Sarina

I. Targeted Entities

• Financial Institutions
• E-commerce Platforms
• Cryptocurrency Exchanges
• Government Agencies
• Individual Users with High-Value Accounts

II. Introduction

Gorilla Bot is an advanced malware strain first detected in early 2025, specializing in automated credential stuffing, web scraping, and distributed denial-of-service (DDoS) attacks. The malware operates as a botnet-as-a-service, allowing cybercriminals to rent botnet capabilities for various malicious purposes. Gorilla Bot leverages advanced evasion techniques, including rotating IP addresses, encrypted command-and-control (C2) communications, and AI-driven attack automation.

Gorilla Bot traces its lineage to the infamous Mirai botnet, which gained notoriety in 2016 for exploiting Internet of Things (IoT) devices to launch massive DDoS attacks. Mirai’s source code was leaked publicly, leading to the creation of numerous variants. Gorilla Bot is one such derivative, distinguished by its enhanced capabilities and operational sophistication.

While initially believed to have surfaced in late 2024, further research indicates that Gorilla Bot has been active for over a year, suggesting a more prolonged development and deployment phase than previously understood.

Gorilla Bot has been observed infiltrating corporate networks through phishing campaigns and exploiting web application vulnerabilities. Once inside, it rapidly expands by exploiting weak credentials, unpatched software, and misconfigured cloud environments. The malware has been linked to multiple high-profile data breaches, exfiltrating sensitive information from financial institutions and large-scale e-commerce platforms.

III. Additional Background Information

Between September 4 and September 27, 2024, GorillaBot issued over 300,000 attack commands, averaging 20,000 per day. These attacks targeted over 100 countries, with China, the United States, Canada, and Germany being the most affected. Victim sectors included universities, government websites, telecommunications, banking, gaming, and gambling industries. This widespread impact underscores the botnet’s global reach and the diverse range of targets it affects.

The malware’s primary monetization strategies include selling stolen credentials on dark web marketplaces, launching paid DDoS-for-hire attacks, and reselling scraped data to third parties.

Capabilities:

• UDP Flood: Overwhelms the target with User Datagram Protocol packets.
• ACK BYPASS Flood: Exploits TCP acknowledgment packets to bypass filters.
• SYN Flood: Initiates multiple connection requests to exhaust system resources.
• Valve Source Engine (VSE) Flood: Targets gaming servers using the Valve gaming platform.
• ACK Flood: Similar to ACK BYPASS but uses acknowledgment packets more broadly.

Mechanics of the Malware:

GorillaBot operates by infecting a diverse array of devices, including routers, IoT gadgets, and cloud hosts. It supports multiple CPU architectures such as ARM, MIPS, x86_64, and x86, allowing it to compromise a wide range of systems. Upon execution, the malware connects to one of five predefined command-and-control (C2) servers to receive instructions.

Service Installation: It creates a service file named custom.service in the /etc/systemd/system/ directory to ensure it runs at system startup.

Script Execution: The malware downloads and executes a shell script (lol.sh) from a remote server, embedding commands in system files like /etc/inittab, /etc/profile, and /boot/bootcmd to maintain its presence.

Anti-Honeypot Measures: GorillaBot includes checks to detect and avoid analysis environments, such as verifying the existence of the /proc filesystem, a common feature in honeypots.

IV. MITRE ATT&CK Tactics and Techniques

• Initial Access (T1071.001): Gained via phishing emails, malicious browser extensions, and exploit kits.

• Persistence (T1053.005): Uses scheduled tasks and rootkits to maintain long-term control of infected systems.

• Credential Access (T1110.003): Conducts large-scale credential stuffing and brute-force attacks.

• Command and Control (T1095): Employs encrypted channels for stealthy communications with C2 servers.

• Impact (T1498.001): Executes DDoS attacks to disrupt business operations.

V. Recommendations

To mitigate the risk of Gorilla Bot infections, organizations and individuals should implement the following security measures:

Network and Infrastructure Security

• Deploy Web Application Firewalls (WAF) to block automated bot traffic.

• Enable rate-limiting to prevent excessive login attempts.

• Implement multi-factor authentication (MFA) on all critical accounts.

• Regularly update software and patch known vulnerabilities.

User Awareness and Training

• Conduct phishing awareness training to recognize suspicious emails.

• Warn employees about the risks of using reused passwords across services.

Threat Detection and Monitoring

• Monitor logs for unusual login attempts and API abuse.

• Employ behavioral analysis tools to detect automated bot activity.

• Use IP reputation services to block known malicious addresses.

Incident Response Preparedness

• Establish a response plan for large-scale DDoS attacks.

• Ensure data backups are regularly updated and stored securely.

VI. IOCs (Indicators of Compromise)

GorillaBot operates by infecting a diverse array of devices.

