Cybersecurity researchers are calling attention to a new botnet malware called HTTPBot that has been used to primarily single out the gaming industry, as well as technology companies and educational institutions in China.
"Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks," NSFOCUS said in a report published this week. "By

New HTTPBot Botnet Launches 200+ Precision DDoS Attacks on Gaming and Tech Sectors

ClickFunnels is investigating a data breach after hackers leaked detailed business data, including emails, phone numbers, and company…

ClickFunnels is investigating a data breach after hackers leaked detailed business data, including emails, phone numbers, and company profiles.

A hacking group calling itself “Satanic” claims to have breached ClickFunnels, a popular US-based software platform used by marketers and entrepreneurs to build sales funnels. The group is known for using BreachForums to announce its breaches but since the forum is down; it made the announcement via Telegram, claiming that data from the company was stolen on April 29, 2025.

In their post, the hackers alleged that they accessed ClickFunnels through a third party and published details of what they say was taken. According to the message, the breach includes:

*   **Adyen-related data**: 90,000 unique phone numbers and 69,000 unique email addresses.

*   **ClickFunnels data**: Two large data tables, one with 514,000 entries and another with 460,000.

Hackers on Telegram (Image credit Hackread.com))

****Who’s Adyen?****

For your information, Adyen is a global financial technology company based in the Netherlands that provides payment processing services for businesses. Despite the hacker group “Satanic” mentioning “Adyen” in their breach claims, there is no indication that Adyen itself was compromised (_Unless hackers can prove otherwise_).

The group referenced 90,000 unique phone numbers and 69,000 unique email addresses under the “Adyen” label, but this likely refers to data processed via ClickFunnels’ integration with Adyen, not a direct breach of Adyen’s systems.

However, earlier in April 2025, Adyen did suffer a DDoS attack that temporarily disrupted services in parts of Europe, but the company confirmed that no customer data was exposed during that incident. As of now, Adyen has not reported any breach, and the claims made by the hacker group remain unverified.

****ClickFunnels Responds After Being Notified****

Hackread.com contacted ClickFunnels about the claims. The company was unaware of any such breach prior to being informed by Hackread. In response, a ClickFunnels spokesperson said: “We have not observed any suspicious activity or evidence indicating a data breach involving ClickFunnels systems.”

The company requested Hackread.com to share the data to allow for internal review. Hackread complied, and the investigation is now ongoing.

****Data Analysis****

The data linked to the alleged ClickFunnels breach appears to be structured and highly detailed, suggesting it could be legitimate. Each entry includes fields such as company domain, estimated tech spend, sales revenue, employee roles, and multiple contact points, including phone numbers and emails.

The presence of metadata like Tranco and Page Rank scores, social media profiles, and timestamps such as “First Detected” and “Last Indexed” indicates that this is not randomly scraped data, but rather information likely pulled from a marketing analytics or CRM system.

The dataset also reflects business-level profiling typically used for lead generation or sales targeting, not just raw user records. Its level of organization and depth supports the possibility that it came from within a legitimate system tied to ClickFunnels or one of its integrated third-party services. However, only ClickFunnels can definitively confirm its authenticity.

Screenshot from the alleged ClickFunnels leak (redacted for privacy – image via Hackread.com)

****Questions Around Third-Party Risk****

While the hacker group specifically mentioned a breach “from a third-party,” they did not clarify whether this was a vendor, service provider, or integration point. That detail could matter greatly, as breaches through third-party services are often harder to detect and attribute.

At the time of writing, there is no public confirmation of a breach from ClickFunnels or Adyen. The hacker group’s claims remain unverified, though ClickFunnels is now reviewing the shared data.

If validated, this would mark a major breach given the size of the alleged dataset and the nature of the platform’s user base, which includes a large number of small business owners and online marketers.

ClickFunnels, founded in 2014, has grown rapidly without external funding and is used by thousands of companies to manage digital sales operations. The platform handles significant volumes of customer data through its landing pages, payment integrations, and email systems.

