Vercara’s Open-Source Intelligence (OSINT) Report – April 04 – April 10, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

WinRAR Flaw Bypasses Windows Mark of the Web Security Alerts 

(TLP: CLEAR) Recent intelligence reporting has highlighted a newly discovered vulnerability in WinRAR that lets threat actors bypass Windows’ “Mark of the Web” (MotW) security feature, stripping away the warning prompts that form a critical layer of defense against untrusted and potentially malicious files. By exploiting this weakness, threat actors can deliver payloads that are not flagged with the MotW identifier, evading the security prompts users would normally receive when opening internet-delivered content. This enables adversaries to execute arbitrary code without user awareness, facilitating stealthy malware infections.

The bug, tracked as CVE-2025-31334, stems from WinRAR’s improper handling of symbolic links embedded within specially crafted archive files such as .RAR or .ZIP: when a symbolic link inside an Internet-sourced archive points to an executable and the executable is launched through that link, the MotW data is ignored and no warning is shown. It impacts all versions of WinRAR prior to 7.11. The technique directly undermines a primary defense against phishing and social engineering and enables seamless delivery of high-risk malware such as loaders, information stealers, and remote access trojans.

Recent reporting also references a cyber-attack in which Russian threat actors exploited a similar vulnerability in the 7-Zip archiver, which failed to carry MotW over to a file nested inside another archive. That oversight allowed the threat actors to discreetly execute the SmokeLoader dropper, slipping past user warnings and traditional detection mechanisms.
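
The following is an added example, not code from the original report or from WinRAR. On NTFS, MotW is an alternate data stream named Zone.Identifier containing INI-style text (ZoneId=3 means “from the Internet”). The script parses that stream, builds the stream an extractor should write to propagate the tag, and audits an extracted tree for entries that should be tagged but are not, resolving symbolic links to their targets so the gap described above (a link whose executable target carries no tag) is caught. The file paths and streams below are constructed sample data; read_zone_identifier reads the real stream only on Windows.

```python
"""Audit extracted archive contents for missing Mark-of-the-Web (MotW).

Added example, not code from the original report or from WinRAR. The paths
and Zone.Identifier contents in SAMPLE_* are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ZONE_INTERNET = 3  # ZoneId Windows writes for content downloaded from the Internet


def parse_zone_identifier(stream: Optional[str]) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if absent/malformed."""
    if not stream:
        return None
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def build_zone_identifier(zone_id: int, referrer_url: str = "", host_url: str = "") -> str:
    """Build the stream text an extractor should write to propagate MotW."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer_url:
        lines.append(f"ReferrerUrl={referrer_url}")
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the real ADS on Windows/NTFS; None on other platforms or when absent."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


@dataclass
class Entry:
    path: str
    zone_stream: Optional[str]            # Zone.Identifier content, if the file has one
    symlink_target: Optional[str] = None  # set when the entry is a symbolic link


def untagged_entries(archive_zone_stream: Optional[str], entries: list[Entry]) -> list[str]:
    """Paths that should carry ZoneId=3 (because the archive did) but do not.

    A symlink is judged by its target: the target is what actually executes,
    so a tagged link over an untagged executable still counts as untagged.
    """
    if parse_zone_identifier(archive_zone_stream) != ZONE_INTERNET:
        return []  # archive was not from the Internet zone; nothing to propagate
    by_path = {e.path: e for e in entries}
    missing = []
    for e in entries:
        target = by_path.get(e.symlink_target) if e.symlink_target else e
        if target is None or parse_zone_identifier(target.zone_stream) != ZONE_INTERNET:
            missing.append(e.path)
    return missing


# Constructed sample (hypothetical paths): an Internet-zone archive where the
# extractor tagged the text file but not the executable reached through a link.
SAMPLE_ARCHIVE_STREAM = build_zone_identifier(3, host_url="https://example.invalid/pack.rar")
SAMPLE_ENTRIES = [
    Entry("out/readme.txt", build_zone_identifier(3)),
    Entry("out/tool.exe", None),
    Entry("out/start.exe", None, symlink_target="out/tool.exe"),
]

if __name__ == "__main__":
    for p in untagged_entries(SAMPLE_ARCHIVE_STREAM, SAMPLE_ENTRIES):
        print("MotW missing:", p)
```

On a Windows host the same audit can be run against a real extraction by feeding each file’s read_zone_identifier() result into an Entry; anything the function reports is content that SmartScreen and Office Protected View will not be warned about.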

(TLP: CLEAR) Comments: According to reporting, WinRAR addressed the vulnerability in version 7.11, and users are strongly advised to update immediately. Systems running unpatched versions remain exposed to silent infections that can easily evade traditional security controls. Because MotW is also the trigger for downstream protections such as SmartScreen reputation checks and Office Protected View, a stripped tag disables those controls as well, not just the warning prompt.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Requirement 6.4.1: “For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows:

Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows:

  • By an entity that specializes in application security.
  • Including, at a minimum, all common software attacks in Requirement 6.2.4.
  • All vulnerabilities are ranked in accordance with requirement 6.3.1.
  • All vulnerabilities are corrected.
  • The application is re-evaluated after the corrections.

OR

Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:

  • Installed in front of public-facing web applications to detect and prevent web-based attacks.
  • Actively running and up to date as applicable.
  • Generating audit logs.
  • Configured to either block web-based attacks or generate an alert that is immediately investigated.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated, along with granular input validation controls and traffic filtering measures for flexibility.  UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks. 
Source: https://www.bleepingcomputer.com/news/security/winrar-flaw-bypasses-windows-mark-of-the-web-security-alerts/ 

New Mirai Botnet Behind Surge in TVT DVR Exploitation 

(TLP: CLEAR) Earlier this month, a dramatic escalation in exploitation attempts against TVT NVMS9000 DVRs was observed, with over 2,500 unique IP addresses actively probing for exposed systems. According to recent reporting, the campaign exploits a critical information disclosure vulnerability, first documented in May 2024, that lets threat actors extract administrative credentials in plaintext via a single TCP packet. Because the leaked credentials grant administrative access, the bug amounts to a complete authentication bypass, giving adversaries unfettered ability to execute high-privilege commands on compromised devices. The vulnerability’s simplicity and severity make it a prime vector for large-scale attacks against systems integral to security and surveillance operations.

Additional intelligence reporting attributes the activity to a Mirai-derived malware variant, a family notorious for conscripting Internet of Things (IoT) devices into botnets. Such networks are typically weaponized to route illicit traffic, conduct cryptojacking, or launch distributed denial-of-service (DDoS) attacks that disrupt critical services. Over the past 30 days, security analysts have logged approximately 6,600 distinct malicious IPs involved in this campaign, all verified as non-spoofable (the sources completed real TCP sessions rather than sending forged packets), highlighting the coordinated nature of the threat. According to reporting, the majority of the malicious IPs originate in the Asia-Pacific region, led by Taiwan (3,637 IPs), Japan (809 IPs), and South Korea (542 IPs). Targeted devices were predominantly located in Western nations, with the United States (6,471 IPs), the United Kingdom (5,738 IPs), and Germany (5,713 IPs) bearing the brunt of the attacks.

This geographical pattern suggests a deliberate strategy to exploit surveillance infrastructure in high-value regions, potentially compromising sensitive video feeds or enabling further network infiltration.
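
As an added example (not from the original report or from the reporting it cites), the script below shows the two detections a network defender would want for this campaign: sources that sweep many DVRs on the DVR service port within a short window (the mass probing described above), and DVRs that begin originating outbound connections, which a recording appliance should never do and which matches the “abnormal outbound traffic” indicator. The connection-log lines, the service port (9000) and the camera VLAN prefix (10.50.0.0/16) are constructed assumptions for illustration, not values from the report.

```python
"""Flag mass probing of a DVR service and conscripted devices from connection logs.

Added example, not code from the original report. The log format, the DVR
service port and the camera-VLAN prefix are assumptions for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

DVR_PORT = 9000                           # assumption: TCP port the DVR service listens on
CAMERA_VLAN = ip_network("10.50.0.0/16")  # assumption: prefix where the DVRs live
FANOUT_THRESHOLD = 5                      # distinct DVR targets per source before flagging
WINDOW_SECONDS = 600


def parse_line(line: str):
    """Constructed format: '<ISO time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>'."""
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), sip, int(sport), dip, int(dport), flags


def mass_probers(lines) -> dict[str, int]:
    """Sources that touch >= FANOUT_THRESHOLD distinct DVRs within WINDOW_SECONDS."""
    hits = defaultdict(list)
    for line in lines:
        ts, sip, _, dip, dport, _ = parse_line(line)
        if dport == DVR_PORT and ip_address(dip) in CAMERA_VLAN:
            hits[sip].append((ts, dip))
    flagged = {}
    for sip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct DVRs reached in the window opening at this event
            window = {d for t, d in events[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}
            if len(window) >= FANOUT_THRESHOLD:
                flagged[sip] = len(window)
                break
    return flagged


def conscripted_dvrs(lines) -> dict[str, list[tuple[str, int]]]:
    """DVRs that originate connections leaving the camera VLAN (botnet C2/scanning)."""
    out = defaultdict(set)
    for line in lines:
        _, sip, _, dip, dport, _ = parse_line(line)
        if ip_address(sip) in CAMERA_VLAN and ip_address(dip) not in CAMERA_VLAN:
            out[sip].add((dip, dport))
    return {sip: sorted(dsts) for sip, dsts in out.items()}


# Constructed sample log: one sweeping scanner, one repeat visitor to a single
# DVR, one DVR that has started talking outbound, and benign intra-VLAN traffic.
SAMPLE_LOG = """\
2025-04-05T01:00:00 203.0.113.7:51000 -> 10.50.1.10:9000 S
2025-04-05T01:00:01 203.0.113.7:51001 -> 10.50.1.11:9000 S
2025-04-05T01:00:02 203.0.113.7:51002 -> 10.50.1.12:9000 S
2025-04-05T01:00:03 203.0.113.7:51003 -> 10.50.1.13:9000 S
2025-04-05T01:00:04 203.0.113.7:51004 -> 10.50.1.14:9000 S
2025-04-05T01:02:00 198.51.100.20:44000 -> 10.50.1.10:9000 S
2025-04-05T01:02:05 198.51.100.20:44001 -> 10.50.1.10:9000 S
2025-04-05T01:05:00 10.50.1.12:40000 -> 192.0.2.9:6667 S
2025-04-05T01:05:30 10.50.1.12:40001 -> 192.0.2.77:23 S
2025-04-05T01:06:00 10.50.2.1:40002 -> 10.50.1.10:9000 S
""".splitlines()

if __name__ == "__main__":
    print("mass probers:", mass_probers(SAMPLE_LOG))
    print("DVRs talking outbound:", conscripted_dvrs(SAMPLE_LOG))
```

The outbound check is the higher-value one: DVRs should only answer requests, so any device in the camera VLAN initiating sessions to the Internet deserves isolation and a credential reset regardless of whether the inbound probe was ever logged.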

(TLP: CLEAR) Comments: The TVT NVMS9000 DVRs are widely deployed in surveillance infrastructures to capture, store, and manage video streams from security camera networks. Designed for centralized video monitoring, these devices are frequently connected to the internet for remote access and management, exposing them to elevated risk. The devices’ network-facing nature and broad deployment footprint make them attractive targets for threat actors, particularly botnets, which actively scan for exposed or vulnerable DVRs to exploit and conscript into large-scale attack operations. Additionally, the Mirai botnet’s involvement amplifies the urgency of this threat, given its history of exploiting IoT vulnerabilities to devastating effect. Indicators of compromise include abnormal outbound traffic, degraded device performance, frequent reboots, elevated CPU or memory usage during idle states, and unauthorized configuration changes. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Develop an organization DDoS response plan. The response plan should guide your organization through identifying, mitigating, and rapidly recovering from DDoS attacks. All internal stakeholders—including your organization’s leaders and network defenders—and service providers should understand their roles and responsibilities through all stages of a DDoS attack. At a minimum, the plan should include understanding the nature of a DDoS attack, confirming a DDoS attack, deploying mitigations, monitoring and recovery.”

(TLP: CLEAR) Vercara: Vercara’s DDoS mitigation solution, UltraDDoS Protect, scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS redirection, BGP redirection, and API triggering. The result is an incredibly fast response against DDoS trouble when you need it most.

Source: https://www.bleepingcomputer.com/news/security/new-mirai-botnet-behind-surge-in-tvt-dvr-exploitation/   

AkiraBot Targets 420,000 Sites with OpenAI-Generated Spam 

(TLP: CLEAR) Recent intelligence reporting indicates that since September 2024, a spam operation driven by a Python-based framework, referred to as AkiraBot, has targeted over 420,000 websites and successfully flooded approximately 80,000 of them with promotional content for questionable search engine optimization (SEO) services branded as “Akira” and “ServiceWrap.” According to reporting, the campaign primarily focuses on small and medium-sized enterprises (SMEs) using popular website-building platforms such as Shopify, GoDaddy, Wix, and Squarespace, which are favored for their user-friendly interfaces but often lack extensive security capabilities.

AkiraBot uses OpenAI’s large language models (LLMs), specifically GPT-4o-mini, to generate tailored, context-aware messages that mimic legitimate outreach. By scraping each target website with tools like BeautifulSoup, the bot crafts a unique pitch incorporating site-specific details, which significantly reduces the effectiveness of traditional spam filters that rely on repetitive content patterns.

What sets AkiraBot apart is its multifaceted evasion strategy. To bypass CAPTCHA protections such as hCaptcha, reCAPTCHA, and Cloudflare Turnstile, the framework drives Selenium WebDriver to emulate human interaction and manipulates browser attributes such as the audio context and hardware profile to appear authentic. It also routes traffic through proxy services, notably SmartProxy, across residential, mobile, and data-center IPs, obscuring its origin and defeating IP-based blocking. The bot’s modular design further enhances its adaptability: versions have evolved from targeting contact forms to infiltrating live chat widgets (e.g., Reamaze integrations) and comment sections, abusing communication channels critical to SME operations.

AkiraBot’s AI-driven approach signals a broader trend of adversaries weaponizing LLMs to scale and refine malicious activity, challenging legacy defenses such as keyword-based filtering.
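
Because every message is LLM-generated and personalized, filtering on repeated text fails; the defender’s leverage is in how the form is filled rather than what it says. The script below is an added example (not code from the original report or from AkiraBot) that scores a submission on behavioral signals a website builder or form handler can collect: a honeypot field that humans never see, a signed JavaScript-issued form token, fill time, SEO-pitch vocabulary and outbound links. It also measures word-shingle similarity against a fixed spam template to show why content matching alone misses a paraphrased pitch. The submissions, the field names, the domain seo-offers.example and the thresholds are constructed assumptions.

```python
"""Behavioural scoring of contact-form submissions whose text is unique per target.

Added example, not code from the original report or from AkiraBot. The two
sample submissions, the template, the domain and all thresholds are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

SEO_PITCH_TERMS = ("seo", "backlink", "rank higher", "first page", "domain authority")
# A fixed template of the kind older keyword filters matched on (constructed).
TEMPLATE = ("We can help your website rank higher on Google with our affordable SEO "
            "and backlink packages, visit our site today")


@dataclass
class Submission:
    source_ip: str
    fill_seconds: float    # time from form render to submit (server-issued timestamp)
    honeypot_value: str    # hidden field a human never sees; form-filling bots populate it
    token_valid: bool      # signed form token issued by page JavaScript, checked server side
    message: str


def shingles(text: str, k: int = 3) -> set[tuple[str, ...]]:
    """Word k-grams, used for near-duplicate comparison of message bodies."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 0))}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def link_domains(text: str) -> set[str]:
    return {urlparse(u).hostname or "" for u in re.findall(r"https?://\S+", text)}


def score(sub: Submission) -> tuple[int, list[str]]:
    """One point per independent behavioural signal; reasons returned for logging."""
    reasons = []
    if sub.honeypot_value.strip():
        reasons.append("honeypot filled")
    if not sub.token_valid:
        reasons.append("missing/invalid form token")
    if sub.fill_seconds < 3.0:
        reasons.append(f"filled in {sub.fill_seconds:.1f}s")
    text = sub.message.lower()
    if any(term in text for term in SEO_PITCH_TERMS):
        reasons.append("SEO pitch terms")
    if link_domains(sub.message):
        reasons.append("contains outbound links")
    return len(reasons), reasons


def is_spam(sub: Submission, threshold: int = 3) -> bool:
    return score(sub)[0] >= threshold


# Constructed samples: a real customer enquiry and a personalised, LLM-style pitch.
LEGIT = Submission("198.51.100.4", 48.0, "", True,
                   "Hi, I ordered a blue mug last week (order 1042) and it arrived cracked. "
                   "Can I get a replacement?")
BOT = Submission("203.0.113.45", 1.4, "http://seo-offers.example", True,
                 "Loved the handmade ceramics on your Etsy-linked shop! Your product pages "
                 "could rank higher on Google; our team at https://seo-offers.example "
                 "builds backlinks for artisan stores.")

if __name__ == "__main__":
    for s in (LEGIT, BOT):
        print(s.source_ip, score(s), "spam" if is_spam(s) else "ok")
    print("similarity to template:", round(jaccard(shingles(BOT.message), shingles(TEMPLATE)), 3))
```

Note that the bot sample carries a valid token: a Selenium-driven real browser executes page JavaScript, so a token alone proves little. The honeypot and fill-time signals carry the verdict here, and both are invisible to IP-based blocking that residential proxies defeat.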

(TLP: CLEAR) Comments: The rise of AkiraBot illustrates a significant shift in the cyber threat landscape, with threat actors increasingly leveraging technologies like large language models (LLMs) to automate and scale malicious campaigns with a high degree of sophistication. Unlike earlier waves of spam linked to the Akira and ServiceWrap SEO services, where message content followed recognizable patterns, the current iteration employs dynamically generated, LLM-crafted content, making traditional content-based filtering largely ineffective.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:  

  • Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.  
  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.  
  • Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.   
  • Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 
Source: https://thehackernews.com/2025/04/akirabot-targets-420000-sites-with.html  

Cybersecurity Agencies Warn Against Fast Flux Powering Resilient Malware, C2, and Phishing Networks 

(TLP: CLEAR) A recent joint advisory from cybersecurity agencies in Australia, Canada, New Zealand, and the United States sheds light on the increasing use of fast flux DNS techniques by threat actors to enhance the resilience and longevity of malicious infrastructure. Fast flux, a tactic traditionally associated with advanced botnets and cybercriminal groups, involves rapidly changing DNS records, specifically A (IPv4), AAAA (IPv6), or NS records, to rotate the IP addresses associated with a malicious domain, typically with very short TTLs so that resolvers re-query constantly. This constant flux complicates takedown efforts, frustrates blocklisting, and significantly increases the operational durability of malware command-and-control (C2) servers, phishing pages, and exfiltration channels.

According to the advisory, both financially motivated actors and nation-state groups are embracing the technique to maintain uninterrupted access to infected systems and to evade detection mechanisms that rely on static IP intelligence. In recent incidents analyzed by federal authorities, fast flux networks have supported the backend infrastructure of campaigns distributing banking trojans, stealers, ransomware payloads, and credential harvesting pages. These networks often use compromised residential and small business devices as proxy relays, masking the true location of the core C2 infrastructure and adding a further layer of anonymity.

The advisory emphasizes that fast flux is not a single technique but part of a larger ecosystem of evasive tactics, including double flux (rotating the authoritative NS records as well as the A/AAAA records), bulletproof hosting, and domain generation algorithms (DGAs), all working in concert to sustain malicious campaigns. CISA and the FBI recommend that defenders employ behavior-based detection, DNS traffic analysis, and more dynamic blocking strategies rather than relying solely on static indicators of compromise.

The resurgence of fast flux as a preferred tactic demonstrates that adversaries continue to favor decentralized and agile infrastructure to stay ahead of security teams, and it underscores the necessity of adopting adaptive, intelligence-driven defenses to mitigate the evolving threat landscape.
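
The DNS-traffic analysis the advisory calls for can be illustrated with the added example below, which is not code from the advisory or the report. Given passive-DNS style observations (timestamp, name, record type, answer, TTL), it computes per domain the distinct address count, the number of distinct ASNs those addresses fall in, the minimum TTL, the number of distinct NS names (double flux) and how many consecutive lookups returned a different address set, then applies thresholds. The observations, the prefix-to-ASN table and the thresholds are constructed assumptions; in production the ASN lookup would come from a routing-table or GeoIP-style source and the thresholds would be tuned against known CDN behavior, which also uses low TTLs but stays within a small set of ASNs.

```python
"""Score domains for fast-flux behaviour from passive-DNS style observations.

Added example, not from the joint advisory. The observations, the ASN table
and the thresholds are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Observation:
    ts: int       # epoch seconds of the lookup
    qname: str
    rtype: str    # "A", "AAAA" or "NS"
    rdata: str
    ttl: int


# Constructed prefix -> ASN table standing in for a real IP-to-ASN lookup.
ASN_TABLE = {
    ip_network("203.0.113.0/24"): 64500,
    ip_network("198.51.100.0/24"): 64501,
    ip_network("192.0.2.0/24"): 64502,
    ip_network("2001:db8::/32"): 64503,
}


def asn_of(addr: str):
    ip = ip_address(addr)
    for net, asn in ASN_TABLE.items():
        if ip in net:
            return asn
    return None


def flux_metrics(observations) -> dict[str, dict[str, int]]:
    """Per domain: distinct IPs, distinct ASNs, minimum TTL, distinct NS names,
    and rotations = number of consecutive lookups whose address set changed."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.qname].append(o)
    out = {}
    for qname, obs in by_domain.items():
        obs.sort(key=lambda o: o.ts)
        addrs = {o.rdata for o in obs if o.rtype in ("A", "AAAA")}
        ns = {o.rdata for o in obs if o.rtype == "NS"}
        per_lookup = defaultdict(set)          # address answers grouped by lookup time
        for o in obs:
            if o.rtype in ("A", "AAAA"):
                per_lookup[o.ts].add(o.rdata)
        snaps = [per_lookup[t] for t in sorted(per_lookup)]
        rotations = sum(1 for a, b in zip(snaps, snaps[1:]) if a != b)
        out[qname] = {
            "ips": len(addrs),
            "asns": len({asn_of(a) for a in addrs}),
            "min_ttl": min((o.ttl for o in obs), default=0),
            "ns": len(ns),
            "rotations": rotations,
        }
    return out


def is_fast_flux(m: dict[str, int], min_ips=5, min_asns=3, max_ttl=300, min_rotations=2) -> bool:
    """Many addresses spread over many ASNs, short TTLs and visible rotation.
    Requiring ASN spread is what keeps ordinary low-TTL CDN names from matching."""
    return (m["ips"] >= min_ips and m["asns"] >= min_asns
            and m["min_ttl"] <= max_ttl and m["rotations"] >= min_rotations)


# Constructed observations: one fluxing domain (addresses and NS change every
# lookup, TTL 60) and one stable name served from a single prefix with TTL 3600.
SAMPLE_OBSERVATIONS = [
    Observation(0,   "update-check.example", "A",    "203.0.113.10", 60),
    Observation(0,   "update-check.example", "A",    "198.51.100.20", 60),
    Observation(0,   "update-check.example", "NS",   "ns1.fluxhost.example", 120),
    Observation(300, "update-check.example", "A",    "203.0.113.11", 60),
    Observation(300, "update-check.example", "A",    "192.0.2.30", 60),
    Observation(600, "update-check.example", "A",    "198.51.100.21", 60),
    Observation(600, "update-check.example", "AAAA", "2001:db8::1", 60),
    Observation(600, "update-check.example", "NS",   "ns7.otherhost.example", 120),
    Observation(900, "update-check.example", "A",    "203.0.113.12", 60),
    Observation(900, "update-check.example", "A",    "192.0.2.31", 60),
    Observation(0,    "static.example.net", "A", "192.0.2.50", 3600),
    Observation(0,    "static.example.net", "A", "192.0.2.51", 3600),
    Observation(3600, "static.example.net", "A", "192.0.2.50", 3600),
    Observation(3600, "static.example.net", "A", "192.0.2.51", 3600),
]

if __name__ == "__main__":
    for name, m in flux_metrics(SAMPLE_OBSERVATIONS).items():
        print(name, m, "FAST FLUX" if is_fast_flux(m) else "ok")
```

Feeding a resolver’s query log or a passive-DNS export through flux_metrics() over a rolling window turns a static blocklist into the behavioral detection the advisory recommends; a domain that trips is_fast_flux() is a candidate for blocking at the protective resolver regardless of which IP it resolves to next.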

(TLP: CLEAR) Comments: The aforementioned advisory underscores the reemergence of fast flux DNS as a cornerstone of modern cybercriminal and nation-state operations, signaling a strategic evolution in adversary tactics. The technique’s ability to rapidly rotate DNS records (A, AAAA, NS) creates a moving target that frustrates traditional takedown and blocklisting efforts, enabling prolonged campaigns involving banking trojans, ransomware, stealers, and phishing operations. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports two modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller, or an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.
Source: https://thehackernews.com/2025/04/cisa-and-fbi-warn-fast-flux-is-powering.html 

About Vercara. The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond. To learn more about Vercara solutions, please contact us.