I cracked one of those puppet accounts. It's part of a ring of accounts that do this kind of work.

What else do you want me to find out?

Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying - The hacker ecosystem in Russia, more than perhaps anywhere e... - https://arstechnica.com/security/2025/05/feds-charge-16-russians-allegedly-tied-to-botnets-used-in-cyberattacks-and-spying/ #russianhacking #syndication #security #biz⁢ #botnet

Feds Charge 16 Russians Allegedly Tied to Botnets Used in #Ransomware, Cyberattacks, and Spying

https://www.wired.com/story/us-charges-16-russians-danabot-malware/

US indicts leader of #Qakbot #botnet linked to #ransomware attacks

https://www.bleepingcomputer.com/news/security/us-indicts-leader-of-qakbot-botnet-linked-to-ransomware-attacks/

Security expert Brian Krebs targeted by DDoS attack with 6.3 terabits per second

A new botnet is preparing to take over the legacy of Mirai – only much stronger. A security expert was attacked at 6.3 terabits per second.

https://www.heise.de/en/news/Security-expert-Brian-Krebs-targeted-by-DDoS-attack-with-6-3-terabits-per-second-10393545.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

Sicherheitsexperte Brian Krebs Ziel von DDoS-Attacke mit 6,3 Terabit pro Sekunde

Ein neues Botnet schickt sich an, das Erbe von Mirai anzutreten – nur ungleich stärker. Ein Sicherheitsexperte wurde mit 6,3 Terabit pro Sekunde attackiert.

https://www.heise.de/news/Sicherheitsexperte-Brian-Krebs-Ziel-von-DDoS-Attacke-mit-6-3-Terabit-pro-Sekunde-10393206.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#KrebsOnSecurity hit by a record-breaking 6.3 Tbps DDoS attack linked to the new #Aisuru IoT botnet.

Read: https://hackread.com/krebsonsecurity-6-3-tbps-ddos-attack-aisuru-botnet/

Pretty much the only regions on the planet from which we *don't* see regular volumetric DDOS against www.bbc.co.uk & www.bbc.com is central Africa & the poles.

This is map shows the number of time each country was a DDOS traffic source in the last 30 days (larger circles == more DDOS attacks).

The botnets are really well globally distributed these days (and we typically see thousands or tens of thousands of source IPs per attack - mostly compromised servers).

Cyberattaque mondiale : le FBI fait tomber un #botnet géant qui détournait vos #routeurs depuis plus de vingt ans. Pendant plus de 20 ans, des cybercriminels ont transformé des milliers de routeurs obsolètes en #proxys résidentiels pour dissimuler leurs activités illégales. Après une traque d’un an, les autorités viennent de démanteler le réseau #Anyproxy / #5Socks et d’inculper quatre personnes.
https://www.clubic.com/actualite-564990-cyberattaque-mondiale-le-fbi-fait-tomber-un-botnet-geant-qui-detournait-vos-routeurs-depuis-plus-de-vingt-ans.html

Police Dismantles Botnet Selling Hacked Routers As Residential Proxies - An anonymous reader quotes a report from BleepingComputer: Law enforcement authori... - https://it.slashdot.org/story/25/05/09/2223226/police-dismantles-botnet-selling-hacked-routers-as-residential-proxies?utm_source=rss1.0mainlinkanon&utm_medium=feed #botnet

Police dismantles #botnet selling hacked routers as residential proxies

https://www.bleepingcomputer.com/news/security/police-dismantles-botnet-selling-hacked-routers-as-residential-proxies/

ACTIVE EXPLOITATION ALERT

Great work Kyle Lefton

The baddies at Akamai SIRT (Security Intelligence Response Team) have identified the first ITW exploitation of command injection vulns CVE-2024-6047 and CVE-2024-11120. It's a Mirai variant called LZRD (pronounced luh-zurd according to the interwebs)

blog post includes IOCs, full technical details and malware analysis. video is a silly interpretation bc i'm allergic to content without puns

https://www.akamai.com/blog/security-research/active-exploitation-mirai-geovision-iot-botnet

A shady Market gives Money to App Developers on iOS, Android, MacOS and Windows for including a Library into their Apps that sells Users Network Bandwidth, acting as Proxy for Web Scrapers/Bots - Article by Jan Wildeboer @jwildeboer #Botnet https://jan.wildeboer.net/2025/04/Web-is-Broken-Botnet-Part-2/

New Threat Alert: Rustobot Botnet
A new Rust-based botnet is making waves — and it's hijacking routers to do it. @FortiGuardLabs latest research dives into Rustobot, a stealthy, modular botnet that’s fast, evasive, and ready to wreak havoc.

