
All news with #ddos tag

122 articles · page 3 of 7

Hybrid Middle East Conflict Sparks Global Cyber Surge

🌐 A sharp escalation in the Middle East has entered a hybrid phase combining military strikes with large-scale cyber operations following joint Israeli–US strikes on Iran on 28 February 2026. CloudSek reported a sweeping cyber campaign that reduced Iran's internet to roughly 4% of normal capacity, disrupting government services, media and parts of energy and aviation. Security firm Halcyon warns of rising DDoS, hacktivist and ransomware activity and urges organisations to increase monitoring, enforce multi-factor authentication and maintain offline backups against supply-chain and regional spillover risks.

Iran's Cyber Capabilities: What Defenders Should Know

🔍 Iran’s cyber ecosystem combines state-aligned clusters, deniable operators, and hacktivists linked to IRGC and MOIS. These actors pursue espionage, disruption and destructive operations—DDoS, pseudo-ransomware, and wipers—often paired with information operations and coordinated amplification. Activity is intensifying amid the current crisis and is expected to broaden across the Middle East, the United States, and other regions.

Aeternum Botnet Shifts C2 to Polygon Blockchain Control

⛓️ A newly discovered loader named Aeternum relocates botnet command-and-control onto the Polygon blockchain, researchers at Qrator Research Lab report. Infected machines retrieve instructions written as on-chain transactions and poll more than 50 RPC endpoints instead of contacting centralized servers or domains. The seller offers native C++ builds and a web dashboard that writes commands to smart contracts, creating a low-cost, resilient C2 channel that complicates traditional takedowns and shifts defensive emphasis to edge filtering and proactive DDoS mitigation.

Smashing Security Podcast 456: DDoS, Ransomware Fails

🛡️ In episode 456 of Smashing Security, Graham Cluley and guest Paul Ducklin examine allegations that an internet archiving service operator weaponised its own CAPTCHA to DDoS a Finnish blogger, tampered with archive content to smear them, and issued bizarre threats about AI-generated pornography. The hosts also cover a ransomware crew that accidentally corrupted victims' decryption keys, rendering extortion efforts ineffective. The episode closes with a calm Pick of the Week and a furious rant about web forms.

Spain Arrests Suspected Anonymous Fénix Hacktivists

🔒 Spanish authorities arrested four alleged members of the hacktivist group Anonymous Fénix for a series of distributed denial-of-service (DDoS) attacks that targeted government ministries, political parties, and public institutions. The Spanish Civil Guard said the group first struck in April 2023 and intensified activity after severe floods in Valencia in late October 2024, using X and Telegram for recruitment and propaganda. Courts ordered seizure of the group's X and YouTube accounts and closure of its Telegram channel following the arrests.

Weekly Recap: Double-Tap Skimmers, AI Malware, 30Tbps DDoS

🛡️ This weekly recap highlights high‑impact incidents and emerging trends across devices, cloud services, and supply chains. Key items include a Dell RecoverPoint zero‑day (CVE‑2026‑22769) actively exploited to install web shells and backdoors and PromptSpy, an Android malware that leverages Google Gemini and accessibility services for persistence. The report also calls out a near‑30 Tbps DDoS surge, malicious Docker Hub images, and deceptive "double‑tap" skimmers targeting e‑commerce. Review the prioritized CVEs and advisories and map mitigations to your environment.

DDoS Attacks Surge in Frequency and Potency: 2025 Rise

⚠️ The Radware 2026 Global Threat Analysis Report warns of a dramatic escalation in DDoS activity during 2025, recording a 168% year-over-year increase. On average, a Radware customer faced more than 25,351 attempted attacks (about 139 per day). Technology, telecommunications and financial services were hardest hit, with the technology sector accounting for 45% of network-layer attacks. Researchers note attacks are faster, stronger and increasingly coordinated by hacktivist ecosystems, and advise organisations to adopt proactive, pre-emptive defence measures.

Cyberattack Disrupts Deutsche Bahn Information Systems

🚨 Deutsche Bahn reported that its information and booking services, including the DB Navigator app and the bahn.de website, were disrupted by a cyberattack. The operator characterized the incident as a DDoS attack that produced intermittent outages starting Tuesday afternoon and recurring on Wednesday morning. Services were restored to a "largely stable" state after defensive measures, though temporary restrictions persisted and the company provided no details about possible perpetrators or motives. Deutsche Bahn said the measures taken helped keep customer impact as low as possible.

UK Cyber Threat Shifts from Ransomware to Disruption

🔍 In 2025 the UK became the most targeted country in Europe, and the nature of attacks shifted dramatically. Where ransomware once dominated, attackers prioritized disruption over monetization, altering both tactics and intent. Many organizations that had hardened defenses against extortion found those assumptions outdated and their exposure increased. Detection, response and business-continuity strategies must be reevaluated.

Weekly Cyber Recap: AI Skill Risks and Massive DDoS

🔐 This week's briefing highlights attackers abusing trust across AI agents, update channels, and developer ecosystems. OpenClaw announced a partnership with VirusTotal to scan ClawHub skills after researchers discovered malicious packages and explosive typosquatting growth. High‑impact incidents include a 31.4 Tbps AISURU DDoS, a Notepad++ updater compromise delivering the Chrysalis backdoor, and an RCE in Docker's Ask Gordon AI assistant. Security teams should prioritize update integrity, supply‑chain controls, and agentic AI hygiene.

