Cybersecurity researchers have called attention to a new campaign that's actively exploiting a recently disclosed critical security flaw in Langflow to deliver the Flodrix botnet malware.
"Attackers use the vulnerability to execute downloader scripts on compromised Langflow servers, which in turn fetch and install the Flodrix malware," Trend Micro researchers Aliakbar Zahravi, Ahmed Mohamed

New Flodrix Botnet Variant Exploits Langflow AI Server RCE Bug to Launch DDoS Attacks

These groups suffered three times the cyberattacks as the year previous, with DDoS attacks dominating and vulnerability scans and SQL injection also more common.

Cyberattacks on Humanitarian Orgs Jump Worldwide

A now-patched critical security flaw in the Wazur Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) attacks.
Akamai, which first discovered the exploitation efforts in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that

Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks

Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of proxy and anonymity services nested at some of America's largest Internet service providers (ISPs).

Image: Mark Rademaker, via Shutterstock.

Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services that are nested at some of America’s largest Internet service providers (ISPs).

The findings come in a report examining how the Russian invasion has affected Ukraine’s domestic supply of **Internet Protocol Version 4** (IPv4) addresses. Researchers at **Kentik**, a company that measures the performance of Internet networks, found that while a majority of ISPs in Ukraine haven’t changed their infrastructure much since the war began in 2022, others have resorted to selling swathes of their valuable IPv4 address space just to keep the lights on.

For example, Ukraine’s incumbent ISP **Ukrtelecom** is now routing just 29 percent of the IPv4 address ranges that the company controlled at the start of the war, Kentik found. Although much of that former IP space remains dormant, Ukrtelecom told Kentik’s **Doug Madory** they were forced to sell many of their address blocks “to secure financial stability and continue delivering essential services.”

“Leasing out a portion of our IPv4 resources allowed us to mitigate some of the extraordinary challenges we have been facing since the full-scale invasion began,” Ukrtelecom told Madory.

Madory found much of the IPv4 space previously allocated to Ukrtelecom is now scattered to more than 100 providers globally, particularly at three large American ISPs — **Amazon** (AS16509), **AT&T** (AS7018), and **Cogent** (AS174).

Another Ukrainian Internet provider — **LVS** (AS43310) — in 2022 was routing approximately 6,000 IPv4 addresses across the nation. Kentik learned that by November 2022, much of that address space had been parceled out to over a dozen different locations, with the bulk of it being announced at AT&T.

IP addresses routed over time by Ukrainian provider LVS (AS43310) shows a large chunk of it being routed by AT&T (AS7018). Image: Kentik.

Ditto for the Ukrainian ISP **TVCOM**, which currently routes nearly 15,000 fewer IPv4 addresses than it did at the start of the war. Madory said most of those addresses have been scattered to 37 other networks outside of Eastern Europe, including Amazon, AT&T, and **Microsoft**.

The Ukrainian ISP **Trinity** (AS43554) went offline in early March 2022 during the bloody siege of Mariupol, but its address space eventually began showing up in more than 50 different networks worldwide. Madory found more than 1,000 of Trinity’s IPv4 addresses suddenly appeared on AT&T’s network.

Why are all these former Ukrainian IP addresses being routed by U.S.-based networks like AT&T? According to **spur.us**, a company that tracks VPN and proxy services, nearly all of the address ranges identified by Kentik now map to commercial proxy services that allow customers to anonymously route their Internet traffic through someone else’s computer.

From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer. These services can be used for several business purposes, such as price comparisons, sales intelligence, web crawlers and content-scraping bots. However, proxy services also are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

IPv4 address ranges are always in high demand, which means they are also quite valuable. There are now multiple companies that will pay ISPs to lease out their unwanted or unused IPv4 address space. Madory said these IPv4 brokers will pay between $100-$500 per month to lease a block of 256 IPv4 addresses, and very often the entities most willing to pay those rental rates are proxy and VPN providers.

A cursory review of all Internet address blocks currently routed through AT&T — as seen in public records maintained by the Internet backbone provider **Hurricane Electric** — shows a preponderance of country flags other than the United States, including networks originating in Hungary, Lithuania, Moldova, Mauritius, Palestine, Seychelles, Slovenia, and Ukraine.

AT&T’s IPv4 address space seems to be routing a great deal of proxy traffic, including a large number of IP address ranges that were until recently routed by ISPs in Ukraine.

Asked about the apparent high incidence of proxy services routing foreign address blocks through AT&T, the telecommunications giant said it recently changed its policy about originating routes for network blocks that are not owned and managed by AT&T. That new policy, spelled out in a February 2025 update to AT&T’s terms of service, gives those customers until Sept. 1, 2025 to originate their own IP space from their own autonomous system number (ASN), a unique number assigned to each ISP (AT&T’s is AS7018).

“To ensure our customers receive the best quality of service, we changed our terms for dedicated internet in February 2025,” an AT&T spokesperson said in an emailed reply. “We no longer permit static routes with IP addresses that we have not provided. We have been in the process of identifying and notifying affected customers that they have 90 days to transition to Border Gateway Protocol routing using their own autonomous system number.”

