Polish authorities arrest 4 behind major DDoS-for-hire sites used in global attacks. Europol, US, Germany, and Dutch forces…

Polish authorities arrest 4 behind major DDoS-for-hire sites used in global attacks. Europol, US, Germany, and Dutch forces assist in takedown.

In a coordinated international operation, law enforcement has shut down a major slice of the DDoS-for-hire business. Polish authorities, supported by Europol and agencies in the US, Germany, and the Netherlands, have arrested four individuals accused of running six separate stresser/booter platforms that fueled thousands of cyberattacks between 2022 and 2025.

The arrested suspects are believed to be behind platforms including:

*   Cfxapi
*   Zapcut
*   Jetstress
*   Neostress
*   Cfxsecurity
*   Quickdown

These services offered anyone with a few euros the power to carry out DDoS attacks and knock websites and servers offline with little more than a login and a target IP address. Prices reportedly started as low as €10.

The screenshot shows cfxsecurity’s internal panel (Image credit: Fox\_threatintel  
@banthisguy9349)

According to Europol’s press release, these platforms were used to hit schools, public services, businesses, and online gaming platforms. The attacks flooded systems with overwhelming amounts of fake traffic, leaving legitimate users locked out and services down.

****An Industry of On-Demand Attacks****

Stresser and booter services market themselves as legitimate tools for stress-testing servers. In reality, they’re often used to carry out coordinated denial-of-service attacks. By centralizing and automating the process, these platforms make it easy for nearly anyone to carry out disruptions at scale, with no technical expertise required.

All it takes is entering the target’s IP address, choosing the method of attack, and paying the fee. The backend handles the rest, launching a wave of junk traffic that can knock offline even well-protected systems.

****International Crackdown Gains Momentum****

The operation, part of the ongoing Operation PowerOFF, highlights how global authorities are stepping up pressure on the people running these services. Dutch law enforcement has gone a step further, launching fake booter sites designed to warn users and gather intelligence on would-be attackers.

Data recovered from seized servers in the Netherlands played a key role in helping Polish investigators track and arrest the suspects. Germany contributed to the investigation by identifying one of the administrators, while US agencies seized nine domains linked to similar services during the same week.

This operation not only dismantles part of the infrastructure used to sell and deliver DDoS attacks but also sends a message to both operators and customers. Law enforcement isn’t just tracking the platforms, they’re watching the users too.

Nevertheless, in the end, by taking down these services, authorities are making it harder for casual users to access and weaponize DDoS attacks. At the same time, they’re showing how international cooperation can make a meaningful dent in online criminal activity.

Europol, Poland Bust Major DDoS-for-Hire Operation, Arrest 4

Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks.
The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command

Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet

Cloudflare’s Q1 2025 DDoS Threat Report: DDoS attacks surged 358% YoY to 20.5M. Germany hit hardest; gaming and…

Cloudflare’s Q1 2025 DDoS Threat Report: DDoS attacks surged 358% YoY to 20.5M. Germany hit hardest; gaming and telecom were among the top targets.

The digital world faced an unprecedented onslaught of Distributed Denial of Service (DDoS) attacks in the first quarter of 2025, according to Cloudflare’s latest threat report. The sheer volume of these malicious attempts to disrupt online services reached a staggering 20.5 million, marking an astounding 358% increase compared to the same period last year.

Cloudflare’s report shows a concerning 198% QoQ increase in attack numbers this year with the number of blocked DDoS attacks reaching 96% in the first three months of 2025, compared to the entire year of 2024. These findings corroborate the latest Link11 European Cyber Report, which also found DDoS attacks increasing substantially in 2025.

Source: Cloudflare

Around 6.6 million of these malicious attacks directly targeted Cloudflare’s network infrastructure in an 18-day multi-vector campaign, using techniques like SYN floods, Mirai botnet attacks, and SSDP amplification. This highlights the vulnerability of security service providers themselves to sophisticated attempts to overwhelm their defences, highlighting the need for continuous security measures.

