Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
CISA Warns Iranian Cyber Actors May Attack U.S. Critical Infrastructure
(TLP: CLEAR) The Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, NSA, and Department of Defense Cyber Crime Center, has issued a joint warning highlighting an escalating cyber threat posed by Iranian-affiliated actors targeting U.S. critical infrastructure. Despite diplomatic efforts and ceasefire negotiations, Iranian cyber groups remain highly active, particularly focusing on the Defense Industrial Base and organizations linked to Israeli research and defense sectors. These threat actors exploit known vulnerabilities, unpatched systems, and internet-connected devices with factory-default passwords. Their tactics include brute-force attacks, hash cracking, and the use of default credentials to gain access. Particularly concerning is their targeting of operational technology (OT) and industrial control systems (ICS), such as programmable logic controllers (PLCs) and human-machine interfaces (HMIs), often through internet-facing systems using standard TCP ports. Between November 2023 and January 2024, Iranian Islamic Revolutionary Guard Corps-affiliated groups launched a global campaign, successfully compromising U.S. infrastructure in sectors including energy, water, food manufacturing, and healthcare. Their operations combine technical intrusions with information warfare, conducting hack-and-leak campaigns amplified via social media to inflict reputational damage and erode public trust. This activity underscores the evolving sophistication and persistence of Iranian cyber capabilities, especially in targeting OT environments that are often undersecured and vital to national security.
(TLP: CLEAR) Comments: The recent CISA alert on Iranian-affiliated cyber threats gains urgency in light of the 12-day war between Iran and Israel in late June. That conflict, marked by missile exchanges and regional instability, has directly fueled Tehran’s parallel digital campaign. Iranian cyber actors have escalated operations targeting U.S. critical infrastructure, especially sectors tied to Israeli defense and research. These campaigns align with Tehran’s broader strategy of asymmetric retaliation—leveraging cyberattacks to inflict economic and reputational damage on allies of Israel without direct military confrontation. As the physical conflict subsides, the cyber battlefield remains active, posing persistent risks to U.S. operational technology systems.
(TLP: CLEAR) Recommended best practices/regulations: RFC 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.
NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those in NATO member and allied countries, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for both users and machines. It combines defined categories, including botnet Command and Control (C2), with machine learning that detects previously uncategorized malicious associations, helping to prevent data exfiltration or malware detonation.
Vercara UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.
Source: https://cybersecuritynews.com/iranian-cyber-actors-may-attack-u-s-critical-infrastructure/
Hackers Use .PIF Files and UAC Bypass to Drop Remcos Malware on Windows
(TLP: CLEAR) A newly uncovered phishing campaign is using obsolete Windows file formats and advanced evasion techniques to deliver Remcos Remote Access Trojan (RAT), showcasing a troubling evolution in malware distribution. The attack leverages DBatLoader as its primary delivery mechanism, initiating with phishing emails that include malicious archives containing a disguised executable named “FAKTURA.” The malware uses outdated Program Information Files (.pif) and folder name tricks—like trailing spaces—to bypass User Account Control (UAC) protections and elevate privileges without triggering alerts. This approach manipulates Windows folder parsing to create deceptive directories (e.g., “C:\Windows ”). To evade detection, the malware introduces artificial execution delays using PING.EXE and employs BatCloak obfuscation, scheduled tasks, and extrac32.exe to bypass security solutions like Windows Defender. Once inside, Remcos injects itself into trusted system processes (e.g., SndVol.exe, colorcpl.exe) to maintain stealth and persistence. The campaign’s combination of legacy file exploitation, Living off the Land Binaries (LOLBins), and process injection tactics creates a resilient infection framework that challenges conventional security tools. Analysts warn that this multi-layered strategy could be adopted by other threat actors, elevating the broader threat landscape and necessitating more advanced behavioral detection techniques across organizations.
(TLP: CLEAR) Comments: This phishing campaign marks a significant evolution in cyberattack tactics by blending legacy Windows file formats with modern evasion techniques, reinforcing the persistent adaptability of malicious actors. By exploiting obsolete .pif files—originally designed for DOS applications—threat actors effectively weaponize long-abandoned functionality to circumvent security controls such as User Account Control (UAC). The use of directory names with trailing spaces and stealthy abuse of system binaries like PING.EXE, extrac32.exe, and obfuscated scripts underscores a deliberate effort to avoid both static and behavioral detection. The deployment of Remcos RAT through DBatLoader also reflects a broader industry trend toward leveraging Living off the Land Binaries (LOLBins), which use legitimate system tools to disguise malicious activity. This not only helps evade antivirus software but also complicates forensic investigation, as these tools blend into normal Windows operations. Moreover, the campaign’s modular design—combining UAC bypass, scheduled task persistence, and process injection—provides attackers with long-term, stealthy access to compromised endpoints. The ability to adapt these methods to other malware strains increases the risk of widespread adoption by financially motivated or espionage-focused threat actors. Organizations should prioritize endpoint detection and response (EDR) solutions capable of deep behavioral analysis, alongside user education on phishing tactics and stricter controls on legacy file type handling. This campaign serves as a warning that even outdated technologies remain potent attack vectors when reengineered by sophisticated threat actors.
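The folder-name and LOLBin tricks described above leave recognisable traces in process-creation telemetry. The following is an added example for this page, not code from the campaign write-up or from any vendor product: it triages constructed process-creation records for path components with trailing spaces, directories that mimic "C:\Windows", obsolete .pif executables, and PING.EXE used as a sleep timer.

```python
"""Triage process-creation records for the folder-name and LOLBin tricks
described above: path components with trailing spaces, mimicked system
directories such as "C:\\Windows ", obsolete .pif executables and PING.EXE
used as a sleep timer.

Added example for this page; it is not code from the campaign write-up or
from any vendor product, and the event records below are constructed, not
real telemetry.
"""
import re

# Directories that attackers mimic by appending whitespace; "C:\Windows " is a
# different folder from "C:\Windows" yet displays identically in most tooling.
PROTECTED_DIRS = ("windows", "program files", "program files (x86)")

# Legacy executable formats that modern users never launch deliberately.
LEGACY_EXECUTABLE_EXTS = (".pif", ".com", ".scr")


def split_windows_path(path):
    """Split on either separator without stripping whitespace, because the
    whitespace is exactly what we want to inspect."""
    return [p for p in re.split(r"[\\/]", path) if p != ""]


def find_path_anomalies(path):
    """Return human-readable reasons a path looks suspicious ([] if none)."""
    reasons = []
    parts = split_windows_path(path)
    for part in parts:
        if part in (".", ".."):
            continue
        stripped = part.rstrip(" .")
        if stripped != part:
            reasons.append("trailing space/dot in component %r" % part)
        if stripped.lower() in PROTECTED_DIRS and part.lower() not in PROTECTED_DIRS:
            reasons.append("component %r mimics a system directory" % part)
    if parts and parts[-1].lower().endswith(LEGACY_EXECUTABLE_EXTS):
        reasons.append("legacy executable format %r" % parts[-1])
    return reasons


# Matches "ping -n 30 127.0.0.1"-style loopback pings used purely as a delay.
PING_SLEEP = re.compile(r"-n\s+\d+.*(127\.0\.0\.1|localhost)", re.IGNORECASE)


def triage_events(events):
    """events: list of dicts with pid, image, parent_image, current_directory
    and command_line. Returns the records that were flagged, with reasons."""
    flagged = []
    for ev in events:
        reasons = []
        for field in ("image", "parent_image", "current_directory"):
            for reason in find_path_anomalies(ev.get(field, "")):
                reasons.append("%s: %s" % (field, reason))
        parts = split_windows_path(ev.get("image", ""))
        image_name = parts[-1].lower() if parts else ""
        if image_name == "ping.exe" and PING_SLEEP.search(ev.get("command_line", "")):
            reasons.append("command_line: PING.EXE to loopback with -n count used as a sleep")
        if reasons:
            flagged.append({"pid": ev["pid"], "image": ev["image"], "reasons": reasons})
    return flagged


# Constructed sample: one benign launch, one .pif staged from a mimicked
# directory, one delay loop, and one ordinary ping that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "current_directory": r"C:\Users\alice\Documents", "command_line": "notepad.exe"},
    {"pid": 4188, "image": r"C:\Users\alice\AppData\Local\Temp\FAKTURA.pif",
     "parent_image": r"C:\Windows\explorer.exe",
     "current_directory": r"C:\Windows \System32", "command_line": "FAKTURA.pif"},
    {"pid": 4201, "image": r"C:\Windows\System32\PING.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "current_directory": r"C:\Users\alice\AppData\Local\Temp",
     "command_line": "PING.EXE -n 30 127.0.0.1"},
    {"pid": 4230, "image": r"C:\Windows\System32\PING.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "current_directory": r"C:\Users\alice", "command_line": "ping -n 4 intranet.example"},
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit["pid"], hit["image"])
        for reason in hit["reasons"]:
            print("   ", reason)
```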
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:
- The Lists Engine lets UltraDDR customers bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine lets administrators build custom rules to augment and extend the other engines of UltraDDR.
Source: https://cybersecuritynews.com/hackers-use-pif-files-and-uac-bypass/
Hackers Exploiting Critical Langflow Vulnerability to Deploy Flodrix Botnet and Take System Control
(TLP: CLEAR) A critical vulnerability in the Langflow Python framework (CVE-2025-3248) has triggered an active exploitation campaign, allowing unauthenticated remote code execution via a single crafted POST request to the /api/v1/validate/code endpoint. This flaw affects all Langflow versions prior to 1.3.0 and has already led to widespread compromise of over 1,600 internet-facing servers, particularly in research clouds and start-up environments with default configurations. Threat actors are using the exploit to deploy the newly identified Flodrix botnet, which exhibits advanced evasion techniques, including forensic artifact wiping, deceptive process names, and a reinfection safeguard via a hidden .system_idle file. Once compromised, infected servers exhibit signs of high CPU usage and outbound traffic to Tor relays, indicating both DDoS potential and data exfiltration. The attack chain involves injecting Python code directly into Langflow’s worker process, spawning a downloader (/tmp/docker) to retrieve the main ELF payload. If root privileges are obtained, the malware establishes persistence through a systemd service named langflow-sync.service. Flodrix also implements an XOR-encoded C2 communication system and a built-in kill switch triggered by sending a specific packet to TCP port 6666. To mitigate, users must upgrade to v1.3.0, restrict public exposure of the vulnerable endpoint, and monitor for abnormal traffic or unauthorized services. This campaign demonstrates the dangers of insecure AI tooling and highlights how malicious actors exploit rapid adoption cycles to weaponize unpatched systems.
(TLP: CLEAR) Comments: The exploitation of CVE-2025-3248 in Langflow highlights how threat actors are targeting undersecured AI platforms to build DDoS botnets. The newly observed Flodrix malware leverages this vulnerability to gain remote code execution and persistence on vulnerable Langflow instances, many of which reside in high-bandwidth cloud environments. Once compromised, these nodes are repurposed for DDoS operations, exhibiting CPU spikes and outbound traffic to Tor relays shortly after infection. Flodrix’s design suggests clear intent for scalable DDoS use: it avoids reinfecting controlled hosts, uses process name obfuscation, and includes a self-delete routine to reduce forensic visibility. Its presence across over 1,600 internet-facing servers poses a significant threat, as compromised AI infrastructure can be transformed into effective DDoS launchpads. Organizations must urgently patch to Langflow v1.3.0 and restrict public access to mitigate the risk of these systems becoming enablers of disruptive attacks in larger campaigns.
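The exposure and compromise indicators the report names (version below 1.3.0, a public /api/v1/validate/code endpoint, langflow-sync.service, /tmp/docker, a hidden .system_idle file, a listener on TCP 6666) can be checked mechanically. The following is an added example for this page, not code from Langflow or from the reporting vendor; it evaluates inventory snapshots passed in as plain data, and the snapshots shown are constructed.

```python
"""Assess a Langflow host against the exposure and compromise indicators named
in the report: a version below 1.3.0, public reachability of
/api/v1/validate/code, the langflow-sync.service persistence unit, the
/tmp/docker downloader, the hidden .system_idle marker and a listener on the
TCP 6666 kill-switch port.

Added example for this page, not code from Langflow or from the reporting
vendor. It works on inventory snapshots passed in as plain data so it runs
offline; the snapshots below are constructed. Feeding it real data from your
own inventory or EDR tooling is left to the reader.
"""
import re

PATCHED_VERSION = (1, 3, 0)
VALIDATE_ENDPOINT = "/api/v1/validate/code"
PERSISTENCE_UNIT = "langflow-sync.service"
DOWNLOADER_PATH = "/tmp/docker"
REINFECTION_MARKER = ".system_idle"
KILL_SWITCH_PORT = 6666


def parse_version(text):
    """Extract MAJOR.MINOR.PATCH from strings such as '1.2.0' or
    'langflow 1.3.0rc1' (pre-release suffixes are ignored); None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable_version(text):
    """True when the version is known and older than the fixed release."""
    v = parse_version(text)
    return v is not None and v < PATCHED_VERSION


def assess_host(snapshot):
    """snapshot keys: langflow_version (str), endpoint_public (bool),
    systemd_units (list of unit names), files (list of absolute paths),
    listening_ports (list of int). Returns [(severity, message), ...]."""
    findings = []
    version = snapshot.get("langflow_version", "")
    if is_vulnerable_version(version):
        findings.append(("high", "Langflow %s predates 1.3.0 (CVE-2025-3248)" % version))
    if snapshot.get("endpoint_public"):
        findings.append(("high", "%s reachable from untrusted networks" % VALIDATE_ENDPOINT))
    if PERSISTENCE_UNIT in snapshot.get("systemd_units", []):
        findings.append(("critical", "persistence unit %s installed" % PERSISTENCE_UNIT))
    for path in snapshot.get("files", []):
        if path == DOWNLOADER_PATH:
            findings.append(("critical", "downloader artefact at %s" % path))
        elif path.rsplit("/", 1)[-1] == REINFECTION_MARKER:
            findings.append(("critical", "reinfection marker at %s" % path))
    if KILL_SWITCH_PORT in snapshot.get("listening_ports", []):
        findings.append(("medium", "listener on TCP %d (kill-switch port)" % KILL_SWITCH_PORT))
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or 'none' when there are none."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


# Constructed snapshots: a patched, internal-only deployment and a host that
# shows every indicator from the report (unit names, paths and the 7860
# service port are stand-ins chosen for the demo).
CLEAN_HOST = {
    "langflow_version": "1.3.0", "endpoint_public": False,
    "systemd_units": ["ssh.service", "langflow.service"],
    "files": ["/opt/langflow/.env"], "listening_ports": [22, 7860],
}
INFECTED_HOST = {
    "langflow_version": "1.2.0", "endpoint_public": True,
    "systemd_units": ["ssh.service", "langflow.service", PERSISTENCE_UNIT],
    "files": ["/opt/langflow/.env", DOWNLOADER_PATH, "/root/.system_idle"],
    "listening_ports": [22, 7860, KILL_SWITCH_PORT],
}

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        findings = assess_host(snap)
        print(name, worst_severity(findings))
        for severity, message in findings:
            print("  [%s] %s" % (severity, message))
```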
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”
Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine if the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole.
Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://cybersecuritynews.com/hackers-exploiting-critical-langflow-vulnerability/
Forminator Plugin Flaw Exposes WordPress Sites to Takeover Attacks
(TLP: CLEAR) A high-severity vulnerability (CVE-2025-6463) has been discovered in the Forminator Forms WordPress plugin, affecting all versions up to 1.44.2. With over 600,000 active installations, this plugin is widely used for building and embedding form-based content. The flaw allows unauthenticated attackers to delete arbitrary files on the server due to insufficient validation and insecure backend logic. Specifically, attackers can craft malicious file input data that targets critical WordPress core files, such as wp-config.php. If this file is deleted—either manually by an admin or automatically by the plugin’s submission cleanup routine—the WordPress site enters a setup state, enabling attackers to hijack the site by linking it to a malicious database. The vulnerability was responsibly disclosed by researcher Phat RiO – BlueRock, earning an $8,100 bug bounty from Wordfence, who coordinated the fix with plugin developer WPMU DEV. A patch was issued on June 30, 2025, in version 1.44.3, adding file path restrictions and proper field validation. Although no active exploitation has been reported, the public disclosure and ease of exploitation increase the urgency for users to update or temporarily deactivate the plugin to prevent possible compromise.
(TLP: CLEAR) Comments: The discovery of CVE-2025-6463 in the Forminator WordPress plugin underscores the persistent risk that insecure input validation poses to widely deployed web applications. With over 600,000 active installations, Forminator’s reach makes this a particularly attractive target for malicious actors. The ability for unauthenticated users to craft malicious form submissions that trigger arbitrary file deletion—especially targeting critical configuration files like wp-config.php—represents a significant escalation path from low-level access to full site takeover. This vulnerability is especially dangerous because it can be exploited indirectly through normal plugin behavior (e.g., auto-deletion of form submissions), reducing the visibility of an attack until it is too late. Once a WordPress site enters its installation setup phase, an attacker can easily reconnect it to a rogue database, essentially assuming administrative control. Although there are no current reports of widespread exploitation, the detailed public disclosure and low technical barrier to weaponization make exploitation likely, especially by opportunistic threat actors or botnets scanning for outdated plugins. Additionally, this flaw highlights the continued need for WordPress site administrators to implement layered security—such as file integrity monitoring, web application firewalls, and routine plugin audits. It also reinforces the importance of rapid patch adoption across large plugin user bases to minimize the window of exposure after vulnerability disclosure.
(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, sits in front of web applications to protect them against a variety of attacks such as SQLi, XSS, and CSRF. It also integrates bot protections to stop bots and application-layer DDoS attacks.
Hacktivist Group Claimed Attacks Across 20+ Critical Sectors Following Iran–Israel Conflict
(TLP: CLEAR) The escalating Iran-Israel conflict has catalyzed one of the largest hacktivist cyber offensives to date, with over 80 hacktivist groups launching coordinated attacks across 18 critical infrastructure sectors following Israeli strikes on Iranian military and nuclear sites in June 2025. Pro-Iranian and pro-Palestinian collectives have targeted Israeli government services, defense contractors, energy grids, financial systems, and emergency networks using a range of attack vectors, including distributed denial-of-service (DDoS), data theft, ransomware, and industrial control system (ICS) intrusions. Groups like GhostSec, Dark Storm Team, Arabian Ghosts, and Mr Hamza have claimed responsibility for major breaches, extending their capabilities beyond typical web defacements to include advanced persistent threats, ICS targeting, and psychological operations such as doxxing. Analysts observed unprecedented coordination among these groups, involving shared malware, tools, and intelligence. Notably, GhostSec claims to have compromised numerous industrial systems, including over 100 Modbus PLCs and VSAT devices. Custom malware such as GhostLocker ransomware, GhostStealer, and IOControl—with ICS wiper and AI-assisted exploit modules—underscore the campaign’s technical depth. The use of DDoS tools like Abyssal DDoS V3 and the Arthur C2 infrastructure blurs lines between hacktivism and state-backed cyber warfare, raising serious concerns about attribution, escalation, and the resilience of critical infrastructure under geopolitical cyber pressure.
(TLP: CLEAR) Comments: The cyber onslaught following the June 2025 Israel-Iran conflict marks a shift from isolated hacktivism to coordinated, state-aligned cyber warfare. Groups like GhostSec and Dark Storm Team targeted Israeli critical infrastructure using advanced malware—GhostLocker, IOControl, and AI-assisted ICS exploits. These operations, including Modbus PLC and VSAT compromises, reflect deep operational knowledge and possible Iranian state support. Notably, the campaign blended cyber and psychological warfare, with doxxing and media manipulation amplifying impact. The collaboration among hacktivist collectives and deployment of nation-grade tools highlight a growing threat convergence, underscoring the need for enhanced cyber-physical defense strategies amid escalating regional hostilities.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”
NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Vercara’s UltraDDoS Protect.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a complement to anti-virus and Endpoint Detection and Response (EDR) agents to reduce the total amount of malware infections.
Vercara UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.
Source: https://cybersecuritynews.com/hacktivist-group-claimed-attacks-across-20-critical-sectors/
Pro-Russian Hackers Making New Alliances to Launch High-Profile Attacks
(TLP: CLEAR) Since early 2025, pro-Russian hacktivist activity has intensified, evolving into a highly coordinated and technically sophisticated threat to Western critical infrastructure. Following the decline of KillNet, newer groups like the IT Army of Russia, TwoNet, and NoName057(16) have emerged, forming strategic alliances to conduct advanced campaigns across Europe and North America. Notably, the #OpLithuania operation in May 2025 involved seven hacktivist groups targeting Lithuanian financial and government systems after the country supported stronger sanctions against Russia. These campaigns now mirror state-sponsored operations, employing distributed denial-of-service (DDoS) attacks, SQL injection, and targeted industrial control system (ICS) exploits. NoName057(16)’s DDoSia platform exemplifies this shift, incentivizing crowdsourced attacks via cryptocurrency and using Go-based clients to coordinate high-volume assaults. In one instance, a record-setting 7.3 Tbps DDoS attack was recorded. Beyond DDoS, hacktivists have demonstrated the capability to disrupt operational technology, including compromising water treatment systems, underscoring the growing convergence of hacktivism and state-aligned cyber warfare tactics.
(TLP: CLEAR) Comments: The recent surge in pro-Russian hacktivist activity marks a significant evolution in the threat landscape, as loosely organized groups adopt tactics and tools traditionally associated with state-sponsored operations. The emergence of entities like IT Army of Russia and TwoNet—operating in concert with established collectives such as NoName057(16)—demonstrates a more structured and technically capable adversary ecosystem. These groups are no longer limited to surface-level disruptions like website defacements; instead, they now engage in high-impact operations including SQL injection, ICS targeting, and large-scale DDoS attacks. Their collaboration on campaigns such as #OpLithuania shows a new level of operational coordination, with attacks carefully timed in response to geopolitical developments. The DDoSia platform, developed by NoName057(16), is especially concerning. It gamifies participation, tracks volunteer activity, and reportedly incentivizes top contributors with cryptocurrency, thereby crowdsourcing cyberattacks at scale. Open source reporting indicates that one such campaign in May 2025 reached 7.3 Tbps—one of the largest recorded DDoS attacks to date. The ability to manipulate operational technology environments, including water treatment and critical infrastructure, underscores an alarming trend toward physical impact. As this convergence between hacktivist motivation and state-aligned capabilities accelerates, it challenges conventional defenses and demands enhanced attribution efforts, improved interagency coordination, and proactive infrastructure resilience planning.
(TLP: CLEAR) Recommended best practices/regulations: UK National Cyber Security Centre “Denial of Service (DoS) Guidance”: We recommend that you:
- Understand the denial-of-service mitigations that your ISP has in place on your account. If additional mitigations are available, decide whether you want them enabled on your account, or the circumstances under which you could deploy them if an attack was threatened. Examine the service’s SLA for details of any mitigation.
- Look into third-party DDoS mitigation services that can be used to protect against network traffic-based attacks.
- Consider deploying a Content Delivery Network for web-based services.
- Understand when and how your service provider might limit your network access in order to protect their other customers.
- Consider using multiple service providers for some functionality.
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premises hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Vercara’s array of DDoS Protection services includes blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.
Source: https://cybersecuritynews.com/pro-russian-hackers-making-new-alliances/
Traffic Light Protocol (TLP)
Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.