info@thehackernews.com (The@The Hacker News
//
A new Flodrix botnet variant is actively targeting vulnerable Langflow AI servers by exploiting a critical remote code execution (RCE) vulnerability tracked as CVE-2025-3248. Langflow, a Python-based visual framework used for building artificial intelligence (AI) applications, contains a missing authentication vulnerability that enables unauthenticated attackers to execute arbitrary code via crafted HTTP requests. Cybersecurity researchers at Trend Micro have highlighted this ongoing campaign, revealing that attackers are leveraging the flaw to execute downloader scripts on compromised Langflow servers. These scripts then fetch and install the Flodrix malware, ultimately leading to full system compromise.
Trend Micro's analysis reveals that attackers are exploiting CVE-2025-3248, which has a CVSS score of 9.8, by using publicly available proof-of-concept (PoC) code to target unpatched, internet-exposed Langflow instances. The vulnerability lies in the lack of input validation or sandboxing within Langflow, allowing malicious payloads to be compiled and executed within the server's context. The downloader scripts retrieve the Flodrix botnet malware from a specified host and, once installed, Flodrix establishes communication with a remote server via TCP to receive commands for launching distributed denial-of-service (DDoS) attacks against targeted IP addresses. Flodrix also supports connections over the TOR anonymity network.
The Flodrix botnet is considered an evolution of the LeetHozer botnet, linked to the Moobot group. This improved variant incorporates stealth techniques, including the ability to discreetly remove itself, minimize forensic traces, and obfuscate command-and-control (C2) server addresses, making analysis more challenging. Further enhancements include new, encrypted DDoS attack types. Organizations using Langflow are urged to immediately patch their systems to version 1.3.0 or later, which addresses CVE-2025-3248. Furthermore, implementing robust network monitoring is crucial to detect and mitigate any botnet activity resulting from this vulnerability.
Recommended read:
References :
- The Hacker News: New Flodrix Botnet Variant Exploits Langflow AI Server RCE Bug to Launch DDoS Attacks
- securityaffairs.com: News Flodrix botnet targets vulnerable Langflow servers
- securityonline.info: Langflow Under Attacks: CVE-2025-3248 Exploited to Deliver Stealthy Flodrix Botnet
- Virus Bulletin: Trend Micro uncovers an active campaign exploiting CVE-2025-3248 in Langflow versions before 1.3.0 that deploys the Flodrix botnet, enabling threat actors to achieve full system compromise, initiate DDoS attacks, and potentially exfiltrate sensitive data.
info@thehackernews.com (The@The Hacker News
//
A critical remote code execution vulnerability, CVE-2025-24016, affecting the Wazuh security platform is being actively exploited by Mirai botnets to launch distributed denial-of-service (DDoS) attacks. Akamai discovered this exploitation in late March 2025, revealing that threat actors are using this flaw to deploy Mirai botnet variants. The vulnerability, an unsafe deserialization issue, exists within the Wazuh API, specifically in how parameters within the DistributedAPI are handled.
The vulnerability stems from the deserialization of JSON data using the `as_wazuh_object` function in the `framework/wazuh/core/cluster/common.py` file. Attackers can inject malicious JSON payloads to execute arbitrary Python code remotely. CVE-2025-24016 affects Wazuh server versions 4.4.0 through 4.9.0, and has been assigned a critical CVSS score of 9.9. The flaw was patched in February 2025 with the release of Wazuh version 4.9.1, which replaced the unsafe `eval` function with `ast.literal_eval`.
Akamai has observed two distinct botnets exploiting this vulnerability. In both cases, a successful exploit leads to the execution of a shell script that downloads a Mirai botnet payload from an external server. The first botnet deploys variants of LZRD Mirai, a botnet that has been active since 2023, and has also been recently used in attacks targeting GeoVision IoT devices. The second botnet delivers a Mirai variant known as Resbot (aka Resentual). Security researchers emphasize the rapidly decreasing time-to-exploit for newly published CVEs by botnet operators.
Recommended read:
References :
- The Hacker News: Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks
- Catalin Cimpanu: Akamai has spotted two Mirai botnets abusing a recently patched RCE (CVE-2025-24016) in the Wazuh SIEM
- cvereports.com: CVE-2025-24016 - unsafe deserialization vulnerability in Wazuh leading to remote code execution
- Virus Bulletin: Akamai has spotted two Mirai botnets abusing a recently patched RCE (CVE-2025-24016) in the Wazuh SIEM
- securityaffairs.com: Mirai botnets are exploiting CVE-2025-24016, a critical remote code execution flaw in Wazuh servers, Akamai warned.
