Vercara’s Open-Source Intelligence (OSINT) Report – February 28 – March 7, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Fake CAPTCHA PDFs Spread Lumma Stealer via Webflow, GoDaddy, and Other Domains 

(TLP: CLEAR) A widespread phishing campaign involving 5,000 PDFs across 260 domains has been uncovered, primarily exploiting fake CAPTCHA pages to deliver the Lumma Stealer malware. These PDFs, often hosted on platforms like Webflow, GoDaddy, and Fastly, deceive victims into executing malicious PowerShell commands, leading to malware infections. The PDFs are indexed using SEO tactics to drive traffic via search engine results, with the goal of infecting users primarily in North America, Asia, and Southern Europe. 

(TLP: CLEAR) Comments: The Lumma Stealer malware is used to harvest sensitive information from compromised systems. Attackers also distribute these PDFs via legitimate online libraries and platforms. The use of techniques like ClickFix for executing malicious scripts highlights the growing sophistication of phishing attacks. Additionally, the malware integrates with proxy tools to bypass security measures. The campaign has impacted over 1,150 organizations, predominantly in technology, finance, and manufacturing sectors. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

Source: https://thehackernews.com/2025/02/5000-phishing-pdfs-on-260-domains.html   

12,000+ API Keys and Passwords Found in Public Datasets Used for LLM Training 

(TLP: CLEAR) A recent analysis of the Common Crawl archive, a publicly accessible web data repository, revealed over 12,000 live API keys, passwords, and other authentication secrets. These credentials were found in data used for training large language models (LLMs). The archive, which contains 400TB of data from 47.5 million hosts and spans 18 years, included various types of sensitive information, such as AWS root keys, Slack webhooks, and Mailchimp API keys. 

(TLP: CLEAR) Comments: The issue arises because LLMs cannot distinguish between valid and invalid credentials during training, meaning both valid and example keys contribute to insecure coding practices in the model’s output. This could lead to models inadvertently generating insecure code examples. The discovery highlights the dangers of hardcoded secrets in datasets and the potential risks of AI suggesting insecure coding practices, further compounding data privacy and security concerns in LLM applications. 
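The practical defence against the problem described above is to scan your own published content and training corpora for the credential types named in the article before they are crawled, and to redact what is found. The following scanner is an added example, not code from the Common Crawl analysis or from Vercara; the regexes follow each vendor's documented key format, the placeholder markers are an assumption, and the sample text is constructed (the AWS key in it is AWS's own documentation example).

```python
import re

# Regexes follow each vendor's documented credential format; they are this example's
# assumption about what to look for, not the rules used in the Common Crawl analysis.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}
# Markers that appear in vendor documentation samples; a real issued key would not contain them.
PLACEHOLDER_MARKERS = ("EXAMPLE", "XXXX", "00000000")

def mask(secret: str) -> str:
    """Report a short prefix and the length so a finding is locatable without re-leaking it."""
    return f"{secret[:6]}...({len(secret)} chars)"

def scan_text(text: str, source: str = "<inline>") -> list[dict]:
    """Return one finding per match, tagged with whether it looks like a documentation placeholder."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            findings.append({
                "source": source,
                "kind": kind,
                "line": text.count("\n", 0, match.start()) + 1,
                "masked": mask(value),
                "placeholder": any(marker in value for marker in PLACEHOLDER_MARKERS),
            })
    return findings

def live_candidates(text: str) -> list[dict]:
    """Findings to rotate or verify with the provider: everything not obviously a placeholder."""
    return [f for f in scan_text(text) if not f["placeholder"]]

def redact(text: str) -> str:
    """Replace every match with a typed marker before the text is published or used for training."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"<REDACTED:{kind}>", text)
    return text

# Constructed sample resembling a settings file pasted into a public wiki: the AWS key is AWS's
# documentation example, the Slack URL is a placeholder, the Mailchimp key is made up but well-formed.
SAMPLE = """\
# settings.py copied into a public wiki
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SLACK_WEBHOOK = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
MAILCHIMP_API_KEY = "0123456789abcdef0123456789abcdef-us21"
"""
```

Running `scan_text(SAMPLE)` reports all three keys with the first two marked as placeholders, `live_candidates(SAMPLE)` returns only the Mailchimp key, and `redact(SAMPLE)` yields text safe to publish.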

(TLP: CLEAR) Recommended best practices/regulations:

OWASP API Top 10, API9:2023 “Improper Inventory Management”:  

  • Inventory all API hosts and document important aspects of each one of them, focusing on the API environment (e.g. production, staging, test, development), who should have network access to the host (e.g. public, internal, partners) and the API version.
  • Inventory integrated services and document important aspects such as their role in the system, what data is exchanged (data flow), and their sensitivity.
  • Document all aspects of your API such as authentication, errors, redirects, rate limiting, cross-origin resource sharing (CORS) policy, and endpoints, including their parameters, requests, and responses.
  • Generate documentation automatically by adopting open standards. Include the documentation build in your CI/CD pipeline.
  • Make API documentation available only to those authorized to use the API.
  • Use external protection measures such as API security specific solutions for all exposed versions of your APIs, not just for the current production version.
  • Avoid using production data with non-production API deployments. If this is unavoidable, these endpoints should get the same security treatment as the production ones.
  • When newer versions of APIs include security improvements, perform a risk analysis to inform the mitigation actions required for the older versions. For example, whether it is possible to backport the improvements without breaking API compatibility or if you need to take the older version out quickly and force all clients to move to the latest version.

(TLP: CLEAR) Vercara: Vercara UltraAPI Bot Manager detects and prevents sophisticated automated API attacks and business logic abuse using hundreds of ML rules that leverage an API threat database with billions of malicious behaviors, IP addresses, and organizations. Native, policy-based response options ensure that detected attacks are blocked in real time, without reliance on a third-party WAF or other security components. 

Source: https://thehackernews.com/2025/02/12000-api-keys-and-passwords-found-in.html   

A Brand-New Botnet Is Delivering Record-Size DDoS Attacks 

(TLP: CLEAR) A newly identified botnet, dubbed Eleven11bot, has rapidly emerged as one of the largest distributed denial-of-service (DDoS) botnets in recent years, compromising over 86,000 Internet of Things (IoT) devices, primarily security cameras and network video recorders (NVRs). Eleven11bot has been observed executing DDoS attacks targeting sectors such as gaming and communications, with attack intensities ranging from several hundred thousand to several hundred million packets per second (pps). These high-intensity attacks can cause substantial disruptions, including service outages and degraded performance for targeted services. 

(TLP: CLEAR) Comments: The botnet operates by exploiting vulnerabilities in IoT devices, particularly those with weak or default credentials, to recruit them into the botnet. Once compromised, these devices can be orchestrated to generate large-scale DDoS traffic, overwhelming targeted servers or networks. The use of IoT devices in botnets like Eleven11bot is concerning due to their typically inadequate security measures, making them susceptible to exploitation. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA) publication “VOLUMETRIC DDOS AGAINST WEB SERVICES TECHNICAL GUIDANCE”: “Agencies should select a provider that has the capacity to scale and withstand large volumetric DDoS attacks. Agencies should also understand their role and the role of the provider if targeted by a DDoS attack. Note the two consumption models previously identified for DDoS mitigation services – always-on and on-call/on-demand. In an always-on model, all traffic always passes through the mitigation provider’s service (which may add latency if the distance between the customer internet circuit and mitigation service are high). Always-on can provide instant protection, but agencies should always validate time-to-mitigation of any proposed solution. The on-demand consumption model only sends traffic to scrubbing centers when directed to do so via human intervention during an attack. Agencies must communicate with their provider to understand which protections are available, the protections that are included in the existing contracts, and those offered à la carte. For services that require manual activation, agencies must understand each organization and individual’s roles, as well as develop, maintain, and test the activation procedures for best response.”

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources. 

Source: https://www.wired.com/story/eleven11bot-botnet-record-size-ddos-attacks/  

Source: https://www.securityweek.com/new-eleven11bot-ddos-botnet-powered-by-80000-hacked-devices/?utm_source=chatgpt.com   

Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers 

(TLP: CLEAR) A large-scale brute-force attack campaign has been targeting over 4,000 ISP IP addresses, with a focus on networks in China and the U.S. West Coast. This ongoing attack involves the use of weak credentials to exploit vulnerabilities in exposed systems. The attackers deploy a range of malware, including info stealers and cryptocurrency miners, to compromise the affected hosts. The attackers typically use Python and PowerShell scripts to perform reconnaissance, steal sensitive data, and initiate cryptomining activities. The malware includes tools to exfiltrate information, such as clipboard data (including cryptocurrency wallet addresses) and take screenshots. A key feature of the malware is its ability to steal credentials and mine cryptocurrency using the victim’s system resources. 

(TLP: CLEAR) Comments: The attack methodology begins by disabling security features and terminating cryptominer detection services, followed by the delivery of malicious executables like Auto.exe and Masscan.exe. These tools facilitate further exploitation by downloading password lists and conducting brute-force attacks. The threat actors also employ Telegram as a command-and-control (C2) channel, adding to the difficulty of detection. The exploitation primarily targets ISP infrastructure in specific regions and is a clear example of the growing use of automation and minimal footprint in cybercrime activities. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency publication “Selecting a Protective DNS (PDNS) Service”: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

  • Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
  • Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy. 
  • Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
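The DGA bullet above describes tagging query names by textual attributes such as high entropy. The following is an added illustration of that heuristic, not CISA's or Vercara's detection logic; the thresholds, the vowel-ratio check and the single-label-TLD assumption are this example's own choices, and the query log is constructed.

```python
import math
from collections import Counter

# Thresholds are assumptions chosen for this illustration, not a published PDNS setting;
# production systems tune them against labelled traffic and combine them with reputation feeds.
ENTROPY_THRESHOLD = 3.5   # bits per character of the second-level label
MIN_LABEL_LENGTH = 10     # short labels carry too little signal for entropy to mean much
MAX_VOWEL_RATIO = 0.3     # output from a seeded random generator tends to be consonant-heavy
VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits per character over the label's symbol distribution (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def second_level_label(qname: str) -> str:
    """Label directly under the TLD. Assumes single-label TLDs; a real PDNS uses the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def vowel_ratio(s: str) -> float:
    letters = [c for c in s if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0

def dga_score(qname: str) -> dict:
    """Tag a query name with its textual attributes and whether they fit the DGA profile."""
    label = second_level_label(qname)
    entropy, vowels = shannon_entropy(label), vowel_ratio(label)
    suspicious = (len(label) >= MIN_LABEL_LENGTH
                  and entropy >= ENTROPY_THRESHOLD
                  and vowels < MAX_VOWEL_RATIO)
    return {"qname": qname, "label": label, "entropy": round(entropy, 2),
            "vowel_ratio": round(vowels, 2), "suspicious": suspicious}

def flagged(qnames: list[str]) -> list[str]:
    """Query names a resolver would block or alert on under this heuristic."""
    return [q for q in qnames if dga_score(q)["suspicious"]]

# Constructed query log: three ordinary names and two made-up DGA-style names.
SAMPLE_QUERIES = [
    "www.example.com",
    "thehackernews.com",
    "xkq7vbn2zpwtlr.com",
    "mail.vercara.com",
    "ajhdgqwpenrtyk.net",
]
```

`flagged(SAMPLE_QUERIES)` returns only the two random-looking names; a long but pronounceable name such as thehackernews.com scores about 3.2 bits per character and is left alone, which is also why entropy alone misses dictionary-word DGAs and must be paired with reputation feeds.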

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections. 

Source: https://thehackernews.com/2025/03/over-4000-isp-networks-targeted-in.html  

About Vercara. The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond. To learn more about Vercara solutions, please contact us.