DigiCert’s Open-Source Intelligence (OSINT) Report – September 12 – September 18, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

AISURU Botnet: From Record-Breaking DDoS to Residential Proxy Empire

(TLP: CLEAR) The AISURU botnet, a sophisticated IoT-based malware network, has rapidly evolved from unleashing devastating distributed denial-of-service (DDoS) attacks to powering a lucrative residential proxy empire, as detailed in a September 19, 2025 SecurityOnline.info article. AISURU primarily targets vulnerable routers and embedded devices using exploits like those in CVE-2023-1389 (a Netgear router flaw) and Mirai variants for initial infection. Once compromised, devices join a vast command-and-control (C2) infrastructure leveraging Telegram channels and dynamic DNS for resilience, allowing seamless updates and evasion of takedowns. The botnet’s notoriety peaked with a record-shattering 11.5 Tbps DDoS assault on a major European financial institution, orchestrated via UDP floods and amplification techniques from over 300,000 hijacked routers across 100+ countries. This attack, peaking at 2.5 Tbps sustained, crippled services for hours, highlighting the dangers of unsecured IoT ecosystems. Beyond disruption, AISURU’s operators have pivoted to monetization, renting botnet nodes as residential proxies for $50–$200/month per 1,000 IPs, facilitating anonymous browsing, ad fraud, and credential stuffing for cybercriminals. Financially, the operation generates millions annually through underground marketplaces, with modular plugins enabling crypto-mining and spam alongside proxy services. Detection challenges stem from its use of legitimate-looking traffic and peer-to-peer propagation. Mitigation strategies include firmware updates, network segmentation, and behavioral monitoring via tools like Suricata for anomalous outbound connections. The article warns that AISURU’s dual-use model—disruption and stealthy profit—signals a new era of botnets as cybercrime-as-a-service platforms, urging global collaboration to dismantle such networks before they escalate.

(TLP: CLEAR) Comments: The AISURU botnet’s 11.5 Tbps DDoS attack underscores the escalating threat of IoT-based botnets. Its exploitation of CVE-2023-1389 and Mirai variants, combined with Telegram-driven C2, showcases advanced TTPs. The pivot to a residential proxy service, monetizing 300,000+ compromised devices for $50–$200/month, signals a sophisticated cybercrime-as-a-service model, enabling ad fraud and credential stuffing. Its global reach across 100+ countries complicates attribution and takedown. Mitigation requires robust IoT patch management and behavioral detection via tools like Suricata. Collaborative threat intelligence sharing is critical to disrupt this evolving threat.

(TLP: CLEAR) Recommended best practices/regulations: Critical Infrastructure and Security Agency Alert TA14-017A: “By design, UDP is a connection-less protocol that does not validate source Internet Protocol (IP) addresses. Unless the application-layer protocol uses countermeasures such as session initiation in Voice over Internet Protocol, an attacker can easily forge the IP packet datagram (a basic transfer unit associated with a packet-switched network) to include an arbitrary source IP address. [1] When many UDP packets have their source IP address forged to the victim IP address, the destination server (or amplifier) responds to the victim (instead of the attacker), creating a reflected denial-of-service (DoS) attack.”

(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.

Source: https://securityonline.info/aisuru-botnet-from-record-breaking-ddos-to-residential-proxy-empire/

Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery

(TLP: CLEAR) Threat actor Hazy Hawk is exposed for exploiting misconfigured DNS records to hijack abandoned cloud resources from high-profile entities. By targeting dangling CNAME records in services like Amazon S3, Microsoft Azure, Akamai, Bunny CDN, Cloudflare, GitHub, and Netlify, Hazy Hawk commandeers subdomains from organizations such as the U.S. CDC (discovered February 2025), global government agencies, universities, and corporations including Deloitte, PricewaterhouseCoopers, and Ernst & Young—operations dating back to at least December 2023.

Rather than espionage, Hazy Hawk leverages these trusted domains for low-level cybercrime, boosting search credibility to distribute malicious URLs via traffic distribution systems (TDSes). Attack chains involve cloning legitimate sites, luring users with porn or pirated content, and redirecting them to scams, fake apps, and push notification traps. These notifications flood devices with scareware, surveys, and more lures, perpetuating adtech affiliate profits through click monetization and spam.

Infoblox’s Jacques Portal and Renée Burton note the “seedy underworld of adtech” driving this, suspecting domain hijacking as a Russian-linked service. Hazy Hawk’s evasion tactics include URL redirections to hide origins. Mitigation emphasizes prompt removal of DNS CNAME records upon resource decommissioning for domain owners, while users should block notifications from unfamiliar sites. This underscores the risks of forgotten DNS entries fueling scalable, profitable scams in the advertising ecosystem.
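The mitigation named above, removing CNAME records as soon as the cloud resource behind them is decommissioned, is easiest to enforce when a zone is audited for dangling targets on a schedule. The following Python is an added example written for this report; it is not code from the article, Infoblox, or Vercara. The zone export, the takeover-prone suffix list and the resolver outcome table are all constructed, and the injected `resolve` callable is a hypothetical hook so the audit runs offline.

```python
"""Audit a DNS zone export for dangling CNAME records.

Added example for this report; not code from the article, Infoblox or Vercara.
"""
from typing import Callable, Dict, List, NamedTuple, Sequence, Tuple

# Constructed zone export: (owner name, CNAME target). Not real records.
ZONE_CNAMES: List[Tuple[str, str]] = [
    ("www.example.org.", "example-org.s3-website-us-east-1.amazonaws.com."),
    ("app.example.org.", "legacy-app.azurewebsites.net."),
    ("docs.example.org.", "example-docs.github.io."),
    ("cdn.example.org.", "example.b-cdn.net."),
]

# Hosted-service suffixes where a deleted tenant name can be re-registered by
# a third party (illustrative list; extend it from your providers' documentation).
TAKEOVER_PRONE_SUFFIXES = (
    ".s3.amazonaws.com.",
    ".s3-website-us-east-1.amazonaws.com.",
    ".azurewebsites.net.",
    ".github.io.",
    ".b-cdn.net.",
    ".netlify.app.",
)

# Constructed stand-in for a real lookup: target name -> DNS rcode observed.
FAKE_RESOLVER_TABLE: Dict[str, str] = {
    "example-org.s3-website-us-east-1.amazonaws.com.": "NXDOMAIN",  # bucket deleted
    "legacy-app.azurewebsites.net.": "NXDOMAIN",                    # app service removed
    "example-docs.github.io.": "NOERROR",
    "example.b-cdn.net.": "NOERROR",
}


class Finding(NamedTuple):
    owner: str
    target: str
    status: str  # rcode seen when resolving the target
    risk: str    # "high", "medium" or "ok"


def matches_prone_service(target: str) -> bool:
    """True when the CNAME target lives under a takeover-prone hosted service."""
    t = target.lower()
    return any(t.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)


def audit_cnames(records: Sequence[Tuple[str, str]],
                 resolve: Callable[[str], str]) -> List[Finding]:
    """Resolve each CNAME target and rate the record.

    NXDOMAIN on a takeover-prone service is rated high (someone else may be
    able to claim the name); NXDOMAIN elsewhere is a broken record (medium);
    anything that still resolves is left alone.
    """
    findings = []
    for owner, target in records:
        status = resolve(target)
        if status == "NXDOMAIN":
            risk = "high" if matches_prone_service(target) else "medium"
        else:
            risk = "ok"
        findings.append(Finding(owner, target, status, risk))
    return findings


def table_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline resolver backed by a table; unknown names count as NXDOMAIN."""
    return lambda name: table.get(name.lower(), "NXDOMAIN")


def cnames_to_remove(findings: Sequence[Finding]) -> List[str]:
    """Owner names whose CNAME should be deleted (the mitigation the article names)."""
    return [f.owner for f in findings if f.risk != "ok"]


if __name__ == "__main__":
    results = audit_cnames(ZONE_CNAMES, table_resolver(FAKE_RESOLVER_TABLE))
    for f in results:
        print(f"{f.risk:6} {f.owner:18} -> {f.target} ({f.status})")
    print("remove:", cnames_to_remove(results))
```

To run this against a live zone, replace `table_resolver(...)` with a function that calls dnspython's `dns.resolver.resolve(name, "A")` and returns `"NXDOMAIN"` when `dns.resolver.NXDOMAIN` is raised. For services such as S3 that answer DNS for any bucket name, the equivalent signal is the provider's "no such bucket/site" HTTP response rather than an NXDOMAIN, so add an HTTP probe for those suffixes.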

(TLP: CLEAR) Comments: Hazy Hawk’s exploitation of dangling DNS CNAME records to hijack domains from trusted entities like the CDC and major corporations is a stark reminder of persistent DNS vulnerabilities. Active since at least December 2023, its use of abandoned cloud resources for scam delivery via TDSes shows a low-sophistication, high-impact approach. The pivot to adtech-driven cybercrime, leveraging push notifications and cloned sites, highlights a profitable affiliate model, possibly offered as a service. Mitigation demands rigorous DNS hygiene, removing stale CNAME records, and user awareness to block unsolicited notifications. Tracking such actors requires enhanced DNS threat intelligence.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine if the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole. 
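The resolver-side model just described (blocklist, domain categories, a tenant policy, and a sinkhole for blocked names) can be sketched in a few dozen lines. The following Python is an added illustration and is not UltraDDR's code; the blocklist, category feed, policy sets and upstream answers are all constructed, and `decide` and `upstream_resolve` are hypothetical names chosen for the example.

```python
"""Minimal protective-DNS decision engine.

Added illustration of the resolver-side model described above; this is not
UltraDDR's code, and every feed and answer below is constructed.
"""
from typing import Callable, Dict, Iterable, List, NamedTuple, Optional

SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address standing in for a sinkhole

# Constructed threat-intel blocklist: domain -> indicator category.
# A match applies to the domain and everything beneath it.
BLOCKLIST: Dict[str, str] = {
    "bad-phish.example.": "phishing",
    "c2.evil.example.": "malware-c2",
}
# Constructed categorisation feed used for acceptable-use policy.
CATEGORIES: Dict[str, str] = {
    "gambling-site.example.": "gambling",
    "news.example.": "news",
}
BLOCKED_CATEGORIES = {"gambling"}   # categories this tenant's policy blocks
ALLOWLIST = {"news.example."}       # exceptions reviewed by the security team


class Decision(NamedTuple):
    qname: str
    action: str            # "allow" or "block"
    reason: str
    answer: Optional[str]  # address returned to the client


def normalise(qname: str) -> str:
    """Lower-case and make fully qualified so feed lookups are consistent."""
    q = qname.strip().lower()
    return q if q.endswith(".") else q + "."


def ancestors(qname: str) -> List[str]:
    """qname itself, then each parent domain (root excluded)."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def first_match(names: Iterable[str], qname: str) -> Optional[str]:
    """Closest name in `names` that is qname or one of its parents."""
    names = set(names)
    for candidate in ancestors(qname):
        if candidate in names:
            return candidate
    return None


def decide(qname: str, upstream_resolve: Callable[[str], str]) -> Decision:
    """Apply allowlist, IoC blocklist and category policy before recursing upstream."""
    q = normalise(qname)
    if first_match(ALLOWLIST, q):
        # Allowlisting a parent also allows its children; keep entries narrow.
        return Decision(q, "allow", "allowlist", upstream_resolve(q))
    hit = first_match(BLOCKLIST, q)
    if hit:
        return Decision(q, "block", f"ioc:{BLOCKLIST[hit]}", SINKHOLE_IP)
    cat_name = first_match(CATEGORIES, q)
    if cat_name and CATEGORIES[cat_name] in BLOCKED_CATEGORIES:
        return Decision(q, "block", f"policy:{CATEGORIES[cat_name]}", SINKHOLE_IP)
    return Decision(q, "allow", "upstream", upstream_resolve(q))


def fake_upstream(qname: str) -> str:
    """Constructed upstream answer; a real deployment recurses to the Internet."""
    return "203.0.113.10"


if __name__ == "__main__":
    for name in ["www.bad-phish.example", "gambling-site.example",
                 "news.example", "shop.example"]:
        print(decide(name, fake_upstream))
```

The parent-domain walk in `ancestors` is what makes a single blocklist entry cover every subdomain an attacker rotates beneath it; the allowlist is checked first so that a confirmed false positive can be cleared without editing the feed, which is also why allowlist entries should be as specific as possible.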

Source: https://thehackernews.com/2025/05/hazy-hawk-exploits-dns-records-to.html

Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims

(TLP: CLEAR) Recent research has connected financial sector cyberattacks to Scattered Spider, contradicting the group’s claim of ceasing operations alongside 14 other cybercrime groups, including LAPSUS$. Part of the loose “The Com” network, Scattered Spider targeted U.S. banks through social engineering, notably resetting an executive’s password via Azure Active Directory Self-Service Password Management. Attackers accessed sensitive IT documents, navigated laterally through Citrix and VPN, compromised VMware ESXi to extract credentials, and escalated privileges by modifying Veeam accounts and Azure permissions, while attempting data theft from Snowflake, AWS, and other platforms. The group’s renewed activity includes creating finance-focused lookalike domains. Scattered Spider overlaps with ShinyHunters and LAPSUS$, forming a collective dubbed “scattered LAPSUS$ hunters.” ShinyHunters has conducted extortion using Salesforce data stolen months after initial breaches by groups like UNC6040. The retirement announcement is a tactic to dodge law enforcement, refine methods, or rebrand. The article emphasizes ongoing vigilance, as cybercrime groups often pause and resurface under new names rather than truly disband. This underscores the persistent, evolving threat from sophisticated, financially driven cybercriminals.

(TLP: CLEAR) Comments: Scattered Spider’s return, despite their “retirement” claim, shows how slippery cybercrime groups can be. Their focus on banks, using social engineering to trick executives and sneak into systems like Azure and VMware, is clever and dangerous. They’re stealing data from big platforms like Snowflake and AWS, then demanding ransoms. Their ties to ShinyHunters and LAPSUS$ make them part of a bigger, adaptable hacking network. The “retirement” seems like a dodge to avoid police while they potentially re-emerge under a new name.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented or detected and addressed. 

An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. The deployed anti-malware solution(s):

  • Detects all known types of malware.
  • Removes, blocks, or contains all known types of malware. 

Any system components that are not at risk for malware are evaluated periodically to include the following:

  • A documented list of all system components not at risk for malware.
  • Identification and evaluation of evolving malware threats for those system components.
  • Confirmation whether such system components continue to not require anti-malware protection. 

The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”

Section 5.2 lays out requirements for malware detection and blocking across all devices in the Cardholder Data Environment. Every device inside the CDE should have malware protection that is kept updated and monitored, with action taken when an infection is detected.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.

Source: https://thehackernews.com/2025/09/scattered-spider-resurfaces-with.html

New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site

(TLP: CLEAR) Sources have uncovered a new campaign using a variant of the FileFix social engineering tactic to distribute the StealC information stealer malware. The attack begins with a multilingual phishing site mimicking a Facebook Security page, warning users of account suspension due to policy violations. Victims are prompted to appeal by clicking a button, leading to a heavily obfuscated page with anti-analysis techniques like junk code and fragmentation.

The FileFix method tricks users into copying a seemingly harmless file path into File Explorer’s address bar, but what is pasted is a hidden PowerShell command padded with extra spaces. This command downloads innocuous-looking images from a Bitbucket repository, decodes them into a Go-based loader, and executes shellcode to deploy StealC. Unlike ClickFix, FileFix leverages browser file upload features, making it harder to block via admin restrictions; on the other hand, because the command is spawned from the browser, it is potentially easier to detect. The campaign shows sophisticated engineering for evasion and impact.

Separately, Doppel reported similar attacks combining fake support portals, Cloudflare CAPTCHA pages, and ClickFix to run PowerShell scripts delivering AnyDesk, TeamViewer, stealers, and clippers. Variants use MSHTA commands from lookalike domains. AHK scripts are weaponized for host profiling and payload delivery, highlighting evolving social engineering threats.
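The two observations above, that FileFix commands are spawned from the browser and that the ClickFix variants launch MSHTA against lookalike domains, translate directly into process-creation detections. The following Python is an added example written for this report, not code from the article or the vendors it cites; the events are constructed and assumed to be already normalised from Sysmon Event ID 1 or Windows Event 4688 into dicts with `image`, `parent` and `cmdline` fields, and the rule names are hypothetical.

```python
"""Flag process-creation events consistent with FileFix/ClickFix-style execution.

Added example; not code from the article or the vendors it cites. Events are
constructed and assumed already normalised from Sysmon Event ID 1 / Windows 4688
into dicts with `image`, `parent` and `cmdline` fields.
"""
import re
from typing import Dict, List

# Script hosts and interpreters that a browser should not normally spawn directly.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# A long run of whitespace inside a command line is unusual for legitimate
# automation and matches the padding the article describes.
PADDING_RE = re.compile(r"\s{15,}")
REMOTE_URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample telemetry (placeholder command content, not a real payload).
EVENTS: List[Dict[str, object]] = [
    {"id": 1, "image": "powershell.exe", "parent": "chrome.exe",
     "cmdline": 'powershell.exe -w hidden -c "<placeholder>"' + " " * 40
                + r"C:\Users\alice\Documents\appeal.pdf"},
    {"id": 2, "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"id": 3, "image": "mshta.exe", "parent": "cmd.exe",
     "cmdline": "mshta.exe https://support-portal.invalid/verify.hta"},
    {"id": 4, "image": "chrome.exe", "parent": "explorer.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
]


def classify(event: Dict[str, object]) -> List[str]:
    """Return the detection labels that apply to one process-creation event."""
    image = str(event["image"]).lower()
    parent = str(event["parent"]).lower()
    cmdline = str(event["cmdline"])
    labels = []
    if image in INTERPRETERS and parent in BROWSERS:
        labels.append("interpreter-spawned-by-browser")   # FileFix pattern
    if image in INTERPRETERS and PADDING_RE.search(cmdline):
        labels.append("whitespace-padded-command")
    if image == "mshta.exe" and REMOTE_URL_RE.search(cmdline):
        labels.append("mshta-remote-url")                 # lookalike-domain MSHTA
    return labels


def triage(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map event id -> labels for every event that triggered at least one rule."""
    hits: Dict[int, List[str]] = {}
    for event in events:
        labels = classify(event)
        if labels:
            hits[int(event["id"])] = labels
    return hits


if __name__ == "__main__":
    for event_id, labels in triage(EVENTS).items():
        print(event_id, labels)
```

The browser-parent rule is the high-confidence one: a scheduled backup script launched from Explorer (event 2) is left alone, while an interpreter whose parent is a browser has almost no legitimate cause. The padding and remote-URL rules are weaker on their own and are better used to raise the severity of an alert that already fired.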

(TLP: CLEAR) Comments: The new FileFix variant delivering StealC malware via a multilingual phishing campaign is a clever escalation of social engineering tactics. By exploiting File Explorer’s address bar instead of the Run dialog, attackers bypass traditional admin blocks, showing their adaptability. Using Bitbucket to host malicious payloads disguised as images is a smart move to evade detection, while the obfuscated phishing site mimicking Facebook Security adds credibility to the lure. The shift to browser-based execution, though, may aid detection efforts. This underscores the need for user awareness training, robust endpoint monitoring, and filtering suspicious downloads to counter such evolving threats.

(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users. 

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.

Source: https://thehackernews.com/2025/09/new-filefix-variant-delivers-stealc.html


About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