Suspicious IP Addresses:

193[.]143[.]1[.]70 (C2 server)

193[.]143[.]1[.]59 (C2 server)

Malicious Domains:

• gorillabot[.]net

• auth-bypass[.]cc

• datastealer[.]ru

File Hashes (SHA-256):

• e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

• 1f3870be274f6c49b3e31a0c6728957f6c5d7d17b22f0a073b3e3b8e7f23b07f

VII. Additional OSINT Information

• Gorilla Bot operators actively recruit on underground forums using aliases such as “ShadowKing” and “BotMasterX.” 
• The malware is frequently distributed through cracked software downloads and malicious browser extensions. 
• Security researchers have linked Gorilla Bot’s infrastructure to past cybercrime operations, including ransomware deployment and data exfiltration schemes. 

VIII. References

https://www.thousandguards.com/post/gorilla-strength-denial-of-service-for-work-and-play-industries 

https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.html

https://www.darkreading.com/cyberattacks-data-breaches/gorillabot-goes-ape-cyberattacks-worldwide

https://seniortechinfo.com/gorilla-botnet-launches-300k-ddos-attacks-in-100-countries/

Threat Advisory created by The Cyber Florida Security Operations Center. 

Contributing Security Analysts: Nahyan Jamil

To learn more about Cyber Florida visit: www.cyberflorida.org 

I. Targeted Entities

Systems and applications using Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, 9.0.0.M1 through 9.0.98.

II. Introduction

CVE-2025-24813 describes a vulnerability in Apache Tomcat which would allow a malicious actor to perform a variety of attacks such as remote code execution, information disclosure, and injecting malicious payloads or content into uploaded files. This type of vulnerability is caused by improper handling of path equivalence, which normally ensures that different file paths point to the same resource. This improper handling within the Default Servlet is related to write-enabled configurations in Apache Tomcat and it impacts several versions of the application prior to the fix.

III. Additional Background Information

CVE-2025-24813 is a vulnerability affecting Apache Tomcat that can occur when the default servlet is configured to allow write functionality which is normally disabled by default. This vulnerability can be exploited when combined with the default behavior of allowing for partial PUT requests. In this scenario, an attacker could upload a specially crafted serialized session file, or simply, a malicious payload, to a writable directory within the system. Once the file is uploaded, a subsequent HTTP request triggers Tomcat to deserialize the file’s contents, executing the embedded malicious payload.

While exploiting CVE-2025-24813 can lead to significant impact, successful remote code execution requires several prerequisites:

1. Write Capability on the Default Servlet: The default servlet has to be explicitly configured to allow write functionality, which is not normally enabled by default.
2. Partial PUT Requests: The target system must allow for partial PUT requests.
3. File-Based Session Persistence: The web application has to use file-based session persistence with a default storage location, providing an accessible and writable directory for uploading malicious payloads.
4. Deserialization Vulnerability: The application must have a deserialization-vulnerable library which would enable the malicious payload to be executed during the deserialization process.
5. Knowledge of Internal File System: The attacker needs to understand the file naming conventions and directory structure of the target system for successful exploitation of the vulnerability.

IV. MITRE ATT&CK

• T1006 – File System Logical Link
  T1006 or File System Logical Link refers to when adversaries have the ability to create symbolic links or shortcuts to files in order to abuse the way some operating systems handle file paths.This is relevant since CVE-2025-24813 involves manipulating file paths to access and modify unintended files, fitting the pattern of abusing file system logical links.

V. Recommendations

To mitigate attacks leveraging this vulnerability, these are the recommendations for CVE-2025-24813:

Upgrading Apache Tomcat to a Patched Version

By immediately upgrading to:

• Tomcat 0.99 (for 9.x series)
• Tomcat 1.35 (for 10.x series)
• Tomcat 0.3 (for 11.x series)

It provides a fix for the improper handling of partial PUT requests and path equivalency issues that could be exploited for remote code execution or file manipulation.

Disabling Partial PUT Support

Configure Tomcat to disallow partial PUT requests, which allow clients to send file content in chunks or ranges. Recommended actions include:

• Modifying Tomcat’s configuration files (server.xml and/or web.xml) to block or ignore PUT methods if your application doesn’t use them.
• Implementing an HTTP filter to reject incoming PUT requests altogether (unless those requests are required for your needs)

Since this vulnerability exploits partial PUT behavior to inject content into files. If partial PUT is not supported, this attack vector is closed.

Restricting Default Servlet Write Permissions

Ensure that the default servlet (the part of Tomcat that serves static files) cannot accept uploads or write to sensitive directories. To do so, you must:

• Tighten file system permissions (chmod, chown) to ensure Tomcat processes run with minimal privileges.
• Ensure the /webapps directory and static content directories are read-only unless absolutely necessary.
• Review DefaultServlet configuration for <init-param> like readonly and set it to true.

If the default servlet has write permissions, attackers could upload or modify arbitrary files which could lead to defacement, data theft, or execution of malicious scripts.

Enforcing Strong Web Application Firewall (WAF) Policies

You should deploy or tune your WAF to:

• Detect and block unusual PUT, PATCH, or malformed HTTP methods.
• Flag requests targeting .jsp, .war, or sensitive file types.

Having a WAF can act as an additional protective layer by stopping attacks even if Tomcat is not yet patched or misconfigured.