Furthermore, the report highlighted a disturbing trend in the rise of hyper-volumetric DDoS attacks, those exceeding the massive threshold of 1 Terabit per second (Tbps) or 1 Billion packets per second (Bpps). In the first quarter alone, Cloudflare successfully mitigated over 700 of these colossal attacks, averaging about eight such events every single day.

In Q1 2025, Germany became the most attacked country, followed by Turkey and China whereas Hong Kong became the top source of DDoS attacks followed by Indonesia and Argentina.

The gambling and casinos industry claimed the top spot, while Telecommunications, Service Providers, Carriers, Cyber Security, Airlines, Aviation & Aerospace industries were among the most targeted industries in DDoS attacks. Major cloud computing and hosting providers like Hetzner, OVH, and DigitalOcean consistently appeared as significant sources of HTTP DDoS attacks.

Source: Cloudflare

Moreover, Cloudflare observed and blocked “dozens of hyper-volumetric DDoS attacks” in the latter half of April. These included record-breaking events, with one attack peaking at an astonishing 4.8 Bpps, a 52% increase over the previous record. Separately, they defended against a massive 6.5 Tbps flood, matching the highest bandwidth attack ever publicly reported.

Interestingly, most targeted customers didn’t know the attackers’ identities, but those who had some insight cited competitors (39%) as key threats, particularly in the gaming and gambling sectors. Other identified threat actors included state-level actors (17%), disgruntled users or customers (11%), and self-inflicted DDoS attacks (11%).

Network layer attacks were dominated by SYN floods, followed by DNS floods. A significant shift saw Mirai botnet attacks rise to the third most common, pushing UDP floods down. In HTTP attacks, over 60% originated from known botnets, highlighting their continued effectiveness.

The report also identified major emerging threats with substantial quarter-over-quarter growth: CLDAP reflection/amplification surged by 3,488%, and ESP reflection/amplification increased by 2,301%.

While large attacks get attention, most DDoS attacks in Q1 2025 were small: 99% of Layer 3/4 attacks were under 1 Gbps/1 Mpps, and 94% of HTTP attacks were below 1 Mrps. The report stresses that even these “small” attacks can overwhelm unprotected systems. Additionally, most attacks are brief: 89% of Layer 3/4 and 75% of HTTP attacks lasted under 10 minutes, necessitating always-on, automated mitigation.

Germany Most Targeted Country in Q1 2025 DDoS Attacks

Frankfurt am Main, Germany, 30th April 2025, CyberNewsWire

**Frankfurt am Main, Germany, April 30th, 2025, CyberNewsWire**

**Link11 has fully integrated DOSarrest and Reblaze to become one of Europe’s leading providers of network security, web application security, and application performance**

Link11, DOSarrest, and Reblaze have combined their strengths into a single, integrated platform with a new brand identity. The result: a consistent user experience, maximum efficiency, and seamless security. As a European provider, Link11 addresses the current business risks associated with geopolitical uncertainties and growing compliance requirements. At the same time, the company secures business-critical processes worldwide through the synergies created.

With the acquisitions of DOSarrest in 2021 and Reblaze Technologies in 2024, Link11 has expanded its market position. The new Link11 WAAP (Web Application and API Protection) SaaS platform combines comprehensive DDoS protection against web attacks with ML-based adaptive security and API protection. The result is an unmatched combination of adaptive real-time traffic filtering, AI-powered bot detection, and a next-gen web application firewall for secure and encrypted interactions in a single suite.

At the end of 2023, Link11 secured an investment of €26.5 million from Pride Capital Partners. This financing will support the company’s planned product developments and international go-to-market strategy.

**Maximum security through proprietary, sovereign cloud infrastructure and artificial intelligence**

Link11 is setting new standards in protection against DDoS attacks by using its own AI-based technology. The patented DDoS filter secures all traffic within the Link11 cloud – faster and more efficiently than conventional solutions. The advantages over competitors lie in users’ full control over scaling and intelligent real-time analysis of traffic, as well as continuous learning from attacks.

While other providers rely on third-party infrastructures such as AWS or Google, Link11 controls its own cloud infrastructure. This allows protection mechanisms to work in real time – without delays that can have critical consequences in a DDoS attack. As one of Europe’s leading IT security providers, Link11 enables platform-independent protection, even in multi-cloud environments.

