Vercara’s Open-Source Intelligence (OSINT) Report – May 23 – May 29, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

HTTPBOT: Advanced DDoS Malware Emerges as New Threat to Windows-Based Organizations

(TLP: CLEAR) The HTTPBot malware represents a significant change in DDoS botnet architecture and has emerged as a threat in 2025. First observed in August 2024, HTTPBot’s activity surged in April 2025, marking a departure from traditional Linux and IoT-focused botnets toward precision targeting of Windows systems. Developed in GoLang, the malware employs sophisticated application-layer attack methodologies that pose substantial risks to gaming companies, educational institutions, and technology firms globally. The malware ensures operational persistence through strategic Windows registry modifications, enabling automatic execution following system reboots and maintaining long-term access to compromised systems. HTTPBot’s design looks to exhaust server resources by utilizing randomized HTTP headers, dynamic URL paths, and sophisticated cookie manipulation to mimic legitimate browser behavior. This represents a tactical shift from overwhelming volumetric flooding to precision application exhaustion. Since April 2025, cybersecurity professionals have documented over 200 distinct HTTPBot attack campaigns against gaming, technology, and education sites, using HTTP-based attacks that closely mimic real browser traffic. The botnet demonstrates temporal consistency in its operations, maintaining attack activity distributed throughout 24-hour periods. Rather than deploying traditional high-volume traffic floods, HTTPBot employs surgical strike methodologies that target critical infrastructure components including payment processing systems and authentication mechanisms.
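The traits the report attributes to HTTPBot (many requests per source, randomized URL paths, rotating headers that imitate different browsers) are also what a defender can key on in web server logs. The following is an added example written for this report, not code from the original article or from any analysis of the malware: it parses combined-format access log lines and flags sources whose request volume, path randomization and User-Agent churn all exceed assumed thresholds. All log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Added example (not from the Vercara report): score access-log sources for
application-layer flood behaviour: high request count from one source,
near-unique paths per request, and a User-Agent that changes per request.
Every log line below is constructed sample data; thresholds are assumptions."""
import re
from collections import defaultdict

# Combined log format with a trailing quoted User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one randomizing source, one ordinary user, one crawler.
SAMPLE_LOG = """\
198.51.100.23 - - [27/May/2025:10:00:00 +0000] "GET /login?x=ab12 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
198.51.100.23 - - [27/May/2025:10:00:00 +0000] "POST /checkout/7f3a HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1"
198.51.100.23 - - [27/May/2025:10:00:01 +0000] "GET /api/pay?t=9c HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
198.51.100.23 - - [27/May/2025:10:00:01 +0000] "GET /login?x=q8z1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0"
198.51.100.23 - - [27/May/2025:10:00:01 +0000] "POST /checkout/b0d4 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1"
198.51.100.23 - - [27/May/2025:10:00:02 +0000] "GET /api/auth?s=k2 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Android 14) Chrome/124.0"
203.0.113.7 - - [27/May/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
203.0.113.7 - - [27/May/2025:10:00:09 +0000] "GET /login HTTP/1.1" 200 512 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
203.0.113.7 - - [27/May/2025:10:00:15 +0000] "POST /login HTTP/1.1" 302 0 "https://shop.example/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
192.0.2.50 - - [27/May/2025:10:01:00 +0000] "GET /products/1 HTTP/1.1" 200 900 "-" "ExampleCrawler/1.0"
192.0.2.50 - - [27/May/2025:10:01:01 +0000] "GET /products/2 HTTP/1.1" 200 900 "-" "ExampleCrawler/1.0"
192.0.2.50 - - [27/May/2025:10:01:02 +0000] "GET /products/3 HTTP/1.1" 200 900 "-" "ExampleCrawler/1.0"
192.0.2.50 - - [27/May/2025:10:01:03 +0000] "GET /products/4 HTTP/1.1" 200 900 "-" "ExampleCrawler/1.0"
192.0.2.50 - - [27/May/2025:10:01:04 +0000] "GET /products/5 HTTP/1.1" 200 900 "-" "ExampleCrawler/1.0"
192.0.2.50 - - [27/May/2025:10:01:05 +0000] "GET /products/6 HTTP/1.1" 200 900 "-" "ExampleCrawler/1.0"
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def score_sources(lines, min_requests=5, path_ratio=0.8, ua_ratio=0.5):
    """Per source IP: request count, fraction of unique paths, fraction of unique
    User-Agents, and a 'suspicious' flag when all three assumed thresholds are met.
    In production these counts would be taken per time window, not over a whole file."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        n = len(recs)
        unique_paths = len({r["path"] for r in recs}) / n
        unique_uas = len({r["ua"] for r in recs}) / n
        report[ip] = {
            "requests": n,
            "unique_path_ratio": round(unique_paths, 2),
            "unique_ua_ratio": round(unique_uas, 2),
            # A crawler randomizes paths but keeps one UA; a human keeps both stable.
            "suspicious": n >= min_requests
            and unique_paths >= path_ratio
            and unique_uas >= ua_ratio,
        }
    return report


def suspicious_sources(lines, **thresholds):
    """Sorted list of source IPs flagged by score_sources."""
    return sorted(ip for ip, s in score_sources(lines, **thresholds).items() if s["suspicious"])


if __name__ == "__main__":
    for ip, s in score_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, s)
    print("flagged:", suspicious_sources(SAMPLE_LOG.splitlines()))
```

Run as-is, only the randomizing source is flagged: the crawler rotates paths but not its User-Agent, and the ordinary user does neither, which is the distinction the report draws between browser-mimicking application-layer floods and ordinary traffic. The thresholds are starting points, not tuned values.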

(TLP: CLEAR) Comments: HTTPBot’s emergence represents a strategic pivot in the DDoS threat landscape, suggesting threat actors are adapting to improved IoT security measures by targeting the vast Windows ecosystem. The timing of HTTPBot’s April 2025 operational surge coincides with increased global scrutiny of IoT botnets, indicating potential threat actor migration toward more persistent attack vectors. HTTPBot’s sophisticated evasion capabilities indicate access to advanced development resources and potential commercial distribution. The malware’s capabilities suggest ongoing development cycles, raising concerns about future capability expansion, including potential data exfiltration or even ransomware deployment modules. Most concerning is HTTPBot’s registry persistence mechanism, which transforms each compromised Windows system into a long-term strategic asset rather than a temporary attack vector. This approach mirrors advanced persistent threat (APT) methodologies, blurring traditional distinctions between cybercriminal botnets and nation-state operations. Organizations should anticipate HTTPBot variants incorporating additional persistence mechanisms and anti-forensic capabilities in future iterations. Widespread HTTPBot infection creates the infrastructure necessary for large-scale coordinated DDoS campaigns in future operations.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected”; Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Vercara’s UltraDDoS Protect.
Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is incredibly fast response against DDoS trouble when you need it most. Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.

Source: https://cybersecurefox.com/en/httpbot-ddos-malware-windows-systems-threat/

Why the Record-Breaking Number of Cyberattacks Could Be a Prelude to the ‘Big One’

(TLP: CLEAR) The Aisuru botnet represents a significant evolution in cyber warfare, wielding unprecedented power to disrupt digital infrastructure on a global scale. Unlike its predecessors, Aisuru does not merely rely on brute-force volumetric attacks; instead, it employs complex, multi-layered techniques, including randomized UDP flooding, stealthy HTTP request manipulation, and adaptive traffic patterns, to evade conventional defenses. This botnet, composed of hundreds of thousands of compromised IoT devices, infiltrates networks through default credentials and unpatched vulnerabilities, transforming everyday consumer electronics into components of a botnet. The botnet’s record-breaking attack volumes and sophisticated evasion techniques position it as a critical threat to global digital infrastructure, requiring enhanced defensive strategies across multiple industries.

(TLP: CLEAR) Comments: The Aisuru botnet has potentially emerged as one of the largest botnets seen to date, reportedly larger than Mirai. If so, it is capable of launching record-breaking DDoS attacks. Aisuru is ten times more powerful than the infamous Mirai botnet that disrupted global networks in 2016. It consists of hundreds of thousands of hijacked IoT devices, including smart fridges, security cameras, and routers, exploited via default passwords and software vulnerabilities. Cybercriminals are renting Aisuru on illicit forums for as little as $150 per day, enabling widespread attacks. This indicates that DDoS services are becoming more available than they were in the past. Companies and organizations should look for safeguard measures to protect against DDoS attacks. With the current trends, UDP floods are becoming larger and shorter in duration.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.

Source: https://www.the-independent.com/tech/cyber-attacks-big-one-aisuru-botnet-b2755263.html

Russian Hacker Group Killnet Returns with New Identity

(TLP: CLEAR) The Russian hacker group Killnet has resurfaced after months of inactivity, reportedly claiming responsibility for a cyberattack on Ukraine’s drone-tracking system. Though the operation was heavily promoted in Russian media, its legitimacy remains unverified by independent analysts. The group’s reappearance coincided with Victory Day, a significant date in Russian propaganda, suggesting the event may be part of a broader information operation. Killnet’s return may signal a strategic rebranding, transitioning from ideologically driven hacktivism to a profit-oriented cybercriminal operation. This transformation has been marked by a leadership change following the exposure of its founder, KillMilk, in late 2023. Leadership was transferred to the Deanon Club, a group focused on anti-drug trafficking, whose administrator “BTC” allegedly bought Killnet’s assets. The move led to internal dissent and the departure of original members, weakening the group’s operational capacity. Under BTC’s leadership, Killnet appears to have shifted toward hack-for-hire services and criminal revenue generation, while maintaining a hacktivist veneer. This evolution has caused ideological rifts, leading to the creation of politically motivated splinter groups like KillNet 2.0 and Just Evil. Analysts describe Killnet as a fragmented, decentralized collective that reflects a broader trend in cybercriminal circles: repeated cycles of rebranding, splintering, and reactivation under familiar names to maintain influence and visibility. While the group’s current structure and true affiliations remain opaque, experts agree that Killnet’s activities have not ceased but mutated driven increasingly by financial gain over political loyalty.

(TLP: CLEAR) Comments: Killnet’s recent reappearance marks a significant evolution in its threat profile. Since emerging in early 2023, the group has been tracked by Vercara for its sustained and visible DDoS campaigns, initially targeting Western institutions in alignment with Russian geopolitical interests. These early attacks—often rudimentary in nature—relied heavily on borrowed botnets and aimed to generate psychological disruption more than technical damage. The group’s reactivation in May 2025, timed with Russia’s Victory Day, suggests a renewed focus on information warfare, possibly designed to support ongoing disinformation and influence campaigns amid U.S.-Russia-Ukraine negotiations. Vercara has noted Killnet’s pivot from overt hacktivism to a more mercenary model under new leadership, with claims of access to sensitive Ukrainian military systems—though unverified—underscoring this shift. Killnet’s transition is emblematic of a broader trend among cyber threat groups: rebranding, splintering, and resurfacing under familiar names to exploit brand recognition. This tactic complicates attribution and allows for flexibility in operations and targeting. The group’s monetization efforts, including hack-for-hire services and darknet campaigns, have alienated original pro-Kremlin supporters but expanded its criminal relevance. While its technical capabilities remain limited, Killnet’s operational fragmentation and dual-use branding increase the complexity of detection and response. Vercara assesses that the group’s history of DDoS attacks, combined with its evolving tactics, makes it a persistent threat, particularly during geopolitical flashpoints. Organizations should continue to employ layered defenses, including robust DDoS mitigation and threat intelligence, to defend against both ideological and profit-driven cyber actors leveraging the Killnet identity.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those located within NATO and allies, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.

Vercara UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale.

Source: https://therecord.media/russian-hacker-group-killnet-returns-with-new-identity

Cybercriminals Exploit AI Hype to Spread Ransomware, Malware

(TLP: CLEAR) Cybercriminals are increasingly leveraging the widespread interest in artificial intelligence tools to distribute malicious software, with several new ransomware and malware families emerging that specifically target users seeking AI applications. This trend represents an evolution of tactics that began with advanced threat actors using deepfake content generators as infection vectors. Researchers have identified three distinct malicious campaigns exploiting AI tool popularity.

CyberLock ransomware operates through a sophisticated impersonation scheme, creating a fake website (novaleadsai[.]com) that mimics the legitimate novaleads.app service. The attackers entice victims with offers of free 12-month subscriptions to AI tools. Once users download what they believe is legitimate software, they receive a .NET loader that deploys PowerShell-based ransomware. The malware encrypts files across multiple disk partitions, appending a .cyberlock extension to locked files. Victims face a $50,000 ransom demand payable in Monero cryptocurrency, with attackers claiming the funds will support humanitarian causes in Palestine, Ukraine, Africa, and Asia.

Lucky_Gh0$t ransomware is a new variant derived from the Yashma ransomware family, which itself originated from Chaos ransomware. This threat is distributed through fake ChatGPT installers branded as “ChatGPT 4.0 full version – Premium.exe” packaged within self-extracting archives. To evade detection, the malicious package includes legitimate Microsoft open-source AI tools alongside the ransomware payload. The malware targets files smaller than 1.2GB for encryption, appending random four-character extensions, while larger files are replaced with junk data and deleted. Victims receive personalized identification numbers and must contact attackers through the secure messaging platform Session for ransom negotiations.

Numero malware takes a different approach by masquerading as an InVideo AI installer. Rather than encrypting or stealing data, this malware focuses on system disruption. It deploys through a dropper containing batch files, VB scripts, and an executable called wintitle.exe. The malware operates in an infinite loop, continuously corrupting the Windows graphical user interface by overwriting window titles, buttons, and content with the numeric string “1234567890.” While no data is destroyed, the constant corruption renders infected systems completely unusable, effectively “locking” them in a visually corrupted state.

These malicious campaigns primarily rely on search engine optimization (SEO) poisoning and malvertising techniques to achieve high rankings in search results for AI-related terms. This strategy exploits users’ tendency to trust top search results and their eagerness to access new AI tools and services.

(TLP: CLEAR) Comments: The use of SEO poisoning means that malicious sites are going to appear at the top of search results, making them seem legitimate. Cybercriminals are essentially opportunistic – they go where people’s attention and interest are focused because that’s where they can find the most victims. Right now, AI is the top trend, with millions of people actively searching for and trying new AI tools. The trend highlights how cybercriminals continuously evolve their techniques to exploit current technological interests and user behaviors. Numero, Cyberlock, and Lucky_Gh0$t demonstrate various ways to manipulate users such as fake installers and websites. Companies and Organizations should raise awareness and use safe online practices which are essential for protection against these emerging threats.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

  • Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
  • Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
  • Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
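Two of the PDNS categorization ideas quoted above, brand lookalikes (the CyberLock campaign’s novaleadsai[.]com standing in for the real novaleads.app) and DGA-style labels with high character entropy, can be approximated with a few lines of code over DNS query logs. The following is an added example written for this report; it is not code from the article, from CISA’s guidance, or from any Vercara product. The brand watch-list (only novaleads comes from the report), the entropy and length thresholds, and the query log lines are constructed assumptions.

```python
"""Added example (not from the Vercara report or CISA's PDNS guidance): triage
DNS query log lines for brand-lookalike labels and high-entropy, DGA-style
labels. Watch-list entries other than 'novaleads', all thresholds, and the
sample log lines are constructed assumptions."""
import math
import re

# Assumed brand watch-list of registrable labels. 'novaleads' is the brand the
# report's CyberLock campaign impersonated; 'examplebank' is a placeholder.
WATCHLIST = ("novaleads", "examplebank")

QUERY_RE = re.compile(r"qname=(\S+)")

# Constructed resolver log lines (timestamp, client, queried name, type).
SAMPLE_QUERIES = """\
2025-05-27T09:12:01Z client=10.0.0.21 qname=novaleadsai.com qtype=A
2025-05-27T09:12:05Z client=10.0.0.21 qname=novaleads.app qtype=A
2025-05-27T09:13:40Z client=10.0.0.33 qname=x7k2q9f4m1pz.net qtype=A
2025-05-27T09:14:02Z client=10.0.0.33 qname=www.example.com qtype=A
"""


def undefang(domain):
    """Turn a defanged indicator such as novaleadsai[.]com back into a hostname."""
    return domain.lower().rstrip(".").replace("[.]", ".")


def registrable_label(domain):
    """Second-level label; naive, ignores multi-part public suffixes such as co.uk."""
    parts = undefang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Character entropy in bits; the 'high entropy' attribute named in the CISA text."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def levenshtein(a, b):
    """Edit distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, watchlist=WATCHLIST, entropy_threshold=3.5, min_len=12):
    """Return 'lookalike:<brand>', 'dga-like', or 'unflagged' for one queried name."""
    label = registrable_label(domain)
    if label in watchlist:
        return "unflagged"  # the genuine brand label itself
    for brand in watchlist:
        # Brand embedded in a longer label (novaleads -> novaleadsai) or within two edits.
        if brand in label or levenshtein(label, brand) <= 2:
            return f"lookalike:{brand}"
    # Short labels are excluded: entropy is only meaningful on longer strings.
    if len(label) >= min_len and shannon_entropy(label) >= entropy_threshold:
        return "dga-like"
    return "unflagged"


def triage(log_lines, watchlist=WATCHLIST):
    """List of (hostname, verdict) for every flagged query in the log lines."""
    flagged = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group(1), watchlist)
        if verdict != "unflagged":
            flagged.append((undefang(m.group(1)), verdict))
    return flagged


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_QUERIES.splitlines()):
        print(f"{host}: {verdict}")
```

The genuine novaleads.app passes because its label matches the watch-list exactly, the impersonating name is caught by containment, and the twelve-character random label is caught by entropy alone. A real PDNS service layers threat-intelligence feeds on top of heuristics like these; the heuristics here are illustrative, and the entropy threshold in particular will produce false positives on legitimate CDN and tracking hostnames.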

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.

Source: https://www.bleepingcomputer.com/news/security/cybercriminals-exploit-ai-hype-to-spread-ransomware-malware/

New PumaBot Botnet Brute Forces SSH Credentials to Breach Devices

(TLP: CLEAR) A newly discovered Go-based Linux botnet malware called PumaBot is conducting sophisticated brute-force attacks against SSH credentials on embedded IoT devices, particularly targeting surveillance and traffic camera systems from Pumatronix vendors. Unlike typical botnets that scan broadly across the internet, PumaBot operates with precision by receiving specific target IP lists from its command-and-control server (ssh.ddos-cc[.]org) and then systematically attempting SSH login attacks on port 22. Once successful access is gained, the malware performs environment checks to avoid honeypots, deploys its main binary called “jierui” to /lib/redis, and establishes persistence through a systemd service called redis.service. The botnet maintains long-term access by injecting its own SSH key into the authorized_keys file and deploys additional malicious payloads including PAM rootkits that harvest SSH login credentials, storing them in a text file (con.txt) that is continuously monitored and exfiltrated by a watcher daemon before being wiped to eliminate traces. This approach enables PumaBot to collect credentials for lateral movement and deeper corporate network infiltration rather than using infected devices for typical low-grade cybercrime activities like DDoS attacks, making it particularly dangerous for organizations with IoT surveillance systems that could serve as entry points into critical infrastructure.
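The PumaBot chain described above leaves evidence in two places a defender already controls: the SSH daemon’s authentication log (a burst of failures from one source followed by a success) and the host’s own persistence surfaces (the systemd unit, the staging directory and the authorized_keys file the report names). The following is an added example written for this report, not code from the article or from the research it summarizes: it parses auth-log lines for brute-force-then-success, audits a unit file for the /lib/redis and “jierui” indicators quoted above, and diffs authorized_keys against an approved baseline. Every log line, unit file, key blob and hostname is constructed sample data.

```python
"""Added example (not from the Vercara report or the PumaBot research): three
host-side checks for the behaviour the report describes. All sample log lines,
the unit file, the key blobs and the baseline are constructed data."""
import re

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")

# Indicators quoted from the report: staging directory and main binary name.
IOC_PATH_PREFIX = "/lib/redis"
IOC_BINARY = "jierui"

# Constructed sshd log excerpt: one source brute forces root, one user mistypes once.
SAMPLE_AUTH = """\
May 27 10:00:01 cam01 sshd[812]: Failed password for invalid user admin from 198.51.100.77 port 40001 ssh2
May 27 10:00:02 cam01 sshd[813]: Failed password for invalid user admin from 198.51.100.77 port 40002 ssh2
May 27 10:00:03 cam01 sshd[814]: Failed password for root from 198.51.100.77 port 40003 ssh2
May 27 10:00:04 cam01 sshd[815]: Failed password for root from 198.51.100.77 port 40004 ssh2
May 27 10:00:05 cam01 sshd[816]: Failed password for root from 198.51.100.77 port 40005 ssh2
May 27 10:00:06 cam01 sshd[817]: Failed password for root from 198.51.100.77 port 40006 ssh2
May 27 10:00:09 cam01 sshd[819]: Accepted password for root from 198.51.100.77 port 40007 ssh2
May 27 10:05:00 cam01 sshd[830]: Failed password for ops from 203.0.113.9 port 50010 ssh2
May 27 10:05:03 cam01 sshd[830]: Accepted publickey for ops from 203.0.113.9 port 50010 ssh2
May 27 10:10:00 cam01 sshd[845]: Accepted publickey for ops from 10.0.0.5 port 50020 ssh2
"""

# Constructed unit file shaped like the persistence the report describes.
SAMPLE_UNIT = """\
[Unit]
Description=redis

[Service]
ExecStart=/lib/redis/jierui
Restart=always

[Install]
WantedBy=multi-user.target
"""

# Constructed authorized_keys: an approved key and one that is not in the baseline.
SAMPLE_KEYS = """\
# ops team key
ssh-ed25519 AAAAexampleBaselineKeyBlob admin@ops
ssh-rsa AAAAconstructedInjectedBlob
"""
BASELINE_BLOBS = {"AAAAexampleBaselineKeyBlob"}


def brute_force_then_success(lines, threshold=5):
    """{source_ip: failures} for sources that failed >= threshold times before a success."""
    failures, hits = {}, {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            ip = m.group(2)
            failures[ip] = failures.get(ip, 0) + 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            ip = m.group(2)
            if failures.get(ip, 0) >= threshold:
                hits[ip] = failures[ip]
    return hits


def audit_unit(unit_name, unit_text):
    """Findings for ExecStart lines that run from the reported staging path or binary."""
    findings = []
    for line in unit_text.splitlines():
        if not line.startswith("ExecStart="):
            continue
        # systemd allows prefix characters such as '-' or '@' before the executable path.
        exe = line.split("=", 1)[1].strip().split()[0].lstrip("-+!@:")
        if exe.startswith(IOC_PATH_PREFIX + "/") or exe == IOC_PATH_PREFIX:
            findings.append(f"{unit_name}: ExecStart under {IOC_PATH_PREFIX}")
        if exe.rsplit("/", 1)[-1] == IOC_BINARY:
            findings.append(f"{unit_name}: ExecStart runs {IOC_BINARY}")
    return findings


def unexpected_keys(authorized_keys_text, baseline_blobs):
    """Key blobs present in authorized_keys but absent from the approved baseline."""
    unexpected = []
    for line in authorized_keys_text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        # Options may precede the key type; locate the type token, the blob follows it.
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                blob = parts[i + 1] if i + 1 < len(parts) else ""
                if blob and blob not in baseline_blobs:
                    unexpected.append(blob)
                break
    return unexpected


if __name__ == "__main__":
    print("brute force then success:", brute_force_then_success(SAMPLE_AUTH.splitlines()))
    print("unit findings:", audit_unit("redis.service", SAMPLE_UNIT))
    print("unexpected keys:", unexpected_keys(SAMPLE_KEYS, BASELINE_BLOBS))
```

The first check is the one worth wiring into alerting on camera and other embedded hosts that forward syslog, because a success after a burst of failures is rare for legitimate users and exactly what credential brute forcing produces. The unit and key audits are point-in-time indicator checks; they catch the specific persistence the report describes, not variants that change the path or service name, so the authorized_keys baseline comparison is the more durable of the two.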

(TLP: CLEAR) Comments: PumaBot represents a significant shift from traditional botnet behavior. Instead of using compromised devices for immediate monetization through DDoS attacks or cryptocurrency mining, it’s designed as a reconnaissance and lateral movement platform. This suggests cybercriminals are adopting more sophisticated, long-term strategies focused on high-value targets rather than quick profits. The targeting of surveillance cameras is particularly concerning because these devices often exist at the intersection of physical and digital security. Compromised surveillance systems could provide attackers with visual intelligence about facilities, disable security monitoring, or serve as pivot points into corporate networks that may have different security controls than typical IT infrastructure. This behavior underscores why IoT devices should never be deployed on the same network segments as critical business systems. The botnet’s clear intent for lateral movement makes proper network isolation a critical defense rather than just a best practice.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.3: Anti-malware mechanisms and processes are active, maintained, and monitored.

  • The anti-malware solution(s) is kept current via automatic updates.
  • The anti-malware solution(s) either:
      • Performs periodic scans and active or real-time scans, OR
      • Performs continuous behavioral analysis of systems or processes.

If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. Regular updating of anti-malware definitions and performing periodic scans requires processing and disk input/output. As a result, most updates and scans happen overnight, resulting in a detection gap of up to several days depending on the type of device. Protective DNS solutions are able to update their detection rules in real-time and provide support for network-based behavioral analytics.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.

Source: https://www.bleepingcomputer.com/news/security/new-pumabot-botnet-brute-forces-ssh-credentials-to-breach-devices/

Traffic Light Protocol (TLP)

Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
