Login
We were testing a black-box service for a client with an interesting software platform. They'd provided an SDK with minimal documentation—just enough to show basic usage, but none of the underlying service definitions. The SDK binary was obfuscated, and the gRPC endpoints it connected to had reflection disabled.
After spending too much time piecing together service names from SDK string dumps and network traces, we built grpc-scan to automate what we were doing manually: exploiting how gRPC implementations handle invalid requests to enumerate services without any prior knowledge.
Unlike REST APIs where you can throw curl at an endpoint and see what sticks, gRPC operates over HTTP/2 using binary Protocol Buffers. Every request needs:
Miss any of these and you get nothing useful. There's no OPTIONS request, typically limited documentation, no guessing /api/v1/users might exist. You either have the proto files or you're blind.
Most teams rely on server reflection—a gRPC feature that lets clients query available services. But reflection is usually disabled in production. It’s an information disclosure risk, yet developers rarely provide alternative documentation.
But gRPC have varying error messages which inadvertently leak service existence through different error codes:
# Calling non-existent\`unknown service FakeService``real service, wrong method``unknown method FakeMethod for service UserService``real service and method``missing authentication token`
These distinct responses let us map the attack surface. The tool automates this process, testing thousands of potential service/method combinations based on various naming patterns we've observed.
The enumeration engine does a few things
1. Even when reflection is "disabled," servers often still respond to reflection requests with errors that confirm the protocol exists. We use this for fingerprinting.
2. For a base word like "User", we generate likely services
FreshRSS UserUserServiceUsersUserAPIuser.Userapi.v1.Usercom.company.UserEach pattern tested with common method names: Get, List, Create, Update, Delete, Search, Find, etc.
3. Different gRPC implementations return subtly different error codes:
UNIMPLEMENTED vs NOT_FOUND for missing servicesINVALID_ARGUMENT vs INTERNAL for malformed requests4. gRPC's HTTP/2 foundation means we can multiplex hundreds of requests over a single TCP connection. The tool maintains a pool of persistent connections, improving scan speed.
What do we commonly see in pentests using RPC?
Service Sprawl from Migrations
SDK analysis often reveals parallel service implementations, for example
UserService - The original monolith endpointAccountManagementService - New microservice, full authUserDataService - Read-only split-off, inconsistent authUserProfileService - Another team's implementationThese typically emerge from partial migrations where different teams own different pieces. The older services often bypass newer security controls.
Method Proliferation and Auth Drift
Real services accumulate method variants over time, for example
GetUser - Original, added auth in v2GetUserDetails - Different team, no auth checkFetchUserByID - Deprecated but still activeGetUserWithPreferences - Calls GetUser internally, skips authSo newer methods that compose older ones sometimes bypass security checks the original methods later acquired.
Package Namespace Archaeology
Service discovery reveals organizational history
com.startup.api.Users - Original serviceplatform.users.v1.UserAPI - Post-merge standardization attemptinternal.batch.UserBulkService - "Internal only" but on same endpointEach namespace generation typically has different security assumptions. Internal services exposed on the same port as public APIs are surprisingly common—developers assume network isolation that doesn't exist.
UserService/CreateUser exists, but crafting a valid User message requires either the proto definition or guessing or reverse engineering of the SDK's serialization.Available at https://github.com/Adversis/grpc-scan. Pull requests welcome.
The world’s largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet’s attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.
Since its debut more than a year ago, the Aisuru botnet has steadily outcompeted virtually all other IoT-based botnets in the wild, with recent attacks siphoning Internet bandwidth from an estimated 300,000 compromised hosts worldwide.
The hacked systems that get subsumed into the botnet are mostly consumer-grade routers, security cameras, digital video recorders and other devices operating with insecure and outdated firmware, and/or factory-default settings. Aisuru’s owners are continuously scanning the Internet for these vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic.
As Aisuru’s size has mushroomed, so has its punch. In May 2025, KrebsOnSecurity was hit with a near-record 6.35 terabits per second (Tbps) attack from Aisuru, which was then the largest assault that Google’s DDoS protection service Project Shield had ever mitigated. Days later, Aisuru shattered that record with a data blast in excess of 11 Tbps.
By late September, Aisuru was publicly flexing DDoS capabilities topping 22 Tbps. Then on October 6, its operators heaved a whopping 29.6 terabits of junk data packets each second at a targeted host. Hardly anyone noticed because it appears to have been a brief test or demonstration of Aisuru’s capabilities: The traffic flood lasted less only a few seconds and was pointed at an Internet server that was specifically designed to measure large-scale DDoS attacks.
