FortiGuard Labs exposes a high-severity phishing campaign impersonating the National Police of Ukraine to deliver Amatera Stealer (data theft) and PureMiner (cryptojacking) to Windows PCs.

Hackers are distributing malicious emails that imitate official notices from the National Police of Ukraine. This phishing campaign, identified by FortiGuard Labs, targets any organisation running **Microsoft Windows** to compromise their systems with at least two new malware strains, including Amatera Stealer and PureMiner.

The attacks start with an email that includes a malicious Scalable Vector Graphics (**SVG**) file. For your information, an SVG is a simple image format, but attackers exploit its text-based code to embed harmful content.

The messages pressure the recipient using formal, legal language, falsely claiming an appeal is under review and warning that ignoring the notice could lead to “further legal action.”

Phishing email (source: FortiGuard)

****How the Infection Spreads****

When a victim opens the SVG attachment, the file tricks them by displaying a fake screen that says, “Please wait, your document is loading…” It then immediately forces the computer to download one of several password-protected ZIP archives, including ergosystem.zip or smtpB.zip, with the password displayed to make the process seem trustworthy.

Inside the archive is a Compiled HTML Help (CHM) file, which acts as the main trigger, launching a malicious script called the CountLoader. This loader, which _Hackread.com_ previously **reported** on, is a known entry point designed to deliver multiple harmful programs.

Here, its job is to connect with a remote server, steal some basic system details, and then deliver the final malware. Researchers refer to this as a “**fileless**” threat because the payload is loaded directly into the computer’s memory, making it hard to detect.

****Double Threat of Data Theft and Hijacking****

According to FortiGuard Labs’ **blog post**, CountLoader delivers two dangerous payloads: Amatera Stealer and PureMiner. Researchers explained in a report shared exclusively with Hackread.com that the PureMiner cryptominer is delivered using DLL sideloading from ergosystem.zip, while the Amatera Stealer is deployed via a malicious **Python** script found in smtpB.zip.

Attack Chain (Source: FortiGuard)

Amatera Stealer is an information-gathering tool that first gathers basic system information (like computer name, OS details, and username) and current clipboard contents. It then aggressively targets saved information, including credentials and files, from Firefox and Chrome browsers, chat apps like Telegram and Discord, and programs like Steam, FileZilla, and AnyDesk. It also targets files from major desktop crypto wallets, including BitcoinCore, Exodus, Atomic, and Electrum, and can search up to five folders deep for these files.

On the other hand, PureMiner is a **cryptominer** that collects detailed hardware information, like video card specifications. Once installed, PureMiner allows the criminals to secretly use the victim’s own computer power (both the CPU and GPU) for their financial benefit, a process called cryptocurrency mining.

The overall impact of this attack is rated as High severity as it allows remote control, data theft, and resource hijacking. Given this threat, users are urged to maintain strong security awareness. Avoid opening unexpected attachments, and always verify urgent, unsolicited requests through a separate trusted channel before clicking links.

Fake Ukraine Police Notices Spread New Amatera Stealer and PureMiner

California-based Archer Health exposed 23GB of patient records, including SSNs, IDs, and medical files, after an unprotected database was found online.

A large cache of medical and personal information belonging to patients of Archer Health Inc. was left publicly accessible after a database was found online without encryption or password protection. Archer Health Inc., also known as Archer Home Health, is a California-based provider of in-home healthcare and palliative care services.

The exposure, first identified by cybersecurity researcher Jeremiah Fowler and reported to Website Planet, included highly sensitive files that could have put thousands of individuals at risk.

The database held more than 145,000 files, sized up to 23 gigabytes. Among the documents were patient assessments, home health certifications, care plans, discharge forms, and internal communications.

Many of these contained personal details such as names, Social Security numbers (SSN), addresses, phone numbers, patient ID numbers, and medical information. Some folders were even labelled with patient names, while others contained categories like “faxed orders” or “referrals,” further confirming the sensitive nature of the data.

The files also included screenshots of healthcare management software dashboards, showing scheduling details, provider information, and patient records. Such exposures can carry significant risks, including identity theft, fraud, and violations of medical privacy regulations like HIPAA.

One of the screenshots showing the type of data involved in the leak (Credit: Jeremiah Fowler via Website Planet)

Fowler reported the exposure directly to the company, and access to the database was restricted within hours. Archer Health acknowledged the notification, stating that it takes patient privacy seriously and that its team is investigating the issue.

