Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS, with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States.
"From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis.

Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT

In this week’s newsletter, Thorsten muses on how search engines and AI quietly gather your data while trying to influence your buying choices. Explore privacy-friendly alternatives and get the scoop on why it's important to question the platforms you interact with online.

Thursday, April 17, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

As we navigate our daily routines, certain tasks become second nature to us, especially if they are integral to our professions. However, what feels instinctive to one person might be foreign to another. This disparity is akin to a skilled musician effortlessly playing a complex melody, while someone without musical training might appreciate the beauty of the music in a different way. Both may enjoy music, but they experience it from different perspectives. 

Lately, I've found myself thinking about these differences in the context of online interactions, particularly with search engines. I've become increasingly frustrated with how they try to influence my buying behavior or try to “enhance” search results with AI. It's often unsuccessful, as many of you have experienced. I once looked up something for my father-in-law and got swamped for weeks after with advertisements absolutely irrelevant to me. 

It's easy to overlook that when using a search engine, the exchange of knowledge is not one-sided. It's not only users who gain knowledge from indexed content, but search engines also acquire detailed insights into user behavior and preferences. You may unknowingly share sensitive information that could be stored for extended periods or shared with third parties for advertising or other purposes. I tried to get around this by shifting to privacy-focused search engines but wasn’t happy with the experience, either because of smaller or different indexes, or I was missing results in my native language. 

Luckily, I came across an open-source project called SearXNG, a “free internet metasearch engine which aggregates results from up to 229 search services. Users are neither tracked nor profiled.” 

I like it for three reasons: 

1.  You can try one of the public instances and check if you like it before you go all-in.
2.  You can self-host it on bare metal, in Docker or LXC, giving you even more control over your data. 
3.  With Opensearch it seamlessly integrates with your existing browser. 

It took me a couple of days to get used to it, but I do really like it now. It’s not perfect, but it is a real timesaver. As a bonus, the search syntax for advanced use is easy to memorize: 

*   “:en”, “:de” or “:fr” to search in a given language 
*   “!social\_media” or “!news” to search just a given category 

The same principle applies to the increasing number of AI and large language models (LLMs) that process your queries — they also gather information about you. There are initiatives like Perplexica on GitHub that aim to bridge the gap for AI-assisted searches, although I haven't explored them in detail. Additionally, if your interactions extend beyond simple searches to more profound inquiries, such as asking an LLM about the meaning of life, it's wise to first assess the trustworthiness of the engine or the company behind it. Care what you share.

**The one big thing **

We are continuing our discussion of Talos' 2024 Year in Review report, looking at each section in detail. This week, let’s examine ransomware.

**Why do I care? **

Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of related cases.  

Ransomware actors exploited public-facing applications nearly 20% of the time. The Known Exploited Vulnerabilities Catalog for 2024 lists 28 out of 186 Vulnerabilities as “Known to be used in Ransomware Campaigns” with CVE ID’s all the way from 2012-2024 (except for 2015).

**So now what? **

These are major risks which can be mitigated by applying basic cyber hygiene principles. Please update and patch your software, and protect your credentials. Tune in next week to learn about multi-factor authentication (MFA) and identity threats, and why you need to do more than just enable MFA.

**Top security headlines of the week **

*   **OpenAI cuts safety tests in “reckless” AI push.** According to the article, testing has gone down from six months to just days. We all know that even with six months of testing any model, it’ll never be quite perfect. (MSN) Further compounding this: 
*   **AI-hallucinated code dependencies become new supply chain risk.** “Slopsquatting” (as a spin on typosquatting) has become a thing. Threat actors can check with one or more AI models what packages they hallucinate and upload their malicious ones to PyPI or npm. (BleepingComputer)
*   **Windows Recall seems to be back again.** More privacy-related news. If I recall (pun intended) correctly, in May last year Microsoft introduced Recall — a feature which constantly takes screenshots, indexes them, and makes them searchable for you. After huge backslashes in the community, and the creation of tools like TotalRecall, Microsoft paused the launch last June. (BleepingComputer)
*   **The 25-year-old CVE program seemed to be at risk.** MITRE warned on April 15 that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program expired on April 16. This was big. Just in Q1 about 11,781 vulnerabilities were added (with 415 rejected) to the Database. Stopping this would have caused a lot of trouble. (Krebs on Security) However, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it had exercised an option to extend MITRE’s contract—reportedly for another 11 months, according to multiple sources.

**Can’t get enough Talos? **

*   **Unmasking the new XorDDoS controller and infrastructure.** Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks. 
*   **Talos Takes: Year in Review Special (Pt. 2).** Azim Khodjibaev and Lexi DiScola join Hazel to discuss some of the most prolific ransomware groups (and why LockBit may end this year very differently to how they ended 2024).

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1) San Francisco, CA    
*   PIVOTcon (May 7 – 9) Malaga, Spain    
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA    
*   Cisco Connect UK & Ireland (May 20) London, UK  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f     
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe     
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: 2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385**   
MD5: 01b521c78f5bbdaba0cc221bc893e2b8   
VirusTotal: https://www.virustotal.com/gui/file/2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385   
Typical Filename: toyboy.exe     
Detection Name: Gen:Variant.Tedy.758566 

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**   
MD5: 42c016ce22ab7360fb7bc7def3a17b04   
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277   
Typical Filename: Rainmeter-4.5.22.exe    
Detection Name: Artemis!Trojan 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: IMG001.exe    
Detection Name: Win.Trojan.Miner-9835871-0

Care what you share

Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks.

