VulnHub

The Black Lotus Labs team at Lumen Technologies has taken significant action against the AISURU and Kimwolf botnets by null-routing over 550 command-and-control (C2) servers since early October 2025. These botnets have gained notoriety for their ability to commandeer devices and use them in distributed denial-of-service (DDoS) attacks. By cutting off access to these C2 nodes, researchers aim to disrupt the operations of these botnets, which primarily target Android devices. This move is crucial as it not only protects potential victims from being exploited but also highlights the ongoing battle against cybercriminals who leverage such networks for malicious activities. The impact of these botnets underscores the need for continued vigilance in cybersecurity practices, especially for users of vulnerable devices.

APT28, a Russian cyber espionage group, has been observed targeting entities involved in energy research and defense collaboration. The group has employed tactics that involve impersonating well-known webmail and VPN services, including Microsoft OWA, Google, and Sophos VPN portals, to deceive users into revealing sensitive information. This attack is significant as it aims to infiltrate organizations that play a critical role in energy security and defense, potentially leading to the theft of valuable research and intelligence. The ongoing nature of these attacks poses a serious risk to national security and the integrity of the affected sectors, highlighting the need for organizations to enhance their cybersecurity measures. Users should be cautious and verify the authenticity of services before entering any sensitive information.

Cybersecurity researchers have identified two malicious Chrome extensions that have collectively attracted over 900,000 users. These extensions, named 'Chat GPT for Chrome with GPT-5' and 'Claude Sonnet & DeepSeek AI,' are designed to steal conversations from OpenAI's ChatGPT and DeepSeek, along with users' browsing data. The stolen information is sent to servers controlled by the attackers. This incident raises significant concerns about user privacy and data security, as many individuals may unknowingly be exposing sensitive information through these extensions. Users are urged to remove these extensions immediately and review their online security practices to protect their data.

The Kimwolf Android botnet has expanded significantly, now comprising around 2 million devices. This botnet primarily targets residential proxy networks, allowing its operators to profit through various means, including launching Distributed Denial of Service (DDoS) attacks, installing applications without user consent, and selling proxy bandwidth. The growth of this botnet poses serious risks to users, as it can lead to unauthorized use of their devices and potential data breaches. It also raises concerns for internet service providers and businesses that may be targeted by DDoS attacks. The situation highlights the ongoing challenges in securing IoT devices and the need for users to be vigilant about their device security.

Researchers have discovered a phishing campaign that leverages Google Cloud Application Integration to send emails that mimic legitimate messages from Google. This scheme uses a combination of trusted cloud services, user validation checks, and brand impersonation to trick users into believing the emails are authentic. The attackers aim to capture sensitive information by exploiting the trust associated with Google’s brand. This incident raises concerns for both individuals and organizations that rely on Google services, as it highlights the vulnerabilities in cloud-based email systems. Users are advised to be cautious and verify the authenticity of emails, especially those requesting sensitive data or actions.

Researchers have identified a campaign dubbed 'Zoom Stealer' that targets users of popular web browsers, specifically Chrome, Firefox, and Microsoft Edge. This attack has already impacted around 2.2 million users through 18 malicious browser extensions. These extensions are designed to gather sensitive information related to online meetings, including URLs, IDs, topics, descriptions, and even embedded passwords. The implications of this data theft are significant, as it can lead to unauthorized access to corporate meetings and sensitive discussions. Companies using these browsers should be vigilant and consider removing any unverified extensions to protect their data.

Users of the Trust Wallet Chrome extension have reported significant cryptocurrency losses after a malicious update was released on December 24. This compromised update allowed attackers to drain wallets, leading to millions in losses for affected individuals. In conjunction with this incident, researchers discovered a phishing domain set up by the hackers, further indicating a coordinated effort to exploit Trust Wallet users. The company has responded urgently, advising users to take precautions and remain vigilant to avoid further losses. This incident serves as a stark reminder of the risks associated with browser extensions and the importance of ensuring that software updates are legitimate and secure.

Two malicious Chrome extensions called 'Phantom Shuttle' have been discovered in the Chrome Web Store, masquerading as tools for a proxy service. These extensions are designed to hijack user traffic and steal sensitive information, including login credentials. Users who have installed these extensions are at risk of having their personal data compromised. This incident serves as a reminder for users to be cautious when downloading browser extensions and to regularly review their installed plugins. Google has a responsibility to monitor the extensions available in its store to protect users from such threats.

The Kimwolf Android botnet has been discovered infecting over 1.8 million devices, according to security researchers at XLab. This botnet, which is linked to the previously identified Aisuru botnet, has been responsible for sending more than 1.7 billion commands for Distributed Denial of Service (DDoS) attacks. The scale of these attacks is significant, raising concerns about the potential for disruption to various online services. The fact that millions of devices are compromised highlights the ongoing vulnerability of Android systems to malware. Users should be cautious and consider securing their devices to prevent further infections and attacks.

A new botnet named Kimwolf has compromised around 1.8 million Android-based devices, including TVs, set-top boxes, and tablets. Researchers from QiAnXin XLab report that this botnet may be linked to another one known as AISURU. Kimwolf is built using the Native Development Kit (NDK), which allows attackers to control these devices and use them for large-scale distributed denial-of-service (DDoS) attacks. This incident raises concerns about the security of smart devices, as many consumers may not realize their equipment can be hijacked in this way. Users of affected devices should be vigilant and consider measures to secure their systems against such threats.

Google's threat intelligence team has identified five additional Chinese hacking groups involved in exploiting the React2Shell vulnerability, which allows for remote code execution. This vulnerability is considered highly severe, making it a significant risk for affected systems. The groups are believed to be using this exploit to target various organizations, potentially compromising sensitive data and disrupting operations. The identification of these groups emphasizes the ongoing threat posed by state-sponsored hackers and the need for organizations to bolster their defenses against such attacks. Companies that utilize affected software should take immediate action to mitigate risks associated with this vulnerability.

Apple has released security updates to address two vulnerabilities in WebKit, identified as CVE-2025-14174 and CVE-2025-43529, which are currently being exploited in the wild. The first vulnerability, CVE-2025-14174, was previously patched by Google for its Chrome desktop browser, but details were limited at that time. This flaw allows for out-of-bounds memory access, potentially enabling attackers to execute arbitrary code. Users of Apple devices, particularly those running Safari or any applications reliant on WebKit, should prioritize updating their systems to safeguard against these vulnerabilities. Ignoring these updates could leave devices exposed to active exploitation.

Apple has issued updates for macOS and iOS to address two zero-day vulnerabilities in WebKit that were found to be exploited in a highly sophisticated attack. These vulnerabilities could allow attackers to execute malicious code on affected devices, potentially compromising user data and privacy. The updates are crucial for users of Apple's platforms, as they help protect against active threats that exploit these flaws. Users are encouraged to install the latest updates to ensure their devices are secure. This incident also raises concerns about the interconnectedness of browser vulnerabilities, as these flaws are linked to a Chrome exploit, indicating that security issues can cross platform boundaries.