FEED Validator

for Atom and RSS and KML

Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

line 12, column 93: Self reference doesn't match document location [help]

... rel="self" type="application/rss+xml" />
                                             ^

line 66, column 0: content:encoded should not contain decoding attribute (43 occurrences) [help]
```
<img decoding="async" class="aligncenter wp-image-72438" src="https://kre ...
```
line 66, column 0: content:encoded should not contain sizes attribute (27 occurrences) [help]
```
<img decoding="async" class="aligncenter wp-image-72438" src="https://kre ...
```
line 73, column 0: content:encoded should not contain loading attribute (42 occurrences) [help]
```
<img decoding="async" loading="lazy" class="aligncenter wp-image-31323" s ...
```
line 107, column 0: content:encoded should not contain aria-describedby attribute (35 occurrences) [help]
```
<div id="attachment_72441" style="width: 760px" class="wp-caption aligncente ...
```

Source: http://feeds.feedburner.com/krebsonsecurity/TEjH

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Krebs on Security</title>
<atom:link href="https://krebsonsecurity.com/feed/" rel="self" type="application/rss+xml" />
<link>https://krebsonsecurity.com</link>
<description>In-depth security news and investigation</description>
<lastBuildDate>Sat, 01 Nov 2025 14:28:23 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>
hourly </sy:updatePeriod>
<sy:updateFrequency>
1 </sy:updateFrequency>
<generator>https://wordpress.org/?v=6.2.2</generator>
<item>
<title>Aisuru Botnet Shifts from DDoS to Residential Proxies</title>
<link>https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/</link>
<comments>https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Wed, 29 Oct 2025 00:51:05 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[DDoS-for-Hire]]></category>
<category><![CDATA[Internet of Things (IoT)]]></category>
<category><![CDATA[The Coming Storm]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[360Proxy]]></category>
<category><![CDATA[911Proxy]]></category>
<category><![CDATA[922Proxy]]></category>
<category><![CDATA[ABCProxy]]></category>
<category><![CDATA[Aisuru botnet]]></category>
<category><![CDATA[Benjamin Brundage]]></category>
<category><![CDATA[Bright Data]]></category>
<category><![CDATA[Cherry Proxy]]></category>
<category><![CDATA[Denas Grybauskas]]></category>
<category><![CDATA[google]]></category>
<category><![CDATA[HK Network]]></category>
<category><![CDATA[internet of things]]></category>
<category><![CDATA[IP2World]]></category>
<category><![CDATA[LibreNews]]></category>
<category><![CDATA[LunaProxy]]></category>
<category><![CDATA[NETSCOUT]]></category>
<category><![CDATA[Oxylabs]]></category>
<category><![CDATA[Philippe Caturegli]]></category>
<category><![CDATA[PIA S5 Proxy]]></category>
<category><![CDATA[PyProxy]]></category>
<category><![CDATA[Reddit]]></category>
<category><![CDATA[residential proxy]]></category>
<category><![CDATA[Riley Kilmer]]></category>
<category><![CDATA[roland dobbins]]></category>
<category><![CDATA[Roxlabs]]></category>
<category><![CDATA[Seralys]]></category>
<category><![CDATA[spur.us]]></category>
<category><![CDATA[Synthient]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72424</guid>
<description><![CDATA[Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts says a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users.]]></description>
<content:encoded><![CDATA[Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts say a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users.
<img decoding="async" class="aligncenter wp-image-72438" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/aisuru-ipidea.png" alt="Image credit: vxdb" width="749" height="415" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/aisuru-ipidea.png 1421w, https://krebsonsecurity.com/wp-content/uploads/2025/10/aisuru-ipidea-768x425.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/aisuru-ipidea-782x433.png 782w" sizes="(max-width: 749px) 100vw, 749px" />
First identified in August 2024, Aisuru has spread to at least 700,000 IoT systems, such as poorly secured Internet routers and security cameras. Aisuru’s overlords have used their massive botnet to clobber targets with headline-grabbing DDoS attacks, flooding targeted hosts with blasts of junk requests from all infected systems simultaneously.
In June, Aisuru hit KrebsOnSecurity.com with a DDoS <a href="https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/" target="_blank" rel="noopener">clocking at 6.3 terabits per second</a> — the biggest attack that Google had ever mitigated at the time. In the weeks and months that followed, Aisuru’s operators demonstrated DDoS capabilities of nearly 30 terabits of data per second — well beyond the attack mitigation capabilities of most Internet destinations.
These digital sieges have been particularly disruptive this year for U.S.-based Internet service providers (ISPs), in part because Aisuru recently succeeded in <a href="https://krebsonsecurity.com/2025/10/ddos-botnet-aisuru-blankets-us-isps-in-record-ddos/" target="_blank" rel="noopener">taking over a large number of IoT devices in the United States</a>. And when Aisuru launches attacks, the volume of outgoing traffic from infected systems on these ISPs is often so high that it can disrupt or degrade Internet service for adjacent (non-botted) customers of the ISPs.
“Multiple broadband access network operators have experienced significant operational impact due to outbound DDoS attacks in excess of 1.5Tb/sec launched from Aisuru botnet nodes residing on end-customer premises,” wrote Roland Dobbins, principal engineer at Netscout, in a recent <a href="https://www.netscout.com/blog/asert/asert-threat-summary-aisuru-and-related-turbomirai-botnet-ddos" target="_blank" rel="noopener">executive summary on Aisuru</a>. “Outbound/crossbound attack traffic exceeding 1Tb/sec from compromised customer premise equipment (CPE) devices has caused significant disruption to wireline and wireless broadband access networks. High-throughput attacks have caused chassis-based router line card failures.”
The incessant attacks from Aisuru have caught the attention of federal authorities in the United States and Europe (many of Aisuru’s victims are customers of ISPs and hosting providers based in Europe). Quite recently, some of the world’s largest ISPs have started informally sharing block lists identifying the rapidly shifting locations of the servers that the attackers use to control the activities of the botnet.
Experts say the Aisuru botmasters recently updated their malware so that compromised devices can more easily be rented to so-called “residential proxy” providers. These proxy services allow paying customers to route their Internet communications through someone else’s device, providing anonymity and the ability to appear as a regular Internet user in almost any major city worldwide.
<img decoding="async" loading="lazy" class="aligncenter wp-image-31323" src="https://krebsonsecurity.com/wp-content/uploads/2015/06/proxy.png" alt="" width="631" height="264" />
From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. Proxy services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence. But they are massively abused for hiding cybercrime activity (think advertising fraud, credential stuffing) because they can make it difficult to trace malicious traffic to its original source.
And as we’ll see in a moment, this entire shadowy industry appears to be shifting its focus toward enabling aggressive content scraping activity that continuously feeds raw data into large language models (LLMs) built to support various AI projects.
<h2>‘INSANE’ GROWTH</h2>
Riley Kilmer is co-founder of <a href="https://spur.us" target="_blank" rel="noopener">spur.us</a>, a service that tracks proxy networks. Kilmer said all of the top proxy services have grown substantially over the past six months.
“I just checked, and in the last 90 days we’ve seen 250 million unique residential proxy IPs,” Kilmer said. “That is insane. That is so high of a number, it’s unheard of. These proxies are absolutely everywhere now.”
Today, Spur says it is tracking an unprecedented spike in available proxies across all providers, including;
LUMINATI_PROXY 11,856,421 
NETNUT_PROXY 10,982,458 
ABCPROXY_PROXY 9,294,419 
OXYLABS_PROXY 6,754,790 
IPIDEA_PROXY 3,209,313 
EARNFM_PROXY 2,659,913 
NODEMAVEN_PROXY 2,627,851 
INFATICA_PROXY 2,335,194 
IPROYAL_PROXY 2,032,027 
YILU_PROXY 1,549,155
Reached for comment about the apparent rapid growth in their proxy network, Oxylabs (#4 on Spur’s list) said while their proxy pool did grow recently, it did so at nowhere near the rate cited by Spur.
“We don’t systematically track other providers’ figures, and we’re not aware of any instances of 10× or 100× growth, especially when it comes to a few bigger companies that are legitimate businesses,” the company said in a written statement.
Bright Data was formerly known as Luminati Networks, the name that is currently at the top of Spur’s list of the biggest residential proxy networks. Bright Data likewise told KrebsOnSecurity that Spur’s current estimates of its proxy network are dramatically overstated and inaccurate.
“We did not actively initiate nor do we see any 10x or 100x expansion of our network, which leads me to believe that someone might be presenting these IPs as Bright Data’s in some way,” said Rony Shalit, Bright Data’s chief compliance and ethics officer. “In many cases in the past, due to us being the leading data collection proxy provider, IPs were falsely tagged as being part of our network, or while being used by other proxy providers for malicious activity.”
“Our network is only sourced from verified IP providers and <a href="https://brightdata.com/trustcenter/bright-sdk-ethical-data-practices" target="_blank" rel="noopener">a robust opt-in only residential peers</a>, which we work hard and in complete transparency to obtain,” Shalit continued. “Every DC, ISP or SDK partner is reviewed and approved, and every residential peer must actively opt in to be part of our network.”
<h2>HK NETWORK</h2>
Even Spur acknowledges that Luminati and Oxylabs are unlike most other proxy services on their top proxy providers list, in that these providers actually adhere to “know-your-customer” policies, such as requiring video calls with all customers, and strictly blocking customers from reselling access.
Benjamin Brundage is founder of <a href="https://synthient.com" target="_blank" rel="noopener">Synthient</a>, a startup that helps companies detect proxy networks. Brundage said if there is increasing confusion around which proxy networks are the most worrisome, it’s because nearly all of these lesser-known proxy services have evolved into highly incestuous bandwidth resellers. What’s more, he said, some proxy providers do not appreciate being tracked and have been known to take aggressive steps to confuse systems that scan the Internet for residential proxy nodes.
Brundage said most proxy services today have created their own software development kit or SDK that other app developers can bundle with their code to earn revenue. These SDKs quietly modify the user’s device so that some portion of their bandwidth can be used to forward traffic from proxy service customers.
“Proxy providers have pools of constantly churning IP addresses,” he said. “These IP addresses are sourced through various means, such as bandwidth-sharing apps, botnets, Android SDKs, and more. These providers will often either directly approach resellers or offer a reseller program that allows users to resell bandwidth through their platform.”
Many SDK providers say they require full consent before allowing their software to be installed on end-user devices. Still, those opt-in agreements and consent checkboxes may be little more than a formality for cybercriminals like the Aisuru botmasters, who can earn a commission each time one of their infected devices is forced to install some SDK that enables one or more of these proxy services.
Depending on its structure, a single provider may operate hundreds of different proxy pools at a time — all maintained through other means, Brundage said.
“Often, you’ll see resellers maintaining their own proxy pool in addition to an upstream provider,” he said. “It allows them to market a proxy pool to high-value clients and offer an unlimited bandwidth plan for cheap reduce their own costs.”
Some proxy providers appear to be directly in league with botmasters. Brundage identified one proxy seller that was aggressively advertising cheap and plentiful bandwidth to content scraping companies. After scanning that provider’s pool of available proxies, Brundage said he found a one-to-one match with IP addresses he’d previously mapped to the Aisuru botnet.
Brundage says that by almost any measurement, the world’s largest residential proxy service is IPidea, a China-based proxy network. IPidea is #5 on Spur’s Top 10, and Brundage said its brands include ABCProxy (#3), Roxlabs, LunaProxy, PIA S5 Proxy, PyProxy, 922Proxy, 360Proxy, IP2World, and Cherry Proxy. Spur’s Kilmer said they also track Yilu Proxy (#10) as IPidea.
Brundage said all of these providers operate under a corporate umbrella known on the cybercrime forums as “HK Network.”
“The way it works is there’s this whole reseller ecosystem, where IPidea will be incredibly aggressive and approach all these proxy providers with the offer, ‘Hey, if you guys buy bandwidth from us, we’ll give you these amazing reseller prices,'” Brundage explained. “But they’re also very aggressive in recruiting resellers for their apps.”
<div id="attachment_72441" style="width: 760px" class="wp-caption aligncenter"><a href="https://krebsonsecurity.com/wp-content/uploads/2025/10/synthient-hknetwork.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-72441" decoding="async" loading="lazy" class="wp-image-72441" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/synthient-hknetwork.png" alt="" width="750" height="517" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/synthient-hknetwork.png 1126w, https://krebsonsecurity.com/wp-content/uploads/2025/10/synthient-hknetwork-768x529.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/synthient-hknetwork-782x539.png 782w, https://krebsonsecurity.com/wp-content/uploads/2025/10/synthient-hknetwork-100x70.png 100w" sizes="(max-width: 750px) 100vw, 750px" /></a>A graphic depicting the relationship between proxy providers that Synthient found are white labeling IPidea proxies. Image: Synthient.com.</div>
Those apps include a range of low-cost and “free” virtual private networking (VPN) services that indeed allow users to enjoy a free VPN, but which also turn the user’s device into a traffic relay that can be rented to cybercriminals, or else parceled out to countless other proxy networks.
“They have all this bandwidth to offload,” Brundage said of IPidea and its sister networks. “And they can do it through their own platforms, or they go get resellers to do it for them by advertising on sketchy hacker forums to reach more people.”
One of IPidea’s core brands is 922S5Proxy, which is a not-so-subtle nod to the 911S5Proxy service that was hugely popular between 2015 and 2022. In July 2022, KrebsOnSecurity published <a href="https://krebsonsecurity.com/2022/07/a-deep-dive-into-the-residential-proxy-service-911/" target="_blank" rel="noopener">a deep dive into 911S5Proxy’s origins and apparent owners in China</a>. Less than a week later, 911S5Proxy announced it was closing down after <a href="https://krebsonsecurity.com/2022/07/911-proxy-service-implodes-after-disclosing-breach/" target="_blank" rel="noopener">the company’s servers were massively hacked</a>.
That 2022 story named Yunhe Wang from Beijing as the apparent owner and/or manager of the 911S5 proxy service. In May 2024, the U.S. Department of Justice <a href="https://krebsonsecurity.com/2024/05/treasury-sanctions-creators-of-911-s5-proxy-botnet/" target="_blank" rel="noopener">arrested Mr Wang</a>, alleging that his network was used to steal billions of dollars from financial institutions, credit card issuers, and federal lending programs. At the same time, the U.S. Treasury Department announced sanctions against Wang and two other Chinese nationals for operating 911S5Proxy.
<div id="attachment_72454" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72454" decoding="async" loading="lazy" class=" wp-image-72454" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/922proxy.png" alt="" width="749" height="494" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/922proxy.png 1182w, https://krebsonsecurity.com/wp-content/uploads/2025/10/922proxy-768x507.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/922proxy-782x516.png 782w" sizes="(max-width: 749px) 100vw, 749px" />The website for 922Proxy.</div>
<h2>DATA SCRAPING FOR AI</h2>
In recent months, multiple experts who track botnet and proxy activity have shared that a great deal of content scraping which ultimately benefits AI companies is now leveraging these proxy networks to further obfuscate their aggressive data-slurping activity. That’s because by routing it through residential IP addresses, content scraping firms can make their traffic far trickier to filter out.