Thursday, April 17, 2025 06:00

*   Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. 
*   A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. 
*   The language settings of the muti-layer controller, XorDDoS builder and controller binding tool strongly suggest that the operators are Chinese-speaking individuals. 
*   Talos discovered the latest version of the XorDDoS controller, called the “VIP version,” and its corresponding central controller were used to build the DDoS bot network for more sophisticated and widespread attacks. 
*   Talos' analysis exposes the network connection between central controller, sub-controller and XorDDoS malware in order to highlight the XorDDoS trojan network pattern. This may help victims identify when they are targeted by these trojans.

**Linux XorDDoS trojan trend and victimology  **

The XorDDoS trojan is a well-known DDoS malware that targets Linux machines, turning them into "zombie bots" that carry out attacks. First identified in 2014, its sub-controller was uncovered in 2015. Based on the simplified Chinese user interface and instructions of the XorDDoS controllers and builder, Talos assess with high confidence that the operators are Chinese-speaking individuals. 

From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence. This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots. It employs a strategy of Secure Shell (SSH) brute-force attacks to gain remote access to target devices. Once it obtains valid SSH credentials, the attacker leverages root privileges to execute a script that downloads and installs XorDDoS on the compromised device. 

Even though numerous security vendors have already provided solutions and detection methods to capture them, Talos continues to observe attempts to deliver XorDDoS malware.

__Figure 1. Cisco Secure Firewall’s monthly malware connection detection statistics.__

Between November 2023 and February 2025, Talos observed that the XorDDoS trojan continued to have a global impact, with nearly 50 percent of its successfully compromised victims located in the United States. Additionally, we noted that the compromised systems attempted to target and attack several countries, including Spain, the United States, Taiwan, Canada, Japan, Brazil, Paraguay, Argentina, the United Kingdom, the Netherlands, Italy, Ukraine, Germany, Thailand, China, India, Israel, Venezuela, Switzerland, Singapore, Finland, Australia, Saudi Arabia, France, Turkey, the United Arab Emirates and South Korea.

__Figure 2. Percentage of XorDDoS successfully-compromised machines across all regions.__

Talos also used our Cisco Secure Network/Cloud Analysis to observe actors using those compromised machines to launch DDoS attack and the attacks are globalized. Notably, we found that the United States accounted for over 70 percent of attempted attacks employing XorDDoS.

__Figure 3. Percentage of XorDDoS attempted targets across all regions.__

**Infection chain  **

XorDDoS has long relied on SSH brute-force attacks to spread. It deploys a malicious shell script that attempts numerous root credential combinations across thousands of servers until it successfully accesses a target Linux device. Once inside the machine, XorDDoS implements persistence mechanisms to ensure it launches automatically at system startup, therefore evading detection and termination by security products. To maintain persistence, the malware installs an init script and a cron job script. These scripts are embedded within the malware and perform actions consistent with those outlined in previous reports.

__Figure 4. Inint script and cron script embedded in trojan.__

The latest version of XorDDoS malware continues to use the same decryption function and the XOR key "BB2FA36AAA9541F0" to decrypt its embedded configuration. Once the URLs or IPs are decrypted, they are added to a remote list. This list is then used to establish communication and retrieve commands from the C2 server. Talos used CyberChef to successfully decrypt one of the examples.

__Figure 5. Talos CyberChef decryption.__

**XorDDoS new sub-controller and central controller **

Although the sub-controller for XorDDoS was exposed in 2015, attacks have persisted over the last decade. The panel from 2015 was for version 1.4, the oldest version, which we believe is no longer in use by threat actors. In 2024, Talos discovered a new “VIP” version of the XorDDoS sub-controller, which can control the "VIP version” of the XorDDoS trojan, the first instance of which we traced back to 2017. With the newest version of the XorDDoS sub-controller and trojan builder, Talos believes that this collection is a product suite developed for sale.

Figure 6 shows translated screenshots of the XorDDoS trojan sub-controller and builder. The builder also contains new feature descriptions, which strengthens Talos’ assessment that this is a product meant to be sold. The VIP version of the XorDDoS trojan builder includes new feature descriptions. When translated, the description in Figure 7 reads, "Stable Anti-Kick, 100% Packet Sending, Fixes for Over Ten Thousand Online Without Lag. Supports Domain Online, IP Online, with New Packet Sending Code and Wall-Penetration Optimization. Can Send 1024 Packets with Resource Utilization Optimization."

__Figure 6. VIP version sub-controller.__

__Figure 7. Feature description in the VIP version of the XorDDoS trojan builder.__

Talos observed a new version of the sub-controller, which we call the "central controller." Specifically created for the XorDDoS trojan, the central controller enables threat actors to manage multiple XorDDoS controllers simultaneously. This updated central controller enhances cybercriminals’ ability to coordinate and execute attacks more efficiently, indicating an evolution in their tactics and capabilities.

__Figure 8. Example view of central controller controlling each sub-controller__.

The central controller can generate a controller binder that will inject a DLL file to the XorDDoS controller to bind network connection and command operation to the sub-controller, allowing the central controller to fully remote control the sub-controllers.

__Figure 9. Generator Setting__

The controller binder will establish a connection with the central controller. When running the controller binder on the host, the actor can enter the controller's process name, allowing them to inject into the process and take control. This straightforward strategy allows the actor to send the DDoS commands to multiple controllers simultaneously. There are two notable facts Talos observed from this central controller. First, when the actor opens the central controller, there is a feature description in its mission list column that, when translated, includes the following:

*    "Check the SYN packet length to make it a large packet, otherwise it will be a small packet. 
*   A round-robin attack is a task performed by all online hosts.
*   Select the host and click the test mode, which means a single host sends a packet.
*   Multiple measurement modes cannot be selected, only one at a time!
*   The round-robin attack needs to be stopped manually.
*   Supports 1024 packages but requires a corresponding sub-controller.
*   The sub-controller of version 1.4 and 1.8 on the underground market cannot use the central controller to send 1024 packages."