Ironically, the co-mingling of Ukrainian IP address space with proxy providers has resulted in many of these addresses being used in cyberattacks against Ukraine and other enemies of Russia. Earlier this month, the European Union sanctioned **Stark Industries Solutions Inc.**, an ISP that surfaced two weeks before the Russian invasion and quickly became the source of large-scale DDoS attacks and spear-phishing attempts by Russian state-sponsored hacking groups. A deep dive into Stark’s considerable address space showed some of it was sourced from Ukrainian ISPs, and most of it was connected to Russia-based proxy and anonymity services.

According to Spur, the proxy service IPRoyal is the current beneficiary of IP address blocks from several Ukrainian ISPs profiled in Kentik’s report. Customers can chose proxies by specifying the city and country they would to proxy their traffic through. Image: Trend Micro.

Spur’s Chief Technology Officer **Riley Kilmer** said AT&T’s policy change will likely force many proxy services to migrate to other U.S. providers that have less stringent policies.

“AT&T is the first one of the big ISPs that seems to be actually doing something about this,” Kilmer said. “We track several services that explicitly sell AT&T IP addresses, and it will be very interesting to see what happens to those services come September.”

Still, Kilmer said, there are several other large U.S. ISPs that continue to make it easy for proxy services to bring their own IP addresses and host them in ranges that give the appearance of residential customers. For example, Kentik’s report identified former Ukrainian IP ranges showing up as proxy services routed by **Cogent** **Communications** (AS174), a tier-one Internet backbone provider based in Washington, D.C.

Kilmer said Cogent has become an attractive home base for proxy services because it is relatively easy to get Cogent to route an address block.

“In fairness, they transit a lot of traffic,” Kilmer said of Cogent. “But there’s a reason a lot of this proxy stuff shows up as Cogent: Because it’s super easy to get something routed there.”

Cogent declined a request to comment on Kentik’s findings.

Proxy Services Feast on Ukraine’s IP Address Exodus

On Christmas Day in 2014 hackers knocked out the Xbox and PlayStation gaming networks, impacting how video game companies handled cybersecurity for years.

The Andersons are Christmas traditionalists. Dan says it’s more his wife Paige than him, but secretly he also loves all the fuss.

So, there they were on the sofa in their pajamas in front of the twinkling Christmas tree before the sun had risen over a chilly morning in Buffalo, New York. Thirty-two-year-old Dan was proud and smug as he handed over his gift to Paige—a “fancy new Kindle Voyage.” She loved it. Then it was his turn, and he excitedly ripped into the wrapping paper watched over by his confused dogs—one of which was tellingly named after Dan’s favorite computer-game character (Vivi from _Final Fantasy_). As the present revealed itself, the avid gamer saw the instantly recognizable and much-loved logo—it was a brand-new PlayStation 4. Straight away he unpacked it, rigged it up to the TV, and switched it on. The plan was to get it fired up and download _LittleBigPlanet 3_ to play for a few hours before meeting up with family.

Paige had been looking forward to it since she bought the new console. However, it wasn’t to be. “We didn’t even make it as far as starting to download the game, because it wouldn’t let me log in to PlayStation Network,” Dan said. “Nothing was online at all, so we couldn’t even try and download games.” Disappointedly they headed out for the day’s events and couldn’t try again until that evening, when they discovered that the network was still down. A $400 gift they couldn’t play. Dan had to work the next day too, so he couldn’t even try it then. He was gutted.

Five hundred and fifty miles north, in Toronto, 16-year-old Mustafa Aijaz was pumped. Christmas Day—particularly the evening—was the best game time of the year. It’s always been a bit of a holiday within the holiday for serious players. The tradition revolves around a phenomenon called “Christmas Noobs.” At Christmas, so many new players receive new games and consoles that online games are flooded with a tidal wave of gamers who often fumble their way through the top games and act like cannon fodder for the waiting legions of seasoned veterans. Mustafa and his mates were skilled at _Call of Duty: Advanced Warfare_. “We were all ready for a night of easy wins, quick XP \[experience points\] farming, and were looking forward to leveling up like crazy.” So, they waited like crocodiles anticipating herds of migrating buffalo to enter the river. But just as the bullets started flying they were all unceremoniously chucked out of their matches and knocked offline. “None of us could log back in, and party chat was down too, so we couldn’t even talk to each other to figure out what was happening,” Mustafa said.

It was all over social media: A group of hackers called Lizard Squad were bragging about their massive DDoS attack on Xbox Live and PlayStation Network—the crucial services that linked tens of millions of gamers to the Microsoft and Sony servers. Mustafa had seen that the group had already carried out smaller-scale attacks and had for weeks been taunting and threatening a big attack. Apparently it was all linked to some silly and incomprehensible spat with a rival but minor hacking group. Mustafa was angry but also fascinated by the attack and the incredible reaction online. “The fallout was instantaneous. People were furious,” he said.

