< ciso
brief />
Tag Banner

All news with #botnet tag

126 articles · page 5 of 7

Weekly Cyber Recap: React2Shell, AI IDE Flaws, DDoS

🛡️ This week's bulletin spotlights a critical React Server Components flaw, CVE-2025-55182 (React2Shell), that was widely exploited within hours of disclosure, triggering emergency mitigations. Researchers also disclosed 30+ vulnerabilities in AI-integrated IDEs (IDEsaster), while Cloudflare mitigated a record 29.7 Tbps DDoS attributed to the AISURU botnet. Additional activity includes espionage backdoors (BRICKSTORM), fake banking apps distributing Android RATs in Southeast Asia, USB-based miner campaigns, and new stealers and packer services. Defenders are urged to prioritize patching, monitor telemetry, and accelerate threat intelligence sharing.
read more →

Cloudflare Mitigates Record 29.7 Tbps DDoS by AISURU

🚨 Cloudflare reported it detected and mitigated a record 29.7 Tbps distributed denial-of-service attack attributed to the AISURU botnet. The UDP "carpet-bombing" assault, which randomized packet attributes and targeted an average of 15,000 destination ports per second, lasted 69 seconds. Cloudflare also mitigated a 14.1 Bpps event and said AISURU may comprise 1–4 million infected hosts, while blocking thousands of related hyper-volumetric attacks and noting significant quarterly increases in DDoS activity.
read more →

Aisuru botnet behind record 29.7 Tbps DDoS attack impact

⚠️ In three months the Aisuru botnet has been linked to more than 1,300 DDoS attacks, including a record peak of 29.7 Tbps in Q3 2025 that Cloudflare mitigated. The botnet, offered as a rental service, leverages an estimated 1–4 million compromised routers and IoT devices exploited via known vulnerabilities and weak credentials. The record incident lasted 69 seconds and used UDP carpet‑bombing across roughly 15,000 destination ports per second; Cloudflare reports a sharp rise in hyper‑volumetric attacks that can disrupt ISPs and critical services.
read more →

Free GreyNoise IP Check to Detect Botnet Participation

🛡 GreyNoise Labs provides a free online IP-check tool that helps users determine whether their home or family public IP has been observed performing malicious scanning or appears in GreyNoise's dataset. The GreyNoise IP Check returns one of three outcomes: clean, suspicious/malicious activity, or traffic consistent with VPN, corporate, or cloud environments, and shows a 90-day activity history when correlations exist. For advanced users, an unauthenticated, rate‑limit‑free JSON API accessible via curl supplies structured data for integration into MDMs, VPN scripts, or network onboarding.
read more →

GreyNoise launches free IP scanner to detect botnet

🔍 GreyNoise Labs has launched GreyNoise IP Check, a free scanner that lets users determine whether an IP address has been observed performing malicious scanning activity, including botnets and residential proxy traffic. The web tool returns one of three statuses — Clean, Malicious/Suspicious, or Common Business Service — and, when applicable, provides a 90-day activity timeline to help pinpoint potential infection points. A rate-limit-free JSON API is available for integration, and GreyNoise recommends conducting malware scans, updating device firmware, securing router credentials, and disabling unneeded remote access when an IP appears suspicious.
read more →

ThreatsDay: AI Malware, Voice Scam Flaws, and IoT Botnets

🔍 This week's briefing highlights resurgent Mirai variants, AI-enabled malware, and large-scale social engineering and laundering operations. Security vendors reported ShadowV2 and RondoDox infecting IoT devices, while researchers uncovered the QuietEnvelope mail-server backdoors and a Retell AI API flaw enabling automated deepfake calls. Regulators and vendors are pushing fixes, bans, and protocol upgrades as defenders race to close gaps.
read more →

ShadowV2 Mirai Botnet Tested During AWS Outage Activity

⚠️ Fortinet’s FortiGuard Labs identified a Mirai-based botnet called ShadowV2 that exploited known vulnerabilities in routers and other IoT devices from D-Link, TP-Link, DD-WRT and others during a major AWS outage, appearing active only for the outage window and possibly a test run. The malware is delivered via a downloader (binary.sh) that fetches payloads from 81[.]88[.]18[.]108 and uses XOR-encoded configuration and Mirai-style strings. ShadowV2 supports UDP, TCP and HTTP DDoS floods and receives commands from a C2 at 198[.]199[.]72[.]27. Fortinet published IoCs and emphasizes keeping firmware updated, noting many affected models are end-of-life and will not be patched.
read more →