“It’s really difficult to block, because there’s a risk of blocking real people,” Spur’s Kilmer said of the LLM scraping activity that is fed through individual residential IP addresses, which are often shared by multiple customers at once.
Kilmer says the AI industry has brought a veneer of legitimacy to residential proxy business, which has heretofore mostly been associated with sketchy affiliate money making programs, automated abuse, and unwanted Internet traffic.
“Web crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be collected,” Kilmer said. “Everybody wanted to monetize their own data pots, and how they monetize that is different across the board.”
Kilmer said many LLM-related scrapers rely on residential proxies in cases where the content provider has restricted access to their platform in some way, such as forcing interaction through an app, or keeping all content behind a login page with multi-factor authentication.
“Where the cost of data is out of reach — there is some exclusivity or reason they can’t access the data — they’ll turn to residential proxies so they look like a real person accessing that data,” Kilmer said of the content scraping efforts.
Aggressive AI crawlers increasingly <a href="https://arstechnica.com/ai/2025/03/devs-say-ai-crawlers-dominate-traffic-forcing-blocks-on-entire-countries/" target="_blank" rel="noopener">are overloading community-maintained infrastructure</a>, causing what amounts to persistent DDoS attacks on vital public resources. A <a href="https://thelibre.news/foss-infrastructure-is-under-attack-by-ai-companies/" target="_blank" rel="noopener">report</a> earlier this year from LibreNews found some open-source projects now see as much as 97 percent of their traffic originating from AI company bots, dramatically increasing bandwidth costs, service instability, and burdening already stretched-thin maintainers.
Cloudflare is now experimenting with tools that will allow content creators to charge a fee to AI crawlers to scrape their websites. The company’s “<a href="https://developers.cloudflare.com/ai-crawl-control/features/pay-per-crawl/what-is-pay-per-crawl/" target="_blank" rel="noopener">pay-per-crawl</a>” feature is currently in a private beta, and it lets publishers set their own prices that bots must pay before scraping content.
On October 22, the social media and news network Reddit <a href="https://redditinc.com/hubfs/Reddit%20Inc/Content/Reddit%20v.%20SerpApi.pdf" target="_blank" rel="noopener">sued Oxylabs (PDF)</a> and several other proxy providers, alleging that their systems enabled the mass-scraping of Reddit user content even though Reddit had taken steps to block such activity.
“Recognizing that Reddit denies scrapers like them access to its site, Defendants scrape the data from Google’s search results instead,” the lawsuit alleges. “They do so by masking their identities, hiding their locations, and disguising their web scrapers as regular people (among other techniques) to circumvent or bypass the security restrictions meant to stop them.”
Denas Grybauskas, chief governance and strategy officer at Oxylabs, said the company was shocked and disappointed by the lawsuit.
“Reddit has made no attempt to speak with us directly or communicate any potential concerns,” Grybauskas said in a written statement. “Oxylabs has always been and will continue to be a pioneer and an industry leader in public data collection, and it will not hesitate to defend itself against these allegations. Oxylabs’ position is that no company should claim ownership of public data that does not belong to them. It is possible that it is just an attempt to sell the same public data at an inflated price.”
As big and powerful as Aisuru may be, it is hardly the only botnet that is contributing to the overall broad availability of residential proxies. For example, on June 5 the FBI’s Internet Crime Complaint Center <a href="https://www.ic3.gov/PSA/2025/PSA250605" target="_blank" rel="noopener">warned</a> that an IoT malware threat dubbed <a href="https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/" target="_blank" rel="noopener">BADBOX 2.0</a> had compromised millions of smart-TV boxes, digital projectors, vehicle infotainment units, picture frames, and other IoT devices.
In July, Google filed <a href="https://www.courtlistener.com/docket/70683171/google-llc-v-does-1-25/" target="_blank" rel="noopener">a lawsuit</a> in New York federal court against the Badbox botnet’s alleged perpetrators. Google said the Badbox 2.0 botnet “compromised more than 10 million uncertified devices running Android’s open-source software, which lacks Google’s security protections. Cybercriminals infected these devices with pre-installed malware and exploited them to conduct large-scale ad fraud and other digital crimes.”
<h2>A FAMILIAR DOMAIN NAME</h2>
Brundage said the Aisuru botmasters have their own SDK, and for some reason part of its code tells many newly-infected systems to query the domain name fuckbriankrebs[.]com. This may be little more than an elaborate “screw you” to this site’s author: One of the botnet’s alleged partners goes by the handle “Forky,” and was <a href="https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/" target="_blank" rel="noopener">identified in June by KrebsOnSecurity as a young man from Sao Paulo, Brazil</a>.
Brundage noted that only systems infected with Aisuru’s Android SDK will be forced to resolve the domain. Initially, there was some discussion about whether the domain might have some utility as a “kill switch” capable of disrupting the botnet’s operations, although Brundage and others interviewed for this story say that is unlikely.
<div id="attachment_72457" style="width: 745px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72457" decoding="async" loading="lazy" class="wp-image-72457 " src="https://krebsonsecurity.com/wp-content/uploads/2025/10/fbk-seralys-r.png" alt="" width="735" height="707" />A tiny sample of the traffic after a DNS server was enabled on the newly registered domain fuckbriankrebs dot com. Each unique IP address requested its own unique subdomain. Image: Seralys.</div>
For one thing, they said, if the domain was somehow critical to the operation of the botnet, why was it still unregistered and actively for-sale? Why indeed, we asked. Happily, the domain name was deftly snatched up last week by Philippe Caturegli, “chief hacking officer” for the security intelligence company <a href="https://seralys.com/" target="_blank" rel="noopener">Seralys</a>.
Caturegli enabled a passive DNS server on that domain and within a few hours received more than 700,000 requests for <a href="https://z3zhnw7npvig.fuckbriankrebs.com/" target="_blank" rel="noopener">unique subdomains on fuckbriankrebs[.]com</a>.
But even with that visibility into Aisuru, it is difficult to use this domain check-in feature to measure its true size, Brundage said. After all, he said, the systems that are phoning home to the domain are only a small portion of the overall botnet.
“The bots are hardcoded to just spam lookups on the subdomains,” he said. “So anytime an infection occurs or it runs in the background, it will do one of those DNS queries.”
<div id="attachment_72463" style="width: 758px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72463" decoding="async" loading="lazy" class=" wp-image-72463" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/cat-fbk.png" alt="" width="748" height="800" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/cat-fbk.png 823w, https://krebsonsecurity.com/wp-content/uploads/2025/10/cat-fbk-768x821.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/cat-fbk-782x836.png 782w" sizes="(max-width: 748px) 100vw, 748px" />Caturegli briefly configured all subdomains on fuckbriankrebs dot com to display this ASCII art image to visiting systems today.</div>
The domain fuckbriankrebs[.]com has a storied history. On its initial launch in 2009, it was <a href="https://krebsonsecurity.com/2010/01/tough-talk-from-those-who-hide/" target="_blank" rel="noopener">used to spread malicious software by the </a><a href="https://krebsonsecurity.com/?s=cutwail" target="_blank" rel="noopener">Cutwail</a><a href="https://krebsonsecurity.com/2010/01/tough-talk-from-those-who-hide/" target="_blank" rel="noopener"> spam botnet</a>. In 2011, the domain was involved in a notable DDoS against this website from a botnet powered by Russkill (a.k.a. “Dirt Jumper”).
Domaintools.com finds that in 2015, fuckbriankrebs[.]com was registered to an email address attributed to David “Abdilo” Crees, a 27-year-old Australian man <a href="https://databreaches.net/2025/05/17/australian-national-known-as-dr32-sentenced-in-u-s-federal-court/" target="_blank" rel="noopener">sentenced in May 2025 to time served</a> for cybercrime convictions related to the <a href="https://krebsonsecurity.com/?s=lizard+squad" target="_blank" rel="noopener">Lizard Squad hacking group</a>.
Update, Nov. 1, 2025, 10:25 a.m. ET: An earlier version of this story erroneously cited Spur’s proxy numbers from earlier this year; Spur said those numbers conflated residential proxies — which are rotating and attached to real end-user devices — with “ISP proxies” located at AT&T. ISP proxies, Spur said, involve tricking an ISP into routing a large number of IP addresses that are resold as far more static datacenter proxies.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/feed/</wfw:commentRss>
<slash:comments>40</slash:comments>
</item>
<item>
<title>Canada Fines Cybercrime Friendly Cryptomus $176M</title>
<link>https://krebsonsecurity.com/2025/10/canada-fines-cybercrime-friendly-cryptomus-176m/</link>
<comments>https://krebsonsecurity.com/2025/10/canada-fines-cybercrime-friendly-cryptomus-176m/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Wed, 22 Oct 2025 17:21:36 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Ransomware]]></category>
<category><![CDATA[Russia's War on Ukraine]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[Cryptomus]]></category>
<category><![CDATA[CTV National News]]></category>
<category><![CDATA[Financial Transactions and Reports Analysis Center of Canada]]></category>
<category><![CDATA[FINTRAC]]></category>
<category><![CDATA[Investigative Journalism Foundation]]></category>
<category><![CDATA[Richard Sanders]]></category>
<category><![CDATA[Sarah Paquet]]></category>
<category><![CDATA[Xeltox Enterprises Ltd]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72407</guid>
<description><![CDATA[Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services. The penalties for violating Canada's anti money-laundering laws come ten months after KrebsOnSecurity noted that Cryptomus's Vancouver street address was home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which were physically located there.]]></description>
<content:encoded><![CDATA[Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services. The penalties for violating Canada’s anti money-laundering laws come ten months after KrebsOnSecurity noted that Cryptomus’s Vancouver street address was home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which were physically located there.
<img decoding="async" loading="lazy" class="aligncenter wp-image-69762" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/cryptomusblack.png" alt="" width="745" height="156" />
On October 16, the Financial Transactions and Reports Analysis Center of Canada (FINTRAC) imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., more commonly known as the cryptocurrency payments platform Cryptomus.
FINTRAC <a href="https://fintrac-canafe.canada.ca/new-neuf/nr/2025-10-22-eng" target="_blank" rel="noopener">found</a> that Cryptomus failed to submit suspicious transaction reports in cases where there were reasonable grounds to suspect that they were related to the laundering of proceeds connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion.
“Given that numerous violations in this case were connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion, FINTRAC was compelled to take this unprecedented enforcement action,” said Sarah Paquet, director and CEO at the regulatory agency.
In December 2024, KrebsOnSecurity covered research by blockchain analyst and investigator Richard Sanders, who’d spent several months signing up for various cybercrime services, and then tracking where their customer funds go from there. The <a href="https://krebsonsecurity.com/2024/12/how-cryptocurrency-turns-to-cash-in-russian-banks/" target="_blank" rel="noopener">122 services targeted in Sanders’s research</a> all used Cryptomus, and included some of the more prominent businesses advertising on the cybercrime forums, such as:
-abuse-friendly or “bulletproof” hosting providers like anonvm[.]wtf, and <a href="https://krebsonsecurity.com/tag/pq-hosting/" target="_blank" rel="noopener">PQHosting</a>; 
-sites selling aged email, financial, or social media accounts, such as verif[.]work and kopeechka[.]store; 
-anonymity or “proxy” providers like crazyrdp[.]com and rdp[.]monster; 
-anonymous SMS services, including anonsim[.]net and smsboss[.]pro.
<div id="attachment_69745" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-69745" decoding="async" loading="lazy" class=" wp-image-69745" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/flymoney.png" alt="" width="749" height="429" srcset="https://krebsonsecurity.com/wp-content/uploads/2024/12/flymoney.png 1399w, https://krebsonsecurity.com/wp-content/uploads/2024/12/flymoney-768x440.png 768w, https://krebsonsecurity.com/wp-content/uploads/2024/12/flymoney-782x448.png 782w" sizes="(max-width: 749px) 100vw, 749px" />Flymoney, one of dozens of cryptocurrency exchanges apparently nested at Cryptomus. The image from this website has been machine translated from Russian.</div>
Sanders found at least 56 cryptocurrency exchanges were using Cryptomus to process transactions, including financial entities with names like casher[.]su, grumbot[.]com, flymoney[.]biz, obama[.]ru and swop[.]is.
“These platforms were built for Russian speakers, and they each advertised the ability to anonymously swap one form of cryptocurrency for another,” the December 2024 story noted. “They also allowed the exchange of cryptocurrency for cash in accounts at some of Russia’s largest banks — nearly all of which are currently sanctioned by the United States and other western nations.”
Reached for comment on FINTRAC’s action, Sanders told KrebsOnSecurity he was surprised it took them so long.
“I have no idea why they don’t just sanction them or prosecute them,” Sanders said. “I’m not let down with the fine amount but it’s also just going to be the cost of doing business to them.”
The $173 million fine is a significant sum for FINTRAC, which imposed 23 such penalties last year totaling less than $26 million. But Sanders says FINTRAC still has much work to do in pursuing other shadowy money service businesses (MSBs) that are registered in Canada but are likely money laundering fronts for entities based in Russia and Iran.
<img decoding="async" loading="lazy" class="aligncenter wp-image-69766" src="https://krebsonsecurity.com/wp-content/uploads/2024/12/happycanada.png" alt="" width="750" height="458" />
In an investigation published in July 2024, CTV National News and the Investigative Journalism Foundation (IJF) <a href="https://theijf.org/msb-cluster-investigation" target="_blank" rel="noopener">documented dozens of cases</a> across Canada where multiple MSBs are incorporated at the same address, often without the knowledge or consent of the location’s actual occupant.
Their inquiry found that the street address for Cryptomus parent Xeltox Enterprises was listed as the home of at least 76 foreign currency dealers, eight MSBs, and six cryptocurrency exchanges. At that address is a three-story building that used to be a bank and now houses a massage therapy clinic and a co-working space. But the news outlets found none of the MSBs or currency dealers were paying for services at that co-working space.
The reporters also found another collection of 97 MSBs clustered at an address for a commercial office suite in Ontario, even though there was no evidence any of these companies had ever arranged for any business services at that address.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/10/canada-fines-cybercrime-friendly-cryptomus-176m/feed/</wfw:commentRss>
<slash:comments>47</slash:comments>
</item>
<item>
<title>Email Bombs Exploit Lax Authentication in Zendesk</title>
<link>https://krebsonsecurity.com/2025/10/email-bombs-exploit-lax-authentication-in-zendesk/</link>
<comments>https://krebsonsecurity.com/2025/10/email-bombs-exploit-lax-authentication-in-zendesk/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Fri, 17 Oct 2025 11:26:27 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[The Coming Storm]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[CapCom]]></category>
<category><![CDATA[Carolyn Camoens]]></category>
<category><![CDATA[CompTIA]]></category>
<category><![CDATA[Discord]]></category>
<category><![CDATA[GMAC]]></category>
<category><![CDATA[NordVPN]]></category>
<category><![CDATA[The Washington Post]]></category>
<category><![CDATA[Tinder]]></category>
<category><![CDATA[Zendesk]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72392</guid>
<description><![CDATA[Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously.]]></description>
<content:encoded><![CDATA[Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously.
Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. Earlier this week, KrebsOnSecurity started receiving thousands of ticket creation notification messages through Zendesk in rapid succession, each bearing the name of different Zendesk customers, such as CapCom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder.
The abusive missives sent via Zendesk’s platform can include any subject line chosen by the abusers. In my case, the messages variously warned about a supposed law enforcement investigation involving KrebsOnSecurity.com, or else contained personal insults.
Moreover, the automated messages that are sent out from this type of abuse all come from customer domain names — not from Zendesk. In the example below, replying to any of the junk customer support responses from The Washington Post’s Zendesk installation shows the reply-to address is help@washpost.com.
<div id="attachment_72398" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72398" decoding="async" loading="lazy" class=" wp-image-72398" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/zendeskwapo.png" alt="" width="749" height="362" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/zendeskwapo.png 2110w, https://krebsonsecurity.com/wp-content/uploads/2025/10/zendeskwapo-768x371.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/zendeskwapo-1536x743.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2025/10/zendeskwapo-2048x990.png 2048w, https://krebsonsecurity.com/wp-content/uploads/2025/10/zendeskwapo-782x378.png 782w" sizes="(max-width: 749px) 100vw, 749px" />One of dozens of messages sent to me this week by The Washington Post.</div>
Notified about the mass abuse of their platform, Zendesk said the emails were ticket creation notifications from customer accounts that configured their Zendesk instance to allow anyone to submit support requests — including anonymous users.
“These types of support tickets can be part of a customer’s workflow, where a prior verification is not required to allow them to engage and make use of the Support capabilities,” said Carolyn Camoens, communications director at Zendesk. “Although we recommend our customers to permit only verified users to submit tickets, some Zendesk customers prefer to use an anonymous environment to allow for tickets to be created due to various business reasons.”
Camoens said requests that can be submitted in an anonymous manner can also make use of an email address of the submitter’s choice.
“However, this method can also be used for spam requests to be created on behalf of third party email addresses,” Camoens said. “If an account has enabled the auto-responder trigger based on ticket creation, then this allows for the ticket notification email to be sent from our customer’s accounts to these third parties. The notification will also include the Subject added by the creator of these tickets.”
Zendesk claims it uses rate limits to prevent a high volume of requests from being created at once, but those limits did not stop Zendesk customers from flooding my inbox with thousands of messages in just a few hours.
“We recognize that our systems were leveraged against you in a distributed, many-against-one manner,” Camoens said. “We are actively investigating additional preventive measures. We are also advising customers experiencing this type of activity to follow our general security best practices and configure an authenticated ticket creation workflow.”
In all of the cases above, the messaging abuse would not have been possible if Zendesk customers validated support request email addresses prior to sending responses. Failing to do so may make it easier for Zendesk clients to handle customer support requests, but it also allows ne’er-do-wells to sully the sender’s brand in service of disruptive and malicious email floods.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/10/email-bombs-exploit-lax-authentication-in-zendesk/feed/</wfw:commentRss>
<slash:comments>49</slash:comments>
</item>
<item>
<title>Patch Tuesday, October 2025 ‘End of 10’ Edition</title>
<link>https://krebsonsecurity.com/2025/10/patch-tuesday-october-2025-end-of-10-edition/</link>
<comments>https://krebsonsecurity.com/2025/10/patch-tuesday-october-2025-end-of-10-edition/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Tue, 14 Oct 2025 22:57:38 +0000</pubDate>
<category><![CDATA[Time to Patch]]></category>
<category><![CDATA[CVE-2025-24990]]></category>
<category><![CDATA[CVE-2025-59227]]></category>
<category><![CDATA[CVE-2025-59230]]></category>
<category><![CDATA[CVE-2025-59234]]></category>
<category><![CDATA[CVE-2025-59287]]></category>
<category><![CDATA[Immersive]]></category>
<category><![CDATA[Kev Breen]]></category>
<category><![CDATA[Microsoft Office]]></category>
<category><![CDATA[Microsoft Patch Tuesday October 2025]]></category>
<category><![CDATA[Satnam Narang]]></category>
<category><![CDATA[Tenable]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72318</guid>
<description><![CDATA[Microsoft today released software updates to plug a whopping 172 security holes in its Windows operating systems, including at least three vulnerabilities that are already being actively exploited. October's Patch Tuesday also marks the final month that Microsoft will ship security updates for Windows 10 systems. If you're running a Windows 10 PC and you're unable or unwilling to migrate to Windows 11, read on for other options.]]></description>
<content:encoded><![CDATA[Microsoft today released software updates to plug a whopping 172 security holes in its Windows operating systems, including at least two vulnerabilities that are already being actively exploited. October’s Patch Tuesday also marks the final month that Microsoft will ship security updates for Windows 10 systems. If you’re running a Windows 10 PC and you’re unable or unwilling to migrate to Windows 11, read on for other options.
<img decoding="async" loading="lazy" class="aligncenter wp-image-52647" src="https://krebsonsecurity.com/wp-content/uploads/2020/08/windowsec.png" alt="" width="748" height="549" />
The first zero-day bug addressed this month (<a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24990" target="_blank" rel="noopener">CVE-2025-24990</a>) involves a third-party modem driver called Agere Modem that’s been bundled with Windows for the past two decades. Microsoft responded to active attacks on this flaw by completely removing the vulnerable driver from Windows.
The other zero-day is <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-59230" target="_blank" rel="noopener">CVE-2025-59230</a>, an elevation of privilege vulnerability in Windows Remote Access Connection Manager (also known as RasMan), a service used to manage remote network connections through virtual private networks (VPNs) and dial-up networks.
“While RasMan is a frequent flyer on Patch Tuesday, appearing more than 20 times since January 2022, this is the first time we’ve seen it exploited in the wild as a zero day,” said Satnam Narang, senior staff research engineer at Tenable.
Narang notes that Microsoft Office users should also take note of <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-59227" target="_blank" rel="noopener">CVE-2025-59227</a> and <a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-59234" target="_blank" rel="noopener">CVE-2025-59234</a>, a pair of remote code execution bugs that take advantage of “Preview Pane,” meaning that the target doesn’t even need to open the file for exploitation to occur. To execute these flaws, an attacker would social engineer a target into previewing an email with a malicious Microsoft Office document.
Speaking of Office, Microsoft <a href="https://www.windowscentral.com/microsoft/microsoft-office/microsoft-is-making-word-automatically-save-new-documents-to-onedrive-by-default" target="_blank" rel="noopener">quietly announced this week</a> that Microsoft Word will now automatically save documents to OneDrive, Microsoft’s cloud platform. Users who are uncomfortable saving all of their documents to Microsoft’s cloud can change this in Word’s settings; ZDNet has <a href="https://www.zdnet.com/article/microsoft-word-forcing-you-to-save-new-files-to-the-cloud-heres-how-to-stop-it/" target="_blank" rel="noopener">a useful how-to</a> on disabling this feature.
Kev Breen, senior director of threat research at Immersive, called attention to <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287" target="_blank" rel="noopener">CVE-2025-59287</a>, a critical remote code execution bug in the Windows Server Update Service (WSUS) — the very same Windows service responsible for downloading security patches for Windows Server versions. Microsoft says there are no signs this weakness is being exploited yet. But with a threat score of 9.8 out of possible 10 and marked “exploitation more likely,” CVE-2025-59287 can be exploited without authentication and is an easy “patch now” candidate.
“Microsoft provides limited information, stating that an unauthenticated attacker with network access can send untrusted data to the WSUS server, resulting in deserialization and code execution,” Breen wrote. “As WSUS is a trusted Windows service that is designed to update privileged files across the file system, an attacker would have free rein over the operating system and could potentially bypass some EDR detections that ignore or exclude the WSUS service.”
For more on other fixes from Redmond today, check out the SANS Internet Storm Center <a href="https://isc.sans.edu/forums/diary/Microsoft%20Patch%20Tuesday%20October%202025/32368/" target="_blank" rel="noopener">monthly roundup</a>, which indexes all of the updates by severity and urgency.
Windows 10 isn’t the only Microsoft OS that is reaching end-of-life today; Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016 are some of the other products that Microsoft is sunsetting today.
<img decoding="async" loading="lazy" class="aligncenter wp-image-72385" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/win10pcrequirements.png" alt="" width="747" height="474" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/win10pcrequirements.png 2050w, https://krebsonsecurity.com/wp-content/uploads/2025/10/win10pcrequirements-768x487.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/win10pcrequirements-1536x974.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2025/10/win10pcrequirements-2048x1299.png 2048w, https://krebsonsecurity.com/wp-content/uploads/2025/10/win10pcrequirements-782x496.png 782w" sizes="(max-width: 747px) 100vw, 747px" />
If you’re running any Windows 10 systems, you’ve probably already determined whether your PC meets the technical hardware specs recommended for the Windows 11 OS. If you’re reluctant or unable to migrate a Windows 10 system to Windows 11, there are alternatives to simply continuing to use Windows 10 without ongoing security updates.
One option is to pay for another year’s worth of security updates through <a href="https://www.microsoft.com/en-ie/windows/extended-security-updates?r=1" target="_blank" rel="noopener">Microsoft’s Extended Security Updates</a> (ESU) program. The cost is just $30 if you don’t have a Microsoft account, and apparently free if you register the PC to a Microsoft account. This <a href="https://www.youtube.com/watch?v=SZH7MlvOoPM" target="_blank" rel="noopener">video breakdown</a> from Ask Your Computer Guy does a good job of walking Windows 10 users through this process. Microsoft emphasizes that ESU enrollment does not provide other types of fixes, feature improvements or product enhancements. It also does not come with technical support.
<div id="attachment_72386" style="width: 756px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72386" decoding="async" loading="lazy" class=" wp-image-72386" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/esu-winupdate.png" alt="" width="746" height="436" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/esu-winupdate.png 2226w, https://krebsonsecurity.com/wp-content/uploads/2025/10/esu-winupdate-768x449.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/esu-winupdate-1536x897.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2025/10/esu-winupdate-2048x1196.png 2048w, https://krebsonsecurity.com/wp-content/uploads/2025/10/esu-winupdate-782x457.png 782w" sizes="(max-width: 746px) 100vw, 746px" />If your Windows 10 system is associated with a Microsoft account and signed in when you visit Windows Update, you should see an option to enroll in extended updates. Image: https://www.youtube.com/watch?v=SZH7MlvOoPM</div>
Windows 10 users also have the option of installing some flavor of Linux instead. Anyone seriously considering this option should check out the website <a href="https://endof10.org/" target="_blank" rel="noopener">endof10.org</a>, which includes a plethora of tips and a DIY installation guide.
Linux Mint is a great option for Linux newbies. Like most modern Linux versions, Mint will run on anything with a 64-bit CPU that has at least 2GB of memory, although 4GB is recommended. In other words, it will run on almost any computer produced in the last decade.
Linux Mint also is likely to be the most intuitive interface for regular Windows users, and it is largely configurable without any fuss at the text-only command-line prompt. Mint and other flavors of Linux come with LibreOffice, which is an open source suite of tools that includes applications similar to Microsoft Office, and it can open, edit and save documents as Microsoft Office files.
If you’d prefer to give Linux a test drive before installing it on a Windows PC, you can always just download it to a removable USB drive. From there, reboot the computer (with the removable drive plugged in) and select the option at startup to run the operating system from the external USB drive. If you don’t see an option for that after restarting, try restarting again and hitting the F8 button, which should open a list of bootable drives. <a href="https://www.youtube.com/watch?v=_qZI6i21jB4" target="_blank" rel="noopener">Here’s a fairly thorough tutorial</a> that walks through exactly how to do all this.
And if this is your first time trying out Linux, relax and have fun: The nice thing about a “live” version of Linux (as it’s called when the operating system is run from a removable drive such as a CD or a USB stick) is that none of your changes persist after a reboot. Even if you somehow manage to break something, a restart will return the system back to its original state.
As ever, if you experience any difficulties during or after applying this month’s batch of patches, please leave a note about it in the comments below.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/10/patch-tuesday-october-2025-end-of-10-edition/feed/</wfw:commentRss>
<slash:comments>63</slash:comments>
</item>
<item>
<title>DDoS Botnet Aisuru Blankets US ISPs in Record DDoS</title>
<link>https://krebsonsecurity.com/2025/10/ddos-botnet-aisuru-blankets-us-isps-in-record-ddos/</link>
<comments>https://krebsonsecurity.com/2025/10/ddos-botnet-aisuru-blankets-us-isps-in-record-ddos/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Fri, 10 Oct 2025 16:10:43 +0000</pubDate>
<category><![CDATA[DDoS-for-Hire]]></category>
<category><![CDATA[Internet of Things (IoT)]]></category>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[The Coming Storm]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[9gigsofram]]></category>
<category><![CDATA[Aisuru]]></category>
<category><![CDATA[AT&T]]></category>
<category><![CDATA[Botshield]]></category>
<category><![CDATA[Charter Communications]]></category>
<category><![CDATA[Comcast]]></category>
<category><![CDATA[Cosmic]]></category>
<category><![CDATA[DDoS]]></category>
<category><![CDATA[ddos-for-hire]]></category>
<category><![CDATA[Erik Buckingham]]></category>
<category><![CDATA[Forky]]></category>
<category><![CDATA[Global Secure Layer]]></category>
<category><![CDATA[Minecraft]]></category>
<category><![CDATA[mirai]]></category>
<category><![CDATA[NETSCOUT]]></category>
<category><![CDATA[OVH]]></category>
<category><![CDATA[Project Shield]]></category>
<category><![CDATA[ProxyPipe]]></category>
<category><![CDATA[Rapper Bot]]></category>
<category><![CDATA[Robert Coelho]]></category>
<category><![CDATA[roland dobbins]]></category>
<category><![CDATA[Steven Ferguson]]></category>
<category><![CDATA[T-Mobile]]></category>
<category><![CDATA[TCPShield]]></category>
<category><![CDATA[Totolink]]></category>
<category><![CDATA[U.S. Department of Justice]]></category>
<category><![CDATA[Verizon]]></category>
<category><![CDATA[XLab]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72321</guid>
<description><![CDATA[The world's largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet's attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.]]></description>
<content:encoded><![CDATA[The world’s largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet’s attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.
Since its debut more than a year ago, the Aisuru botnet has steadily outcompeted virtually all other IoT-based botnets in the wild, with recent attacks siphoning Internet bandwidth from an estimated 300,000 compromised hosts worldwide.
The hacked systems that get subsumed into the botnet are mostly consumer-grade routers, security cameras, digital video recorders and other devices operating with insecure and outdated firmware, and/or factory-default settings. Aisuru’s owners are continuously scanning the Internet for these vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic.