It remains unclear how long the database was exposed or whether any unauthorised parties accessed the records before it was secured. However, incidents like this show the constant risks when healthcare data is stored without proper security authentication.

****Possible Legal Consequences****

While Archer Health acted quickly once informed, patients whose records were included in the exposure may face long-term consequences if their identifiers or medical histories were accessed by malicious threat actors or copied during the time the database was online.

Additionally, when a healthcare provider or related service fails to protect sensitive data, it may face serious legal exposure. In a related example, a misconfigured Amazon Web Services (AWS) bucket belonging to Florida-based **IMDataCenter was publicly exposed**, letting a hacker known as “ThinkingOne” download tens of gigabytes of records, including names, emails, addresses and even Social Security numbers.

In response, IMDataCenter is now the target of a lawsuit over the data leak. If Archer Health faces similar scrutiny, it could confront claims under privacy and data protection laws, especially laws governing health and personal information.

Archer Health Data Leak Exposes 23GB of Medical Records

Austin / TX, United States, 25th September 2025, CyberNewsWire

**Austin / TX, United States, September 25th, 2025, CyberNewsWire**

Living Security, a global leader in Human Risk Management (HRM), today announced the full speaker lineup for the Human Risk Management Conference (HRMCon 2025), taking place October 20, 2025, at Austin’s Q2 Stadium and virtually worldwide.

The announcement follows findings from the newly published **2025 State of Human Cyber Risk Report**, produced by the **Cyentia Institute in collaboration with Living Security**, which reveals that on average, organizations detect only **19% of all human risk activity**. That means the majority of risky behaviors — from credential misuse to insider threats — go unseen, leaving enterprises exposed to risks that technology or traditional awareness programs alone can’t solve.

HRMCon is a one-day event focused on the people side of cybersecurity, offered this year both in-person in Austin and virtually worldwide. The program is designed for CISOs, security leaders, risk managers, and HR professionals who are responsible for building security culture and reducing human-driven risk. Sessions will explore how to extend risk ownership beyond traditional awareness programs and the security operations center, empowering managers and employees across the business to take accountability. Attendees will gain practical strategies they can apply immediately from executives, global analysts, and peers. Participants with confirmed attendance may also request a completion certificate for Continuing Professional Education (CPE) credits for the full conference.

> “Most organizations remain blind to the majority of human-driven risk, leaving gaps that technology or traditional awareness programs alone can’t solve,” said Ashley Rose, CEO and Co-Founder of Living Security. “Closing that visibility gap requires new strategies, proven frameworks, and collaboration across functions — which is exactly what HRMCon is designed to deliver. No matter where you are in your HRM journey, you’ll walk away with practical playbooks, proven strategies, and inspiring stories you can apply immediately. This isn’t just another security event—it’s a launchpad for making human risk a managed business function, all without pulling you away from your day-to-day responsibilities.”

HRMCon 2025 will feature enterprise CISOs, Fortune 500 veterans, and leading analysts sharing research-backed strategies and real-world lessons on operationalizing human risk management.

**Speaker Highlights**

**Opening Keynote – Brett Wahlin, CISO, Aurora –** From Counterintelligence to Cybersecurity: Rethinking the Human Factor Across Industries.

Risk frameworks have shaped enterprise security for decades but often overlook the human element. Drawing on his path from counterintelligence to the CISO seat, Brett Wahlin will show where traditional frameworks succeed, where they fall short, and how Human Risk Management can integrate people into the same disciplined approach that governs technology.

**Tim Taylor, VP of Security Education and Awareness, Mastercard –** Creating Human Risk Visibility: Where to Start and How to Scale.

Tim offers a step-by-step play for creating measurable human risk visibility in 90 days. Attendees will learn how to define goals, connect data sources, and build momentum toward sustainable risk reduction.

**Ashley Atiles, Director of Identity Risk, & Alfonso Mancuso, Director of Information Security, Labcorp –** The Access Equation: Identity Meets Human Risk.

Ashley and Alfonso will explore how identity and behavior intersect as the earliest line of defense. Attendees will learn how integrating IAM signals with human risk data creates a powerful new lever for stopping threats before they escalate.

**Kelly Harward, VP of Product & Mike Siegel, President, Living Security –** Operationalizing HRM: From Frameworks and Playbooks to Goals for Adaptive Defense.

Living Security leaders show how to translate frameworks into measurable outcomes. Attendees will see real-world playbooks and a preview of the new Goals feature, which ties behavior change directly to risk reduction.