- infosec.exchange: InfoSec Exchange post regarding Mirai botnets exploiting Wazuh vulnerability
- Help Net Security: Two Mirai botnets are exploiting a critical remote code execution vulnerability (CVE-2025-24016) in the open-source Wazuh XDR/SIEM platform, Akamai researchers have warned.
- gbhackers.com: Exploitation of Critical Wazuh Server RCE Vulnerability Leads to Mirai Variant Deployment
- The Register - Security: Critical Wazuh bug exploited in growing Mirai botnet infection
- www.helpnetsecurity.com: Unpatched Wazuh servers targeted by Mirai botnets (CVE-2025-24016)
- hackread.com: Akamai's latest report reveals two Mirai botnets exploiting the critical CVE-2025-24016 flaw in Wazuh. Learn about these fast-spreading IoT threats and urgent patching advice.
- bsky.app: Akamai has spotted two Mirai botnets abusing a recently patched RCE (CVE-2025-24016) in the Wazuh SIEM
- Catalin Cimpanu: Akamai has spotted two Mirai botnets abusing a recently patched RCE (CVE-2025-24016) in the Wazuh SIEM
- Catalin Cimpanu: Akamai has spotted two Mirai botnets abusing a recently patched RCE (CVE-2025-24016) in the Wazuh SIEM
- nvd.nist.gov: Cybersecurity Vulnerability details CVE-2025-24016.
- Wazuh: Addressing the CVE-2025-24016 vulnerability
- sra.io: Wazuh server vulnerability CVE-2025-24016 exploited in the wild, patch has since been released.
- wazuh.com: Addressing the CVE-2025-24016 vulnerability
Pierluigi Paganini@securityaffairs.com
//
A new botnet campaign, dubbed AyySSHush, is targeting ASUS routers, compromising over 9,000 devices globally. The attackers are exploiting a known command injection vulnerability, CVE-2023-39780, along with other authentication bypass techniques to gain unauthorized access. Models such as RT-AC3100, RT-AC3200, and RT-AX55 are among those being targeted, with attackers seeking to establish a persistent presence within the compromised routers. GreyNoise researchers, who uncovered the campaign, emphasize the stealthy tactics employed, which include disabling router logging and avoiding the installation of malware, making detection difficult.
Attackers initially gain access to ASUS routers through brute-force login attempts and the exploitation of authentication bypass flaws, including techniques that have not yet been assigned CVEs. Once inside, they leverage the CVE-2023-39780 command injection vulnerability to execute system commands and modify router settings. These commands enable SSH access on a custom port, typically TCP/53282, and insert an attacker-controlled public key for remote access. This allows the attackers to maintain a persistent backdoor into the compromised routers, even after firmware upgrades and reboots.
As a result of this sophisticated campaign, compromised ASUS routers require a factory reset to fully remove the persistent SSH backdoor. Standard firmware updates are insufficient, as the attackers abuse legitimate router configuration features stored in non-volatile memory (NVRAM). GreyNoise recommends users rotate all authentication tokens, including passwords and SSH keys, and perform a factory reset to clear the affected devices' NVRAM. Users can also use runZero's service inventory to locate potentially impacted assets by querying for SSH protocol on port 53282, or scan for the attacker’s public key using the SSHamble tool.
Recommended read:
References :
- cyberinsider.com: A campaign targeting nearly 9,000 ASUS routers globally has given attackers persistent, undetectable access, likely to build a botnet network for future operations.
- The GreyNoise Blog: GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
- Blog: ASUS routers exposed to the public Internet are being compromised, with backdoors being installed. Here's how to find impacted assets on your network.
- www.scworld.com: ASUS router backdoors affect 9K devices, persist after firmware updates
- securityonline.info: Beyond Malware: Stealthy ASUS Router Exploitation Survives Reboots, Builds Botnet
- bsky.app: Over 9,000 ASUS routers are compromised by a novel botnet dubbed "AyySSHush" that was also observed targeting SOHO routers from Cisco
- securityaffairs.com: New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.
- securityonline.info: Beyond Malware: Stealthy ASUS Router Exploitation Survives Reboots, Builds Botnet.