Hackread.com will continue to monitor the situation and update its reporting based on the outcome of ClickFunnels’ internal investigation. For now, users of ClickFunnels should remain alert for any unusual account activity and consider reviewing their account settings, especially if they use shared credentials across platforms.

ClickFunnels Investigates Breach After Hackers Leak Business Data

Europol has announced the takedown of distributed denial of service (DDoS)-for-hire services that were used to launch thousands of cyber-attacks across the world.
In connection with the operation, Polish authorities have arrested four individuals and the United States has seized nine domains that are associated with the now-defunct platforms.
"The suspects are believed to be behind six separate

Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks

Polish authorities arrest 4 behind major DDoS-for-hire sites used in global attacks. Europol, US, Germany, and Dutch forces…

Polish authorities arrest 4 behind major DDoS-for-hire sites used in global attacks. Europol, US, Germany, and Dutch forces assist in takedown.

In a coordinated international operation, law enforcement has shut down a major slice of the DDoS-for-hire business. Polish authorities, supported by Europol and agencies in the US, Germany, and the Netherlands, have arrested four individuals accused of running six separate stresser/booter platforms that fueled thousands of cyberattacks between 2022 and 2025.

The arrested suspects are believed to be behind platforms including:

*   Cfxapi
*   Zapcut
*   Jetstress
*   Neostress
*   Cfxsecurity
*   Quickdown

These services offered anyone with a few euros the power to carry out DDoS attacks and knock websites and servers offline with little more than a login and a target IP address. Prices reportedly started as low as €10.

The screenshot shows cfxsecurity’s internal panel (Image credit: Fox\_threatintel  
@banthisguy9349)

According to Europol’s press release, these platforms were used to hit schools, public services, businesses, and online gaming platforms. The attacks flooded systems with overwhelming amounts of fake traffic, leaving legitimate users locked out and services down.

****An Industry of On-Demand Attacks****

Stresser and booter services market themselves as legitimate tools for stress-testing servers. In reality, they’re often used to carry out coordinated denial-of-service attacks. By centralizing and automating the process, these platforms make it easy for nearly anyone to carry out disruptions at scale, with no technical expertise required.

All it takes is entering the target’s IP address, choosing the method of attack, and paying the fee. The backend handles the rest, launching a wave of junk traffic that can knock offline even well-protected systems.

****International Crackdown Gains Momentum****

The operation, part of the ongoing Operation PowerOFF, highlights how global authorities are stepping up pressure on the people running these services. Dutch law enforcement has gone a step further, launching fake booter sites designed to warn users and gather intelligence on would-be attackers.

Data recovered from seized servers in the Netherlands played a key role in helping Polish investigators track and arrest the suspects. Germany contributed to the investigation by identifying one of the administrators, while US agencies seized nine domains linked to similar services during the same week.

This operation not only dismantles part of the infrastructure used to sell and deliver DDoS attacks but also sends a message to both operators and customers. Law enforcement isn’t just tracking the platforms, they’re watching the users too.

Nevertheless, in the end, by taking down these services, authorities are making it harder for casual users to access and weaponize DDoS attacks. At the same time, they’re showing how international cooperation can make a meaningful dent in online criminal activity.

Europol, Poland Bust Major DDoS-for-Hire Operation, Arrest 4

Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks.
The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command

Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet

Cloudflare’s Q1 2025 DDoS Threat Report: DDoS attacks surged 358% YoY to 20.5M. Germany hit hardest; gaming and…

Cloudflare’s Q1 2025 DDoS Threat Report: DDoS attacks surged 358% YoY to 20.5M. Germany hit hardest; gaming and telecom were among the top targets.

The digital world faced an unprecedented onslaught of Distributed Denial of Service (DDoS) attacks in the first quarter of 2025, according to Cloudflare’s latest threat report. The sheer volume of these malicious attempts to disrupt online services reached a staggering 20.5 million, marking an astounding 358% increase compared to the same period last year.