As Aisuru’s size has mushroomed, so has its punch. In May 2025, KrebsOnSecurity was <a href="https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/" target="_blank" rel="noopener">hit with a near-record 6.35 terabits per second (Tbps) attack from Aisuru,</a> which was then the largest assault that Google’s DDoS protection service Project Shield had ever mitigated. Days later, Aisuru shattered that record with a data blast in excess of 11 Tbps.
By late September, Aisuru was publicly flexing DDoS capabilities topping 22 Tbps. Then on October 6, its operators heaved a whopping 29.6 terabits of junk data packets each second at a targeted host. Hardly anyone noticed because it appears to have been a brief test or demonstration of Aisuru’s capabilities: The traffic flood lasted less only a few seconds and was pointed at an Internet server that was specifically designed to measure large-scale DDoS attacks.
<div id="attachment_72353" style="width: 753px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72353" decoding="async" loading="lazy" class=" wp-image-72353" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/29-69t.png" alt="" width="743" height="93" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/29-69t.png 841w, https://krebsonsecurity.com/wp-content/uploads/2025/10/29-69t-768x96.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/29-69t-782x98.png 782w" sizes="(max-width: 743px) 100vw, 743px" />A measurement of an Oct. 6 DDoS believed to have been launched through multiple botnets operated by the owners of the Aisuru botnet. Image: DDoS Analyzer Community on Telegram.</div>
Aisuru’s overlords aren’t just showing off. Their botnet is being blamed for a series of increasingly massive and disruptive attacks. Although recent assaults from Aisuru have targeted mostly ISPs that serve online gaming communities like Minecraft, those digital sieges often result in widespread collateral Internet disruption.
For the past several weeks, ISPs hosting some of the Internet’s top gaming destinations have been hit with a relentless volley of gargantuan attacks that experts say are well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today.
Steven Ferguson is principal security engineer at Global Secure Layer (GSL), an ISP in Brisbane, Australia. GSL hosts TCPShield, which offers free or low-cost DDoS protection to more than 50,000 Minecraft servers worldwide. Ferguson told KrebsOnSecurity that on October 8, TCPShield was walloped with a blitz from Aisuru that flooded its network with more than 15 terabits of junk data per second.
Ferguson said that after the attack subsided, TCPShield was told by its upstream provider OVH that they were no longer welcome as a customer.
“This was causing serious congestion on their Miami external ports for several weeks, shown publicly via their weather map,” he said, explaining that TCPShield is now solely protected by GSL.
Traces from the recent spate of crippling Aisuru <a href="https://www.youtube.com/watch?v=OAzk1K4sn7k" target="_blank" rel="noopener">attacks on gaming servers</a> can be still seen at the website <a href="https://grafana.blockgametracker.gg/d/nlKArnQ4k/global-playercount-by-as?orgId=1&viewPanel=3&from=1759040061640&to=1759161701743" target="_blank" rel="noopener">blockgametracker.gg</a>, which indexes the uptime and downtime of the top Minecraft hosts. In the following example from a series of data deluges on the evening of September 28, we can see an Aisuru botnet campaign briefly knocked TCPShield offline.
<div id="attachment_72328" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72328" decoding="async" loading="lazy" class=" wp-image-72328" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/tcpshield-aisuru.png" alt="" width="750" height="457" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/tcpshield-aisuru.png 1436w, https://krebsonsecurity.com/wp-content/uploads/2025/10/tcpshield-aisuru-768x468.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/tcpshield-aisuru-782x476.png 782w" sizes="(max-width: 750px) 100vw, 750px" />An Aisuru botnet attack on TCPShield (AS64199) on Sept. 28 can be seen in the giant downward spike in the middle of this uptime graphic. Image: grafana.blockgametracker.gg.</div>
Paging through the same uptime graphs for other network operators listed shows almost all of them suffered brief but repeated outages around the same time. Here is the same uptime tracking for Minecraft servers on the network provider Cosmic (AS30456), and it shows multiple large dips that correspond to game server outages caused by Aisuru.
<div id="attachment_72333" style="width: 757px" class="wp-caption aligncenter"><a href="https://krebsonsecurity.com/wp-content/uploads/2025/10/cosmic-aisuru.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-72333" decoding="async" loading="lazy" class="wp-image-72333" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/cosmic-aisuru.png" alt="" width="747" height="463" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/cosmic-aisuru.png 1343w, https://krebsonsecurity.com/wp-content/uploads/2025/10/cosmic-aisuru-768x476.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/cosmic-aisuru-782x484.png 782w" sizes="(max-width: 747px) 100vw, 747px" /></a>Multiple DDoS attacks from Aisuru can be seen against the Minecraft host Cosmic on Sept. 28. The sharp downward spikes correspond to brief but enormous attacks from Aisuru. Image: grafana.blockgametracker.gg.</div>
<h2>BOTNETS R US</h2>
Ferguson said he’s been tracking Aisuru for about three months, and recently he noticed the botnet’s composition shifted heavily toward infected systems at ISPs in the United States. Ferguson shared logs from an attack on October 8 that indexed traffic by the total volume sent through each network provider, and the logs showed that 11 of the top 20 traffic sources were U.S. based ISPs.
AT&T customers were by far the biggest U.S. contributors to that attack, followed by botted systems on Charter Communications, Comcast, T-Mobile and Verizon, Ferguson found. He said the volume of data packets per second coming from infected IoT hosts on these ISPs is often so high that it has started to affect the quality of service that ISPs are able to provide to adjacent (non-botted) customers.
“The impact extends beyond victim networks,” Ferguson said. “For instance we have seen 500 gigabits of traffic via Comcast’s network alone. This amount of egress leaving their network, especially being so US-East concentrated, will result in congestion towards other services or content trying to be reached while an attack is ongoing.”
Roland Dobbins is principal engineer at Netscout. Dobbins said Ferguson is spot on, noting that while most ISPs have effective mitigations in place to handle large incoming DDoS attacks, many are far less prepared to manage the inevitable service degradation caused by large numbers of their customers suddenly using some or all available bandwidth to attack others.
“The outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff,” Dobbin said. “We’re now in a situation where ISPs are routinely seeing terabit-per-second plus outbound attacks from their networks that can cause operational problems.”
“The crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,” Dobbins continued. “A lot of network operators are learning that lesson now, and there’s going to be a period ahead where there’s some scrambling and potential disruption going on.”
KrebsOnSecurity sought comment from the ISPs named in Ferguson’s report. Charter Communications pointed to <a href="https://policy.charter.com/protecting-our-networks" target="_blank" rel="noopener">a recent blog post on protecting its network</a>, stating that Charter actively monitors for both inbound and outbound attacks, and that it takes proactive action wherever possible.
“In addition to our own extensive network security, we also aim to reduce the risk of customer connected devices contributing to attacks through our Advanced WiFi solution that includes Security Shield, and we make Security Suite available to our Internet customers,” Charter wrote in an emailed response to questions. “With the ever-growing number of devices connecting to networks, we encourage customers to purchase trusted devices with secure development and manufacturing practices, use anti-virus and security tools on their connected devices, and regularly download security patches.”
A spokesperson for Comcast responded, “Currently our network is not experiencing impacts and we are able to handle the traffic.”
<h2>9 YEARS OF MIRAI</h2>
Aisuru is built on the bones of malicious code that was <a href="https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/" target="_blank" rel="noopener">leaked in 2016</a> by <a href="https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/" target="_blank" rel="noopener">the original creators of the Mirai IoT botnet</a>. Like Aisuru, Mirai quickly outcompeted all other DDoS botnets in its heyday, and obliterated previous DDoS attack records with a 620 gigabit-per-second siege that <a href="https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/" target="_blank" rel="noopener">sidelined this website for nearly four days in 2016</a>.
The Mirai botmasters likewise used their crime machine to attack mostly Minecraft servers, but with the goal of forcing Minecraft server owners to purchase a DDoS protection service that they controlled. In addition, they rented out slices of the Mirai botnet to paying customers, some of whom used it to mask the sources of other types of cybercrime, such as click fraud.
<div id="attachment_36755" style="width: 743px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-36755" decoding="async" loading="lazy" class=" wp-image-36755" src="https://krebsonsecurity.com/wp-content/uploads/2016/10/l3outage-580x330.png" alt="" width="733" height="417" srcset="https://krebsonsecurity.com/wp-content/uploads/2016/10/l3outage-580x330.png 580w, https://krebsonsecurity.com/wp-content/uploads/2016/10/l3outage-768x437.png 768w, https://krebsonsecurity.com/wp-content/uploads/2016/10/l3outage.png 778w" sizes="(max-width: 733px) 100vw, 733px" />A depiction of the outages caused by the Mirai botnet attacks against the internet infrastructure firm Dyn on October 21, 2016. Source: Downdetector.com.</div>
Dobbins said Aisuru’s owners also appear to be renting out their botnet as a distributed proxy network that cybercriminal customers anywhere in the world can use to anonymize their malicious traffic and make it appear to be coming from regular residential users in the U.S.
“The people who operate this botnet are also selling (it as) residential proxies,” he said. “And that’s being used to reflect application layer attacks through the proxies on the bots as well.”
The Aisuru botnet harkens back to its predecessor Mirai in another intriguing way. One of its owners is using the Telegram handle “9gigsofram,” which corresponds to the nickname used by the co-owner of a Minecraft server protection service called Proxypipe that was <a href="https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/" target="_blank" rel="noopener">heavily targeted in 2016 by the original Mirai botmasters</a>.
Robert Coelho co-ran Proxypipe back then along with his business partner Erik “9gigsofram” Buckingham, and has spent the past nine years fine-tuning various DDoS mitigation companies that cater to Minecraft server operators and other gaming enthusiasts. Coelho said he has no idea why one of Aisuru’s botmasters chose Buckingham’s nickname, but added that it might say something about how long this person has been involved in the DDoS-for-hire industry.
“The Aisuru attacks on the gaming networks these past seven day have been absolutely huge, and you can see tons of providers going down multiple times a day,” Coelho said.
Coelho said the 15 Tbps attack this week against TCPShield was likely only a portion of the total attack volume hurled by Aisuru at the time, because much of it would have been shoved through networks that simply couldn’t process that volume of traffic all at once. Such outsized attacks, he said, are becoming increasingly difficult and expensive to mitigate.
“It’s definitely at the point now where you need to be spending at least a million dollars a month just to have the network capacity to be able to deal with these attacks,” he said.
<h2>RAPID SPREAD</h2>
Aisuru has long been rumored to use multiple zero-day vulnerabilities in IoT devices to aid its rapid growth over the past year. XLab, the Chinese security company that was the <a href="https://blog.xlab.qianxin.com/large-scale-botnet-airashi-en/" target="_blank" rel="noopener">first to profile Aisuru’s rise in 2024</a>, warned last month that one of the Aisuru botmasters had compromised the firmware distribution website for Totolink, a maker of low-cost routers and other networking gear.
“Multiple sources indicate the group allegedly compromised a router firmware update server in April and distributed malicious scripts to expand the botnet,” XLab <a href="https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/" target="_blank" rel="noopener">wrote</a> on September 15. “The node count is currently reported to be around 300,000.”
<div id="attachment_72354" style="width: 716px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72354" decoding="async" loading="lazy" class="size-full wp-image-72354" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/xlab-totoscript.png" alt="" width="706" height="190" />A malicious script implanted into a Totolink update server in April 2025. Image: XLab.</div>
Aisuru’s operators received an unexpected boost to their crime machine in August when the U.S. Department Justice <a href="https://krebsonsecurity.com/2025/08/oregon-man-charged-in-rapper-bot-ddos-service/" target="_blank" rel="noopener">charged the alleged proprietor of Rapper Bot</a>, a DDoS-for-hire botnet that competed directly with Aisuru for control over the global pool of vulnerable IoT systems.
Once Rapper Bot was dismantled, Aisuru’s curators moved quickly to commandeer vulnerable IoT devices that were suddenly set adrift by the government’s takedown, Dobbins said.
“Folks were arrested and Rapper Bot control servers were seized and that’s great, but unfortunately the botnet’s attack assets were then pieced out by the remaining botnets,” he said. “The problem is, even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in.”
<div id="attachment_72344" style="width: 748px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72344" decoding="async" loading="lazy" class=" wp-image-72344" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/xlabs-aisuru.png" alt="" width="738" height="810" />A screenshot shared by XLabs showing the Aisuru botmasters recently celebrating a record-breaking 7.7 Tbps DDoS. The user at the top has adopted the name “Ethan J. Foltz” in a mocking tribute to the alleged Rapper Bot operator who was arrested and charged in August 2025.</div>
<h2>BOTMASTERS AT LARGE</h2>
XLab’s <a href="https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/" target="_blank" rel="noopener">September blog post</a> cited multiple unnamed sources saying Aisuru is operated by three cybercriminals: “Snow,” who’s responsible for botnet development; “Tom,” tasked with finding new vulnerabilities; and “Forky,” responsible for botnet sales.
KrebsOnSecurity interviewed Forky in our <a href="https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/" target="_blank" rel="noopener">May 2025 story</a> about the record 6.3 Tbps attack from Aisuru. That story identified Forky as a 21-year-old man from Sao Paulo, Brazil who has been extremely active in the DDoS-for-hire scene since at least 2022. The FBI has seized Forky’s DDoS-for-hire domains several times over the years.
<img decoding="async" loading="lazy" class="aligncenter wp-image-71314" src="https://krebsonsecurity.com/wp-content/uploads/2025/05/forky.png" alt="" width="750" height="500" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/05/forky.png 779w, https://krebsonsecurity.com/wp-content/uploads/2025/05/forky-768x512.png 768w" sizes="(max-width: 750px) 100vw, 750px" />
Like the original Mirai botmasters, Forky also operates a DDoS mitigation service called Botshield. Forky declined to discuss the makeup of his ISP’s clientele, or to clarify whether Botshield was more of a hosting provider or a DDoS mitigation firm. However, Forky has posted on Telegram about Botshield successfully mitigating large DDoS attacks launched against other DDoS-for-hire services.
In our previous interview, Forky acknowledged being involved in the development and marketing of Aisuru, but denied participating in attacks launched by the botnet.
Reached for comment earlier this month, Forky continued to maintain his innocence, claiming that he also is still trying to figure out who the current Aisuru botnet operators are in real life (Forky said the same thing in our May interview).
But after a week of promising juicy details, Forky came up empty-handed once again. Suspecting that Forky was merely being coy, I asked him how someone so connected to the DDoS-for-hire world could still be mystified on this point, and suggested that his inability or unwillingness to blame anyone else for Aisuru would not exactly help his case.
At this, Forky verbally bristled at being pressed for more details, and abruptly terminated our interview.
“I’m not here to be threatened with ignorance because you are stressed,” Forky replied. “They’re blaming me for those new attacks. Pretty much the whole world (is) due to your blog.”