**Technological independence as a security factor**

The solution is designed for workloads in any cloud environment. Link11’s network was developed specifically for modern cybersecurity requirements and sovereignty. It strengthens security at the network edge, accelerates global content delivery, and provides resilience and data sovereignty.

> Jens-Philipp Jung, founder and CEO of Link11: “Cybersecurity today means resilience against threats and outages. European companies that set global standards in data protection should also insist on independence when it comes to their cyber resilience. Especially in times of geopolitical uncertainty, sovereign, powerful and trustworthy IT solutions are needed. With Link11, we are demonstrating what European cutting-edge technology can achieve: maximum resilience, top performance and uncompromising compliance – independently and confidently”.

**European companies should rely on an EU-based DDoS protection provider**

Recent surveys of cybersecurity managers show that, given the option, independent and trustworthy security solutions from Europe will be used more in the future. Link11 has been successfully providing its services to companies such as financial institutions, media companies, retail and logistics companies, and the public sector for many years. With a strong brand and a multi-layered security approach, Link11 helps its customers reduce their dependence on cybersecurity. The goal is to make security architectures more resilient – technologically, functionally, and geopolitically. 

YouTube link: Link11 – Always at your side

**About Link11**

Link11 is a specialized European IT security provider that protects global infrastructures and web applications from cyberattacks. Its cloud-based IT security solutions help companies worldwide strengthen the cyber resilience of their networks and critical applications and avoid business interruptions. Link11 is a BSI-qualified provider of DDoS protection for critical infrastructure. With ISO 27001 certification, it meets the highest standards in data security.  

**Contact**

**Lisa Froehlich**  
**Link11 GmbH**  
**\[email protected\]**

Link11 brings three brands together on one platform with new branding

BreachForums posts a PGP-signed message explaining the sudden April 2025 shutdown. Admins cite MyBB 0day vulnerability impacting the…

BreachForums posts a PGP-signed message explaining the sudden April 2025 shutdown. Admins cite MyBB 0day vulnerability impacting the site, plan return, deny seizure, and warn of clones.

In early April 2025, the well-known cybercrime and data breach forum BreachForums disappeared from the internet without explanation. The forum, administered and **owned by the hacker group ShinyHunters**, went offline without any farewell note or clarification, triggering widespread speculation about a possible law enforcement seizure.

Despite these concerns, DNS records for BreachForums remained unchanged, showing the original nameservers at **DDoS-Guard**, not the typical Cloudflare nameservers seen when the FBI seizes criminal infrastructure. This consistency hinted that the site had not fallen into the hands of authorities but left many questions unanswered.

    BreachForums.st DNS Records:
    
    185.129.101.200
    
    185.129.103.200
    
    ns1.ddos-guard.net
    
    ns2.ddos-guard.net
    
    Typical FBI Seizure DNS Records:
    
    plato.ns.cloudflare.com
    
    jocelyn.ns.cloudflare.com

****BreachForums Plans to Return****

Earlier today (April 28, 2025), visitors to Breachforums.st have been met with a new development: a detailed message posted on the homepage, allegedly from the forum’s administration, signed with a PGP key.

According to the statement, the administrators shut down operations after confirming the existence of a MyBB 0day vulnerability that left the forum exposed to infiltration attempts by law enforcement agencies.

It is worth noting that in June 2023, when BreachForums was revived under ShinyHunters’ control, it **suffered a data breach**. The forum administrator attributed the incident to a MyBB 0day vulnerability, which led to the leak of personal details belonging to over 4,000 members.

However, in the latest update, the administrators claimed they acted quickly once they received credible information about the security risk through trusted contacts. They initiated an incident response protocol, shut down infrastructure, and conducted an audit of their systems.

Their findings suggested that although the forum software was vulnerable, the infrastructure had not been compromised and no data had been stolen. The statement also apologized to staff and users for the extended silence, citing operational security as the top priority during the crisis. BreachForums announced that work is underway on a complete rewrite of the forum backend to prevent future vulnerabilities.

