Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS-for-Hire Service
(TLP: CLEAR) ShadowV2 is a newly observed DDoS‑for‑hire botnet, identified by Darktrace, that preys on misconfigured Docker containers in AWS environments (particularly EC2) to build its attack infrastructure. Attackers initially target exposed or improperly secured Docker APIs with a Python‑based spreader that spins up a generic container, installs tooling, builds a custom image inside the victim environment, and executes a Go‑based ELF payload that maintains a persistent heartbeat to a FastAPI/Pydantic‑based command‑and‑control (C2) server (hosted behind Cloudflare) for tasking. The botnet supports advanced attack techniques including HTTP/2 Rapid Reset and multi‑vector HTTP floods, and it incorporates mechanisms to evade protections such as Cloudflare’s “Under Attack” mode by using browser automation (ChromeDP) to solve JavaScript challenges and reuse clearance cookies to make malicious traffic appear legitimate. The C2 exposes an operator UI and APIs to manage users, select attack types, and configure targets and exclusions, effectively packaging the infrastructure as a rent‑a‑service DDoS offering.
(TLP: CLEAR) Comments: The campaign highlights the persistent risk of insecure container configurations and cloud mismanagement, the increasing sophistication of botnet tooling and operator interfaces, and the ability of attackers to circumvent challenge‑based mitigations. Defenders should therefore ensure Docker daemons are not publicly exposed, enforce strict image/build controls and logging within container environments, employ layered DDoS defenses and anomaly detection for heartbeat/polling behavior, and monitor for automated browser activity and unusual outbound connections indicative of C2 communication.
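The heartbeat/polling anomaly detection mentioned above, as an added example that is not from the article or from Darktrace's research: it groups outbound connections by host pair and flags pairs whose inter-connection intervals are nearly constant. The flow records, the 30-second period, and the thresholds are constructed.

```python
"""Flag host pairs whose outbound connections recur at near-constant intervals,
the heartbeat pattern a C2 implant produces. Added example; flow log is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow log, one "timestamp src dst:port" record per line.
FLOWS = """\
2025-09-24T10:00:00 10.0.1.5 203.0.113.7:443
2025-09-24T10:00:30 10.0.1.5 203.0.113.7:443
2025-09-24T10:01:00 10.0.1.5 203.0.113.7:443
2025-09-24T10:01:31 10.0.1.5 203.0.113.7:443
2025-09-24T10:02:00 10.0.1.5 203.0.113.7:443
2025-09-24T10:02:30 10.0.1.5 203.0.113.7:443
2025-09-24T10:00:05 10.0.1.9 198.51.100.2:443
2025-09-24T10:00:07 10.0.1.9 198.51.100.2:443
2025-09-24T10:01:40 10.0.1.9 198.51.100.2:443
2025-09-24T10:07:12 10.0.1.9 198.51.100.2:443
2025-09-24T10:09:03 10.0.1.9 198.51.100.2:443
2025-09-24T10:09:30 10.0.1.9 198.51.100.2:443
"""


def parse_flows(text: str) -> dict:
    """Group connection timestamps by (src, dst:port)."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def beacon_candidates(pairs: dict, min_events: int = 5, max_cv: float = 0.15) -> list:
    """Return (src, dst, mean_interval_s, cv) for pairs with low interval jitter.
    cv = stdev/mean of the gaps; a human-driven session has high cv, a beacon has low cv."""
    out = []
    for (src, dst), times in pairs.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            out.append((src, dst, round(m, 1), round(cv, 3)))
    return out


if __name__ == "__main__":
    for hit in beacon_candidates(parse_flows(FLOWS)):
        print("possible beacon:", hit)
```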
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”
(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and more than 15 Tbps of DDoS mitigation capacity to keep customers available and performant under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that constantly updates mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://thehackernews.com/2025/09/shadowv2-botnet-exploits-misconfigured.html
Researchers Expose SVG and PureRAT Phishing Threats Targeting Ukraine and Vietnam
(TLP: CLEAR) Researchers have uncovered a novel attack vector leveraging SVG (Scalable Vector Graphics) files to deliver and obfuscate a PureRAT remote access trojan payload. SVGs—being XML‑based image files capable of embedding scripts—are abused to carry hidden JavaScript that, when the SVG is viewed or rendered in a browser, decodes and instantiates a malicious payload (often via Base64 transformations).
(TLP: CLEAR) Comments: The embedded script triggers a dropper or downloader that retrieves the PureRAT binary, which establishes persistence and contacts a command‑and‑control (C2) server to receive further instructions. The PureRAT implant can execute arbitrary commands, exfiltrate data, capture system details, log keystrokes, and give the operator full remote control. Coupling SVG abuse with PureRAT lets attackers exploit the trust typically placed in image files and bypass many static detection mechanisms. The campaign underscores the need for defensive controls around image rendering and file inspection, sanitization of SVG/script content, strict allow-listing of file types, and runtime monitoring for unusual script execution originating from image formats.
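One way to implement the SVG inspection recommended above, as an added example that is not from the article or the researchers it cites: the parser walks the SVG's XML tree and reports script elements, event-handler attributes, javascript: URIs, foreignObject, and long Base64-like blobs inside scripts. The two sample SVGs are constructed; the check is a mail-gateway or upload-filter heuristic, not a full sanitizer.

```python
"""Flag SVG files that carry active content (script, on* handlers, javascript: URIs).
Added example; the sample SVGs are constructed."""
import re
import xml.etree.ElementTree as ET

# Runs of 80+ Base64 characters inside a <script> suggest an embedded encoded payload.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")

BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<circle cx="5" cy="5" r="4"/></svg>')

MALICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="go()">'
    '<script>var p = atob("' + "QUFB" * 25 + '"); eval(p);</script>'
    '<a href="javascript:go()"><text>open</text></a></svg>'
)


def svg_findings(svg_text: str) -> list:
    """Return a list of human-readable findings; empty means nothing active was seen."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip the namespace prefix
        if tag == "script":
            findings.append("script element")
            if el.text and B64_RUN.search(el.text):
                findings.append("long base64-like blob inside script")
        if tag == "foreignobject":
            findings.append("foreignObject element (can embed HTML)")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()       # handles xlink:href as well
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI on <{tag}>")
    return findings


def is_active_svg(svg_text: str) -> bool:
    return bool(svg_findings(svg_text))


if __name__ == "__main__":
    print("benign:", svg_findings(BENIGN_SVG))
    print("malicious:", svg_findings(MALICIOUS_SVG))
```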
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depends on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attributes and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
Source: https://thehackernews.com/2025/09/researchers-expose-svg-and-purerat.html
New MacOS XCSSET Variant Targets Firefox with Clipper and Persistence Module
(TLP: CLEAR) The newly observed XCSSET variant extends the family’s macOS espionage toolkit by specifically targeting Firefox and adding a clipboard‑clipper plus a dedicated persistence module: initial compromise continues to leverage trojanized macOS apps, compromised Xcode projects, or social‑engineered installers to drop a Mach‑O implant, after which the payload performs environment checks and establishes persistence (commonly via LaunchAgents/LaunchDaemons, login items, or manipulated application bundles and plist entries). Once resident, the implant injects into or hooks Firefox—either by tampering with extension files or using process injection/IPC—to monitor web pages and intercept sensitive operations, while a clipper component opportunistically monitors the system clipboard and replaces copied cryptocurrency addresses (and potentially other financial identifiers) with attacker‑controlled values.
(TLP: CLEAR) Comments: The persistence module hardens against removal by re‑deploying helpers, protecting its files (obfuscation/packing), and reinstalling launch entries if they are deleted; C2 communications are performed over encrypted channels with periodic beacons for tasking, data exfiltration, and additional payload retrieval. Evasion techniques include selective activation (sandbox/VM checks), obfuscated strings and payloads, and use of legitimate browser extension paths to blend with benign artefacts. Defenders should treat unexpected LaunchAgent/login‑item changes as high priority, inspect Firefox extension manifests and profiles for unauthorized modifications, monitor clipboard activity and outgoing connections for anomalous domains or heartbeat patterns, enforce code signing and application integrity for developer tooling, apply endpoint detection for injected processes and browser‑hook indicators, and block or scrutinize suspicious outbound TLS endpoints to disrupt C2.
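A LaunchAgent/LaunchDaemon plist audit of the kind the Comments recommend, as an added example that is not from the article or from the XCSSET research: it parses a launchd plist and reports programs under world-writable or hidden paths and RunAtLoad+KeepAlive persistence. The sample plist, its label, and the path prefixes treated as suspicious are constructed; on a real host you would feed it each file under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.

```python
"""Audit launchd plists for persistence traits worth a closer look.
Added example; SAMPLE_PLIST and the suspicious prefixes are constructed."""
import plistlib
from pathlib import PurePosixPath

# Locations any local user can write to; a launch item pointing here deserves review.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.cache/agent</string><string>-d</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""


def audit_launch_plist(data: bytes) -> list:
    """Return findings for one plist (bytes); an empty list means nothing stood out."""
    findings = []
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed XML or unknown plist format
        return [f"unparseable plist: {exc}"]
    program = plist.get("Program") or (plist.get("ProgramArguments") or [None])[0]
    if not program:
        findings.append("no Program/ProgramArguments key")
    else:
        if program.startswith(SUSPICIOUS_PREFIXES):
            findings.append(f"program in world-writable location: {program}")
        if any(part.startswith(".") for part in PurePosixPath(program).parts):
            findings.append(f"program under hidden (dot) path: {program}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunches at login and restarts if killed")
    return findings


if __name__ == "__main__":
    for finding in audit_launch_plist(SAMPLE_PLIST):
        print("-", finding)
```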
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://thehackernews.com/2025/09/new-macos-xcsset-variant-targets.html
17,500 Phishing Domains Target 316 Brands Across 74 Countries in Global PhaaS Surge
(TLP: CLEAR) The article reports on a significant rise in “Phishing as a Service” (PhaaS) activity, in which operators of platforms such as Lucid and Lighthouse have deployed over 17,500 phishing domains that impersonate 316 brands across 74 countries. The PhaaS model allows subscribers to rent phishing infrastructure, complete with prebuilt templates, real‑time monitoring, and user targeting capabilities. Lucid, linked to a Chinese‑speaking threat actor group called XinXin (also known as changqixinyun), enables campaigns across numerous industries (government, finance, postal, etc.) and includes targeting controls such as user‑agent filtering, geographic proxy constraints, and path restrictions so that only intended victims see the phishing content. Lighthouse offers template customization and operator dashboards, with subscriptions ranging from weekly to annual plans (~USD 88/week to USD 1,588/year). The two platforms overlap in infrastructure and targeting patterns, pointing to collaboration or shared tooling in the PhaaS ecosystem.
(TLP: CLEAR) Comments: In these campaigns, attackers also employ homoglyph domains (e.g. using the Japanese Hiragana character “ん” to mimic legitimate domain names), with over 600 domains spotted in scams targeting cryptocurrency users. The phishing domains often masquerade as browser extension sites (for wallets like Phantom, MetaMask, OKX, etc.), luring users into installing fake extension‑wallets that harvest credentials or seed phrases. The article notes that these campaigns are also shifting from modern communication channels (e.g. Telegram) back to email-based phishing due to email’s federated nature and takedown resilience. Additionally, many phishing kits now integrate APIs (e.g. via EmailJS) to harvest login credentials and 2FA codes without requiring attackers to host backend infrastructure. Overall, the surge in PhaaS activity underlines the increasing commoditization of phishing, with highly scalable, low-barrier platforms enabling widespread brand impersonation and threat actor monetization.
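Two of the textual domain checks this report touches on, as one added example that is not from the article or from any DigiCert/Vercara product: the mixed-script test catches labels that pair Latin letters with a character such as the Hiragana “ん” described above, and the entropy test implements the “high entropy” DGA heuristic from the CISA PDNS guidance quoted earlier. The sample domains and the thresholds (3.5 bits, 10 characters) are constructed, and the script classification uses the first word of each character's Unicode name as an approximation.

```python
"""Textual domain heuristics: mixed-script (homoglyph) labels and high-entropy
DGA-style labels. Added example; thresholds and sample domains are constructed."""
import math
import unicodedata


def shannon_entropy(s: str) -> float:
    """Bits per character; log2(len(s)) is the maximum, reached when no character repeats."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scripts_in(label: str) -> set:
    """Approximate script per letter from the first word of its Unicode name
    ("LATIN", "HIRAGANA", "CYRILLIC", ...); digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def assess_domain(domain: str, entropy_threshold: float = 3.5, min_len: int = 10) -> list:
    """Return a list of findings for each label of the domain; empty means nothing fired."""
    findings = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):  # decode punycode so homoglyphs become visible
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                findings.append(f"undecodable punycode label {label!r}")
                continue
        scripts = scripts_in(label)
        if len(scripts) > 1:          # e.g. LATIN mixed with HIRAGANA
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
        if len(label) >= min_len and shannon_entropy(label) > entropy_threshold:
            findings.append(f"high-entropy label {label!r} ({shannon_entropy(label):.2f} bits)")
    return findings


if __name__ == "__main__":
    for d in ["google.com", "paypal.comん-login.example", "xk3j9qwm2zpl7rtvbn.net"]:
        print(d, "->", assess_domain(d) or "no findings")
```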
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://thehackernews.com/2025/09/17500-phishing-domains-target-316.html
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.