**Jinan Budge, VP & Principal Analyst, Forrester –** The Future of Human Risk Management: Market Landscape and the Role of Agentic AI.

A market-level view of how Human Risk Management is evolving from compliance to strategy. Attendees will learn about the current state of the market, where it’s headed, and how autonomous AI agents are set to reshape HRM strategies in the years ahead.

**Closing Keynote – Larry Whiteside Jr., CISO Advisor & Co-Founder, Confide –** Evolving the Role of the CISO: From Defense to Business Enabler.

A concise look at how the CISO role is shifting from technical defense to strategic business leadership. Attendees will hear how Human Risk Management can help CISOs align security with culture, accountability, and measurable business outcomes.

**HRMCon 2025 Features**

*   **Grounded in Research:** Learning real-world strategies to close the 19% human risk visibility gap.
*   **Professional Development:** Earning verifiable CPE credits with a completion certificate (confirmed attendance and upon request).
*   **Free and Flexible:** Registering at no cost and choose to attending live in Austin or virtually from anywhere.
*   **Expert-Led:** Hearing from leading CISOs, analysts, and security practitioners shaping the HRM market.
*   **Peer Insights:** Seeing how organizations are operationalizing HRM through case studies and playbooks.
*   **Immediate Takeaways:** Leaving with frameworks, tools, and strategies you can implement right away.

HRMCon 2025, hosted by Living Security, comes at a pivotal time for organizations looking to transform security culture, reduce human-driven risk, and lead in an AI-enabled world.

**Users can register today at www.livingsecurity.com/hrmcon-2025**

**About Living Security**

Living Security is the global leader in Human Risk Management (HRM), providing a risk-informed approach that meets organizations where they are—whether that’s starting with AI-based phishing simulations, intelligent behavior-based training, or implementing a full HRM strategy that correlates behavior, identity, and threat data streams.

Living Security’s Unify platform delivers 3X more visibility into human risk than traditional, compliance-based training platforms by eliminating siloed data and integrating across the security ecosystem. The platform pinpoints the 8–12% of users who pose the greatest risk and automates targeted interventions in real time—reducing exposure to human risk by over 90%. Powered by AI, human analysis, and industry-wide threat telemetry, Unify transforms fragmented signals into intelligent, adaptive defense.

Named a Global Leader in Human Risk Management by Forrester and trusted by enterprises like Unilever, Mastercard, Merck, and Abbott Labs, Living Security helps security teams move from awareness to action—driving measurable behavior change and proving impact at every stage of the journey.

**Contact**

**Living Security Media**  
**\[email protected\]**

Living Security Unveils HRMCon 2025 Speakers as Report Finds Firms Detect Just 19% of Human Risk

New Lone None Stealer uses Telegram C2 and DLL side-loading to grab passwords, credit cards, and crypto. Find out how to spot this highly evasive phishing scam.

A Vietnamese hacking group known as Lone None is running an online scam campaign that has been active since at least November 2024. The campaign focuses on stealing personal and financial information, especially cryptocurrency.

Cybersecurity research firm Cofense Intelligence has been tracking this threat actor’s movements and shared their analysis with Hackread.com.

****The Face Copyright Notice****

The attacks begin with a fake email of an official legal notice from different law firms across the world, telling the recipient to take down copyrighted content from their website or social media, sometimes even naming the recipient’s real Facebook account.

Fake Take Down notice (Image credit: Cofense Intelligence)

These messages are sent in around ten different languages, including English, French, German, and Chinese, suggesting the criminals’ aim to expand their reach. The emails contain a link that, when clicked, leads to a downloaded archive (like a ZIP file). This archive contains the malware, which is cleverly disguised as evidence documents such as PDFs or PNGs.

To execute the malware, the attackers use DLL side-loading, which allows them to abuse a legitimate, signed program (like a trusted Microsoft Word or PDF reader executable) to secretly run their malicious code and bypass standard security checks.

Attack Flow (Image credit: Cofense Intelligence)

****Malware Deployment****

The campaign delivers two types of information stealers: Pure Logs Stealer and the newer Lone None Stealer (aka PXA Stealer).  Pure Logs steals a wide range of sensitive data, including passwords, credit card numbers, session cookies, and local crypto wallet files saved in a victim’s browsers and computers.

The Lone None Stealer, however, focuses on stealing cryptocurrency. It monitors the victim’s clipboard (the place where copied text is temporarily stored) and, if a crypto-wallet address is copied, the malware quietly replaces it with the criminal’s address. This means if a victim tries to send money by copying and pasting a wallet address, the funds go straight to the hacker instead.