Additionally, the message warned users against engaging with various BreachForums clones that have surfaced online, suggesting that these are likely law enforcement honeypots designed to lure and identify cyber criminals. The administrators emphasized that no arrests had taken place and that the original team remained intact.

Screenshot from the BreachForums’ homepage (Image credit: Hackread.com)

****But Some Questions Remain Unanswered****

What the message does not explain is why ShinyHunters deleted their Telegram account. BreachForums had a large and active community on Telegram. What happened to that account, and why were no updates provided on Telegram before taking down the forum?

The sudden disappearance and equally sudden reappearance of BreachForums have raised further concerns within cybercrime circles. While the operators insist the platform remained secure, the revelation of a zero-day vulnerability in the forum software raises new questions about the operational risks associated with underground forums.

**ShinyHunters**, the hacker group tied to the forum’s ownership, has been linked to several high-profile data breaches over the past few years, which places BreachForums under constant scrutiny by law enforcement agencies worldwide.

The situation is likely to develop as cybersecurity researchers, law enforcement, and threat actors react to the forum’s unexpected return. Until then, BreachForums’ future remains uncertain.

BreachForums Displays Message About Shutdown, Cites MyBB 0day Flaw

In this edition, Bill explores how intellectual curiosity drives success in cybersecurity, shares insights on the IAB ToyMaker’s tactics, and covers the top security headlines you need to know.

Thursday, April 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

"Be curious, not judgmental," Ted Lasso says, misattributing Walt Whitman. We forgive Ted because... well, he's Ted Lasso. 

If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I'm asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is "Be curious, not judgmental." 

I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That's why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.  

_Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?_   

These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.  

Beyond that, I always listen for my favorite answer: “I don’t know, but...” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn...” 

Barbecue sauce.

**The one big thing **

Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints. 

**Why do I care? **

A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus. 

**So now what?**

Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.

**Top security headlines of the week **

**Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS.** Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)

**Microsoft purges millions of cloud tenants in the wake of Storm-0558.** In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading) 

**Researchers warn of critical flaw found in Erlang OTP SSH.** The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive) 

**CISA flags actively exploited vulnerability in SonicWall SMA devices.** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)

**Can’t get enough Talos? **

*   Talos Takes: Year in Review Special: Part 3 
*   TL,DR: Attacks on identity, and Multi Factor Authentication 
*   Unmasking the new XorDDoS controller and infrastructure

**Upcoming events where you can find Talos **

*   RSA (Apr. 28 – May 1) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**    
MD5: 42c016ce22ab7360fb7bc7def3a17b04    
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277    
Typical Filename: Rainmeter-4.5.22.exe     
Detection Name: Artemis!Trojan  

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**      
MD5: ff1b6bb151cf9f671c929a4cbdb64d86      
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query        
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f      
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507      
Typical Filename: VID001.exe      
Detection Name: Win.Worm.Bitmin-9847045-0  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376      
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91     
Typical Filename: IMG001.exe     
Detection Name: Win.Trojan.Miner-9835871-0

Lessons from Ted Lasso for cybersecurity success

Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS, with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States.
"From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis.

Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT

In this week’s newsletter, Thorsten muses on how search engines and AI quietly gather your data while trying to influence your buying choices. Explore privacy-friendly alternatives and get the scoop on why it's important to question the platforms you interact with online.

Thursday, April 17, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

As we navigate our daily routines, certain tasks become second nature to us, especially if they are integral to our professions. However, what feels instinctive to one person might be foreign to another. This disparity is akin to a skilled musician effortlessly playing a complex melody, while someone without musical training might appreciate the beauty of the music in a different way. Both may enjoy music, but they experience it from different perspectives. 

Lately, I've found myself thinking about these differences in the context of online interactions, particularly with search engines. I've become increasingly frustrated with how they try to influence my buying behavior or try to “enhance” search results with AI. It's often unsuccessful, as many of you have experienced. I once looked up something for my father-in-law and got swamped for weeks after with advertisements absolutely irrelevant to me. 