- CyberInsider: 9,000 ASUS Routers Compromised in Stealthy Backdoor Campaign
- BleepingComputer: Botnet hacks 9,000+ ASUS routers to add persistent SSH backdoor
- www.techradar.com: Thousands of Asus routers hacked to create a major botnet planting damaging malware.
- The Register - Security: 8,000+ Asus routers popped in 'advanced' mystery botnet plot
- PCMag UK security: Cybercriminals Hack Asus Routers: Here's How to Check If They Got Into Yours
- eSecurity Planet: Over 9,000 Routers Hijacked: ASUS Users Caught in Ongoing Cyber Operation
- www.itpro.com: Asus routers at risk from backdoor vulnerability
- www.csoonline.com: New botnet hijacks AI-powered security tool on Asus routers
- www.esecurityplanet.com: Over 9,000 ASUS routers were hacked in a stealth cyberattack exploiting CVE-2023-39780.
- cyble.com: Researchers disclosed that attackers have exploited this vulnerability in a widespread and stealthy botnet campaign, compromising over 9,000 ASUS routers and enabling persistent, unauthorized access to the affected devices.
- hothardware.com: Heads up if you have an Asus router in your home or office, as there's a backdoor exploit doing the rounds affecting 9,000 devices and counting.
- techvro.com: GreyNoise has exposed the AyySSHush botnet infecting over 9,000 ASUS routers, urging owners to factory reset devices as firmware updates alone won’t remove the hidden backdoor.
- Techzine Global: New botnet creates permanent backdoors in ASUS routers
- securityonline.info: AyySSHush: New Stealthy Botnet Backdoors ASUS Routers, Persists Through Firmware Updates
- securityonline.info: SecurityOnline: AyySSHush: New Stealthy Botnet Backdoors ASUS Routers, Persists Through Firmware Updates
- Catalin Cimpanu: -AyySSHush botnet infects 9k ASUS routers
- Blog: In early 2025, cybersecurity researchers uncovered a stealthy campaign compromising over 9,000 ASUS routers. Dubbed "AyySSHush," this operation targets specific ASUS models, including RT-AC3100, RT-AC3200, and RT-AX55, by exploiting a known command injection vulnerability, designated CVE-2023-39780, alongside other authentication bypass techniques.
- www.zdnet.com: Cybercriminals have hacked into thousands of Asus routers. Here's how to tell if yours is compromised.
Pierluigi Paganini@Security Affairs
//
A new botnet, dubbed PumaBot, is actively targeting Linux-based IoT devices, posing a significant security risk. This Go-based malware is designed to steal SSH credentials through brute-force attacks, allowing it to spread malicious payloads and illicitly mine cryptocurrency. Unlike other botnets that perform broad internet scans, PumaBot employs a more targeted approach by retrieving lists of IP addresses from its command-and-control (C2) server, enabling it to focus its attacks on specific devices. This approach, coupled with its ability to impersonate legitimate system files, makes PumaBot a stealthy and dangerous threat to embedded Linux systems.
The attack begins with PumaBot attempting to brute-force SSH credentials on targeted devices, aiming to gain unauthorized access. Once inside, it establishes persistence using systemd service files, ensuring it survives reboots and remains active on the compromised device. To further mask its activities, PumaBot disguises itself as a legitimate Redis system file, attempting to blend in with normal system processes. After successfully gaining access to an infected system, it collects and exfiltrates basic system information to the C2 server, where it can receive commands to carry out its malicious objectives.
The primary goal of PumaBot appears to be cryptocurrency mining, as evidenced by the presence of "xmrig" and "networkxm" commands within its code. These commands suggest that compromised devices are being leveraged to generate illicit cryptocurrency gains for the botnet operators. Security experts also observed that the botnet performs checks to avoid honeypots and, curiously, looks for the string "Pumatronix," a surveillance and traffic camera manufacturer, hinting at a targeted or exclusionary approach. The discovery highlights the ongoing need for robust security measures for IoT devices, as they continue to be attractive targets for botnet recruitment and malicious activities.
Recommended read:
References :
- ciso2ciso.com: New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto – Source:thehackernews.com
- Anonymous ???????? :af:: New PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and mine crypto.
- securityaffairs.com: New PumaBot targets Linux IoT surveillance devices
- The Hacker News: New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto
- BleepingComputer: A newly discovered Go-based Linux botnet malware named PumaBot is brute-forcing SSH credentials on embedded IoT devices to deploy malicious payloads.