In its blog post, Cofense Intelligence noted that Lone None Stealer has been found in nearly a third (29%) of all recent reports involving the older Pure Logs Stealer since June 2025, indicating its growing use.

****Evasive C2****

This scam involves a unique staging technique where the actor hides the address for the next step of the attack within a Telegram bot profile page. Moreover, Lone None Stealer uses the Telegram network as its primary Command and Control (C2) channel, rapidly sending back all the collected data to the hackers.

Since this scam plays directly on the fear of an urgent legal dispute, it is important to recognise the signs of a fake email. Never click links or download files from unexpected sources, as this simple precaution remains the best security against such scams.

Vietnamese Hackers Use Fake Copyright Notices to Spread Lone None Stealer

Cybersecurity firm Noma Security reveals ForcedLeak, a critical flaw in Salesforce Agentforce that allowed data theft. Learn what companies need to do now to secure AI agents.

A vulnerability dubbed ForcedLeak was recently discovered in Salesforce Agentforce, an AI-driven system designed to handle complex business tasks within CRM environments. Noma Security identified the critical flaw, which was initially rated CVSS 9.1 and later updated to 9.4, allowing remote attackers to steal private CRM data. The firm shared its research with Hackread.com.

****How the Attack Worked****

The problem lies in the autonomous way AI agents work. Unlike simple chatbots that are “prompt-response” systems, these agents can “reason, plan, and execute complex business tasks,” making them a considerably bigger target. The core issue here was an indirect prompt injection attack, which happens when a bad instruction is secretly placed inside data that the AI system later processes.

In the case of Agentforce, attackers used the commonly enabled Web-to-Lead feature, which lets website visitors submit information that goes straight into the CRM. By putting malicious code into a large input field, like the Description box, the attacker set a trap. When an employee later asked the AI agent a normal question about that lead data, the agent would mistakenly treat the hidden instruction as part of its job.

According to Noma Security’s blog post, its researchers found that the AI could not tell the difference “between legitimate data loaded into its context versus malicious instructions.” To prove the risk, they ran a Proof of Concept (PoC), using malicious code to force the AI to grab sensitive CRM data like email addresses. The code tricked the AI into stuffing the data inside the web address for an image. When the system viewed that image, the private data was transmitted to the researchers’ server, confirming the successful theft.

****Stolen Data and Immediate Fixes****

The data at risk included sensitive information like customer contact details, sales pipeline data revealing business strategy, internal communications, and historical records. The vulnerability impacted any organisation using Salesforce Agentforce with the Web-to-Lead feature enabled, especially those in sales and marketing.

The attack also involved exploiting an outdated part of the system’s security rules (Content Security Policy, or CSP). Researchers discovered that a domain (my-salesforce-cms.com) that was still considered ‘trusted’ had actually expired and was available to purchase for just $5. An attacker could use this expired, but trusted, domain to secretly send stolen data out of the system.

After being informed about the issue on July 28th, 2025, Salesforce quickly investigated. By September 8th, 2025, the company had implemented fixes, including enforcing “Trusted URLs” for Agentforce and its Einstein AI, to stop data from being sent to untrusted web addresses, and re-securing the expired domain.

The firm advised users to immediately “enforce Trusted URLs for Agentforce and Einstein AI” and audit all existing lead data for unusual submissions. The vulnerability was made public on September 25th, 2025.

In a statement to Hackread.com, a Salesforce spokesperson said that the company is aware of the vulnerability reported by Noma and has released patches to stop Agentforce agents from sending output to untrusted URLs.

> _“Salesforce is aware of the vulnerability reported by Noma and has released patches that prevent output in Agentforce agents from being sent to untrusted URLs. The security landscape for prompt injection remains a complex and evolving area, and we continue to invest in strong security controls and work closely with the research community to help protect our customers as these types of issues surface.”_
> 
> Salesforce Spokesperson

****Why It’s Important****

The ForcedLeak flaw is particularly important to discuss in light of the massive Salesforce-linked data breaches that have surfaced this year. Salesforce sits at the heart of business operations for thousands of organisations, holding sensitive customer records, financial details, and sales strategies.

A vulnerability in its AI-powered Agentforce system means attackers could exploit a trusted platform not just to steal isolated records, but to automate large-scale data extraction through everyday business processes.