Cloudflare’s report shows a concerning 198% QoQ increase in attack numbers this year with the number of blocked DDoS attacks reaching 96% in the first three months of 2025, compared to the entire year of 2024. These findings corroborate the latest Link11 European Cyber Report, which also found DDoS attacks increasing substantially in 2025.

Source: Cloudflare

Around 6.6 million of these malicious attacks directly targeted Cloudflare’s network infrastructure in an 18-day multi-vector campaign, using techniques like SYN floods, Mirai botnet attacks, and SSDP amplification. This highlights the vulnerability of security service providers themselves to sophisticated attempts to overwhelm their defences, highlighting the need for continuous security measures.

Furthermore, the report highlighted a disturbing trend in the rise of hyper-volumetric DDoS attacks, those exceeding the massive threshold of 1 Terabit per second (Tbps) or 1 Billion packets per second (Bpps). In the first quarter alone, Cloudflare successfully mitigated over 700 of these colossal attacks, averaging about eight such events every single day.

In Q1 2025, Germany became the most attacked country, followed by Turkey and China whereas Hong Kong became the top source of DDoS attacks followed by Indonesia and Argentina.

The gambling and casinos industry claimed the top spot, while Telecommunications, Service Providers, Carriers, Cyber Security, Airlines, Aviation & Aerospace industries were among the most targeted industries in DDoS attacks. Major cloud computing and hosting providers like Hetzner, OVH, and DigitalOcean consistently appeared as significant sources of HTTP DDoS attacks.

Source: Cloudflare

Moreover, Cloudflare observed and blocked “dozens of hyper-volumetric DDoS attacks” in the latter half of April. These included record-breaking events, with one attack peaking at an astonishing 4.8 Bpps, a 52% increase over the previous record. Separately, they defended against a massive 6.5 Tbps flood, matching the highest bandwidth attack ever publicly reported.

Interestingly, most targeted customers didn’t know the attackers’ identities, but those who had some insight cited competitors (39%) as key threats, particularly in the gaming and gambling sectors. Other identified threat actors included state-level actors (17%), disgruntled users or customers (11%), and self-inflicted DDoS attacks (11%).

Network layer attacks were dominated by SYN floods, followed by DNS floods. A significant shift saw Mirai botnet attacks rise to the third most common, pushing UDP floods down. In HTTP attacks, over 60% originated from known botnets, highlighting their continued effectiveness.

The report also identified major emerging threats with substantial quarter-over-quarter growth: CLDAP reflection/amplification surged by 3,488%, and ESP reflection/amplification increased by 2,301%.

While large attacks get attention, most DDoS attacks in Q1 2025 were small: 99% of Layer 3/4 attacks were under 1 Gbps/1 Mpps, and 94% of HTTP attacks were below 1 Mrps. The report stresses that even these “small” attacks can overwhelm unprotected systems. Additionally, most attacks are brief: 89% of Layer 3/4 and 75% of HTTP attacks lasted under 10 minutes, necessitating always-on, automated mitigation.

Germany Most Targeted Country in Q1 2025 DDoS Attacks

Frankfurt am Main, Germany, 30th April 2025, CyberNewsWire

**Frankfurt am Main, Germany, April 30th, 2025, CyberNewsWire**

**Link11 has fully integrated DOSarrest and Reblaze to become one of Europe’s leading providers of network security, web application security, and application performance**

Link11, DOSarrest, and Reblaze have combined their strengths into a single, integrated platform with a new brand identity. The result: a consistent user experience, maximum efficiency, and seamless security. As a European provider, Link11 addresses the current business risks associated with geopolitical uncertainties and growing compliance requirements. At the same time, the company secures business-critical processes worldwide through the synergies created.

With the acquisitions of DOSarrest in 2021 and Reblaze Technologies in 2024, Link11 has expanded its market position. The new Link11 WAAP (Web Application and API Protection) SaaS platform combines comprehensive DDoS protection against web attacks with ML-based adaptive security and API protection. The result is an unmatched combination of adaptive real-time traffic filtering, AI-powered bot detection, and a next-gen web application firewall for secure and encrypted interactions in a single suite.