PlayStation Network at the time had about 110 million subscribers, and Xbox Live had roughly 48 million. Xbox was back to normal within 24 hours—on Boxing Day. But PlayStation struggled for longer. It didn’t just affect existing subscribers. Before you can use any new games, consoles, or vouchers, you need to register them via the gaming company’s servers. It was a catastrophe for the games industry, especially Sony, which had already been having a tough time after a different cyberattack the previous month.

Services were down around the world. Error messages in dozens of languages were being posted as screenshots on YouTube and Twitter. There was nothing anyone could do until the engineers at Sony and Microsoft figured it out or Lizard Squad stopped the attack.

Late in the evening on Boxing Day, BBC Radio 5 Live aired an interview with two members of the group. They showed zero remorse for the impact they’d had on people around the world. Twelve hours later I walked into the newsroom and was given the seemingly impossible task of “getting a Lizard” on the evening TV bulletin at Sky News.

It took hours of trawling Twitter and speaking to dozens of wannabes and fakes, but I eventually succeeded in finding contact details for a British man called Vinnie Omari. Incredibly, he lived a few miles from our newsroom in west London. He agreed to come to us for the interview and was pale, skinny, wore all black and talked fast. He was at pains to distance himself from the gang but left the studios promising that a Lizard Squad hacker called “Ryan” would be in touch. I had no idea at the time of course that this “Ryan” was Julius Kivimäki—an already infamous teenage hacker and delinquent from Finland. It was later that afternoon—at around 3 pm —that “Ryan” called through on Skype. Just in time for us to edit our conversation with him into our news piece.

The 17-year-old looked very young and pale and had a shaved head and soft features. In spite of everything, he was polite and seemed in no rush. But he was also utterly unremorseful and arrogant, struggling to stifle a smirk throughout the interview. When I started by asking him why he wanted to ruin Christmas for tens of millions of people, he gave me the same boilerplate answer about the boys doing it to amuse themselves and embarrass these tech mega corps. “These companies make tens of millions every month from just their subscriber fees, and they should have more than enough funding to be able to protect against these attacks.” We went back and forth for about 15 minutes without him giving any hint of regret or awareness for how many people had been affected by his stunt.

“I’d be worried if those people didn’t have anything better to do than play games on their consoles at Christmas Eve and Christmas Day,” he said. “I mean, I can’t really say I feel bad. I might have forced a couple of kids to spend their time with their families instead of playing games.”

The interview blew up online, with more than a million views on YouTube and thousands of comments on Twitter, where many four-letter words were hurled at the Lizards. PlayStation and Xbox also received a torrent of abuse. Later they would offer a five-day extension to players’ subscription periods and 10 percent off as compensation. The resulting bill for the company must easily have been in the millions.

Kivimäki went on to speak to other reporters, sometimes calling himself Ryan Cleary (a reference to another hacker he had vague and likely acrimonious link to from a previous teen hacker gang called LulzSec). In one interview and debate on YouTube channel DramaAlert he is implored by Kim Dotcom to stop the silly hacker rivalries that were impacting so many innocent people. “Hackers used to be respected; they used to have a magic about them,” Kim said, accusing Lizard Squad of harming the image of hackers around the world with their actions. Kivimäki’s response is fascinating: He laughed it off as old-fashioned thinking. “It’s wrong to connect groups like Lizard Squad with, for example, L0pht from a couple of decades back,” he said. “There’s really no connection with the hacking groups of today and the hacking groups of two decades ago. The meaning is totally different now.”

Although many security experts angrily railed against the media’s portrayal of Lizard Squad as “sophisticated,” people grudgingly came to accept that the Christmas attack did have a big impact on cybersecurity and the gaming industry. There’s little doubt that this was not the group’s motive—despite their clumsy attempts to claim so in interviews. But it was a wake-up call. Security website SecurityAffairs wrote a “lessons learned” piece by dissecting my interview with Kivimäki. Many people considered Lizard Squad script kiddies, they wrote, adding, “This approach is totally wrong.”

The size of the attack unleashed on that day would be shrugged off by most modern sites, but DDoS attacks are still commonplace and are getting more powerful. Expensive protection services are now a must-have for any organization that needs to stay online.

The attacks also started something of a cybercrime trend. In 2024 Europol unveiled an international law enforcement operation to take DDoS services down in December: “The festive season has long been a peak period for hackers to carry out some of their most disruptive DDoS attacks, causing severe financial loss, reputational damage, and operational chaos for their victims,” the organization said in a statement.

At the time of Lizard Squad’s attacks, the general public was stunned. Despite Lizard Squad being on the tail end of a wave of teenage hacking groups in the 2010s, there was little awareness of the power that could be wielded by these otherwise amateur attackers. There might have been a vague feeling in the zeitgeist that “hackers in hoodies in their bedrooms” were increasingly causing problems, but this attack was immediate, unmissable, and easy to understand. It was of course also easy to get angry about. Over the next couple of days I came back to the story with follow-ups about the fallout as other Lizard Squad members spoke to YouTubers about the so-called “drama.” But the big thing the newsroom kept asking me was, When would these kids be arrested?