- gbhackers.com: New PumaBot Hijacks IoT Devices via SSH Brute-Force for Persistent Access
- www.csoonline.com: Novel PumaBot slips into IoT surveillance with stealthy SSH break-ins
- www.sentinelone.com: PumaBot hits IoT via SSH brute-force attacks, and DragonForce expands RMM exploits via an affiliate model.
- securityonline.info: PumaBot: New Stealthy Linux Botnet Evades Detection, Targets IoT Devices
- securityonline.info: PumaBot: New Stealthy Linux Botnet Evades Detection, Targets IoT Devices
@www.bleepingcomputer.com
//
The US government has indicted Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow, as the leader of the Qakbot botnet malware conspiracy. Gallyamov, also known as "Cortes" and other aliases, is accused of leading a group of cybercriminals responsible for developing and deploying the Qakbot malware since 2008. This indictment is part of an ongoing multinational effort involving the United States, France, Germany, the Netherlands, Denmark, the United Kingdom, and Canada to combat cybercrime. The Justice Department has also filed a civil forfeiture complaint against Gallyamov, seeking to seize over $24 million in cryptocurrency allegedly obtained through his criminal activities.
According to court documents, Gallyamov used the Qakbot malware to infect over 700,000 computers globally, establishing a vast network or "botnet" of compromised machines. Starting in 2019, this botnet was leveraged to facilitate ransomware attacks against innocent victims worldwide, causing significant financial losses. The FBI and its international partners crippled Gallyamov's bot network in 2023, but he allegedly continued to deploy alternative methods to make his malware available to criminal cyber gangs. The Qakbot malware, also known as Qbot and Pinkslipbot, evolved over time from a banking trojan into a tool used for malware dropping and keystroke logging.
Officials emphasize the commitment to holding cybercriminals accountable and disrupting their activities. "Today’s announcement of the Justice Department’s latest actions to counter the Qakbot malware scheme sends a clear message to the cybercrime community,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. U.S. Attorney Bill Essayli for the Central District of California added, "The criminal charges and forfeiture case announced today are part of an ongoing effort with our domestic and international law enforcement partners to identify, disrupt, and hold accountable cybercriminals." The case demonstrates the FBI’s commitment to relentlessly pursuing individuals who target Americans and demand ransom, even when they reside overseas.
Recommended read:
References :
- bsky.app: Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme
- DataBreaches.Net: Russian national and leader of Qakbot malware conspiracy indicted in long-running global ransomware scheme
- www.bleepingcomputer.com: The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks.
- The DefendOps Diaries: The Indictment of Rustam Rafailevich Gallyamov: A Turning Point in Cybercrime Battle
- thecyberexpress.com: The U.S. Justice Department has unsealed an indictment against Rustam Rafailevich Gallyamov, a Russian national accused of running a cybercrime group responsible for one of the most notorious malware threats in recent years:.
- BleepingComputer: US indicts leader of Qakbot botnet linked to ransomware attacks
- The Register - Security: Feds finger Russian 'behind Qakbot malware' that hit 700K computers Agents thought they shut this all down in 2023, but the duck quacked again Uncle Sam on Thursday unsealed criminal charges and a civil forfeiture case against a Russian national accused of leading the cybercrime ring behind Qakbot, the notorious malware that infected hundreds of thousands of computers worldwide and helped fuel ransomware attacks costing victims tens of millions of dollars.
- Tech Monitor: The U.S. Justice Department has indicted Rustam Rafailevich Gallyamov, the alleged leader of the Qakbot botnet malware operation.
- www.justice.gov: Justice Department Announces Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme
- Security Affairs: Leader of Qakbot cybercrime network indicted in U.S. crackdown
- BleepingComputer: The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks.
- securityaffairs.com: Leader of Qakbot cybercrime network indicted in U.S. crackdown
- Daily CyberSecurity: Europol and Eurojust have dismantled the digital backbone of several major malware strains used in ransomware operations.
- www.helpnetsecurity.com: DanaBot botnet disrupted, QakBot leader indicted
- ComputerWeekly.com: US makes fresh indictments over DanaBot, Qakbot malwares
Ashish Khaitan@The Cyber Express
//
The FBI has issued a warning regarding the increasing exploitation of end-of-life (EoL) routers by cybercriminals. These outdated devices, which no longer receive security updates from manufacturers, are being targeted with malware, most notably variants of TheMoon, to establish proxy networks. This allows malicious actors to mask their online activities and conduct illicit operations with anonymity. The FBI emphasizes that routers from 2010 or earlier are particularly vulnerable due to the absence of recent software updates, making them susceptible to known exploits.