Second, the controller's creator left their Tencent QQ instant message contact number and nickname on the central controller, while also mentioning other sub-controller versions available on the underground market. This further supports Talos’ assessment that these tools are for sale.

__Figure 10. Central controller and controller binder.__

**Advanced XorDDoS traffic analysis **

Talos’ detailed analysis of these new tools suggests cybercriminals’ continued investment in the development and deployment of the XorDDoS trojan, allowing for more sophisticated and widespread attacks. The entire control flow of these operations demonstrates the adaptability and resilience of these threat actors, emphasizing the ongoing challenge in combating this form of cybercrime. Talos completed a traffic analysis in our sandbox environment, first to analyze how the XorDDoS trojan is connected to the sub-controller, and then to understand how the central controller manages the sub-controller.

__Figure 11. XorDDoS control flow diagram.__

The connection between the sub-controller and DDoS trojan is the orange line in Figure 11. When the malware is successfully installed in the target system, it will attempt to send encrypted data, including "phone home," which consists of the CRC Header, uname string release, uname string machine, magic string and hardcoded version string. Talos used CyberChef to provide a decryptor function for this data.

__Figure 12. Example of decrypted phone home data.__

We noticed that the latest VIP version's "phone home" CRC header remains unchanged from what Unit 42 previously detailed in a blog post. Since the blog post has already covered the encryption of the XorDDoS trojan's phone home data, we will focus here on the behavior of the controller's responses and any modifications in the CRC header.

Once the XorDDoS trojan successfully establishes a connection, the CRC header changes to "5343f096000000000200000000000000000000000000000000000000", as shown in Figure 13. This functions similarly to basic client-server authentication for establishing a connection. When the controller issues a command to the XorDDoS trojan, it uses the same CRC header to attach the encrypted command, sending it to the trojan. This process, illustrated in Figure 14, helps the XorDDoS trojan verify that the commands are authorized and safe to execute.

__Figure 13. The CRC header changes after successfully establishing a connection.__

__Figure 14. Network flow of sub-controller sending the command to XorDDoS trojan.__

Next, Talos explored the connection between the central controller and the sub-controller, represented by the purple line in Figure 11. The central controller can create a controller binder to inject the sub-controller, thereby gaining full access to it. Once the controller binder successfully takes control of the sub-controller, it sends the sub-controller's machine information back to the central controller as a "phone home" beacon. This phone home data uses plaintext to send information, which includes the message number, packet size, IP address, hostname and connection port.

__Figure 15. Network flow of the phone home connection.__

Talos used the central controller to establish a connection with the sub-controller to monitor network traffic. During this process, we observed that the MSG number in the packets increases with each command sent to either the client controller or back to the central controller. As shown in Figure 16, Talos used the central controller to issue commands to start a SYN DDoS attack, stop the attack, and target specific IPs or domains. For every command sent, the MSG number increments. Similarly, each received packet also sees an increase in its MSG number. However, it's important to note that the MSG numbers for sent packets and received packets are not directly related to each other.

__Figure 16. Network flow of central controller sending the command to sub-controller.__

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64669, 64668 and 64667.

ClamAV detections are also available for this threat: Unix.Dropper.Xorddos::in07.talos

**Indicators of Compromise**

IOCs for this threat can be found in our GitHub repository here.

Unmasking the new XorDDoS controller and infrastructure

4chan is down amid claims from a rival Soyjak forum user who says they’ve breached the site and…

4chan is down amid claims from a rival Soyjak forum user who says they’ve breached the site and leaked its source code. Investigation is ongoing.

The infamous imageboard **4chan** is facing a major security incident. Users and researchers have flagged a possible breach resulting in the leak of 4chan’s custom source code, widely known as Yotsuba. What makes the incident ironic is the claim that the attacker is affiliated with Soyjak.st, a lesser-known but competing imageboard community.

****Unusual Downtime****

As of this writing, 4chan was offline or loading inconsistently, with broken images and non-functional links across multiple boards. The outage began in the early hours of April 15th, and speculation quickly spread across social media and rival platforms.

The screenshot shows the current status of 4chan (Image credit: Hackread.com)

Some users initially blamed server issues or a possible **DDoS attack**. However, what followed was far more serious: a user on Soyjak.st claimed responsibility for accessing admin credentials and leaking 4chan’s internal codebase.

Shortly after the claim surfaced, links to what appear to be portions of the Yotsuba source code began circulating across multiple platforms, including Telegram, GitHub Gists and private paste sites.

While the full extent of the leak is still being verified, early samples appear to be consistent with 4chan’s long-running backend structure. The leaked files also include core PHP scripts, administrative tools, and configuration files, some containing outdated coding practices that raise security concerns.

Although 4chan does not rely on user accounts or store typical sensitive information like emails or passwords, a codebase leak can still be serious. With access to internal logic, attackers could exploit undocumented behaviour and server-level compromises. It may also provide insights into moderation workflows or board-level permissions that were never intended to be public.

****The Soyjak.st Connection****

Soyjak.st, though much smaller than 4chan, has managed to grow its own dedicated niche in the imageboard world. With a focus on parody, satire, and meme content, the community has a complicated and often hostile relationship with 4chan.

Whether the claimed attacker is truly affiliated with Soyjak.st or is simply using its name remains to be seen. No formal attribution has been made. Nevertheless, if verified, the breach may be the first major incident where one imageboard’s userbase actively compromises the infrastructure of another.

