#botnet — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #botnet, aggregated by home.social.
-
Operation Saffron: First VPN dismantled, the criminal service used by 25 ransomware gangs
An international operation coordinated by seven countries seized 33 servers and shut down First VPN, the criminal VPN active since 2014 and favoured by at least 25 ransomware groups. The authorities had covert access to the systems before the takedown and shared 83 intelligence packages on 506 identified users with partner countries.
-
📣🚨 Hackers are exploiting a critical 2018 ASUS router flaw to hijack devices for the #RondoDox botnet. Over 1M routers are exposed online, with attackers abusing unsupported hardware for DDoS attacks.
Read: https://hackread.com/rondodox-botnet-2018-vulnerability-hijack-asus-routers/
-
U.S. and Canadian authorities arrested #JacobButler, a 23-year-old Canadian man, for operating the #KimWolf #DDoS #botnet. Butler, also known as “#Dort,” sold access to a network of compromised devices used in over 25,000 attacks, causing significant financial losses. His arrest follows a previous operation that seized infrastructure used by KimWolf and related botnets. https://www.bleepingcomputer.com/news/security/us-and-canada-arrest-and-charge-suspected-kimwolf-botnet-admin/?eicker.news #tech #media #news
-
If you missed this:
KrebsonSecurity: Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/ @briankrebs #infosec #botnet #IoT #DDoS
-
Canadian authorities arrested alleged KimWolf botnet admin “Dort” in connection with a DDoS-for-hire operation that reportedly infected 1M+ IoT devices and launched 25,000+ attacks.
-
Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...
Pulse ID: 6a0f8f36422c8adb515a9804
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f36422c8adb515a9804
Pulse Author: AlienVault
Created: 2026-05-21 23:03:18
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CryptoMining #CyberCrime #CyberSecurity #Espionage #InfoSec #IoT #Israel #Malware #MalwareAsAService #MiddleEast #Mirai #OTX #OpenThreatExchange #RAT #SaudiArabia #Sliver #Telecom #Telecommunication #UAE #bot #botnet #AlienVault
-
New, from me: Alleged Kimwolf Botmaster 'Dort' Arrested, Charged in U.S. and Canada
Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast-spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher. He now faces criminal hacking charges in both Canada and the United States.
-
Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise
An investigation identified persistent P2Pinfect botnet presence within Google Kubernetes Engine clusters at multiple organizations, with one compromise lasting six months. The intrusions originated from exposed Redis instances that provided initial access. The botnet utilizes a peer-to-peer architecture for resilience against takedowns and operates as a botnet-for-hire platform. While no second-stage payloads were executed in observed cases, the malware has been linked to ransomware and cryptocurrency mining deployment. A new deployment script was discovered, and evidence suggests P2Pinfect has expanded exploitation techniques to include CVE-2025-11953 (Metro4Shell) targeting React vulnerabilities. Possible incorporation of CVE-2025-49844 (RediShell) is speculated. The campaign demonstrates how single misconfigurations enable long-term compromise in cloud environments.
Pulse ID: 6a0e3753562a6e67c9d9aac4
Pulse Link: https://otx.alienvault.com/pulse/6a0e3753562a6e67c9d9aac4
Pulse Author: AlienVault
Created: 2026-05-20 22:36:03
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #Google #InfoSec #Malware #NATO #OTX #OpenThreatExchange #RAT #RansomWare #Redis #bot #botnet #cryptocurrency #AlienVault
-
9 Year-Old PHP Vulnerability Keeps Swinging As One of the Most Targeted Vulnerabilities
CVE-2017-9841, a remote code execution vulnerability in PHPUnit's eval-stdin.php file, remains highly exploited nearly a decade after disclosure. Analysis reveals over 80,000 exploitation attempts detected in 30 days, with 36,500 hits in the last 10 days alone. The vulnerability affects PHPUnit versions prior to 4.8.28 and 5.x before 5.6.3, allowing attackers to execute arbitrary PHP code via POST requests without authentication. Mass-scanning infrastructure targets dozens of framework-specific paths across Laravel, Drupal, Yii, and WordPress installations. Primary attack sources include compromised infrastructure in the UK and US, delivering webshells and botnet payloads. Multiple botnets including RondoDox, Kinsing, KashmirBlack, Sysrv, and Androxgh0st actively exploit this vulnerability. The persistent exploitation stems from developers failing to exclude development dependencies in production environments and exposing vendor directories to web servers.
Pulse ID: 6a0ca36a3571d3fbd4cd92bc
Pulse Link: https://otx.alienvault.com/pulse/6a0ca36a3571d3fbd4cd92bc
Pulse Author: AlienVault
Created: 2026-05-19 17:52:42
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AndroxGh0st #CyberSecurity #InfoSec #Kinsing #OTX #OpenThreatExchange #PHP #RCE #RDP #RemoteCodeExecution #UK #Vulnerability #Word #Wordpress #bot #botnet #developers #AlienVault
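The pulse above notes that scanners probe eval-stdin.php under dozens of framework-specific prefixes, so a detection keyed on one exact path misses most of them. The following is an added example (not from the pulse or its source report) that normalises request paths from Apache/nginx combined-format access logs and matches on the PHPUnit vendor suffix regardless of prefix, reporting per source how many prefixes were tried and whether the script ever answered 200. The log lines and the Laravel/WordPress/Drupal-style prefixes in them are constructed for this example.

```python
"""Detect CVE-2017-9841 (PHPUnit eval-stdin.php) probes in web access logs."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import unquote

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Location of the vulnerable script inside a Composer vendor tree
# (PHPUnit < 4.8.28 and 5.x < 5.6.3). Compared in lower case.
EVAL_STDIN_SUFFIX = "/vendor/phpunit/phpunit/src/util/php/eval-stdin.php"


@dataclass
class ProbeReport:
    requests: int = 0
    post_requests: int = 0          # the exploit needs a POST body, so POSTs matter most
    prefixes: set = field(default_factory=set)  # distinct framework prefixes tried
    served_ok: int = 0              # HTTP 200: the script is reachable and answered


def normalise_path(raw: str) -> str:
    """Drop the query string, percent-decode, collapse '//' and lower-case."""
    path = raw.split("?", 1)[0]
    path = unquote(path)
    while "//" in path:
        path = path.replace("//", "/")
    return path.lower()


def is_eval_stdin_probe(path: str) -> bool:
    """True when the request targets eval-stdin.php under any vendor prefix."""
    return normalise_path(path).endswith(EVAL_STDIN_SUFFIX)


def scan_log(lines):
    """Return {source_ip: ProbeReport} for every source that touched eval-stdin.php."""
    reports = defaultdict(ProbeReport)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_eval_stdin_probe(m["path"]):
            continue
        r = reports[m["ip"]]
        r.requests += 1
        if m["method"] == "POST":
            r.post_requests += 1
        norm = normalise_path(m["path"])
        r.prefixes.add(norm[: -len(EVAL_STDIN_SUFFIX)] or "/")
        if m["status"] == "200":
            r.served_ok += 1
    return dict(reports)


# Constructed sample log lines (documentation-range IPs, made-up prefixes).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/May/2026:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/May/2026:10:01:03 +0000] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/May/2026:10:01:03 +0000] "POST /wp-content/plugins/example/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/May/2026:10:02:10 +0000] "GET /sites/all/libraries/example/vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 404 196 "-" "curl/8.0"',
    '192.0.2.5 - - [19/May/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rep in scan_log(SAMPLE_LOG).items():
        flag = "REACHABLE" if rep.served_ok else "probed"
        print(f"{ip}: {rep.requests} req ({rep.post_requests} POST), "
              f"{len(rep.prefixes)} prefixes, {flag}")
```

A `served_ok` count above zero means a PHPUnit copy is actually exposed under the document root and the vendor directory needs to be removed or denied at the web server, not just the log entries triaged.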
-
Copycat hits another npm package
A Shai-Hulud copycat worm has infected the npm package chalk-tempalte, appearing just five days after the original worm was open-sourced by its creators. The same threat actor also published three additional malicious npm packages containing infostealer code: @deadcode09284814/axios-util, axois-utils, and color-style-utils. These packages collectively received 2,678 weekly downloads and contain various malicious capabilities including credential theft, cryptocurrency wallet exfiltration, cloud configuration harvesting, and DDoS botnet functionality. The malware exfiltrates stolen data to remote command-and-control servers and uploads credentials to GitHub repositories. Researchers indicate the attacker operates from a home computer or local server farm and appears financially motivated, targeting victims' cryptocurrency assets while potentially offering DDoS-as-a-service capabilities.
Pulse ID: 6a0b921d3574a6ef2eca8d47
Pulse Link: https://otx.alienvault.com/pulse/6a0b921d3574a6ef2eca8d47
Pulse Author: AlienVault
Created: 2026-05-18 22:26:37
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #DDoS #DoS #GitHub #InfoSec #InfoStealer #Malware #NPM #OTX #OpenThreatExchange #RAT #RCE #Worm #bot #botnet #cryptocurrency #iOS #AlienVault
-
Kazuar evolves: Secret Blizzard (Turla) turns its long-standing backdoor into a stealthy modular P2P botnet
The Russian group Secret Blizzard (Turla/FSB) has turned the Kazuar malware into a peer-to-peer botnet with three distinct modules (Kernel, Bridge, Worker) and 150 configuration parameters. The new architecture uses a leader-election scheme to minimise traffic to the C2 servers, making detection extremely difficult. Targets: governments, embassies and the defence sector in Europe and Ukraine.
-
Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign
Nexcorium is a multi-architecture Mirai variant exploiting CVE-2024-3721 in TBK DVR devices to build a botnet for distributed denial-of-service attacks. The campaign, attributed to Nexus Team based on custom HTTP headers, uses OS command injection to deliver malware across ARM, MIPS, and x86-64 architectures. The malware implements multiple persistence mechanisms including init configuration, startup scripts, systemd services, and cron jobs. It features XOR-encoded configurations, self-integrity checks, and self-replication capabilities. Attack capabilities include UDP flood, TCP SYN flood, TCP ACK flood, and VSE query flood among others. The botnet spreads through brute-force attacks using default credentials and exploits CVE-2017-17215 targeting Huawei HG532 devices, demonstrating typical IoT-focused botnet characteristics.
Pulse ID: 69e2824d25c0dbc3e1de156b
Pulse Link: https://otx.alienvault.com/pulse/69e2824d25c0dbc3e1de156b
Pulse Author: AlienVault
Created: 2026-04-17 18:56:13
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #ELF #GRIT #HTTP #ICS #InfoSec #IoT #Malware #Mirai #OTX #OpenThreatExchange #RAT #RCE #SMS #TCP #UDP #Vulnerability #bot #botnet #AlienVault
-
No consent dialog. No opt-out UI. Re-installs itself if the user removes it manually
Chrome is now LLM malware
Chrome, on all OSes, silently installs an LLM on your local machine, (like) true authentic malware. It's 2 to 4 GB 4096MB in size, taking up space I'm certain you have reserved for something else.
No consent dialog. No opt-out UI. Re-installs itself if the user removes it manually.
Google transformed Chrome into malware
With billions 109 installations, the climate burden is Massive!
https://www.thatprivacyguy.com/blog/chrome-silent-nano-install/
#Distributed #malware #Alphabet #Google #Chrome #silent #re #install #botnet #LLM #AI #Slop #Enshittification #programming #virus #fucked
-
Honeypot reveals botnet exploiting scriptText to launch DDoS attacks on game servers
Pulse ID: 6a02ae32b11ecc72977b2a1b
Pulse Link: https://otx.alienvault.com/pulse/6a02ae32b11ecc72977b2a1b
Pulse Author: Tr1sa111
Created: 2026-05-12 04:36:02
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DDoS #DoS #HoneyPot #InfoSec #OTX #OpenThreatExchange #bot #botnet #Tr1sa111
-
Honeypot reveals botnet exploiting scriptText to launch DDoS attacks on game servers
Analysts observed attackers exploiting a Jenkins honeypot to deploy a new DDoS botnet targeting video game servers. Leveraging Jenkins scriptText abuse, the threat actors achieved remote code execution by sending malicious Groovy scripts to intentionally misconfigured instances with weak passwords. The multi-platform payload targets both Windows and Linux systems, deploying malware that evades detection through process renaming and daemonization. The botnet supports multiple attack vectors including UDP floods, TCP attacks, HTTP requests, and game-specific techniques targeting Valve Source Engine servers. Infrastructure hosted in Vietnam serves dual purposes for payload distribution and command-and-control communications. The campaign demonstrates continued opportunistic exploitation of internet-facing services, with gaming industry servers being primary targets for distributed denial-of-service attacks.
Pulse ID: 6a0199674dd4cf450633dd32
Pulse Link: https://otx.alienvault.com/pulse/6a0199674dd4cf450633dd32
Pulse Author: AlienVault
Created: 2026-05-11 08:55:03
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #DDoS #DoS #HTTP #HoneyPot #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Password #Passwords #RAT #RCE #RemoteCodeExecution #TCP #UDP #Vietnam #Windows #Word #bot #botnet #AlienVault
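A defender-side illustration of the scriptText abuse described in the pulse above, added here as an example; it is not code from the OTX pulse, from AlienVault or from the Jenkins project. It assumes the Jenkins controller sits behind a web server writing combined-format access logs, that the script console is reachable at the standard /script and /scriptText endpoints (optionally under a context path such as /jenkins), and that the /login path and every log line below are constructed sample data. The detector flags a successful POST to the script console and reports how many 401/403 responses the same source had produced beforehand, which is the weak-password guessing that precedes the Groovy POST in the campaign.

```python
"""Flag Jenkins script-console abuse in web-server access logs (added example).

Assumptions: combined log format; script console at /script and /scriptText
(standard Jenkins endpoints, possibly under a context path); sample lines and
the /login path are constructed for this example.
"""
import re
from collections import Counter

# Combined log format: ip ident user [ts] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A POST to either endpoint runs arbitrary Groovy on the Jenkins controller.
SCRIPT_CONSOLE_PATHS = ("/script", "/scriptText")

# Constructed sample log: five failed logins, then a successful scriptText POST
# from the same source; a GET of the console page by a real user; a rejected
# POST under a context path; and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.9 - - [11/May/2026:08:40:01 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [11/May/2026:08:40:02 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [11/May/2026:08:40:03 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [11/May/2026:08:40:04 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [11/May/2026:08:40:05 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '203.0.113.9 - admin [11/May/2026:08:40:09 +0000] "POST /scriptText HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - dev [11/May/2026:08:41:12 +0000] "GET /script HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [11/May/2026:08:43:30 +0000] "POST /jenkins/scriptText?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so /scriptText?x=1 is matched like /scriptText.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_script_console(path):
    """True for /script or /scriptText at the root or under a context path."""
    return any(path == p or path.endswith(p) for p in SCRIPT_CONSOLE_PATHS)


def analyse(lines, auth_fail_threshold=5):
    """Return (alerts, brute_force_ips).

    alerts: one dict per successful (2xx) POST to the script console, carrying
            the source IP, timestamp, path, authenticated user and the number of
            401/403 responses that source had already received.
    brute_force_ips: sources with at least auth_fail_threshold 401/403 responses.
    Only POSTs are flagged: a GET of /script merely renders the console form.
    """
    alerts = []
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] in (401, 403):
            failures[rec["ip"]] += 1
        if (rec["method"] == "POST" and is_script_console(rec["path"])
                and 200 <= rec["status"] < 300):
            alerts.append({
                "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                "user": rec["user"], "prior_auth_failures": failures[rec["ip"]],
            })
    brute_force_ips = {ip for ip, n in failures.items() if n >= auth_fail_threshold}
    return alerts, brute_force_ips


if __name__ == "__main__":
    found, guessing = analyse(SAMPLE_LOG)
    for a in found:
        print(f"script console POST from {a['ip']} as {a['user']} at {a['ts']} "
              f"({a['prior_auth_failures']} prior auth failures)")
    print("password-guessing sources:", sorted(guessing))
```

On the sample the detector raises exactly one alert, for the 08:40:09 POST to /scriptText from 203.0.113.9 with five prior authentication failures, and lists that same source as a password-guessing origin; the GET of /script and the 403 POST under /jenkins are ignored, and the unparseable line is skipped rather than crashing the run.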
-