It's easy to overlook that when using a search engine, the exchange of knowledge is not one-sided. It's not only users who gain knowledge from indexed content, but search engines also acquire detailed insights into user behavior and preferences. You may unknowingly share sensitive information that could be stored for extended periods or shared with third parties for advertising or other purposes. I tried to get around this by shifting to privacy-focused search engines but wasn’t happy with the experience, either because of smaller or different indexes, or I was missing results in my native language. 

Luckily, I came across an open-source project called SearXNG, a “free internet metasearch engine which aggregates results from up to 229 search services. Users are neither tracked nor profiled.” 

I like it for three reasons: 

1.  You can try one of the public instances and check if you like it before you go all-in.
2.  You can self-host it on bare metal, in Docker or LXC, giving you even more control over your data. 
3.  With Opensearch it seamlessly integrates with your existing browser. 

It took me a couple of days to get used to it, but I do really like it now. It’s not perfect, but it is a real timesaver. As a bonus, the search syntax for advanced use is easy to memorize: 

*   “:en”, “:de” or “:fr” to search in a given language 
*   “!social\_media” or “!news” to search just a given category 

The same principle applies to the increasing number of AI and large language models (LLMs) that process your queries — they also gather information about you. There are initiatives like Perplexica on GitHub that aim to bridge the gap for AI-assisted searches, although I haven't explored them in detail. Additionally, if your interactions extend beyond simple searches to more profound inquiries, such as asking an LLM about the meaning of life, it's wise to first assess the trustworthiness of the engine or the company behind it. Care what you share.

**The one big thing **

We are continuing our discussion of Talos' 2024 Year in Review report, looking at each section in detail. This week, let’s examine ransomware.

**Why do I care? **

Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of related cases.  

Ransomware actors exploited public-facing applications nearly 20% of the time. The Known Exploited Vulnerabilities Catalog for 2024 lists 28 out of 186 Vulnerabilities as “Known to be used in Ransomware Campaigns” with CVE ID’s all the way from 2012-2024 (except for 2015).

**So now what? **

These are major risks which can be mitigated by applying basic cyber hygiene principles. Please update and patch your software, and protect your credentials. Tune in next week to learn about multi-factor authentication (MFA) and identity threats, and why you need to do more than just enable MFA.

**Top security headlines of the week **

*   **OpenAI cuts safety tests in “reckless” AI push.** According to the article, testing has gone down from six months to just days. We all know that even with six months of testing any model, it’ll never be quite perfect. (MSN) Further compounding this: 
*   **AI-hallucinated code dependencies become new supply chain risk.** “Slopsquatting” (as a spin on typosquatting) has become a thing. Threat actors can check with one or more AI models what packages they hallucinate and upload their malicious ones to PyPI or npm. (BleepingComputer)
*   **Windows Recall seems to be back again.** More privacy-related news. If I recall (pun intended) correctly, in May last year Microsoft introduced Recall — a feature which constantly takes screenshots, indexes them, and makes them searchable for you. After huge backslashes in the community, and the creation of tools like TotalRecall, Microsoft paused the launch last June. (BleepingComputer)
*   **The 25-year-old CVE program seemed to be at risk.** MITRE warned on April 15 that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program expired on April 16. This was big. Just in Q1 about 11,781 vulnerabilities were added (with 415 rejected) to the Database. Stopping this would have caused a lot of trouble. (Krebs on Security) However, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it had exercised an option to extend MITRE’s contract—reportedly for another 11 months, according to multiple sources.

**Can’t get enough Talos? **

*   **Unmasking the new XorDDoS controller and infrastructure.** Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks. 
*   **Talos Takes: Year in Review Special (Pt. 2).** Azim Khodjibaev and Lexi DiScola join Hazel to discuss some of the most prolific ransomware groups (and why LockBit may end this year very differently to how they ended 2024).