****No Official Word from 4chan****

At the time of publication, 4chan has not released a public statement addressing the outage or confirming the breach. The site’s front page remains reachable worldwide, but many boards continue to load inconsistently or not at all.

In the meantime, if you are a 4chan user, it’s a good idea to be cautious with any links or files claiming to be from 4chan. There’s always a risk of fakes or **phishing attempts** popping up after something like this

4chan Breached? Hacker from Rival Soyjak Forum Claims Source Code Leak

Though the exact details of the situation have not been confirmed, community infighting seems to have spilled out in a breach of the notorious image board.

The anonymous image board 4chan has survived years of controversy. It weathered user and advertiser boycotts as well as damning accusations that it incubated hate speech that may have fueled mass shootings. Users have convened on 4chan to plan hacks like DDoS attacks, and conspiracy theories that festered on 4chan even reportedly inspired the January 6 insurrection at the United States Capitol. On Monday night and Tuesday, though, the platform faced its latest test after a series of outages led to speculation that the site had been hacked.

The core feature 4chan provides is public anonymity to post text and images, but the platform itself does collect information about users, such as their IP addresses. As a result, a breach of the website could represent a significant exposure of data that was intended to be private.

“4chan is an anonymous message board that enables often offensive and hateful content. The content leaked, if genuine, would remove some of the anonymity from 4chan administrators, moderators, and janitors,” says Ian Gray, director of analysis and research at the security firm Flashpoint. The image board’s billing as an “anonymous” platform may have given users a “false sense of security,” Gray says. “Some users may have registered their email addresses years ago when they were less aware or concerned about their operational security.”

Reports about the apparent hack began circulating after a previously banned board on 4chan briefly appeared online and the site was defaced with a message saying, “U GOT HACKED XD.” Subsequently, an online account on a rival forum known as Soyjak.party posted screenshots allegedly showing 4chan’s backend systems, plus a list of alleged 4chan administrator and moderator usernames, with associated email addresses. Following this post of 4chan administrator email addresses, Soyjak.party users started posting alleged doxes, including photos and personal information, of the accounts included in the leak.

WIRED has not been able to confirm whether the data is legitimate. A press email address associated with 4chan as well as two alleged administrator emails from the leaked data did not immediately respond to WIRED’s requests for comment on the hack and its validity. One of the site’s moderators said they believed the hack and leaks were real, according to a report by TechCrunch.

Rumors also started circulating on Tuesday that the breach is the result of 4chan running legacy, unpatched software that exposed the platform to attack. After a breach a decade ago, 4chan founder Christopher Poole, known online as “moot,” wrote in a blog post, “\[We\] have spent—and will continue to spend—dozens of hours poring over our software and systems to help mitigate and prevent future intrusions. We’re sorry it happened, and will do our best to ensure it doesn’t happen again.”

Emiliano De Cristofaro, a computer science and engineering professor at UC Riverside, who has researched the impact of 4chan on the web, says the ramifications could be large if the hack is confirmed.

“It seems true that 4chan hasn't been properly maintained and patched for years, which might indicate that a hack would have definitely been a possibility,” De Cristofaro says. “There might be some ‘high profile’ users exposed as moderators—traditionally, 4chan users hate them, so they might be targeted. It might be hard or at least painfully slow and costly for 4chan to recover from this, so we might really see the end of 4chan as we know it.”

Initial reports posted on Soyjak.party referencing a 4chan hack appeared to say that Soyjak.party members may have been involved in the attack. One post claimed that a hacker had been in 4chan’s systems “for over a year” and exposed personal information allegedly linked to 4chan users and administrators. And multiple screenshots posted on Soyjak.party appear to show someone accessing 4chan’s internal systems. These include images of someone with administrator access to a 4chan backend database, stats about users on various sections of 4chan, a page showing deleted posts and the IP addresses they were made from, as well as other internal documentation. Some reports also claim that hackers stole 4chan’s source code.

In recent years, 4chan has increasingly been on the radar of US government officials. The website has reportedly been kept online due in part to investment by a Japanese company. In June 2023, WIRED reported on internal 4chan documents that showed how the site’s policies shaped the highly toxic nature of the platform—including how moderators explicitly allow racism. In most cases, the documents showed, calls for violence on 4chan are not met with user bans.

“If the data is legitimate, information on members and posting could be useful for law enforcement investigations,” Flashpoint’s Gray says. “4chan has been around since at least 2003, which is extremely notable for any online service. Aside from the offensive and often extremist content, a lot of internet culture has originated from 4chan. If this is a death knell for 4chan, other services will likely fill its place. However, the effect of 4chan on the internet cannot be overstated.”

Suspected 4chan Hack Could Expose Longtime, Anonymous Admins

Luxembourg, Luxembourg, 9th April 2025, CyberNewsWire

**Luxembourg, Luxembourg, April 9th, 2025, CyberNewsWire**

Gcore, the global edge AI, cloud, network, and security solutions provider, has launched Super Transit, a cutting-edge DDoS protection and acceleration feature, designed to safeguard enterprise infrastructure while delivering lightning-fast connectivity. 

This comes as organizations face a 56% year-on-year increase in high-volume, complex DDoS attacks that disrupt operations, increase latency, and compromise network security. Traditional solutions often require expensive, complex integrations, but Super Transit is delivered as part of the Gcore DDoS Protection Suite. Using the Gcore global network of 180+ points of presence (PoP), traffic is automatically routed through the Gcore Anycast backbone, and any malicious traffic is intelligently split from legitimate traffic in real-time. This proactive detection, filtering, and mitigation of DDoS attacks means an uninterrupted user experience, so even during an attack, users remain unaffected and continue to experience stable, secure, high-speed connectivity. 