Monitoring Server Logs Aggressively

Continuously monitor access logs (e.g., access_log, catalina.out) and security logs for:

• Unexpected PUT or PATCH requests.
• External requests targeting .jsp files in unusual locations.

Early detection of attempts allows you to respond quickly to intrusions before they escalate. Using tools such as Splunk, ELK stack, or Wazuh can make for efficient log review and analysis, with trigger alerts on anomalies.

VI. IOCs (Indicators of Compromise)

Figure 2: File paths of attack payloads (using .session extensions)

Figure 3: Payload in the request body, attempting to call the .session file (Akamai)

VII. Additional OSINT Information

Figure 1: Exposed Tomcat instances on Shodan showing being geolocated in China, Brazil, Morroco, and the U.S (Recorded Future

Figure 2: Proof of Concept for exploiting CVE-2025-24813 (GitHub – absholi7ly)

Figure 3: Signature for CVE-2025-24813 (Recorded Future)

VIII. References

Absholi7ly. (2025, March 22). POC-CVE-2025-24813: Proof of concept for CVE-2025-24813 in Apache Tomcat [Source code]. GitHub. https://github.com/absholi7ly/POC-CVE-2025-24813

Apache Software Foundation. (2025, March 10). CVE-2025-24813 Detail. National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2025-24813

Detecting and mitigating Apache Tomcat CVE-2025-24813 | Akamai. Akamai Security Intelligence Group. (2025, March 25). https://www.akamai.com/blog/security-research/march-apache-tomcat-path-equivalence-traffic-detections-mitigations

Group, I. (2025, March 28). Apache tomcat: CVE-2025-24813: Active exploitation. Recorded Future. https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis

[SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT. Lists.apache.org. (2025, March 10). https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq

Threat Advisory created by The Cyber Florida Security Operations Center.

Contributing Security Analysts: Jason Doan

To learn more about Cyber Florida visit: www.cyberflorida.org

I. Targeted Entities

Financial Sector, Crypto Space, ByBit, Bybit affiliates, and Bybit customers.

II. Introduction

On February 21, 2025, Bybit, a major cryptocurrency exchange, experienced a security breach that resulted in the loss of $1.5 billion worth of Ethereum. This incident is the largest digital heist in the history of cryptocurrency. Bybit is currently collaborating with experts to trace the stolen assets. They have launched a recovery bounty program, offering up to 10% of the recovered amount to individuals who can assist in retrieving the stolen crypto.

The Lazarus Group, a well-known hacking collective believed to be based in North Korea, has claimed responsibility for the attack. This group is notorious for orchestrating high-profile cyberattacks, particularly targeting financial institutions. In this instance, the attackers infiltrated a developer’s computer associated with the Gnosis Safe wallet, a widely used multi-signature wallet designed for secure management of cryptocurrency assets. Gnosis Safe operates by requiring multiple private key approvals to authorize transactions, providing an added layer of security to prevent unauthorized transfers.

However, the Lazarus Group managed to manipulate the Safe user interface (UI) that was specifically employed for Bybit transactions. By injecting malicious JavaScript into the UI, they were able to create the illusion that Bybit was authorizing a legitimate transaction. This allowed the attackers to bypass security protocols and facilitate the unauthorized transfer of funds, effectively masking their illicit actions as legitimate business operations. This attack highlights the vulnerabilities associated with software development environments and the potential for targeted manipulation of trusted tools like the Gnosis Safe.

III. Additional Background Information

The Lazarus group also known as APT38, has been active since at least 2009. Lazarus group was reportedly responsible for the November 2014 attack against Sony Pictures Entertainment as a part of a campaign named Operation blockbuster by Novetta. The group has been correlated to other campaigns including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.

In 2017, Lazarus group was reportedly responsible for the creation of the malware used in the 2017 WannaCry 2.0 global ransomware attack; the 2016 theft of $81 million from Bangladesh bank; and numerous other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.

The largest cryptocurrency heist attributed to Lazarus prior was in 2024 with the $308 million attack on Japan-based exchange DMM Bitcoin, the compromise of the Japanese cryptocurrency wallet software firm swiftly led to the company’s collapse and was largely known as the single largest crypto theft until now.

IV. MITRE ATT&CK

Initial Access via Supply Chain Compromise (T1071.001): Attackers gained access by compromising a developer’s machine associated with Safe {Wallet}, the platform used by Bybit for managing multi-signature wallets.

User Interface Manipulation (T1071.001): They injected malicious JavaScript into the Safe {Wallet} interface, altering transaction details to mislead wallet signers into approving unauthorized transactions.

Transaction Manipulation (T1071.001): By modifying the appearance and details of transactions, the attackers ensured that the signers unknowingly authorized the transfer of funds to addresses under their control.

Command and Control (T1071.001): The use of malicious JavaScript indicates a command-and-control mechanism to deliver and execute payloads on compromised systems.

