CyberSecurity news
FlagThis - #Botnet
|
info@thehackernews.com (The@The Hacker News
//
A new Flodrix botnet variant is actively targeting vulnerable Langflow AI servers by exploiting a critical remote code execution (RCE) vulnerability tracked as CVE-2025-3248. Langflow, a Python-based visual framework used for building artificial intelligence (AI) applications, contains a missing authentication vulnerability that enables unauthenticated attackers to execute arbitrary code via crafted HTTP requests. Cybersecurity researchers at Trend Micro have highlighted this ongoing campaign, revealing that attackers are leveraging the flaw to execute downloader scripts on compromised Langflow servers. These scripts then fetch and install the Flodrix malware, ultimately leading to full system compromise.
Trend Micro's analysis reveals that attackers are exploiting CVE-2025-3248, which has a CVSS score of 9.8, by using publicly available proof-of-concept (PoC) code to target unpatched, internet-exposed Langflow instances. The vulnerability lies in the lack of input validation or sandboxing within Langflow, allowing malicious payloads to be compiled and executed within the server's context. The downloader scripts retrieve the Flodrix botnet malware from a specified host and, once installed, Flodrix establishes communication with a remote server via TCP to receive commands for launching distributed denial-of-service (DDoS) attacks against targeted IP addresses. Flodrix also supports connections over the TOR anonymity network. The Flodrix botnet is considered an evolution of the LeetHozer botnet, linked to the Moobot group. This improved variant incorporates stealth techniques, including the ability to discreetly remove itself, minimize forensic traces, and obfuscate command-and-control (C2) server addresses, making analysis more challenging. Further enhancements include new, encrypted DDoS attack types. Organizations using Langflow are urged to immediately patch their systems to version 1.3.0 or later, which addresses CVE-2025-3248. Furthermore, implementing robust network monitoring is crucial to detect and mitigate any botnet activity resulting from this vulnerability. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A critical remote code execution vulnerability, CVE-2025-24016, affecting the Wazuh security platform is being actively exploited by Mirai botnets to launch distributed denial-of-service (DDoS) attacks. Akamai discovered this exploitation in late March 2025, revealing that threat actors are using this flaw to deploy Mirai botnet variants. The vulnerability, an unsafe deserialization issue, exists within the Wazuh API, specifically in how parameters within the DistributedAPI are handled.
The vulnerability stems from the deserialization of JSON data using the `as_wazuh_object` function in the `framework/wazuh/core/cluster/common.py` file. Attackers can inject malicious JSON payloads to execute arbitrary Python code remotely. CVE-2025-24016 affects Wazuh server versions 4.4.0 through 4.9.0, and has been assigned a critical CVSS score of 9.9. The flaw was patched in February 2025 with the release of Wazuh version 4.9.1, which replaced the unsafe `eval` function with `ast.literal_eval`. Akamai has observed two distinct botnets exploiting this vulnerability. In both cases, a successful exploit leads to the execution of a shell script that downloads a Mirai botnet payload from an external server. The first botnet deploys variants of LZRD Mirai, a botnet that has been active since 2023, and has also been recently used in attacks targeting GeoVision IoT devices. The second botnet delivers a Mirai variant known as Resbot (aka Resentual). Security researchers emphasize the rapidly decreasing time-to-exploit for newly published CVEs by botnet operators. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
A new botnet campaign, dubbed AyySSHush, is targeting ASUS routers, compromising over 9,000 devices globally. The attackers are exploiting a known command injection vulnerability, CVE-2023-39780, along with other authentication bypass techniques to gain unauthorized access. Models such as RT-AC3100, RT-AC3200, and RT-AX55 are among those being targeted, with attackers seeking to establish a persistent presence within the compromised routers. GreyNoise researchers, who uncovered the campaign, emphasize the stealthy tactics employed, which include disabling router logging and avoiding the installation of malware, making detection difficult.
Attackers initially gain access to ASUS routers through brute-force login attempts and the exploitation of authentication bypass flaws, including techniques that have not yet been assigned CVEs. Once inside, they leverage the CVE-2023-39780 command injection vulnerability to execute system commands and modify router settings. These commands enable SSH access on a custom port, typically TCP/53282, and insert an attacker-controlled public key for remote access. This allows the attackers to maintain a persistent backdoor into the compromised routers, even after firmware upgrades and reboots. As a result of this sophisticated campaign, compromised ASUS routers require a factory reset to fully remove the persistent SSH backdoor. Standard firmware updates are insufficient, as the attackers abuse legitimate router configuration features stored in non-volatile memory (NVRAM). GreyNoise recommends users rotate all authentication tokens, including passwords and SSH keys, and perform a factory reset to clear the affected devices' NVRAM. Users can also use runZero's service inventory to locate potentially impacted assets by querying for SSH protocol on port 53282, or scan for the attacker’s public key using the SSHamble tool. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
A new botnet, dubbed PumaBot, is actively targeting Linux-based IoT devices, posing a significant security risk. This Go-based malware is designed to steal SSH credentials through brute-force attacks, allowing it to spread malicious payloads and illicitly mine cryptocurrency. Unlike other botnets that perform broad internet scans, PumaBot employs a more targeted approach by retrieving lists of IP addresses from its command-and-control (C2) server, enabling it to focus its attacks on specific devices. This approach, coupled with its ability to impersonate legitimate system files, makes PumaBot a stealthy and dangerous threat to embedded Linux systems.