With CRM data often being the crown jewels for enterprises, combining AI vulnerabilities with already high-value Salesforce environments greatly increases the risk, making it critical for organisations to reassess their exposure and security controls.

****Expert View****

“It’s advisable to secure the systems around the AI agents in use, which include APIs, forms, and middleware, so that prompt injection is harder to exploit and less harmful if it succeeds,” said Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck.

She stressed that true prevention is around maintaining configuration and establishing guardrails around the agent design, software supply chain, web application, and API testing.

ForcedLeak Flaw in Salesforce Agentforce AI Agent Exposed CRM Data

Urgent warning for Fortra GoAnywhere MFT users. A CVSS 10.0 deserialization vulnerability (CVE-2025-10035) in the License Servlet allows command injection. Patch to v7.8.4 immediately to prevent system takeover.

Thousands of companies using Fortra’s GoAnywhere Managed File Transfer (MFT) solution are facing an immediate threat of full system takeover. The issue, officially labelled CVE-2025-10035 and published on September 18, 2025, carries the maximum risk score of 10.0, meaning criminals could gain complete control of systems designed to handle sensitive organisational data.

****What’s the Risk?****

This critical problem is rooted in Fortra’s GoAnywhere MFT’s License Servlet, a component that deals with license checks. It is essentially a deserialization vulnerability. To put it simply, MFT solutions are used by businesses to safely and reliably move large amounts of electronic data (like customer records/financial information) between systems. The software converts complex data into a simple format for transfer (serialisation) and then converts it back (deserialization).

The flaw allows a malicious person to trick the software during the reversal (deserialization) process by using a “validly forged license response signature” to load a harmful object, Fortra’s advisory explains. This can lead to command injection, letting an attacker run their own code on the system.

For your information, GoAnywhere MFT is a high-security solution that automates and protects data exchange for enterprises, including Fortune 500 deployments. So, this flaw may let an attacker seize the entire file transfer infrastructure, risking highly sensitive corporate and government data.

According to long technical analysis from watchTowr Labs, shared with Hackread.com, highlighted the gravity of the situation, noting that there are “over 20,000 instances exposed to the Internet. A playground APT groups dream about.”

Source: watchTowr Labs

Their analysis points to a significant mystery: despite the perfect CVSS 10.0 score, exploiting the bug appears difficult on paper due to a required signature verification check. Yet, the high score, combined with the vendor deleting and updating advisories, suggests the threat is very real as “no vendor assigns a CVSS 10 to a purely theoretical bug.”

This isn’t the first time we’ve seen this; back in 2023, a similar pre-authentication command injection flaw (CVE-2023-0669) in the same product was widely exploited by the cl0p ransomware gang.

****Immediate Action Needed to Protect Data****

The good news is that Fortra has released updates in version 7.8.4 and Sustain Release 7.6.3 to fix the flaw. Organisations are strongly urged to upgrade to one of these patched versions right away.

It is worth noting that this attack relies on the system being directly connected to the public internet, a situation common for these kinds of software. Therefore, as an additional safeguard, administrators should immediately ensure the GoAnywhere Admin Console is not open to the public. Limiting access by placing the service behind a firewall or a VPN is a vital first step, along with monitoring system logs for any unusual activity.

Ryan Dewhurst, a threat intelligence expert at watchTowr, considers this extremely serious, saying, “This issue is almost certain to be weaponised for in-the-wild exploitation soon.”

“The newly disclosed vulnerability in Fortra’s GoAnywhere MFT solution impacts the same license code path in the Admin Console as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit,_“_ he emphasised.

“With thousands of GoAnywhere MFT instances exposed to the Internet, this issue is almost certain to be weaponised for in-the-wild exploitation soon,_“_ Ryan warned.

“While Fortra notes exploitation requires external exposure, these systems are generally Internet-facing by design, so organisations should assume they are vulnerable. Organisations should apply the official patches immediately and take steps to restrict external access to the Admin Console,” Dewhurst noted in his comments shared with Hackread.com.

Critical CVSS 10 Flaw in GoAnywhere File Transfer Threatens 20,000 Systems

China-backed UNC5221 targets US legal and tech firms by deploying BRICKSTORM malware on neglected VMware and Linux/BSD appliances, Google's Mandiant reports.

A group of hackers with links to China has been caught running a long-term spying operation against US companies. Cybersecurity researchers at Mandiant (part of the Google Threat Intelligence Group) are tracking this threat, named BRICKSTORM, which targets specialised operating systems like Linux and BSD (Berkeley Software Distribution).