Gcore Super Transit, which is available to all customers now, optimizes performance and security through the following key differentiators: 

**1\. Real-time DDoS threat mitigation:** Detects and blocks malicious traffic in real-time at the nearest Gcore PoP, before it can reach user networks – minimizing impact on performance. 

**2\. Global-scale protection:** Comprehensive defense against DDoS attacks of any size, backed by a total filtering network capacity exceeding 200 Tbps. 

**3\. Consistent performance:** Traffic is filtered at the edge with legitimate traffic routed via the optimal path within Gcore’s high-performance backbone, eliminating unnecessary rerouting to external scrubbing centers and reducing latency. 

**4\. Cost-effective protection:** Optimizes security spending with flexible, integrated deployment options that balance performance and affordability. 

> Andrey Slastenov, Head of Security at Gcore, commented: “This is a hugely important launch for many reasons. Primarily, Super Transit allows for fast, worldwide access to our DDoS protection services, with real-time intelligent data analysis and filtering ensuring legitimate data is routed to servers efficiently. These are crucial capabilities as advanced DDoS protection for real-time services mitigates latency and outages that significantly impact user experience and enterprises’ business success.” 

**About Gcore** 

Gcore is a global edge AI, cloud, network, and security solutions provider. Headquartered in Luxembourg, with a team of 600 operating from ten offices worldwide, Gcore provides solutions to global leaders in numerous industries. Gcore manages its global IT infrastructure across six continents, with one of the best network performances in Europe, Africa, and LATAM due to the average response time of 30 ms worldwide. Gcore’s network consists of 180 points of presence worldwide in reliable Tier IV and Tier III data centers, with a total network capacity exceeding 200 Tbps.

Users can learn more at gcore.com or follow them on LinkedIn, Twitter, and Facebook.

**Contact**

**Gcore PR team**  
**gcore.com**  
**\[email protected\]**

Gcore Super Transit Brings Advanced DDoS Protection and Acceleration for Superior Enterprise Security and Speed

Online gaming has become an integral part of modern entertainment, with millions of players connecting from all over…

Online gaming has become an integral part of modern entertainment, with millions of players connecting from all over the world to immerse themselves in **virtual worlds**, participate in competitive matches, or simply relax with friends.

However, while gaming offers exciting experiences, it also exposes players to a range of cybersecurity threats and privacy risks. The risks are real, from data breaches and identity theft to malware infections and in-game scams.

This article will explore the common cybersecurity risks in online gaming and provide practical strategies to avoid them.

****Why Online Gaming Is a Target for Cybercriminals****

The online gaming industry has grown exponentially in recent years, with global revenues expected to reach $200 billion by 2025. This massive audience makes it an attractive target for cybercriminals.

Hackers and scammers exploit **vulnerabilities in gaming platforms**, user accounts, and in-game assets to make illicit gains. Gamers often store sensitive information, such as credit card details, addresses, and personal identifiers, which can be used for malicious purposes if compromised.

Furthermore, the popularity of multiplayer games and the constant online interaction provide ample opportunities for social engineering attacks and the spread of malware.

****Common Cybersecurity Risks in Online Gaming********Phishing Scams****

Phishing is one of the most common types of attacks targeting online gamers. Cybercriminals often impersonate game developers, customer support teams, or even fellow players to trick individuals into revealing sensitive information, such as login credentials or financial details.

****How to Avoid Phishing Scams:****

*   **Be cautious with emails and messages**: Always verify the sender’s email address or message source before clicking on any links or attachments. Legitimate gaming companies rarely ask for sensitive information via email.

*   **Check website URLs**: Before logging into any gaming platform, ensure that the website’s URL is correct and starts with “https://” to confirm it’s secure.

*   **Enable two-factor authentication (2FA)**: Most major gaming platforms offer 2FA, which provides an extra layer of security by requiring a second form of verification (such as a code sent to your phone) when logging in.

****Account Hacking and Credential Stuffing****

Many gamers use the same login credentials across multiple sites, making them easy targets for hackers who can obtain this information in a breach.

Credential stuffing attacks occur when hackers use previously leaked usernames and passwords from one breach to access accounts on other platforms.

****How to Avoid Account Hacking:****

*   **Use unique passwords**: Create strong, unique passwords for each gaming account to make it harder for hackers to gain access.

*   **Utilize password managers**: Password managers can generate and store complex passwords for all your accounts, reducing the risk of password reuse.

*   **Enable two-factor authentication (2FA)**: As mentioned earlier, 2FA is essential for protecting your accounts from unauthorized access.

****Malware and Ransomware****

Malware can be introduced into gaming systems in several ways, such as through malicious links, downloads, or third-party applications. Cybercriminals can **disguise malware as a legitimate game** or cheat tool to gain control of a gamer’s device, steal information, or lock it until a ransom is paid.

****How to Avoid Malware:****

*   **Download games from trusted sources**: Always download games and updates from official sources like the game developer’s website or recognized gaming platforms (e.g., Steam, PlayStation Store, Xbox Live).

*   **Use antivirus software**: Install reliable antivirus software that can detect and block harmful files and applications before they infect your system.

*   **Avoid third-party tools**: Be cautious when using third-party mods, cheat tools, or unofficial game servers, as they can often contain malware.

****In-Game Scams and Fraud****

Online gaming environments are ripe for scams, especially in multiplayer games with virtual economies. Scammers often target players by promising rare **in-game items**, currency, or cheats in exchange for real money, but once the transaction is made, the scammer disappears.

****How to Avoid In-Game Scams:****

*   **Stick to official transaction platforms**: Only buy in-game items or currency through trusted, official sources such as the game’s marketplace.