The attack begins with PumaBot attempting to brute-force SSH credentials on targeted devices, aiming to gain unauthorized access. Once inside, it establishes persistence using systemd service files, ensuring it survives reboots and remains active on the compromised device. To further mask its activities, PumaBot disguises itself as a legitimate Redis system file, attempting to blend in with normal system processes. After successfully gaining access to an infected system, it collects and exfiltrates basic system information to the C2 server, where it can receive commands to carry out its malicious objectives. The primary goal of PumaBot appears to be cryptocurrency mining, as evidenced by the presence of "xmrig" and "networkxm" commands within its code. These commands suggest that compromised devices are being leveraged to generate illicit cryptocurrency gains for the botnet operators. Security experts also observed that the botnet performs checks to avoid honeypots and, curiously, looks for the string "Pumatronix," a surveillance and traffic camera manufacturer, hinting at a targeted or exclusionary approach. The discovery highlights the ongoing need for robust security measures for IoT devices, as they continue to be attractive targets for botnet recruitment and malicious activities. Recommended read:
References :
@www.bleepingcomputer.com
//
The US government has indicted Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow, as the leader of the Qakbot botnet malware conspiracy. Gallyamov, also known as "Cortes" and other aliases, is accused of leading a group of cybercriminals responsible for developing and deploying the Qakbot malware since 2008. This indictment is part of an ongoing multinational effort involving the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada to combat cybercrime. The Justice Department has also filed a civil forfeiture complaint against Gallyamov, seeking to seize over $24 million in cryptocurrency allegedly obtained through his criminal activities.
According to court documents, Gallyamov used the Qakbot malware to infect over 700,000 computers globally, establishing a vast network or "botnet" of compromised machines. Starting in 2019, this botnet was leveraged to facilitate ransomware attacks against innocent victims worldwide, causing significant financial losses. The FBI and its international partners crippled Gallyamov's bot network in 2023, but he allegedly continued to deploy alternative methods to make his malware available to criminal cyber gangs. The Qakbot malware, also known as Qbot and Pinkslipbot, evolved over time from a banking trojan into a tool used for malware dropping and keystroke logging. Officials emphasize the commitment to holding cybercriminals accountable and disrupting their activities. "Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. U.S. Attorney Bill Essayli for the Central District of California added, "The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals." The case demonstrates the FBI’s commitment to relentlessly pursuing individuals who target Americans and demand ransom, even when they reside overseas. Recommended read:
References :
Ashish Khaitan@The Cyber Express
//
The FBI has issued a warning regarding the increasing exploitation of end-of-life (EoL) routers by cybercriminals. These outdated devices, which no longer receive security updates from manufacturers, are being targeted with malware, most notably variants of TheMoon, to establish proxy networks. This allows malicious actors to mask their online activities and conduct illicit operations with anonymity. The FBI emphasizes that routers from 2010 or earlier are particularly vulnerable due to the absence of recent software updates, making them susceptible to known exploits.
The compromised routers are then incorporated into botnets and used as proxies, sold on networks like 5Socks and Anyproxy. This enables cybercriminals to route malicious traffic through these unsuspecting devices, obscuring their real IP addresses and making it difficult to trace their criminal activities. TheMoon malware exploits open ports on vulnerable routers, bypassing the need for passwords, and then connects to a command-and-control (C2) server for instructions. This process allows the malware to spread rapidly, infecting more routers and expanding the proxy network. To mitigate this growing threat, the FBI advises users to replace EoL routers with actively supported models and apply all available firmware and security updates. Disabling remote administration and using strong, unique passwords are also crucial steps in securing network devices. Additionally, regularly rebooting routers can help flush out temporary malware behavior. The FBI's warning underscores the importance of maintaining up-to-date security measures on network hardware to prevent exploitation by cybercriminals seeking to anonymize their activities. Recommended read:
References :
@cyberinsider.com
//
Law enforcement agencies across North America and Europe have taken action against users of the Smokeloader botnet in a follow-up to Operation Endgame, a major takedown that occurred in May 2024. This new phase targets the demand side of the cybercrime economy, focusing on individuals who purchased access to compromised computers through Smokeloader’s pay-per-install service, which was operated by the cybercriminal known as "Superstar". Authorities have arrested at least five individuals, conducted house searches, and interrogated suspects linked to the use of the Smokeloader botnet. In addition to arrests, servers used by the Smokeloader botnet's customers have also been seized.