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/10/ddos-botnet-aisuru-blankets-us-isps-in-record-ddos/feed/</wfw:commentRss>
<slash:comments>79</slash:comments>
</item>
<item>
<title>ShinyHunters Wage Broad Corporate Extortion Spree</title>
<link>https://krebsonsecurity.com/2025/10/shinyhunters-wage-broad-corporate-extortion-spree/</link>
<comments>https://krebsonsecurity.com/2025/10/shinyhunters-wage-broad-corporate-extortion-spree/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Tue, 07 Oct 2025 22:45:35 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Ransomware]]></category>
<category><![CDATA[The Coming Storm]]></category>
<category><![CDATA[ASYNCRAT]]></category>
<category><![CDATA[Austin Larsen]]></category>
<category><![CDATA[Charles Carmakal]]></category>
<category><![CDATA[Crimson Collective]]></category>
<category><![CDATA[CVE-2025-61882]]></category>
<category><![CDATA[Oracle E-Business Suite]]></category>
<category><![CDATA[Salesforce]]></category>
<category><![CDATA[Salesloft]]></category>
<category><![CDATA[Scattered LAPSUS$ Hunters]]></category>
<category><![CDATA[ShinyHunters]]></category>
<category><![CDATA[UNC6040]]></category>
<category><![CDATA[UNC6395]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72279</guid>
<description><![CDATA[A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.]]></description>
<content:encoded><![CDATA[A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.
<div id="attachment_72275" style="width: 1285px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72275" decoding="async" loading="lazy" class="size-full wp-image-72275" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/sf-extortionsite.png" alt="" width="1275" height="879" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/sf-extortionsite.png 1275w, https://krebsonsecurity.com/wp-content/uploads/2025/10/sf-extortionsite-768x529.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/sf-extortionsite-782x539.png 782w, https://krebsonsecurity.com/wp-content/uploads/2025/10/sf-extortionsite-100x70.png 100w" sizes="(max-width: 1275px) 100vw, 1275px" />The new extortion website tied to ShinyHunters (UNC6040), which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.</div>
In May 2025, a prolific and amorphous English-speaking cybercrime group known as ShinyHunters launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal.
The first real details about the incident came in early June, when the Google Threat Intelligence Group (GTIG) <a href="https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion" target="_blank" rel="noopener">warned</a> that ShinyHunters — tracked by Google as UNC6040 — was extorting victims over their stolen Salesforce data, and that the group was poised to launch a data leak site to publicly shame victim companies into paying a ransom to keep their records private. A month later, Google acknowledged that one of its own corporate Salesforce instances was impacted in the voice phishing campaign.
Last week, a new victim shaming blog dubbed “Scattered LAPSUS$ Hunters” began publishing the names of companies that had customer Salesforce data stolen as a result of the May voice phishing campaign.
“Contact us to negotiate this ransom or all your customers data will be leaked,” the website stated in a message to Salesforce. “If we come to a resolution all individual extortions against your customers will be withdrawn from. Nobody else will have to pay us, if you pay, Salesforce, Inc.”
Below that message were more than three dozen entries for companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS. The entries for each company specified the volume of stolen data available, as well as the date that the information was retrieved (the stated breach dates range between May and September 2025).
<div id="attachment_72312" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72312" decoding="async" loading="lazy" class=" wp-image-72312" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/mandiant-sf.png" alt="" width="749" height="480" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/mandiant-sf.png 866w, https://krebsonsecurity.com/wp-content/uploads/2025/10/mandiant-sf-768x492.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/mandiant-sf-782x501.png 782w" sizes="(max-width: 749px) 100vw, 749px" />Image: Mandiant.</div>
On October 5, the Scattered LAPSUS$ Hunters victim shaming and extortion blog announced that the group was responsible for a breach in September involving a GitLab server used by Red Hat that contained more than 28,000 Git code repositories, including more than 5,000 Customer Engagement Reports (CERs).
“Alot of folders have their client’s secrets such as artifactory access tokens, git tokens, azure, docker (redhat docker, azure containers, dockerhub), their client’s infrastructure details in the CERs like the audits that were done for them, and a whole LOT more, etc.,” the hackers claimed.
Their claims came several days after a previously unknown hacker group calling itself the Crimson Collective took credit for the Red Hat intrusion on Telegram.
Red Hat <a href="https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance" target="_blank" rel="noopener">disclosed on October 2</a> that attackers had compromised a company GitLab server, and said it was in the process of notifying affected customers.
“The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, internal communications about consulting services, and limited forms of business contact information,” Red Hat wrote.
Separately, Discord has started emailing users affected by another breach claimed by ShinyHunters. Discord <a href="https://discord.com/press-releases/update-on-security-incident-involving-third-party-customer-service" target="_blank" rel="noopener">said</a> an incident on September 20 at a “third-party customer service provider” impacted a “limited number of users” who communicated with Discord customer support or Trust & Safety teams. The information included Discord usernames, emails, IP address, the last four digits of any stored payment cards, and government ID images submitted during age verification appeals.
The Scattered Lapsus$ Hunters claim they will publish data stolen from Salesforce and its customers if ransom demands aren’t paid by October 10. The group also claims it will soon begin extorting hundreds more organizations that lost data in August after a cybercrime group stole <a href="https://krebsonsecurity.com/2025/09/the-ongoing-fallout-from-a-breach-at-ai-chatbot-maker-salesloft/" target="_blank" rel="noopener">vast amounts of authentication tokens from Salesloft</a>, whose AI chatbot is used by many corporate websites to convert customer interaction into Salesforce leads.
In a communication sent to customers today, Salesforce emphasized that the theft of any third-party Salesloft data allegedly stolen by ShinyHunters did not originate from a vulnerability within the core Salesforce platform. The company also stressed that it has no plans to meet any extortion demands.
“Salesforce will not engage, negotiate with, or pay any extortion demand,” the message to customers read. “Our focus is, and remains, on defending our environment, conducting thorough forensic analysis, supporting our customers, and working with law enforcement and regulatory authorities.”
The GTIG tracked the group behind the Salesloft data thefts as UNC6395, and says the group has been observed harvesting the data for authentication tokens tied to a range of cloud services like Snowflake and Amazon’s AWS.
Google catalogs Scattered Lapsus$ Hunters by so many UNC names (throw in UNC6240 for good measure) because it is thought to be an amalgamation of three hacking groups — Scattered Spider, Lapsus$ and ShinyHunters. The members of these groups hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.
The Scattered Lapsus$ Hunters darknet blog is currently offline. The outage appears to have coincided with the disappearance of the group’s new clearnet blog — breachforums[.]hn — which vanished after shifting its Domain Name Service (DNS) servers from DDoS-Guard to Cloudflare.
But before it died, the websites disclosed that hackers were exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite software. Oracle has since <a href="https://www.oracle.com/security-alerts/alert-cve-2025-61882.html" target="_blank" rel="noopener">confirmed</a> that a security flaw tracked as CVE-2025-61882 allows attackers to perform unauthenticated remote code execution, and is urging customers to apply an emergency update to address the weakness.
Mandiant’s Charles Carmakal <a href="https://www.linkedin.com/posts/charlescarmakal_oracle-security-alert-advisory-cve-2025-activity-7380595612443893760-JNd_/" target="_blank" rel="noopener">shared on LinkedIn</a> that CVE-2025-61882 was initially exploited in August 2025 by the Clop ransomware gang to steal data from Oracle E-Business Suite servers. Bleeping Computer <a href="https://www.bleepingcomputer.com/news/security/oracle-patches-ebs-zero-day-exploited-in-clop-data-theft-attacks/" target="_blank" rel="noopener">writes</a> that news of the Oracle zero-day first surfaced on the Scattered Lapsus$ Hunters blog, which published a pair of scripts that were used to exploit vulnerable Oracle E-Business Suite instances.
On Monday evening, KrebsOnSecurity received a malware-laced message from a reader that threatened physical violence unless their unstated demands were met. The missive, titled “Shiny hunters,” contained the hashtag $LAPSU$$SCATEREDHUNTER, and urged me to visit a page on limewire[.]com to view their demands.
<div id="attachment_72306" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72306" decoding="async" loading="lazy" class=" wp-image-72306" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/sh-malwareemail.png" alt="" width="750" height="251" />A screenshot of the phishing message linking to a malicious trojan disguised as a Windows screensaver file.</div>
KrebsOnSecurity did not visit this link, but instead forwarded it to Mandiant, which confirmed that similar menacing missives were sent to employees at Mandiant and other security firms around the same time.
The link in the message fetches a malicious trojan disguised as a Windows screensaver file (Virustotal’s analysis on this malware is <a href="https://www.virustotal.com/gui/file/9abe847b497e68919143d4da1bb34e565a7fa9991f51c8f6bb7e5911cee01a24" target="_blank" rel="noopener">here</a>). Simply viewing the booby-trapped screensaver on a Windows PC is enough to cause the bundled trojan to launch in the background.
Mandiant’s Austin Larsen said the trojan is a commercially available backdoor known as ASYNCRAT, a .NET-based backdoor that communicates using a custom binary protocol over TCP, and can execute shell commands and download plugins to extend its features.
<div id="attachment_72292" style="width: 759px" class="wp-caption aligncenter"><a href="https://krebsonsecurity.com/wp-content/uploads/2025/10/shmalware-vt.png" target="_blank" rel="noopener"><img aria-describedby="caption-attachment-72292" decoding="async" loading="lazy" class="wp-image-72292" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/shmalware-vt.png" alt="" width="749" height="427" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/shmalware-vt.png 1334w, https://krebsonsecurity.com/wp-content/uploads/2025/10/shmalware-vt-768x438.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/shmalware-vt-782x446.png 782w" sizes="(max-width: 749px) 100vw, 749px" /></a>A scan of the malicious screensaver file at Virustotal.com shows it is detected as bad by nearly a dozen security and antivirus tools.</div>
“Downloaded plugins may be executed directly in memory or stored in the registry,” Larsen wrote in an analysis shared via email. “Capabilities added via plugins include screenshot capture, file transfer, keylogging, video capture, and cryptocurrency mining. ASYNCRAT also supports a plugin that targets credentials stored by Firefox and Chromium-based web browsers.”
Malware-laced targeted emails are not out of character for certain members of the Scattered Lapsus$ Hunters, who have previously harassed and threatened security researchers and even law enforcement officials who are investigating and warning about the extent of their attacks.
With so many big data breaches and ransom attacks now coming from cybercrime groups operating on the Com, law enforcement agencies on both sides of the pond are under increasing pressure to apprehend the criminal hackers involved. In late September, prosecutors in the U.K. charged two alleged Scattered Spider members aged 18 and 19 with <a href="https://krebsonsecurity.com/2025/09/feds-tie-scattered-spider-duo-to-115m-in-ransoms/" target="_blank" rel="noopener">extorting at least $115 million in ransom payments</a> from companies victimized by data theft.
U.S. prosecutors heaped their own charges on the 19 year-old in that duo — U.K. resident Thalha Jubair — who is alleged to have been involved in data ransom attacks against Marks & Spencer and Harrods, the British food retailer Co-op Group, and the 2023 intrusions at MGM Resorts and Caesars Entertainment. Jubair also was allegedly a key member of LAPSUS$, a cybercrime group that broke into dozens of technology companies beginning in late 2021.
<div id="attachment_72294" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72294" decoding="async" loading="lazy" class=" wp-image-72294" src="https://krebsonsecurity.com/wp-content/uploads/2025/10/beaumont-sh.png" alt="" width="749" height="218" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/10/beaumont-sh.png 1039w, https://krebsonsecurity.com/wp-content/uploads/2025/10/beaumont-sh-768x224.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/10/beaumont-sh-782x228.png 782w" sizes="(max-width: 749px) 100vw, 749px" />A Mastodon post by Kevin Beaumont, lamenting the prevalence of major companies paying millions to extortionist teen hackers, refers derisively to Thalha Jubair as a part of an APT threat known as “Advanced Persistent Teenagers.”</div>
In August, convicted Scattered Spider member and 20-year-old Florida man Noah Michael Urban was <a href="https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-gets-10-years/" target="_blank" rel="noopener">sentenced to 10 years in federal prison</a> and ordered to pay roughly $13 million in restitution to victims.
In April 2025, a 23-year-old Scottish man thought to be an early Scattered Spider member was <a href="https://krebsonsecurity.com/2025/04/alleged-scattered-spider-member-extradited-to-u-s/" target="_blank" rel="noopener">extradited from Spain to the U.S.</a>, where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims.
Update, Oct. 8, 8:59 a.m. ET: A previous version of this story incorrectly referred to the malware sent by the reader as a Windows screenshot file. Rather, it is a Windows screensaver file.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/10/shinyhunters-wage-broad-corporate-extortion-spree/feed/</wfw:commentRss>
<slash:comments>44</slash:comments>
</item>
<item>
<title>Feds Tie ‘Scattered Spider’ Duo to $115M in Ransoms</title>
<link>https://krebsonsecurity.com/2025/09/feds-tie-scattered-spider-duo-to-115m-in-ransoms/</link>
<comments>https://krebsonsecurity.com/2025/09/feds-tie-scattered-spider-duo-to-115m-in-ransoms/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Wed, 24 Sep 2025 11:48:31 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Data Breaches]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Ransomware]]></category>
<category><![CDATA[Allison Nixon]]></category>
<category><![CDATA[ALPHV]]></category>
<category><![CDATA[Amtrak]]></category>
<category><![CDATA[Asyntax]]></category>
<category><![CDATA[BlackCat]]></category>
<category><![CDATA[Caesars Entertainment]]></category>
<category><![CDATA[Com]]></category>
<category><![CDATA[EarthtoStar]]></category>
<category><![CDATA[Everlynn]]></category>
<category><![CDATA[Flashpoint]]></category>
<category><![CDATA[Harrods]]></category>
<category><![CDATA[Infinity Recursion]]></category>
<category><![CDATA[Lopiu]]></category>
<category><![CDATA[Marks & Spencer]]></category>
<category><![CDATA[MGM Resorts]]></category>
<category><![CDATA[microsoft]]></category>
<category><![CDATA[Noah Michael Urban]]></category>
<category><![CDATA[NVIDIA]]></category>
<category><![CDATA[Okta]]></category>
<category><![CDATA[Owen David Flowers]]></category>
<category><![CDATA[RocketAce]]></category>
<category><![CDATA[Rockstar Games]]></category>
<category><![CDATA[Samsung]]></category>
<category><![CDATA[Scattered Spider]]></category>
<category><![CDATA[Star Chat]]></category>
<category><![CDATA[Star Sanctuary]]></category>
<category><![CDATA[T-Mobile]]></category>
<category><![CDATA[Thalha Jubair]]></category>
<category><![CDATA[Transport for London]]></category>
<category><![CDATA[Uber]]></category>
<category><![CDATA[Unit 221B]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72208</guid>
<description><![CDATA[U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims. The charges came as Jubair and an alleged co-conspirator appeared in a London court to face accusations of hacking into and extorting several large U.K. retailers, the London transit system, and healthcare providers in the United States.]]></description>
<content:encoded><![CDATA[U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims. The charges came as Jubair and an alleged co-conspirator appeared in a London court to face accusations of hacking into and extorting several large U.K. retailers, the London transit system, and healthcare providers in the United States.
