Vercara’s Open-Source Intelligence (OSINT) Report – April 18 – April 25, 2025

State-Sponsored Hackers Embrace ClickFix Social Engineering Tactic  

(TLP: CLEAR) ClickFix attacks, a social engineering technique involving fake error messages and manual script execution, are increasingly being adopted by advanced persistent threat (APT) groups from North Korea, Iran, and Russia in recent espionage operations. In a ClickFix attack, victims are lured through phishing or malvertising to spoofed websites impersonating legitimate platforms. They are shown fake errors and instructed to manually run a PowerShell or command-line script, leading to malware installation. Between late 2024 and early 2025, groups like North Korea’s Kimsuky, Iran’s MuddyWater, Russia’s APT28, and UNK_RemoteRogue incorporated ClickFix into their campaigns. Kimsuky targeted think tanks with fake diplomat emails, leading victims to manually register on a spoofed secure drive and unknowingly install QuasarRAT. MuddyWater disguised phishing emails as Microsoft security alerts, resulting in victims installing a remote monitoring tool called ‘Level.’ UNK_RemoteRogue targeted organizations linked to arms manufacturing, using a fake Microsoft Word page and YouTube tutorials to deploy Empire C2. APT28 mimicked Google services, convincing victims to establish SSH tunnels and install Metasploit backdoors. The growing use of ClickFix across multiple state-backed groups highlights its effectiveness, driven largely by users’ unfamiliarity with the risks of executing unsolicited scripts. Users are strongly advised never to run unverified commands, especially with administrator privileges. 

(TLP: CLEAR) Comments: The rising adoption of ClickFix techniques by multiple state-sponsored groups highlights a growing trend in social engineering that prioritizes manual victim engagement over automated exploitation. By convincing targets to manually execute malicious PowerShell or command-line scripts, malicious actors effectively bypass traditional security controls such as email attachment scanning, URL filtering, and endpoint detection systems designed to monitor automated threats. This tactic exploits a critical human vulnerability: the tendency to trust prompts that appear urgent, technical, and authoritative. The adoption of ClickFix by advanced persistent threat (APT) groups like Kimsuky, MuddyWater, APT28, and UNK_RemoteRogue signals that this method is considered reliable and low-cost for establishing initial access, particularly in high-value espionage campaigns. These groups craft convincing phishing lures, often impersonating trusted entities like Microsoft or diplomatic contacts, and carefully guide victims into taking self-compromising actions. The use of detailed, professional-looking instructions and the incorporation of familiar platforms such as fake secure drives or spoofed Office pages enhances the credibility of the attack, significantly raising the likelihood of success. The broader implication of ClickFix’s rise is the continued weakness in human-centered security defenses. Even highly targeted, security-aware individuals can fall victim to persuasive prompts, particularly when they invoke urgent operational or security needs. Organizations must recognize that technical defenses alone are insufficient. Regular and scenario-based security training that stresses the dangers of executing unsolicited commands, combined with fostering a strong culture of skepticism toward unexpected IT instructions, is essential for mitigating this evolving threat. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Detection Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2), as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. 
Source: https://www.bleepingcomputer.com/news/security/state-sponsored-hackers-embrace-clickfix-social-engineering-tactic/ 

Hackers Attacking Network Edge Devices to Compromise SMB Organizations 

(TLP: CLEAR) Small and medium-sized businesses (SMBs) are increasingly targeted by cyberattacks exploiting vulnerabilities in network edge devices such as firewalls, VPN appliances, and remote access systems. Recent findings show that these devices are the initial point of compromise in over a quarter of confirmed breaches, with ransomware remaining the most significant threat. Sophos researchers report that ransomware accounts for 70% of small business incidents and over 90% for midsized organizations. Cybercriminals are focusing on the “digital detritus” of outdated and unpatched devices, using vulnerabilities to gain unauthorized access, deploy malware, and conduct data exfiltration and extortion attacks. Attackers are rapidly weaponizing disclosed vulnerabilities, often exploiting them within weeks. In some cases, attackers maintain persistence even after patches are applied, as seen with incidents involving Citrix Netscaler gateways. The exploitation of network edge devices represents the largest share of initial access methods in ransomware and data theft campaigns against SMBs. Security experts recommend urgent measures, including prioritizing edge device patching, enforcing multifactor authentication, replacing obsolete equipment, and conducting regular audits of external attack surfaces to mitigate these growing threats. 