At the end of 2023, Link11 secured an investment of €26.5 million from Pride Capital Partners. This financing will support the company’s planned product developments and international go-to-market strategy.

**Maximum security through proprietary, sovereign cloud infrastructure and artificial intelligence**

Link11 is setting new standards in protection against DDoS attacks by using its own AI-based technology. The patented DDoS filter secures all traffic within the Link11 cloud – faster and more efficiently than conventional solutions. The advantages over competitors lie in users’ full control over scaling and intelligent real-time analysis of traffic, as well as continuous learning from attacks.

While other providers rely on third-party infrastructures such as AWS or Google, Link11 controls its own cloud infrastructure. This allows protection mechanisms to work in real time – without delays that can have critical consequences in a DDoS attack. As one of Europe’s leading IT security providers, Link11 enables platform-independent protection, even in multi-cloud environments.

**Technological independence as a security factor**

The solution is designed for workloads in any cloud environment. Link11’s network was developed specifically for modern cybersecurity requirements and sovereignty. It strengthens security at the network edge, accelerates global content delivery, and provides resilience and data sovereignty.

> Jens-Philipp Jung, founder and CEO of Link11: “Cybersecurity today means resilience against threats and outages. European companies that set global standards in data protection should also insist on independence when it comes to their cyber resilience. Especially in times of geopolitical uncertainty, sovereign, powerful and trustworthy IT solutions are needed. With Link11, we are demonstrating what European cutting-edge technology can achieve: maximum resilience, top performance and uncompromising compliance – independently and confidently”.

**European companies should rely on an EU-based DDoS protection provider**

Recent surveys of cybersecurity managers show that, given the option, independent and trustworthy security solutions from Europe will be used more in the future. Link11 has been successfully providing its services to companies such as financial institutions, media companies, retail and logistics companies, and the public sector for many years. With a strong brand and a multi-layered security approach, Link11 helps its customers reduce their dependence on cybersecurity. The goal is to make security architectures more resilient – technologically, functionally, and geopolitically. 

YouTube link: Link11 – Always at your side

**About Link11**

Link11 is a specialized European IT security provider that protects global infrastructures and web applications from cyberattacks. Its cloud-based IT security solutions help companies worldwide strengthen the cyber resilience of their networks and critical applications and avoid business interruptions. Link11 is a BSI-qualified provider of DDoS protection for critical infrastructure. With ISO 27001 certification, it meets the highest standards in data security.  

**Contact**

**Lisa Froehlich**  
**Link11 GmbH**  
**\[email protected\]**

Link11 brings three brands together on one platform with new branding

BreachForums posts a PGP-signed message explaining the sudden April 2025 shutdown. Admins cite MyBB 0day vulnerability impacting the…

BreachForums posts a PGP-signed message explaining the sudden April 2025 shutdown. Admins cite MyBB 0day vulnerability impacting the site, plan return, deny seizure, and warn of clones.

In early April 2025, the well-known cybercrime and data breach forum BreachForums disappeared from the internet without explanation. The forum, administered and **owned by the hacker group ShinyHunters**, went offline without any farewell note or clarification, triggering widespread speculation about a possible law enforcement seizure.

Despite these concerns, DNS records for BreachForums remained unchanged, showing the original nameservers at **DDoS-Guard**, not the typical Cloudflare nameservers seen when the FBI seizes criminal infrastructure. This consistency hinted that the site had not fallen into the hands of authorities but left many questions unanswered.

    BreachForums.st DNS Records:
    
    185.129.101.200
    
    185.129.103.200
    
    ns1.ddos-guard.net
    
    ns2.ddos-guard.net
    
    Typical FBI Seizure DNS Records:
    
    plato.ns.cloudflare.com
    
    jocelyn.ns.cloudflare.com

****BreachForums Plans to Return****

Earlier today (April 28, 2025), visitors to Breachforums.st have been met with a new development: a detailed message posted on the homepage, allegedly from the forum’s administration, signed with a PGP key.

