#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

botnet | Breaking Cybersecurity News | The Hacker News

Category — botnet
Samsung Patches CVE-2025-4632 Used to Deploy Mirai Botnet via MagicINFO 9 Exploit

Samsung Patches CVE-2025-4632 Used to Deploy Mirai Botnet via MagicINFO 9 Exploit

May 14, 2025 Vulnerability / Malware
Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw. "Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary files as system authority," according to an advisory for the flaw. It's worth noting that CVE-2025-4632 is a patch bypass for CVE-2024-7399, another path traversal flaw in the same product that was patched by Samsung in August 2024. CVE-2025-4632 has since been exploited in the wild shortly after the release of a proof-of-concept (PoC) by SSD Disclosure on April 30, 2025, in some instances to even deploy the Mirai botnet. While it was initially assumed that the attacks were targeting CVE-2024-7399, cybersecurity company Huntress first revealed the existenc...
BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation

BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation

May 09, 2025 IoT Security / Network Security
A joint law enforcement operation undertaken by Dutch and U.S. authorities has dismantled a criminal proxy network that's powered by thousands of infected Internet of Things (IoT) and end-of-life (EoL) devices, enlisting them into a botnet for providing anonymity to malicious actors. In conjunction with the domain seizure, Russian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr Aleksandrovich Shishkin, 36, and Dmitriy Rubtsov, 38, a Kazakhstani national, have been charged by the U.S. Department of Justice (DoJ) for operating, maintaining, and profiting from the proxy services. The DoJ noted that users paid a monthly subscription fee, ranging from $9.95 to $110 per month, netting the threat actors more than $46 million by selling access to the infected routers. The service is believed to have been available since 2004.
Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks

Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks

May 07, 2025 Dark Web / Cybercrime
Europol has announced the takedown of distributed denial of service (DDoS)-for-hire services that were used to launch thousands of cyber-attacks across the world. In connection with the operation, Polish authorities have arrested four individuals aged between 19 and 22 and the United States has seized nine domains that are associated with the now-defunct platforms. "The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10," Europol said in a statement. The services, named cfxapi, cfxsecurity, neostress, jetstress, quickdown and zapcut, are said to have been instrumental in launching widespread attacks on schools, government services, businesses, and gaming platforms between 2022 and 2025.  Europol said the platforms offered "slick user interfaces," enabling malicious actors with little to no technical expertis...
cyber security

New Webinar: Defend Against Scattered Spider's Latest TTPs for 2025

websitePush SecurityThreat Intelligence / Cyber Attack
Learn about Scattered Spider's latest identity attack techniques and how to defend your organization.
cyber security

Get Proactive About Protecting Your Digital Identity 

websiteVeeam SoftwareData Security / Microsoft Entra ID
Security threats are just one reason you need to protect Microsoft Entra ID data. Learn all 6 reasons today.
Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet

Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet

May 06, 2025 Internet of Thing / Vulnerability
Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command injection flaws ( CVE-2024-6047 and CVE-2024-11120 , CVSS scores: 9.8) that could be used to execute arbitrary system commands. "The exploit targets the /DateSetting.cgi endpoint in GeoVision IoT devices, and injects commands into the szSrvIpAddr parameter," Akamai researcher Kyle Lefton said in a report shared with The Hacker News. In the attacks detected by the web security and infrastructure company, the botnet has been found injecting commands to download and execute an ARM version of the Mirai malware called LZRD . Some of the vulnerabilities exploited by the botnet includ...
⚡ Weekly Recap: Critical SAP Exploit, AI-Powered Phishing, Major Breaches, New CVEs & More

⚡ Weekly Recap: Critical SAP Exploit, AI-Powered Phishing, Major Breaches, New CVEs & More

Apr 28, 2025 Cybersecurity / Hacking News
What happens when cybercriminals no longer need deep skills to breach your defenses? Today's attackers are armed with powerful tools that do the heavy lifting — from AI-powered phishing kits to large botnets ready to strike. And they're not just after big corporations. Anyone can be a target when fake identities, hijacked infrastructure, and insider tricks are used to slip past security unnoticed. This week's threats are a reminder: waiting to react is no longer an option. Every delay gives attackers more ground. ⚡ Threat of the Week Critical SAP NetWeaver Flaw Exploited as 0-Day — A critical security flaw in SAP NetWeaver (CVE-2025-31324, CVSS score: 10.0) has been exploited by unknown threat actors to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution. The attacks have also been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven's Gate to bypass endpoint protections. ...
Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals

Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals

Apr 22, 2025 IoT Security / Malware
Cybersecurity researchers have detailed a malware campaign that's targeting Docker environments with a previously undocumented technique to mine cryptocurrency. The activity cluster, per Darktrace and Cado Security , represents a shift from other cryptojacking campaigns that directly deploy miners like XMRig to illicitly profit off the compute resources. This involves deploying a malware strain that connects to a nascent Web3 service called Teneo, a decentralized physical infrastructure network (DePIN) that allows users to monetize public social media data by running a Community Node in exchange for rewards called Teneo Points , which can be converted into $TENEO Tokens. The node essentially functions as a distributed social media scraper to extract posts from Facebook, X, Reddit, and TikTok. An analysis of artifacts gathered from Darktrace's honeypots has revealed that the attack starts with a request to launch a container image " kazutod/tene:ten " from the ...
Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT

Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT

Apr 18, 2025 IoT Security / Malware
Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS , with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States. "From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis.  "This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots." Nearly 42 percent of the compromised devices are located in the United States, followed by Japan, Canada, Denmark, Italy, Morocco, and China. XorDDoS is a well-known malware that has a track record of striking Linux systems for over a decade. In May 2022...
Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers

Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers

Apr 02, 2025 Cryptojacking / Malware
Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials. "Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis published Tuesday. Outlaw is also the name given to the threat actors behind the malware. It's believed to be of Romanian origin. Other hacking groups dominating the cryptojacking landscape include 8220, Keksec (aka Kek Security), Kinsing, and TeamTNT. Active since at least late 2018 , the hacking crew has brute-forced SSH servers , abusing the foothold to conduct reconnaissance and maintain persistence on the compromised hosts by adding their own SSH keys to the "authorized_keys" file. The attackers are also known to incorporate a multi-stage infection ...
Researchers Uncover ~200 Unique C2 Domains Linked to Raspberry Robin Access Broker

Researchers Uncover ~200 Unique C2 Domains Linked to Raspberry Robin Access Broker

Mar 25, 2025 Threat Intelligence / Malware
A new investigation has unearthed nearly 200 unique command-and-control (C2) domains associated with a malware called Raspberry Robin . "Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia," Silent Push said in a report shared with The Hacker News. Since its emergence in 2019, the malware has become a conduit for various malicious strains like SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. It's also referred to as QNAP worm owing to the use of compromised QNAP devices to retrieve the payload. Over the years, Raspberry Robin attack chains have added a new distribution method that involves downloading it via archives and Windows Script Files sent as attachments using the messaging service Discord, not to mention acquiring one-day exploits to achieve local privilege escalation before they we...
BADBOX 2.0 Botnet Infects 1 Million Android Devices for Ad Fraud and Proxy Abuse

BADBOX 2.0 Botnet Infects 1 Million Android Devices for Ad Fraud and Proxy Abuse

Mar 18, 2025 Cyber Attack / Malware
At least four different threat actors have been identified as involved in an updated version of a massive ad fraud and residential proxy scheme called BADBOX , painting a picture of an interconnected cybercrime ecosystem. This includes SalesTracker Group, MoYu Group, Lemon Group, and LongTV, according to new findings from the HUMAN Satori Threat Intelligence and Research team, published in collaboration with Google, Trend Micro, Shadowserver, and other partners. The "complex and expansive fraud operation" has been codenamed BADBOX 2.0. It has been described as the largest botnet of infected connected TV (CTV) devices ever uncovered. "BADBOX 2.0, like its predecessor, begins with backdoors on low-cost consumer devices that enable threat actors to load fraud modules remotely," the company said . "These devices communicate with command-and-control (C2) servers owned and operated by a series of distinct but cooperative threat actors." The threat actors ar...
Unpatched Edimax Camera Flaw Exploited for Mirai Botnet Attacks Since Last Year

Unpatched Edimax Camera Flaw Exploited for Mirai Botnet Attacks Since Last Year

Mar 17, 2025 Botnet / Vulnerability
An unpatched security flaw impacting the Edimax IC-7100 network camera is being exploited by threat actors to deliver Mirat botnet malware variants since at least May 2024. The vulnerability in question is CVE-2025-1316 (CVSS v4 score: 9.3), a critical operating system command injection flaw that an attacker could exploit to achieve remote code execution on susceptible devices by means of a specially crafted request. Web infrastructure and security company Akamai said the earliest exploit attempt targeting the flaw dates back to May 2024, although a proof-of-concept (PoC) exploit has been publicly available since June 2023. "The exploit targets the /camera-cgi/admin/param.cgi endpoint in Edimax devices, and injects commands into the NTP_serverName option as part of the ipcamSource option of param.cgi," Akamai researchers Kyle Lefton and Larry Cashdollar said . While weaponizing the endpoint requires authentication, it has been found that the exploitation attempts are...
New MassJacker Malware Targets Piracy Users, Hijacking Cryptocurrency Transactions

New MassJacker Malware Targets Piracy Users, Hijacking Cryptocurrency Transactions

Mar 14, 2025 Software Security / Cybercrime
Users searching for pirated software are the target of a new malware campaign that delivers a previously undocumented clipper malware called MassJacker, according to findings from CyberArk. Clipper malware is a type of cryware (as coined by Microsoft) that's designed to monitor a victim's clipboard content and facilitate cryptocurrency theft by substituting copied cryptocurrency wallet addresses with an attacker-controlled one so as to reroute them to the adversary instead of the intended target. "The infection chain begins at a site called pesktop[.]com," security researcher Ari Novick said in an analysis published earlier this week. "This site, which presents itself as a site to get pirated software, also tries to get people to download all sorts of malware." The initial executable acts as a conduit to run a PowerShell script that delivers a botnet malware named Amadey , as well as two other .NET binaries, each compiled for 32- and 64-bit architect...
Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Targets Over 6,000 Devices

Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Targets Over 6,000 Devices

Mar 11, 2025 Network Security / Vulnerability
Unpatched TP-Link Archer routers have become the target of a new botnet campaign dubbed Ballista, according to new findings from the Cato CTRL team. "The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet," security researchers Ofek Vardi and Matan Mittelman said in a technical report shared with The Hacker News. CVE-2023-1389 is a high-severity security flaw impacting TP-Link Archer AX-21 routers that could lead to command injection, which could then pave the way for remote code execution. The earliest evidence of active exploitation of the flaw dates back to April 2023, with unidentified threat actors using it to drop Mirai botnet malware. Since then, it has also been abused to propagate other malware families like Condi and AndroxGh0st . Cato CTRL said it detected the Ballista campaign on January 10, 2025. The most recent exploitation attempt was recorded on Februa...
Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

Mar 04, 2025 Cyber Attack / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2023-20118 (CVSS score: 6.5) - A command injection vulnerability in the web-based management interface of Cisco Small Business RV Series routers that allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data (Unpatched due to the routers reaching end-of-life status) CVE-2022-43939 (CVSS score: 8.6) - An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server that stems from the use of non-canonical URL paths for authorization decisions (Fixed in August 2024 with versions 9.3.0.2 and 9.4.0.1) CVE-2022-43769 (CVSS score: 8.8) - A special element injection vulnerability in Hitachi Vantara...
Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries

Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries

Mar 03, 2025 Mobile Security / Botnet
Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d . The improved variant of Vo1d has been found to encompass 800,000 daily active IP addresses, with the botnet scaling a peak of 1,590,299 on January 19, 2025, spanning 226 countries and regions. As of February 25, 2025, India has experienced a notable surge in infection rate, increasing from less than 1% (3,901) to 18.17% (217,771).  "Vo1d has evolved to enhance its stealth, resilience, and anti-detection capabilities," QiAnXin XLab said . "RSA encryption secures network communication, preventing [command-and-control] takeover even if [the Domain Generation Algorithm] domains are registered by researchers. Each payload uses a unique Downloader, with XXTEA encryption and RSA-protected keys, making analysis harder." The malware was first documented by Doctor Web in September 2024 as affecting Androi...
PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices

PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices

Feb 27, 2025 Vulnerability / Network Security
A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP, and Synology to rope them into a botnet named PolarEdge since at least the end of 2023. French cybersecurity company Sekoia said it observed the unknown threat actors deploying a backdoor by leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers that could result in arbitrary command execution on susceptible devices. The vulnerability remains unpatched due to the routers reaching end-of-life (EoL) status. As workarounds, Cisco recommended in early 2023 that the flaw can be mitigated by disabling remote management and blocking access to ports 443 and 60443. In the attack registered against Sekoia's honeypots, the vulnerability is said to have been used to deliver a previously undocumented implant, a TLS backdoor that incorporates the ability to listen for incoming client connections and execu...
New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks

New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks

Jan 30, 2025 Vulnerability / IoT Security
A Mirai botnet variant dubbed Aquabot has been observed actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks. The vulnerability in question is CVE-2024-41710 (CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor to execute arbitrary commands within the context of the phone. It affects Mitel 6800 Series, 6900 Series, 6900w Series SIP Phones, and Mitel 6970 Conference Unit. It was addressed by Mitel in mid-July 2024. A proof-of-concept (PoC) exploit for the flaw became publicly available in August. Outside of CVE-2024-41710, some of the other vulnerabilities targeted by the botnet include CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, CVE-2023-26801, and a remote code execution flaw targeting Linksys E-series devices.  "Aquabot is a botnet that was built off the Mirai fram...
Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices

Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices

Jan 22, 2025 Botnet / Network Security
Web infrastructure and security company Cloudflare on Tuesday said it detected and blocked a 5.6 Terabit per second (Tbps) distributed denial-of-service (DDoS) attack, the largest ever attack to be reported to date. The UDP protocol-based attack took place on October 29, 2024, targeting one of its customers, an unnamed internet service provider (ISP) from Eastern Asia. The activity originated from a Mirai -variant botnet. "The attack lasted only 80 seconds and originated from over 13,000 IoT devices," Cloudflare's Omer Yoachimik and Jorge Pacheco said in a report. That said, the average unique source IP address observed per second was 5,500, with the average contribution of each IP address per second around 1 Gbps. The previous record for the largest volumetric DDoS assault was also reported by Cloudflare in October 2024, which peaked at 3.8 Tbps. Cloudflare also revealed it blocked approximately 21.3 million DDoS attacks in 2024, a 53% increase from 2023, and th...
Expert Insights Articles Videos
Cybersecurity Resources