The compromised routers are then incorporated into botnets and used as proxies, sold on networks like 5Socks and Anyproxy. This enables cybercriminals to route malicious traffic through these unsuspecting devices, obscuring their real IP addresses and making it difficult to trace their criminal activities. TheMoon malware exploits open ports on vulnerable routers, bypassing the need for passwords, and then connects to a command-and-control (C2) server for instructions. This process allows the malware to spread rapidly, infecting more routers and expanding the proxy network.
To mitigate this growing threat, the FBI advises users to replace EoL routers with actively supported models and apply all available firmware and security updates. Disabling remote administration and using strong, unique passwords are also crucial steps in securing network devices. Additionally, regularly rebooting routers can help flush out temporary malware behavior. The FBI's warning underscores the importance of maintaining up-to-date security measures on network hardware to prevent exploitation by cybercriminals seeking to anonymize their activities.
Recommended read:
References :
- Daily CyberSecurity: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
- The DefendOps Diaries: Exploitation of End-of-Life Routers: A Growing Cybersecurity Threat
- BleepingComputer: FBI: End-of-life routers hacked for cybercrime proxy networks
- Davey Winder: FBI Warns Of Router Attacks — Is Yours On The List Of 13?
- www.scworld.com: Attacks surge against antiquated routers, FBI warns
- bsky.app: The FBI IC3 has published a new PSA warning companies and home consumers that threat actors are exploiting old and outdated end-of-life routers to create massive botnets and that they should probably buy a new device
- BleepingComputer: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
- cyberinsider.com: FBI Warns Hackers Are Exploiting EoL Routers in Stealthy Malware Attacks
- www.bleepingcomputer.com: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
- bsky.app: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxiesÂ
sold on the 5Socks and Anyproxy networks.
- thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware. The warning also stresses the dramatic uptick in cyberattacks targeting aging internet routers, especially those deemed “End of Life†(EOL).
- thecyberexpress.com: TheMoon Malware Targets Aging Routers, FBI Issues Alert
- The Hacker News: BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation
- securityonline.info: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
- securityaffairs.com: The FBI warns that attackers are using end-of-life routers to deploy malware and turn them into proxies sold on 5Socks and Anyproxy networks.
- www.techradar.com: FBI warns outdated routers are being hacked
- thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware.
- BleepingComputer: Police dismantles botnet selling hacked routers as residential proxies
- thecyberexpress.com: Law Enforcement Takes Down Botnet Made Up of Thousands of End-Of-Life Routers
- techcrunch.com: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
- infosec.exchange: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
- techcrunch.com: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
- www.justice.gov: A joint U.S.-Dutch law enforcement operation has taken down a botnet-for-hire that was comprised of thousands of end-of-life routers. The U.S. Department of Justice (DOJ) announced the unsealing of an indictment charging four foreign nationals with conspiracy and other alleged computer crimes for operating the botnets.
- www.csoonline.com: The FBI is warning that cybercriminals are exploiting that are no longer being patched by manufacturers. Specifically, the “5Socks†and “Anyproxy†criminal networks are using publicly available exploits and injecting persistent malware to gain entry to obsolete routers from Linksys, and Cradlepoint.
- The Register - Security: The FBI also issued a list of end-of-life routers you need to replace Earlier this week, the FBI urged folks to bin aging routers vulnerable to hijacking, citing ongoing attacks linked to TheMoon malware. In a related move, the US Department of Justice unsealed indictments against four foreign nationals accused of running a long-running proxy-for-hire network that exploited outdated routers to funnel criminal traffic.…
- iHLS: FBI Warns: Old Routers Exploited in Cybercrime Proxy Networks
- Peter Murray: FBI and Dutch police seize and shut down botnet of hacked routers
- The DefendOps Diaries: Explore the dismantling of the Anyproxy botnet and the global efforts to secure digital infrastructure against cybercrime.
- securityaffairs.com: Operation Moonlander dismantled the botnet behind Anyproxy and 5socks cybercriminals services
- Anonymous ???????? :af:: BREAKING: $46M cybercrime empire busted. FBI & Dutch forces take down a botnet run on hacked home routers—active since 2004.
- www.itpro.com: FBI takes down botnet exploiting aging routers
- Threats | CyberScoop: US seizes Anyproxy, 5socks botnets and indicts alleged administrators
|
|
FlagThis - #botnet