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1) San Francisco, CA    
*   PIVOTcon (May 7 – 9) Malaga, Spain    
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA    
*   Cisco Connect UK & Ireland (May 20) London, UK  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f     
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe     
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: 2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385**   
MD5: 01b521c78f5bbdaba0cc221bc893e2b8   
VirusTotal: https://www.virustotal.com/gui/file/2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385   
Typical Filename: toyboy.exe     
Detection Name: Gen:Variant.Tedy.758566 

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**   
MD5: 42c016ce22ab7360fb7bc7def3a17b04   
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277   
Typical Filename: Rainmeter-4.5.22.exe    
Detection Name: Artemis!Trojan 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: IMG001.exe    
Detection Name: Win.Trojan.Miner-9835871-0

Care what you share

Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks.

Thursday, April 17, 2025 06:00

*   Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. 
*   A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. 
*   The language settings of the muti-layer controller, XorDDoS builder and controller binding tool strongly suggest that the operators are Chinese-speaking individuals. 
*   Talos discovered the latest version of the XorDDoS controller, called the “VIP version,” and its corresponding central controller were used to build the DDoS bot network for more sophisticated and widespread attacks. 
*   Talos' analysis exposes the network connection between central controller, sub-controller and XorDDoS malware in order to highlight the XorDDoS trojan network pattern. This may help victims identify when they are targeted by these trojans.

**Linux XorDDoS trojan trend and victimology  **

The XorDDoS trojan is a well-known DDoS malware that targets Linux machines, turning them into "zombie bots" that carry out attacks. First identified in 2014, its sub-controller was uncovered in 2015. Based on the simplified Chinese user interface and instructions of the XorDDoS controllers and builder, Talos assess with high confidence that the operators are Chinese-speaking individuals. 

From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence. This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots. It employs a strategy of Secure Shell (SSH) brute-force attacks to gain remote access to target devices. Once it obtains valid SSH credentials, the attacker leverages root privileges to execute a script that downloads and installs XorDDoS on the compromised device. 

Even though numerous security vendors have already provided solutions and detection methods to capture them, Talos continues to observe attempts to deliver XorDDoS malware.

__Figure 1. Cisco Secure Firewall’s monthly malware connection detection statistics.__

Between November 2023 and February 2025, Talos observed that the XorDDoS trojan continued to have a global impact, with nearly 50 percent of its successfully compromised victims located in the United States. Additionally, we noted that the compromised systems attempted to target and attack several countries, including Spain, the United States, Taiwan, Canada, Japan, Brazil, Paraguay, Argentina, the United Kingdom, the Netherlands, Italy, Ukraine, Germany, Thailand, China, India, Israel, Venezuela, Switzerland, Singapore, Finland, Australia, Saudi Arabia, France, Turkey, the United Arab Emirates and South Korea.

__Figure 2. Percentage of XorDDoS successfully-compromised machines across all regions.__

Talos also used our Cisco Secure Network/Cloud Analysis to observe actors using those compromised machines to launch DDoS attack and the attacks are globalized. Notably, we found that the United States accounted for over 70 percent of attempted attacks employing XorDDoS.

__Figure 3. Percentage of XorDDoS attempted targets across all regions.__

**Infection chain  **

XorDDoS has long relied on SSH brute-force attacks to spread. It deploys a malicious shell script that attempts numerous root credential combinations across thousands of servers until it successfully accesses a target Linux device. Once inside the machine, XorDDoS implements persistence mechanisms to ensure it launches automatically at system startup, therefore evading detection and termination by security products. To maintain persistence, the malware installs an init script and a cron job script. These scripts are embedded within the malware and perform actions consistent with those outlined in previous reports.

__Figure 4. Inint script and cron script embedded in trojan.__

The latest version of XorDDoS malware continues to use the same decryption function and the XOR key "BB2FA36AAA9541F0" to decrypt its embedded configuration. Once the URLs or IPs are decrypted, they are added to a remote list. This list is then used to establish communication and retrieve commands from the C2 server. Talos used CyberChef to successfully decrypt one of the examples.

__Figure 5. Talos CyberChef decryption.__

**XorDDoS new sub-controller and central controller **

Although the sub-controller for XorDDoS was exposed in 2015, attacks have persisted over the last decade. The panel from 2015 was for version 1.4, the oldest version, which we believe is no longer in use by threat actors. In 2024, Talos discovered a new “VIP” version of the XorDDoS sub-controller, which can control the "VIP version” of the XorDDoS trojan, the first instance of which we traced back to 2017. With the newest version of the XorDDoS sub-controller and trojan builder, Talos believes that this collection is a product suite developed for sale.