A measurement of an Oct. 6 DDoS believed to have been launched through multiple botnets operated by the owners of the Aisuru botnet. Image: DDoS Analyzer Community on Telegram.
Aisuru’s overlords aren’t just showing off. Their botnet is being blamed for a series of increasingly massive and disruptive attacks. Although recent assaults from Aisuru have targeted mostly ISPs that serve online gaming communities like Minecraft, those digital sieges often result in widespread collateral Internet disruption.
For the past several weeks, ISPs hosting some of the Internet’s top gaming destinations have been hit with a relentless volley of gargantuan attacks that experts say are well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today.
Steven Ferguson is principal security engineer at Global Secure Layer (GSL), an ISP in Brisbane, Australia. GSL hosts TCPShield, which offers free or low-cost DDoS protection to more than 50,000 Minecraft servers worldwide. Ferguson told KrebsOnSecurity that on October 8, TCPShield was walloped with a blitz from Aisuru that flooded its network with more than 15 terabits of junk data per second.
Ferguson said that after the attack subsided, TCPShield was told by its upstream provider OVH that they were no longer welcome as a customer.
“This was causing serious congestion on their Miami external ports for several weeks, shown publicly via their weather map,” he said, explaining that TCPShield is now solely protected by GSL.
Traces from the recent spate of crippling Aisuru attacks on gaming servers can be still seen at the website blockgametracker.gg, which indexes the uptime and downtime of the top Minecraft hosts. In the following example from a series of data deluges on the evening of September 28, we can see an Aisuru botnet campaign briefly knocked TCPShield offline.
An Aisuru botnet attack on TCPShield (AS64199) on Sept. 28 can be seen in the giant downward spike in the middle of this uptime graphic. Image: grafana.blockgametracker.gg.
Paging through the same uptime graphs for other network operators listed shows almost all of them suffered brief but repeated outages around the same time. Here is the same uptime tracking for Minecraft servers on the network provider Cosmic (AS30456), and it shows multiple large dips that correspond to game server outages caused by Aisuru.
Multiple DDoS attacks from Aisuru can be seen against the Minecraft host Cosmic on Sept. 28. The sharp downward spikes correspond to brief but enormous attacks from Aisuru. Image: grafana.blockgametracker.gg.
Ferguson said he’s been tracking Aisuru for about three months, and recently he noticed the botnet’s composition shifted heavily toward infected systems at ISPs in the United States. Ferguson shared logs from an attack on October 8 that indexed traffic by the total volume sent through each network provider, and the logs showed that 11 of the top 20 traffic sources were U.S. based ISPs.
AT&T customers were by far the biggest U.S. contributors to that attack, followed by botted systems on Charter Communications, Comcast, T-Mobile and Verizon, Ferguson found. He said the volume of data packets per second coming from infected IoT hosts on these ISPs is often so high that it has started to affect the quality of service that ISPs are able to provide to adjacent (non-botted) customers.
“The impact extends beyond victim networks,” Ferguson said. “For instance we have seen 500 gigabits of traffic via Comcast’s network alone. This amount of egress leaving their network, especially being so US-East concentrated, will result in congestion towards other services or content trying to be reached while an attack is ongoing.”
Roland Dobbins is principal engineer at Netscout. Dobbins said Ferguson is spot on, noting that while most ISPs have effective mitigations in place to handle large incoming DDoS attacks, many are far less prepared to manage the inevitable service degradation caused by large numbers of their customers suddenly using some or all available bandwidth to attack others.
“The outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff,” Dobbin said. “We’re now in a situation where ISPs are routinely seeing terabit-per-second plus outbound attacks from their networks that can cause operational problems.”
“The crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,” Dobbins continued. “A lot of network operators are learning that lesson now, and there’s going to be a period ahead where there’s some scrambling and potential disruption going on.”
KrebsOnSecurity sought comment from the ISPs named in Ferguson’s report. Charter Communications pointed to a recent blog post on protecting its network, stating that Charter actively monitors for both inbound and outbound attacks, and that it takes proactive action wherever possible.
“In addition to our own extensive network security, we also aim to reduce the risk of customer connected devices contributing to attacks through our Advanced WiFi solution that includes Security Shield, and we make Security Suite available to our Internet customers,” Charter wrote in an emailed response to questions. “With the ever-growing number of devices connecting to networks, we encourage customers to purchase trusted devices with secure development and manufacturing practices, use anti-virus and security tools on their connected devices, and regularly download security patches.”
