botnet | Breaking Cybersecurity News | The Hacker News

Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw. "Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary files as system authority," according to an advisory for the flaw. It's worth noting that CVE-2025-4632 is a patch bypass for CVE-2024-7399, another path traversal flaw in the same product that was patched by Samsung in August 2024. CVE-2025-4632 has since been exploited in the wild shortly after the release of a proof-of-concept (PoC) by SSD Disclosure on April 30, 2025, in some instances to even deploy the Mirai botnet. While it was initially assumed that the attacks were targeting CVE-2024-7399, cybersecurity company Huntress first revealed the existenc...

A joint law enforcement operation undertaken by Dutch and U.S. authorities has dismantled a criminal proxy network that's powered by thousands of infected Internet of Things (IoT) and end-of-life (EoL) devices, enlisting them into a botnet for providing anonymity to malicious actors. In conjunction with the domain seizure, Russian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr Aleksandrovich Shishkin, 36, and Dmitriy Rubtsov, 38, a Kazakhstani national, have been charged by the U.S. Department of Justice (DoJ) for operating, maintaining, and profiting from the proxy services. The DoJ noted that users paid a monthly subscription fee, ranging from $9.95 to $110 per month, netting the threat actors more than $46 million by selling access to the infected routers. The service is believed to have been available since 2004.

Europol has announced the takedown of distributed denial of service (DDoS)-for-hire services that were used to launch thousands of cyber-attacks across the world. In connection with the operation, Polish authorities have arrested four individuals aged between 19 and 22 and the United States has seized nine domains that are associated with the now-defunct platforms. "The suspects are believed to be behind six separate stresser/booter services that enabled paying customers to flood websites and servers with malicious traffic — knocking them offline for as little as EUR 10," Europol said in a statement. The services, named cfxapi, cfxsecurity, neostress, jetstress, quickdown and zapcut, are said to have been instrumental in launching widespread attacks on schools, government services, businesses, and gaming platforms between 2022 and 2025.  Europol said the platforms offered "slick user interfaces," enabling malicious actors with little to no technical expertis...

Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command injection flaws ( CVE-2024-6047 and CVE-2024-11120 , CVSS scores: 9.8) that could be used to execute arbitrary system commands. "The exploit targets the /DateSetting.cgi endpoint in GeoVision IoT devices, and injects commands into the szSrvIpAddr parameter," Akamai researcher Kyle Lefton said in a report shared with The Hacker News. In the attacks detected by the web security and infrastructure company, the botnet has been found injecting commands to download and execute an ARM version of the Mirai malware called LZRD . Some of the vulnerabilities exploited by the botnet includ...

What happens when cybercriminals no longer need deep skills to breach your defenses? Today's attackers are armed with powerful tools that do the heavy lifting — from AI-powered phishing kits to large botnets ready to strike. And they're not just after big corporations. Anyone can be a target when fake identities, hijacked infrastructure, and insider tricks are used to slip past security unnoticed. This week's threats are a reminder: waiting to react is no longer an option. Every delay gives attackers more ground. ⚡ Threat of the Week Critical SAP NetWeaver Flaw Exploited as 0-Day — A critical security flaw in SAP NetWeaver (CVE-2025-31324, CVSS score: 10.0) has been exploited by unknown threat actors to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution. The attacks have also been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven's Gate to bypass endpoint protections. ...

Cybersecurity researchers have detailed a malware campaign that's targeting Docker environments with a previously undocumented technique to mine cryptocurrency. The activity cluster, per Darktrace and Cado Security , represents a shift from other cryptojacking campaigns that directly deploy miners like XMRig to illicitly profit off the compute resources. This involves deploying a malware strain that connects to a nascent Web3 service called Teneo, a decentralized physical infrastructure network (DePIN) that allows users to monetize public social media data by running a Community Node in exchange for rewards called Teneo Points , which can be converted into $TENEO Tokens. The node essentially functions as a distributed social media scraper to extract posts from Facebook, X, Reddit, and TikTok. An analysis of artifacts gathered from Darktrace's honeypots has revealed that the attack starts with a request to launch a container image " kazutod/tene:ten " from the ...

Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS , with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States. "From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis.  "This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots." Nearly 42 percent of the compromised devices are located in the United States, followed by Japan, Canada, Denmark, Italy, Morocco, and China. XorDDoS is a well-known malware that has a track record of striking Linux systems for over a decade. In May 2022...

Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials. "Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis published Tuesday. Outlaw is also the name given to the threat actors behind the malware. It's believed to be of Romanian origin. Other hacking groups dominating the cryptojacking landscape include 8220, Keksec (aka Kek Security), Kinsing, and TeamTNT. Active since at least late 2018 , the hacking crew has brute-forced SSH servers , abusing the foothold to conduct reconnaissance and maintain persistence on the compromised hosts by adding their own SSH keys to the "authorized_keys" file. The attackers are also known to incorporate a multi-stage infection ...

A new investigation has unearthed nearly 200 unique command-and-control (C2) domains associated with a malware called Raspberry Robin . "Raspberry Robin (also known as Roshtyak or Storm-0856) is a complex and evolving threat actor that provides initial access broker (IAB) services to numerous criminal groups, many of which have connections to Russia," Silent Push said in a report shared with The Hacker News. Since its emergence in 2019, the malware has become a conduit for various malicious strains like SocGholish, Dridex, LockBit, IcedID, BumbleBee, and TrueBot. It's also referred to as QNAP worm owing to the use of compromised QNAP devices to retrieve the payload. Over the years, Raspberry Robin attack chains have added a new distribution method that involves downloading it via archives and Windows Script Files sent as attachments using the messaging service Discord, not to mention acquiring one-day exploits to achieve local privilege escalation before they we...

At least four different threat actors have been identified as involved in an updated version of a massive ad fraud and residential proxy scheme called BADBOX , painting a picture of an interconnected cybercrime ecosystem. This includes SalesTracker Group, MoYu Group, Lemon Group, and LongTV, according to new findings from the HUMAN Satori Threat Intelligence and Research team, published in collaboration with Google, Trend Micro, Shadowserver, and other partners. The "complex and expansive fraud operation" has been codenamed BADBOX 2.0. It has been described as the largest botnet of infected connected TV (CTV) devices ever uncovered. "BADBOX 2.0, like its predecessor, begins with backdoors on low-cost consumer devices that enable threat actors to load fraud modules remotely," the company said . "These devices communicate with command-and-control (C2) servers owned and operated by a series of distinct but cooperative threat actors." The threat actors ar...

An unpatched security flaw impacting the Edimax IC-7100 network camera is being exploited by threat actors to deliver Mirat botnet malware variants since at least May 2024. The vulnerability in question is CVE-2025-1316 (CVSS v4 score: 9.3), a critical operating system command injection flaw that an attacker could exploit to achieve remote code execution on susceptible devices by means of a specially crafted request. Web infrastructure and security company Akamai said the earliest exploit attempt targeting the flaw dates back to May 2024, although a proof-of-concept (PoC) exploit has been publicly available since June 2023. "The exploit targets the /camera-cgi/admin/param.cgi endpoint in Edimax devices, and injects commands into the NTP_serverName option as part of the ipcamSource option of param.cgi," Akamai researchers Kyle Lefton and Larry Cashdollar said . While weaponizing the endpoint requires authentication, it has been found that the exploitation attempts are...

Users searching for pirated software are the target of a new malware campaign that delivers a previously undocumented clipper malware called MassJacker, according to findings from CyberArk. Clipper malware is a type of cryware (as coined by Microsoft) that's designed to monitor a victim's clipboard content and facilitate cryptocurrency theft by substituting copied cryptocurrency wallet addresses with an attacker-controlled one so as to reroute them to the adversary instead of the intended target. "The infection chain begins at a site called pesktop[.]com," security researcher Ari Novick said in an analysis published earlier this week. "This site, which presents itself as a site to get pirated software, also tries to get people to download all sorts of malware." The initial executable acts as a conduit to run a PowerShell script that delivers a botnet malware named Amadey , as well as two other .NET binaries, each compiled for 32- and 64-bit architect...