Vinnie Omari was the first. On New Year’s Eve he was raided by the South East Regional Organized Crime Unit, which collared him on suspicion of cyber fraud offenses committed in 2013 and 2014. It looked like the raid was for other alleged offenses involving PayPal fraud, but the search warrant, which later surfaced online, also referenced the Christmas DDoS attacks. “They took everything: Xbox One, phones, laptops, computer USBs, etc.,” Omari told reporter William Turton from the Daily Dot. He was later cleared of any involvement.

After Omari’s arrest, other Lizards were taken out too. On January 16, 2015, police announced that they had arrested an 18-year-old in Southport, near Liverpool. They didn’t give a name, but reporters at the Daily Mail identified him: “The ‘quiet’ teenager, named locally as Jordan Lee-Bevan, was arrested during a raid at his semi-detached home in Southport, Merseyside, today, with officers seizing computers as he was taken away in a police car.”

In 2016 teenager Zachary Buchta from Maryland was also arrested for his role in Lizard Squad and another group called PoodleCorp. As a boy he had been warned in 2014 about his criminal path by police who had caught him carrying out minor cybercrime activity. But he was undeterred and even changed his Twitter profile at one stage to @fbiarelosers to taunt the cops.

At the same time that Buchta was arrested, Dutch police raided and arrested another 19-year-old. Bradley van Rooy, who used the names “Uchiha” or “UchihaLS,” was accused of conspiring with other members of Lizard Squad to operate websites that provided cyberattack-for-hire services, facilitating thousands of DDoS attacks and trafficking stolen payment card account information for thousands of victims.

Bradley was put on bail for two years and eventually given a two-year suspended sentence and 180 hours of community service. The vast majority of charges against him were dropped as they had taken place when he was a minor. He ended up being convicted of the DDoS-for-hire operation and handling stolen credit cards. I tracked him down, and he openly talked about that period of his life, which he had put behind him a long time ago. “I’m now 27, and I see the damage that I did and understand that there could have been a higher punishment,” he says. “But then I also see that I was just a kid, and I had a troubled time at school and just fell into the hacking life after meeting the wrong people when I was playing the game _RuneScape_.”

Bradley’s journey and words track so perfectly to the experiences of almost every hacker I have met or interviewed. It’s as though there is a universal constant, whereby a subset of gamers in every generation is pulled into cybercrime in exactly the same way. There are literally billions of gamers in the world, so these people represent only a tiny fraction. But it seems to be inevitable and cyclical as hacker groups rise and fall.

The differentiating and more important aspect, though, is how these boys and young men react when they cross the line and are caught.

So what of Julius Kivimäki, aka “Ryan,” aka “Ryan Cleary” and many other aliases including the by now infamous “Zeekill”?

Surely, after appearing on TV and radio admitting that he was part of the gang, he too would be rearrested sharpish? Officers did indeed visit Kivimäki to interview him, but they did not arrest him—contrary to reports in the international media. It’s not clear why they took no further action, but perhaps when the teenager confidently said that police would find nothing on his computer he was right. “They’d have to let me go,” he had cockily asserted in our interview. If so, maybe his run-in with police years earlier had taught him to cover his tracks more effectively. Or maybe he hadn’t taken as much of a leading role in the DDoS attacks as he had claimed.

For Finnish cybercrime cop Antti Kurittu, seeing Kivimäki on TV was especially galling. Antti had raided and arrested Kivimaki two years earlier for other cyberattacks carried out with a different teenage cyber gang called HTP. “I remember watching your Sky News interview and just thinking ‘wow, this guy is not even trying to cover up his crimes. He’s just a different sort of person,’” Antti recalls.

It wasn’t until July 2015 that Kivimäki received his first criminal conviction. He was found guilty of the rather preposterous total of 50,700 instances of aggravated computer break-ins—one for every computer enslaved into HTPs botnet. He was also convicted of other offenses including data breach, money laundering, and being in possession of, and using, stolen credit cards. For all of these offenses, he was handed a two-year suspended sentence. If he had been an adult he could have got years behind bars, but as a minor and first-time offender he served no time in prison. So Kivimäki, just a few weeks from his 18th birthday, remained free. He began calling himself the “Untouchable Hacker God” on Twitter.

A year after Kivimäki’s sentencing, in a bizarre coincidence, Antti bumped into Kivimäki in Amsterdam. It was April 2016 and Antti was walking through the departures lounge of Schiphol Airport when he passed the by-then 18-year-old. Antti did a double take, gobsmacked to see him. It was so surreal that they both found it amusing and took a selfie. After a short chat, Antti asked Kivimäki if he was now “staying out of trouble.” Kivimäki replied, “Of course.” But when Antti asked him for a contact email address, he made one up with “@FBI.gov” at the end. They laughed and went their separate ways.

But, as Antti predicted, the Untouchable Hacker God would be back. Four years later he was. And this time he was linked to the cruelest cyberattack in history and had a new alias: ransom\_man.