A spokesperson for Comcast responded, “Currently our network is not experiencing impacts and we are able to handle the traffic.”
Aisuru is built on the bones of malicious code that was leaked in 2016 by the original creators of the Mirai IoT botnet. Like Aisuru, Mirai quickly outcompeted all other DDoS botnets in its heyday, and obliterated previous DDoS attack records with a 620 gigabit-per-second siege that sidelined this website for nearly four days in 2016.
The Mirai botmasters likewise used their crime machine to attack mostly Minecraft servers, but with the goal of forcing Minecraft server owners to purchase a DDoS protection service that they controlled. In addition, they rented out slices of the Mirai botnet to paying customers, some of whom used it to mask the sources of other types of cybercrime, such as click fraud.
A depiction of the outages caused by the Mirai botnet attacks against the internet infrastructure firm Dyn on October 21, 2016. Source: Downdetector.com.
Dobbins said Aisuru’s owners also appear to be renting out their botnet as a distributed proxy network that cybercriminal customers anywhere in the world can use to anonymize their malicious traffic and make it appear to be coming from regular residential users in the U.S.
“The people who operate this botnet are also selling (it as) residential proxies,” he said. “And that’s being used to reflect application layer attacks through the proxies on the bots as well.”
The Aisuru botnet harkens back to its predecessor Mirai in another intriguing way. One of its owners is using the Telegram handle “9gigsofram,” which corresponds to the nickname used by the co-owner of a Minecraft server protection service called Proxypipe that was heavily targeted in 2016 by the original Mirai botmasters.
Robert Coelho co-ran Proxypipe back then along with his business partner Erik “9gigsofram” Buckingham, and has spent the past nine years fine-tuning various DDoS mitigation companies that cater to Minecraft server operators and other gaming enthusiasts. Coelho said he has no idea why one of Aisuru’s botmasters chose Buckingham’s nickname, but added that it might say something about how long this person has been involved in the DDoS-for-hire industry.
“The Aisuru attacks on the gaming networks these past seven day have been absolutely huge, and you can see tons of providers going down multiple times a day,” Coelho said.
Coelho said the 15 Tbps attack this week against TCPShield was likely only a portion of the total attack volume hurled by Aisuru at the time, because much of it would have been shoved through networks that simply couldn’t process that volume of traffic all at once. Such outsized attacks, he said, are becoming increasingly difficult and expensive to mitigate.
“It’s definitely at the point now where you need to be spending at least a million dollars a month just to have the network capacity to be able to deal with these attacks,” he said.
Aisuru has long been rumored to use multiple zero-day vulnerabilities in IoT devices to aid its rapid growth over the past year. XLab, the Chinese security company that was the first to profile Aisuru’s rise in 2024, warned last month that one of the Aisuru botmasters had compromised the firmware distribution website for Totolink, a maker of low-cost routers and other networking gear.
“Multiple sources indicate the group allegedly compromised a router firmware update server in April and distributed malicious scripts to expand the botnet,” XLab wrote on September 15. “The node count is currently reported to be around 300,000.”
A malicious script implanted into a Totolink update server in April 2025. Image: XLab.
Aisuru’s operators received an unexpected boost to their crime machine in August when the U.S. Department Justice charged the alleged proprietor of Rapper Bot, a DDoS-for-hire botnet that competed directly with Aisuru for control over the global pool of vulnerable IoT systems.
Once Rapper Bot was dismantled, Aisuru’s curators moved quickly to commandeer vulnerable IoT devices that were suddenly set adrift by the government’s takedown, Dobbins said.
“Folks were arrested and Rapper Bot control servers were seized and that’s great, but unfortunately the botnet’s attack assets were then pieced out by the remaining botnets,” he said. “The problem is, even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in.”
A screenshot shared by XLabs showing the Aisuru botmasters recently celebrating a record-breaking 7.7 Tbps DDoS. The user at the top has adopted the name “Ethan J. Foltz” in a mocking tribute to the alleged Rapper Bot operator who was arrested and charged in August 2025.
XLab’s September blog post cited multiple unnamed sources saying Aisuru is operated by three cybercriminals: “Snow,” who’s responsible for botnet development; “Tom,” tasked with finding new vulnerabilities; and “Forky,” responsible for botnet sales.