Evidence used to identify and apprehend the Smokeloader users came from backend databases obtained during the initial Operation Endgame takedown. These databases contained information about who had purchased access to the infected machines, allowing investigators to match usernames and payment information to real-world identities. The customers of the Smokeloader botnet were using the access to deploy various types of malware, including ransomware, spyware, and cryptominers for their own illicit activities. Some suspects were found to be reselling the Smokeloader access for profit, adding another layer to the investigation. The investigation remains open, and authorities are continuing to work through leads, with more actions expected. Europol has launched a dedicated website, operation-endgame.com, to collect tips and provide updates on the operation. Law enforcement agencies are sending a clear message that they are committed to disrupting the cybercrime ecosystem by targeting not only the operators of malicious services but also the individuals who use and fund them. Officials said that the malware's customers faced various consequences ranging from "knock and talks," full house searches, all the way to arrests. Recommended read:
References :
Alex Delamotte@sentinelone.com
//
AkiraBot, an AI-powered botnet, has been identified as the source of a widespread spam campaign targeting over 80,000 websites since September 2024. This sophisticated framework leverages OpenAI's API to generate custom outreach messages tailored to the content of each targeted website, effectively promoting dubious SEO services. Unlike typical spam tools, AkiraBot employs advanced CAPTCHA bypass mechanisms and network detection evasion techniques, posing a significant challenge to website security. It achieves this by rotating attacker-controlled domain names and using AI-generated content, making it difficult for traditional spam filters to identify and block the messages.
AkiraBot operates by targeting contact forms and chat widgets embedded on small to medium-sized business websites. The framework is modular and specifically designed to evade CAPTCHA filters and avoid network detections. To bypass CAPTCHAs, AkiraBot mimics legitimate user behavior, and uses services like Capsolver, FastCaptcha, and NextCaptcha. It also relies on proxy services like SmartProxy, typically used by advertisers, to rotate IP addresses and maintain geographic anonymity, preventing rate-limiting and system-wide blocks. The use of OpenAI's language models, specifically GPT-4o-mini, allows AkiraBot to create unique and personalized spam messages for each targeted site. By scraping site content, the bot generates messages that appear authentic, increasing engagement and evading traditional spam filters. While OpenAI has since revoked the spammers' account, the four months the activity went unnoticed highlight the reactive nature of enforcement and the emerging challenges AI poses to defending websites against spam attacks. This sophisticated approach marks a significant evolution in spam tactics, as the individualized nature of AI-generated content complicates detection and blocking measures. Recommended read:
References :
@securityonline.info
//
GreyNoise has observed a significant surge, approximately three times the typical level, in exploitation attempts targeting TVT NVMS9000 DVRs. The peak of this activity occurred on April 3, 2025, with over 2,500 unique IP addresses involved in scanning for vulnerable devices. This vulnerability is an information disclosure flaw that allows attackers to gain administrative control over affected systems, essentially bypassing authentication and executing commands without restriction. Countless prior reports have identified the TVT NVMS9000 DVR as a target for botnet recruitment, including a GreyNoise update in early March 2025.
The exploitation activity is strongly suspected to be associated with the Mirai botnet, a notorious threat known for targeting vulnerabilities in IoT devices. GreyNoise has identified sufficient overlap with Mirai to support this attribution. Manufactured by TVT Digital Technology Co., Ltd., based in Shenzhen, the NVMS9000 DVRs are used in security and surveillance systems for recording, storing, and managing video footage from security cameras. The company reports serving customers in over 120 countries. The majority of the malicious IP addresses involved in the exploitation attempts originate from the Asia-Pacific (APAC) region, specifically Taiwan, Japan, and South Korea. However, the top target countries are the United States, United Kingdom, and Germany. Organizations using the NVMS9000 DVR or similar systems are advised to take immediate action to secure their devices. Recommended mitigations include blocking known malicious IP addresses, applying all available patches, restricting public internet access to DVR interfaces, and closely monitoring network traffic for signs of unusual scanning or exploitation attempts. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
The OUTLAW Linux botnet is rapidly expanding by targeting vulnerable SSH servers through brute-force attacks. Cybersecurity researchers have identified the botnet, also known as Dota, as an "auto-propagating" cryptocurrency mining operation that uses simple yet effective techniques to maintain persistence on compromised systems. This includes exploiting weak credentials, manipulating SSH keys, and leveraging cron jobs to ensure the malware restarts after reboots or termination attempts.
The botnet uses a multi-stage infection process, beginning with a dropper shell script that downloads and unpacks a malicious archive file. This file launches a modified XMRig miner for cryptojacking and installs components in hidden directories to avoid detection. The botnet also uses a custom SSH brute-forcer called BLITZ to scan for and infect other vulnerable systems on the network, perpetuating its spread in a worm-like fashion. Despite its basic techniques, OUTLAW has proven to be a persistent and effective threat. Recommended read:
References :
|