At a court hearing last week, U.K. prosecutors laid out a litany of charges against Jubair and 18-year-old Owen Flowers, accusing the teens of involvement in an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area.
<div id="attachment_72226" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72226" decoding="async" loading="lazy" class=" wp-image-72226" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/paw-flowers-jubair.png" alt="" width="749" height="470" />A court artist sketch of Owen Flowers (left) and Thalha Jubair appearing at Westminster Magistrates’ Court last week. Credit: Elizabeth Cook, PA Wire.</div>
On July 10, 2025, KrebsOnSecurity <a href="https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/" target="_blank" rel="noopener">reported</a> that Flowers and Jubair had been arrested in the United Kingdom in connection with recent Scattered Spider <a href="https://www.thetimes.com/uk/technology-uk/article/ransoms-hackers-cyber-crime-t5kjldwwm" target="_blank" rel="noopener">ransom attacks</a> against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group.
That story cited sources close to the investigation saying Flowers was the Scattered Spider member who anonymously gave interviews to the media in the days after the group’s September 2023 ransomware attacks disrupted operations at Las Vegas casinos operated by MGM Resorts and Caesars Entertainment.
The story also noted that Jubair’s alleged handles on cybercrime-focused Telegram channels had far lengthier rap sheets involving some of the more consequential and headline-grabbing data breaches over the past four years. What follows is an account of cybercrime activities that prosecutors have attributed to Jubair’s alleged hacker handles, as told by those accounts in posts to public Telegram channels that are closely monitored by multiple cyber intelligence firms.
<h2>EARLY DAYS (2021-2022)</h2>
Jubair is alleged to have been a core member of the LAPSUS$ cybercrime group that <a href="https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/" target="_blank" rel="noopener">broke into dozens of technology companies beginning in late 2021</a>, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.
That is, according to the former leader of the now-defunct LAPSUS$. In April 2022, KrebsOnSecurity <a href="https://krebsonsecurity.com/2022/04/leaked-chats-show-lapsus-stole-t-mobile-source-code/" target="_blank" rel="noopener">published internal chat records</a> taken from a server that LAPSUS$ used, and those chats indicate Jubair was working with the group using the nicknames Amtrak and Asyntax. In the middle of the gang’s cybercrime spree, Asyntax told the LAPSUS$ leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.
The leader of LAPSUS$ responded by gleefully posting Asyntax’s real name, phone number, and other hacker handles into a public chat room on Telegram:
<div id="attachment_59487" class="wp-caption aligncenter">
<div id="attachment_59487" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-59487" decoding="async" loading="lazy" class="wp-image-59487" src="https://krebsonsecurity.com/wp-content/uploads/2022/04/amtraxdox.png" alt="" width="749" height="207" aria-describedby="caption-attachment-59487" />In March 2022, the leader of the LAPSUS$ data extortion group exposed Thalha Jubair’s name and hacker handles in a public chat room on Telegram.</div>
</div>
That story about the leaked LAPSUS$ chats also connected Amtrak/Asyntax to several previous hacker identities, including “Everlynn,” who in April 2021 began offering a cybercriminal service that <a href="https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/" target="_blank" rel="noopener">sold fraudulent “emergency data requests”</a> targeting the major social media and email providers.
In these so-called “fake EDR” schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data (e.g. username, IP/email address), while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.
<div id="attachment_59127" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-59127" decoding="async" loading="lazy" class=" wp-image-59127" src="https://krebsonsecurity.com/wp-content/uploads/2022/03/infinityrecursion.png" alt="" width="750" height="623" srcset="https://krebsonsecurity.com/wp-content/uploads/2022/03/infinityrecursion.png 864w, https://krebsonsecurity.com/wp-content/uploads/2022/03/infinityrecursion-768x638.png 768w, https://krebsonsecurity.com/wp-content/uploads/2022/03/infinityrecursion-782x650.png 782w" sizes="(max-width: 750px) 100vw, 750px" />The roster of the now-defunct “Infinity Recursion” hacking team, which sold fake EDRs between 2021 and 2022. The founder “Everlynn” has been tied to Jubair. The member listed as “Peter” became the leader of LAPSUS$ who would later post Jubair’s name, phone number and hacker handles into LAPSUS$’s chat channel.</div>

<h2>EARTHTOSTAR</h2>
Prosecutors in New Jersey last week <a href="https://www.justice.gov/opa/pr/united-kingdom-national-charged-connection-multiple-cyber-attacks-including-critical" target="_blank" rel="noopener">alleged</a> Jubair was part of a threat group variously known as Scattered Spider, 0ktapus, and UNC3944, and that he used the nicknames EarthtoStar, Brad, Austin, and Austistic.
Beginning in 2022, EarthtoStar co-ran a bustling Telegram channel called Star Chat, which was home to a prolific SIM-swapping group that relentlessly used voice- and SMS-based phishing attacks to steal credentials from employees at the major wireless providers in the U.S. and U.K.
<div id="attachment_71644" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71644" decoding="async" loading="lazy" class=" wp-image-71644" src="https://krebsonsecurity.com/wp-content/uploads/2025/07/ace-earth2star-starchat.png" alt="" width="750" height="307" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/07/ace-earth2star-starchat.png 1153w, https://krebsonsecurity.com/wp-content/uploads/2025/07/ace-earth2star-starchat-768x314.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/07/ace-earth2star-starchat-782x320.png 782w" sizes="(max-width: 750px) 100vw, 750px" />Jubair allegedly used the handle “Earth2Star,” a core member of a prolific SIM-swapping group operating in 2022. This ad produced by the group lists various prices for SIM swaps.</div>
The group would then use that access to sell a SIM-swapping service that could redirect a target’s phone number to a device the attackers controlled, allowing them to intercept the victim’s phone calls and text messages (including one-time codes). Members of Star Chat targeted multiple wireless carriers with SIM-swapping attacks, but they focused mainly on phishing T-Mobile employees.
In February 2023, KrebsOnSecurity scrutinized more than seven months of these SIM-swapping solicitations on Star Chat, which almost daily peppered the public channel with “Tmo up!” and “Tmo down!” notices indicating periods wherein the group claimed to have active access to T-Mobile’s network.
<div id="attachment_72238" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72238" decoding="async" loading="lazy" class=" wp-image-72238" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/rocketace-tmobile.png" alt="" width="750" height="848" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/rocketace-tmobile.png 809w, https://krebsonsecurity.com/wp-content/uploads/2025/09/rocketace-tmobile-768x869.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/rocketace-tmobile-782x884.png 782w" sizes="(max-width: 750px) 100vw, 750px" />A redacted receipt from Star Chat’s SIM-swapping service targeting a T-Mobile customer after the group gained access to internal T-Mobile employee tools.</div>
The data showed that Star Chat — along with two other SIM-swapping groups operating at the same time — <a href="https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/" target="_blank" rel="noopener">collectively broke into T-Mobile over a hundred times in the last seven months of 2022</a>. However, Star Chat was by far the most prolific of the three, responsible for at least 70 of those incidents.
<div id="attachment_62908" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-62908" decoding="async" loading="lazy" class=" wp-image-62908" src="https://krebsonsecurity.com/wp-content/uploads/2023/02/tmodates.png" alt="" width="749" height="496" srcset="https://krebsonsecurity.com/wp-content/uploads/2023/02/tmodates.png 1040w, https://krebsonsecurity.com/wp-content/uploads/2023/02/tmodates-768x509.png 768w, https://krebsonsecurity.com/wp-content/uploads/2023/02/tmodates-782x518.png 782w" sizes="(max-width: 749px) 100vw, 749px" />The 104 days in the latter half of 2022 in which different known SIM-swapping groups claimed access to T-Mobile employee tools. Star Chat was responsible for a majority of these incidents. Image: krebsonsecurity.com.</div>
A review of EarthtoStar’s messages on Star Chat as indexed by the threat intelligence firm Flashpoint shows this person also sold “AT&T email resets” and AT&T call forwarding services for up to $1,200 per line. EarthtoStar explained the purpose of this service in post on Telegram:
<blockquote>“Ok people are confused, so you know when u login to chase and it says ‘2fa required’ or whatever the fuck, well it gives you two options, SMS or Call. If you press call, and I forward the line to you then who do you think will get said call?”</blockquote>
New Jersey prosecutors allege Jubair also was involved in a <a href="https://krebsonsecurity.com/2022/08/how-1-time-passcodes-became-a-corporate-liability/" target="_blank" rel="noopener">mass SMS phishing campaign during the summer of 2022</a> that stole single sign-on credentials from employees at hundreds of companies. The text messages asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page, saying recipients needed to review pending changes to their upcoming work schedules.
The phishing websites used a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.
That weeks-long SMS phishing campaign led to intrusions and data thefts at more than 130 organizations, including LastPass, DoorDash, Mailchimp, Plex and Signal.
<div id="attachment_61104" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-61104" decoding="async" loading="lazy" class=" wp-image-61104" src="https://krebsonsecurity.com/wp-content/uploads/2022/08/amitaico.png" alt="" width="750" height="441" srcset="https://krebsonsecurity.com/wp-content/uploads/2022/08/amitaico.png 1427w, https://krebsonsecurity.com/wp-content/uploads/2022/08/amitaico-768x452.png 768w, https://krebsonsecurity.com/wp-content/uploads/2022/08/amitaico-782x460.png 782w" sizes="(max-width: 750px) 100vw, 750px" />A visual depiction of the attacks by the SMS phishing group known as 0ktapus, ScatterSwine, and Scattered Spider. Image: Amitai Cohen twitter.com/amitaico.</div>
<h2>DA, COMRADE</h2>
EarthtoStar’s group Star Chat specialized in phishing their way into business process outsourcing (BPO) companies that provide customer support for a range of multinational companies, including a number of the world’s largest telecommunications providers. In May 2022, EarthtoStar posted to the Telegram channel “Frauwudchat”:
<blockquote>“Hi, I am looking for partners in order to exfiltrate data from large telecommunications companies/call centers/alike, I have major experience in this field, [including] a massive call center which houses 200,000+ employees where I have dumped all user credentials and gained access to the [domain controller] + obtained global administrator I also have experience with REST API’s and programming. I have extensive experience with VPN, Citrix, cisco anyconnect, social engineering + privilege escalation. If you have any Citrix/Cisco VPN or any other useful things please message me and lets work.”</blockquote>
At around the same time in the Summer of 2022, at least two different accounts tied to Star Chat — “RocketAce” and “Lopiu” — introduced the group’s services to denizens of the Russian-language cybercrime forum Exploit, including:
-SIM-swapping services targeting Verizon and T-Mobile customers; 
-Dynamic phishing pages targeting customers of single sign-on providers like Okta; 
-Malware development services; 
-The sale of extended validation (EV) code signing certificates.
<div id="attachment_72222" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72222" decoding="async" loading="lazy" class=" wp-image-72222" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/kela-lopiu.png" alt="" width="749" height="414" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/kela-lopiu.png 1010w, https://krebsonsecurity.com/wp-content/uploads/2025/09/kela-lopiu-768x424.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/kela-lopiu-782x432.png 782w" sizes="(max-width: 749px) 100vw, 749px" />The user “Lopiu” on the Russian cybercrime forum Exploit advertised many of the same unique services offered by EarthtoStar and other Star Chat members. Image source: ke-la.com.</div>
These two accounts on Exploit created multiple sales threads in which they claimed administrative access to U.S. telecommunications providers and asked other Exploit members for help in monetizing that access. In June 2022, RocketAce, which appears to have been just one of EarthtoStar’s many aliases, posted to Exploit:
<blockquote>Hello. I have access to a telecommunications company’s citrix and vpn. I would like someone to help me break out of the system and potentially attack the domain controller so all logins can be extracted we can discuss payment and things leave your telegram in the comments or private message me ! Looking for someone with knowledge in citrix/privilege escalation</blockquote>
On Nov. 15, 2022, EarthtoStar posted to their Star Sanctuary Telegram channel that they were hiring malware developers with a minimum of three years of experience and the ability to develop rootkits, backdoors and malware loaders.
“Optional: Endorsed by advanced APT Groups (e.g. Conti, Ryuk),” the ad concluded, referencing two of Russia’s most rapacious and destructive ransomware affiliate operations. “Part of a nation-state / ex-3l (3 letter-agency).”
<h2>2023-PRESENT DAY</h2>
The Telegram and Discord chat channels wherein Flowers and Jubair allegedly planned and executed their extortion attacks are part of a loose-knit network known as the Com, an English-speaking cybercrime community consisting mostly of individuals living in the United States, the United Kingdom, Canada and Australia.
Many of these Com chat servers have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.
These “<a href="https://krebsonsecurity.com/2022/09/violence-as-a-service-brickings-firebombings-shootings-for-hire/" target="_blank" rel="noopener">violence-as-a-service</a>” solicitations typically involve “brickings,” where someone is hired to toss a brick through the window at a specified address. Other IRL jobs for hire include tire-stabbings, molotov cocktail hurlings, drive-by shootings, and even home invasions. The people targeted by these services are typically other criminals within the community, but it’s not unusual to see Com members asking others for help in harassing or intimidating security researchers and even the very law enforcement officers who are investigating their alleged crimes.
It remains unclear what precipitated this incident or what followed directly after, but on January 13, 2023, a Star Sanctuary account used by EarthtoStar solicited the home invasion of a sitting U.S. federal prosecutor from New York. That post included a photo of the prosecutor taken from the Justice Department’s website, along with the message:
<blockquote>“Need irl niggas, in home hostage shit no fucking pussies no skinny glock holding 100 pound niggas either”</blockquote>
Throughout late 2022 and early 2023, EarthtoStar’s alias “Brad” (a.k.a. “Brad_banned”) frequently advertised Star Chat’s malware development services, including custom malicious software designed to hide the attacker’s presence on a victim machine:
<blockquote>We can develop KERNEL malware which will achieve persistence for a long time, 
bypass firewalls and have reverse shell access.
This shit is literally like STAGE 4 CANCER FOR COMPUTERS!!!
Kernel meaning the highest level of authority on a machine. 
This can range to simple shells to Bootkits.
Bypass all major EDR’s (SentinelOne, CrowdStrike, etc) 
Patch EDR’s scanning functionality so it’s rendered useless!
Once implanted, extremely difficult to remove (basically impossible to even find) 
Development Experience of several years and in multiple APT Groups.
Be one step ahead of the game. Prices start from $5,000+. Message @brad_banned to get a quote</blockquote>
In September 2023 , both MGM Resorts and Caesars Entertainment suffered ransomware attacks at the hands of a Russian ransomware affiliate program known as ALPHV and BlackCat. Caesars <a href="https://www.courtwatch.news/p/how-the-fbi-tracked-down-the-15-million-caesars-casino-ransom" target="_blank" rel="noopener">reportedly paid a $15 million ransom</a> in that incident.