*   **Beware of “too good to be true” offers**: If someone promises rare items for an unreasonably low price, it’s likely a scam.

*   **Report suspicious behavior**: Many games have built-in reporting systems for fraudulent players. Always report suspicious activity to the developers or moderators.

****Social Engineering and Doxxing****

Social engineering attacks exploit a player’s trust, often through manipulation and deceit, to gain access to private information.

One of the more alarming risks is doxxing, where cybercriminals gather personal details about a gamer (such as real names, addresses, and phone numbers) and publish them online with malicious intent.

****How to Avoid Social Engineering and Doxxing:****

*   **Limit personal information sharing**: Avoid sharing personal details (like full name, address, or phone number) in online gaming communities, forums, or chat rooms.

*   **Review privacy settings**: Adjust privacy settings on gaming platforms and social media accounts to restrict who can access your information.

*   **Be cautious of friend requests**: Only accept friend requests or direct messages from people you know or trust in the game.

****DDoS Attacks****

Distributed Denial-of-Service (**DDoS**) attacks involve overwhelming a gaming server or player’s network with massive amounts of traffic, causing disruptions, lag, or crashes.

These attacks can also be used as a form of extortion, with hackers threatening to shut down a server unless a ransom is paid.

****How to Avoid DDoS Attacks:****

*   **Use VPN services**: A VPN can help mask your IP address and prevent attackers from targeting your network.

*   **Play on secure servers**: Opt for gaming platforms and servers that implement strong anti-DDoS measures.

*   **Monitor traffic patterns**: If you manage a gaming server, regularly monitor traffic and set up intrusion detection systems (IDS) to detect unusual activities.  
    

****How to Protect Yourself and Your Data in Online Gaming****

To safeguard your data and protect your gaming experience, here are some additional proactive measures you can take:

****Stay Updated****

Game developers frequently release patches and security updates to address vulnerabilities. Always keep your game software, gaming platforms, and operating systems up to date.

****Use a VPN for Gaming****

A **VPN for gaming** can significantly enhance your online security by masking your IP address and encrypting your internet connection. This helps prevent DDoS attacks and protects your personal information from being exposed to malicious players.

Additionally, a VPN allows you to bypass geo-restrictions, ensuring that you can access games and content from around the world securely.

****Use Secure Payment Methods****

When making in-game purchases, consider using secure payment methods like credit cards, PayPal, or trusted digital wallets instead of debit cards or direct bank transfers. These methods often provide better fraud protection.

****Educate Yourself on Cyber Hygiene****

Good cyber hygiene habits go a long way in securing your online presence. Regularly change passwords, check for unusual account activity, and avoid reusing passwords across different platforms.

****Practice Good Online Behavior****

Always exercise caution when interacting with other players online. Avoid clicking on suspicious links, be careful when downloading files, and never share personal information during gameplay.

****Protecting Yourself****

The thrill of online gaming should not come at the expense of your privacy and security. Cybersecurity risks, such as phishing, malware, account hacking, and in-game scams, are prevalent in the gaming world.

However, you can reduce your exposure to these threats by following best practices like enabling two-factor authentication, using strong passwords, avoiding suspicious links, and exercising caution when interacting with others.

Top/Featured Image by Tyler Lagalo on Unsplash!

Online Gaming Risks and How to Avoid Them

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.

The real website of the Ukrainian paramilitary group “Freedom of Russia” legion. The text has been machine-translated from Russian.

Researchers at the security firm **Silent Push** mapped a network of several dozen phishing domains that spoof the recruitment websites of Ukrainian paramilitary groups, as well as Ukrainian government intelligence sites.

The website **legiohliberty\[.\]army** features a carbon copy of the homepage for the Freedom of Russia Legion (a.k.a. “Free Russia Legion”), a three-year-old Ukraine-based paramilitary unit made up of Russian citizens who oppose Vladimir Putin and his invasion of Ukraine.

The phony version of that website copies the legitimate site — **legionliberty\[.\]army —** providing an interactive **Google Form** where interested applicants can share their contact and personal details. The form asks visitors to provide their name, gender, age, email address and/or Telegram handle, country, citizenship, experience in the armed forces; political views; motivations for joining; and any bad habits.

“Participation in such anti-war actions is considered illegal in the Russian Federation, and participating citizens are regularly charged and arrested,” Silent Push wrote in a report released today. “All observed campaigns had similar traits and shared a common objective: collecting personal information from site-visiting victims. Our team believes it is likely that this campaign is the work of either Russian Intelligence Services or a threat actor with similarly aligned motives.”

Silent Push’s **Zach Edwards** said the fake Legion Liberty site shared multiple connections with **rusvolcorps\[.\]net**. That domain mimics the recruitment page for a Ukrainian far-right paramilitary group called the Russian Volunteer Corps (rusvolcorps\[.\]com), and uses a similar Google Forms page to collect information from would-be members.

Other domains Silent Push connected to the phishing scheme include: **ciagov\[.\]icu**, which mirrors the content on the official website of the **U.S. Central Intelligence Agency**; and **hochuzhitlife\[.\]com**, which spoofs the **Ministry of Defense of Ukraine & General Directorate of Intelligence** (whose actual domain is **hochuzhit\[.\]com**).

According to Edwards, there are no signs that these phishing sites are being advertised via email. Rather, it appears those responsible are promoting them by manipulating the search engine results shown when someone searches for one of these anti-Putin organizations.

In August 2024, security researcher **Artem Tamoian** posted on Twitter/X about how he received startlingly different results when he searched for “Freedom of Russia legion” in Russia’s largest domestic search engine **Yandex** versus Google.com. The top result returned by Google was the legion’s actual website, while the first result on Yandex was a phishing page targeting the group.

