DigiCert’s Open-Source Intelligence (OSINT) Report – October 3 – October 9, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Massive DDoS Attack Knocks Out Steam, Riot, and Other Services

(TLP: CLEAR) A record-breaking distributed denial-of-service (DDoS) attack disrupted the availability of several major gaming platforms, including Steam, Riot Games, Xbox, PlayStation, and Epic Games. The coordinated strike began just before 11 PM ET and was attributed to the Aisuru botnet, which is rumored to have generated an unprecedented 29.69 terabits per second (Tbps) of malicious traffic. If confirmed, that figure would surpass the previous publicly reported record of 22.2 Tbps. By the following day, service had been restored across the affected platforms. The event highlights the need for DDoS mitigation with enterprise-scale capacity, able to absorb multiple terabits per second of attack traffic.

(TLP: CLEAR) Comments: Organizations should treat the recent Aisuru attacks as a major DDoS threat. The botnet's earlier attacks mixed protocols, with some relying mainly on UDP, but the attack on the gaming platforms was predominantly TCP. TCP-based floods are especially damaging because they exploit the stateful nature of the TCP handshake and of session tracking: every half-open or malformed connection forces servers, firewalls, and load balancers to allocate memory and CPU, and that state is exhausted far more quickly than by a stateless UDP flood. Unlike UDP, which can often be rate-limited or filtered at the edge, TCP attack traffic blends into legitimate connection flows, making it harder to distinguish and allowing it to degrade critical infrastructure with greater precision and persistence. Host-side defenses such as SYN cookies reduce the per-connection state a server must keep, but they do nothing about the bandwidth and packet rate of a multi-terabit flood, so organizations should still seek high availability through providers with enterprise-scale scrubbing capacity.
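The state-exhaustion mechanism described above can be made concrete by replaying inbound TCP packets and counting handshakes that never complete. The following is an added example, not code from the report or from any DDoS vendor: it tracks half-open connections from constructed packet summaries, flags real sources that send many SYNs but finish few handshakes, and separately measures how full the listen backlog is, which is the signal that survives when every SYN comes from a different spoofed address. The addresses, ports, backlog size, and thresholds are all assumptions chosen for the example.

```python
"""Added example (not from the original report): tracking half-open TCP
connections from inbound packet summaries, the state that a TCP flood
exhausts on servers and firewalls.

Input is a constructed list of server-bound packets as
(src_ip, src_port, tcp_flags). Flags use tcpdump letters: "S" = SYN,
"A" = ACK. Only client-to-server packets are modelled; the server's
SYN-ACK is implicit. All addresses are from documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SourceStats:
    syns: int = 0        # SYNs seen from this source
    completed: int = 0   # handshakes finished with a client ACK


def track_handshakes(packets):
    """Replay packets in order. Returns (per-source stats, set of
    (src_ip, src_port) tuples still half-open at the end)."""
    pending = set()
    stats = defaultdict(SourceStats)
    for src_ip, src_port, flags in packets:
        key = (src_ip, src_port)
        if "S" in flags and "A" not in flags:      # bare SYN opens an entry
            pending.add(key)
            stats[src_ip].syns += 1
        elif "A" in flags and key in pending:      # third-step ACK completes it
            pending.discard(key)
            stats[src_ip].completed += 1
    return dict(stats), pending


def suspicious_sources(stats, min_syns=5, max_completion=0.2):
    """Sources that sent at least min_syns SYNs but completed few of them.
    Returns {src_ip: completion_ratio}. This catches a flood from a real
    (non-spoofed) source; spoofed floods need the aggregate check below."""
    flagged = {}
    for ip, s in stats.items():
        if s.syns >= min_syns:
            ratio = s.completed / s.syns
            if ratio <= max_completion:
                flagged[ip] = ratio
    return flagged


def backlog_pressure(pending, backlog_size):
    """Fraction of the listen backlog consumed by half-open entries.
    A spoofed SYN flood spreads one SYN per fake source, so per-source
    ratios look harmless while this number climbs toward 1.0."""
    return len(pending) / backlog_size


# Constructed sample traffic (assumed values, not captured data).
SAMPLE_PACKETS = (
    [("10.0.0.5", 40000 + i, "S") for i in range(4)]             # legitimate client
    + [("10.0.0.5", 40000 + i, "A") for i in range(4)]           # completes all four
    + [("203.0.113.7", 50000 + i, "S") for i in range(8)]        # flood from one real host
    + [("203.0.113.7", 50000, "A")]                              # only one completes
    + [(f"198.51.100.{i}", 1024 + i, "S") for i in range(1, 7)]  # spoofed sources, one SYN each
)


def analyze(packets=SAMPLE_PACKETS, backlog_size=16):
    """Assumed backlog of 16 entries, small enough for the sample to fill."""
    stats, pending = track_handshakes(packets)
    return {
        "flagged": suspicious_sources(stats),
        "half_open": len(pending),
        "backlog_pressure": backlog_pressure(pending, backlog_size),
    }


if __name__ == "__main__":
    print(analyze())
```

The per-source ratio catches the single real flooder (one completed handshake out of eight), while the six spoofed addresses never cross the per-source threshold; only the backlog measurement shows that thirteen of sixteen slots are held by connections that will never complete. In production the same two views come from conntrack or load-balancer counters rather than packet replay.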

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan that outlines the procedures to follow during a DDoS attack, including communication protocols and escalation paths. Additionally, organizations should use DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as DigiCert’s UltraDDoS Protect.

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.
Source: https://windowsreport.com/massive-ddos-attack-knocks-out-steam-riot-and-other-services/

ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims

(TLP: CLEAR) The cybercriminal group ShinyHunters, long known for large-scale data breaches and the sale of stolen information, has unveiled a new data leak platform called “Trinity of Chaos.” The site is designed to amplify the group’s extortion campaigns by publishing sensitive data from victims who refuse to pay, while also announcing new ransomware targets. By combining data theft with public exposure, ShinyHunters is adopting the “double extortion” model that has become a hallmark of modern ransomware operations. The launch of Trinity of Chaos was accompanied by the disclosure of several new victims, underscoring the group’s active targeting of organizations across industries. The site functions both as a pressure tactic, forcing companies to negotiate under the threat of reputational and regulatory damage, and as a marketing tool to showcase the group’s credibility within the cybercriminal ecosystem. The group is now positioning itself as a full-fledged ransomware operator with a structured leak site, branding, and timed releases. This evolution highlights the increasing professionalization of threat actors and signals that organizations must strengthen incident response, data protection, and threat intelligence to counter the growing sophistication of ransomware campaigns.

(TLP: CLEAR) Comments: ShinyHunters’ expanding ties with prominent cybercrime groups such as LAPSUS$ and Scattered Spider make this progression particularly concerning. These groups increasingly overlap in tactics, infrastructure, and even personnel, which erodes the distinctions between them and produces a closely connected network of threat actors. That overlap also gives them resilience against law enforcement: if one group is disrupted, the others can continue to operate under the “Trinity of Chaos” banner.

(TLP: CLEAR) Recommended best practices/regulations: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.

Source: https://securityaffairs.com/182918/cyber-crime/shinyhunters-launches-data-leak-site-trinity-of-chaos-announces-new-ransomware-victims.html

Discord Data Breach Exposes 1.5 TB of Data and 2 Million Government ID Photos

(TLP: CLEAR) Discord is facing a significant cybersecurity crisis after attackers compromised a third-party customer service provider, exposing sensitive user data. The breach, which occurred on September 20, 2025, involved unauthorized access to Zendesk systems used by Discord’s outsourced support team. The threat actors maintained access for nearly 58 hours by hijacking a support agent’s account, ultimately exfiltrating an estimated 1.5 terabytes of data. The attackers, identifying themselves as the group Scattered Lapsus$ Hunters (SLH), claim to have stolen more than 2.1 million government-issued identification photos, including driver’s licenses and passports submitted for age verification. Discord disputes these figures, stating that approximately 70,000 users were directly affected. In addition to ID images, the exposed data includes usernames, email addresses, partial billing details, IP addresses, and customer service message exchanges. Importantly, Discord confirmed that full credit card numbers, passwords, and private messages outside of support interactions were not compromised. Following the incident, Discord immediately severed ties with the vendor, revoked all third-party access, and launched an internal investigation with the help of forensic experts. The company is working with law enforcement and regulatory authorities while notifying impacted users.

(TLP: CLEAR) Comments: This breach underscores the growing risk of supply chain attacks, where adversaries exploit third‑party partners to infiltrate larger platforms. The theft of government IDs is particularly concerning, as it could enable identity fraud and long‑term exploitation. The incident highlights the urgent need for stronger vendor security controls and more cautious handling of sensitive verification data.

(TLP: CLEAR) Recommended best practices/regulations: RFC 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine if the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole.
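The RFC 9424 guidance quoted above and the resolver behaviour described in the paragraph before this one come down to one decision per query: does the name, or the address it resolves to, match an indicator, and if so, answer with a sinkhole instead of the real record. The following is an added example written for this report, not UltraDDR’s or any vendor’s code. It evaluates a constructed domain and IP IoC feed against query/answer pairs, matching domain indicators as suffixes so that subdomains of a listed name are caught, checking answer addresses against listed prefixes, and letting an explicit allowlist override the domain list. The feed contents, the allowlist, and the sinkhole address are assumptions.

```python
"""Added example (not the vendor's code): the allow/block/sinkhole decision
a protective resolver makes, using domain and IP indicators of compromise.

The IoC feed and the query/answer pairs below are constructed for the
example; the sinkhole address and the feed format are assumptions.
"""
import ipaddress

SINKHOLE = "192.0.2.1"   # assumed sinkhole address (documentation range)

# Constructed IoC feed. Domains are matched as suffixes, so subdomains of a
# listed name are blocked too; networks are matched against answer records.
IOC_DOMAINS = {"bad-c2.example", "phish.example.net"}
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]
ALLOWLIST = {"safe.bad-c2.example"}   # explicit exceptions to the domain list


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def domain_labels(name):
    """Yield the name and each parent: a.b.c -> a.b.c, b.c, c"""
    parts = normalize(name).split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def matches_domain_ioc(qname):
    """Return the matching indicator, or None. Allowlisted names are exempt
    from the domain list only; their answers are still checked."""
    qname = normalize(qname)
    if qname in ALLOWLIST:
        return None
    for candidate in domain_labels(qname):
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def matches_ip_ioc(answers):
    """Return the first answer address inside a listed network, or None."""
    for a in answers:
        try:
            addr = ipaddress.ip_address(a)
        except ValueError:       # CNAME or other non-address record data
            continue
        for net in IOC_NETWORKS:
            if addr in net:
                return a
    return None


def apply_policy(qname, upstream_answers):
    """Return (verdict, answers, reason). The query name is checked before
    anything goes upstream; the answer check catches fresh or fast-flux
    names that resolve into infrastructure already known to be bad."""
    hit = matches_domain_ioc(qname)
    if hit:
        return ("block", [SINKHOLE], f"domain IoC {hit}")
    hit = matches_ip_ioc(upstream_answers)
    if hit:
        return ("block", [SINKHOLE], f"answer IoC {hit}")
    return ("allow", list(upstream_answers), "")


if __name__ == "__main__":
    for q, ans in [("www.bad-c2.example.", ["192.0.2.10"]),
                   ("new-name.example", ["203.0.113.45"]),
                   ("example.org", ["192.0.2.10"])]:
        print(q, apply_policy(q, ans))
```

Two details matter in practice: the suffix walk means a feed entry for `bad-c2.example` also covers `www.bad-c2.example` without listing every host, and the answer-side check is what lets a resolver act on IP indicators even when the queried name has never been seen before.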

Source: https://gbhackers.com/discord-data-breach-exposes-1-5-tb-of-data/

RondoDox Botnet Exploits 50+ Vulnerabilities to Attack Routers, CCTV Systems and Web Servers

(TLP: CLEAR) The RondoDox botnet, discovered in early 2025, is a sophisticated malware campaign targeting routers, CCTV systems, web servers, and similar Internet-exposed devices. It exploits over 50 known vulnerabilities across various vendors including D-Link, Netgear, Cisco, TP-Link, and Hikvision. Built in Go, RondoDox is lightweight, cross-platform, and modular, allowing attackers to deploy tailored exploit payloads based on the target device. The infection process begins with automated scans for open Telnet (port 23), SSH (port 22), and HTTP interfaces. Once a vulnerable device is found, RondoDox delivers an exploit (for example CVE-2021-20090) to execute shell commands and install its payload. A key feature of the botnet is its encrypted command-and-control (C2) communication, which uses TLS over port 443 to mimic legitimate HTTPS traffic. This stealthy channel is reinforced by custom certificate bundles, making interception and analysis difficult.

After establishing C2 contact, the botnet loads additional modules directly into memory, including network scanners and DDoS tools. It also installs a persistence agent that survives reboots and firmware updates and can self-repair if removed. Persistence techniques vary by device, including crontab entries and firmware modifications.

(TLP: CLEAR) Comments: RondoDox’s broad exploit library, which spans both consumer and enterprise device vendors, combined with its stealthy C2 infrastructure makes it a significant threat to both kinds of environment. The use of TLS-encrypted C2 over port 443 is a clear attempt to evade traditional network monitoring. Because the payload itself is encrypted, analysts should focus on the metadata that remains visible: certificate attributes such as self-signed or unusually long-lived certificates and missing or mismatched server names, and beaconing from devices that have no business making outbound HTTPS connections. Deep packet inspection helps only where TLS interception is feasible, which is rarely the case for unmanaged embedded devices, so certificate anomaly detection on passive sensors is the more realistic control.
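The C2 channel described in the RondoDox write-up above, and the certificate anomaly detection recommended in the comments, can be turned into a concrete triage rule. The following is an added example written for this report, not code from the original article or from any RondoDox analysis: it scores the server certificate of each port-443 connection for traits a home-made certificate bundle tends to show (issuer equal to subject, validity longer than the current public-CA maximum, no SNI, SNI not covered by the SAN list, no SAN at all) and reports connections that accumulate several of them. The records imitate the fields a passive sensor such as Zeek’s ssl and x509 logs provide, but they are constructed, and the thresholds and the 398-day limit used as a reference point are assumptions of the example.

```python
"""Added example (not from the original report or any RondoDox analysis):
scoring TLS server certificates seen on port 443 for the traits a botnet
C2 with a custom certificate bundle tends to show. Records are constructed
to resemble Zeek ssl/x509 log fields; thresholds are assumptions.
"""
from datetime import datetime, timedelta

# Assumed reference point: publicly trusted certificates are capped at
# 398 days, so anything longer was not issued by a public CA.
MAX_PUBLIC_VALIDITY = timedelta(days=398)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d")


def san_matches(server_name, sans):
    """True if the SNI is covered by a SAN entry; a leading '*' wildcard
    matches exactly one label, as browsers enforce it."""
    for san in sans:
        if san.startswith("*."):
            suffix = san[1:]                      # ".example.org"
            if server_name.endswith(suffix) and server_name.count(".") == san.count("."):
                return True
        elif san == server_name:
            return True
    return False


def certificate_indicators(rec):
    """Return the list of anomaly tags for one connection record."""
    tags = []
    if rec["subject"] == rec["issuer"]:
        tags.append("self_signed")
    if _parse(rec["not_after"]) - _parse(rec["not_before"]) > MAX_PUBLIC_VALIDITY:
        tags.append("long_validity")
    sni = rec.get("server_name", "")
    sans = rec.get("san", [])
    if not sni:
        tags.append("sni_missing")
    elif not san_matches(sni, sans):
        tags.append("sni_mismatch")
    if not sans:
        tags.append("no_san")
    return tags


def flag_connections(records, min_tags=2):
    """Connections with at least min_tags indicators, as
    (orig_h, resp_h, tags). One indicator alone is common on legitimate
    internal services, so a single tag is deliberately not enough."""
    flagged = []
    for rec in records:
        tags = certificate_indicators(rec)
        if len(tags) >= min_tags:
            flagged.append((rec["orig_h"], rec["resp_h"], tags))
    return flagged


# Constructed sample records (assumed values, not captured data).
SAMPLE_RECORDS = [
    {   # normal browsing: CA-issued, SNI matches SAN, one-year validity
        "orig_h": "10.0.0.12", "resp_h": "192.0.2.50", "resp_p": 443,
        "server_name": "www.example.com", "subject": "CN=www.example.com",
        "issuer": "CN=Example Public CA", "not_before": "2025-01-01",
        "not_after": "2025-12-31", "san": ["www.example.com", "example.com"]},
    {   # camera on the LAN talking to an unknown host: self-signed,
        # ten-year certificate, no SNI, no SAN
        "orig_h": "10.0.0.33", "resp_h": "203.0.113.9", "resp_p": 443,
        "server_name": "", "subject": "CN=localhost", "issuer": "CN=localhost",
        "not_before": "2025-01-01", "not_after": "2035-01-01", "san": []},
    {   # SNI/SAN mismatch alone: one indicator, not enough by itself
        "orig_h": "10.0.0.12", "resp_h": "192.0.2.80", "resp_p": 443,
        "server_name": "cdn.example.net", "subject": "CN=update.example.org",
        "issuer": "CN=Example Public CA", "not_before": "2025-03-01",
        "not_after": "2026-02-28", "san": ["update.example.org", "*.example.org"]},
]


if __name__ == "__main__":
    for orig, resp, tags in flag_connections(SAMPLE_RECORDS):
        print(f"{orig} -> {resp}:443  {', '.join(tags)}")
```

The score is a triage signal, not a verdict: a self-signed, long-lived certificate on a vendor’s own management portal is normal, while the same certificate on an outbound connection from a CCTV device to an address outside the vendor’s ranges is the pattern worth an alert. Pair the tags with the device’s expected role and with beaconing cadence before escalating.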

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets, whether they reside in the cloud, multi-cloud, a data center, or a hybrid environment. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds.

Source: https://cybersecuritynews.com/rondodox-botnet-exploits-50-vulnerabilities/

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