(TLP: CLEAR) Comments: The growing wave of cyberattacks targeting network edge devices among small and medium-sized businesses (SMBs) reflects a significant shift in attacker tactics toward infrastructure exploitation. Malicious actors are increasingly aware that devices like firewalls, VPNs, and remote access systems often operate with outdated firmware, weak configurations, or poor credential policies, making them ideal targets for initial compromise. Unlike endpoint attacks, gaining control of a network edge device offers immediate access to an organization’s internal environment, often bypassing endpoint security and detection tools entirely. The concept of “digital detritus,” introduced by Sophos, highlights a systemic vulnerability: many SMBs lack the resources, staffing, or operational maturity to consistently update or replace aging systems. This challenge is compounded by the speed at which threat actors weaponize newly disclosed vulnerabilities, often exploiting them within weeks. The persistence of attacks even after patches are deployed—such as through unreset sessions—demonstrates that patching alone cannot be viewed as a complete solution once a breach has occurred. Moreover, the trend toward data exfiltration without encryption shows that attackers are adapting their monetization strategies, focusing on extortion through data theft rather than solely through ransomware encryption. This growing threat landscape demands a more proactive cybersecurity posture from SMBs. Critical defenses must include strict patch management, robust session hygiene practices, multifactor authentication on all remote access points, regular external vulnerability assessments, and continuous monitoring for signs of lateral movement or unauthorized access. Failure to address these risks leaves organizations exposed to persistent, increasingly sophisticated attacks that specifically exploit the structural weaknesses of SMB environments. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors’ intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine if the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole. 
Source: https://cybersecuritynews.com/hackers-attacking-network-edge-devices/ 

Researchers Uncovered Latest Version of Lumma InfoStealer with Code Flow Obfuscation  

(TLP: CLEAR) A new variant of the Lumma InfoStealer malware has been uncovered, showcasing advanced code flow obfuscation techniques designed to evade modern security defenses. Originally emerging in late 2022 as a Malware-as-a-Service (MaaS) offering, Lumma has evolved significantly, with the latest iteration employing multiple layers of obfuscation, including control flow flattening, dead code injection, and opaque predicates, making static analysis extremely difficult. This variant continues to target sensitive data such as stored passwords, cryptocurrency wallets, and financial information across infected systems. Primary attack vectors remain phishing emails with malicious attachments and compromised websites pushing fake software updates. Once executed, the malware establishes persistence through registry modifications and scheduled tasks while using anti-analysis measures to detect virtualized environments and security tools. Trellix researchers found that this enhanced version has already led to data breaches affecting over 3,000 systems across 40 countries, impacting financial, healthcare, and government sectors. Stolen credentials are being sold on underground forums or used in financial fraud and unauthorized network intrusions. Due to the sophisticated obfuscation techniques employed, security experts recommend implementing endpoint protection with behavioral analysis capabilities and strengthening employee security awareness training. Proactive monitoring for unusual data exfiltration patterns is also critical to detecting compromises early and mitigating potential damage. 

(TLP: CLEAR) Comments: The latest Lumma InfoStealer variant highlights the increasing sophistication of malware development, particularly in the use of advanced code flow obfuscation techniques to defeat traditional security defenses. By employing control flow flattening, dead code injection, and opaque predicates, malicious actors make static analysis nearly impossible, forcing defenders to rely more heavily on dynamic and behavioral analysis. This evolution reflects a broader trend where threat actors prioritize anti-analysis and evasion tactics as much as the data theft itself. The adoption of dynamic execution paths ensures that each infected system may behave slightly differently at runtime, reducing the effectiveness of traditional signature-based detection solutions. The combination of runtime obfuscation with standard attack vectors—such as phishing emails and compromised websites—allows Lumma to maintain high infection rates while evading many enterprise defenses. The malware’s targeting of financial, healthcare, and government sectors further demonstrates a clear focus on high-value data that can be quickly monetized or exploited for deeper intrusions. The appearance of stolen credentials on underground markets shortly after compromise underscores the rapid monetization lifecycle attackers now employ. This ongoing escalation between malware authors and security defenders necessitates a shift in defensive strategies. Organizations must prioritize behavior-based detection systems, network monitoring for early signs of data exfiltration, and comprehensive security awareness training to reduce initial infection opportunities. Reactive defenses are no longer sufficient against malware strains like Lumma that are specifically engineered to evade conventional detection and persist undetected across critical sectors. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:  

• The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.  
• The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.  
• The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.  
• The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR 

Source: https://cybersecuritynews.com/researchers-uncovered-latest-version-of-lumma-infostealer/ 