Mandiant’s investigation shows the group’s mission to steal valuable intellectual property and sensitive information related to national security and international trade. These hackers have maintained access for a worryingly lengthy time, averaging 393 days, mostly targeting the legal services, technology, SaaS, and Business Process Outsourcers (BPOs) sectors since at least March 2025.

Industries targeted by BRICKSTORM (Image credit: Mandiant)

****BRICKSTORM Malware****

The hackers, tracked by Mandiant as UNC5221, which was also behind the widespread exploitation of the Ivanti VPN zero-day in January 2025, use a new and custom-designed Go-language BRICKSTORM malware. In this case as well, the group exploits zero-day vulnerabilities to infect network appliances and servers with malware.

According to Mandiant’s blog post, this initial access is consistently used to move to high-value systems, particularly VMware vCenter and ESXi hosts. To achieve this, the attackers first deploy BRICKSTORM to a network appliance, steal valid credentials, and then move laterally via SSH to the vCenter server

Researchers further explain that BRICKSTORM features SOCKS proxy functionality, enabling attackers to tunnel traffic and move quietly through the network. Once that is complete, they capture high-privilege user logins while using the organisation’s own network devices to hide their activity.

The malware is under active development, using “advanced obfuscation” (like the tool Garble and a custom internal library) to continuously evade security measures.

****What’s the Big Goal?****

Mandiant believes the hackers are focused on long-term objectives, beginning with the compromise of Software as a Service (SaaS) providers and extending to the networks of their customers.

Additionally, a common objective observed in these attacks is to access the emails of critical personnel, particularly system administrators and developers relevant to the economic and espionage interests of the People’s Republic of China (PRC). To infiltrate any mailbox, threat actors employed Microsoft Entra ID Enterprise Applications with elevated access scopes (like mail.read or full_access_as_app).

Mandiant strongly suggests that companies must work on their cybersecurity. The company has also shared a free scanner script on its GitHub page that organisations can use to check their Linux-based systems for the BRICKSTORM backdoor.

****Expert Takeaway****

Ensar Seker, CISO at SOCRadar, reflected on the seriousness of the campaign. In his exclusive insight shared with Hackread.com, Seker stated that BRICKSTORM is a “wake-up call.” He explained that the attackers’ strategy gives them a “multiplier effect on reach” because by getting into service providers, they gain “pathways into their clients and partners.”

Seker emphasised that this operation is about “building capabilities that can support multiple future attacks” by stealing internal designs and learning how to bypass defences. From a defence standpoint, he advises companies to “assume that any vendor they trust may be compromised, not eventually, but right now,” requiring them to adopt stricter security measures and “zero-trust architectures” around vendor connections.

“In a nutshell, Brickstorm is a wake-up call: adversaries are no longer treating high-value firms as endpoints to exploit, but as nodes in a broader intelligence and access network. Defending against that requires that we think in ecosystems and assume compromise, not just for ourselves, but for every connected party,” Seker advised.

China-Linked Hackers Hit US Tech Firms with BRICKSTORM Malware

Luxembourg, Luxembourg, 25th September 2025, CyberNewsWire

**Luxembourg, Luxembourg, September 25th, 2025, CyberNewsWire**

Gcore, the global edge AI, cloud, network, and security solutions provider, today announced the findings of its Q1-Q2 2025 Radar report into DDoS attack trends. DDoS attacks have reached unprecedented scale and disruption in 2025, and businesses need to act fast to protect themselves from this evolving threat. The report reveals a significant escalation in the total number of DDoS attacks and their magnitude, measured in terabits per second (Tbps).

It also highlights a clear shift: attackers are growing more strategic, blending brute-force volume with precise application-layer manipulation.

**Key Insights From Q1-Q2 2025**

·      Attack volumes increased by 41% compared to Q1-Q2 2024, evidencing dangerous long term growth trends predicted in prior Radar reports.

·      The largest attack peaked at 2.2 Tbps in Q1-Q2, surpassing the 2 Tbps peak recorded in late 2024.

·      DDoS attacks are becoming longer in duration but more harmful.

·      Attackers are shifting focus to financial services and tech, with tech overtaking gaming as the most targeted sector.

·      DDoS attacks at the application layer have increased by 10% from Q3-Q4 2024 to Q1-Q2 2025.

·      The total number of DDoS attacks climbed from 969,000 in H2 2024 to 1.17 million in H1 2025.