Within hours of MGM publicly acknowledging the 2023 breach, members of Scattered Spider were claiming credit and telling reporters they’d broken in by social engineering a third-party IT vendor. At a hearing in London last week, U.K. prosecutors told the court Jubair was found in possession of more than $50 million in ill-gotten cryptocurrency, including funds that were linked to the Las Vegas casino hacks.
The Star Chat channel was finally banned by Telegram on March 9, 2025. But U.S. prosecutors say Jubair and fellow Scattered Spider members continued their hacking, phishing and extortion activities up until September 2025.
In April 2025, the Com was buzzing about the publication of “The Com Cast,” a lengthy screed detailing Jubair’s alleged cybercriminal activities and nicknames over the years. This account included photos and voice recordings allegedly of Jubair, and asserted that in his early days on the Com Jubair used the nicknames Clark and Miku (these are both aliases used by Everlynn in connection with their fake EDR services).
<div id="attachment_72224" style="width: 667px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72224" decoding="async" loading="lazy" class="size-full wp-image-72224" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/comcast-jubair.png" alt="" width="657" height="507" />Thalha Jubair (right), without his large-rimmed glasses, in an undated photo posted in The Com Cast.</div>
More recently, the anonymous Com Cast author(s) claimed, Jubair had used the nickname “Operator,” which corresponds to a Com member who ran an automated Telegram-based doxing service that pulled consumer records from hacked data broker accounts. That public outing came after Operator allegedly seized control over the Doxbin, a long-running and highly toxic community that is used to “dox” or post deeply personal information on people.
“Operator/Clark/Miku: A key member of the ransomware group Scattered Spider, which consists of a diverse mix of individuals involved in SIM swapping and phishing,” the Com Cast account stated. “The group is an amalgamation of several key organizations, including Infinity Recursion (owned by Operator), True Alcorians (owned by earth2star), and Lapsus, which have come together to form a single collective.”
The New Jersey <a href="https://s3.documentcloud.org/documents/26103409/thalhajubaircomplaint.pdf" target="_blank" rel="noopener">complaint</a> (PDF) alleges Jubair and other Scattered Spider members committed computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions involving 47 U.S. entities between May 2022 and September 2025. The complaint alleges the group’s victims paid at least $115 million in ransom payments.
U.S. authorities say they traced some of those payments to Scattered Spider to an Internet server controlled by Jubair. The complaint states that a cryptocurrency wallet discovered on that server was used to purchase several gift cards, one of which was used at a food delivery company to send food to his apartment. Another gift card purchased with cryptocurrency from the same server was allegedly used to fund online gaming accounts under Jubair’s name. U.S. prosecutors said that when they seized that server they also seized $36 million in cryptocurrency.
The complaint also charges Jubair with involvement in a hacking incident in January 2025 against the U.S. courts system that targeted a U.S. magistrate judge overseeing a related Scattered Spider investigation. That other investigation appears to have been the prosecution of Noah Michael Urban, a 20-year-old Florida man <a href="https://krebsonsecurity.com/2024/11/feds-charge-five-men-in-scattered-spider-roundup/" target="_blank" rel="noopener">charged in November 2024 by prosecutors in Los Angeles</a> as one of five alleged Scattered Spider members.
Urban pleaded guilty in April 2025 to wire fraud and conspiracy charges, and in August he was sentenced to 10 years in federal prison. Speaking with KrebsOnSecurity from jail after his sentencing, Urban asserted that the judge gave him more time than prosecutors requested because <a href="https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-gets-10-years/" target="_blank" rel="noopener">he was mad that Scattered Spider hacked his email account</a>.
<div id="attachment_71970" style="width: 611px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-71970" decoding="async" loading="lazy" class="size-full wp-image-71970" src="https://krebsonsecurity.com/wp-content/uploads/2025/08/kingbobtweets.png" alt="" width="601" height="485" />Noah “Kingbob” Urban, posting to Twitter/X around the time of his sentencing on Aug. 20.</div>
A <a href="https://krebsonsecurity.com/wp-content/uploads/2025/08/urban-status-hack.pdf" target="_blank" rel="noopener">court transcript</a> (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban’s activity in the Florida case, and that the hacker accessed the account by impersonating a judge over the phone and requesting a password reset.
Allison Nixon is chief research officer at the New York based security firm Unit 221B, and easily one of the world’s leading experts on Com-based cybercrime activity. Nixon said the core problem with legally prosecuting well-known cybercriminals from the Com has traditionally been that the top offenders tend to be under the age of 18, and thus difficult to charge under federal hacking statutes.
In the United States, prosecutors typically wait until an underage cybercrime suspect becomes an adult to charge them. But until that day comes, she said, Com actors often feel emboldened to continue committing — and very often bragging about — serious cybercrime offenses.
“Here we have a special category of Com offenders that effectively enjoy legal immunity,” Nixon told KrebsOnSecurity. “Most get recruited to Com groups when they are older, but of those that join very young, such as 12 or 13, they seem to be the most dangerous because at that age they have no grounding in reality and so much longevity before they exit their legal immunity.”
Nixon said U.K. authorities face the same challenge when they briefly detain and search the homes of underage Com suspects: Namely, the teen suspects simply go right back to their respective cliques in the Com and start robbing and hurting people again the minute they’re released.
Indeed, the U.K. court heard from prosecutors last week that both Scattered Spider suspects were detained and/or searched by local law enforcement on multiple occasions, only to return to the Com less than 24 hours after being released each time.
“What we see is these young Com members become vectors for perpetrators to commit enormously harmful acts and even child abuse,” Nixon said. “The members of this special category of people who enjoy legal immunity are meeting up with foreign nationals and conducting these sometimes heinous acts at their behest.”
Nixon said many of these individuals have few friends in real life because they spend virtually all of their waking hours on Com channels, and so their entire sense of identity, community and self-worth gets wrapped up in their involvement with these online gangs. She said if the law was such that prosecutors could treat these people commensurate with the amount of harm they cause society, that would probably clear up a lot of this problem.
“If law enforcement was allowed to keep them in jail, they would quit reoffending,” she said.
The Times of London <a href="https://www.thetimes.com/uk/technology-uk/article/teenagers-charged-tfl-cyberattack-scattered-spider-trdhs5rwf" target="_blank" rel="noopener">reports</a> that Flowers is facing three charges under the Computer Misuse Act: two of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security and one of attempting to commit the same act. Maximum sentences for these offenses can range from 14 years to life in prison, depending on the impact of the crime.
Jubair is reportedly facing two charges in the U.K.: One of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security and one of failing to comply with a section 49 notice to disclose the key to protected information.
In the United States, Jubair is charged with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If extradited to the U.S., tried and convicted on all charges, he faces a maximum penalty of 95 years in prison.
In July 2025, the United Kingdom barred victims of hacking from paying ransoms to cybercriminal groups unless approved by officials. U.K. organizations that are considered part of critical infrastructure <a href="https://www.thetimes.com/uk/technology-uk/article/ransoms-hackers-cyber-crime-t5kjldwwm" target="_blank" rel="noopener">reportedly</a> will face a complete ban, as will the entire public sector. U.K. victims of a hack are now required to notify officials to better inform policymakers on the scale of Britain’s ransomware problem.
For further reading (bless you), check out <a href="https://www.bloomberg.com/news/features/2025-09-19/multimillion-dollar-hacking-spree-scattered-spider-teen-s-jailhouse-confessions" target="_blank" rel="noopener">Bloomberg’s poignant story</a> last week based on a year’s worth of jailhouse interviews with convicted Scattered Spider member Noah Urban.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/09/feds-tie-scattered-spider-duo-to-115m-in-ransoms/feed/</wfw:commentRss>
<slash:comments>46</slash:comments>
</item>
<item>
<title>Self-Replicating Worm Hits 180+ Software Packages</title>
<link>https://krebsonsecurity.com/2025/09/self-replicating-worm-hits-180-software-packages/</link>
<comments>https://krebsonsecurity.com/2025/09/self-replicating-worm-hits-180-software-packages/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Tue, 16 Sep 2025 14:08:02 +0000</pubDate>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[The Coming Storm]]></category>
<category><![CDATA[Time to Patch]]></category>
<category><![CDATA[Web Fraud 2.0]]></category>
<category><![CDATA[Aikido]]></category>
<category><![CDATA[Ashish Kurmi]]></category>
<category><![CDATA[Charlie Eriksen]]></category>
<category><![CDATA[GitHub]]></category>
<category><![CDATA[International Computer Science Institute]]></category>
<category><![CDATA[Nicholas Weaver]]></category>
<category><![CDATA[NPM]]></category>
<category><![CDATA[Shai-Hulud worm]]></category>
<category><![CDATA[StepSecurity]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72190</guid>
<description><![CDATA[At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed.]]></description>
<content:encoded><![CDATA[At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed.
<div id="attachment_72194" style="width: 714px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72194" decoding="async" loading="lazy" class=" wp-image-72194" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/shai-hulud.png" alt="" width="704" height="619" />Image: https://en.wikipedia.org/wiki/Sandworm_(Dune)</div>
The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms in Frank Herbert’s Dune novel series — because it publishes any stolen credentials in a new public GitHub repository that includes the name “Shai-Hulud.”
“When a developer installs a compromised package, the malware will look for a npm token in the environment,” said Charlie Eriksen, a researcher for the Belgian security firm <a href="https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again" target="_blank" rel="noopener">Aikido</a>. “If it finds it, it will modify the 20 most popular packages that the npm token has access to, copying itself into the package, and publishing a new version.”
At the center of this developing maelstrom are code libraries available on <a href="https://www.npmjs.com/" target="_blank" rel="noopener">NPM</a> (short for “Node Package Manager”), which acts as a central hub for JavaScript development and provides the latest updates to widely-used JavaScript components.
The Shai-Hulud worm emerged just days after unknown attackers <a href="https://krebsonsecurity.com/2025/09/18-popular-code-packages-hacked-rigged-to-steal-crypto/" target="_blank" rel="noopener">launched a broad phishing campaign</a> that spoofed NPM and asked developers to “update” their multi-factor authentication login options. That attack led to malware being inserted into at least two-dozen NPM code packages, but the outbreak was quickly contained and was narrowly focused on siphoning cryptocurrency payments.
<div id="attachment_72195" style="width: 759px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72195" decoding="async" loading="lazy" class=" wp-image-72195" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/shai-hulud-packages.png" alt="" width="749" height="440" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/shai-hulud-packages.png 961w, https://krebsonsecurity.com/wp-content/uploads/2025/09/shai-hulud-packages-768x451.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/shai-hulud-packages-782x459.png 782w" sizes="(max-width: 749px) 100vw, 749px" />Image: aikido.dev</div>
In late August, another compromise of an NPM developer resulted in malware being added to “nx,” an open-source code development toolkit with as many as six million weekly downloads. In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious nx code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download.
Last month’s attack on nx did not self-propagate like a worm, but this Shai-Hulud malware does and bundles reconnaissance tools to assist in its spread. Namely, it uses the open-source tool <a href="https://github.com/trufflesecurity/trufflehog" target="_blank" rel="noopener">TruffleHog</a> to search for exposed credentials and access tokens on the developer’s machine. It then attempts to create new GitHub actions and publish any stolen secrets.
“Once the first person got compromised, there was no stopping it,” Aikido’s Eriksen told KrebsOnSecurity. He said the first NPM package compromised by this worm appears to have been altered on Sept. 14, around 17:58 UTC.
The security-focused code development platform socket.dev <a href="https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages" target="_blank" rel="noopener">reports</a> the Shai-Halud attack briefly compromised at least 25 NPM code packages managed by CrowdStrike. Socket.dev said the affected packages were quickly removed by the NPM registry.
In a written statement shared with KrebsOnSecurity, CrowdStrike said that after detecting several malicious packages in the public NPM registry, the company swiftly removed them and rotated its keys in public registries.
“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected,” the statement reads, referring to the company’s widely-used endpoint threat detection service. “We are working with NPM and conducting a thorough investigation.”
A <a href="https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised" target="_blank" rel="noopener">writeup on the attack</a> from StepSecurity found that for cloud-specific operations, the malware enumerates AWS, Azure and Google Cloud Platform secrets. It also found the entire attack design assumes the victim is working in a Linux or macOS environment, and that it deliberately skips Windows systems.
StepSecurity said Shai-Hulud spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account.
“This creates a cascading effect where an infected package leads to compromised maintainer credentials, which in turn infects all other packages maintained by that user,” StepSecurity’s Ashish Kurmi wrote.
Eriksen said Shai-Hulud is still propagating, although its spread seems to have waned in recent hours.
“I still see package versions popping up once in a while, but no new packages have been compromised in the last ~6 hours,” Eriksen said. “But that could change now as the east coast starts working. I would think of this attack as a ‘living’ thing almost, like a virus. Because it can lay dormant for a while, and if just one person is suddenly infected by accident, they could restart the spread. Especially if there’s a super-spreader attack.”
For now, it appears that the web address the attackers were using to exfiltrate collected data was disabled due to rate limits, Eriksen said.
Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver called the Shai-Hulud worm “a supply chain attack that conducts a supply chain attack.” Weaver said NPM (and all other similar package repositories) need to immediately switch to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.
“Anything less means attacks like this are going to continue and become far more common, but switching to a 2FA method would effectively throttle these attacks before they can spread,” Weaver said. “Allowing purely automated processes to update the published packages is now a proven recipe for disaster.”
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/09/self-replicating-worm-hits-180-software-packages/feed/</wfw:commentRss>
<slash:comments>36</slash:comments>
</item>
<item>
<title>Bulletproof Host Stark Industries Evades EU Sanctions</title>
<link>https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/</link>
<comments>https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Thu, 11 Sep 2025 17:40:22 +0000</pubDate>
<category><![CDATA[A Little Sunshine]]></category>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[Ne'er-Do-Well News]]></category>
<category><![CDATA[Russia's War on Ukraine]]></category>
<category><![CDATA[Andrey Nesterenko]]></category>
<category><![CDATA[AS209847]]></category>
<category><![CDATA[domaintools]]></category>
<category><![CDATA[Ivan Neculiti]]></category>
<category><![CDATA[MIRhosting]]></category>
<category><![CDATA[Misfits Media]]></category>
<category><![CDATA[PQ Hosting]]></category>
<category><![CDATA[PQ Hosting Plus S.R.L.]]></category>
<category><![CDATA[Recorded Future]]></category>
<category><![CDATA[Stark Industries Solutions Ltd]]></category>
<category><![CDATA[WorkTitans B.V.]]></category>
<category><![CDATA[WT Hosting]]></category>
<category><![CDATA[Youssef Zinad]]></category>
<category><![CDATA[Yuri Neculiti]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72088</guid>
<description><![CDATA[In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new data shows those sanctions have done little to stop Stark from simply rebranding and transferring their assets to other corporate entities controlled by its original hosting providers.]]></description>
<content:encoded><![CDATA[In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring their assets to other corporate entities controlled by its original hosting providers.