V. Recommendations

Some recommendations we can offer to ensure your cryptocurrency is secure and mitigate risks of this hack occurring:

• Enhance security around multi-signature wallets
  • Improving key management ensures they are used correctly with separate keys stored in different secure locations.
  • With regular key rotation, rotating keys are used for signing and it ensures they are in the hands of trusted individuals.
• Harden social engineering defenses
  • Having users trained and aware of such attacks significantly reduces the chances of these attacks happening.
  • Training around phishing and data handling practices strengthens awareness as a whole.

• Use hardware wallets (cold storage)
  • Hardware wallets allow users to store their private keys offline, making them immune to online attacks.
  • A way to avoid keeping larger amounts on exchanges.

• Use a trustworthy cryptocurrency exchange – backed by MFA
  • A trustworthy exchange can mitigate risks to wallets on the platform if they are backed by multi-factor authentication and require verification for each transaction.
  • NEVER sharing your backup codes with anyone.

VI. IOCs (Indicators of Compromise)

The following is a screenshot showing that at the time of transaction signing, cache files containing Javascript resources were created on the Chrome browser of all three signers’ hosts. (From Sygnia’s Investigation Report)

The following shows screenshots of the injected code which activates under the condition that the transaction source matches one of two contract addresses, believed to be the associated threat actor. (From Sygnia’s Investigation Report) 

The following shows screenshots of comparisons between the original legitimate JavaScript resources within Safe {Wallet}’s code and the one with the modified malicious resource. (From Sygnia’s Investigation Report)

VII. Additional OSINT Information

The following Ethereum addresses are holding or have held assets from the theft, and are operated by or closely connected to North Korean TraderTraitor actors:

• 0x51E9d833Ecae4E8D9D8Be17300AEE6D3398C135D

• 0x96244D83DC15d36847C35209bBDc5bdDE9bEc3D8

• 0x83c7678492D623fb98834F0fbcb2E7b7f5Af8950

• 0x83Ef5E80faD88288F770152875Ab0bb16641a09E

• 0xAF620E6d32B1c67f3396EF5d2F7d7642Dc2e6CE9

• 0x3A21F4E6Bbe527D347ca7c157F4233c935779847

• 0xfa3FcCCB897079fD83bfBA690E7D47Eb402d6c49

• 0xFc926659Dd8808f6e3e0a8d61B20B871F3Fa6465

• 0xb172F7e99452446f18FF49A71bfEeCf0873003b4

• 0x6d46bd3AfF100f23C194e5312f93507978a6DC91

• 0xf0a16603289eAF35F64077Ba3681af41194a1c09

• 0x23Db729908137cb60852f2936D2b5c6De0e1c887

• 0x40e98FeEEbaD7Ddb0F0534Ccaa617427eA10187e

• 0x140c9Ab92347734641b1A7c124ffDeE58c20C3E3

• 0x684d4b58Dc32af786BF6D572A792fF7A883428B9

• 0xBC3e5e8C10897a81b63933348f53f2e052F89a7E

• 0x5Af75eAB6BEC227657fA3E749a8BFd55f02e4b1D

• 0xBCA02B395747D62626a65016F2e64A20bd254A39

• 0x4C198B3B5F3a4b1Aa706daC73D826c2B795ccd67

• 0xCd7eC020121Ead6f99855cbB972dF502dB5bC63a

• 0xbdE2Cc5375fa9E0383309A2cA31213f2D6cabcbd

• 0xD3C611AeD139107DEC2294032da3913BC26507fb

• 0xB72334cB9D0b614D30C4c60e2bd12fF5Ed03c305

• 0x8c7235e1A6EeF91b980D0FcA083347FBb7EE1806

• 0x1bb0970508316DC735329752a4581E0a4bAbc6B4

• 0x1eB27f136BFe7947f80d6ceE3Cf0bfDf92b45e57

• 0xCd1a4A457cA8b0931c3BF81Df3CFa227ADBdb6E9

• 0x09278b36863bE4cCd3d0c22d643E8062D7a11377

• 0x660BfcEa3A5FAF823e8f8bF57dd558db034dea1d

• 0xE9bc552fdFa54b30296d95F147e3e0280FF7f7e6

• 0x30a822CDD2782D2B2A12a08526452e885978FA1D

• 0xB4a862A81aBB2f952FcA4C6f5510962e18c7f1A2

• 0x0e8C1E2881F35Ef20343264862A242FB749d6b35

• 0x9271EDdda0F0f2bB7b1A0c712bdF8dbD0A38d1Ab

• 0xe69753Ddfbedbd249E703EB374452E78dae1ae49

• 0x2290937A4498C96eFfb87b8371a33D108F8D433f

• 0x959c4CA19c4532C97A657D82d97acCBAb70e6fb4

• 0x52207Ec7B1b43AA5DB116931a904371ae2C1619e

• 0x9eF42873Ae015AA3da0c4354AeF94a18D2B3407b

• 0x1542368a03ad1f03d96D51B414f4738961Cf4443

• 0x21032176B43d9f7E9410fB37290a78f4fEd6044C

• 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e

• 0x55CCa2f5eB07907696afe4b9Db5102bcE5feB734

• 0xA5A023E052243b7cce34Cbd4ba20180e8Dea6Ad6

• 0xdD90071D52F20e85c89802e5Dc1eC0A7B6475f92

• 0x1512fcb09463A61862B73ec09B9b354aF1790268

• 0xF302572594a68aA8F951faE64ED3aE7DA41c72Be

• 0x723a7084028421994d4a7829108D63aB44658315

• 0xf03AfB1c6A11A7E370920ad42e6eE735dBedF0b1

• 0xEB0bAA3A556586192590CAD296b1e48dF62a8549

• 0xD5b58Cf7813c1eDC412367b97876bD400ea5c489

The list of addresses associated with the Bybit hack are still continuously being updated and the blocklist can be found here.