_Excerpt adapted from_ Ctrl+Alt+Chaos: How Teenage Hackers Hijack the Internet _by Joe Tidy. Published by arrangement with Elliott & Thompson. Copyright © 2025 by Joe Tidy._

What Really Happened in the Aftermath of the Lizard Squad Hacks

Today, your internet presence is much more than just a website or social media profile, it’s like your…

Today, your internet presence is much more than just a website or social media profile, it’s like your business card, reputation and main medium of staying connected. However, with this visibility comes genuine danger. Do you know what’s one of the most troublesome threats hiding out there? DDoS attacks! If you have not heard this term before, no need to worry. Let’s simplify it and understand how to protect your online space from it.

****DDoS: What it Means****

DDoS is short for Distributed Denial of Service. It may sound complicated, but basically, it means overwhelming a server or website with excessive fake traffic until it falls apart. Imagine a coffee shop where suddenly many people arrive at the same time, not to buy anything, just to block the space. In this situation, real customers are unable to enter and the business comes to a halt. This is primarily what occurs during a DDoS attack – it’s bots that cause this blockage.

Usually, these kinds of attacks are started by using networks of computers that have been taken over – many times they belong to people who don’t even know. This is what is meant by “distributed”. When it starts, your website could either become very slow or completely unavailable.

****Why You Should Care (Even If You’re a Small Business)****

At this point, it’s normal to think, “I don’t have a major brand, just a small business” or “I just run a personal blog.” DDoS attacks can also be used against much smaller businesses. Smaller sites are targeted quite often because attackers believe their security is not as strong. Truth is, when your website goes down, even briefly, it affects your reputation, and your budget and makes your customers or users unhappy.

In addition, a DDoS attack can stop your service or online store from operating. People can’t order or get answers which causes them to doubt the business. It can be very irritating, but it can also be truly harmful.

****Start with Strong Hosting****

A solid first action is to select a reliable hosting provider. Hosting providers are not all the same and some are better prepared to handle DDoS attacks than others. Find hosting providers that guarantee or promote DDoS protection through their services. This is because they have effective steps to prevent and handle an attack early on.

Don’t hesitate and ask your hosting provider which security measures they have for your website. If their responses are unclear or they treat security lightly, this is a warning sign. You should choose a provider that handles the back-end work and protects your site from malicious users at the same time.

****Get a CDN Working for You****

For even better performance, allow your website to tap into a CDN. A Content Delivery Network uses multiple servers worldwide to distribute the activities involved in content delivery. Therefore, all the requests are not delivered to your main server at the same time. If there is a DDoS attack, the distribution system can save you.

****Firewalls and Rate Limiting****

Firewalls act like filters, they inspect incoming traffic and stop suspicious things before reaching your main systems. Web Application Firewalls (WAFs) are specially designed to block the kind of unwanted traffic that DDoS attacks cause.

Next, we have rate limiting – this is a background function that restricts how frequently someone can interact with your site. If something is making constant requests to your server, it will be flagged or stopped.

****Keep an Eye on What’s Happening****

A lot of damage from DDoS attacks happens because people don’t notice it early enough. So, make sure to monitor your site’s traffic. Sudden increases, constant hits to one page or visits from strange places can all suggest concerns. 

Many tools exist today that make website monitoring easy. Some of these are included in hosting plans, while others can be added by you manually. You don’t need advanced coding skills – just some understanding of this domain is quite helpful.

****Have a Contingency Plan****

Regardless of how strong your security is, things can still go wrong. So it’s smart to have a plan in case you do get hit. Be aware of who you should reach out to when problems occur – this could be your host, a protective service or someone experienced in such matters.

Maintain updated backups and ensure you are familiar with quick restoration. Additionally, inform your users about the ongoing situations. Clear communication can go a long way in keeping trust intact during tough times.

****Call in the Pros if You Need to****

Feeling overwhelmed? Managed security services exist for a reason. These individuals are experts in detecting threats and reacting quickly, so you don’t need to be on guard all the time.

Yes, it costs money. However, if your business relies on your online presence, the expense may be worthwhile simply for the reassurance. Think of it as employing a security guard for the night shift at your virtual store.

****Keep Everything up to Date****

This may seem like the basics of cybersecurity, but it’s important to keep your devices updated. Old plugins, CMS versions or themes can be great opportunities for hackers. Fix those gaps before anyone else discovers them.

Nevertheless, DDoS attacks are very serious, but they’re not impossible to defeat. By using intelligent strategies such as improving hosting services, CDNs, traffic filters and constant monitoring you can significantly reduce your risk.

(Image by Free stock photos from www.rupixen.com from Pixabay)

How to Protect Your Online Presence from Devastating DDoS Attacks

Shift in cyberattack focus puts APAC region under growing pressure.

India, China and the US were the top DDoS attacks targets in Q1 2025, with APAC facing over half of global attacks, according to new data from cybersecurity firm StormWall.

A new report from cybersecurity firm StormWall reveals that nearly half of all DDoS attacks in the first quarter of 2025 were aimed at China, India and the United States. Instead of focusing heavily on the usual targets, attackers are now directing more of their efforts toward infrastructure in the Asia-Pacific region.

