Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Ukrainian Hackers Claim to Have Destroyed Major Russian Drone Maker’s Network
(TLP: CLEAR) Recent reporting details the Ukrainian hacktivists’ latest cyber campaign, which crippled the IT backbone of Russia’s Gaskar Integration plant, one of Moscow’s premier drone suppliers. In an operation that exfiltrated and then obliterated the manufacturer’s digital infrastructure, the BO Team (aka Black Owl), in collaboration with the Ukrainian Cyber Alliance, claims to have compromised Gaskar’s systems and ultimately seized control of the entire network. According to the threat actors, the joint operation executed a full‑network compromise, mapping every subnet, capturing credentials, and harvesting 47 TB of engineering data on current and future unmanned aerial vehicle (UAV) programs, as well as 10 TB of backups. Additionally, in a coordinated statement, the Ukrainian Cyber Alliance claimed responsibility for exfiltrating the facility’s complete source code repository before executing what they termed a “digital scorched earth” operation. The threat actors described the destruction as so devastating that it cascaded through the facility’s interconnected systems, disabling even basic security infrastructure, including electronic door locks. Plant administrators were reportedly forced to activate the building’s fire alarm system as an emergency measure to evacuate personnel, further testament to the attack’s thoroughness. Gaskar Group has reportedly downplayed the impact of the cyberattack, denying that the breach caused any significant disruption.
vercara.digicert.com
2201 Cooperative Way, Suite 350, Herndon, VA 20171, USA
(TLP: CLEAR) Comments: The BO Team’s aforementioned cyber assault appears to extend beyond immediate operational disruption. The Ukrainian hackers project that the targeted infrastructure’s collapse will significantly impact Russia’s drone procurement pipeline, potentially delaying the delivery of thousands of unmanned aerial vehicles earmarked for frontline deployment, a development that could influence tactical operations in the ongoing conflict.
(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.
(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a complement to anti-virus and Endpoint Detection and Response (EDR) agents to reduce the total amount of malware infections.
Sources: https://www.theregister.com/2025/07/16/ukrainian_drone_attack/
Europol Disrupts Pro-Russian NoName057(16) DDoS Hacktivist Group
(TLP: CLEAR) On July 15, 2025, international law enforcement agencies executed Operation Eastwood, a coordinated disruption campaign targeting the infrastructure and operational capabilities of NoName057(16), a prominent pro-Russian hacktivist collective responsible for systematic distributed denial-of-service (DDoS) attacks against European, Israeli, and Ukrainian targets. The operation, spearheaded by Europol and Eurojust with participation from twelve international partners, represents a significant multilateral response to persistent cyber threats against critical infrastructure supporting Ukraine. According to recent intelligence reporting, Operation Eastwood’s tactical execution involved simultaneous law enforcement actions across Germany, Latvia, Spain, Italy, Czechia, Poland, and France, resulting in the disruption or takedown of over 100 servers hosting the group’s command and control infrastructure. The operation yielded two arrests—one preliminary detention in France and one in Spain—while generating seven European arrest warrants, including six issued by German authorities and one by Spanish counterparts. Law enforcement agencies also executed a psychological operations component, delivering direct warnings to 1,100 participants and 17 administrators via Telegram, explicitly notifying them of potential criminal liability for their continued participation. NoName057(16) emerged in March 2022 as a direct response to the Ukraine conflict, leveraging Telegram channels and the DDoSia project—a crowdsourced attack platform that weaponizes volunteer computing resources to execute coordinated DDoS campaigns against adversarial targets.
(TLP: CLEAR) Comments: Post-operation threat actor behavior indicates rapid operational recovery, with NoName057(16) continuing to announce new attacks and claiming successful breaches of German corporate targets as of the operation’s conclusion. This resilience demonstrates the inherent challenges in disrupting decentralized hacktivist networks with geographically distributed leadership structures, suggesting that while Operation Eastwood achieved significant tactical disruption, its strategic impact may prove limited without addressing the threat actor’s Russian operational base.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.”
(TLP: CLEAR) DigiCert: Digicert’s Protective DDoS solution, Digicert UltraDDoS Protect, provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15 Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that constantly updates mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://www.bleepingcomputer.com/news/security/europol-disrupts-pro-russian-noname05716-ddos-hacktivist-group/
Hackers Exploit a Blind Spot by Hiding Malware Inside DNS Records
(TLP: CLEAR) Recent reporting sheds light on a sophisticated new attack vector that exploits one of the internet’s most fundamental systems: the Domain Name System (DNS). By embedding malicious code directly into DNS TXT records, threat actors are turning this essential infrastructure into a covert distribution network for malware. TXT records, commonly used to verify domain ownership for services like Google Workspace, can store arbitrary text and thus make ideal containers for hiding payload fragments. The payload was sliced into manageable chunks so that each subdomain’s TXT record held one piece of the puzzle. Once inside a compromised network, the malware could be reconstructed by issuing what appear to be harmless DNS queries to retrieve each chunk, then reassembling and decoding the chunks back into a working binary. DNS operates as the internet’s address book, with billions of legitimate queries processed daily. By camouflaging malware within this trusted communication channel, attackers can distribute code with minimal risk of detection, effectively weaponizing the very infrastructure that keeps the internet functioning.
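A defender-side illustration of the retrieval pattern described above, added here as an example and not taken from the article or the reporting it cites. It scans resolver log lines for a client that pulls several hex-only TXT answers from sibling subdomains, reassembles them in label order and checks whether the decoded bytes begin with an executable file magic. The log format, the host names and the hex values are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (not from the article or any real capture):
# client, query type, queried name, answer data
SAMPLE_LOG = """\
10.0.0.5 TXT _dmarc.example.test "v=DMARC1; p=reject"
10.0.0.7 TXT 0.files.payload-host.test "4d5a90000300000004000000ffff0000"
10.0.0.7 TXT 1.files.payload-host.test "b8000000000000004000000000000000"
10.0.0.7 TXT 2.files.payload-host.test "00000000000000000000000000000000"
10.0.0.7 TXT 3.files.payload-host.test "0e1fba0e00b409cd21b8014ccd215468"
10.0.0.9 A www.example.test 93.184.216.34
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"?([^"]*)"?\s*$')
HEX_RE = re.compile(r'^[0-9a-fA-F]+$')

# File magics worth checking once the chunks are reassembled (Windows PE, ELF)
MAGICS = {b"MZ": "PE/DOS", b"\x7fELF": "ELF"}

def parse_log(text):
    """Yield (client, qtype, qname, answer) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def looks_like_hex_chunk(answer, min_len=16):
    """Hex-only, even length and long enough to be a payload fragment, not a token."""
    return len(answer) >= min_len and len(answer) % 2 == 0 and bool(HEX_RE.match(answer))

def chunk_index(qname):
    """Return the leading label as an int when it is numeric, else None."""
    first = qname.split(".", 1)[0]
    return int(first) if first.isdigit() else None

def find_txt_reassembly(log_text, min_chunks=3):
    """Flag clients that fetch several hex-only TXT answers under one parent domain."""
    groups = defaultdict(list)
    for client, qtype, qname, answer in parse_log(log_text):
        if qtype.upper() != "TXT" or not looks_like_hex_chunk(answer):
            continue
        parent = qname.split(".", 1)[1] if "." in qname else qname
        groups[(client, parent)].append((chunk_index(qname), qname, answer))

    findings = []
    for (client, parent), chunks in groups.items():
        if len(chunks) < min_chunks:
            continue
        # Order by numeric leading label where present; unnumbered chunks keep query order
        chunks.sort(key=lambda c: (c[0] is None, c[0] if c[0] is not None else 0))
        blob = bytes.fromhex("".join(c[2] for c in chunks))
        magic = next((name for sig, name in MAGICS.items() if blob.startswith(sig)), None)
        findings.append({
            "client": client,
            "parent_domain": parent,
            "chunks": len(chunks),
            "bytes": len(blob),
            "magic": magic,
        })
    return findings

if __name__ == "__main__":
    for finding in find_txt_reassembly(SAMPLE_LOG):
        print(finding)
```

The benign DMARC record in the sample is TXT data too, but it is not hex, so it never enters a group; the threshold on the number of sibling chunks keeps a single odd-looking token from raising an alert, and the magic check turns "many hex answers" into "these answers decode to an executable", which is the fact worth escalating.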
(TLP: CLEAR) Comments: While the use of DNS TXT records for malicious purposes isn’t entirely new—researchers have tracked DNS-hosted PowerShell scripts for nearly a decade—the use of hex-encoded binaries as a delivery mechanism is less common and represents a concerning evolution.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency, Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.
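As an added example (not from CISA’s guidance or the original report), the lexical analysis the DGA bullet alludes to, carried a little further than entropy alone: Shannon entropy, digit share, vowel share and longest consonant run of the registrable label, scored over a constructed list of domains. The domain names, the thresholds and the simplified public-suffix handling are assumptions made for the example.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample of queried domains (not from the article): three ordinary names
# and three random-looking labels of the kind a domain generation algorithm produces.
SAMPLE_DOMAINS = [
    "www.google.com",
    "bleepingcomputer.com",
    "mail.example.co.uk",
    "xk7qz2bnw9t4pl.com",
    "qwrtlpmvxszkbjd.net",
    "h4x9plmzq2tkvr.org",
]

def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registrable_label(domain):
    """Label immediately left of the public suffix. Simplified: the last label is the
    suffix, plus the one before it when it looks like 'co' in 'co.uk'. A real
    deployment would consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def lexical_features(label):
    """Cheap textual attributes of one label; no network or list lookups needed."""
    letters = [c for c in label if c.isalpha()]
    digits = sum(1 for c in label if c.isdigit())
    run = best = 0
    for c in label:  # longest run of consonant letters; digits and hyphens reset it
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / max(len(label), 1),
        "vowel_ratio": sum(1 for c in letters if c in VOWELS) / max(len(letters), 1),
        "max_consonant_run": best,
    }

def dga_indicators(label):
    """Names of the indicators a label trips. Thresholds are assumptions for this
    sample, not values tuned on real traffic."""
    f = lexical_features(label)
    hits = []
    if f["entropy"] >= 3.75:
        hits.append("high_entropy")
    if f["digit_ratio"] >= 0.25:
        hits.append("digit_heavy")
    if f["length"] >= 6 and f["vowel_ratio"] <= 0.2:
        hits.append("vowel_poor")
    if f["max_consonant_run"] >= 5:
        hits.append("consonant_run")
    return hits

def classify_domains(domains):
    """Map each domain to the indicator names its registrable label triggers."""
    return {d: dga_indicators(registrable_label(d)) for d in domains}

def flagged_domains(domains, min_hits=2):
    """Domains whose label trips at least min_hits indicators. Requiring agreement keeps
    long ordinary words, which already have high entropy on their own, off the list."""
    return [d for d, hits in classify_domains(domains).items() if len(hits) >= min_hits]

if __name__ == "__main__":
    for domain, hits in classify_domains(SAMPLE_DOMAINS).items():
        print(f"{domain:24} {hits}")
```

Entropy by itself is a weak signal: the label bleepingcomputer scores about 3.58 bits per character, not far below the random-looking samples, which is why the score asks for at least two independent indicators before a name is flagged. PDNS products that advertise DGA detection generally feed features like these, plus query volume and NXDOMAIN rates, into a trained classifier rather than fixed thresholds.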
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by it.
Source: https://arstechnica.com/security/2025/07/hackers-exploit-a-blind-spot-by-hiding-malware-inside-dns-records/
Microsoft Exposes Scattered Spider’s Latest Tactics
(TLP: CLEAR) Microsoft recently issued a detailed warning on the evolving tactics of the threat actor known as Scattered Spider, underscoring the growing sophistication of hybrid attack methodologies targeting both on-premises and cloud infrastructure. According to Microsoft, the group, codenamed Octo Tempest and infamous for its aggressive use of social engineering and cloud identity attacks, has recently expanded its operational scope to include initial-stage compromise of on-premises accounts and infrastructure, a shift from its typical cloud-first intrusion pattern. Traditionally, Scattered Spider leveraged elevated privileges within cloud identity platforms to pivot into internal environments. However, Microsoft now confirms that the group’s recent campaigns began with attacks on-prem, escalating privileges locally, and then expanding into cloud environments. This evolution represents a more flexible, multi-pronged strategy that complicates detection and response efforts for defenders. Between April and July 2025, Scattered Spider expanded its operational focus across multiple verticals, launching ransomware and extortion attacks against airlines, retailers, food service providers, hospitality organizations, and insurance companies. This breadth of targeting reflects a highly opportunistic model focused on industries with complex digital footprints and high-value data. Additionally, Microsoft indicated that the threat actors were actively deploying DragonForce ransomware, with a notable emphasis on environments running VMware ESXi hypervisors. This targeting aligns with broader trends observed among financially motivated eCrime groups, who focus on virtualized infrastructure for maximum operational impact and ransom leverage.
In order to counter these evolving threats, Microsoft has claimed to have strengthened its security products, particularly Microsoft Defender and Microsoft Sentinel, with updated detection and mitigation capabilities tailored to Scattered Spider’s tactics, techniques, and procedures (TTPs). These updates include enhanced visibility across endpoints, identities, SaaS applications, email platforms, collaboration tools, and cloud workloads, ensuring end-to-end telemetry and defense.
(TLP: CLEAR) Comments: In order to further bolster security safeguards, Microsoft advocates for proactive use of its Security Exposure Management solution. By performing attack path analysis, identifying critical asset exposure, and mapping threat actor behavior, organizations can reduce the surface area susceptible to compromise. It is also recommended that network infrastructure is built around multi-factor authentication (MFA), risk-based sign-in policies, and least-privilege access across all identity, endpoint, and cloud resources.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS solution, provides overlapping protection not only for conventional IT assets such as laptops, desktops, and some servers, but also for non-standard IT assets such as IoT devices and servers that cannot run anti-malware software.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Digicert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://www.infosecurity-magazine.com/news/microsoft-exposes-scattered/
Google Sues to Disrupt BadBox 2.0 Botnet Infecting 10 Million Devices
(TLP: CLEAR) Google has initiated legal action against the unidentified operators behind the BadBox 2.0 malware botnet, accusing a network of Chinese entities of orchestrating a massive global ad fraud operation that leverages compromised Android devices to defraud its advertising platforms. Filed under the Computer Fraud and Abuse Act (CFAA) and the Racketeer Influenced and Corrupt Organizations (RICO) Act, the lawsuit targets an extensive cybercriminal enterprise that has allegedly infected more than 10 million Android-based devices worldwide as of April 2025, with over 170,000 compromised devices in New York state alone. According to intelligence reporting, BadBox 2.0 is designed to exploit devices built on the Android Open Source Project (AOSP)—including smart TVs, streaming boxes, and other Internet-connected devices that lack core protections such as Google Play Protect. These low-cost AOSP devices are either purchased wholesale and preloaded with malware before being resold online or infected via social engineering tactics that trick end users into installing malicious applications and software. Once compromised, the malware establishes a persistent backdoor, connecting infected hosts to a command-and-control (C2) infrastructure controlled by the threat actors. From there, devices are conscripted into the botnet and repurposed for two primary objectives. The first is residential proxy services: infected devices are covertly converted into residential proxy nodes and resold to other threat actors for use in further criminal activity, often without the victims’ knowledge or consent. The second, ad fraud operations, is the centerpiece of Google’s lawsuit. This operation uses infected devices to generate fraudulent advertising revenue by manipulating Google’s ad ecosystem through three core tactics: Hidden Ad Rendering, Search Ad Click Fraud, and Web-Based Game Exploits.
Due to the anonymity of the operators—who are believed to reside in China—Google’s lawsuit names 25 John Doe defendants and seeks damages, along with a permanent injunction to dismantle the malware infrastructure and halt the operation’s expansion. The filing includes over 100 internet domains identified as integral to BadBox 2.0’s C2 and fraud infrastructure. With this legal action, Google aims not only to protect its advertising platforms and customers but also to set a legal precedent in the fight against botnet-driven fraud originating from unregulated global device supply chains and opaque online ecosystems.
(TLP: CLEAR) Comments: Although the original BadBox operation was disrupted in 2024 through DNS sinkholing by German authorities, the criminal enterprise quickly regrouped, launching the BadBox 2.0 variant with enhanced infrastructure and evasion techniques. Google’s complaint reveals that despite aggressive countermeasures, including the termination of thousands of fraudulent publisher accounts, the operation continues to grow, posing a substantial and ongoing cybersecurity risk.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION
Control:
- Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
- Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
- Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
NIST requires malware detection and prevention solutions. This can be on the device, as with antivirus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Source: https://www.bleepingcomputer.com/news/security/google-sues-to-disrupt-badbox-20-botnet-infecting-10-million-devices/
Chinese Hackers Breached National Guard to Steal Network Configurations
(TLP: CLEAR) The following reporting details one of the most consequential cyber-espionage campaigns disclosed in 2024. The Chinese state-sponsored group Salt Typhoon, attributed to China’s Ministry of State Security (MSS), maintained covert access to a U.S. Army National Guard network for nine months, from March to December 2024, exfiltrating network configurations, admin credentials, personal data, and topologies from National Guard units across all U.S. states and four territories. This operation reflects Salt Typhoon’s evolution from targeting telecom providers like AT&T and Verizon to infiltrating U.S. military infrastructure, using intelligence from past breaches to fuel recursive intrusions into additional federal networks. According to recent reporting, the stolen configuration files, detailing device settings, VPN credentials, routing protocols, and access controls, provided blueprints for further compromise and were part of a broader campaign that saw over 1,460 such files stolen from at least 70 government and critical infrastructure entities. While DHS has not disclosed the precise intrusion vector, Salt Typhoon is known for exploiting unpatched vulnerabilities in edge devices, such as CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, and CVE-2024-3400, often chaining them to maintain persistence. Previous telecom intrusions were leveraged to surveil lawmakers and military systems via custom malware like JumblePath and GhostSpider, illustrating their intent to establish persistent, high-value espionage footholds. DHS has urged immediate patching, network segmentation, and SMB hardening to mitigate future attacks. 
While the National Guard confirmed the breach did not impact active operations, China’s embassy denied culpability, citing a lack of “conclusive evidence.” The breach highlights a sophisticated, state-directed campaign characterized by extended dwell times, intelligence-driven lateral movement, and strategic targeting of defense and government systems, underscoring the urgency of hardened cyber defenses against advanced persistent threats.
(TLP: CLEAR) Comments: This breach represents a critical inflection point in Chinese cyber-espionage strategy, marking a deliberate shift from surveillance of civilian infrastructure to deep, sustained penetration of U.S. military networks. Salt Typhoon’s exploitation of legacy edge device vulnerabilities to maintain long-term access—coupled with its ability to pivot laterally across federal entities using previously exfiltrated intelligence—demonstrates a maturing threat actor with operational continuity, technical discipline, and strategic intent.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency, Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-national-guard-to-steal-network-configurations/
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.