VulnHub

An international law enforcement operation has successfully dismantled SocksEscort, a criminal proxy service that had infected around 369,000 residential and small business routers across 163 countries. The U.S. Department of Justice revealed that this botnet was used for large-scale fraud, leveraging malware to control the infected routers. Users of these routers were largely unaware that their devices had been compromised. The operation underscores the ongoing threat posed by botnets and the importance of securing home and business networks. With thousands of routers involved, this incident serves as a reminder for individuals and businesses to regularly update their devices and apply security patches to protect against such malware infections.

The latest Security Affairs Malware newsletter covers several significant malware threats that have emerged recently. Notably, a group identified as Stan Ghouls is targeting users in Russia and Uzbekistan using the NetSupport Remote Access Trojan (RAT), which allows attackers to control infected systems remotely. Another concerning development is the discovery of ZeroDayRAT, a new spyware designed to infiltrate both Android and iOS devices. Additionally, researchers have uncovered a Linux botnet named SSHStalker, which utilizes old-school IRC methods to compromise new victims. These activities demonstrate the evolving tactics of cybercriminals and emphasize the need for users and organizations to remain vigilant against these persistent threats.

Researchers have identified a new botnet named SSHStalker that uses the Internet Relay Chat (IRC) protocol for its command-and-control operations. This botnet targets Linux systems, employing older kernel exploits to gain access. It features tools for hiding its activities, including log tampering and rootkit-like components. The existence of SSHStalker is concerning as it demonstrates that attackers are still leveraging outdated vulnerabilities to compromise systems. Organizations running Linux servers should assess their security measures and patch any known vulnerabilities to mitigate potential risks from this botnet.

A new botnet named SSHStalker has emerged, targeting Linux servers and infecting around 7,000 systems. This botnet exploits vulnerabilities from older 2009-era software, utilizing IRC bots and mass-scanning techniques to gain access. Researchers from Flare discovered SSHStalker while monitoring SSH honeypots over a two-month period, specifically using weak credentials to attract attackers. The presence of this botnet underscores the ongoing risk posed by outdated security measures, especially for systems that have not been updated in years. Users and administrators of Linux servers need to be vigilant and ensure their systems are secure against such legacy exploits.

A new botnet called SSHStalker has compromised approximately 7,000 Linux systems, primarily those hosted in the cloud. This botnet uses Internet Relay Chat (IRC) for control and automates attacks via Secure Shell (SSH) to gain access to these systems. The attackers are exploiting weak SSH credentials, making it crucial for system administrators to strengthen their password policies and implement key-based authentication. This incident highlights the ongoing vulnerability of Linux servers to automated attacks and the importance of maintaining strong security practices. Users need to be vigilant and consider regular audits of their SSH configurations to prevent unauthorized access.

A new Linux botnet named 'SSHStalker' has reportedly infected around 7,000 systems. This botnet employs a mass-compromise strategy, utilizing various scanners and malware to gain control over vulnerable devices. The attackers are likely taking advantage of outdated security practices, which makes this incident a reminder for system administrators to enhance their security measures. The widespread nature of this botnet indicates that many users might be at risk, especially if their systems are not properly secured. Addressing these vulnerabilities is crucial to prevent further infections and potential data breaches.

The Prometei botnet has compromised a UK construction firm's server by taking advantage of weak or default passwords through the Remote Desktop Protocol (RDP). This incident raises serious concerns about the security practices within the construction industry, which may not prioritize strong password policies. Attackers exploiting such vulnerabilities can gain unauthorized access to sensitive data, potentially leading to data breaches or further malicious activities. Companies are urged to implement stronger password policies and consider using multi-factor authentication to protect against similar attacks. This incident serves as a reminder of the importance of basic cybersecurity hygiene for all organizations, regardless of their sector.

A UK construction firm has fallen victim to an attack by the Russian Prometei botnet, as detailed by cybersecurity firm eSentire. The attack involved the use of TOR for anonymity, and attackers focused on stealing passwords and employing decoy tactics to mislead security measures. This incident raises concerns about the security of critical infrastructure in the construction sector, which may not be as fortified against cyber threats as other industries. The implications are significant, as compromised systems can lead to operational disruptions and financial losses for businesses. Companies in similar sectors should take note and assess their own cybersecurity defenses to prevent similar attacks.

In November 2025, a massive DDoS attack reached a peak of 31.4 terabits per second, making it one of the largest ever recorded. The attack was executed by the AISURU/Kimwolf botnet and lasted for just 35 seconds. Fortunately, Cloudflare's security systems were able to automatically detect and block the attack before it could cause significant disruption. This incident is part of a worrying trend of increasingly powerful and brief DDoS attacks that can overwhelm even the most robust defenses. Organizations must remain vigilant as such attacks not only threaten individual services but also have the potential to disrupt broader internet infrastructure.

The AISURU/Kimwolf botnet has launched a massive DDoS attack that peaked at an astonishing 31.4 Terabits per second, lasting just 35 seconds. This attack is part of a growing trend of extremely high-volume HTTP DDoS assaults that the botnet has been executing throughout the fourth quarter of 2025. Cloudflare, a cybersecurity company that monitors these incidents, successfully detected and mitigated the attack, preventing potential disruptions to online services. Such high-capacity attacks pose significant risks to internet infrastructure and can overwhelm even the most fortified systems, affecting businesses and users alike. As these types of attacks become more common, organizations need to bolster their defenses against DDoS threats.

Researchers have discovered that the SystemBC botnet has hijacked over 10,000 IP addresses, indicating that the botnet is still being actively developed despite previous efforts to disrupt it through 'Operation Endgame.' This ongoing activity raises concerns for internet security, as the SystemBC botnet is known for facilitating various cybercriminal activities, including the distribution of malware. The persistence of this threat suggests that attackers are adapting and finding new ways to maintain their operations, which could lead to increased risks for businesses and individual users alike. Companies should remain vigilant and consider strengthening their defenses against such botnets to protect their networks and data.

Researchers have identified the SystemBC malware, which is currently active across approximately 10,000 infected systems. This botnet is particularly concerning as it poses risks to sensitive government infrastructure, potentially exposing critical data and functionalities to malicious actors. The malware's widespread presence raises alarms about the security of various networks, especially those that manage important public services. Organizations, particularly in the public sector, need to take immediate action to secure their systems against this threat. Failure to address this could lead to significant operational disruptions and data breaches.

A massive distributed denial-of-service (DDoS) attack has reached a staggering 31.4 terabits per second, setting new records for online attacks. This incident is attributed to a powerful botnet known as the 'apex' botnet, which has been exploiting consumer devices, such as routers and smart home gadgets, to amplify its attack capabilities. As attackers increasingly turn ordinary home devices into tools for cyber warfare, businesses and individuals alike are at risk of service disruptions. The scale of this attack serves as a wake-up call for users to secure their connected devices and for companies to enhance their defenses against such overwhelming assaults. The implications are serious, as these attacks can cripple online services and affect a vast number of users worldwide.