Figure 6 shows translated screenshots of the XorDDoS trojan sub-controller and builder. The builder also contains new feature descriptions, which strengthens Talos’ assessment that this is a product meant to be sold. The VIP version of the XorDDoS trojan builder includes new feature descriptions. When translated, the description in Figure 7 reads, "Stable Anti-Kick, 100% Packet Sending, Fixes for Over Ten Thousand Online Without Lag. Supports Domain Online, IP Online, with New Packet Sending Code and Wall-Penetration Optimization. Can Send 1024 Packets with Resource Utilization Optimization."

__Figure 6. VIP version sub-controller.__

__Figure 7. Feature description in the VIP version of the XorDDoS trojan builder.__

Talos observed a new version of the sub-controller, which we call the "central controller." Specifically created for the XorDDoS trojan, the central controller enables threat actors to manage multiple XorDDoS controllers simultaneously. This updated central controller enhances cybercriminals’ ability to coordinate and execute attacks more efficiently, indicating an evolution in their tactics and capabilities.

__Figure 8. Example view of central controller controlling each sub-controller__.

The central controller can generate a controller binder that will inject a DLL file to the XorDDoS controller to bind network connection and command operation to the sub-controller, allowing the central controller to fully remote control the sub-controllers.

__Figure 9. Generator Setting__

The controller binder will establish a connection with the central controller. When running the controller binder on the host, the actor can enter the controller's process name, allowing them to inject into the process and take control. This straightforward strategy allows the actor to send the DDoS commands to multiple controllers simultaneously. There are two notable facts Talos observed from this central controller. First, when the actor opens the central controller, there is a feature description in its mission list column that, when translated, includes the following:

*    "Check the SYN packet length to make it a large packet, otherwise it will be a small packet. 
*   A round-robin attack is a task performed by all online hosts.
*   Select the host and click the test mode, which means a single host sends a packet.
*   Multiple measurement modes cannot be selected, only one at a time!
*   The round-robin attack needs to be stopped manually.
*   Supports 1024 packages but requires a corresponding sub-controller.
*   The sub-controller of version 1.4 and 1.8 on the underground market cannot use the central controller to send 1024 packages."

Second, the controller's creator left their Tencent QQ instant message contact number and nickname on the central controller, while also mentioning other sub-controller versions available on the underground market. This further supports Talos’ assessment that these tools are for sale.

__Figure 10. Central controller and controller binder.__

**Advanced XorDDoS traffic analysis **

Talos’ detailed analysis of these new tools suggests cybercriminals’ continued investment in the development and deployment of the XorDDoS trojan, allowing for more sophisticated and widespread attacks. The entire control flow of these operations demonstrates the adaptability and resilience of these threat actors, emphasizing the ongoing challenge in combating this form of cybercrime. Talos completed a traffic analysis in our sandbox environment, first to analyze how the XorDDoS trojan is connected to the sub-controller, and then to understand how the central controller manages the sub-controller.

__Figure 11. XorDDoS control flow diagram.__

The connection between the sub-controller and DDoS trojan is the orange line in Figure 11. When the malware is successfully installed in the target system, it will attempt to send encrypted data, including "phone home," which consists of the CRC Header, uname string release, uname string machine, magic string and hardcoded version string. Talos used CyberChef to provide a decryptor function for this data.

__Figure 12. Example of decrypted phone home data.__

We noticed that the latest VIP version's "phone home" CRC header remains unchanged from what Unit 42 previously detailed in a blog post. Since the blog post has already covered the encryption of the XorDDoS trojan's phone home data, we will focus here on the behavior of the controller's responses and any modifications in the CRC header.

Once the XorDDoS trojan successfully establishes a connection, the CRC header changes to "5343f096000000000200000000000000000000000000000000000000", as shown in Figure 13. This functions similarly to basic client-server authentication for establishing a connection. When the controller issues a command to the XorDDoS trojan, it uses the same CRC header to attach the encrypted command, sending it to the trojan. This process, illustrated in Figure 14, helps the XorDDoS trojan verify that the commands are authorized and safe to execute.

