Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
MAD-CAT “Meow” Tool Sparks Real-World Data Corruption Attacks
(TLP: CLEAR) The notorious “Meow” attacks, which wiped unsecured databases in 2020, have returned in a more dangerous form through MAD-CAT, a custom-built automation tool designed to corrupt data across six major platforms simultaneously: MongoDB, Elasticsearch, Cassandra, Redis, CouchDB, and Hadoop HDFS. Unlike the original attacks, which hit one system at a time, MAD-CAT takes a bulk CSV target list and launches coordinated strikes, replacing real data with random strings ending in “-MEOW.” It connects without credentials to exposed databases or exploits weak logins, then systematically erases every operational record, sparing only system files, to maximize damage. In a simulated healthcare breach, MAD-CAT could destroy patient records, disable search functions, erase device telemetry, invalidate user sessions, block portal access, and wipe billing data in minutes. While Shodan data shows a sharp decline in vulnerable systems since 2020, dozens of exposed databases still exist, proving that legacy systems and poor security hygiene remain widespread.
MAD-CAT underscores a simple truth: misconfiguration enables mass destruction. Organizations must enforce authentication, restrict public access, segment databases, and maintain verified backups. Tools that detect default credentials and exposed services are now essential defenses.
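The two controls above (find services that answer without credentials, and recognize the corruption marker) can be checked directly. The script below is an added example written for this report; it is not the MAD-CAT tool and not code from the article summarized above. It probes three of the six targeted stores (Redis over RESP, Elasticsearch and CouchDB over plain HTTP) with one unauthenticated request each and classifies the reply, then scans a document set for records overwritten with the “-MEOW” marker. The inventory, probe replies and records are constructed, and the marker regex assumes an alphanumeric prefix, which the report does not specify.

```python
"""Exposure audit for three of the datastores MAD-CAT targets, plus a
detector for the "-MEOW" corruption marker. Added example for this report;
not the MAD-CAT tool. Inventory, replies and records are constructed."""
import csv
import io
import re
import socket

# Constructed inventory in the same host,port,service shape a bulk CSV target
# list uses; a defender feeds their own asset inventory here instead.
SAMPLE_INVENTORY = """host,port,service
10.0.0.5,6379,redis
10.0.0.6,9200,elasticsearch
10.0.0.7,5984,couchdb
"""

# One unauthenticated request per protocol: a RESP PING for Redis and a plain
# HTTP/1.0 GET for the two HTTP-fronted stores. No credentials are ever sent.
PROBES = {
    "redis": b"PING\r\n",
    "elasticsearch": b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n",
    "couchdb": b"GET /_all_dbs HTTP/1.0\r\nHost: probe\r\n\r\n",
}


def parse_inventory(text):
    """Return [(host, port, service)] for rows whose service we can probe."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        service = row["service"].strip().lower()
        if service in PROBES:
            rows.append((row["host"].strip(), int(row["port"]), service))
    return rows


def classify_redis(reply):
    """+PONG: commands run with no authentication. -NOAUTH: requirepass/ACLs
    are on and the server refused the unauthenticated command."""
    if reply.startswith(b"+PONG"):
        return "open"
    if reply.startswith(b"-NOAUTH"):
        return "auth-required"
    return "unknown"


def classify_http(reply):
    """200 on an unauthenticated GET means the store answered; 401/403 means
    a credential gate (Elasticsearch security, CouchDB admin) is in place."""
    match = re.match(rb"HTTP/\d\.\d (\d{3})", reply.split(b"\r\n", 1)[0])
    if not match:
        return "unknown"
    code = int(match.group(1))
    if code == 200:
        return "open"
    if code in (401, 403):
        return "auth-required"
    return "unknown"


CLASSIFIERS = {"redis": classify_redis, "elasticsearch": classify_http,
               "couchdb": classify_http}


def probe(host, port, payload, timeout=3.0):
    """Send one probe; return the raw reply, or b"" on connect/read error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            return sock.recv(4096)
    except OSError:
        return b""


def audit(inventory_text, probe_fn=probe):
    """Map (host, port, service) -> open / auth-required / unknown / unreachable.
    probe_fn is injectable so the classification can be exercised offline."""
    results = {}
    for host, port, service in parse_inventory(inventory_text):
        reply = probe_fn(host, port, PROBES[service])
        results[(host, port, service)] = CLASSIFIERS[service](reply) if reply else "unreachable"
    return results


# The report describes the overwritten values only as random strings ending
# in "-MEOW"; the alphanumeric prefix here is an assumption about their shape.
MEOW_MARKER = re.compile(r"^[A-Za-z0-9]+-MEOW$")


def find_meow_records(records):
    """Keys of documents whose every string field matches the marker, i.e.
    rows that look overwritten rather than merely mentioning the string."""
    hits = []
    for key, doc in records.items():
        strings = [v for v in doc.values() if isinstance(v, str)]
        if strings and all(MEOW_MARKER.match(v) for v in strings):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for target, verdict in audit(SAMPLE_INVENTORY).items():
        print(target, verdict)
```

Anything classified as “open” here is reachable and answering without credentials, which is exactly the condition the tool needs; MongoDB, Cassandra and HDFS use binary or client-specific protocols and are best checked with their own client libraries rather than a raw socket probe.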
(TLP: CLEAR) Comments: The re-emergence of the “Meow” attack through a new tool called MAD-CAT should serve as a clear warning to every organization relying on databases. This automated system doesn’t just target one database at a time—it can strike six different types simultaneously, erasing real business data and replacing it with meaningless strings ending in “-MEOW.” In a hospital, for example, this could wipe patient records, disable search functions, erase medical device logs, log out active users, block online portals, and destroy billing history in minutes. While the number of vulnerable databases has dropped dramatically since 2020, those remaining are often in critical systems that haven’t been updated or properly secured. These are not sophisticated hacks requiring insider access; they exploit simple oversights—like leaving databases open to the internet without passwords.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SC-22, “Architecture and Provisioning for Name/Address Resolution Service”:
- Control: “Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.”
- Discussion: “Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).”
(TLP: CLEAR) DigiCert: DigiCert’s UltraDNS Health Check tool makes it easy to ensure that your domains are RFC-compliant, checks for adherence to best practices, and identifies possible configuration and security issues.
Source: https://gbhackers.com/mad-cat-meow-tool/
Lazarus Group Deploys Weaponized Documents Against Aerospace & Defense
(TLP: CLEAR) Lazarus Group’s campaign underscores a persistent and adaptive threat to critical sectors. Active since at least March 2025, this operation deploys spear-phishing lures via malicious Word documents (.docx) mimicking trusted entities like Edge Group, IIT Kanpur, and Airbus. Hosted on domains such as office-theme[.]com, these files trigger a multi-stage infection upon macro enablement, delivering an advanced Comebacker backdoor variant designed for long-term espionage.
The infection chain reveals Lazarus’s technical maturation: VBA macros decrypt a loader DLL using custom XOR and bit-swapping—eschewing older RC4/HC256 methods—for enhanced evasion. The loader establishes persistence via startup shortcuts and writes encrypted payloads (ChaCha20 with hardcoded keys) to paths like C:\ProgramData\WPSOffice\wpsoffice_aam.ocx and USOShared\USOInfo.dat. Execution leverages rundll32.exe for in-memory operations, minimizing disk footprints. C&C communications, now AES-128-CBC encrypted over HTTPS, feature randomized query strings and base64 identifiers, with MD5 hash checks ensuring payload integrity. A secondary domain, birancearea[.]com, indicates redundant infrastructure for sustained operations.
This evolution—shifting from plaintext beacons to encrypted, resilient C2—complicates detection, aligning with Lazarus’s DPRK-aligned playbook of resource hijacking and data exfiltration. Aerospace and defense firms, often handling classified IP, face heightened risks of supply-chain compromise or IP theft, potentially fueling adversarial military advancements.
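The chain described above leaves host artifacts that are straightforward to hunt for: a Word process spawning rundll32.exe, rundll32.exe loading an .ocx from under ProgramData, a shortcut dropped into the Startup folder, a write to one of the named payload paths, and a DNS lookup of either named domain. The rules below are an added example written for this report; they are not Lazarus tooling and not vendor detection content. The simplified Sysmon-style JSON event schema, the field names, the sample values (user name, lure file name, the DLL export ordinal) and the benign decoy lines are constructed; the domains and file paths are the ones named in the report.

```python
"""Hunt rules for the Comebacker delivery chain in the report, run over
constructed Sysmon-style JSON-lines events. Added example; not Lazarus
tooling or vendor content. Event schema and sample values are assumed."""
import json
import re

C2_DOMAINS = {"office-theme.com", "birancearea.com"}
# Suffix match: the report gives a full path for the .ocx but only a partial
# one (USOShared\USOInfo.dat) for the second payload.
PAYLOAD_SUFFIXES = ("\\programdata\\wpsoffice\\wpsoffice_aam.ocx",
                    "\\usoshared\\usoinfo.dat")
OCX_FROM_PROGRAMDATA = re.compile(r"\\programdata\\[^\s,]*\.ocx")

# Constructed events: lure opened, payload written, Startup .lnk dropped,
# rundll32 launched from Word, a C2 lookup, then two benign lines that
# must not fire (rundll32 from Explorer, an ordinary browser lookup).
SAMPLE_EVENTS = r"""
{"event":"ProcessCreate","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","parent":"C:\\Windows\\explorer.exe","cmdline":"WINWORD.EXE /n Airbus_RFQ.docx"}
{"event":"FileCreate","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","target":"C:\\ProgramData\\WPSOffice\\wpsoffice_aam.ocx"}
{"event":"FileCreate","image":"C:\\Windows\\System32\\rundll32.exe","target":"C:\\Users\\a.smith\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WPSOffice.lnk"}
{"event":"ProcessCreate","image":"C:\\Windows\\System32\\rundll32.exe","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"rundll32.exe C:\\ProgramData\\WPSOffice\\wpsoffice_aam.ocx,#1"}
{"event":"DnsQuery","image":"C:\\Windows\\System32\\rundll32.exe","query":"office-theme.com"}
{"event":"ProcessCreate","image":"C:\\Windows\\System32\\rundll32.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"rundll32.exe shell32.dll,Control_RunDLL"}
{"event":"DnsQuery","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","query":"www.microsoft.com"}
"""


def _low(value):
    return (value or "").lower()


def hunt(event):
    """Return the names of the rules this single event trips ([] if none)."""
    hits = []
    kind, image = event.get("event"), _low(event.get("image"))
    if kind == "ProcessCreate":
        cmdline, parent = _low(event.get("cmdline")), _low(event.get("parent"))
        if image.endswith("\\rundll32.exe") and OCX_FROM_PROGRAMDATA.search(cmdline):
            hits.append("rundll32_ocx_from_programdata")
        if image.endswith("\\rundll32.exe") and parent.endswith("\\winword.exe"):
            hits.append("office_spawns_rundll32")
    elif kind == "FileCreate":
        target = _low(event.get("target"))
        if target.endswith(".lnk") and "\\start menu\\programs\\startup\\" in target:
            hits.append("startup_shortcut_dropped")
        if target.endswith(PAYLOAD_SUFFIXES):
            hits.append("known_payload_path_written")
    elif kind == "DnsQuery":
        # Accept defanged names ("[.]") as they appear in reports.
        name = _low(event.get("query")).replace("[.]", ".").rstrip(".")
        if name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS):
            hits.append("known_c2_domain_query")
    return hits


def hunt_log(text):
    """Parse JSON lines and return [(rule, event), ...] in log order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            findings.extend((rule, event) for rule in hunt(event))
    return findings


if __name__ == "__main__":
    for rule, event in hunt_log(SAMPLE_EVENTS):
        print(f"{rule:32} {event.get('image')}")
```

The two behavioural rules (Office spawning rundll32.exe, rundll32.exe loading an .ocx out of ProgramData) do not depend on the specific file names and keep working if the operators rename the payload; the path and domain rules are exact-match indicators and should be expected to age.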
(TLP: CLEAR) Comments: Lazarus Group has launched a highly targeted espionage campaign against aerospace and defense organizations, using convincingly disguised Word documents to deliver a new variant of its Comebacker backdoor. The emails pretend to come from trusted industry names like Airbus or the Indian Institute of Technology, tricking employees into opening attachments that appear legitimate. Once macros are enabled, the document silently installs malware that gives attackers long-term access to sensitive systems. Lazarus is focusing on organizations that design aircraft, satellites, and military technology, which hold exactly the kind of strategic information a nation-state wants. The malware now uses stronger encryption, hides in normal system folders, and communicates in ways that are much harder for standard security tools to detect. It can steal files, monitor activity, and even download additional tools, all without raising obvious alarms.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports two modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller, or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.
Source: https://gbhackers.com/lazarus-group/
Indian Government’s CPGRAMS Portal Hit by Cyberattack
(TLP: CLEAR) India’s Centralised Public Grievance Redress and Monitoring System (CPGRAMS), a critical government platform for citizens to file and track complaints against public services, was temporarily disrupted on November 11, 2025, following a Distributed Denial-of-Service (DDoS) attack claimed by the hacktivist group THE GARUDA EYE. Announced via Telegram, the group flooded the portal with massive traffic, causing timeouts, slow responses, and failed submissions for users nationwide. While the outage lasted only a few hours and no data was compromised, it exposed vulnerabilities in India’s digital governance infrastructure, which handles thousands of daily grievances. Garuda Eye, a nationalist hacktivist collective that emerged in 2025, aims to highlight perceived government inefficiencies rather than seek financial gain. Using botnets and multi-vector floods (HTTP, UDP, DNS amplification), the group overwhelmed CPGRAMS servers, demonstrating how easily public services can be disrupted. The National Informatics Centre (NIC) restored service by filtering malicious traffic and rerouting requests. The attack serves as a wake-up call for India’s Digital India initiative: even brief downtime in essential public platforms erodes trust and disrupts civic engagement. With Garuda Eye hinting at more targets, proactive defense is now a national priority.
(TLP: CLEAR) Comments: The DDoS attack on India’s CPGRAMS portal by the hacktivist group Garuda Eye is a textbook example of how low-effort, high-visibility disruptions can undermine public confidence in government digital services. While the outage lasted only hours and no data was compromised, it exposed a vulnerability that affects any organization with public-facing systems: even a flood of fake traffic can silence real users. The fact that this platform—used daily by citizens to hold government accountable—was taken offline underscores a growing trend: hacktivists no longer need to breach systems to cause damage; they just need to make them unreachable. The National Informatics Centre (NIC) deserves recognition for a swift and effective response—restoring service without external help by filtering malicious traffic and rerouting legitimate requests. This internal resilience limited the impact and prevented escalation. However, the incident reveals a broader risk: many critical public systems still lack always-on protection against traffic surges. In today’s environment, where politically motivated groups can rent botnets for pennies, DDoS is not a technical nuisance—it’s a reputational and operational threat.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Source address spoofing is often combined with reflection and amplification from poorly administered open internet servers (e.g., DNS, NTP) to multiply the attack traffic volume by a factor of 50 or more. The attacker may use a single high-capacity computer with a high bandwidth internet connection or a botnet consisting of many compromised devices to send query requests to high-performance internet servers. The attacking systems employ source address spoofing, which inserts the IP address of the target as the source address in the requests. For internet services that use the User Datagram Protocol (UDP) (e.g., DNS, NTP), the query and response are each contained in a single packet, and the exchange does not require the establishment of a connection between the source and the server (unlike Transmission Control Protocol (TCP)). The responses from such open internet servers are directed to the attack target since the target’s IP address was forged as the source address field of the request messages. Often, the response from the server to the target address is much larger than the query itself, amplifying the effect of the DoS attack. Such reflection and amplification attacks can result in massive DDoS with attack volumes in the range of hundreds of Gbps.”
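The NIST passage gives the defender one useful handle on reflection traffic: because the victim’s address was spoofed into the queries, the victim never sent anything to the reflectors, so the responses arrive unsolicited. The script below is an added example written for this report (not NIST, NIC or vendor code) that applies that test to NetFlow-style records: it pairs inbound UDP responses from reflector ports (DNS, NTP, SSDP, memcached) with any outbound query the victim sent to the same reflector shortly before, and reports a host once unsolicited responses arrive from several distinct reflectors. The flow schema, addresses, sizes, window and reflector threshold are constructed.

```python
"""Reflection/amplification detection over constructed NetFlow-style records.
Added example for this report, not NIST SP 800-189, NIC or vendor code;
flow schema, addresses, sizes and thresholds are constructed."""
import csv
import io
from collections import defaultdict

# UDP source ports of commonly abused reflector services.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}

# Constructed flow export. 203.0.113.10 is the protected host; it sent one
# real DNS query (row 1) and got its answer (row 2). Rows 3-6 are responses
# it never asked for; row 7 is ordinary TCP and must be ignored.
SAMPLE_FLOWS = """ts,src,sport,dst,dport,proto,bytes,pkts
1,203.0.113.10,40001,198.51.100.1,53,udp,70,1
2,198.51.100.1,53,203.0.113.10,40001,udp,180,1
3,198.51.100.2,53,203.0.113.10,40002,udp,3800,3
4,198.51.100.3,53,203.0.113.10,40003,udp,3900,3
5,198.51.100.4,53,203.0.113.10,40004,udp,3700,3
6,198.51.100.5,123,203.0.113.10,40005,udp,4400,10
7,203.0.113.10,40006,192.0.2.9,443,tcp,1200,8
"""


def parse_flows(text):
    """Parse the CSV export into dicts with numeric fields converted."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": int(r["ts"]), "src": r["src"], "sport": int(r["sport"]),
                     "dst": r["dst"], "dport": int(r["dport"]), "proto": r["proto"],
                     "bytes": int(r["bytes"]), "pkts": int(r["pkts"])})
    return rows


def detect_reflection(flows, window=5, min_reflectors=3):
    """Inbound UDP flows whose *source* port is a reflector service are
    responses. One is 'solicited' if the destination sent a query to that
    same reflector/port within `window` seconds before it. With a spoofed
    source the victim never queried, so unsolicited responses accumulate.
    Returns {victim: stats} for hosts hit by >= min_reflectors reflectors."""
    queries = defaultdict(list)  # (client, reflector, port) -> outbound query times
    for f in flows:
        if f["proto"] == "udp" and f["dport"] in REFLECTOR_PORTS:
            queries[(f["src"], f["dst"], f["dport"])].append(f["ts"])

    per_victim = defaultdict(lambda: {"reflectors": set(), "services": set(),
                                      "unsolicited_bytes": 0, "solicited_bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        victim, reflector, port = f["dst"], f["src"], f["sport"]
        solicited = any(0 <= f["ts"] - t <= window
                        for t in queries[(victim, reflector, port)])
        stats = per_victim[victim]
        if solicited:
            stats["solicited_bytes"] += f["bytes"]
        else:
            stats["unsolicited_bytes"] += f["bytes"]
            stats["reflectors"].add(reflector)
            stats["services"].add(REFLECTOR_PORTS[port])
    return {v: s for v, s in per_victim.items()
            if len(s["reflectors"]) >= min_reflectors}


def summarize(findings):
    """Flatten the sets into a report-friendly structure."""
    return {v: {"reflectors": len(s["reflectors"]),
                "services": sorted(s["services"]),
                "unsolicited_bytes": s["unsolicited_bytes"],
                "solicited_bytes": s["solicited_bytes"]}
            for v, s in findings.items()}


if __name__ == "__main__":
    print(summarize(detect_reflection(parse_flows(SAMPLE_FLOWS))))
```

The solicited/unsolicited split is what separates a host that merely runs a busy resolver client from one being reflected at; on the sample, the legitimate answer in row 2 is attributed to the victim’s own query, and only the remaining DNS and NTP responses count toward the reflector threshold.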
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.
Cyberattack hits Danish government and defence companies
(TLP: CLEAR) On 13 November 2025, a multi-vector Layer 7 DDoS campaign orchestrated by the pro-Russian hacktivist collective NoName057(16) successfully disrupted key Danish public and defense digital assets, including the Ministry of Transport, Borger.dk (the national citizen portal), and Terma, a critical aerospace and defense contractor. As a DDoS threat intelligence engineer, I assess this as a high-visibility, low-complexity volumetric and application-layer flood leveraging the group’s established DDoSia toolkit—consistent with their 2024–2025 pattern of targeting NATO-aligned nations supporting Ukraine. Traffic surges overwhelmed HTTP/S endpoints, causing temporary unavailability but no data exfiltration or system compromise, and full service restoration was achieved within hours. Terma’s rapid mitigation—likely via pre-configured CDN/WAF and rate-limiting—prevented operational impact, while Denmark’s Civil Protection Agency and military intelligence (DDIS) coordinated real-time traffic filtering and situational awareness. This incident underscores the evolving hacktivist DDoS playbook: politically timed, botnet-driven, and designed for maximum disruption with minimal technical overhead. Defenders must prioritize always-on application-layer protection, geo-aware traffic management, and cross-agency incident coordination to neutralize these increasingly frequent low-barrier attacks.
(TLP: CLEAR) Comments: The DDoS attack on Denmark’s government and defense websites—including the national citizen portal and a major aerospace contractor—was not about stealing data; it was about disruption and visibility. The pro-Russian group NoName057(16) deliberately chose high-profile targets to send a message: even strong digital systems can be silenced for hours with a flood of fake traffic. While services were restored quickly and no information was lost, the timing—just before local elections—shows how these attacks are now part of political pressure campaigns, not random attacks.
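An application-layer flood of the kind described above does not look like the reflection traffic in the CPGRAMS item: every request is a complete, well-formed HTTP exchange, so the defence is per-client rate control rather than packet filtering. The script below is an added example written for this report; it is not NoName057(16) tooling and not Terma’s, Borger.dk’s or any vendor’s mitigation. It parses web-server access-log lines in Common Log Format, replays them through a sliding-window limiter keyed by client address, and, as a simple form of the geo-aware management recommended above, applies a tighter cap to clients outside the portal’s home country. The log lines, addresses, the GeoIP stand-in, the choice of Denmark as home country and the thresholds are all assumed.

```python
"""Application-layer flood triage over constructed access-log lines: CLF
parsing, a per-client sliding-window cap, and a tighter cap for clients
outside the home country. Added example for this report, not vendor or
attacker code; log lines, GeoIP mapping and thresholds are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Stand-in for a GeoIP lookup (constructed): address prefix -> country code.
GEO = {"203.0.113.": "DK", "192.0.2.": "DK", "198.51.100.": "XX"}
HOME_COUNTRY = "DK"  # assumption: a Danish citizen portal serves mostly DK users


def country(ip):
    for prefix, code in GEO.items():
        if ip.startswith(prefix):
            return code
    return "??"


def _line(ip, second, path="/"):
    """Build one constructed CLF line at 09:00:<second> on 13 Nov 2025."""
    return f'{ip} - - [13/Nov/2025:09:00:{second:02d} +0100] "GET {path} HTTP/1.1" 200 512'


# Constructed traffic: a foreign source sending 16 requests to /login in 2 s,
# a home-country user browsing at 1 req/s, and a foreign user sending 2.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", s // 8, "/login") for s in range(16)]
    + [_line("203.0.113.5", s) for s in range(4)]
    + [_line("198.51.100.9", 0) for _ in range(2)]
)


def parse_line(line):
    """Return {"ip", "ts", "path", "status"} or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT).timestamp()
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


class SlidingWindowLimiter:
    """At most `limit` requests per client per `window_s` seconds, or
    `foreign_limit` for clients outside HOME_COUNTRY. Every attempt counts,
    so a flooding client cannot hold itself at the cap by retrying faster."""

    def __init__(self, window_s, limit, foreign_limit):
        self.window_s, self.limit, self.foreign_limit = window_s, limit, foreign_limit
        self.hits = defaultdict(deque)

    def allow(self, ip, ts):
        q = self.hits[ip]
        while q and ts - q[0] >= self.window_s:  # age out hits beyond the window
            q.popleft()
        q.append(ts)
        cap = self.limit if country(ip) == HOME_COUNTRY else self.foreign_limit
        return len(q) <= cap


def triage(log_text, window_s=2, limit=5, foreign_limit=3):
    """Replay a log in time order; return per-IP allowed/rejected counts."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order
    limiter = SlidingWindowLimiter(window_s, limit, foreign_limit)
    allowed, rejected = defaultdict(int), defaultdict(int)
    for e in entries:
        if limiter.allow(e["ip"], e["ts"]):
            allowed[e["ip"]] += 1
        else:
            rejected[e["ip"]] += 1
    return {"allowed": dict(allowed), "rejected": dict(rejected)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Keying on the client address alone is only the first cut: a botnet such as the one behind DDoSia spreads its requests across many sources, so the same limiter is usually also applied per path (login and search endpoints are the expensive ones) and backed by a challenge or a CDN/WAF rule once a source trips it.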
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those in NATO member and allied countries, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures.
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets, whether they reside in the cloud, multi-cloud, data center, or hybrid. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds.
Source: https://www.eurointegration.com.ua/eng/news/2025/11/13/7224817/
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.