KrebsOnSecurity interviewed Forky in our May 2025 story about the record 6.3 Tbps attack from Aisuru. That story identified Forky as a 21-year-old man from Sao Paulo, Brazil who has been extremely active in the DDoS-for-hire scene since at least 2022. The FBI has seized Forky’s DDoS-for-hire domains several times over the years.
Like the original Mirai botmasters, Forky also operates a DDoS mitigation service called Botshield. Forky declined to discuss the makeup of his ISP’s clientele, or to clarify whether Botshield was more of a hosting provider or a DDoS mitigation firm. However, Forky has posted on Telegram about Botshield successfully mitigating large DDoS attacks launched against other DDoS-for-hire services.
In our previous interview, Forky acknowledged being involved in the development and marketing of Aisuru, but denied participating in attacks launched by the botnet.
Reached for comment earlier this month, Forky continued to maintain his innocence, claiming that he also is still trying to figure out who the current Aisuru botnet operators are in real life (Forky said the same thing in our May interview).
But after a week of promising juicy details, Forky came up empty-handed once again. Suspecting that Forky was merely being coy, I asked him how someone so connected to the DDoS-for-hire world could still be mystified on this point, and suggested that his inability or unwillingness to blame anyone else for Aisuru would not exactly help his case.
At this, Forky verbally bristled at being pressed for more details, and abruptly terminated our interview.
“I’m not here to be threatened with ignorance because you are stressed,” Forky replied. “They’re blaming me for those new attacks. Pretty much the whole world (is) due to your blog.”
Article tags
by Harshil Patel and Prabudh Chakravorty
*EDITOR’S NOTE: Special thank you to the GitHub team for working with us on this research. All malicious GitHub repositories mentioned in the following research have been reported to GitHub and taken down.
Digital banking has made our lives easier, but it’s also handed cybercriminals a golden opportunity. Banking trojans are the invisible pickpockets of the digital age, silently stealing credentials while you browse your bank account or check your crypto wallet. Today, we’re breaking down a particularly nasty variant called Astaroth, and it’s doing something clever: abusing GitHub to stay resilient.
McAfee’s Threat Research team recently uncovered a new Astaroth campaign that’s taken infrastructure abuse to a new level. Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations. When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running. Think of it like a criminal who keeps backup keys to your house hidden around the neighborhood. Even if you change your locks, they’ve got another way in.
Astaroth is capable of targeting many South American countries like Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. It can also target Portugal and Italy.
But in the recent campaign, it seems to be largely focused on Brazil.
Figure 1: Geographical Prevalence
Astaroth is a password-stealing malware family that targets South America. The malware leverages GitHub to host configuration files, treating the platform as resilient backup infrastructure when primary C2 servers become inaccessible. McAfee reported the findings to GitHub and worked with their security research team to remove the malicious repositories, temporarily disrupting operations.
Figure 2 : Infection chain
The attack starts with an e-mail to the victim which contains a link to a site that downloads a zip file. Emails with themes such as DocuSign and resumes are used to lure the victims into downloading a zip file.
Figure 3: Phishing Email
Figure 4: Phishing Email
Figure 5: Phishing Email
JavaScript Downloader
The downloaded zip file contains a LNK file, which has obfuscated javascript command run using mshta.exe.
This command simply fetches more javascript code from the following URL:
To impede analysis, all the links are geo-restricted, such that they can only be accessed from the targeted geography.
The downloaded javascript then downloads a set of files in ProgramData from a randomly selected server:
Figure 6: Downloaded Files
Here,
”Corsair.Yoga.06342.8476.366.log” is AutoIT compiled script, “Corsair.Yoga.06342.8476.366.exe” is AutoIT interpreter,
“stack.tmp” is an encrypted payload (Astaroth),
and “dump.log” is an encrypted malware configuration.
AutoIt script is executed by javascript, which builds and loads a shellcode in the memory of AutoIT process.
Figure 7: AutoIt script building shellcode
The shellcode has 3 entrypoints and $LOADOFFSET is the one using which it loads a DLL in memory.
To run the shellcode the script hooks Kernel32: LocalCompact, and makes it jump to the entrypoint.
Figure 8: Hooking LocalCompact API
Shellcode’s $LOADOFFSET starts by resolving a set of APIs that are used for loading a DLL in memory. The API addresses are stored in a jump table at the very beginning of the shellcode memory.