ShadowV2 IoT Botnet Exploits Multiple Device Flaws

⚠️ FortiGuard Labs observed a Mirai-derived botnet named ShadowV2 actively exploiting multiple known IoT firmware vulnerabilities to deliver a downloader and ELF payloads that enable remote takeover and DDoS operations. The activity, detected during a late‑October global AWS connectivity disruption, targeted a wide range of devices including D-Link, TP‑Link, DD‑WRT variants and DVR systems. ShadowV2 decodes a XOR-encoded configuration (key 0x22), contacts a hardcoded C2 (silverpath.shadowstresser.info / 81.88.18.108), and supports UDP, TCP and HTTP flood methods. Fortinet provides AV detections, IPS signatures for the exploited CVEs, and recommends firmware updates, network hardening, and continuous monitoring.
read more →

Superbox Android TV Boxes Found Relaying Malicious Traffic

⚠️ Superbox media streaming boxes sold through retailers like BestBuy and Walmart have been found running intrusive, unofficial apps that can enlist buyers' Internet connections into distributed residential proxy networks and botnets. Censys researchers observed devices phoning home to Tencent QQ and a proxy service called Grass IO, and installing tools such as tcpdump and netcat while performing DNS hijacking and ARP spoofing. The boxes require removing Google Play and installing a third-party app store, increasing the risk of unauthorized relays, advertising fraud, and account takeovers. Consumers are advised to avoid uncertified Android TV devices and follow FBI and EFF guidance on suspicious app marketplaces.
read more →

Operation Endgame 3.0 Disrupts Rhadamanthys Infostealer

🔒Operation Endgame 3.0, coordinated by Europol with over 30 national and private partners, dismantled more than 1,000 servers and seized 20 domains tied to the Rhadamanthys infostealer, VenomRAT and the Elysium botnet. Authorities say the disrupted infrastructure harboured hundreds of thousands of infected computers and millions of stolen credentials, with the Rhadamanthys operator allegedly accessing over 100,000 crypto wallets. The action included 11 searches and at least one arrest; users are advised to check accounts via national breach-check services or HaveIBeenPwned and to maintain strong defences as criminals can rebuild.
read more →

ShadowRay 2.0 Worm Uses Ray Flaw to Build Global Botnet

🪲 Oligo Security warns of an active campaign, codenamed ShadowRay 2.0, that exploits a two-year-old authentication flaw in the Ray AI framework (CVE-2023-48022, CVSS 9.8) to convert exposed clusters with NVIDIA GPUs into a self-replicating cryptomining botnet using XMRig. Operators submit malicious jobs to the unauthenticated Job Submission API (/api/jobs/), stage payloads on GitLab and GitHub, and abuse Ray’s orchestration to pivot laterally, establish persistence via cron jobs, and propagate to other dashboards. Oligo recommends restricting access, enabling authentication on the Ray Dashboard (default port 8265) and using Anyscale’s Ray Open Ports Checker plus firewall rules to reduce accidental exposure.
read more →

Tsundere Botnet Expands Using Game Lures and Node.js

🛡️ Kaspersky researcher Lisandro Ubiedo details an expanding Windows-focused botnet named Tsundere that retrieves and executes arbitrary JavaScript from remote command-and-control servers. The threat, active since mid‑2025, has been distributed via fake MSI installers and PowerShell scripts that deploy Node.js, install dependencies (ws, ethers, and pm2) and establish persistence. Operators fetch WebSocket C2 addresses from an Ethereum smart contract to rotate infrastructure, while a control panel enables artifact building, bot management, proxying, and an on-platform marketplace.
read more →

ShadowRay 2.0 Converts Exposed Ray Clusters to Miners

⚠ A global campaign named ShadowRay 2.0 is exploiting an unpatched code-execution flaw (CVE-2023-48022) in Ray clusters to deploy a self-propagating cryptomining botnet. Researchers at Oligo attribute the activity to an actor tracked as IronErn440, which uses AI-generated payloads submitted to Ray’s unauthenticated Jobs API. The malware deploys XMRig to mine Monero, establishes persistence via cron and systemd, and opens reverse shells for interactive control. Operators also throttle CPU use and conceal miners with deceptive names to evade detection.
read more →