According to StormWall’s analytics center, India topped the chart with 18.1% of the global DDoS traffic, followed by China at 16.2% and the US at 14.7%. Japan (12.3%) and Taiwan (10.2%) rounded out the top five. When it comes to industry-wise attacks, Telecommunications became the top target in APAC, with 136% year-over-year (YOY) growth.

Four of the five most targeted countries now sit in the APAC region, with 57% of all malicious requests focused there. This shows that attackers are moving their focus away from the usual targets in Europe and North America, at least for now. The reasons may be geopolitical, economic, or a combination of both.

“You can always count on US targets attracting a lot of attention,” said Ramil Khantimirov, founder of StormWall. It’s the world’s largest GDP and hackers are always going to target that, but we’ve never seen so much activity in APAC and so densely concentrated.”

According to StormWall’s report shared with Hackread.com ahead of publishing on Thursday, the main force behind these attacks is botnets. These networks of infected devices were responsible for nearly 70% of all DDoS traffic tracked by StormWall in the first quarter of 2025.

Botnets, often run by state-sponsored groups, hacktivists, or organized cyber criminals, allow attackers to direct massive traffic at targeted systems. One such botnet identified in the report, named “Eleven11bot,” used a network of 86,000 compromised IP cameras and DVRs. It was frequently used in politically motivated campaigns.

While APAC faced an increase in DDoS attacks, other regions haven’t been spared. Belgium, though much smaller, experienced significant attacks, with 9.7% of global DDoS activity aimed at its national digital infrastructure, including MyGov.be and the Walloon Parliament. Saudi Arabia was also hit hard, at 6.8%, largely due to pro-Palestinian attacks linked to ongoing regional tensions.

Countries like Italy, Russia, and Switzerland appeared further down the list with lower attack volumes, but experts caution that even minor increases in activity can pose serious threats to unprepared networks.

Via StormWall

StormWall’s data paints a picture of a fast-evolving threat environment, driven by automation, political motives, and shifting strategic interests. While botnet-powered campaigns grow in scale, the need for mitigation services is more important than ever.

However, separate research from NordPass shows that many industries still fall short on basic cybersecurity. In most cases, weak and easily guessed passwords like 123456 and passwords@, are still in use, making systems vulnerable to breaches and turning devices into part of larger botnets.

StormWall Reveals India, China and US Faced Most DDoS Attacks in Q1 2025

Among all ages, Minecraft still rules the gaming scene as a preferred choice. The game provides a broad…

Among all ages, Minecraft still rules the gaming scene as a preferred choice. The game provides a broad spectrum of activities from building huge constructions and joining multiplayer servers to investigating blocky environments. But your PC configuration is more important than you would realize for seamless, lag-free gameplay.

Minecraft may seem visually basic, but depending on shaders, modifications, or custom servers it may be shockingly resource-intensive. Performance depends on your computer’s meeting of the optimal system criteria. Equally crucial, particularly in multiplayer settings, is having access to a solid good Minecraft hosting to maintain server-side gaming robust and responsive.

****Minimum against Suggested System Requirements****

Your playing style will affect Minecraft’s performance needs. Most entry-level systems let Vanilla Minecraft (unmodified) operate. The demand rises greatly, though, if you’re experimenting with high-end shaders or diving into sophisticated modpacks.

****Here’s what you should know:****

**Vanilla Minecraft’s minimum requirements:**

*   CPU: Intel Core i3-3210 / AMD A8-7600  
    
*   RAM: 4 GB  
    
*   GPU: Intel HD4000 / AMD Radeon R5 integrated graphics  
    
*   Storage: Free 2 GB  
    
*   OS: Windows 7 or anything later  
    

**For Modded or Shader-Enhanced Minecraft, recommended requirements:**

*   CPU: Intel Core i5, AMD Ryzen 5 or above  
    
*   RAM: 8 GB or above  
    
*   GPU: Specifically designed graphics (GTX 1650 / RX 570 or above)  
    
*   Storage: SSD with at least 4 GB free capacity  
    
*   OS: latest macOS/Linux or Windows 10/11  
    

Although these requirements offer a minimum, gaming may also be impacted by Java settings and background apps.

****What Affects Minecraft Performance?****

Especially in single-player or slightly modified gameplay, Minecraft mostly depends on CPU and RAM rather than GPU. But when you include shaders or higher-resolution texture packs, GPU capability becomes crucial. Storage also plays a part; loading worlds on SSDs is clearly faster than on conventional hard disks.

New performance requirements are presented by server-based games. Stuttering, latency, or crashes might result from hosting your own server on the same system you are using for play. Many players thus choose outside solutions that guarantee a better experience for the host and users by providing solid Minecraft hosting with 24/7 uptime, mod support, and DDoS protection.

****Single-Player Versus Multiplayer: Hardware Division****

Running Minecraft in single-player mode mostly runs on resources from your machine, but adding multiplayer alters the dynamic. Even a little server calls for more RAM and CPU when hosted. Particularly if your environment has farms, redstone contraventions, or modified material, more players mean an exponentially increasing burden.