The following shows how the attackers moved funds off Bybit after the initial hack as shown by TRM Labs. (The following is derived from TRM Labs) 

The following shows the rapid laundering process as of March 2, 2025, this includes transfers through multiple wallets and conversions into different cryptocurrencies. (The following is derived from TRM Labs)

The following shows the rapid laundering process as of March 2, 2025, this includes transfers through multiple wallets and conversions into different cryptocurrencies. (The following is derived from TRM Labs)

VIII. References

Bybit Confirms Security Integrity Amid Safe{Wallet} Incident – No Compromise in Infrastructure. Bybit Press. (2025, February 26). https://www.bybit.com/en/press/post/bybit-confirms-security-integrity-amid-safe-wallet-incident-no-compromise-in-infrastructure-blt9986889e919da8d2

Greig, J. (2024, December 25). FBI attributes largest crypto hack of 2024 to North Korea’s TraderTraitor. Cyber Security News | The Record. https://therecord.media/fbi-largest-crypto-hack-2024-tradertraitor

Internet Crime Complaint Center (IC3) | North Korea responsible for $1.5 billion bybit hack. (2025, February 26). https://www.ic3.gov/PSA/2025/PSA250226

North Korean Regime-Backed Programmer Charged With Conspiracy to. (2025, February 6). https://www.justice.gov/archives/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

Team, C. (2025, February 27). Leveraging transparency for collaboration in the wake of Record-Breaking Bybit theft [UPDATED 2/27/25]. Chainalysis. https://www.chainalysis.com/blog/bybit-exchange-hack-february-2025-crypto-security-dprk/

The Bybit hack: following North Korea’s largest exploit | TRM Insights. (n.d.). https://www.trmlabs.com/post/the-bybit-hack-following-north-koreas-largest-exploit

Threat Advisory created by the Cyber Florida Security Operations Center.

Contributing Security Analysts: Nahyan Jamil and Jason Doan

I. Targeted Entities

• Energy Sector
• Healthcare Sector
• Transportation Sector
• Financial Services
• Critical Infrastructure
• Telecommunications
• Higher Education

II. Introduction

DieNet first emerged on March 7^th, 2025. According to Radware, a global cybersecurity and application provider, they have claimed 61 attacks against 19 United States organizations. DieNet has also claimed 17 attacks against many organizations in countries such as Iraq, Netherlands, Egypt, and Israel. DieNet is known to target critical infrastructure particularly in the sectors of transportation, energy, finance, telecommunications, and healthcare. DieNet has been seen carrying out Distributed Denial of Service (DDoS) attacks against organizations to gain headline attention as a form of protest. They have targeted military and government entities around the time of political decisions.

• This hacktivist group has many political and social motives. They have stated to be anti-Trump and anti-Zionist. Some pro-Palestinian hacktivist groups have endorsed DieNet, sharing the same ideologies and frameworks. It appears any organizations or groups in support of the United States President Donald Trump or receiving federal funding are targets. These cyber criminals often frame their attacks around retaliation for military actions or political decisions.
• This group includes bold and aggressive messages, threats, and taunts within their attacks. These bold and aggressive messages include statements such as “We are watching you”. These attacks are strategically carried out to maximize visibility. It has been noted that the persistence seen within these DDoS attacks would be near impossible for most botnets. These attacks are short but fierce, taking down and defacing websites and services.