According to the statement, the administrators shut down operations after confirming the existence of a MyBB 0day vulnerability that left the forum exposed to infiltration attempts by law enforcement agencies.

It is worth noting that in June 2023, when BreachForums was revived under ShinyHunters’ control, it **suffered a data breach**. The forum administrator attributed the incident to a MyBB 0day vulnerability, which led to the leak of personal details belonging to over 4,000 members.

However, in the latest update, the administrators claimed they acted quickly once they received credible information about the security risk through trusted contacts. They initiated an incident response protocol, shut down infrastructure, and conducted an audit of their systems.

Their findings suggested that although the forum software was vulnerable, the infrastructure had not been compromised and no data had been stolen. The statement also apologized to staff and users for the extended silence, citing operational security as the top priority during the crisis. BreachForums announced that work is underway on a complete rewrite of the forum backend to prevent future vulnerabilities.

Additionally, the message warned users against engaging with various BreachForums clones that have surfaced online, suggesting that these are likely law enforcement honeypots designed to lure and identify cyber criminals. The administrators emphasized that no arrests had taken place and that the original team remained intact.

Screenshot from the BreachForums’ homepage (Image credit: Hackread.com)

****But Some Questions Remain Unanswered****

What the message does not explain is why ShinyHunters deleted their Telegram account. BreachForums had a large and active community on Telegram. What happened to that account, and why were no updates provided on Telegram before taking down the forum?

The sudden disappearance and equally sudden reappearance of BreachForums have raised further concerns within cybercrime circles. While the operators insist the platform remained secure, the revelation of a zero-day vulnerability in the forum software raises new questions about the operational risks associated with underground forums.

**ShinyHunters**, the hacker group tied to the forum’s ownership, has been linked to several high-profile data breaches over the past few years, which places BreachForums under constant scrutiny by law enforcement agencies worldwide.

The situation is likely to develop as cybersecurity researchers, law enforcement, and threat actors react to the forum’s unexpected return. Until then, BreachForums’ future remains uncertain.

BreachForums Displays Message About Shutdown, Cites MyBB 0day Flaw

In this edition, Bill explores how intellectual curiosity drives success in cybersecurity, shares insights on the IAB ToyMaker’s tactics, and covers the top security headlines you need to know.

Thursday, April 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

"Be curious, not judgmental," Ted Lasso says, misattributing Walt Whitman. We forgive Ted because... well, he's Ted Lasso. 

If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I'm asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is "Be curious, not judgmental." 

I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That's why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.  

_Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?_   

These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.  

Beyond that, I always listen for my favorite answer: “I don’t know, but...” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn...” 

Barbecue sauce.

**The one big thing **

Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints. 

**Why do I care? **

A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus. 

**So now what?**

Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.

**Top security headlines of the week **

**Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS.** Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)

**Microsoft purges millions of cloud tenants in the wake of Storm-0558.** In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading) 

**Researchers warn of critical flaw found in Erlang OTP SSH.** The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive) 

**CISA flags actively exploited vulnerability in SonicWall SMA devices.** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)

**Can’t get enough Talos? **

*   Talos Takes: Year in Review Special: Part 3 
*   TL,DR: Attacks on identity, and Multi Factor Authentication 
*   Unmasking the new XorDDoS controller and infrastructure

**Upcoming events where you can find Talos **

*   RSA (Apr. 28 – May 1) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**    
MD5: 42c016ce22ab7360fb7bc7def3a17b04    
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277    
Typical Filename: Rainmeter-4.5.22.exe     
Detection Name: Artemis!Trojan  

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**      
MD5: ff1b6bb151cf9f671c929a4cbdb64d86      
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query        
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f      
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507      
Typical Filename: VID001.exe      
Detection Name: Win.Worm.Bitmin-9847045-0  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376      
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91     
Typical Filename: IMG001.exe     
Detection Name: Win.Trojan.Miner-9835871-0

Lessons from Ted Lasso for cybersecurity success

Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS, with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States.
"From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis.

Tag

#ddos