Separating your games from your hosting will help to ensure the best performance. While the hosting provider manages world data and multiplayer traffic, using an outside host lets your computer concentrate on producing your game.

****Essential Items to Give Minecraft Top Priority****

Here’s the only list you should concentrate on whether you are constructing or updating your PC for Minecraft:

*   **CPU:** Pick a high-performance CPU – AMD Ryzen 5/7 or Intel i5/i7. Particularly with add-ons, Minecraft uses CPU heavily.  
    
*   **RAM:** Try a minimum of 8 GB. Should you be modifying, use the launcher to allot 4–6 GB to Minecraft.  
    
*   **GPU:** Shaders and HD textures call for this. A GTX 1650 or above will offer a smooth ride.  
    
*   **Storage:** For rapid startup times and speedy world loading, use an SSD.  
    
*   **Cooling:** Minecraft may be taxing over long sessions; excellent ventilation helps to reduce overheating.  
    

This configuration guarantees both performance and long-term dependability so you may enjoy every feature of Minecraft free from restrictions.

****Tips for Optimizing Performance: Tweaks****

Changing in-game settings will help to increase performance even with a good machine. FPS may be much improved by cutting render distance, turning off fancy visuals, and decreasing particle count. Another great approach to improving graphic quality and keeping smooth gameplay is installing OptiFine. It also provides sophisticated shader support and visual settings.

Simple actions that increase stability and speed are allocating more RAM through the launcher and maintaining Java runtime updated for your drivers.

****Considerations for Hosting Multiple Player Servers****

If you intend to operate a Minecraft server, especially one available to friends or the public, you should give some thought to an outside hosting provider. While it’s possible to host locally, your performance and security may suffer.

A well-reviewed Minecraft server hosting provider can make all the difference. From one-click modpack installations to reliable support, hosted services ensure that your server remains online, optimized, and protected. It also frees up your personal computer for gameplay instead of acting as both client and server.

****Conclusion: Build Smart, Play Smooth****

Minecraft offers limitless creativity, but your PC’s hardware determines how enjoyable the experience is. From exploring vast modded worlds to managing thriving multiplayer servers, having the right specifications can transform gameplay from sluggish to seamless.

Choosing high-quality components and pairing them with good Minecraft hosting not only enhances your in-game experience but also ensures your community remains connected and lag-free. And if you’re diving into server management, don’t overlook the importance of selecting reliable Minecraft server hosting to handle the backend with efficiency and speed.

Photo by Oberon Copeland @veryinformed.com on Unsplash

Maximize Your Minecraft: Optimal PC Setup and Server Hosting Essentials

Operation Endgame takes down DanaBot malware network; 300 servers neutralized, €21.2M in crypto seized, 16 charged, 20 international warrants.

In a major international operation coordinated by Europol and Eurojust, law enforcement agencies and private sector partners have successfully dismantled the DanaBot malware network.

This global effort, part of the ongoing Operation Endgame, led to federal charges against 16 individuals, the neutralization of approximately 300 servers and 650 domains worldwide between May 19 and 22, 2025, and the issuance of international arrest warrants for 20 targets. Over EUR 21.2 million in cryptocurrency has also been seized in total during Operation Endgame, including EUR 3.5 million during this latest action week.

The DanaBot malware, controlled by a Russia-based cybercrime organization, infected over 300,000 computers globally, causing at least an estimated $50 million in damages through fraud and ransomware. Among those charged by the US Department of Justice (DoJ) are Aleksandr Stepanov, 39, and Artem Aleksandrovich Kalinkin, 34, both from Novosibirsk, Russia, who remain at large.

****DanaBot’s Evolution Tactics****

DanaBot, first identified in May 2018, operated as a _malware-as-a-service_ (MaaS), renting its capabilities to other criminals. It was highly versatile, stealing banking credentials, browsing history, and even cryptocurrency wallet information, while also offering remote access, keylogging, and screen recording. Initial infections often came via spam emails. Hackread.com notably reported on DanaBot’s emergence in 2019, when Proofpoint researchers first detailed its spread.

ESET, which has carefully tracked DanaBot since 2018, confirmed its evolution into a top banking malware, noting that countries like Poland, Italy, Spain, and Turkey were historically among its most targeted.

ESET researcher Tomáš Procházka added, “Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system.”

More recently, a new version of DanaBot has been found hidden in pirated software keys for “free VPN, anti-virus software and pirated games,” tricking users downloading from bogus sites.

DanaBot Infrastructure (Source: ESET)

Beyond financial crime, the investigation revealed DanaBot’s sinister dual purpose. A variant, tracked by CrowdStrike as SCULLY SPIDER, targeted military, diplomatic, and government entities in North America and Europe for espionage, and was observed by ESET launching DDoS attacks against targets like Ukraine’s Ministry of Defense following the Russian invasion.

According to Europol’s press release, this massive takedown is an evidence to extensive international cooperation. The investigation was spearheaded by the FBI’s Anchorage Field Office and the Defense Criminal Investigative Service (DCIS), with significant assistance from Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, and the Australian Federal Police.