III. Additional Background Information

• Hacktivists are individuals or groups that conduct cyber-attacks to bring awareness to specific political, social, religious, or global causes. These actions are carried out to gain visibility or make a statement, supporting a cause they are promoting. Hacktivism is carried out in many forms such as Distributed Denial of Service (DDOS) attacks, doxing, or defacement of websites. DDoS attacks work by using multiple botnets which can be scattered across various geographic locations and flood an organizations server infrastructure with traffic making the resources unavailable. This can cause large disruptions in service. Botnets are networks of computers that have been infected with malware, hijacked, and now carry out various cyberattacks. These are specifically important when it comes to large Distributed Denial of Service (DDoS) attacks as they require heavy computing power.
• DieNet stated on Telegram, a messaging service commonly used by this group’s members, that DieNet v2 has begun service, which includes larger botnets and increased membership. Currently, a report from the Center for Internet Security stated another Telegram message from DieNet was released on March 21^st that told the public they had breached a United States Federal Government agency and acquired government employees Personally Identifiable Information (PII). If this claim becomes verified, it could result in a large escalation of DieNet’s Tactics, Techniques, and Procedures (TTPs).
• At the time of this being written, Recorded Future, a leading cyber threat intelligence platform, has seen DieNet carry out suspected attacks in the United States against the Port of Los Angeles, Chicago Transit, Lumen Technologies, the North American Electric Reliability Corporation, U.S. Department of Commerce, International Trade Administration, Nasdaq, Inc., Northeastern University, Meditech, Pacific Gas and Electric Company, WaterOne, CoinBase, the National Emergency Medical Services Information System, U.S. Postal Service, Epic Systems, NASA, Veterans of Foreign Wars, FBI Crime Data Explorer, X, Axos Bank, Lyft, ProductionHUB, and Azure.
• Although there is currently limited information, as this group was established less than 3 weeks ago at the time this advisory was written, the exploit seems to use exploit tactics that are defined in the MITRE ATT&CK framework, such as T1498, Network Denial of Service, and T1491.002, Defacement: External Defacement.
• Previous DDoS attacks that involve hacktivists bring major concern to the target industries as these attacks can cause service interruptions, societal concern, and financial losses.
• Organizations are strongly urged to maintain proper security practices. These practices should include security awareness training, applying the latest patches and monitoring for indicators of compromise (IoC). Failure to follow these procedures could result in severe disruptions and possible data breaches.

IV. MITRE ATT&CK

• T1498-Network Denial of Service
  This type of attack involves the adversary blocking the availability of targeted resources to users of a system. In this case, the adversary exhausts the network bandwidth, rendering websites and services unavailable.
• T1491.002-Defacement: External Defacement
  This type of sub attack is used to deface external systems of a group or organization in an attempt to display a message. In this case, DieNet is using this as a way to intimidate the organizations and gain visibility.

V. Recommendations

• Implement a Defense-In-Depth Strategy
  • Implement many different layers of security. This can include reducing your organization’s DDoS attack surface by restricting access to areas and blocking communication on unused or unsecure ports, protocols, and services. Other layers include configuring Endpoint Detection and Response (EDR) software, firewalls, and robust Anti-Virus (AV) to all devices and systems. Always perform both online and offline backups. Preforming both will ensure that copies of data are in various locations, one of which being inaccessible to the attacker.
• Apply Rate Limiting and Load Balancers
  • Rate limiting puts a threshold on how often an action can be repeated in a certain timeframe. Implementation of rate limiting through network configuration settings can help prevent botnet activity. Load Balancers are the first line of defense against DDoS attacks. Having proper load balancers in place will also make sure your websites and services stay available during a DDoS attack. In the event of a DDoS attack, load balancers can distribute traffic across multiple servers, allowing the ability for services to remain available in some cases.
• Implement a Web Application Firewall (WAF)
  • A WAF works dynamically using custom policies based on your organizations environment to filter and analyze network traffic. The WAF can change and add new policies to combat any emerging attacks by continuously monitoring network traffic for changes.
• Establish an Incident Response Plan
  • Create or revise an incident response plan that includes steps for handling a Denial of Service or Distributed Denial of Service attack. The reaction team should be equipped and trained to deal with any possible breaches as well.

VI. Indicators of Compromise (IOCs)

The attacks being carried out by DieNet are constantly evolving, have botnets that span across the globe, use encrypted traffic, and employ the use of legitimate IP addresses making it incredibly difficult to find reliable IoCs.

VII. Additional OSINT Information

Image 1 of DDoS Attack on the Nasdaq Stock Exchange

Image 2 of Anti-Trump Verbage

Recorded Future Threat Intelligence Platform

Image 3 of DieNet v2 DDos Attack on Azure

Recorded Future Threat Intelligence Platform

Image 4 of DieNet Website Defacement

Recorded Future Threat Intelligence Platform

Image 5 of DieNet DDoS Affecting Login Pages

Recorded Future Threat Intelligence Platform

Associated Hacktivist Groups:

-Mr Hamza: Pro-Palestinian, pro-Russian, pro-Iranian hacktivist group promoting DieNet.

-LazaGrad Hack: Pro-Palestinian, pro-Russian hacktivist group promoting DieNet.

-Sylhet Gang-SG: Hacktivist group targeting allies of Zionist entities.

VIII. References

Baker, K. (2025). Indicators of compromise (IOC) security. CrowdStrike. https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/indicators-of-compromise-ioc/#:~:text=As%20cyber%20criminals%20become%20more,which%20makes%20detection%20more%20difficult.

Center for Internet Security (CIS). (2025, March 26). Threat Actor Profile – Emerging Hacktivist Group DieNet Claims Distributed Denial-of-Service Attacks against U.S. Critical Infrastructure.