“I think at least some of them are surely promoted via search,” Tamoian said of the phishing domains. “My first thread on that accuses Yandex, but apart from Yandex those websites are consistently ranked above legitimate in DuckDuckGo and Bing. Initially, I didn’t realize the scale of it. They keep appearing to this day.”

Tamoian, a native Russian who left the country in 2019, is the founder of the cyber investigation platform malfors.com. He recently discovered two other sites impersonating the Ukrainian paramilitary groups — **legionliberty\[.\]world** and **rusvolcorps\[.\]ru** — and reported both to Cloudflare. When Cloudflare responded by blocking the sites with a phishing warning, the real Internet address of these sites was exposed as belonging to a known “bulletproof hosting” network called **Stark Industries Solutions Ltd**.

Stark Industries Solutions appeared two weeks before Russia invaded Ukraine in February 2022, materializing out of nowhere with hundreds of thousands of Internet addresses in its stable — many of them originally assigned to Russian government organizations. In May 2024, KrebsOnSecurity published a deep dive on Stark, which has repeatedly been used to host infrastructure for distributed denial-of-service (DDoS) attacks, phishing, malware and disinformation campaigns from Russian intelligence agencies and pro-Kremlin hacker groups.

In March 2023, Russia’s Supreme Court designated the Freedom of Russia legion as a terrorist organization, meaning that Russians caught communicating with the group could face between 10 and 20 years in prison.

Tamoian said those searching online for information about these paramilitary groups have become easy prey for Russian security services.

“I started looking into those phishing websites, because I kept stumbling upon news that someone gets arrested for trying to join \[the\] Ukrainian Army or for trying to help them,” Tamoian told KrebsOnSecurity. “I have also seen reports \[of\] FSB contacting people impersonating Ukrainian officers, as well as using fake Telegram bots, so I thought fake websites might be an option as well.”

Search results showing news articles about people in Russia being sentenced to lengthy prison terms for attempting to aid Ukrainian paramilitary groups.

Tamoian said reports surface regularly in Russia about people being arrested for trying carry out an action requested by a “Ukrainian recruiter,” with the courts unfailingly imposing harsh sentences regardless of the defendant’s age.

“This keeps happening regularly, but usually there are no details about how exactly the person gets caught,” he said. “All cases related to state treason \[and\] terrorism are classified, so there are barely any details.”

Tamoian said while he has no direct evidence linking any of the reported arrests and convictions to these phishing sites, he is certain the sites are part of a larger campaign by the Russian government.

“Considering that they keep them alive and keep spawning more, I assume it might be an efficient thing,” he said. “They are on top of DuckDuckGo and Yandex, so it unfortunately works.”

Further reading: Silent Push report, Russian Intelligence Targeting its Citizens and Informants.

When Getting Phished Puts You in Mortal Danger

The Internet Archive (Archive.org), home to the Wayback Machine, is temporarily offline due to a reported power outage.…

The Internet Archive (Archive.org), home to the Wayback Machine, is temporarily offline due to a reported power outage. Engineers are working to restore access as users await updates. This follows recent challenges, including DDoS attacks and a data breach.

The Internet Archive (aka Wayback Machine), an online treasure trove for researchers, history buffs, and anyone looking for a blast from the past, is currently experiencing a service outage.

If you’ve tried to access the Wayback Machine or any of their vast collections recently, you’ve likely been met with a simple “Temporarily Offline” message. The organization has taken to their official social media channels, including Twitter/X, Bluesky, and Mastodon, to let users know they’re dealing with a power outage.

“We are experiencing a power outage. Engineers are working on it now,” they **stated**, offering a brief explanation for the sudden disruption. It’s a simple, straightforward message, but it leaves many wondering about the implications. For a service that relies so heavily on constant uptime, any interruption can be a setback.

Current view of the Internet Archive’s homepage (Screenshot credit: Hackread.com)

This power outage comes at a sensitive time for the Internet Archive. Just a few months ago, **in October 2024**, they were hit with a series of massive DDoS attacks, which are designed to overwhelm a site with traffic and knock it offline. And even more concerning, they also suffered a data breach where hackers made off with details from **31 million user accounts**. That incident left many users understandably worried about their personal information.

While the current outage is being attributed to a power issue, the timing naturally raises questions. Is this just an unfortunate coincidence, or could there be more to it? The Internet Archive hasn’t explicitly mentioned a **DDoS attack** this time around, but the past incidents make it hard not to speculate. For now, we’re left waiting for updates from their engineers as they work to restore service.

The Internet Archive is more than just a website; it’s a vital resource for preserving digital history. From old websites and books to films and music, it’s a place where the past is kept alive. Therefore, the current downtime is more than an inconvenience.

We’ll be keeping an eye on their social media for updates and hoping for a speedy resolution. In the meantime, those of us who rely on the archive will just have to be patient.

Internet Archive (Archive.org) Goes Down Following “Power Outage”

Companies in the EU are starting to look for ways to ditch Amazon, Google, and Microsoft cloud services amid fears of rising security risks from the US. But cutting ties won’t be easy.

The global backlash against the second Donald Trump administration keeps on growing. Canadians have boycotted US-made products, anti–Elon Musk posters have appeared across London amid widespread Tesla protests, and European officials have drastically increased military spending as US support for Ukraine falters. Dominant US tech services may be the next focus.

There are early signs that some European companies and governments are souring on their use of American cloud services provided by the three so-called hyperscalers. Between them, Google Cloud, Microsoft Azure, and Amazon Web Services (AWS) host vast swathes of the internet and keep thousands of businesses running. However, some organizations appear to be reconsidering their use of these companies’ cloud services—including servers, storage, and databases—citing uncertainties around privacy and data access fears under the Trump administration.