Figure 9: APIs resolved by shellcode
Here shellcode is made to load a DLL file(Delphi) and this DLL decrypts and injects the final payload into newly created RegSvc.exe process.
The payload, Astaroth malware is written in Delphi and uses various anti-analysis techniques and shuts down the system if it detects that it is being analyzed.
It checks for the following tools in the system:
Figure 10: List of analysis tools
It also makes sure that system locale is not related to the United States or English.
Every second it checks for program windows like browsers, if that window is in foreground and has a banking related site opened then it hooks keyboard events to get keystrokes.
Figure 11: Hooking keyboard events
Programs are targeted if they have a window class name containing chrome, ieframe, mozilla, xoff, xdesk, xtrava or sunawtframe.
Many banking-related sites are targeted, some of which are mentioned below:
caixa.gov.br
safra.com.br
Itau.com.br
bancooriginal.com.br
santandernet.com.br
btgpactual.com
We also observed some cryptocurrency-related sites being targeted:
etherscan.io
binance.com
bitcointrade.com.br
metamask.io
foxbit.com.br
localbitcoins.com
The stolen banking credentials and other information are sent to C2 server using a custom binary protocol.
Figure 12: C2 communication
Figure 13: C2 infrastructure
Malware config is stored in dump.log encrypted, following is the information stored in it:
Figure 14: Malware configuration
Every 2 hours the configuration is updated by fetching an image file from config update URLs and extracting the hidden configuration from the image.
hxxps://bit[.]ly/4gf4E7H —> hxxps://raw.githubusercontent[.]com//dridex2024//razeronline//refs/heads/main/razerlimpa[.]png
Image file keeps the configuration hidden by storing it in the following format:
We found more such GitHub repositories having image files with above pattern and reported them to GitHub, which they have taken down.
For persistence, Astaroth drops a LNK file in startup folder which runs the AutoIT script to launch the malware when the system starts.
McAfee has extensive coverage for Astaroth:
Trojan:Shortcut/SuspiciousLNK.OSRT
Trojan:Shortcut/Astaroth.OJS
Trojan:Script/Astaroth.DL
Trojan:Script/Astaroth.AI
Trojan:Script/AutoITLoader.LC!2
Trojan:Shortcut/Astaroth.STUP
| IOC | Hash / URL |
|
7418ffa31f8a51a04274fc8f610fa4d5aa5758746617020ee57493546ae35b70 7609973939b46fe13266eacd1f06b533f8991337d6334c15ab78e28fa3b320be 11f0d7e18f9a2913d2480b6a6955ebc92e40434ad11bed62d1ff81ddd3dda945 |
|
| ZIP URL | https://91.220.167.72.host.secureserver[.]net/peHg4yDUYgzNeAvm5.zip |
| LNK | 34207fbffcb38ed51cd469d082c0c518b696bac4eb61e5b191a141b5459669df |
| JS Downloader | 28515ea1ed7befb39f428f046ba034d92d44a075cc7a6f252d6faf681bdba39c |
| Download server |
clafenval.medicarium[.]help sprudiz.medicinatramp[.]click frecil.medicinatramp[.]beauty stroal.medicoassocidos[.]beauty strosonvaz.medicoassocidos[.]help gluminal188.trovaodoceara[.]sbs scrivinlinfer.medicinatramp[.]icu trisinsil.medicesterium[.]help brusar.trovaodoceara[.]autos gramgunvel.medicoassocidos[.]beauty blojannindor0.trovaodoceara[.]motorcycles |
| AutoIT compiled script | a235d2e44ea87e5764c66247e80a1c518c38a7395291ce7037f877a968c7b42b |
| Injector dll | db9d00f30e7df4d0cf10cee8c49ee59a6b2e518107fd6504475e99bbcf6cce34 |
| payload | 251cde68c30c7d303221207370c314362f4adccdd5db4533a67bedc2dc1e6195 |
| Startup LNK | 049849998f2d4dd1e629d46446699f15332daa54530a5dad5f35cc8904adea43 |
| C2 server |
1.tcp.sa.ngrok[.]io:20262 1.tcp.us-cal-1.ngrok[.]io:24521 5.tcp.ngrok[.]io:22934 7.tcp.ngrok[.]io:22426 9.tcp.ngrok[.]io:23955 9.tcp.ngrok[.]io:24080 |
| Config update URL |
https://bit[.]ly/49mKne9 https://bit[.]ly/4gf4E7H https://raw.githubusercontent[.]com/dridex2024/razeronline/refs/heads/main/razerlimpa.png |
| GitHub Repositories hosting config images |
https://github[.]com/dridex2024/razeronline
https://github[.]com/Config2023/01atk-83567z https://github[.]com/S20x/m25 https://github[.]com/Tami1010/base https://github[.]com/balancinho1/balaco https://github[.]com/fernandolopes201/675878fvfsv2231im2 https://github[.]com/polarbearfish/fishbom https://github[.]com/polarbearultra/amendointorrado https://github[.]com/projetonovo52/master https://github[.]com/vaicurintha/gol |
The post Astaroth: Banking Trojan Abusing GitHub for Resilience appeared first on McAfee Blog.