<div id="attachment_58061" style="width: 751px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-58061" decoding="async" loading="lazy" class="wp-image-58061" src="https://krebsonsecurity.com/wp-content/uploads/2022/01/wbrkb.jpg" alt="" width="741" height="495" />Image: Shutterstock.</div>
Materializing just two weeks before Russia invaded Ukraine in 2022, Stark Industries Solutions became a frequent source of massive DDoS attacks, Russian-language proxy and VPN services, malware tied to Russia-backed hacking groups, and fake news. ISPs like Stark are called “bulletproof” providers when they cultivate a reputation for ignoring any abuse complaints or police inquiries about activity on their networks.
In May 2025, the European Union <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202500965" target="_blank" rel="noopener">sanctioned</a> one of Stark’s two main conduits to the larger Internet — Moldova-based PQ Hosting — as well as the company’s Moldovan owners Yuri and Ivan Neculiti. The EU Commission said the Neculiti brothers and PQ Hosting were linked to Russia’s hybrid warfare efforts.
But <a href="https://www.recordedfuture.com/research/one-step-ahead-stark-industries-solutions-preempts-eu-sanctions" target="_blank" rel="noopener">a new report</a> from Recorded Future finds that just prior to the sanctions being announced, Stark rebranded to the[.]hosting, under control of the Dutch entity WorkTitans BV (AS209847) on June 24, 2025. The Neculiti brothers reportedly got a heads up roughly 12 days before the sanctions were announced, when Moldovan and EU media reported on the forthcoming inclusion of the Neculiti brothers in the sanctions package.
In response, the Neculiti brothers moved much of Stark’s considerable address space and other resources over to a new company in Moldova called PQ Hosting Plus S.R.L., an entity reportedly connected to the Neculiti brothers thanks to <a href="https://correctiv.org/faktencheck/russland-ukraine/2024/05/16/hacks-und-propaganda-zwei-brueder-aus-moldau-tragen-russlands-digitalen-krieg-nach-europa/#:~:text=web%20hosting%20service%2C-,Morenehost,-%2C%20writes%20the%20IT" target="_blank" rel="noopener">the re-use of a phone number</a> from the original PQ Hosting.
“Although the majority of associated infrastructure remains attributable to Stark Industries, these changes likely reflect an attempt to obfuscate ownership and sustain hosting services under new legal and network entities,” Recorded Future observed.
Neither the Recorded Future report nor the May 2025 sanctions from the EU mentioned a second critical pillar of Stark’s network that KrebsOnSecurity identified in <a href="https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/" target="_blank" rel="noopener">a May 2024 profile on the notorious bulletproof hoster</a>: The Netherlands-based hosting provider MIRhosting.
MIRhosting is operated by 38-year old Andrey Nesterenko, whose <a href="https://web.archive.org/web/20141221134456/http://www.nesterenko.name/en/index.html" target="_blank" rel="noopener">personal website</a> says he is an accomplished concert pianist who began performing publicly at a young age. DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Solutions Corp, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.
<div id="attachment_67519" style="width: 758px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-67519" decoding="async" loading="lazy" class=" wp-image-67519" src="https://krebsonsecurity.com/wp-content/uploads/2024/05/neculiti-netzwerk-768x1340-1.png" alt="" width="748" height="1305" />Image credit: correctiv.org.</div>
According to the book Inside Cyber Warfare by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting StopGeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.
Mr. Nesterenko did not respond to requests for comment. In May 2024, Mr. Nesterenko <a href="https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/" target="_blank" rel="noopener">said</a> he couldn’t verify whether StopGeorgia was ever a customer because they didn’t keep records going back that far. But he maintained that Stark Industries Solutions was merely one client of many, and claimed MIRhosting had not received any actionable complaints about abuse on Stark.
However, it appears that MIRhosting is once again the new home of Stark Industries, and that MIRhosting employees are managing both the[.]hosting and WorkTitans — the primary beneficiaries of Stark’s assets.
A copy of the incorporation documents for WorkTitans BV obtained from the Dutch Chamber of Commerce shows WorkTitans also does business under the names Misfits Media and and WT Hosting (considering Stark’s historical connection to Russian disinformation websites, “Misfits Media” is a bit on the nose).
<div id="attachment_72163" style="width: 663px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72163" decoding="async" loading="lazy" class=" wp-image-72163" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/kvk-worktitans.png" alt="" width="653" height="896" />An incorporation document for WorkTitans B.V. from the Netherlands Chamber of Commerce.</div>
The incorporation document says the company was formed in 2019 by a y.zinad@worktitans.nl. That email address corresponds to <a href="https://www.linkedin.com/in/youssef-zinad-mba-a1690a10/" target="_blank" rel="noopener">a LinkedIn account</a> for a Youssef Zinad, who says their personal websites are worktitans[.]nl and custom-solution[.]nl. The profile also links to a website (etripleasims dot nl) that LinkedIn currently blocks as malicious. All of these websites are or were hosted at MIRhosting.
Although Mr. Zinad’s LinkedIn profile does not mention any employment at MIRhosting, virtually all of his LinkedIn posts over the past year have been reposts of advertisements for MIRhosting’s services.
<div id="attachment_72178" style="width: 760px" class="wp-caption aligncenter"><img aria-describedby="caption-attachment-72178" decoding="async" loading="lazy" class=" wp-image-72178" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/zinad-mirhosting.png" alt="" width="750" height="646" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/zinad-mirhosting.png 998w, https://krebsonsecurity.com/wp-content/uploads/2025/09/zinad-mirhosting-768x661.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/zinad-mirhosting-782x673.png 782w" sizes="(max-width: 750px) 100vw, 750px" />Mr. Zinad’s LinkedIn profile is full of posts for MIRhosting’s services.</div>
A Google search for Youssef Zinad reveals multiple startup-tracking websites that list him as the founder of the[.]hosting, which censys.io finds is hosted by PQ Hosting Plus S.R.L.
The Dutch Chamber of Commerce document says WorkTitans’ sole shareholder is a company in Almere, Netherlands called Fezzy B.V. Who runs Fezzy? The phone number listed in a Google search for Fezzy B.V. — 31651079755 — also was used to register a Facebook profile for a Youssef Zinad from the same town, according to the breach tracking service Constella Intelligence.
In a series of email exchanges leading up to KrebsOnSecurity’s <a href="https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/" target="_blank" rel="noopener">May 2024 deep dive on Stark</a>, Mr. Nesterenko included Mr. Zinad in the message thread (youssef@mirhosting.com), referring to him as part of the company’s legal team. The Dutch website stagemarkt[.]nl lists Youssef Zinad as an official contact for MIRhosting’s offices in Almere. Mr. Zinad did not respond to requests for comment.
<img decoding="async" loading="lazy" class="aligncenter size-full wp-image-72162" src="https://krebsonsecurity.com/wp-content/uploads/2025/09/stage-mir-youssef.png" alt="" width="1173" height="810" srcset="https://krebsonsecurity.com/wp-content/uploads/2025/09/stage-mir-youssef.png 1173w, https://krebsonsecurity.com/wp-content/uploads/2025/09/stage-mir-youssef-768x530.png 768w, https://krebsonsecurity.com/wp-content/uploads/2025/09/stage-mir-youssef-782x540.png 782w, https://krebsonsecurity.com/wp-content/uploads/2025/09/stage-mir-youssef-100x70.png 100w" sizes="(max-width: 1173px) 100vw, 1173px" />
Given the above, it is difficult to argue with the Recorded Future report on Stark’s rebranding, which concluded that “the EU’s sanctioning of Stark Industries was largely ineffective, as affiliated infrastructure remained operational and services were rapidly re-established under new branding, with no significant or lasting disruption.”
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/feed/</wfw:commentRss>
<slash:comments>25</slash:comments>
</item>
<item>
<title>Microsoft Patch Tuesday, September 2025 Edition</title>
<link>https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/</link>
<comments>https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/#comments</comments>
<dc:creator><![CDATA[BrianKrebs]]></dc:creator>
<pubDate>Tue, 09 Sep 2025 21:21:14 +0000</pubDate>
<category><![CDATA[Latest Warnings]]></category>
<category><![CDATA[The Coming Storm]]></category>
<category><![CDATA[Time to Patch]]></category>
<category><![CDATA[apple]]></category>
<category><![CDATA[CVE-2025-38352]]></category>
<category><![CDATA[CVE-2025-48543]]></category>
<category><![CDATA[CVE-2025-54916]]></category>
<category><![CDATA[CVE-2025-54918]]></category>
<category><![CDATA[CVE-2025-55177]]></category>
<category><![CDATA[CVE-2025-55234]]></category>
<category><![CDATA[google]]></category>
<category><![CDATA[Immersive]]></category>
<category><![CDATA[Kev Breen]]></category>
<category><![CDATA[microsoft]]></category>
<category><![CDATA[NT LAN Manager]]></category>
<category><![CDATA[sans internet storm center]]></category>
<category><![CDATA[Satnam Narang]]></category>
<category><![CDATA[Tenable]]></category>
<category><![CDATA[WhatsApp]]></category>
<category><![CDATA[windows]]></category>
<category><![CDATA[Windows NTLM]]></category>
<guid isPermaLink="false">https://krebsonsecurity.com/?p=72086</guid>
<description><![CDATA[Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known "zero-day" or actively exploited vulnerabilities in this month's bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft's most-dire "critical" label. Meanwhile, both Apple and Google recently released updates to fix zero-day bugs in their devices.]]></description>
<content:encoded><![CDATA[Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known “zero-day” or actively exploited vulnerabilities in this month’s bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft’s most-dire “critical” label. Meanwhile, both Apple and Google recently released updates to fix zero-day bugs in their devices.
<img decoding="async" loading="lazy" class="aligncenter wp-image-60331" src="https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate.png" alt="" width="750" height="496" srcset="https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate.png 923w, https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate-768x508.png 768w, https://krebsonsecurity.com/wp-content/uploads/2022/07/winupdatedate-782x518.png 782w" sizes="(max-width: 750px) 100vw, 750px" />
Microsoft assigns security flaws a “critical” rating when malware or miscreants can exploit them to gain remote access to a Windows system with little or no help from users. Among the more concerning critical bugs quashed this month is <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-54918" target="_blank" rel="noopener">CVE-2025-54918</a>. The problem here resides with Windows NTLM, or NT LAN Manager, a suite of code for managing authentication in a Windows network environment.
Redmond rates this flaw as “Exploitation More Likely,” and although it is listed as a privilege escalation vulnerability, Kev Breen at Immersive says this one is actually exploitable over the network or the Internet.
“From Microsoft’s limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine,” Breen said. “The patch notes for this vulnerability state that ‘Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,’ suggesting an attacker may already need to have access to the NTLM hash or the user’s credentials.”
Breen said another patch — <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-55234" target="_blank" rel="noopener">CVE-2025-55234</a>, a 8.8 CVSS-scored flaw affecting the Windows SMB client for sharing files across a network — also is listed as privilege escalation bug but is likewise remotely exploitable. This vulnerability was publicly disclosed prior to this month.
“Microsoft says that an attacker with network access would be able to perform a replay attack against a target host, which could result in the attacker gaining additional privileges, which could lead to code execution,” Breen noted.
<a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-54916" target="_blank" rel="noopener">CVE-2025-54916</a> is an “important” vulnerability in Windows NTFS — the default filesystem for all modern versions of Windows — that can lead to remote code execution. Microsoft likewise thinks we are more than likely to see exploitation of this bug soon: The last time Microsoft patched an NTFS bug was in March 2025 and it was already being exploited in the wild as a zero-day.
“While the title of the CVE says ‘Remote Code Execution,’ this exploit is not remotely exploitable over the network, but instead needs an attacker to either have the ability to run code on the host or to convince a user to run a file that would trigger the exploit,” Breen said. “This is commonly seen in social engineering attacks, where they send the user a file to open as an attachment or a link to a file to download and run.”
Critical and remote code execution bugs tend to steal all the limelight, but Tenable Senior Staff Research Engineer Satnam Narang notes that nearly half of all vulnerabilities fixed by Microsoft this month are privilege escalation flaws that require an attacker to have gained access to a target system first before attempting to elevate privileges.
“For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,” Narang observed.
On Sept. 3, Google <a href="https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-android-flaws-in-september-update/" target="_blank" rel="noopener">fixed two flaws</a> that were detected as exploited in zero-day attacks, including CVE-2025-38352, an elevation of privilege in the Android kernel, and CVE-2025-48543, also an elevation of privilege problem in the Android Runtime component.
Also, Apple recently patched its seventh zero-day (CVE-2025-43300) of this year. It was part of <a href="https://techcrunch.com/2025/08/29/whatsapp-fixes-zero-click-bug-used-to-hack-apple-users-with-spyware/" target="_blank" rel="noopener">an exploit chain</a> used along with a vulnerability in the WhatsApp (CVE-2025-55177) instant messenger to hack Apple devices. Amnesty International <a href="https://x.com/DonnchaC/status/1961444710620303653" target="_blank" rel="noopener">reports</a> that the two zero-days have been used in “an advanced spyware campaign” over the past 90 days. The issue is fixed in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.
The SANS Internet Storm Center has a <a href="https://isc.sans.edu/forums/diary/Microsoft%20Patch%20Tuesday%20September%202025/32270/" target="_blank" rel="noopener">clickable breakdown</a> of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on <a href="https://www.askwoody.com/2025/september-2025-updates-are-out/" target="_blank" rel="noopener">askwoody.com</a>, which often has the skinny on wonky updates.
AskWoody also reminds us that we’re now just two months out from Microsoft discontinuing free security updates for Windows 10 computers. For those interested in safely extending the lifespan and usefulness of these older machines, check out <a href="https://krebsonsecurity.com/2025/08/microsoft-patch-tuesday-august-2025-edition/" target="_blank" rel="noopener">last month’s Patch Tuesday coverage</a> for a few pointers.
As ever, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.
]]></content:encoded>
<wfw:commentRss>https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/feed/</wfw:commentRss>
<slash:comments>5</slash:comments>
</item>
</channel>
</rss>
<!--
Performance optimized by W3 Total Cache. Learn more: https://www.boldgrid.com/w3-total-cache/
Object Caching 316/316 objects using memcached
Page Caching using memcached (User agent is rejected)
Database Caching using memcached
Served from: krebsonsecurity.com @ 2025-11-01 11:37:19 by W3 Total Cache
-->

If you would like to create a banner that links to this page (i.e. this validation result), do the following:

Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):

<a href="http://www.feedvalidator.org/check.cgi?url=http%3A//feeds.feedburner.com/krebsonsecurity/TEjH"><img src="valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>

If you would like to create a text link instead, here is the URL you can use:

http://www.feedvalidator.org/check.cgi?url=http%3A//feeds.feedburner.com/krebsonsecurity/TEjH

Home · About · News · Docs · Terms