__Figure 13. The CRC header changes after successfully establishing a connection.__

__Figure 14. Network flow of sub-controller sending the command to XorDDoS trojan.__

Next, Talos explored the connection between the central controller and the sub-controller, represented by the purple line in Figure 11. The central controller can create a controller binder to inject the sub-controller, thereby gaining full access to it. Once the controller binder successfully takes control of the sub-controller, it sends the sub-controller's machine information back to the central controller as a "phone home" beacon. This phone home data uses plaintext to send information, which includes the message number, packet size, IP address, hostname and connection port.

__Figure 15. Network flow of the phone home connection.__

Talos used the central controller to establish a connection with the sub-controller to monitor network traffic. During this process, we observed that the MSG number in the packets increases with each command sent to either the client controller or back to the central controller. As shown in Figure 16, Talos used the central controller to issue commands to start a SYN DDoS attack, stop the attack, and target specific IPs or domains. For every command sent, the MSG number increments. Similarly, each received packet also sees an increase in its MSG number. However, it's important to note that the MSG numbers for sent packets and received packets are not directly related to each other.

__Figure 16. Network flow of central controller sending the command to sub-controller.__

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64669, 64668 and 64667.

ClamAV detections are also available for this threat: Unix.Dropper.Xorddos::in07.talos

**Indicators of Compromise**

IOCs for this threat can be found in our GitHub repository here.

Unmasking the new XorDDoS controller and infrastructure

4chan is down amid claims from a rival Soyjak forum user who says they’ve breached the site and…

4chan is down amid claims from a rival Soyjak forum user who says they’ve breached the site and leaked its source code. Investigation is ongoing.

The infamous imageboard **4chan** is facing a major security incident. Users and researchers have flagged a possible breach resulting in the leak of 4chan’s custom source code, widely known as Yotsuba. What makes the incident ironic is the claim that the attacker is affiliated with Soyjak.st, a lesser-known but competing imageboard community.

****Unusual Downtime****

As of this writing, 4chan was offline or loading inconsistently, with broken images and non-functional links across multiple boards. The outage began in the early hours of April 15th, and speculation quickly spread across social media and rival platforms.

The screenshot shows the current status of 4chan (Image credit: Hackread.com)

Some users initially blamed server issues or a possible **DDoS attack**. However, what followed was far more serious: a user on Soyjak.st claimed responsibility for accessing admin credentials and leaking 4chan’s internal codebase.

Shortly after the claim surfaced, links to what appear to be portions of the Yotsuba source code began circulating across multiple platforms, including Telegram, GitHub Gists and private paste sites.

While the full extent of the leak is still being verified, early samples appear to be consistent with 4chan’s long-running backend structure. The leaked files also include core PHP scripts, administrative tools, and configuration files, some containing outdated coding practices that raise security concerns.

Although 4chan does not rely on user accounts or store typical sensitive information like emails or passwords, a codebase leak can still be serious. With access to internal logic, attackers could exploit undocumented behaviour and server-level compromises. It may also provide insights into moderation workflows or board-level permissions that were never intended to be public.

****The Soyjak.st Connection****

Soyjak.st, though much smaller than 4chan, has managed to grow its own dedicated niche in the imageboard world. With a focus on parody, satire, and meme content, the community has a complicated and often hostile relationship with 4chan.

Whether the claimed attacker is truly affiliated with Soyjak.st or is simply using its name remains to be seen. No formal attribution has been made. Nevertheless, if verified, the breach may be the first major incident where one imageboard’s userbase actively compromises the infrastructure of another.

****No Official Word from 4chan****

At the time of publication, 4chan has not released a public statement addressing the outage or confirming the breach. The site’s front page remains reachable worldwide, but many boards continue to load inconsistently or not at all.

In the meantime, if you are a 4chan user, it’s a good idea to be cautious with any links or files claiming to be from 4chan. There’s always a risk of fakes or **phishing attempts** popping up after something like this

Tag

#ddos