AISURU/Kimwolf Botnet Launches Record 31.4 Tbps DDoS

🚨 Cloudflare attributed a record hyper‑volumetric HTTP DDoS to the AISURU/Kimwolf botnet that peaked at 31.4 Tbps and lasted 35 seconds in November 2025. The group was also linked to a campaign codenamed The Night Before Christmas, which began on December 19, 2025, and produced averages near 3 Bpps, 4 Tbps and 54 Mrps. Google and Cloudflare disrupted the IPIDEA residential proxy network used to recruit more than 2 million Android devices.

2025 Q4 DDoS Report: Record 31.4 Tbps Attack and Botnet

🛡️ Cloudflare's 24th Quarterly DDoS Threat Report documents a record-setting 2025 capped by a 31.4 Tbps attack and a late-December campaign from the Aisuru-Kimwolf botnet. The firm observed a 121% year-over-year surge in DDoS activity, averaging 5,376 mitigations per hour and a tripling of network-layer assaults to 34.4 million. Hyper-volumetric HTTP floods—largely from infected Android TVs—peaked above 200 Mrps and targeted telcos, gaming, and AI providers, while Cloudflare's autonomous defenses automatically detected and mitigated these incidents.

Three Disruptive Cyber Trends Impacting Financial Services

🔍 The financial sector saw cyber incidents more than double in 2025 (864 → 1,858), driven by three dominant trends: surging DDoS campaigns, a sharp rise in data breaches and leaks, and the commercialization of cybercrime-as-a-service. These threats exploited weaknesses in cloud security, identity governance, and third-party risk. Banks and fintechs must accelerate adoption of layered defenses, continuous monitoring, and stronger vendor controls to maintain resilience.

Scattered Lapsus Shiny Hunters: Extortion Tactics Exposed

🔒 A prolific English-language extortion gang calling itself Scattered Lapsus Shiny Hunters (SLSH) combines data theft with coordinated harassment — swatting, DDoS, and call- and email-flooding — to pressure victims into paying. Allison Nixon of Unit 221B and forensic analysis from Mandiant trace recent incidents to early–mid January 2026, when attackers used phone-based phishing to harvest SSO and MFA codes. Nixon warns SLSH is fractious and untrustworthy, and advises organizations that negotiating beyond a firm refusal generally escalates harm and provides attackers information useful for later fraud.

Weekly Cyber Recap: Proxy Botnet and Office Zero‑Day

🛡️ Google disrupted the IPIDEA residential proxy network by seizing or sinkholing command-and-control domains, cutting operators' ability to route traffic and reducing millions of exit nodes that had been recruited via bundled SDKs or monetization lures. Microsoft released an out‑of‑band patch for an actively exploited Office zero‑day (CVE-2026-21509), while Ivanti fixed two EPMM RCEs. CERT Polska attributed destructive intrusions against Polish energy assets to Static Tundra, and criminals were observed hijacking exposed LLM endpoints for resale and lateral access. Researchers also documented new modular frameworks, open BYOB C2 repositories, and continued exploitation of web platforms and DevOps tooling.

Google Disrupts IPIDEA Residential Proxy Network at Scale

🔒 Google Threat Intelligence Group, working with industry partners, disrupted the IPIDEA residential proxy network by taking down domains, infected-device management systems, and proxy-traffic routing infrastructure. The operation targeted SDKs embedded in at least 600 trojanized Android apps and over 3,000 malicious Windows binaries, which collectively enrolled about 6.7 million devices worldwide. GTIG reported that more than 550 distinct threat groups abused IPIDEA for account takeovers, credential theft, botnet control, and DDoS support; users should avoid untrusted VPNs and apps that pay for bandwidth.

Aisuru Botnet Launches Record 31.4 Tbps DDoS Attack

🔴 Cloudflare says the Aisuru/Kimwolf botnet launched a record DDoS campaign on December 19 that peaked at 31.4 Tbps and about 200 million requests per second. The attacks, dubbed The Night Before Christmas, targeted telecommunications and IT providers and hit Cloudflare’s dashboard and infrastructure. Sources were identified as compromised Android TVs rather than typical IoT routers, and most bursts lasted one to two minutes. Cloudflare reports the attacks were detected and mitigated automatically without triggering internal alerts.

Selective Decryption for Scalable Encrypted DDoS Defense

🔒 Encrypted internet traffic and TLS 1.3 are now the norm, creating inspection blind spots that threat actors exploit to hide DDoS attacks. NETSCOUT’s Arbor Edge Defense (AED) is presented as a selective-decryption, edge-deployed solution that prioritizes blocking suspicious encrypted sessions and decrypts only when validation or deeper analysis is needed. By combining handshake inspection, rate and connection controls, and targeted decryption, AED aims to preserve capacity while improving detection and mitigation of encrypted threats.

NCSC Warns of Pro-Russian DDoS Targeting UK Services

⚠️ The UK's National Cyber Security Centre (NCSC) warns that pro‑Russian hacktivist groups are conducting distributed denial-of-service (DDoS) attacks against British organisations, particularly local government and critical infrastructure operators. These attacks are typically low in technical sophistication but can still deny access, disrupt services and impose substantial recovery costs. The NCSC advises organisations and OT owners to review and harden defences, work with ISPs and CDNs, design scalable services, retain administrative access during incidents, and regularly test mitigations.

Kimwolf IoT Botnet Infects Corporate and Government Networks

🚨 A new IoT botnet, Kimwolf, has infected more than two million devices and is being used for large-scale DDoS and to relay abusive traffic. Operators abuse commercial residential proxy services—most prominently IPIDEA—to reach proxy endpoints and scan local networks, enabling lateral infections of vulnerable devices, particularly unofficial Android TV boxes. Some proxy providers have begun blocking Kimwolf-related traffic, but millions of infected endpoints remain within corporate and government networks.