New Rust Botnet Hijacking Routers to Inject Commands Remotely  

(TLP: CLEAR) A new sophisticated botnet malware called RustoBot, written in the Rust programming language, has been discovered targeting vulnerable router devices worldwide. Researchers found that RustoBot exploits critical command injection vulnerabilities in TOTOLINK and DrayTek router models. For TOTOLINK devices such as the N600R, A830R, and others, RustoBot leverages flaws in the cstecgi.cgi script to achieve remote code execution. Similarly, DrayTek Vigor2960 and Vigor300B routers are vulnerable through CVE-2024-12987, an OS command injection in the router’s web interface. Initial exploitation involves crafted requests that download and execute architecture-specific malware binaries. RustoBot supports multiple architectures, including arm5, arm6, arm7, mips, and mpsl, ensuring wide compatibility across diverse embedded systems. The malware uses advanced techniques such as retrieving system API functions from the Global Offset Table (GOT) and encoding configuration data with XOR encryption to hinder analysis. Once installed, compromised devices connect to command and control (C2) servers hosted on domains like dvrhelper.anondns.net and rustbot.anondns.net, awaiting further instructions. RustoBot is capable of launching large-scale DDoS attacks, such as UDP flooding, by generating massive volumes of traffic to overwhelm targeted infrastructure. This discovery underscores the persistent threat posed by insecure IoT and network devices and reflects the increasing sophistication of botnet malware that leverages modern, cross-platform programming languages like Rust for enhanced stability and efficiency. 

(TLP: CLEAR) Comments: The emergence of RustoBot illustrates the growing convergence between advanced malware development and the persistent exploitation of network infrastructure for distributed denial-of-service (DDoS) operations. By targeting widely deployed but often poorly maintained routers, RustoBot enables malicious actors to rapidly amass large botnets capable of launching highly disruptive DDoS attacks. Its use of Rust, a modern and efficient programming language, enhances its cross-platform compatibility and operational stability, allowing it to infect a broad range of architectures with minimal adjustment. RustoBot’s strategic exploitation of command injection vulnerabilities in TOTOLINK and DrayTek routers highlights an ongoing weakness in IoT and network device security. Many organizations, particularly in small and mid-sized markets, leave edge devices unpatched, creating ideal conditions for botnet expansion. Once compromised, these devices are weaponized for volumetric DDoS attacks such as UDP floods, generating massive amounts of traffic designed to overwhelm targeted systems. The use of UDP flood attacks remains a preferred method due to its simplicity and the difficulty of filtering high-volume stateless traffic without specialized defenses. The growing adoption of advanced techniques, such as XOR-encrypted configuration data and GOT-based function resolution, shows how DDoS botnets are becoming harder to detect, analyze, and disrupt. This trend demands a stronger focus on network hygiene, including patch management, IoT device hardening, and proactive DDoS mitigation strategies. As botnets like RustoBot continue to evolve, organizations must view router and IoT device security as integral components of their broader DDoS defense posture. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.” 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets, whether they reside in the cloud, multi-cloud, data center, or hybrid. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds. 
Source: https://cybersecuritynews.com/new-rust-botnet-hijacking-routers/ 

Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT  

(TLP: CLEAR) Cybersecurity researchers have issued new warnings about the persistent threat posed by XorDDoS, a distributed denial-of-service (DDoS) malware that primarily targets Linux systems. Between November 2023 and February 2025, 71.3% of XorDDoS attacks targeted the United States, with significant activity also observed in Japan, Canada, Denmark, Italy, Morocco, and China. Cisco Talos researchers note that XorDDoS infections have grown due to the global distribution of the malware and an increase in malicious DNS requests tied to its command-and-control (C2) infrastructure. XorDDoS, active for over a decade, initially infects devices through SSH brute-force attacks, gaining valid credentials before downloading and installing the malware. Once established, it ensures persistence through embedded initialization scripts and cron jobs, and decrypts its configuration using a hardcoded XOR key to retrieve C2 server addresses. 

Recent observations highlight the appearance of a new “VIP version” of XorDDoS, including a central controller that manages multiple sub-controllers, indicating that the malware is being actively developed and possibly sold. The tools’ language settings suggest the operators are Chinese-speaking individuals. The malware’s reach has expanded beyond traditional Linux systems to Docker servers, converting infected hosts into bots for launching large-scale DDoS attacks. This evolution underscores the continued threat XorDDoS poses to internet-connected infrastructure globally. 