Azure Mitigates Record 15.72 Tbps DDoS from IoT Botnet

🛡️ Microsoft Azure said it blocked a record 15.72 Tbps DDoS attack tied to the Aisuru IoT botnet that surged to roughly 3.64 billion packets per second and targeted a single cloud endpoint in Australia. The attacker launched extremely high-rate UDP floods from over 500,000 source IPs with minimal spoofing and random source ports. Azure DDoS Protection automatically detected and mitigated the traffic without disrupting customer workloads, and Microsoft urged organizations to validate internet-facing protections ahead of peak periods, noting systemic IoT security gaps.
read more →

Microsoft Mitigates 15.72 Tbps IoT-Driven DDoS Attack

🛡 Microsoft automatically detected and mitigated a massive DDoS attack that peaked at 15.72 Tbps and roughly 3.64 billion packets per second against a single Australian endpoint. The traffic was attributed to a TurboMirai-class IoT botnet called AISURU, sourced from hundreds of thousands of compromised routers, cameras, and DVRs and launched from over 500,000 source IPs across multiple regions. Attackers used high-rate UDP floods with minimal source spoofing and random source ports, factors Microsoft said helped simplify traceback and provider enforcement. The incident underscores rising DDoS baselines as broadband speeds increase and IoT devices become more capable.
read more →

RondoDox Botnet Exploits Critical XWiki RCE (CVE-2025-24893)

⚠️ RondoDox operators are exploiting a critical remote code execution flaw in XWiki Platform (CVE-2025-24893), which CISA flagged as actively exploited on October 30. VulnCheck observed attacks beginning November 3 that inject base64-encoded Groovy into the XWiki SolrSearch endpoint via a crafted HTTP GET to download and run a remote shell (rondo..sh) that stages the main payload. Administrators should upgrade to 15.10.11 or 16.4.1, apply network controls, and use published IoCs to block scanning and payload hosts.
read more →

Aisuru Botnet Fires 15.72 Tbps DDoS at Microsoft Azure

⚠️ Microsoft reported that the Aisuru botnet launched a massive DDoS attack against a public Azure IP in Australia, peaking at 15.72 Tbps and nearly 3.64 billion packets per second. The traffic originated from over 500,000 IP addresses and consisted of extremely high-rate UDP floods with minimal source spoofing. Microsoft noted the bursts used random source ports, which aided traceback and provider enforcement. Azure's mitigations absorbed the attack without a reported widespread outage.
read more →

RondoDox Exploits XWiki Flaw to Rapidly Expand Botnet

⚠️ RondoDox has been observed exploiting unpatched XWiki instances to weaponize a critical eval injection, CVE-2025-24893, enabling arbitrary remote code execution via the /bin/get/Main/SolrSearch endpoint. The flaw was patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1 in late February 2025, but scanning and exploitation surged in November, including botnet-driven DDoS and cryptocurrency miner deployments. Security vendors noted spikes in activity on November 7 and November 11 and observed RondoDox adding this vector on November 3, 2025. Administrators should apply vendor patches immediately and review logs and network traffic for indicators of compromise.
read more →

Operation Endgame 3.0 Disrupts Three Major Malware Networks

🔒 Operation Endgame 3.0 targeted and dismantled infrastructure supporting three prominent malware families — Rhadamanthys, VenomRAT and the Elysium botnet — in coordinated actions carried out between 10 and 13 November. Authorities disrupted or seized more than 1,025 servers and 20 domains, searched 11 locations across multiple countries and arrested a suspected VenomRAT operator in Greece. The initiative was led by Europol with Eurojust, national law enforcement partners and over 30 private cybersecurity organizations.
read more →

Operation Endgame Disrupts Multiple Malware Networks

🛡️ A coordinated law enforcement operation led by Europol and Eurojust between November 10–13, 2025 disrupted major malware infrastructures, including Rhadamanthys Stealer, Venom RAT, and an Elysium botnet. Authorities seized 20 domains, took down more than 1,025 servers and arrested a primary suspect in Greece on November 3. Europol said the dismantled networks encompassed hundreds of thousands of infected machines and several million stolen credentials, and that the infostealer operator had access to roughly 100,000 cryptocurrency wallets.
read more →