“There’s a huge appetite in Europe to de-risk or decouple the over-dependence on US tech companies, because there is a concern that they could be weaponized against European interests,” says Marietje Schaake, a nonresident fellow at Stanford’s Cyber Policy Center and a former, decade-long member of the European Parliament.

The moves may already be underway. On March 18, politicians in the Netherlands House of Representatives passed eight motions asking the government to reduce reliance on US tech companies and move to European alternatives. Days before, more than 100 organizations signed an open letter to European officials calling for the continent to become “more technologically independent” and saying the status quo creates “security and reliability risks.”

Two European-based cloud service companies, Exoscale and Elastx, tell WIRED they have seen an uptick in potential customers looking to abandon US cloud providers over the last two weeks—with some already starting to make the jump. Multiple technology advisers say they are having widespread discussions about what it would take to uproot services, data, and systems.

“We have more demand from across Europe,” says Mathias Nöbauer, the CEO of Swiss-based hosting provider Exoscale, adding there has been an increase in new customers seeking to move away from cloud giants. “Some customers were very explicit,” Nöbauer says. “Especially customers from Denmark being very explicit that they want to move away from US hyperscalers because of the US administration and what they said about Greenland.”

“It's a big worry about the uncertainty around everything. And from the Europeans’ perspective—that the US is maybe not on the same team as us any longer,” says Joakim Öhman, the CEO of Swedish cloud provider Elastx. “Those are the drivers that bring people or organizations to look at alternatives.”

Concerns have been raised about the current data-sharing agreement between the EU and US, which is designed to allow information to move between the two continents while protecting people’s rights. Multiple previous versions of the agreement have been struck down by European courts. At the end of January, Trump fired three Democrats from the Privacy and Civil Liberties Oversight Board (PCLOB), which helps manage the current agreement. The move could undermine or increase uncertainty around the agreement. In addition, Öhman says, he has heard concerns from firms about the CLOUD Act, which can allow US law enforcement to subpoena user data from tech companies, potentially including data that is stored in systems outside of the US.

Dave Cottlehuber, the founder of SkunkWerks, a small tech infrastructure firm in Austria, says he has been moving the company’s few servers and databases away from US providers to European services since the start of the year. “First and foremost, it’s about values,” Cottlehuber says. “For me, privacy is a right not a privilege.” Cottlehuber says the decision to move is easier for a small business such as his, but he argues it removes some taxes that are paid to the Trump administration. “The best thing I can do is to remove that small contribution of mine, and also at the same time, make sure that my customers’ privacy is respected and preserved,” Cottlehuber says.

Steffen Schmidt, the CEO of Medicusdata, a company that provides text-to-speech services to doctors and hospitals in Europe, says that having data in Europe has always “been a must,” but his customers have been asking for more in recent weeks. “Since the beginning of 2025, in addition to data residency guarantees, customers have actively asked us to use cloud providers that are natively European companies,” Schmidt says, adding that some of his services have been moved to Nöbauer’s Exoscale.

Harry Staight, a spokesperson for AWS, says it is “not accurate” that customers are moving from AWS to EU alternatives. “Our customers have control over where they store their data and how it is encrypted, and we make the AWS Cloud sovereign-by-design,” Straight says. “AWS services support encryption with customer managed keys that are inaccessible to AWS, which means customers have complete control of who accesses their data.” Staight says the membership of the PCLOB “does not impact” the agreements around EU-US data sharing and that the CLOUD Act has “additional safeguards for cloud content.” Google and Microsoft declined to comment.

The potential shift away from US tech firms is not just linked to cloud providers. Since January 15, visitors to the European Alternatives website increased more than 1,200 percent. The site lists everything from music streaming services to DDoS protection tools, says Marko Saric, a cofounder of European cloud analytics service Plausible. “We can certainly feel that something is going on,” Saric says, claiming that during the first 18 days of March the company has “beaten” the net recurring revenue growth it saw in January and February. “This is organic growth which cannot be explained by any seasonality or our activities,” he says.

While there are signs of movement, the impact is likely to be small—at least for now. Around the world, governments and businesses use multiple cloud services—such as authentication measures, hosting, data storage, and increasingly data centers providing AI processing—from the big three cloud and tech service providers. Cottlehuber says that, for large businesses, it may take many months, if not longer, to consider what needs to be moved, the risks involved, plus actually changing systems. “What happens if you have a hundred petabytes of storage, it's going to take years to move over the internet,” he says.

For years, European companies have struggled to compete with the likes of Google, Microsoft, and Amazon’s cloud services and technical infrastructure, which make billions every year. It may also be difficult to find similar services on the scale of those provided by alternative European cloud firms.

“If you are deep into the hyperscaler cloud ecosystem, you’ll struggle to find equivalent services elsewhere,” says Bert Hubert, an entrepreneur and former government regulator, who says he has heard of multiple new cloud migrations to US firms being put on hold or reconsidered. Hubert has argued that it is no longer “safe” for European governments to be moved to US clouds and that European alternatives can’t properly compete. “We sell a lot of fine wood here in Europe. But not that much furniture,” he says. However, that too could change.

Schaake, the former member of the European Parliament, says a combination of new investments, a different approach to buying public services, and a Europe-first approach or investing in a European technology stack could help to stimulate any wider moves on the continent. “The dramatic shift of the Trump administration is very tangible,” Schaake says. “The idea that anything could happen and that Europe should fend for itself is clear. Now we need to see the same kind of pace and leadership that we see with defense to actually turn this into meaningful action.”

Tag

#ddos