Compiled Node.js files (.node files) are compiled binary files that allow Node.js applications to interface with native code written in languages like C, C++, or Objective-C as native addon modules.
Unlike JavaScript files which are mostly readable, assuming they’re not obfuscated and minified, .node files are compiled binaries that can contain machine code and run with the same privileges as the Node.js process that loads them, without the constraints of the JavaScript sandbox. These extensions can directly call system APIs and perform operations that pure JavaScript code cannot, like making system calls.
These addons can use Objective-C++ to leverage native macOS APIs directly from Node.js. This allows arbitrary code execution outside the normal sandboxing that would constrain a typical Electron application.
When an Electron application uses a module that contains a compiled .node file, it automatically loads and executes the binary code within it. Many Electron apps use the ASAR (Atom Shell Archive) file format to package the application's source code. ASAR integrity checking is a security feature that checks the file integrity and prevents tampering with files within the ASAR archive. It is disabled by default.
When ASAR integrity is enabled, your Electron app will verify the header hash of the ASAR archive on runtime. If no hash is present or if there is a mismatch in the hashes, the app will forcefully terminate.
This prevents files from being modified within the ASAR archive. Note that it appears the integrity check is a string that you can regenerate after modifying files, then find and replace in the executable file as well. See more here.
But many applications run from outside the verified archive, under app.asar.unpacked since the compiled .node files (the native modules) cannot be executed directly from within an ASAR archive.
And so even with the proper security features enabled, a local attacker can modify or replace .node files within the unpacked directory - not so different than DLL hijacking on Windows.
We wrote two tools - one to find Electron applications that aren’t hardened against this, and one to simply compile Node.js addons.
.node filesInteresting data point from CISA's latest emergency directive - supply chain attacks have increased 250% from 2021-2024 (62→219 incidents).
Technical breakdown: - Primary attack vector: Third-party vendor compromise (45% of incidents) - Average dwell time in supply chain attacks: 287 days vs 207 days for direct attacks - Detection gap remains significant - Cost differential: $5.12M (supply chain) vs $4.45M (direct attacks)
CISA's directive focuses on: - Zero-trust architecture implementation - SBOM (Software Bill of Materials) requirements - Continuous vendor risk assessment
Massachusetts highlighted as high-risk due to tech sector density and critical infrastructure.
Would be interested in hearing from those implementing SBOM strategies - what tools/frameworks are working?
CISA's Automated Indicator Sharing (AIS) program is showing concerning metrics on AI-driven phishing campaigns:
Technical Overview: - 300% YoY increase in AI-generated phishing attempts - Attack sophistication score: 3.2 → 8.7 (out of 10) - 85% targeting US infrastructure - ML algorithms analyzing target orgs' communication patterns, employee behavior, business relationships - Real-time generation of unique, personalized vectors
Threat Intelligence: FBI Cyber Division reports campaigns using advanced NLP to create contextually relevant emails that mimic legitimate business comms. Over 200 US organizations compromised in 30 days.
Attack Chain Evolution: Traditional phishing relied on generic templates + basic social engineering. Current wave utilizes ML to generate thousands of unique, personalized emails in real-time, making signature-based detection largely ineffective.
NIST predicts 90% of successful breaches in 2025 will originate from AI-powered campaigns.
Detailed analysis with case studies and mitigation frameworks: https://cyberupdates365.com/ai-phishing-attacks-surge-300-percent-us-cisa-emergency-alert/
Interested in technical discussion on effective countermeasures beyond traditional email filtering.
We just published a case study about an Australian law firm that noticed two employees accessing a bunch of sensitive files. The behavior was flagged using UEBA, which triggered alerts based on deviations from normal access patterns. The firm dug in and found signs of lateral movement and privilege escalation attempts.