> Andrey Slastenov, Head of Security at Gcore, commented: “The latest Gcore Radar should be a wake-up call to businesses across all industries. Not only are the number and intensity of attacks increasing, but attackers are expanding the scope of their attacks to reach an increasingly wide range of sectors. Businesses must invest in robust DDoS detection, mitigation, and protection to prevent the financial and reputational impact of an attack.’’

**Recent Data Shows Shift Toward Longer Sustained Assaults**

Attacks shorter than 10 minutes have decreased by about 33%, while those lasting between 10 and 30 minutes have nearly quadrupled. While previous reports highlighted the dominance of very short, intense DDoS attacks, this change indicates that attackers are adapting to the improved automatic detection and mitigation systems employed by companies to handle brief attacks. By extending attack durations, threat actors can circumvent these temporary defense thresholds, cause more extensive damage, and test infrastructure resilience over time.

Multi-vector attacks have also increasingly become a preferred tactic of attackers. By masking malicious activity within seemingly legitimate traffic, attackers complicate detection and extend their window to cause damage. This shift toward more sophisticated attacks underscores the need for an equally layered defense approach that anticipates attacker strategies and protects critical digital assets holistically.

**Data Indicates Rise in Attacks on Vulnerable Sectors**

Gaming is no longer the dominant target it once was. Its share of total DDoS attacks has dropped significantly (30% in the last year). This notable decline suggests attackers are shifting focus to other sectors such as tech (attacks increased by 15%) and financial services (attacks increased by 15%). These sectors are favored targets because they may be less protected against threat actors and have higher disruption potential.

**The Domino Effect of Cyberattacks**

Hosting providers, in particular, have become prime targets due to their role supporting SaaS, e-commerce, gaming, and financial clients. An attack on one hosting provider can have dangerous ripple effects: massive service outages and reputation damage to dozens of dependent companies.

**Geographical Distribution of DDoS Attacks**

With a presence that spans six continents, Gcore can accurately track the geographical sources of DDoS attacks. Gcore derives these insights from the attackers’ IP addresses and the geographic locations of the data centers where malicious traffic is targeted.

Although the **United States** and the **Netherlands** remain top sources for attacks (as found in previous Radar reports), Hong Kong is a new source of threats. **Hong Kong** now accounts for 17% of all network-layer and 10% of application-layer attacks. These findings indicate that attackers are expanding into emerging areas, highlighting the need for proactive and adaptive defenses across diverse regions.

**Emerging Origins of Attacks**

The rapid increase in application layer attacks (28% to 38% from Q3-Q4 2024 to Q1-Q2 2025) also reveals an overall trend toward multi-layered attacks targeting web application and API vulnerabilities, which particularly impact sectors with a high degree of customer interaction (ranging from e-commerce and online banking to logistics and public services).

To access the full report, please visit: https://gcore.com/resources/gcore-radar-attack-trends-q1-q2-2025

**About Gcore**

Gcore is a global edge AI, cloud, network, and security solutions provider. Headquartered in Luxembourg, with a team of 600 operating from ten offices worldwide, Gcore provides solutions to global leaders in numerous industries. Gcore manages its global IT infrastructure across six continents, with one of the best network performances in Europe, Africa, and LATAM due to the average response time of 30 ms worldwide. Gcore’s network consists of 210 points of presence worldwide in reliable Tier IV and Tier III data centers, with a total network capacity exceeding 200 Tbps.

Further information is available at gcore.com and updates are also shared on LinkedIn, Twitter, and Facebook.

**Gcore Press Contact**   

\[email protected\] 

**PR Agency Contact**  

\[email protected\]

**Contact**

**Ms.**  
**Kira Kurepina**  
**Gcore**  
**\[email protected\]**

Gcore Radar Report Reveals 41% Surge in DDoS Attack Volumes

The Python Software Foundation (PSF) warns developers of phishing emails leading to a fake PyPI login site designed to steal account credentials.

The Python Software Foundation (PSF) is warning developers about a fresh phishing campaign that targets users of the Python Package Index (PyPI) with convincing but fake emails and a fake login site.

The emails ask recipients to verify their account details for “maintenance and security procedures.” Those who don’t follow the instructions are threatened with account suspensions, and the link they are urged to click leads to a spoofed site hosted at pypi-mirror.org.

Seth Larson, a developer at the PSF, explained that anyone who entered their credentials on the phishing site should change their PyPI password right away and review their account’s Security History for any unusual activity. He also encouraged users to report suspicious emails or phishing attempts directly to [email protected].

