Recommended best practices/regulations: “Networks and network services are monitored to find potentially adverse events.” One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 2 modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller, or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its Global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.