CyberKnow (@cyberknow20). X. (2025). https://twitter.com/Cyberknow20

Defacement: External defacement. Defacement: External Defacement, Sub-technique T1491.002 – Enterprise | MITRE ATT&CK®. (n.d.). https://attack.mitre.org/techniques/T1491/002/

DieNet Activity Escalates Against US Organizations. Radware. (2025, March 18). https://www.radware.com/security/threat-advisories-and-attack-reports/dienet-activity-escalates-against-us-organizations/

DieNet Organization. Recorded Future. (2025). https://app.recordedfuture.com/portal/intelligence-card/sMCKdQ/overview

Dos attack vs ddos attack: Key differences? Fortinet. (n.d.-a). https://www.fortinet.com/resources/cyberglossary/dos-vs-ddos#:~:text=What%20Is%20The%20Difference%20Between,to%20flood%20a%20targeted%20resource.

Goldman, L. (2023, March 17). Why load balancers should be part of your security architecture. Spiceworks Inc. https://www.spiceworks.com/it-security/network-security/guest-article/load-balancers-security-architecture/#:~:text=Load%20balancers%20offer%20an%20extra,the%20importance%20of%20load%20balancers.

How to prevent ddos attacks | methods and tools. Cloudflare. (n.d.-a). https://www.cloudflare.com/learning/ddos/how-to-prevent-ddos-attacks/

Network denial of service. Network Denial of Service, Technique T1498 – Enterprise | MITRE ATT&CK®. (n.d.). https://attack.mitre.org/techniques/T1498/

What is API rate limiting and how to implement it on your website. DataDome. (2020). https://datadome.co/bot-management-protection/what-is-api-rate-limiting/

What is hacktivism? meaning, types, and more. Fortinet. (n.d.-b). https://www.fortinet.com/resources/cyberglossary/what-is-hacktivism

What is load balancing? | how load balancers work. Cloudflare. (n.d.-b). https://www.cloudflare.com/learning/performance/what-is-load-balancing/

What is rate limiting? | rate limiting and bots . Cloudflare. (n.d.-c). https://www.cloudflare.com/learning/bots/what-is-rate-limiting/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analyst(s): Tim Kircher

I. Targeted Entities

This campaign does not target any specific industry and has been observed attacking a wide variety of individuals and organizations. However, the malware utilized by this campaign (njRAT) was found to have originated in the Middle East and is primarily used to target Arabic-speaking countries [1][7].

II. Introduction

Part of the Microsoft Azure official toolkit and used by developers to test apps and sync local testing environments securely over the internet, the ‘dev tunnels’ service has made a surprising appearance in a recent threat campaign leveraging a new variant of the popular njRAT Remote Access Trojan [9]. A blog post published on the SANS Internet Storm Center by security researcher Xavier Mertens (@xme) announced the discovery of the malware, highlighting its creative use of Microsoft’s dev tunnels for communication between infected devices and identified command-and-control (C2) servers [8].

Mertens says he spotted this strain of njRAT sending continuous status updates to C2 servers via dev tunnel URLs. A deeper analysis of captured samples revealed hardcoded server listening ports, the suspected botnet name, client version and capabilities of the malware [8].

JSON extraction of recent njRAT sample (Source: SANS Internet Storm Center)

Reconstructed code showing USB propagation ability (Source: SANS Internet Storm Center)

In his findings, he also discusses the ability of this malware to detect and propagate to external hard drives via USB. Shown in the code snippet below, if the ‘OK.usb’ variable is set to True, the malware will attempt to copy itself to any mounted USB devices [8].

Reconstructed code showing USB propagation ability (Source: SANS Internet Storm Center)

III. Background

First observed in 2012, njRAT has become one of the most widely accessible Remote Access Trojan (RATs) on the market. It features an abundance of educational information with many tutorials available online [1]. This, combined with its open-source nature, has ranked it among the most popular RATs in the world. According to ANY.RUN, a prominent online malware analysis service, the njRAT malware family currently holds the #2 spot for all time total submission count [3]. Though historically used for browser cookie and credential theft, njRAT boasts a wide range of capabilities including keylogging, webcam/screen recording, cryptocurrency theft and wallet enumeration, registry modifications, file uploads, and USB drive propagation [7].

The use of legitimate services to mask command and control communication and data exfiltration, often called ‘C2 tunneling’, is hardly a novel concept. Cloudflare Tunnel (cloudflared), ngrok, and the DNS protocol, have and continue to be exploited by bad actors to conceal this malicious network activity [6]. Interestingly, previous njRAT campaigns have also abused services like Pastebin for C2 tunneling, only this time, there is the added certificate authority trust inherited by routing traffic through Microsoft’s Azure infrastructure [5]. However, the use of dev tunnels for stealth data exfiltration has existed as a proof of concept as early as 2023, when the tool was first released alongside Visual Studio 2022 v17.6 [4][10].

The setup of dev tunnels for C2 redirection is a relatively straightforward process. The threat actor needs only a valid GitHub or Microsoft account and the free executable available on Windows, MacOS, and Linux [11]. With that, they would need to authenticate via the tool with one of the following commands:

After verification, a secure, persistent channel can be deployed by issuing the following:

With the dev tunnel active, all the attacker has to do is bind the channel to their C2 listener port on the same host machine [4]. Now, the control server and infected devices will direct all C2 traffic through a trusted proxy hosted within Microsoft’s Azure cloud infrastructure.