They were able to lock things down before any encryption or data exfiltration happened. No payload, no breach.
It’s a solid example of how behavioral analytics and least privilege enforcement can actually work in practice.
Curious what’s working for others in their hybrid environments?
Domain join accounts are frequently exposed during build processes, and even when following Microsoft’s current guidance they inherit over-privileged ACLs (ownership, read-all, account restrictions) that enable LAPS disclosure, RBCD and other high-impact abuses.
Hardening requires layering controls such as disallowing low privileged users to create machine accounts and ensure that Domain Admins own joined computer objects. In addition, add deny ACEs for LAPS (ms-Mcs-AdmPwd) and RBCD (msDS-AllowedToActOnBehalfOfOtherIdentity) while scoping create/delete rights to specific OUs.
Even with those mitigations, reset-password rights can be weaponised via replication lag plus AD CS to recover the pre-reset machine secret.
Dig into this post to see the lab walkthroughs, detection pointers and scripts that back these claims.
Hey all, I found a phishing campaign that uses Zoom's document share flow as the initial trust vector. It forces victims through a fake "bot protection" gate, then shows a Gmail-like login. When someone types credentials, they are pushed out to the attacker over a WebSocket and the backend validates them.
BsidesNoVA (Oct 10–11 at GMU Mason Square, Arlington VA) is a community-run, volunteer-organized security conference.
Sharing here because several of this year’s talks and workshops are deeply technical and may be of interest to practitioners and researchers in the DMV area:
🔹 Detection / Blue-Team / DFIR
🔹 Adversary / Research / OSINT
🔹 Other Highlights
The agenda & CFP archive: https://bsidesnova.org
📍 Oct 10–11 | GMU Mason Square – Arlington VA
Posting with mod awareness; goal is to highlight technical sessions for anyone nearby who wants to learn or collaborate in person.
TLDR: LLMs generally perform better than existing SAST tools when you need to answer a subjective question that requires context (ie lots of ways to define one thing), but only as good (or worse) when looking for an objective, deterministic output.
AI is all the hype commercially, but at the same time has a pretty negative sentiment from practitioners (at least in my experience). It's true there are lots of reason NOT to use AI but I wrote a blog post that tries to summarize what AI is actually good at in regards to reviewing code.
AMI BMC vulns are on the CISA Known Exploited Vulnerabilities catalog now. I think this is the first BMC vuln to hit the KEV. Here are some Nuclei templates to detect this vuln in your BMCs.
Questions regarding netsec and discussion related directly to netsec are welcome here, as is sharing tool links.
As always, the content & discussion guidelines should also be observed on r/netsec.
Feedback and suggestions are welcome, but don't post it here. Please send it to the moderator inbox.
In version 3.0 of PacketSmith, which we shipped on Monday, we've added an IPv4/IPv6 fragmenter. Today, we're releasing an article describing some of the implementation details behind it.
Latest research from McAfee Labs just announced and the numbers are staggering. If you think you’re immune to scams because you’re “too smart” or “too careful,” you might want to think again. Scammers have stepped up their game in 2025, and they’re coming for everyone.
Let’s start with the most shocking stat: job-related scams exploded by over 1,000% from May through late July 2025. Yes, you read that right. One thousand percent.
Think about that for a moment. In a world where finding decent work feels harder than ever, scammers are weaponizing our most basic need for employment. They’re not just sending random “work from home” nonsense anymore. These criminals are getting sophisticated, using terms like “resume,” “recruit,” “maternity,” and “paternity” to exploit our hopes around benefits and career opportunities.
Here’s the brutal reality: Nearly 1 in 3 Americans have received a job offer scam by text message. That means if you’re in a group of three people, at least one of you has been targeted. Even more disturbing? 45% of Americans have either experienced a job search scam personally or know someone who has. This isn’t some distant threat anymore, it’s hitting close to home.
Amazon Prime Day was a goldmine for scammers. Text scams in the shopping category jumped 250% from May to late July, with much of that spike happening right around Prime Day. Coincidence? Absolutely not.
Scammers know exactly when we’re most vulnerable. They know we’re hunting for deals, expecting delivery notifications, and clicking faster than we’re thinking. Amazon and Apple are the top brand names being impersonated because, let’s face it, we all interact with these companies constantly.