The danger behind these attacks is not limited to individual accounts. Once threat actors obtain login details, they can tamper with trusted packages already published to PyPI or push out new ones with malware. This could expose developers and companies that rely on those packages, impacting anyone who relies on those packages

This campaign is not the first of its kind. A similar attempt in July used the domain pypj.org to trick developers into handing over their login details. The latest attack follows the same structure, suggesting that more phishing domains could appear in the future.

PyPI maintainers have already taken action by contacting registrars and content delivery networks to remove malicious domains, submitting them to browser blocklists, and coordinating with other open source platforms to improve response times. They are also exploring ways to strengthen two-factor authentication so that phishing attempts are less effective.

****Advice from an Expert****

Shane Barney, Chief Information Security Officer at Keeper Security, said phishing is not disappearing; it is adapting. Attackers will continue spinning up new domains to trick users, but the real focus for security leaders should be on limiting the damage when someone inevitably clicks.

According to Barney, this starts with stronger authentication methods, such as hardware-based keys like YubiKeys, which resist phishing attempts. Combined with password managers that only auto-fill credentials on verified domains, the two approaches shut down the most common paths attackers rely on.

For enterprises, he added, privileged access management plays a critical role by enforcing least privilege, restricting lateral movement, and monitoring activity. Even if malicious code makes it through, it cannot spread unchecked. “The aim isn’t to eliminate all risk, but to build enough guardrails so one stolen password doesn’t escalate into a full-blown breach,” Barney said.

Nevertheless, do not click on links in emails unless you initiated the action yourself, rely on verified legitimate domains, and consider using hardware keys for phishing-resistant two-factor authentication. Sharing suspicious emails with peers or community channels is also encouraged, since being cautious helps protect not just one developer but the Python community overall.

PSF Warns of Fake PyPI Login Site Stealing User Credentials

Darktrace researchers have uncovered ShadowV2, a new botnet that operates as a DDoS-for-hire service by infecting misconfigured Docker containers on AWS cloud servers.

Cybersecurity researchers at Darktrace have identified a new botnet called ShadowV2 is structured as a DDoS-for-hire service, offering attackers an easy way to launch large-scale attacks on demand.

This means anyone can rent access to its network to launch a distributed denial-of-service (DDoS) attack, making it easier for attackers to generate massive traffic surges similar to those seen in record-breaking incidents across the internet.

ShadowV2 doesn’t go after typical home computers; it infects misconfigured Docker containers on Amazon Web Services (AWS) cloud servers. Docker is a technology that lets developers package and run applications in isolated environments called containers. These containers are a modern way to build and run software, but if they’re not set up correctly, they can be exploited by cybercriminals.

****The Attack****

The attack starts with a Python script hosted on GitHub CodeSpaces, which creates a temporary ‘setup’ container on a victim’s machine. The botnet then installs its core malware, a Go-based Remote Access Trojan (RAT), into this setup. The botnet then uses this container to create a new, infected container.

According to Darktrace, this is a major example of ‘cybercrime-as-a-service’ (CaaS), where illegal activities are now being treated like professional business ventures. The attackers have built a complete platform with a user login screen and a user-friendly control panel. The system is well-designed enough to mirror “legitimate cloud-native applications in both design and usability,” researchers noted in the blog post.

ShadowV2 Login UI (Screenshot via Darktrace)

Additionally, the botnet regularly checks in with a central server using a “RESTful registration and polling mechanism” to get its commands. It uses advanced tactics like a Cloudflare under attack mode (UAM) bypass and “HTTP/2 rapid reset,” which allows it to send massive amounts of traffic at once.

****Fake Law Enforcement Seizure Notice****

Darktrace first spotted the attack on June 24 and found older versions of the malware that had been submitted to a public threat database on June 25 and July 30. The botnet’s main website even displays a fake law enforcement seizure notice as a trick, though the system itself remains fully functional.

Fake seizure notice (Image Source: Darktrace)

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), sees the botnet as evidence of a “maturing criminal market where specialisation beats sprawl.”

He notes that the operators have simplified their business by focusing only on DDoS attacks and selling access, which “reduces operational risk, simplifies tooling, and aligns incentives with paying customers.”

Soroko adds that the use of a professional API and full user interface turns the botnet into a “platform, which shifts detection from host indicators toward control plane behaviours.” He advises defenders to treat this botnet as a “product with a roadmap,” and to watch for upgrades and new tactics.

Source

HackRead