Learn how it works, what makes it different, and how to protect your network:
https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers

IOCs

URLs

hxxp://66[.]63[.]187[.]69/w.sh
hxxp://66[.]63[.]187[.]69/wget.sh
hxxp://66[.]63[.]187[.]69/t
hxxp://66[.]63[.]187[.]69/tftp.sh
hxxp://66[.]63[.]187[.]69/arm5
hxxp://66[.]63[.]187[.]69/arm6
hxxp://66[.]63[.]187[.]69/arm7
hxxp://66[.]63[.]187[.]69/mips
hxxp://66[.]63[.]187[.]69/mpsl
hxxp://66[.]63[.]187[.]69/x86

Hosts

dvrhelper[.]anondns[.]net
techsupport[.]anondns[.]net
rustbot[.]anondns[.]net
miraisucks[.]anondns[.]net
5[.]255[.]125[.]150

Edit: Shout-out to the author behind this research, @7olzu

Botnet alert: A newly uncovered XorDDoS controller is widening the threat surface.

Attackers are targeting:
Linux servers
Docker environments
IoT infrastructure

Their method?
SSH brute-force
Persistence via cron jobs and init scripts
71% of detected activity focused on U.S. systems
Indicators suggest Chinese-speaking actors

This isn’t just noise — it’s a sustained, evolving threat to cloud and edge ecosystems.

#CyberSecurity #XorDDoS #Botnet #LinuxSecurity #ThreatIntelligence #security #privacy #cloud #infosec
https://thehackernews.com/2025/04/experts-uncover-new-xorddos-controller.html

#OperationEndgame - With the operators out of the picture, law enforcement is closing in on Smokeloader botnet’s paying customers across Europe and North America.

Read: https://hackread.com/smokeloader-users-identified-arrested-operation-endgame/

New #Mirai #botnet behind surge in #TVT #DVR exploitation

https://www.bleepingcomputer.com/news/security/new-mirai-botnet-behind-surge-in-tvt-dvr-exploitation/

I'm having trouble figuring out what kind of botnet has been hammering our web servers over the past week. Requests come in from tens of thousands of addresses, just once or twice each (and not getting blocked by fail2ban), with different browser strings (Chrome versions ranging from 24.0.1292.0 - 108.0.5163.147) and ridiculous cobbled-together paths like /about-us/1-2-3-to-the-zoo/the-tiny-seed/10-little-rubber-ducks/1-2-3-to-the-zoo/the-tiny-seed/the-nonsense-show/slowly-slowly-slowly-said-the-sloth/the-boastful-fisherman/the-boastful-fisherman/brown-bear-brown-bear-what-do-you-see/the-boastful-fisherman/brown-bear-brown-bear-what-do-you-see/brown-bear-brown-bear-what-do-you-see/pancakes-pancakes/pancakes-pancakes/the-tiny-seed/pancakes-pancakes/pancakes-pancakes/slowly-slowly-slowly-said-the-sloth/the-tiny-seed

(I just put together a bunch of Eric Carle titles as an example. The actual paths are pasted together from valid paths on our server but in invalid order, with as many as 32 subdirectories.)

Has anyone else been seeing this and do you have an idea what's behind it?

NSA Warns 'Fast Flux' Threatens National Security - An anonymous reader quotes a report from Ars Technica: A technique that hostile na... - https://it.slashdot.org/story/25/04/04/2059211/nsa-warns-fast-flux-threatens-national-security?utm_source=rss1.0mainlinkanon&utm_medium=feed #botnet