Europol and Eurojust provided crucial coordination, with a command post at Europol HQ involving investigators from Canada, Denmark, France, Germany, Netherlands, UK, and US.

Numerous private cybersecurity companies provided critical technical assistance, including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Team Cymru, and ZScaler. ESET Research specifically contributed technical analysis of the malware and its backend infrastructure, along with identifying DanaBot’s command and control servers.

German authorities will add 18 suspects to the EU Most Wanted list from May 23, 2025. This coordinated action is a major blow to cybercriminal networks, showing the power of global partnerships against growing cybersecurity threats.

Operation Endgame is aimed at breaking the “ransomware kill chain.” So far authorities have neutralised initial access malware like Bumblebee, Latrodectus, Qakbot, Hijackloader, Trickbot and Warmcookie.

Operation Endgame Takes Down DanaBot Malware, Neutralizes 300 Servers

The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.

The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling **DanaBot**, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The **FBI** says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.

DanaBot’s features, as promoted on its support site. Image: welivesecurity.com.

Initially spotted in May 2018 by researchers at the email security firm **Proofpoint**, DanaBot is a malware-as-a-service platform that specializes in credential theft and banking fraud.

Today, the **U.S. Department of Justice** unsealed a criminal complaint and indictment from 2022, which said the FBI identified at least 40 affiliates who were paying between $3,000 and $4,000 a month for access to the information stealer platform.

The government says the malware infected more than 300,000 systems globally, causing estimated losses of more than $50 million. The ringleaders of the DanaBot conspiracy are named as **Aleksandr Stepanov**, 39, a.k.a. “**JimmBee**,” and **Artem Aleksandrovich Kalinkin**, 34, a.k.a. “**Onix**”, both of Novosibirsk, Russia. Kalinkin is an IT engineer for the Russian state-owned energy giant **Gazprom**. His Facebook profile name is “Maffiozi.”

According to the FBI, there were at least two major versions of DanaBot; the first was sold between 2018 and June 2020, when the malware stopped being offered on Russian cybercrime forums. The government alleges that the second version of DanaBot — emerging in January 2021 — was provided to co-conspirators for use in targeting military, diplomatic and non-governmental organization computers in several countries, including the United States, Belarus, the United Kingdom, Germany, and Russia.

“Unindicted co-conspirators would use the Espionage Variant to compromise computers around the world and steal sensitive diplomatic communications, credentials, and other data from these targeted victims,” reads a grand jury indictment dated Sept. 20, 2022. “This stolen data included financial transactions by diplomatic staff, correspondence concerning day-to-day diplomatic activity, as well as summaries of a particular country’s interactions with the United States.”

The indictment says the FBI in 2022 seized servers used by the DanaBot authors to control their malware, as well as the servers that stored stolen victim data. The government said the server data also show numerous instances in which the DanaBot defendants infected their own PCs, resulting in their credential data being uploaded to stolen data repositories that were seized by the feds.

“In some cases, such self-infections appeared to be deliberately done in order to test, analyze, or improve the malware,” the criminal complaint reads. “In other cases, the infections seemed to be inadvertent – one of the hazards of committing cybercrime is that criminals will sometimes infect themselves with their own malware by mistake.”

Image: welivesecurity.com

A statement from the DOJ says that as part of today’s operation, agents with the **Defense Criminal Investigative Service** (DCIS) seized the DanaBot control servers, including dozens of virtual servers hosted in the United States. The government says it is now working with industry partners to notify DanaBot victims and help remediate infections. The statement credits a number of security firms with providing assistance to the government, including **ESET**, **Flashpoint**, **Google**, **Intel 471**, **Lumen**, **PayPal**, **Proofpoint**, **Team CYMRU**, and **ZScaler**.

It’s not unheard of for financially-oriented malicious software to be repurposed for espionage. A variant of the **ZeuS Trojan**, which was used in countless online banking attacks against companies in the United States and Europe between 2007 and at least 2015, was for a time diverted to espionage tasks by its author.

As detailed in this 2015 story, the author of the ZeuS trojan created a custom version of the malware to serve purely as a spying machine, which scoured infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents.

The public charging of the 16 DanaBot defendants comes a day after **Microsoft** joined a slew of tech companies in disrupting the IT infrastructure for another malware-as-a-service offering — Lumma Stealer, which is likewise offered to affiliates under tiered subscription prices ranging from $250 to $1,000 per month. Separately, Microsoft filed a civil lawsuit to seize control over 2,300 domain names used by Lumma Stealer and its affiliates.

Further reading:

Danabot: Analyzing a Fallen Empire

ZScaler blog: DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense

Flashpoint: Operation Endgame DanaBot Malware

Team CYMRU: Inside DanaBot’s Infrastructure: In Support of Operation Endgame II

March 2022 criminal complaint v. Artem Aleksandrovich Kalinkin

September 2022 grand jury indictment naming the 16 defendants

Tag

#ddos