Unpatched TP-Link Archer routers have become the target of a new botnet campaign dubbed Ballista, according to new findings from the Cato CTRL team. "The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet," security researchers Ofek Vardi and Matan Mittelman said in a technical report shared with The Hacker News. CVE-2023-1389 is a high-severity security flaw impacting TP-Link Archer AX-21 routers that could lead to command injection, which could then pave the way for remote code execution. The earliest evidence of active exploitation of the flaw dates back to April 2023, with unidentified threat actors using it to drop Mirai botnet malware. Since then, it has also been abused to propagate other malware families like Condi and AndroxGh0st . Cato CTRL said it detected the Ballista campaign on January 10, 2025. The most recent exploitation attempt was recorded on Februa...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2023-20118 (CVSS score: 6.5) - A command injection vulnerability in the web-based management interface of Cisco Small Business RV Series routers that allows an authenticated, remote attacker to gain root-level privileges and access unauthorized data (Unpatched due to the routers reaching end-of-life status) CVE-2022-43939 (CVSS score: 8.6) - An authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server that stems from the use of non-canonical URL paths for authorization decisions (Fixed in August 2024 with versions 9.3.0.2 and 9.4.0.1) CVE-2022-43769 (CVSS score: 8.8) - A special element injection vulnerability in Hitachi Vantara...

Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d . The improved variant of Vo1d has been found to encompass 800,000 daily active IP addresses, with the botnet scaling a peak of 1,590,299 on January 19, 2025, spanning 226 countries and regions. As of February 25, 2025, India has experienced a notable surge in infection rate, increasing from less than 1% (3,901) to 18.17% (217,771).  "Vo1d has evolved to enhance its stealth, resilience, and anti-detection capabilities," QiAnXin XLab said . "RSA encryption secures network communication, preventing [command-and-control] takeover even if [the Domain Generation Algorithm] domains are registered by researchers. Each payload uses a unique Downloader, with XXTEA encryption and RSA-protected keys, making analysis harder." The malware was first documented by Doctor Web in September 2024 as affecting Androi...

A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP, and Synology to rope them into a botnet named PolarEdge since at least the end of 2023. French cybersecurity company Sekoia said it observed the unknown threat actors deploying a backdoor by leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers that could result in arbitrary command execution on susceptible devices. The vulnerability remains unpatched due to the routers reaching end-of-life (EoL) status. As workarounds, Cisco recommended in early 2023 that the flaw can be mitigated by disabling remote management and blocking access to ports 443 and 60443. In the attack registered against Sekoia's honeypots, the vulnerability is said to have been used to deliver a previously undocumented implant, a TLS backdoor that incorporates the ability to listen for incoming client connections and execu...

A Mirai botnet variant dubbed Aquabot has been observed actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks. The vulnerability in question is CVE-2024-41710 (CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor to execute arbitrary commands within the context of the phone. It affects Mitel 6800 Series, 6900 Series, 6900w Series SIP Phones, and Mitel 6970 Conference Unit. It was addressed by Mitel in mid-July 2024. A proof-of-concept (PoC) exploit for the flaw became publicly available in August. Outside of CVE-2024-41710, some of the other vulnerabilities targeted by the botnet include CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, CVE-2023-26801, and a remote code execution flaw targeting Linksys E-series devices.  "Aquabot is a botnet that was built off the Mirai fram...

Web infrastructure and security company Cloudflare on Tuesday said it detected and blocked a 5.6 Terabit per second (Tbps) distributed denial-of-service (DDoS) attack, the largest ever attack to be reported to date. The UDP protocol-based attack took place on October 29, 2024, targeting one of its customers, an unnamed internet service provider (ISP) from Eastern Asia. The activity originated from a Mirai -variant botnet. "The attack lasted only 80 seconds and originated from over 13,000 IoT devices," Cloudflare's Omer Yoachimik and Jorge Pacheco said in a report. That said, the average unique source IP address observed per second was 5,500, with the average contribution of each IP address per second around 1 Gbps. The previous record for the largest volumetric DDoS assault was also reported by Cloudflare in October 2024, which peaked at 3.8 Tbps. Cloudflare also revealed it blocked approximately 21.3 million DDoS attacks in 2024, a 53% increase from 2023, and th...