Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Hackers Launch Mass Attacks Exploiting Outdated WordPress Plugins
(TLP: CLEAR) A large-scale exploitation campaign is actively targeting WordPress sites using outdated versions of the GutenKit and Hunk Companion plugins, both of which contain critical vulnerabilities that can be leveraged to install additional plugins and ultimately achieve remote code execution. According to Wordfence, more than 8.7 million attack attempts were recorded over just two days in early October. The flaws—CVE-2024-9234 in GutenKit and CVE-2024-9707 / CVE-2024-11972 in Hunk Companion—allow attackers to install arbitrary plugins without proper authorization. Although patches were released in late 2024, many websites are still running vulnerable versions. Threat actors are distributing a malicious plugin archive named up via GitHub, which contains obfuscated scripts enabling persistent unauthorized access, file manipulation, and automated administrative login. When this plugin fails to provide full control, attackers deploy the wp-query-console plugin to enable unauthenticated remote code execution. Indicators of compromise include suspicious REST API activity and unfamiliar plugin directories on the server. The campaign highlights the ongoing risk posed by outdated WordPress plugins and the scale at which attackers are automating exploitation across the web.
(TLP: CLEAR) Comments: The GutenKit / Hunk Companion campaign is a textbook example of opportunistic, high-leverage exploitation that weaponizes poor patch hygiene at Internet scale. Attackers are not inventing novel exploits; they are automating exploitation chains against known, patched REST-API flaws to convert thousands of low-effort compromises into high-value footholds. The use of a reusable malicious plugin archive (the “up” package) and fallback installers such as wp-query-console shows a modular approach: when one persistence vector fails, operators pivot to another, reducing per-target effort and increasing success rates. This commoditization means that relatively unsophisticated actors can rapidly scale post-exploitation tasks—deploying backdoors, installing crypters, or harvesting credentials—turning compromised sites into staging grounds for phishing, spam, data theft, or even proxy/DDoS infrastructure. The campaign also amplifies supply-chain risk: plugin repositories and developer workflows are being abused to host or mirror malicious payloads (GitHub was observed), so attribution and takedown become harder and recovery slower. From a detection perspective, emphasis should shift from signature chasing to behavioral and telemetry signals—surges of REST API calls to /wp-json/* endpoints, anomalous plugin installation patterns, and creation of uncommon directories are higher-value indicators. Finally, the persistence of vulnerable installs nearly a year after patches demonstrates the ongoing operational return on exploitation investment for adversaries and underscores how quickly automated scanning maps and exploits internet-scale attack surface.
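The behavioral signals the comment above recommends (bursts of /wp-json/* calls from one source, and write requests to the plugin-management route) can be triaged from ordinary web-server access logs. The following is an added example, not code from Wordfence or from the original report; it assumes the Apache/Nginx "combined" log format, a surge threshold of 20 REST calls per source in a 60-second window, and the core WordPress route /wp-json/wp/v2/plugins, and it deliberately does not reproduce the plugin-specific vulnerable routes.

```python
"""Triage of access logs for the WordPress REST-API abuse pattern:
REST-call surges per source and writes to the plugin-management route.
Added example; log format, threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" format (assumed): ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SURGE_THRESHOLD = 20                      # assumed: REST calls per source per window
WINDOW = timedelta(seconds=60)            # assumed sliding-window size
PLUGIN_ROUTE = "/wp-json/wp/v2/plugins"   # core WordPress plugin-management endpoint


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])


def rest_surges(entries):
    """Map source IP -> peak number of /wp-json/ calls seen inside any WINDOW,
    for sources that reach SURGE_THRESHOLD. Sliding window over sorted timestamps."""
    per_ip = defaultdict(list)
    for ip, ts, _method, path, _status in entries:
        if path.startswith("/wp-json/"):
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:      # slide the left edge forward
                start += 1
            count = end - start + 1
            if count >= SURGE_THRESHOLD:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def plugin_writes(entries):
    """Accepted write requests (POST/PUT/DELETE, non-error status) to the plugin route."""
    return [
        (ip, ts, method, path)
        for ip, ts, method, path, status in entries
        if path.startswith(PLUGIN_ROUTE) and method in {"POST", "PUT", "DELETE"} and status < 400
    ]


def triage(lines):
    """Parse raw log lines and return both indicator sets."""
    entries = [e for e in (parse_line(line) for line in lines) if e]
    return {"surges": rest_surges(entries), "plugin_writes": plugin_writes(entries)}


# Constructed sample log: one source hammering the REST API and then installing a
# plugin, one ordinary visitor. Addresses are documentation ranges, not real IoCs.
def _line(ip, sec, method, path, status):
    return (f'{ip} - - [10/Oct/2025:12:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512')

SAMPLE_LOG = [_line("203.0.113.7", s, "GET", f"/wp-json/wp/v2/posts?page={s}", 200)
              for s in range(25)]
SAMPLE_LOG.append(_line("203.0.113.7", 30, "POST", "/wp-json/wp/v2/plugins", 201))
SAMPLE_LOG += [_line("198.51.100.5", s, "GET", "/wp-json/wp/v2/posts", 200)
               for s in range(3)]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Pair the surge output with the third indicator from the report, unfamiliar plugin directories on disk, before treating a source as confirmed rather than merely noisy.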
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server.”
(TLP: CLEAR) DigiCert: Digicert’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.
HashiCorp Vault Vulnerabilities Let Attackers Bypass Authentication and Trigger DoS Attack
(TLP: CLEAR) Researchers have identified a sophisticated phishing campaign that uses randomly generated UUIDs, randomized domain selection, and server-driven page replacement to bypass Secure Email Gateways and perimeter defenses. Delivered via HTML attachments and spoofed file-sharing pages (OneDrive, SharePoint, DocuSign, Adobe Sign), the embedded JavaScript selects one domain at random from a small pool of bulk-generated .org hosts, generates a unique victim UUID plus a campaign UUID, and sends an HTTPS POST to the chosen server. The backend returns dynamically assembled, context-aware HTML which the script injects into the current document via DOM manipulation rather than performing a visible redirect, producing seamless, branded credential-capture pages that preserve the original URL. This dual-UUID tracking enables per-victim tailoring and session correlation, while randomized domains and lack of static redirects reduce blocklist and ML detection efficacy. Cofense’s analysis highlights the campaign’s operational maturity: real-time page customization, minimal observable indicators in transit, and a delivery method that leverages trusted collaboration platforms to increase user trust.
(TLP: CLEAR) Comments: This campaign is notable for operational sophistication and clear tradecraft evolution: by combining randomized domain selection, per-victim UUIDs, and server-driven DOM replacement the adversary removes the usual, static indicators (fixed phishing URLs, predictable redirects, and hardcoded HTML) that many Secure Email Gateways and URL-based detectors rely on. The practical result is higher deliverability through trusted collaboration platforms and lower visibility for automated defenses, while the dual-UUID scheme gives the operator precise session correlation and follow-up targeting (credential validation, lateral phishing, or sold access). From a defender’s perspective the attack shifts the detection surface away from simple URL/filename signatures to telemetry and behavior: transient DNS queries and certificates for bulk-generated domains, unusual outbound POSTs from client browsers to odd domains after opening HTML attachments, rapid per-session content changes in the DOM, and login attempts shortly after document interaction. Mitigations should therefore prioritise telemetry aggregation and behavioral detection (monitoring browser-origin POSTs, client-side DOM injection events where instrumentable, short-lived domain registration patterns, and abnormal session creation), harden mail/attachment handling (strip or sandbox HTML attachments, enforce link rewrites), and ensure strong compensating controls such as MFA and anomalous login detection. Finally, the campaign’s personalization capability increases success against high-value targets; organizations should treat these threats as targeted credential-harvesting operations and align detection, logging, and incident playbooks accordingly.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SC-20: “SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)”: Control:
- Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
- Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
Critical Infrastructure and Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Develop an organization DDoS response plan. The response plan should guide your organization through identifying, mitigating, and rapidly recovering from DDoS attacks. All internal stakeholders—including your organization’s leaders and network defenders—and service providers should understand their roles and responsibilities through all stages of a DDoS attack. At a minimum, the plan should include understanding the nature of a DDoS attack, confirming a DDoS attack, deploying mitigations, monitoring and recovery.”
(TLP: CLEAR) DigiCert: Digicert’s UltraDNS solutions include 2 separate and diverse authoritative resolution platforms for an aggregate 47 deployment nodes. UltraDNS provides resiliency, performance and advanced features such as load-balancing, monitored failover, automated DNSSEC signing and geographic resolution.
Digicert UltraDDoS Protect can accept traffic in an always-on or on-demand mode with DNS and API-based integration options that can adapt to your existing technology stack and operational practices. UltraDDoS Protect also includes a variety of options to automate detection to mitigation so that DDoS attacks can be thwarted immediately or within seconds.
Source: https://cybersecuritynews.com/hashicorp-vault-vulnerabilities/
Russian Rosselkhoznadzor Hit by DDoS Attack, Food Shipments Across Russia Delayed
(TLP: CLEAR) This article reports that Russia’s Federal Service for Veterinary and Phytosanitary Surveillance (Rosselkhoznadzor) experienced a large-scale DDoS attack that disrupted its national food certification and tracking platforms, particularly the Mercury system within VetIS. These systems are required to issue electronic veterinary documents for shipping products such as meat, dairy, and baby food. When the system went offline, food producers were unable to process shipments, causing delays across supply chains and prompting attempts to negotiate emergency workarounds, including shipping goods without the required electronic certificates. The agency stated that no data breach occurred and that telecom providers, including Megafon and Rostelecom, were working to filter malicious traffic. Rosselkhoznadzor claimed the system continued to process millions of documents and denied long-term outages, though producers reported operational impacts. This incident marks the fourth time in 2025 that the Mercury system has been targeted, highlighting continued vulnerability of critical food logistics infrastructure to DDoS disruptions.
(TLP: CLEAR) Comments: The DDoS attack on Rosselkhoznadzor’s Mercury system illustrates the continued use of cyber disruption as a strategic lever within the broader Russia-Ukraine conflict. Since early 2022, pro-Ukrainian hacktivist collectives and affiliated cyber volunteer groups have repeatedly targeted Russian government services, logistics platforms, and transport networks to create operational friction rather than permanent damage. Food logistics systems are particularly impactful targets because brief outages can cascade into supply chain delays, cost increases, and public frustration. Although attribution has not yet been confirmed, the tactics and timing align with previous campaigns where DDoS is used to signal political pressure and undermine confidence in state administrative capacity. This incident also highlights the vulnerability of Russian critical digital systems that rely on centralized government platforms with limited redundancy. The Mercury platform has been attacked multiple times in 2025, demonstrating that adversaries view agricultural certification as a strategic chokepoint in sustaining domestic stability. If this activity is linked to the Ukraine conflict, it would represent a continuation of hybrid warfare aimed at eroding Russia’s internal resilience rather than achieving direct kinetic outcomes. As both state and non-state actors continue to operate in parallel, Russia’s administrative infrastructure will likely remain a persistent target for symbolic and disruptive cyber operations.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time such as Digicert’s UltraDDoS Protect.
(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
New Atroposia Malware Comes With a Local Vulnerability Scanner
(TLP: CLEAR) Atroposia is a newly identified malware-as-a-service offering a modular remote-access trojan (RAT) aimed at lowering the barrier to entry for cybercriminals. Marketed as a $200/month subscription, the platform provides encrypted C2 communications, UAC-bypass privilege escalation, and persistent, stealthy access to Windows hosts. Its feature set includes a covert remote desktop (HRDP) that can interact with user sessions without visible indicators, an explorer-style file manager with targeted grabber and in-memory exfiltration, credential and crypto-wallet theft, real-time clipboard capture, and a host-level DNS hijack capability for silent redirection and MITM. Unusually, Atroposia also bundles a local vulnerability scanner to identify missing patches and exploitable software, enabling attackers to prioritize privilege escalation and lateral movement. Researchers characterize Atroposia as another “plug-and-play” toolkit that empowers lower-skill operators to conduct sophisticated intrusions, data theft, and network manipulation.
(TLP: CLEAR) Comments: Atroposia exemplifies the continued commoditization of offensive capabilities, packaging remote access, reconnaissance, and exploitation tooling into a turnkey subscription that materially lowers the skill and cost threshold for impactful intrusions. Its combination of a covert HRDP-style desktop, in-memory exfiltration, credential and wallet theft, and a host-level DNS hijack makes it useful across multiple criminal workflows—initial access resale, long-term espionage, targeted data theft, and ransomware preparation—because it both harvests high-value artifacts and provides stealthy hands-on access for follow-on operations. The built-in local vulnerability scanner is a force multiplier: by automatically identifying unpatched VPN clients, outdated privilege-escalation vectors, or weak configurations, Atroposia accelerates lateral movement and privilege escalation while reducing operator expertise requirements. Operationally, DNS hijacking and persistent stealth mechanisms complicate detection and containment, enabling persistent MITM, credential harvesting, and supply-chain manipulations without obvious file artifacts. Attribution will be challenging because commoditized MaaS offerings encourage diverse groups to reuse the same tooling, obscuring developer and operator links. For defenders, the priority implications are clear—assume a higher likelihood of multi-vector intrusions, expect quick transition from compromise to data staging, and prepare for complex remediation when DNS and long-running stealth modules are present. Monitoring for anomalous scheduled tasks, unusual registry/UAC changes, outbound DNS anomalies, and in-memory execution patterns will materially improve detection of Atroposia-style activity.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Digicert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
New Phishing Attack Using Invisible Characters Hidden in Subject Line Using MIME Encoding
(TLP: CLEAR) Researchers uncovered a phishing technique that hides malicious intent by inserting invisible Unicode characters—principally soft hyphens—into email subject headers using MIME encoded-word formatting. Because the subject is Base64-encoded per RFC 2047, attackers can fragment trigger keywords at the character level (for example turning “password” into “p-a-s-s-w-o-r-d”) while the rendered text remains normal for human recipients. The discrepancy between list-view and opened-message rendering enabled discovery of the technique. Campaigns leveraging this method direct victims to compromised domains hosting generic webmail-style credential-harvesting pages. The approach defeats conventional keyword and pattern-based email filters without altering visible content, and the same soft-character obfuscation has been observed in message bodies as well, increasing the likelihood of bypassing automated scanners. Analysts identified the abuse through examination of MIME headers and decoded samples, highlighting a novel, low-noise evasion vector that complicates automated detection of credential-theft lures.
(TLP: CLEAR) Comments: The use of invisible Unicode characters in MIME-encoded subject headers represents a low-cost, high-return evasion technique that materially complicates email security at scale. By exploiting RFC-2047 encoded-word semantics and inserting soft hyphens or similar codepoints (e.g., U+00AD) inside Base64-encoded subject strings, attackers fragment detection triggers at the token level while leaving the human display unchanged. This creates a class of false negatives for rule-based filters and many legacy SEGs that match on contiguous keyword patterns, and it reduces the signal quality for ML models trained on visible text features. Because the manipulation occurs in headers rather than bodies, it can also evade controls that focus scanning on message payloads. Operationally, the technique is attractive to adversaries: it is trivial to automate, scales across large campaigns (including targeted spear-phishing), and survives many forwarding or archiving paths that preserve original headers. Defenders face several practical challenges—correct canonicalization and normalization of encoded headers, reliable decoding for logging and detection, and avoiding collateral breaking of legitimate multi-language mail. In the near term, this tactic will likely proliferate among opportunistic and targeted actors alike, increasing the urgency for detection that operates on decoded canonical headers and behavioral indicators (click patterns, landing-page fingerprinting) rather than raw keyword matches alone.
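The defensive step the comment calls for, canonicalizing decoded headers before matching, is shown below as an added example (not code from the original report). It builds a constructed RFC 2047 Base64 encoded-word Subject with soft hyphens (U+00AD) between the letters of a trigger word, decodes it with the standard library, and compares a naive keyword match on the rendered text with a match on the canonicalized text; the set of stripped codepoints is an assumption to extend as needed.

```python
"""Canonicalize RFC 2047 encoded-word Subject headers before keyword matching,
defeating soft-hyphen fragmentation of trigger words. Added example; the
sample message and the invisible-codepoint set are constructed assumptions."""
import base64
import unicodedata
from email import message_from_string
from email.header import decode_header

SOFT_HYPHEN = "\u00ad"
# Assumed normalization set: soft hyphen plus common zero-width / BOM codepoints.
INVISIBLE = {SOFT_HYPHEN, "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
TRIGGER_WORDS = ("password", "verify", "account")


def decode_subject(raw_value):
    """Decode RFC 2047 encoded-words into the single str a mail client renders."""
    parts = []
    for chunk, charset in decode_header(raw_value):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def canonicalize(text):
    """NFKC-normalize, drop invisible and format (Cf) codepoints, casefold."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(
        ch for ch in text
        if ch not in INVISIBLE and unicodedata.category(ch) != "Cf"
    ).casefold()


def naive_hits(text):
    """What a contiguous-keyword filter sees on the decoded but un-normalized text."""
    return [w for w in TRIGGER_WORDS if w in text.casefold()]


def canonical_hits(text):
    """The same match after canonicalization, so fragmented words rejoin."""
    return [w for w in TRIGGER_WORDS if w in canonicalize(text)]


def build_evasive_subject(word, tail=" reset required"):
    """Constructed attacker-style header: soft hyphens between every letter of
    `word`, wrapped in a Base64 encoded-word as RFC 2047 allows."""
    split = SOFT_HYPHEN.join(word)
    b64 = base64.b64encode((split + tail).encode("utf-8")).decode("ascii")
    return f"=?UTF-8?B?{b64}?="


def analyze_message(raw_message):
    """Parse an RFC 5322 message and report rendered subject, hidden codepoint
    count, and both match results."""
    msg = message_from_string(raw_message)
    subject = decode_subject(msg["Subject"])
    hidden = sum(1 for c in subject
                 if c in INVISIBLE or unicodedata.category(c) == "Cf")
    return {
        "rendered": subject,
        "hidden_codepoints": hidden,
        "naive_hits": naive_hits(subject),
        "canonical_hits": canonical_hits(subject),
    }


# Constructed sample message; addresses use the reserved .invalid TLD.
SAMPLE_MESSAGE = (
    "From: it-support@example.invalid\r\n"
    "To: user@example.invalid\r\n"
    f"Subject: {build_evasive_subject('Password')}\r\n"
    "\r\n"
    "Body omitted.\r\n"
)

if __name__ == "__main__":
    print(analyze_message(SAMPLE_MESSAGE))
```

The hidden_codepoints count is itself a useful indicator: legitimate multi-language mail rarely carries soft hyphens inside every word of a subject line.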
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in realtime and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://cybersecuritynews.com/new-phishing-attack-using-invisible-characters/
Aisuru Botnet is Behind Record 20Tb/sec DDoS Attacks
(TLP: CLEAR) Aisuru is a Mirai-variant IoT botnet that has recently carried out extremely large DDoS attacks, with peak traffic exceeding 20 Tbps, according to research from Netscout. The botnet is part of the broader “TurboMirai” family, known for harnessing large numbers of compromised consumer devices such as routers, CCTV systems, and other home and small-office equipment. Aisuru operators primarily rent the botnet as a DDoS-for-hire service, with most attacks targeting online gaming platforms rather than government networks. The botnet uses residential proxies to reflect HTTPS traffic and supports multiple attack methods, including UDP, TCP, and GRE floods. Some of these attacks exceeded 1 Tbps from infected customer devices alone, causing service degradation for broadband providers and, in some cases, router hardware failures. The attacks often balance bandwidth and packet volume, using medium-sized packets for sustained throughput, while smaller high-rate packet floods have overwhelmed line cards in carrier-grade routing equipment. In addition to DDoS, Aisuru has capabilities for credential stuffing, automated web scraping, phishing, and spam distribution. While traffic used in attacks is not spoofed—making traceback feasible—rapid reinfection and continuous expansion efforts highlight the resilience of the botnet.
(TLP: CLEAR) Comments: The Aisuru botnet represents the latest stage in the evolution of the Mirai malware lineage, which first emerged in 2016 when its source code was leaked publicly, enabling widespread replication and modification. Since then, numerous threat actors have produced increasingly optimized variants—collectively known as “TurboMirai”—that target consumer IoT devices with weak or default credentials. Aisuru fits squarely within this ecosystem, but its operational scale and sustained throughput mark a new threshold for offensive DDoS capability. Reports of attacks exceeding 20 Tbps demonstrate not only brute-force volume but also improved coordination across globally distributed residential networks. Unlike earlier Mirai variants that relied heavily on raw volumetric floods, Aisuru incorporates reflection techniques through residential proxy networks, enabling HTTPS-based DDoS attacks that blend more easily with normal encrypted traffic. This makes filtering significantly more difficult, particularly when traffic originates from legitimate ISP address space rather than spoofed sources. Additionally, the botnet’s ability to produce both high-bandwidth and high-packet-rate floods has demonstrated the capacity to push carrier-grade routing equipment into failure conditions, rather than merely overwhelming target servers. The operators’ emphasis on DDoS-as-a-service and targeting of gaming and commercial services reflects the current monetization trend in the botnet landscape—profit-driven disruption rather than political signaling. However, the same infrastructure could be redirected rapidly for strategic use if conflict dynamics shift, particularly in the context of hybrid warfare observed in recent geopolitical crises. The continued proliferation of insecure consumer IoT devices, combined with scalable command infrastructure, suggests that Aisuru and related TurboMirai-class botnets will remain a persistent and structurally difficult threat to mitigate.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”
(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect is operated by our dedicated, 24/7 Security Operations Center that works to mitigate attacks against infrastructure, applications, and supporting services. Their work is backed by industry-leading Service Level Agreements (SLAs) for mitigation timeliness and effectiveness.
Source: https://securityaffairs.com/183969/malware/aisuru-botnet-is-behind-record-20tb-sec-ddos-attacks.html
PHP Servers and IoT Devices Face Growing Cyber-Attack Risks
(TLP: CLEAR) Cybersecurity researchers from the Qualys Threat Research Unit (TRU) report a significant rise in attacks targeting PHP servers, IoT devices, and cloud gateways, largely driven by botnets such as Mirai, Gafgyt, and Mozi. These botnets are exploiting known vulnerabilities and cloud misconfigurations to expand their infrastructure and enable remote code execution and data theft. With PHP powering most web applications and many enterprises struggling with cloud configuration management, servers running platforms like WordPress remain high-value targets. The report highlights several actively exploited vulnerabilities, including ThinkPHP (CVE-2022-47945), Laravel Ignition (CVE-2021-3129), and PHPUnit (CVE-2017-9841), as well as misconfigured debugging tools and exposed AWS credential files on Linux systems. IoT devices continue to face risk due to outdated firmware, with recent exploitation of DVR command injection flaws linked to Mirai-style botnets. Researchers warn that compromised routers and IoT devices are increasingly used not only for DDoS attacks but also for credential-stuffing and large-scale authentication abuse. Cloud-native environments are similarly vulnerable, particularly when misconfigurations allow remote execution in services like Spring Cloud Gateway (CVE-2022-22947). The report concludes that low-skill attackers can now carry out these attacks using widely available exploit kits, emphasizing the need for visibility, patching, and controlled configuration practices.
(TLP: CLEAR) Comments: The observed surge in exploitation of PHP servers, IoT devices, and cloud gateways aligns with a broader trend in botnet expansion that directly feeds into increasingly large and sustained DDoS attack campaigns. Mirai, Gafgyt, and Mozi—originally known for harnessing vulnerable consumer routers, DVRs, and low-cost IoT hardware—continue to evolve by incorporating newly disclosed vulnerabilities and misconfigurations, allowing them to rebuild and expand botnet capacity even when takedowns occur. The exploitation of PHP-based web applications and cloud environments provides these groups with access to more stable, higher-bandwidth infrastructure, significantly amplifying their DDoS capabilities. Once compromised, servers running WordPress, ThinkPHP, or Laravel often act as high-throughput nodes that can generate substantial attack traffic, while IoT devices contribute massive parallelism. This layered botnet composition enables attackers to launch multi-vector DDoS operations that are both high-bandwidth and high-packet-rate, making them more difficult to mitigate at the network edge. As organizations continue shifting workloads to cloud platforms, exposed APIs and poorly controlled debugging tools create new entry points that attackers can automate at scale. The result is that even low-skill operators can assemble or rent powerful DDoS-as-a-Service infrastructures. The continued proliferation of vulnerable IoT devices, combined with persistent gaps in cloud configuration management, suggests that the operational capacity for large-scale DDoS attacks will continue to grow, particularly as threat actors leverage automation and AI-driven scanning tools to accelerate compromise cycles.
(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. “While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. “WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”
Request for Comments (RFC) 2827/Best Current Practice (BCP) 38: “Ingress traffic filtering at the periphery of Internet connected networks will reduce the effectiveness of source address spoofing denial of service attacks. Network service providers and administrators have already begun implementing this type of filtering on periphery routers, and it is recommended that all service providers do so as soon as possible. In addition to aiding the Internet community as a whole to defeat this attack method, it can also assist service providers in locating the source of the attack if service providers can categorically demonstrate that their network already has ingress filtering in place on customer links.”
(TLP: CLEAR) DigiCert: Digicert’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.
Digicert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://www.infosecurity-magazine.com/news/php-servers-and-iot-devices-cyber/
PolarEdge Botnet Infected 25,000+ Devices and 140 C2 Servers Exploiting IoT Vulnerabilities
(TLP: CLEAR) A new botnet known as PolarEdge has compromised more than 25,000 IoT and edge devices across 40 countries, establishing an extensive network of roughly 140 command-and-control (C2) servers. First documented in February 2025, PolarEdge is designed to function as an infrastructure-as-a-service platform, enabling advanced threat actors to hide their activity behind compromised devices. The botnet uses a client-server architecture, where infected devices run an RPX_Client module that connects to RPX_Server nodes hosted largely on Alibaba Cloud and Tencent Cloud. These servers act as proxy relays in a multi-hop communication chain that masks the true origin of malicious traffic, making attribution difficult. Infection activity surged in May 2025, with the highest concentration of compromised devices located in South Korea (42%), followed by China (20%) and Thailand (8%). Affected devices include CCTV systems, DVRs, routers, and UTM appliances from vendors such as KT, TVT, Cyberoam, Asus, Cisco, D-Link, and DrayTek. PolarEdge maintains persistence by modifying system initialization scripts and disguises its running processes to avoid detection. It communicates with C2 infrastructure using encrypted configurations and dedicated ports for proxying and remote command execution. The botnet is actively maintained, with operators able to migrate or upgrade nodes when exposed. Overall, PolarEdge represents a highly organized, resilient IoT proxy network optimized for covert operations, such as anonymizing cyberattacks or supporting further intrusion campaigns.
(TLP: CLEAR) Comments: PolarEdge’s design not only facilitates covert proxying and operational concealment but also makes the platform readily repurposable into a powerful DDoS asset. Its tens of thousands of compromised IoT endpoints, many with high uptime and direct consumer-grade bandwidth (CCTV, DVRs, routers), provide both the scale and diversity needed to mount multi-vector campaigns that combine high-bandwidth (UDP/TCP floods) and high-throughput (small-packet, high-pps) assaults. The RPX multi-hop relay architecture further amplifies the threat by obfuscating attacker origin and by enabling distributed amplification of traffic through chained proxies, which complicates traceback and increases the effort required for upstream mitigation. Operators can weaponize PolarEdge either directly (operator-launched campaigns) or commercially (DDoS-for-hire) with minimal extra tooling, and the botnet’s demonstrated capabilities for rapid C2 migration and self-upgrade raise the risk of prolonged or follow-on attacks. Finally, because the botnet traffic traverses many legitimate consumer connections, blunt perimeter filtering risks collateral service disruption for subscribers and downstream victims, shifting the remediation burden onto ISPs and coordinated mitigation services rather than individual defenders.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premises hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, DigiCert’s array of DDoS Protection services includes blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.
Source: https://cybersecuritynews.com/polaredge-botnet-infected-25000-devices/
Traffic Light Protocol (TLP)
Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.