(TLP: CLEAR) Comments: The ongoing evolution of XorDDoS highlights the persistent threat that legacy DDoS malware can pose when adapted to modern infrastructure. By expanding from traditional Linux systems to Docker environments, malicious actors show an understanding of contemporary enterprise architectures, ensuring continued scalability of their botnets. The malware’s reliance on brute-force SSH attacks emphasizes that weak authentication practices remain a major vulnerability, despite increased awareness around credential security. The emergence of a “VIP version” and centralized control structure suggests that XorDDoS is being actively maintained and possibly sold within cybercriminal markets. This structure, enabling simultaneous control of multiple botnets, allows for larger, faster, and more coordinated DDoS attacks. Indicators suggesting Chinese-speaking operators point to a level of organization consistent with broader underground ecosystems offering DDoS-as-a-Service. XorDDoS’s persistence mechanisms—embedded initialization scripts and cron jobs—underscore the need for hardening server configurations and maintaining vigilant system monitoring. The malware’s ability to survive reboots and operate autonomously after initial infection makes early detection critical. Furthermore, the use of malicious DNS infrastructure for command-and-control highlights the necessity for DNS traffic monitoring as part of a comprehensive defense strategy. As XorDDoS increasingly targets containerized environments, organizations must adapt their security strategies beyond traditional Linux endpoints to include Docker and cloud-native workloads. Without proactive measures—such as SSH hardening, behavior-based anomaly detection, and strict network segmentation—organizations remain at risk of being incorporated into increasingly sophisticated and large-scale DDoS campaigns driven by malware like XorDDoS. 

(TLP: CLEAR) Recommended best practices/regulations: Critical Infrastructure and Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.” 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources. 
Source: https://thehackernews.com/2025/04/experts-uncover-new-xorddos-controller.html 

Threat Actors Turn More Sophisticated & Exploiting Zero-Day Vulnerabilities – Google Warns 

(TLP: CLEAR) The newly released M-Trends 2025 report highlights the increasing sophistication of cyber threats, with adversaries adopting more advanced methods to bypass modern defense systems. Threat actors are developing custom malware ecosystems, exploiting zero-day vulnerabilities in security appliances, and employing advanced evasion techniques to maintain long-term access to compromised networks. China-nexus threat groups, in particular, have demonstrated specialized capabilities, tailoring attack tools to specific targets and leveraging proxy networks and edge devices to exploit blind spots in security monitoring. The report also notes a broader trend of attackers using custom obfuscators in malware to hinder detection and analysis. As a result, the global median dwell time—the duration attackers remain undetected—has risen to 11 days in 2024, up from 10 days the previous year. Exploits remain the primary method of initial compromise, accounting for 33% of cases, while stolen credentials have grown to 16%, reflecting the rising impact of infostealer malware operations. Zero-day exploitation is identified as one of the most dangerous tactics, giving attackers a substantial advantage as no defenses are initially available. Modern zero-day attacks involve detailed reconnaissance and carefully crafted payloads designed to avoid detection. Defending against these threats requires a layered approach, emphasizing fundamentals like system hardening, least privilege policies, and widespread implementation of FIDO2-compliant multi-factor authentication, especially for privileged accounts. 

(TLP: CLEAR) Comments: The M-Trends 2025 report highlights the growing sophistication of threat actors and the widening challenge for cybersecurity defenders. The increased use of custom malware ecosystems and exploitation of edge devices reflects a deliberate targeting of weaker, less-monitored points in enterprise networks. Threat actors understand that compromising these overlooked areas offers a direct path to persistence, bypassing traditional endpoint detection systems. The widespread use of custom obfuscators and advanced evasion techniques marks a strategic shift toward maximizing attacker dwell time. With the global median dwell time rising to 11 days, it is evident that organizations are still struggling to detect and remediate breaches swiftly. Attackers are investing heavily in remaining undetected, complicating traditional detection and response models and requiring defenders to move beyond signature-based approaches. Zero-day exploitation remains a significant concern, offering attackers substantial advantage by targeting vulnerabilities before patches or defenses exist. However, the report’s focus on fundamental security practices—such as system hardening, enforcing least privilege, and adopting FIDO2-compliant multi-factor authentication—reinforces that many successful attacks still exploit basic lapses rather than purely technical superiority. These findings suggest that while the threat landscape is becoming more complex, many breaches can still be prevented through rigorous, layered security strategies. Behavioral analysis, continuous threat hunting, strict credential management, and proactive network monitoring must become standard practices for organizations seeking to counter increasingly stealthy and persistent adversaries. Without a disciplined focus on fundamentals, even the most advanced security technologies will struggle to stop these evolving threats. 

(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 
Source: https://cybersecuritynews.com/threat-actors-turn-more-sophisticated-exploiting-zero-day-vulnerabilities-google-warns/