It is worth noting that regardless of the actual traffic direction or protocol being used, the tunnel always presents itself to the victim’s network as outbound TLS traffic. This means that even when an adversary is actively connecting inbound to a victim’s system, the connection appears in network logs and monitoring tools as a standard outbound HTTPS connection originating from the victim’s network [11].

V. MITRE ATT&CK

• S0385 – njRAT
  This campaign utilizes a variant of the njRAT Remote Access Trojan.

• TA0011 – Command and Control (C2)
  Following system infection, njRAT will contact a control server awaiting instructions from an attacker. It can be configured to choose from a list of attacker-owned servers.

• T1572 – Protocol Tunneling
  Using the Microsoft dev tunnel service, infected system outreach, data exfiltration, and malicious commands from the control server occur over disposable, encrypted channels, making it harder for traditional security systems to spot and implement effective preventions.

• T1547.001 – Registry Run Keys / Startup Folder
  On infected Windows systems, this variation of njRAT creates a registry value entry under the ‘Software\Microsoft\Windows\CurrentVersion\Run\’ key path. To achieve persistence across reboots, the malicious program references itself using this “run key”, executing each time a user logs in.

• T1082 – System Information Discovery
  The malware performs enumeration of the infected host. It checks the OS version, supported languages, hostname, registry GUID, and other information that is then sent to the control server [2].

• T1091 – Replication Through Removable Media
  njRAT will attempt to detect any removable drives connected to the system. If found, the malware will create a standalone copy of itself to that drive.

V. Indicators of Compromise (IOCs)

VII. Recommendations

Monitor DNS Traffic for Dev Tunnel URLs – Organizations not using dev tunnels should keep an eye on DNS logs for any unexpected dev tunnel URLs (typically ending in “.devtunnels.ms”) that may indicate potential C2 communication [5]. IDS/IPS rules should be applied to automatically alert or block this traffic.

Beware of USB Devices – This variant, as well as previous versions of njRAT, has the ability to detect and spread to external hard drives connected via USB. Users should exercise caution when interacting with unknown USB devices. For critical systems, it may also be advised to locally disable the use of external storage hardware.

Use EDR/Host-Based IDS – The malware’s use of dev tunnels can blend its traffic with normal activity, rendering network intrusion detection efforts less effective. Configuring endpoint protection solutions to detect and flag the use of Microsoft-signed binaries (e.g., devtunnel.exe) by anomalous parent processes or modifications to the auto-run registry can offer another layer of defense to address this gap [5].

Network Segmentation – Botnet malware like njRAT spreads primarily via ‘spray and pray’ orchestration, typically infecting internet-facing devices that lack proper security controls. IoT devices, poorly configured web servers, and routers with deprecated firmware make up a sizable portion of modern botnet infrastructure. If security patches or hardening cannot be applied to such systems, isolating them from the main home or enterprise network is imperative to prevent lateral movement to critical systems.

Stay Informed on the Latest TTPs – As threat actors become more innovative in their detection evasion and exfiltration techniques, security analysts must remain up to speed with the ongoing changes of an evolving threat landscape.

VIII. References

[1] ANY.RUN. (March 9, 2025). NJRAT. https://any.run/malware-trends/njrat

[2] ANY.RUN. (February 27, 2025). dsadasfjamsdf.exe Sandbox Analysis. https://app.any.run/tasks/c01ea110-ecbf-483a-8b0f-d777e255ad9c

[3] ANY.RUN. (March 9, 2025). Malware Trends Tracker. https://any.run/malware-trends/

[4] Au, C. (August 9, 2023). Microsoft Dev Tunnels as C2 Channel. https://www.netero1010-securitylab.com/red-team/microsoft-dev-tunnels-as-c2-channel

[5] Baran, G. (February 28, 2025). Njrat Attacking Users Abusing Microsoft Dev Tunnels for C2 Communications. https://cybersecuritynews.com/njrat-attacking-abusing-microsoft-dev/

[6] BlueteamOps. (Oct 23, 2023). Detecting ‘Dev Tunnels.’ https://detect.fyi/detecting-dev-tunnels-16f0994dc3e2

[7] Check Point. (August 15, 2023). What is NJRat Malware? https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/

[8] Mertens, X. (February 27, 2025). Njrat Campaign Using Microsoft Dev Tunnels. https://isc.sans.edu/diary/Njrat%20Campaign%20Using%20Microsoft%20Dev%20Tunnels/31724

[9] Microsoft. (November 17, 2023). What are dev tunnels? https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview

[10] Montemagno, J. (February 5, 2024) Dev Tunnels: A Game Changer for Mobile Developers. https://devblogs.microsoft.com/dotnet/dev-tunnels-a-game-changer-for-mobile-developers/

[11] Rossouw, F. (December 5, 2024). Malware of the Day – Tunneling Havoc C2 with Microsoft Dev Tunnels. https://www.activecountermeasures.com/malware-of-the-day-tunneling-havoc-c2-with-microsoft-dev-tunnels/

Threat Advisory created by The Cyber Florida Security Operations Center.

Contributing Security Analyst(s): Isaac Ward