Shopping email scams climbed 60% during this same period, with Amazon holding the top spot, Target moving into second place, and Apple rounding out the top three. The fact that Target surged into the number two spot tells us something important: scammers are diversifying their approach and studying our shopping habits more carefully than we might be studying theirs.
Personal finance scams aren’t just growing, they’re surging nearly 150% from May to late July. Email scams in this category literally doubled between June and July. The top bait words? “Loan” and “money.” Because nothing says desperation like targeting people who are already financially stressed.
Credit cards topped the list of email scam keywords, which makes perfect sense. In an economy where everyone’s feeling pinched, the promise of easy credit or debt relief hits different. URL-based finance scams rose 10% in July alone, proving that scammers are hitting us from every digital angle.
Here’s what’s really clever (in a completely evil way): technology scams grew 40% in text messages and saw a staggering 160% increase in email scams across June and July. Apple dominated the scam landscape, but here’s the kicker: Nvidia drove much of the late-July growth.
Think about why that matters. Nvidia isn’t just any tech company; it’s the company behind the AI revolution everyone’s talking about. Scammers are literally using our fascination with AI and cutting-edge tech against us. They’re banking on our FOMO around technology trends.
Let’s step back and think critically about what’s really happening here. These aren’t random increases. Scammers are becoming more sophisticated, more targeted, and more successful because they’re exploiting fundamental human psychology:
Economic anxiety: With inflation concerns and job market uncertainty, financial scams hit when people are most vulnerable.
Technology overwhelm: As tech evolves rapidly, scammers exploit our confusion and excitement about new developments.
Social proof manipulation: Using trusted brand names like Apple, Amazon, and Target because we’ve been conditioned to trust these companies.
Timing exploitation: Hitting during Prime Day, benefit enrollment periods, and job hunting seasons when our guard is down.
But there’s another layer we need to call out, the long-term impact of falling for a fake job. When you’re unemployed, every lead matters. Chasing a fraudulent one doesn’t just waste time; it effectively pauses your real job search. Many people say job hunting is a full-time job in itself, so losing that time can feel like being pushed back to square one. That setback compounds stress and deepens the economic anxiety you were already feeling. It’s not just about losing money, it’s about losing momentum, confidence, and critical opportunities in a competitive market.
Advice like “just be careful” doesn’t cut it anymore. Scammers have leveled up, and their tactics are sophisticated enough to fool even the smartest of people. That’s why having the right tools and awareness matters more than ever. Staying informed isn’t about fear, it’s about empowerment. The more you know, the harder it is for scammers to win.
For job seekers: If someone contacts you about a job you didn’t apply for, especially mentioning benefits or asking for personal information upfront, pump the brakes. Real recruiters don’t typically lead with benefit details or ask for sensitive data in initial communications.
For online shoppers: Those delivery notifications and deal alerts you’re getting? Slow down before clicking. Go directly to the retailer’s official website or app instead of clicking links in texts or emails.
For anyone with financial concerns: If an offer sounds too good to be true (instant loans, credit repair miracles, investment opportunities), it probably is. When you’re stressed about money, that’s exactly when scammers strike hardest.
For tech enthusiasts: Being excited about new technology is great, but scammers are counting on that excitement to make you click faster than you think. Always verify tech-related communications through official channels.
The data is crystal clear: scams aren’t just increasing, they’re exploding across every category that matters to everyday people. Job hunting, shopping, managing money, staying current with technology. These criminals are systematically targeting the most essential aspects of modern life.
But here’s what the scammers don’t want you to know: awareness is your best defense. They rely on speed, emotion, and distraction. The moment you slow down, verify independently, and think critically, their whole game falls apart.
The 2025 scam landscape isn’t just more dangerous, it’s more personal. These aren’t random attempts anymore. They’re calculated attacks designed to hit you exactly when and where you’re most likely to let your guard down. To help job hunters and others, McAfee has launched Scam Detector, an all-in-one protection solution to help keep you safer across text, email and video. McAfee’s Scam Detector runs continuously in the background across all your devices, analyzing incoming emails, texts, and videos to detect potential scams in real-time. When it detects something suspicious, you get an instant alert that explains what raised the red flag and walks you through the specific tactics scammers use, so you can spot similar attempts on your own. For job seekers, Scam Detector can be an invaluable tool to help prevent fraudulent scams.
Stay sharp out there. Your financial security, career prospects, and digital safety depend on it.
The post Scam Alert: The Alarming Reality Behind 2025’s Explosion in Digital Fraud appeared first on McAfee Blog.
