TP-Link, Canva, HikVision vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a vulnerability in HikVision, as well as 10 in TP-Link, and 19 in Canva.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Canva Affinity vulnerabilities

Discovered by KPC of Cisco Talos.

Canva Affinity is a free-to-use tool for pixel and vector art manipulation used in graphic and document design.

Talos researchers found 19 vulnerabilities in Affinity. Eighteen of them are out-of-bounds read vulnerabilities in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit these vulnerabilities to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

The last vulnerability is TALOS-2025-2297 (CVE-2025-66342), a type confusion vulnerability in the EMF functionality of Canva Affinity. A specially crafted EMF file can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution.

TP-Link vulnerabilities

Discovered by Lilith >_> of Cisco Talos.

The TP-Link Archer AX53 is a dual-band gigabit Wi-Fi router. Talos researchers found 10 vulnerabilities in the router functionality.

TALOS-2025-2290 (CVE-2025-62673) is a stack-based buffer overflow vulnerability in the tdpServer ssh port update functionality of the TP-Link AX53. A specially crafted network packet can lead to a stack-based buffer overflow.

These eight vulnerabilities exist in the tmpServer opcode of the AX53:

A specially crafted set of network packets can be sent to trigger these vulnerabilities, which can lead to arbitrary code execution.

TALOS-2025-2291 (CVE-2025-62501) is a misconfiguration vulnerability in the SSH Hostkey functionality. A specially crafted man-in-the-middle attack can lead to a credential leak.

HikVision buffer overflow vulnerability

Discovered by a member of Cisco Talos.

HikVision creates AI-trained machine perception for use in security surveillance and other monitoring hardware, including Ultra Face Recognition Terminals for authentication.

Talos researchers found TALOS-2025-2281 (CVE-2025-66176), a stack-based buffer overflow vulnerability, in the SADP XML parsing functionality of Hangzhou Hikvision Digital Technology Co., Ltd. Ultra Face Recognition Terminal 3.7.60_250613 and Face Recognition Terminal for Turnstyle 3.7.0_240524 (under emulation). A specially crafted network packet can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability.

A puppet made me cry and all I got was this t-shirt

Welcome to this week’s edition of the Threat Source newsletter. 

Anyone who spoke with me in the last several weeks has had to deal with me loudly waiting in anticipation for the long-awaited “Project Hail Mary” movie adaptation. I read (and cried over) the book by Andy Weir, who’s also the author of “The Martian,” about a year ago and, shortly after, found out it was being made into a movie. 

(I know what you’re thinking: Two movie-themed editions in two weeks? It’s every cinephile’s dream!) 

Anyway, the story centers around a biologist and science teacher named Ryland Grace (Ryan Gosling), who wakes up from a coma on a spaceship lightyears away from Earth, his two crewmembers long dead. Our planet’s sun is slowly dimming, its energy being consumed by alien microbes called “astrophage” that are infecting all the stars in our stellar neighborhood — except one. Grace’s task is to figure out why this star is unaffected and send the solution back to Earth. It’s a one-way trip, and he’ll eventually die in space alone… or so he thinks. 

The movie met 99.9% of my expectations, which is rare for an adaptation. The humor was spot-on, the soundtrack was gorgeous, and the puppetry — yes, the puppetry (mild spoilers for Rocky, Grace’s new alien friend) — was out-of-this-world. 

While it is a story about space, it’s first and foremost about communication, trust, and collaboration — things we’re no strangers to at Talos, especially when creating the Year in Review report (which is available now). The entire process of creating this report, from raw data to final design, is only a little bit less monumental than stopping alien microbes from plunging the earth into an ice age.

The process begins with Talos’ Strategic Analysis team, who leverage the vast amount of Cisco’s telemetry, Talos research, and data from Talos Incident Response cases to analyze trends over the past year. This analysis is synthesized into a comprehensive report, which undergoes rigorous review and proofing at multiple levels. While the report is being drafted, the Strategic Comms team develops a detailed schedule of content and collateral to promote it both internally and externally, meeting weekly to track our progress. Once the text is finalized, it moves to our design team, who transform the data into a visually stunning, accessible format. Even after the report launches, the work continues: We produce videos, answer your questions on Reddit (today only!), record podcasts, create social media graphics, and collaborate across Cisco to ensure our findings reach the right people. 

We do this for the good of the community. Our report isn’t gated, and it never will be; you can read it right in your browser without filling out fake names and emails in annoying forms. Talos’ job is to keep as many people as safe as possible, and that means free access to critical information. Here’s a taste of our findings: 

  • React2Shell was the No. 1 most targeted CVE in 2025 despite only being discovered in December. ToolShell was No. 3 despite being released in June. 
  • About 25% of the vulnerabilities on our top 100 list affect widely used frameworks and libraries, highlighting the risk of supply chain-style attacks. 
  • Nearly a third of MFA spray attacks targeted identity and access management (IAM) applications. 
  • Attackers continued to rely heavily on phishing for initial access, observed in 40% of Talos IR cases. 35% of cases involved internal phishing. 
  • Qilin was the most seen ransomware variant in 2025, with over 40 victims each month except January. 

We also offer insights on AI and state-sponsored threats, so be sure to view the full report.

In “Project Hail Mary,” Grace and his alien friend, Rocky, realize that they can’t save their respective worlds alone. The Talos Year in Review is the result of a massive, cross-functional mission. It takes collaboration between all of Talos’ teams to turn complex, often daunting telemetry into actionable intelligence for the community. 

When we share knowledge, communicate clearly, and work together, the results are, to quote Rocky, “Amaze! Amaze! Amaze!” 

Stay tuned over the coming days and weeks as we break each section down into the most important 2025 Year in Review findings you need to know.

The one big thing 

One of the main themes from the 2025 Year in Review’s vulnerability data is that attackers are targeting identity by compromising the infrastructure that sits around it, including physical hardware devices, software, and management platforms. Network components act as de facto identity gateways, allowing adversaries to impersonate users, bypass MFA, and traverse networks undetected. Attackers overwhelmingly prefer high-access targets that require minimal exploitation steps and yield maximum operational payoff. 

Why do I care? 

Identity-centric network components act as control points for the entire environment, meaning their compromise can invalidate MFA, bypass segmentation, and grant immediate access to high-value resources. Network management platforms give adversaries direct access to privileged administrative functions, device credentials, and automation pipelines that touch hundreds of downstream systems. Compromising a single ADC or management platform can expose dozens of downstream systems, making these devices powerful force multipliers. 

So now what? 

Organizations should consider the impact on identity when prioritizing the patching of network devices. ADCs must be protected as identity control points, not merely performance appliances. Defenders should focus on these high-leverage vulnerability classes that enable identity compromise, policy manipulation, and infrastructure-wide escalation. Read the full Year in Review for more information.

Top security headlines of the week 

U.S. Department of Energy publishes five-year energy security plan 
The three goals are to develop ‘world-class’ security technologies, to harden the US energy infrastructure, and to establish emergency preparedness for response and recovery from incidents. (SecurityWeek)

Someone has publicly leaked an exploit kit that can hack millions of iPhones 
Researchers are warning that this will allow any hacker to easily use the tools to target iPhone users running older versions of Apple’s operating systems who have not yet updated to its latest iOS 26 software. (TechCrunch)

Checkmarx KICS code scanner targeted in widening supply chain hit 
Specifically, the cybercriminals infiltrated the KICS GitHub Action, which organizations use to run KICS scans within their CI/CD pipelines, and poisoned multiple versions of the software. (Dark Reading)

Attackers hide infostealer in copyright infringement notices 
Aimed at organizations in critical sectors, including healthcare, government, hospitality, and education, it attempts to install PureLog Stealer, a low-cost infostealer that is easy for threat actors to use. (Dark Reading)

Oracle releases emergency patch for critical identity manager vulnerability 
CVE-2026-21992 can be used without authentication for remote code execution, and it may have been exploited in the wild. (SecurityWeek)

Can’t get enough Talos? 

Today only: Ask us anything 
Talos and Splunk researchers are standing by on Reddit to answer your questions about the Year in Review, Top 50 Cybersecurity Threats report, or just about anything else you want to know. It’s halfway over, so post your questions now! 

Year in Review highlights 
In 2025, attackers moved fast, but they also played the long game. This short video highlights the biggest trends from the 2025 Talos Year in Review and what they reveal about where the threat landscape is headed. 

Gravy, glutes, and the Talos Year in Review 
Hazel, Bill, Joe, and Dave discuss the 2025 Year in Review, supported as always by the Turkey Lurkey Man. We also discuss the cyber activity tied to the situation in the Middle East. 

Cybersecurity’s double-header 
With the recent release of the Year in Review and Splunk’s Top 50 Cybersecurity Threats report, Amy, Bill, and Lou break down the most critical trends that shaped the security landscape last year. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 


Talos Takes: 2025 insights from Talos and Splunk

Talos Takes: 2025 insights from Talos and Splunk

In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a “double-header” discussion. With the recent release of the Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats report, we’re breaking down the most critical trends that shaped the security landscape last year — all based on Cisco telemetry, Talos’ original research, and Talos Incident Response engagements.

From the professionalization of ransomware-as-a-service to the persistent challenge of decade-old vulnerabilities, this episode moves beyond the headlines to provide a practical roadmap for defenders. You’ll get tips on how to prioritize your defenses and reduce your attack surface for the year ahead.

View the 2025 Year in Review today.

How scammers use legitimate surveys to link to malicious sites | Kaspersky official blog

Spammers are constantly seeking new ways to reach the widest audience possible while dodging email filters — all to ensure their “tempting” offers land in your inbox rather than the spam folder. To pull this off, bad actors are increasingly pivoting to legitimate platforms, dreaming up sophisticated ways to weaponize them for their own gain.

We’ve previously covered scam attacks using Google Forms, where fraudulent emails were sent directly from Google’s mail servers. In those cases, links were shielded by the reputable forms.gle domain, allowing them to breeze past spam filters. Now, a similar tactic has been implemented using Yandex Surveys. Here’s a look at how this new scam works, and how you can stay safe.

Everything looks fine at first glance…

Online survey tools are fairly common these days. Marketing professionals use them to gather feedback, HR departments use them for employee engagement, and researchers use them to study target audiences. But how are scammers getting in on the action?

They create a survey, embed links to fraudulent websites within the body, and blast out emails containing the survey link to their mailing lists. Standard anti-spam filters see URLs like yandex.com/poll/… as legitimate. Recipients often have the same reaction, reasonably assuming, “It’s a link to a well-known service — what could go wrong?”

Our experts have tracked a massive spike in these emails. In January, Kaspersky Premium blocked just over 2200 of these messages; by February, that number soared to over 32 000. We’re looking at aggressive scaling here — nearly a 15-fold increase in just one month.

A poll page created on Yandex Surveys featuring a message and fraudulent link

Here’s a survey page containing a scam message and link. The visible portion features a well-known crypto exchange logo and an active link to the attackers’ site. At the bottom, you’ll notice a couple of dots — more on these later.

Spammers distribute these survey links through their own channels, often hijacking website feedback forms that lack sender verification. The fact that the message originates from a legitimate network provides yet another green flag for anti-spam filters to let these emails slide right through.

A crypto scam email in English sent through a feedback form on a Greek website

The most popular themes for this type of spam currently involve crypto scams — promising users a windfall in digital currency — and links to sketchy dating sites.

How scammers exploit Yandex Surveys

To build a survey that doesn’t actually look like one, attackers take advantage of the platform’s extended survey mode.

Yandex Surveys allows users to swap out a simple question for a text block, which can include descriptions, images, or videos. This is exactly where scammers embed their pitch and the link to their phishing site. They use the built-in “Upload media” feature to add official-looking logos and other embellishments that sell the illusion.

To make sure the victim doesn’t see the “Next” button or the standard disclaimer — which warns that surveys are created by third parties and that Yandex isn’t responsible for the content — the scammers pad the space below the scam block with invisible characters. For instance, they might add dozens of lines of transparent emojis; you can’t see them, but they still take up screen real estate. Further down, past the point where most people would stop scrolling, they simply drop in punctuation marks, one per line.

Transparent emojis and punctuation marks used in the surveys

To understand how these surveys are built, we used a test survey to retrace the scammers’ steps. Transparent emojis are used to create dead space under the scam block, followed by punctuation marks further down, where few users are likely to scroll.

The result? The user sees nothing but the fraudulent offer and the link, while everything else is pushed off-screen. It’s the same technique we’ve seen used with Google Forms.

Beyond the benefit of using legitimate URLs, another perk for the scammers is that this method doesn’t cost them a dime. They aren’t paying the service for promotion, or using the built-in targeting tools; they simply blast the link to their own database. In this scenario, the service is essentially being used as good-reputation web page hosting.

To top it off, the scammers can jump into the “Statistics” section of the survey to track click-through rates in real-time and then export the data into a spreadsheet. This is basically a turnkey analytics suite.

Once a victim clicks the link in the survey and lands on the attackers’ website, they are greeted by a professional-looking site running a classic “prize giveaway” scheme.

How to avoid taking the bait:

  • Don’t blindly trust “reputable domain names”. Seeing yandex.com or forms.gle in the address bar is no longer a guarantee that the content is safe. Anyone can create a survey at those addresses.
  • Stay alert if you receive an unexpected email. Be especially wary if it promises a payout, a prize, or asks you to “confirm” something urgently. These are scammers’ tricks of choice.
  • Always scroll to the bottom of the page. If the content abruptly cuts off and you’re left with a wall of empty space, that should set off alarm bells. Check the footer — you’ll often find service disclaimers or other clues that prove you’re looking at a fraudulent survey.
  • Don’t click links in suspicious surveys. If you do happen to click through, never enter any personal or financial information on the resulting site.
  • Use a trusted security tool. Kaspersky Premium detects these fraudulent sites and blocks access before you have a chance to hand over your data or risk infecting your device through a zero-click vulnerability.

Finally, it’s worth noting that scammers didn’t actually hack Yandex Surveys; instead, they took a creative — albeit malicious — approach to repurposing the tool for their own ends. Since Yandex Surveys is scheduled to shut down on April 6, 2026, this specific scheme will soon hit a dead end. Still, scammers are constantly hunting for the next loophole to exploit. Your best defense remains a healthy dose of skepticism toward any unexpected email — even if the links point to a domain you know and trust.

Active Magecart Campaign Targets Spain, Steals Card Data via Hijacked eStores for Bank Fraud 

A large-scale magecart operation remained active for over 24 months, leveraging an infrastructure of 100+ domains. While the targeted victims are e-commerce websites, the actual pressure falls on banks and payment systems.

As ANY.RUN’s analysis shows, threat actors applied multi-step checkout hijacking, payment page mimicry, and WebSocket-based exfiltration of card data. 

This report provides both executive-level insights and technical analysis of the campaign. 

Key Takeaways 

  • The campaign demonstrates long-term persistence (24+ months) supported by highly resilient infrastructure. 
  • Banks (not merchants) bear the primary impact, as stolen card data leads to fraud losses and reputational risk. 
  • Payment system mimicry (notably Redsys) significantly increases attack success by embedding fraud into trusted user flows. 
  • Use of WebSocket exfiltration reduces visibility in traditional security monitoring tools. 
  • Multi-stage, dynamically delivered payloads allow attackers to adapt quickly and evade disruption. 
  • The campaign is global but regionally tailored, leveraging localized payment ecosystems to enhance credibility. 

Campaign Overview 

A large-scale magecart operation has been identified, active for at least 24 months and supported by over 100 domains. In observed cases, threat actors deployed a multi-stage checkout hijacking framework, incorporating: 

  • Payment step substitution  
  • WebSocket-based exfiltration of payment card data 
  • Payment page mimicry, including infrastructure-level impersonation of legitimate providers (notably Redsys)
  • Dynamic frontend adaptation of payment interfaces matching different storefronts and scenarios

A total of 17 WooCommerce websites were infected between February 2024 and April 2025 and are likely linked to this campaign, reflecting its longevity and operational stability. 

Industrial and Regional Context Behind Global Impact 

The geographic scope of the campaign is global. Among the victims are organizations from at least 12 countries, including the United Kingdom and Denmark. However, there’s a notable concentration of such incidents in Spain, France, and the United States.

Some cases are confirmed directly via telemetry and network traffic, while others are identified via infrastructural correlation. 

From an industry perspective, mostly retail e-commerce companies were targeted, although in some cases, non-commercial organizations have been affected, too. 

However, the primary pressure here falls on banks, as cardholders faced financial exposure and their trust in payment systems suffered. 

Why Redsys and Spanish Payment Context Stand Out 

Despite the global impact, the ties to Spain and its payment ecosystem in particular are obvious in this magecart campaign.  

Mimicry of Redsys, a payment system used in Spain, lies at the foundation of the attacks. The campaign infrastructure features domains and visual artifacts designed to fit the Spanish payment context. In some cases, user payment flows included the legitimate Redsys domain sis.redsys.es for added credibility.

This approach made the campaign’s malicious activity convincing within the Spanish payment context.

What Makes This Campaign Durable 

Payment Mimicry  

A significant portion of the infrastructure is registered via NICENIC INTERNATIONAL GROUP and disguised as legitimate web services, including analytics platforms, CDN resources, jQuery libraries, and payment services. If you access them directly, they’ll act as technical placeholders or will simulate legitimate redirects. This complicates attribution.

Multi-Stage Delivery Architecture 

The injected JavaScript contains only a minor loader that connects to external infrastructure, receives configuration data, and loads the next stage. The loader uses a fallback mechanism: it iterates through backup domains until a valid response is received. This allows the campaign to go on even if some components of the infrastructure get blocked.

Dynamic Payload Delivery 

The next stage isn’t openly stored inside an infected file. It’s delivered dynamically via a staging response. Thanks to this, the operators can modify delivery domains, payload paths, and control infrastructure without infecting the website again.

Different domains do not necessarily serve different campaigns. Instead, they have different roles: staging responses, payload delivery, or WebSocket/C2 and command handlers.

Other Factors 

  • State persistence in localStorage 
  • Masquerading as legitimate external dependencies  
  • WebSocket usage as a channel for control and exfiltration 

As a result, the compromised website becomes only an initial access point. Subsequent payload delivery and data exfiltration can be flexibly modified inside the external infrastructure. 

Technical analysis 

Initial Loader Delivery and Execution 

Following the compromise of a website, attackers modify one of the site’s embedded JavaScript files with a small, obfuscated loader. It doesn’t feature the main card-stealing logic but acts as an initial delivery tool. It executes in the victim’s browser and receives parameters for the next stage from external infrastructure.

Injected JavaScript

Next, the obfuscated part of the loader refers to one of the pre-determined domains from the fallback infrastructure list. It returns a JSON configuration featuring the next stage’s address, WebSocket/C2 server address, and an extra HTTP handler for auxiliary communication. 

Domain examples 

These values are delivered as encoded arrays of numeric character codes, which are then decoded in the victim’s browser.

An example of JSON configuration. ANY.RUN Interactive Sandbox 

If no response is received or the JSON is invalid, the loader automatically switches to the next domain from the list. This mechanism ensures continued operation even in the presence of partial infrastructure disruption or blocking.

Stage 1: Malicious Payload Delivery and Execution 

After receiving a valid staging response, the loader takes the URL of the next JavaScript and dynamically adds it to the DOM via a new <script src=…> element. 

Code fragment responsible for the execution of the malicious activity 

At this point, the primary malicious payload is loaded into the page. Notably, this payload may be delivered from different domains, such as: 

jquerybootstrap[.]com 

newassetspro[.]com 

assetsbundle[.]com 

bundlefeedback[.]com 

and others. 

In any case, the delivery stage is the same. The operators rotate payload sources to increase the infrastructure’s durability. 

Stage 2: Payment Step Activation 

After loading, the main payload begins executing within the context of the store’s webpage and waits for the checkout/payment DOM to appear. 

At this stage, it: 

  • monitors the opening of the payment step; 
  • interacts with checkout elements; 
  • replaces or overlays the legitimate payment interface; 
  • injects its own elements, including iframes and custom buttons; 
  • hides the real payment confirmation elements. 

Once checkout is loaded, payment hijacking begins. 

Observed Code Patterns Indicative of Payment Hijacking 

  • Delayed activation ensures the user follows through until they reach the required payment step.
  • Attackers conceal the legitimate payment button and replace it with a fake one.
  • The script not only runs in the background but fully overlays/replaces the interface.
  • The form isn’t static but controlled and manageable.

In some cases, the mimicry is built around a payment scenario that is visually and logically close to a legitimate PSP flow. In cases related to Spain, Redsys mimicry is especially notable, but the payment mimicry overall can adapt to storefronts, countries, and local PSPs.

Script Deobfuscation 

The core payload waits for the checkout form to appear and is responsible for receiving, validating, and sending payment data from the fake payment form.

Notable Code Features Inside the Script 

The payload adapts to user environments with frontend localization capabilities and supports multiple languages: English, Spanish, Arabic, French.   

There’s a state machine with the following states: init, return, confirm, alert, getData, allowing for controlled progression through the attack lifecycle. 

Code for handling WebSocket connections to the C2 server for the control of the attack flow. Part 1

Code for handling WebSocket connections to the C2 server. Part 2

An example of the final result of the mimicry can be seen below:

Base64-encoded HTML page responsible for displaying a fake payment interface
PayPlug SAS payment window imitation

There’s a heavily obfuscated JavaScript inside the HTML page. It uses the following techniques to avoid detection:

  • Anti-tampering: code integrity is verified via function serialization, as well as bitwise and arithmetic operations.
  • Virtualization: custom VM opcodes, symbolic execution, and code strings executed via eval calls.

Code fragment confirming anti-tampering
A fragment of the raw load
VM’s opcode description fragment

The strings that are stored in an obfuscated form are decrypted using the VM: 

Raw obfuscated strings  
Deobfuscated strings  

The payload is responsible for the formatting and validation of Visa/Mastercard payment data entered into the fake form, as well as UI state modification and event or data delivery via the postMessage method:

PostMessage method for data delivery 

Stage 3: Connecting to Control Infrastructure 

After activation, the malicious payload establishes a connection to the control infrastructure, e.g., via WebSocket. 

WebSocket exfiltration code 

This channel is used for: 

  • transmitting service events; 
  • sending BIN (Bank Identification Number) data; 
  • transmitting full payment card details; 
  • receiving additional commands to control the replaced payment flow. 

In one of the analyzed cases, WebSocket was used as the primary channel for card data exfiltration, while the C2 server was disguised as a Redsys domain (redsysgate[.]com). 

During the skimmer’s operation, it retrieves malicious JavaScripts from URLs of the following form:
hxxps://<c2_domain>/<base64_text>.js?_=<digits> 

Then, WebSocket connections are used for control and data transmission at: 
wss://<c2_domain>/?token=<base64_data> 

When the user enters their data, an event is sent containing the exfiltrated information. In response, the server provides instructions on what to do next and what content to display, such as the logo of the payment system associated with the entered card (Visa/MasterCard). 

Card data (random numbers used as an example) in a code fragment

This is key to understanding the campaign: attackers are not simply stealing card data; they embed exfiltration into a seemingly legitimate payment context.
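As an added example (not ANY.RUN’s code), the following Python script shows how a SOC could decode the numeric character-code arrays from the staging response described earlier and flag both URL shapes above in a network log when the destination host is not on the storefront’s allowlist. The log lines, host names (reserved .test domains) and allowlist are constructed for the example.

```python
"""Detection helpers for the skimmer traffic pattern: <base64>.js?_=<digits> payload
fetches and wss://<host>/?token=<base64> channels from checkout pages.
Added example, not ANY.RUN's code; all hosts and log lines below are constructed."""
import re
from urllib.parse import urlparse

# Constructed sample of a web-proxy / browser-network log: "<kind> <url> <page-referer>".
SAMPLE_LOG = """\
GET https://cdn.example-shop.test/js/checkout.js https://shop.example.test/checkout
GET https://assets.placeholder-c2.test/aGVsbG8gd29ybGQxMjM0NTY3OA==.js?_=1712345678 https://shop.example.test/checkout
WS wss://chat.example-shop.test/socket https://shop.example.test/checkout
WS wss://gate.placeholder-c2.test/?token=dXNlcj1hYmMmc2Vzc2lvbj0xMjM0NTY3OA== https://shop.example.test/checkout
"""

# Hosts the storefront legitimately talks to (assumption: maintained by the merchant/SOC).
ALLOWLIST = {"cdn.example-shop.test", "shop.example.test", "chat.example-shop.test"}

B64_SEGMENT = r"[A-Za-z0-9+/=_-]{16,}"          # standard or URL-safe base64, 16+ chars
STAGE_PATH_RE = re.compile(rf"^/{B64_SEGMENT}\.js$")  # /<base64_text>.js
CACHE_BUSTER_RE = re.compile(r"^\d+$")          # ?_=<digits>
TOKEN_RE = re.compile(rf"^{B64_SEGMENT}$")      # ?token=<base64_data>


def decode_charcode_array(codes):
    """Turn a staging response's array of numeric character codes back into text."""
    return "".join(chr(int(c)) for c in codes)


def _single_param(query, name):
    """Return the value when the query string is exactly '<name>=<value>', else None.
    Deliberately avoids parse_qs so '+' and '=' inside base64 are not mangled."""
    key, sep, value = query.partition("=")
    return value if (sep and key == name and "&" not in value) else None


def is_staging_script_url(url):
    """True when the URL has the <base64>.js?_=<digits> shape of the payload fetch."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not STAGE_PATH_RE.match(p.path):
        return False
    value = _single_param(p.query, "_")
    return value is not None and bool(CACHE_BUSTER_RE.match(value))


def is_token_websocket_url(url):
    """True when the URL is a ws(s):// root endpoint carrying only a base64-looking token."""
    p = urlparse(url)
    if p.scheme not in ("ws", "wss") or p.path not in ("", "/"):
        return False
    value = _single_param(p.query, "token")
    return value is not None and bool(TOKEN_RE.match(value))


def scan_log(log_text, allowlist=ALLOWLIST):
    """Return (kind, host, reason) findings for requests made from a checkout page
    to a host outside the allowlist that match either skimmer pattern."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # malformed line, skip rather than crash
        kind, url, referer = parts
        host = urlparse(url).hostname or ""
        if host in allowlist or "checkout" not in urlparse(referer).path:
            continue
        if kind == "GET" and is_staging_script_url(url):
            findings.append((kind, host, "stage payload fetch <base64>.js?_=<digits>"))
        elif kind == "WS" and is_token_websocket_url(url):
            findings.append((kind, host, "websocket exfil/C2 channel ?token=<base64>"))
    return findings


if __name__ == "__main__":
    print(decode_charcode_array([119, 115, 115, 58, 47, 47]))   # a decoded "wss://" prefix
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```

The allowlist check matters more than the regexes: a legitimate CDN can also serve cache-busted scripts, so the signal is the combination of the URL shape, a checkout referer and an unknown host.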

Stage 4: Interception and Transmission of Payment Data 

When a user enters their card details into the spoofed payment interface, the payload transmits them to the attackers’ external infrastructure. 

The following data was being transmitted in network traffic: 

  • BIN 
  • full card number 
  • expiration date 
  • CVV 

The transmission does not occur via a standard form POST request, but instead through a separate WebSocket channel, making detection via conventional HTTP logs more difficult. 

Importantly, within the same cluster, the visual scenario of the attack may vary. In some cases, Redsys-themed mimicry is observed; in others, PayPlug-like or generic card form scenarios are used. 

This does not necessarily indicate different campaigns: within a single malware family, the same loader, staging infrastructure, and exfiltration mechanism may be reused while applying different front-end disguises. 

Additional Vector: Distribution of Android APK via the Same Inject 

In addition to manipulating the payment step and stealing card data, the same malicious payload was also used as a platform to push the installation of an Android application in APK format. 

The script checked the user’s environment and, if certain conditions were met, displayed a separate mobile scenario offering the user to download an app. This included promises of discounts or bonuses, along with instructions on how to enable installation from “Unknown Sources.” 


Based on the contents of the payloads, this scenario was localized into several languages, including English, Spanish, Arabic, and French. This indicates that the campaign targeted a broad international audience and relied on prepared, rather than ad hoc, infrastructure. 

Code fragment for Android-specific flow 

Conclusion 

This magecart campaign reflects a shift from opportunistic skimming toward structured, infrastructure-driven payment attacks. By combining checkout hijacking, high-fidelity payment mimicry, and real-time exfiltration, attackers embed malicious activity directly into legitimate transaction flows. This not only increases effectiveness but also complicates detection and response. 

Deep visibility into active attacks and continuous threat monitoring are required for efficient detection and prevention of such breaches.

About ANY.RUN 

ANY.RUN delivers interactive malware analysis and actionable threat intelligence, enabling security teams to investigate threats more efficiently, gain clearer visibility into attacker behavior, and respond with greater confidence. 

We focus on: 

  • Enabling SOC and MSSP teams to accelerate analysis, improve investigative context, and detect emerging threats at early stages 

Analysis and Investigation Data 

Link to TI Lookup query 

Browse TI Lookup for related threats 

Links to sandbox analyses 

Case 1: Confirmed checkout hijacking and WebSocket exfiltration of BIN, PAN, expiry date, and CVV. 

View analysis 

Case 2: The same loader cluster and staging infrastructure but without confirmed card exfiltration (possibly due to redirection to a legitimate external payment flow) 

View analysis 
Case 3: Confirmed use of the same loader cluster and staging infrastructure. 

View analysis 

Indicators of Compromise (IOCs)

Payload URL: hxxps[:]//<c2_domain>/<base64_text>.js?_=<digits>  

C2 WebSocket URL: wss[:]//<c2_domain>/?token=<base64_data>  

bundle-feedback[.]com  

doubleclickcache[.]com  

analyticsgctm[.]com  

hotjarcdn[.]com  

firefoxcaptcha[.]com  

solutionjquery[.]com  

jquerybootstrap[.]com 

assetsbundle[.]com 

bundle-referrer[.]com 

categorywishlist[.]com 

cachesecure[.]com  

securedata-ns[.]com  

analysiscache[.]com  

newassetspro[.]com  

explorerpros[.]com  

redsysgate[.]com 

The post Active Magecart Campaign Targets Spain, Steals Card Data via Hijacked eStores for Bank Fraud  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

ANY.RUN Recognized for Innovations and Market Leadership at Global InfoSec Awards 2026  

ANY.RUN has been recognized at Global InfoSec Awards 2026 by Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine.

We’re especially proud and grateful that our impact for the industry has been acknowledged in two categories at once: 

  • Innovative Malware Analysis for Sandbox 
  • Market Leader Threat Intelligence  

This dual recognition reflects the approach to cybersecurity we prioritize: supporting the full SOC workflow by combining advanced malware and phishing analysis with integrated threat intelligence. 

What Made This Possible 

As highlighted by the award founders at CDM, ANY.RUN matched the values they looked for in participants:  

“ANY.RUN embodies three major features we judges look for to become winners: understanding tomorrow’s threats, today, providing a cost-effective solution and innovating in unexpected ways that can help mitigate cyber risk and get one step ahead of the next breach.”

Gary S. Miliefsky, Publisher of Cyber Defense Magazine. 

ANY.RUN’s CCO received the award at the Global InfoSec Awards 

We believe that ANY.RUN’s repeated presence high in industry rankings reflects its ability to address operational challenges across the investigation cycle. Our solutions support enterprise security teams as they successfully: 

  • Unify SOC Workflow: ANY.RUN offers a single ecosystem that streamlines monitoring, triage, and incident response without tool switching. 
  • Accelerate Decision-Making: Interactive malware analysis combined with contextual threat intelligence delivers immediate insights, no external double-checking needed. 
  • Scale Operations for SOCs and MSSPs: Standardized workflows and integrated intelligence empower teams of any size. 



Community Trust in Numbers 

ANY.RUN is used by SOC teams at companies and organizations worldwide 

ANY.RUN is used broadly by organizations with high security requirements, including the world’s largest enterprises: 

  • We support 15,000+ SOCs and 600,000+ analysts in accelerating investigations, reducing risk, and improving operational outcomes across industries. 
  • 74% of Fortune 100 companies rely on ANY.RUN for malware analysis and threat investigation workflows.   

We’re deeply thankful to our customers, partners, and community for their continued trust. We appreciate every contribution and piece of feedback and use them to maintain the high standards we set for our solutions. 



More on Global InfoSec Awards 2026  

Global InfoSec Awards 2026 is organized by Cyber Defense Magazine, a premier source of cyber security news and information for InfoSec professionals in business and government. 

With a mission to share cutting-edge knowledge, real-world stories and awards on the best ideas, products, and services in the information technology industry, they deliver monthly magazines, as well as special editions for the RSAC Conferences.    

The award’s judges are CISSP, FMDHS, and CEH certified security professionals who voted based on their independent review of the materials each company submitted on the awards website, including but not limited to data sheets, white papers, product literature, and other market variables. 

About ANY.RUN 

ANY.RUN provides interactive malware analysis and actionable threat intelligence that enable security teams worldwide to investigate threats faster, understand attacker behavior more clearly, and respond with greater confidence. 

We prioritize: 

  • Constantly improving Interactive Sandbox, Threat Intelligence Lookup, and Threat Intelligence Feeds for support across monitoring, triage, and response SOC processes. 
  • Helping SOC and MSSP teams accelerate analysis, gain deeper context during investigations, and identify emerging threats earlier. 

The post ANY.RUN Recognized for Innovations and Market Leadership at Global InfoSec Awards 2026   appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Virtual machines, virtually everywhere – and with real security gaps

Cloud VMs offer unmatched speed, scale and flexibility – all of which could eventually count for little if they’re left to fend for themselves

WeLiveSecurity – ​Read More

Trojanization of Trivy, Checkmarx, and LiteLLM solutions | Kaspersky official blog

Millions of automated software development pipelines rely on security tools such as Trivy and Checkmarx AST integrated into the build process. It was precisely these trusted solutions that recently became the entry point for one of the largest and most dangerous supply chain attacks in modern history. In this post we discuss how to audit automated workflows and secure corporate cloud infrastructure.

Timeline of the attack and known consequences

On March 19, a successful targeted supply chain attack was carried out via Trivy, an open-source vulnerability scanning tool widely used in CI/CD pipelines. The attackers, a group known as TeamPCP, managed to inject malware into official GitHub Actions workflows and Docker images associated with Trivy. As a result, every scan run by an affected automated pipeline executed malware that stole SSH keys, cloud access tokens, cryptocurrency wallets, and other valuable data from the compromised systems. Given the critical nature of the incident, it was assigned the identifier CVE-2026-33634 with a near-maximum CVSS 4.0 base score of 9.4.

Later that same day, the Trivy team detected the attack and removed malicious artifacts from the distribution channels, halting this phase of the attack. However, the attackers had already gained access to the environments of many Trivy users.

On March 23, a similar incident was discovered in another application security tool: the GitHub Action for Checkmarx KICS, as well as Checkmarx AST. Three hours later, the malicious code was removed from there as well. TeamPCP also managed to compromise OpenVSX extensions maintained by Checkmarx: cx-dev-assist 1.7.0 and ast-results. Reports on when this part of the incident was resolved vary.

On March 24, a popular project that uses Trivy for code scanning, the LiteLLM AI gateway, a universal library for access to various LLM providers, was attacked. Versions 1.82.7 and 1.82.8, uploaded to the PyPI repository, were compromised. These versions were publicly available for about 5 hours.

But the fact that the attack lasted only a few hours is no reason to dismiss it. Given the popularity of the affected projects, the malicious code could have been executed thousands of times, including within the infrastructures of very large companies.

This allowed attackers to deploy persistent backdoors in Kubernetes clusters, as well as launch the self-replicating CanisterWorm worm across the JavaScript npm ecosystem.

The attackers’ code has destructive capabilities that wipe out a Kubernetes cluster and all its nodes if it detects Farsi as the primary language or the Tehran time zone on the compromised system. In other regions, the malware simply steals data using CanisterWorm.

According to experts, more than 20,000 repositories are considered potentially vulnerable. The attackers claim to have stolen hundreds of gigabytes of data and more than 500,000 accounts.

How Trivy Was Attacked

To compromise Trivy, the attackers used credentials stolen in a previous incident. The previous Trivy compromise, which occurred in late February, was likely not fully contained, and the attackers, the TeamPCP group, returned with a new attack. Trivy’s developers, Aqua Security, speculate that because credentials were being phased out gradually following the previous incident, the attackers were able to generate new access tokens for themselves before the old, compromised ones had been revoked.

As a result, TeamPCP was able to compromise GitHub Actions used in CI/CD pipelines. Using credentials with tag-writing privileges, the attackers forcibly overrode 76 out of 77 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy, redirecting existing trusted versions to malicious commits. This resembles tactics observed in the Shai-Hulud 2.0 campaign.  As a result, workflows throughout the pipeline began executing the attackers’ code, while the release metadata showed no visible changes.

At the same time, the attackers published an infected Trivy binary (v0.69.4) to official distribution channels, including GitHub Releases and container registries.

LiteLLM Compromise

The compromise of the popular language model access tool LiteLLM could itself trigger a major wave of attacks across the chain of projects that use it. The attack took place on March 24, 2026, when TeamPCP directly published malicious versions of the library (1.82.7 and 1.82.8) on PyPI. Between 10:39 UTC and 16:00 UTC, these compromised packages contained credential-stealing malware. It was embedded in the proxy_server.py file, and version 1.82.8 also contained a malicious litellm_init file. The stolen data was exfiltrated to the server models.litellm[.]cloud.

Customers using LiteLLM Cloud or the official LiteLLM Proxy Docker image were not affected due to strict version locking, whereas developers and downstream projects that installed unpinned versions via pip during the specified time window were compromised.

Within 3 hours, the malicious packages were removed from the PyPI repository, and the LiteLLM team suspended new releases, rotated credentials, and engaged an external incident response process. Teams that use LiteLLM in their projects are advised to immediately check for the litellm_init.pth compromise indicator and to rotate all potentially compromised secrets.
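An added example, not code from the LiteLLM project or the Kaspersky post: a Python check that looks for the litellm_init.pth indicator and for the two malicious versions without importing the package. The demo site-packages directories it builds are constructed stand-ins; the one-line content written to the placeholder .pth file is an assumption used only to show why .pth files matter, not the real file's content.

```python
import re
import tempfile
from pathlib import Path

# Malicious LiteLLM releases named in the post, and the file the post gives as indicator.
COMPROMISED_LITELLM = {"1.82.7", "1.82.8"}
INDICATOR_FILE = "litellm_init.pth"
# PEP 376 metadata directory name: litellm-<version>.dist-info
DIST_INFO = re.compile(r"^litellm-(?P<ver>[0-9][^-]*)\.dist-info$")


def find_indicator_files(site_dirs):
    """Top-level .pth files in a site directory are read by the site module on every
    interpreter start, and any line beginning with 'import' is executed. A stray
    litellm_init.pth is therefore a persistence hook, not just a path entry."""
    hits = []
    for d in site_dirs:
        p = Path(d) / INDICATOR_FILE
        if p.is_file():
            hits.append(p)
    return hits


def pth_executes_code(path):
    """True if the .pth contains an 'import ...' line (code run at interpreter start)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return any(line.lstrip().startswith("import") for line in fh)


def installed_litellm_versions(site_dirs):
    """Read versions from litellm-<ver>.dist-info directory names. No import of litellm:
    importing a suspect package is exactly what must not happen during triage."""
    versions = set()
    for d in site_dirs:
        for entry in Path(d).iterdir():
            m = DIST_INFO.match(entry.name)
            if m and entry.is_dir():
                versions.add(m.group("ver"))
    return versions


def assess(site_dirs):
    """Combine both checks into one verdict for a list of site-packages directories."""
    indicators = find_indicator_files(site_dirs)
    versions = installed_litellm_versions(site_dirs)
    bad = versions & COMPROMISED_LITELLM
    return {
        "indicator_files": [str(p) for p in indicators],
        "executable_pth": [str(p) for p in indicators if pth_executes_code(p)],
        "installed_versions": sorted(versions),
        "compromised_versions": sorted(bad),
        "suspect": bool(indicators or bad),
    }


def live_site_dirs():
    """Directories the running interpreter actually scans for .pth files."""
    import site
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    return [d for d in dirs if Path(d).is_dir()]


def build_demo_site_packages(root, version, with_indicator):
    """Constructed stand-in for a site-packages directory (not a real infected install)."""
    root = Path(root)
    (root / f"litellm-{version}.dist-info").mkdir(parents=True)
    if with_indicator:
        # Placeholder content: the kind of one-line import hook .pth files allow.
        (root / INDICATOR_FILE).write_text("import litellm_init\n")
    return root


def demo():
    """Build one infected-looking and one clean constructed directory and assess both."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = build_demo_site_packages(Path(tmp) / "bad", "1.82.8", True)
        clean = build_demo_site_packages(Path(tmp) / "ok", "1.82.5", False)
        return assess([infected]), assess([clean])


if __name__ == "__main__":
    bad, ok = demo()
    print("demo infected:", bad)
    print("demo clean:   ", ok)
    print("this interpreter:", assess(live_site_dirs()))
```

Run it against live_site_dirs() on every build runner and developer machine that resolved litellm during the window. A .pth file is processed on every interpreter start, so finding one is a reason to treat the host as compromised and rotate its secrets, not merely to uninstall the package.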

Features of the TeamPCP Cloud Stealer malware

Attackers added new logic to GitHub Actions and the Trivy executable while preserving the original functionality. Vulnerability scan results via Trivy appeared normal, but at the same time, valuable data was being searched for and extracted. Malicious code was:

  • performing reconnaissance (collected network data and environment variables);
  • searching for tokens and credentials to access AWS and GCP cloud environments;
  • scanning memory (/proc/*/mem) to extract secrets stored in the memory of Runner.Worker and Runner.Listener processes;
  • extracting Kubernetes secrets (/run/secrets/kubernetes.io/serviceaccount);
  • collecting data for connecting to database servers (MySQL, PostgreSQL, MongoDB, Redis, Vault);
  • collecting any other API keys and secrets from environment files and CI/CD configuration files (.env, .json, .yml);
  • searching for webhooks for Slack and Discord channels;
  • searching for data related to crypto wallets (variables related to the Solana blockchain, as well as rpcuser and rpcpassword data).

The collected data was encrypted and uploaded to a server whose name mimics that of Trivy’s developer, Aqua Security (scan.aquasecurtiy[.]org). As a backup mechanism, the attackers provided for uploading data to a repository named docs-tpcp.

The attacks on Checkmarx and LiteLLM used a similar tactic with other typosquatting domains: models.litellm[.]cloud and checkmarx[.]zone.

Response and Defense Strategies for CVE-2026-33634

Existing signature-based checks and dependency scanning in public registries are no longer sufficient, as the malicious code was injected directly into trusted, signed actions and evaded detection until behavioral monitoring was applied. CI/CD pipelines have become the “new perimeter” of security.

Immediate Actions.  Ensure that all workflows use secure versions (Trivy binary 0.69.3, trivy-action 0.35.0, setup-trivy 0.2.6).

CI/CD pipeline administrators and security teams should immediately review their dependencies on Checkmarx (kics-github-action, ast-github-action) and Trivy (setup-trivy and trivy-action) solutions. If workflows referenced a version tag rather than a specific commit SHA, carefully review your workflow execution logs for the duration of the active supply chain attack.

You should also check your network logs for traffic to the domains scan.aquasecurtiy[.]org, checkmarx[.]zone, and models.litellm[.]cloud. The presence of such traffic indicates that sensitive data has been successfully exfiltrated.

If a repository named docs-tpcp has appeared on organization’s GitHub, this may also indicate a successful data breach.

In any case, proactive threat hunting should be conducted, assuming that the systems have been successfully compromised and that the attackers have rapidly advanced within the affected systems.

It is recommended to restore the affected environments from verified backups.

Dependency pinning and secret management. Ensure that exact dependency versions are pinned using cryptographic hashes in all pipelines and Dockerfiles. We advise transition from long-lived tokens to short-lived credentials by using a secrets manager tool and implementing OIDC integrations where they are supported. Minimize the injection of secrets into the runtime environment — do so only when it is absolutely necessary. Ensure that secrets are not stored on disk or in temporary files, and are not reused across different processes.
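The tag-versus-SHA check from the review step above and the pinning recommendation just given, as an added Python example that is not the Kaspersky post's own tooling. It reads workflow files with a regex rather than a YAML parser so it runs with no extra dependencies; the sample workflow and the SHA on its setup-trivy line are constructed placeholders, and the watchlist is simply the four actions the post names.

```python
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# A `uses:` step line; the reference runs to the next whitespace, quote, or comment.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?(?P<ref>[^'"\s#]+)""")

# Actions the post names as compromised in this campaign (tag force-moves on the
# aquasecurity actions; malicious releases of the Checkmarx ones). Compared in
# lower case because GitHub treats owner/repo names case-insensitively.
WATCHLIST = {
    "aquasecurity/trivy-action",
    "aquasecurity/setup-trivy",
    "checkmarx/kics-github-action",
    "checkmarx/ast-github-action",
}


def parse_uses(ref):
    """Split 'owner/repo[/subpath]@version' into ('owner/repo', version).
    Local composite actions ('./...') and docker:// images carry no tag to pin: version is None."""
    if ref.startswith("./") or ref.startswith("docker://") or "@" not in ref:
        return ref, None
    action, _, version = ref.rpartition("@")
    owner_repo = "/".join(action.split("/")[:2]).lower()
    return owner_repo, version


def audit_workflow(text):
    """Return (line_no, action, version, finding) for each remote action not pinned to a
    full commit SHA. A moved tag (the Trivy technique) changes what runs without
    changing this line; a commit SHA cannot be moved."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        action, version = parse_uses(m.group("ref"))
        if version is None or SHA40.match(version):
            continue
        kind = "unpinned-watchlist-action" if action in WATCHLIST else "unpinned"
        findings.append((lineno, action, version, kind))
    return findings


# Constructed workflow (not from the post); the SHA on the setup-trivy line is a placeholder.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: Checkmarx/kics-github-action@v2.1.0
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for lineno, action, version, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{version} [{kind}]")
```

Anything reported as unpinned-watchlist-action ran whatever commit the tag pointed to during the incident window, so its run logs need the review described above. For everything else, replacing the tag with the commit SHA it currently resolves to (keeping the version as a trailing comment) closes the tag-moving vector for the future; branch names and short SHAs count as unpinned here on purpose.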

Other security measures. Allow only GitHub Actions from a list approved by the organization; block new and unverified processes. Configure GITHUB_TOKEN and other access keys in accordance with the principle of least privilege. Do not grant write permissions unless absolutely necessary.

To enhance the security of GitHub Actions, there are several open-source tools available:

  • zizmor — a tool for static analysis and detection of configuration errors in GitHub Actions;
  • gato and Gato-X — two versions of a tool that helps identify structurally vulnerable pipelines;
  • allstar — a GitHub application developed by OpenSSF to configure and enforce security policies in GitHub organizations and repositories.

 

If you want to learn more about supply chain attacks, we invite you to look at our analytical report Supply chain reaction: securing the global digital ecosystem in an age of interdependence. It’s based on insights from technical experts and reveals how often organizations face supply chain and trusted relationship risks, where protection gaps remain, and what strategies to employ to improve resilience against this kind of threats.

Kaspersky official blog – ​Read More

Canada-Based Organization Health Shared Services Accelerates SOC Investigations with ANY.RUN 

ANY.RUN spoke with the Interim CISO and Director of Cyber Operations at Health Shared Services, who provided insights into how their team addressed alert fatigue, improved MTTD and MTTR, and strengthened their investigation workflow with ANY.RUN. 

In this new addition to our success story series, we explore how the healthcare organization’s SOC team improved detection, triage, and response efficiency while maintaining the existing operational processes. 

Organization Overview 

Health Shared Services is a healthcare support organization based in Alberta, Canada.  Its SOC team consists of 16 analysts with approximately 130,000 endpoints and 160,000 employees to secure. 

Key Challenge: Limited Threat Visibility During Investigations 

For SOCs supporting large organizations, it is critical to recognize when it is time to scale in order to keep pace with growing infrastructure and the current threat landscape.  

At Health Shared Services, the security team eventually traced several operational issues back to a single underlying limitation: their previous solution did not provide enough visibility into what suspicious files and URLs actually did after execution. 

Analysts often lacked the behavioral context needed to quickly understand whether a threat was real and how it could impact their environment. 

“Missing critical pieces of information for executed samples reduced our time to investigate, which was frustrating and preventable.” 

Without detailed behavioral insights, the team faced several consequences: 

  • Extended incident resolution time: Limited threat context, e.g., lack of logs and information on executed payloads in their previous solutions, increased MTTR, leaving the infrastructure more exposed to potential threats. 
  • Limited time for proper investigation: Missing critical pieces of information on analyzed samples also led to rushed decisions, leaving little room for deeper insights. 
  • Team morale challenges: Visibility gaps that could have been addressed with a more context-rich solution led to frustration and fatigue among SOC team members. 

That’s why when Health Shared Services’ previous security solution expired, the team’s leader took the opportunity to reassess their approach and look for a solution that could support their work better. 

Why Health Shared Services Chose ANY.RUN 

When searching for a new security solution, the organization’s Interim CISO considered several key factors: 

  • Community reputation 
  • Cost efficiency 
  • Investigative capabilities 

According to the security leader, ANY.RUN’s Interactive Sandbox stood out in each of these areas. 

The solution is acknowledged and frequently recommended among cybersecurity experts, remains a reasonably priced option for enterprise teams, and provides unique capabilities not commonly offered by other solutions. 



Decision-makers at the healthcare organization also viewed ANY.RUN’s sandbox not merely as a solution that facilitates malware analysis, but as a driver for better metrics across SOC processes: 

“ANY.RUN provided not only the fundamentals needed to complete our investigations but also improved our mean time to resolve incidents.” 

How Health Shared Services Implemented ANY.RUN’s Sandbox 

The organization’s Interim CISO shared that when implementing ANY.RUN’s solution, the team didn’t need to redesign their core processes. Instead, the SOC refined their investigation cycle and reached better results without significant workflow changes. 

They saw improvements across several operational areas since adopting ANY.RUN: 

  • Better detection: detailed threat data empowers analysts to process incidents with higher accuracy. 
  • Stronger triage: low false-positive rate (FPR) makes it easier and faster to process alerts. 
  • Faster response: efficient reporting and behavioral artifacts support more confident decisions. 

The Interim CISO noted that the solution also improved the team’s ability to communicate investigation findings to leadership: 

“It enhanced our team’s time to complete investigations and aided us in providing specific details for executive questions.” 

Performance Impact  

By executing suspicious files in ANY.RUN and reviewing behavioral artifacts, analysts were able to gather the context that had previously been missing during investigations. 

From a leadership standpoint, the most important improvement has been the impact on SOC performance metrics and investigation confidence. For analysts, this looks like the ability to understand threats faster and deeper.  

Key benefits observed by the SOC team 

  • Metric-based impact: lower MTTD and MTTR; higher alert closure rate; maintained SLA compliance 
  • Operational benefits: high-confidence decision-making; faster investigations; transparent and structured reporting 
  • Human-centric values: reduced alert fatigue; intuitive and user-friendly interface; clear insights for analysts and leadership 

Through these outcomes, the team was able to strengthen their ability to respond to security incidents effectively, covering all key challenges they had to face, from alert fatigue to high MTTR.  

“ANY.RUN has bettered our SOC’s key metrics like MTTD and MTTR by providing a mature solution to sandboxing that is both well received by executives and the analysts.” 

The organization continues to use ANY.RUN and plans to integrate our solutions with their SOAR platform in the future. 



Conclusion 

For Health Shared Services, adopting ANY.RUN strengthened their existing SOC operations without requiring major workflow changes. 

This case highlights how large enterprises across industries benefit from the deep threat context, real-time behavioral insights, and efficient reporting ANY.RUN offers.  

About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, integrates seamlessly into modern SOC operations. It supports investigations from triage to incident response, improving metrics like DR and MTTR. 

ANY.RUN’s Interactive Sandbox aids in deep threat behavior observation, while the threat intelligence solutions Threat Intelligence Lookup and Threat Intelligence Feeds empower analysts with rich community-sourced context. 

Over 600,000 SOC analysts across 15,000+ teams rely on ANY.RUN’s solutions. SOC 2 Type II certification allows us to protect customer data and maintain strong security controls.  

The post Canada-Based Organization Health Shared Services Accelerates SOC Investigations with ANY.RUN  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Kamasers Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide 

DDoS attacks are no longer only an infrastructure problem. They can quickly turn into a business issue, affecting uptime, customer experience, and operational stability. Kamasers is a strong example of this new reality, with broad attack capabilities and resilient command-and-control mechanisms that allow it to remain active under pressure.

Let’s explore the Kamasers botnet through both technical and behavioral analysis, looking at the commands it receives, the geographic distribution of its attacks, and the functions implemented in the malware sample. Together, these elements help reveal how Kamasers operates and why it poses a serious threat to organizations worldwide.

Key Takeaways 

  • Kamasers is a sophisticated DDoS botnet that supports both application-layer and transport-layer attacks, including HTTP, TLS, UDP, TCP, and GraphQL-based flooding. 
  • The malware can also act as a loader, downloading and executing additional payloads, which raises the risk of further compromise, data theft, and ransomware deployment.
  • Its C2 infrastructure is resilient, using a Dead Drop Resolver (DDR) through legitimate public services such as GitHub Gist, Telegram, Dropbox, Bitbucket, and even Etherscan to retrieve active C2 addresses. 
  • Analysis showed that Railnet ASN repeatedly appeared in malicious activity tied to multiple malware families, making it a notable infrastructure element in the broader threat landscape. 
  • Kamasers was observed being distributed through GCleaner and Amadey, showing that it fits into established malware delivery chains. 
  • The botnet’s activity is international, with strong submission visibility in Germany and the United States, while targeting extends across sectors including education, telecom, and technology.

The Business Risk Behind Kamasers 

Kamasers is a flexible attack platform that can turn compromised enterprise systems into operational liabilities, external attack infrastructure, and potential entry points for deeper compromise: 

  • Corporate infrastructure can be turned against others: Infected enterprise systems may be used to launch DDoS attacks on third parties, creating reputational, contractual, and even legal risk for the organization. 
  • A broader incident can follow quickly: Because Kamasers can function as a loader, a single infection may lead to additional payload delivery, raising the risk of data theft, ransomware, and deeper intrusion. 
  • Visibility gaps become harder to defend: The malware uses legitimate public services to retrieve C2 information, making malicious communication more difficult to detect and increasing the chance of delayed response. 
  • Response costs rise fast: Investigating infected hosts, validating external impact, restoring systems, and handling possible IP blacklisting can create significant operational and financial strain. 
  • Business trust can be affected early: If company infrastructure is linked to malicious traffic, customers, partners, and providers may react before the full incident is even understood. 

Kamasers highlights a serious enterprise risk: attackers can use resilient C2 discovery, flexible attack methods, and follow-on payload delivery to turn a single compromise into an incident with operational, financial, compliance, and reputational consequences. 



Kamasers Threat Overview 

Kamasers is a malware botnet family designed to carry out DDoS attacks using both application-layer and transport-layer vectors. It supports HTTP GET/POST floods, API-targeted attacks, defense evasion techniques, TLS handshake exhaustion, connection-holding methods, as well as UDP and TCP floods. Infected nodes receive commands from the command-and-control infrastructure and generate the corresponding traffic. In addition, Kamasers can also function as a loader, downloading and executing files from the network. 

ANY.RUN previously observed activity associated with Udados, which is most likely an evolution or updated version of Kamasers. As such, Udados can be considered part of the Kamasers family. 

You can find public sandbox analysis sessions related to the Kamasers family with the following Threat Intelligence Lookup query: 

threatName:”kamasers” 

ANY.RUN’s sandbox sessions related to the Kamasers attacks displayed inside TI Lookup

If a corporate host becomes part of a botnet and is used to carry out DDoS attacks, the organization may face financial risks related to incident response, system recovery, network costs, and potential contractual penalties, as well as regulatory scrutiny if inadequate security measures are identified, especially in cases involving data compromise. 

An additional risk stems from the malware’s ability to act as a loader, downloading and executing third-party payloads. This increases the likelihood of further intrusion, data exfiltration, ransomware deployment, and the resulting operational and reputational damage. 

C2 and Infrastructure  

As part of the analysis, it was observed that the bot received the !httpbypass control command, which initiates an HTTP flood attack against a specified URL with defined intensity and duration parameters. After completing the attack, the bot reported its status and returned to standby mode. 

View analysis session 

Communication between the infected host and the C2 server 

 In the sandbox analysis session, we can see how a DDoS attack targets a domain: 

DDoS attack targeting a domain, exposed inside ANY.RUN sandbox 

In a number of analysis sessions, the command-and-control server was used not only to coordinate DDoS activity, but also to deliver additional payloads. Specifically, the bot received the !download command, after which it downloaded and executed a file from an external domain, then confirmed successful session completion to the C2 server: 


Example of a C2 command used to download a malicious file

In one observed case, the bot received the !descargar command, the Spanish-language equivalent of !download, to retrieve an executable file from an external domain. 


C2 command in Spanish used to download a malicious file, observed inside ANY.RUN sandbox

In some cases, the Kamasers botnet was observed using public blockchain infrastructure as an auxiliary mechanism for obtaining the C2 address. Specifically, infected hosts queried the Etherscan API (api.etherscan.io) to retrieve data containing the URL of the command-and-control server:


Querying the Etherscan API (api.etherscan.io) to retrieve the C2 address

After obtaining the URL, the bot connects to the C2 server and sends information about its ID, command execution status, bot version, privileges on the infected host, C2 discovery source, and system information: 

Victim request to the C2 server

In a number of cases, Kamasers uses public services, including GitHub, as an auxiliary source of configuration: 


Behavioral analysis of Kamasers showed that the botnet frequently establishes connections to IP addresses associated with Railnet LLC’s ASN.



Railnet is regularly mentioned in public reporting as a legitimate front for the hosting provider Virtualine. This provider is known for the absence of KYC procedures, and some research has noted that the associated infrastructure is used to host malicious services and facilitate attacks. 

Railnet infrastructure has previously been observed in campaigns targeting both government and private-sector organizations across several European countries, including Switzerland, Germany, Ukraine, Poland, and France. 

There are also documented cases of Railnet infrastructure being used to distribute other malware families, including Latrodectus, which a number of reports link to activity associated with groups such as TA577.

At the time of analysis, ANY.RUN data showed that Railnet’s ASN consistently appeared in reports tied to a wide range of malicious activity and was being used by multiple malware families. These were not isolated incidents, but a recurring pattern: the same ASN was repeatedly involved across different campaigns, making it a convenient infrastructure hub for threat actors. 

The current picture of Railnet activity can be quickly verified using ANY.RUN’s Threat Intelligence Lookup. Searching by ASN makes it possible to assess how extensively it is involved in malicious chains, which malware families interact with it, and how the nature of that activity changes over time: 

destinationIpAsn:"railnet"

Query for RAILNET ASN in ANY.RUN’s TI Lookup 

In the analyzed sandbox sessions, Kamasers was distributed via GCleaner and Amadey, a delivery pattern that has also been observed in other DDoS campaigns.

Attack Geography and Targeting 

Among the observed DDoS targets were companies in the LATAM region. However, according to ANY.RUN’s threat intelligence data, the targeting profile is broader: the education sector is affected most often, along with telecommunications and technology organizations. 

Query in ANY.RUN TI to search for the Kamasers malware family 

By geographic distribution of observed submissions, the largest share comes from Germany and the United States, with separate cases also recorded in Poland and other countries. Control commands in Spanish were also observed during the analysis. This may indirectly suggest that the botnet originated from, or evolved within, a Spanish-speaking operator environment, although its actual activity is clearly international in scope.

It is also important to consider that the botnet uses the infrastructure of infected hosts to carry out attacks. If corporate systems are compromised, the organization may not only become a potential target itself, but also inadvertently serve as a source of attacks against third parties. This creates reputational risks, the possibility of IP address blacklisting, and additional financial costs related to investigation and infrastructure recovery. 

Technical Breakdown of Kamasers  

To better understand the Kamasers botnet architecture, a detailed sample analysis was conducted. The starting point was the sample from this ANY.RUN sandbox session:


ANY.RUN’s analysis session used as a starting point for technical investigation 

This was followed by reverse engineering of the binary. The analysis focused primarily on how the malware receives and processes commands from the C2 server, as well as the attack capabilities implemented in the sample. 

After launch, the malware does not contact its C2 server directly. It first runs a Dead Drop Resolver routine that queries public services (GitHub Gist, Telegram, Dropbox, and Bitbucket) as intermediary sources. From the content hosted there, the bot extracts the address of the real C2 server and only then establishes a connection to it to start receiving commands.

The bot validates the format of the command sent by the C2 server

Command processing takes place in several stages. First, the bot verifies that the command format is valid. All valid commands must begin with the “!” character. If this prefix is missing, the command is rejected and not executed. 

Code for the handler caching mechanism

After validating the prefix, the bot matches the command against an internal handler table. The analysis showed that Kamasers uses a handler caching mechanism. If the previously used handler matches the current command index, the bot takes a fast path without performing another lookup. Otherwise, it triggers the dynamic resolution routine. 

Pseudocode of the flowchart showing command receipt and handler caching

This mechanism can be briefly described as shown in the pseudocode above. 
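The validation and caching flow above, as an added example for this article: a Python model written by the editor, not code from the sample or from ANY.RUN. The Dispatcher class, the placeholder handler bodies and the status labels for commands other than the ones quoted from the sample's own strings (GraphQL Flood, HULK, UDP PRO, TCP PRO, TCP HOLD, Visit URL) are assumptions; the handlers here launch nothing and only return the "Starting ... on <target>" status line the bot would report.

```python
"""Model of the Kamasers command-validation and handler-caching flow.
Written for this article as an illustration; not code recovered from the
sample. Dispatcher, the handler bodies and the non-quoted labels in STATUS
are assumptions."""
from typing import Callable, Dict, List, Optional

# Labels quoted from the sample's own status strings; every other command
# falls back to an assumed upper-cased name.
STATUS = {
    "graphql": "GraphQL Flood", "httphulk": "HULK", "udppro": "UDP PRO",
    "tcppro": "TCP PRO", "tcphold": "TCP HOLD", "visiturl": "Visit URL task",
}
COMMANDS = ["stop", "download", "visiturl", "httpget", "httpgetpro",
            "httppost", "tlsflood", "httpbypass", "graphql", "httphulk",
            "fastflood", "proloris", "slowread", "udppro", "tcppro", "tcphold"]

Handler = Callable[..., str]


def make_handler(cmd: str) -> Handler:
    # In the bot each handler starts attack threads or a download task;
    # here it only emits the "Starting ... on <target>" status the bot reports.
    label = STATUS.get(cmd, cmd.upper())

    def handler(args: List[str]) -> str:
        target = args[0] if args else "<no target>"
        return f"Starting {label} on {target}"
    return handler


class Dispatcher:
    def __init__(self, table: Dict[str, Handler]) -> None:
        self.table = table
        self.cached_cmd: Optional[str] = None
        self.cached_handler: Optional[Handler] = None
        self.lookups = 0   # slow-path table resolutions, to make the cache visible

    def dispatch(self, line: str) -> str:
        line = line.strip()
        # Stage 1: format check. Anything the C2 sends must start with "!".
        if not line.startswith("!"):
            return "rejected: missing '!' prefix"
        cmd, *args = line[1:].split()
        cmd = cmd.lower()
        # Stage 2: fast path when the previously used handler is the one needed.
        if cmd == self.cached_cmd and self.cached_handler is not None:
            return self.cached_handler(args)
        # Stage 3: dynamic resolution against the handler table, then cache it.
        self.lookups += 1
        handler = self.table.get(cmd)
        if handler is None:
            return f"rejected: unknown command !{cmd}"
        self.cached_cmd, self.cached_handler = cmd, handler
        return handler(args)


HANDLERS: Dict[str, Handler] = {cmd: make_handler(cmd) for cmd in COMMANDS}
# Spanish alias observed in one session; same handler as !download.
HANDLERS["descargar"] = HANDLERS["download"]

if __name__ == "__main__":
    d = Dispatcher(HANDLERS)
    for raw in ["graphql example.test", "!graphql example.test 300",
                "!graphql example.test 300", "!udppro 203.0.113.5 53"]:
        print(repr(raw), "->", d.dispatch(raw))
    print("slow-path lookups:", d.lookups)   # 2: graphql once, udppro once
```

Two consecutive !graphql tasks cost one table lookup; the second is served from the cache, which is the only effect the caching has on behaviour. Lines without the "!" prefix never reach the table, so a sandbox that feeds the bot a bare "stop" will not see it react.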

One of the most illustrative commands is !udppro. It implements a high-speed UDP flood with support for source IP spoofing. Code analysis shows the standard sequence for creating a UDP socket via the WinSock API using the AF_INET, SOCK_DGRAM, and IPPROTO_UDP parameters. 

Disassembled code for the “!udppro” command

After initializing the socket, the malware configures the packet transmission parameters. Source-address spoofing turns the flood into a reflection and amplification attack: requests carrying the victim’s address are sent to public NTP and DNS servers, whose responses are significantly larger than the requests and land on the victim, sharply increasing the load. Two practical caveats apply. A plain SOCK_DGRAM socket cannot forge the source address; spoofing requires a raw socket with IP_HDRINCL, and Windows has restricted spoofed-source UDP over raw sockets since XP SP2. In addition, networks that apply BCP 38 egress filtering drop such packets at the edge, so the spoofing option is only effective from hosts whose privileges and upstream network allow it.

The !download command is also present, implementing a Download & Execute mechanism. The bot retrieves an executable file from the specified URL, checks for the MZ signature, allocates memory, maps the sections, and transfers execution to the entry point. If successful, it sends a task completion message; if an error occurs, it generates a failure notification. 

Bot status messages related to the download process
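The header checks a download-and-execute handler has to make before mapping a PE, as an added, stand-alone Python parser for this article (not code recovered from the sample, and it executes nothing): MZ signature, e_lfanew, PE signature, optional-header magic, section table bounds, and whether the entry point lands inside a mapped section. build_sample_pe() and its constants build a constructed, minimal PE32 skeleton so the example runs offline.

```python
"""Stand-alone PE header validation of the kind the !download handler
performs before mapping sections and jumping to the entry point. Written for
this article; not code from the sample. build_sample_pe() is a constructed
skeleton image, not a real executable."""
import struct
from typing import Dict, List


def parse_pe(data: bytes) -> Dict:
    """Validate MZ/PE signatures and return entry point plus section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt + opt_size > len(data) or opt_size < 20:
        raise ValueError("optional header runs past end of file")
    magic = struct.unpack_from("<H", data, opt)[0]        # 0x10B PE32, 0x20B PE32+
    if magic not in (0x10B, 0x20B):
        raise ValueError("bad optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    sections: List[Dict] = []
    sec_off = opt + opt_size
    for i in range(nsec):
        off = sec_off + 40 * i                            # 40-byte section headers
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        if rawptr + rawsize > len(data):
            raise ValueError(f"section {i} raw data runs past end of file")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize})
    # A manual mapper transfers execution to the entry RVA; refuse one that
    # lands outside every section rather than jumping into unmapped memory.
    entry_ok = any(s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])
                   for s in sections)
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "entry_point": entry, "entry_in_section": entry_ok,
            "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed 1 KiB PE32 skeleton: one .text section, entry at RVA 0x1000."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)                           # AddressOfEntryPoint
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", 0x10, 0x1000, 0x200, 0x200)
    return bytes(img)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(hex(info["entry_point"]), info["entry_in_section"], info["sections"])
```

The same checks, run over the artefact a sandbox captures from the download URL, tell an analyst whether the payload would have survived the bot's own validation; the sample's "Downloaded file disappeared (AV/EDR?)" string shows the operators already expect the file to be removed between download and launch.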

Implementation of Dead Drop Resolver Channels

Kamasers uses four Dead Drop Resolver channels: GitHub Gist, a Telegram bot, a file hosted on Dropbox, and a Bitbucket repository. Importantly, links to these services are not stored in the sample in plain form. Instead, they are constructed and unpacked dynamically at runtime, which is why such strings do not appear during static analysis of the binary. 

The Dead Drop Resolver (DDR) mechanism serves as an intermediary layer between the bot and the primary C2 server. After launch, the malware sequentially sends HTTP GET requests to each of the public resources. The content hosted there contains the current address of the command-and-control server. Once a response is received, the bot extracts the C2 address and establishes a direct connection to continue receiving commands. 

If the first source returns a valid address, no further requests are made. If the connection fails or the response is invalid, the bot automatically falls back to the next channel: Telegram, then Dropbox, and finally Bitbucket.

DDR links in the Kamasers codebase

All of these resources ultimately point to the same C2 infrastructure: 

GitHub Gist content used by Kamasers as DDR
Bitbucket content used by Kamasers as DDR
Fallback domains used if the DDR links are unavailable

If none of the DDR channels responds, the malware falls back to a built-in list of backup domains. 
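The fallback chain above, as an added Python model for this article (not the sample's code). The channel URLs are placeholders standing in for the defanged ones in the IOC list, fetch() and the constructed responses are assumptions so the example runs offline, and the scheme and path used to probe the built-in fallback domains are assumed; only the channel order, the fallback domain list and the "discovery source" the bot later reports to the C2 come from the analysis.

```python
"""Model of the Kamasers Dead Drop Resolver fallback order. Added for this
article; not code from the sample. Channel URLs are placeholders, the probe
against fallback domains is assumed, and `fetch` is injected so the example
runs offline."""
import re
from typing import Callable, Dict, Optional, Tuple

# Order the bot tries the channels in; the first usable answer wins.
DDR_CHANNELS = [
    ("gist",      "https://gist.github.com/<user>/<id>.js"),
    ("telegram",  "https://api.telegram.org/bot<token>/<method>"),
    ("dropbox",   "https://dl.dropboxusercontent.com/s/<id>/fj.txt"),
    ("bitbucket", "https://bitbucket.org/<user>/<repo>/raw/main/fq.txt"),
]
# Built-in backup domains from the sample (defanged in the IOC list). The
# scheme and path the bot uses against them are not known; "/" is assumed.
FALLBACK_DOMAINS = ["pitybux.com", "ryxuz.com", "toksm.com", "boskuh.com"]

C2_URL = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[^\s\"'<>]*)?")

Fetch = Callable[[str], str]   # returns the body text, raises on failure


def extract_c2(body: str) -> Optional[str]:
    """Pull the first URL out of a dead-drop body; None if there is none."""
    m = C2_URL.search(body)
    return m.group(0) if m else None


def resolve_c2(fetch: Fetch) -> Tuple[str, Optional[str]]:
    """Return (discovery_source, c2_url). A connection error or a body with no
    URL falls through to the next channel, then to the built-in domains."""
    for name, url in DDR_CHANNELS:
        try:
            body = fetch(url)
        except Exception:            # unreachable, blocked, or taken down
            continue
        c2 = extract_c2(body)
        if c2:
            return name, c2          # first valid answer stops the walk
    for domain in FALLBACK_DOMAINS:
        try:
            fetch(f"http://{domain}/")   # assumed reachability probe
        except Exception:
            continue
        return "fallback", f"http://{domain}/"
    return "none", None


def fake_fetch_factory(responses: Dict[str, str]) -> Fetch:
    """Offline stand-in for HTTP GET: a missing key means the request failed."""
    def fetch(url: str) -> str:
        if url not in responses:
            raise ConnectionError(url)
        return responses[url]
    return fetch


# Constructed scenario: the Gist is gone, the Telegram bot answers but its
# body holds no URL, Dropbox still serves the address.
SCENARIO = fake_fetch_factory({
    DDR_CHANNELS[1][1]: '{"ok":false,"error_code":401}',
    DDR_CHANNELS[2][1]: "http://c2.example.test:8080/gate",
})

if __name__ == "__main__":
    print(resolve_c2(SCENARIO))   # ('dropbox', 'http://c2.example.test:8080/gate')
```

For defenders the fall-through is the point: taking down or blocking a single channel changes nothing, and a bot that reaches the C2 via the third or fourth channel reports that in its "C2 discovery source" field, so the operators learn which drops have been burned. Coverage has to include all four services' specific paths plus the fallback domains.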

Catching Kamasers Early: A Practical Detection Approach 

Kamasers shows how a single malware infection can quickly turn into a broader business problem. Beyond DDoS activity, the botnet can also download and execute additional payloads, increasing the risk of deeper compromise. 

For security teams, the challenge is not only spotting the malware itself but also understanding whether an infected host is being used for external attacks, communicating with resilient C2 infrastructure, or pulling in follow-on payloads. 

Early detection depends on moving quickly from suspicious network activity to confirmed malicious behavior. 

1. Monitoring: Spot Malicious Infrastructure and Unusual Network Behavior Early 

Kamasers relies on external infrastructure to receive commands, retrieve C2 addresses, and in some cases download additional payloads. It also uses public services such as GitHub Gist, Telegram, Dropbox, Bitbucket, and even Etherscan as part of its Dead Drop Resolver logic. 

Monitoring for suspicious outbound connections, newly observed infrastructure, and repeated communication with known malicious hosting can help teams detect activity before the infection leads to larger operational impact. 
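A detection sketch for the monitoring step above, added for this article (not ANY.RUN's code): it flags an internal host that walks through two or more of the dead-drop services within a short window, and any workstation that hits the Telegram Bot API or the Etherscan API at all. The log format, parse_line() and the log lines themselves are constructed for the example; adapt the parser to your proxy's schema.

```python
"""Proxy-log detection for the Kamasers dead-drop pattern. Added for this
article; not ANY.RUN's or the sample's code. The log format and SAMPLE_LOG
are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DDR_HOSTS = {
    "gist.github.com": "gist",
    "api.telegram.org": "telegram",
    "dl.dropboxusercontent.com": "dropbox",
    "bitbucket.org": "bitbucket",
    "api.etherscan.io": "etherscan",
}
# Endpoints ordinary browsing rarely touches: the Bot API (token in the path)
# and the Etherscan JSON API from a workstation.
ALWAYS_FLAG = {"telegram", "etherscan"}

# Constructed proxy log: "<iso-time> <src-ip> <host> <path>"
SAMPLE_LOG = """\
2026-02-11T09:00:01 10.0.0.7 gist.github.com /someone/abc123.js
2026-02-11T09:00:02 10.0.0.7 api.telegram.org /bot1234567:AAExample/getUpdates
2026-02-11T09:00:03 10.0.0.7 dl.dropboxusercontent.com /s/abc/fj.txt
2026-02-11T09:00:04 10.0.0.7 bitbucket.org /someone/repo/raw/main/fq.txt
2026-02-11T09:05:00 10.0.0.12 gist.github.com /colleague/snippet.js
2026-02-11T11:30:00 10.0.0.12 dl.dropboxusercontent.com /s/xyz/report.pdf
2026-02-11T09:10:00 10.0.0.20 api.etherscan.io /api
"""


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, src, host, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, host.lower(), path


def find_ddr_activity(log: str, window: timedelta = timedelta(minutes=5),
                      min_services: int = 2) -> Dict[str, List[str]]:
    """Map src-ip -> sorted reasons; hosts with no findings are absent."""
    events = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, host, path = parse_line(line)
        svc = DDR_HOSTS.get(host)
        if svc:
            events[src].append((ts, svc, path))
    findings: Dict[str, List[str]] = {}
    for src, evs in events.items():
        evs.sort()
        reasons = {svc for _, svc, _ in evs if svc in ALWAYS_FLAG}
        # Sliding window: distinct dead-drop services contacted within `window`.
        for i, (t0, _, _) in enumerate(evs):
            seen = {s for t, s, _ in evs[i:] if t - t0 <= window}
            if len(seen) >= min_services:
                reasons.add("ddr-chain:" + ",".join(sorted(seen)))
                break
        if reasons:
            findings[src] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for src, why in find_ddr_activity(SAMPLE_LOG).items():
        print(src, why)
```

Gist, Dropbox and Bitbucket are legitimate services, so the chain rule on its own will page on developers; what separates the bot is the sequence completing in seconds from a non-browser process, followed by a first-seen outbound connection to the host named in the drop. Join the finding with process context from EDR and with the user agent before alerting, and add a rule for the follow-on connection.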

Actionable IOCs delivered by TI Feeds to your existing stack

ANY.RUN’s Threat Intelligence Feeds help surface suspicious indicators early, giving SOC teams faster visibility into malicious domains, IPs, and infrastructure patterns linked to emerging threats. 



2. Triage: Confirm Botnet Activity with Behavior-Based Analysis 

With threats like Kamasers, static detection alone may not show the full risk. A suspicious file may appear inconclusive until its real behavior is observed during execution. 

Running the sample inside the ANY.RUN interactive sandbox makes it possible to confirm the full execution flow, including: 

  • retrieval of C2 data through Dead Drop Resolver channels 
  • connection to the active command-and-control server 
  • receipt and execution of DDoS commands 
  • download-and-execute behavior through commands like !download or !descargar 
  • status reporting back to the C2 infrastructure 
Relevant IOCs automatically gathered in one tab inside ANY.RUN sandbox 

This helps teams quickly determine whether the malware is only participating in DDoS activity or whether it also creates risk of further payload delivery and deeper compromise. 



3. Threat Hunting: Pivot from One Sample to Related Infrastructure 

Once Kamasers is confirmed, the next step is understanding how far the activity may extend. 

Using ANY.RUN’s Threat Intelligence Lookup, teams can pivot from the initial sample to uncover related infrastructure, connected sessions, and recurring patterns across the broader campaign. 

This makes it possible to: 

  • identify other samples tied to the Kamasers family 
  • trace infrastructure linked to the botnet’s C2 activity 
  • investigate repeated use of ASN-linked hosting such as Railnet
  • expand detection based on shared behavior and network indicators 

threatName:"kamasers"

ANY.RUN’s sandbox sessions related to the Kamasers attacks displayed inside TI Lookup 

By pivoting from one confirmed sample, security teams can turn a single investigation into broader visibility across related botnet activity. 

Conclusion 

Kamasers is a capable DDoS botnet with a deliberately layered architecture. Resolving its C2 address through a Dead Drop Resolver hosted on legitimate services, backed by a built-in list of fallback domains, makes the C2 infrastructure resilient to takedown. Its 16 commands cover modern vectors such as GraphQL floods and WAF/CDN bypass alongside refined implementations of classic techniques (Slowloris, slow read, TCP state exhaustion, spoofed UDP amplification), and the download-and-execute command turns every infected host into a foothold for further payloads.

For business leaders, Kamasers shows that resilient, multi-vector botnets can threaten not only infrastructure, but also uptime, customer experience, and revenue-critical operations. 


About ANY.RUN 

ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, fits naturally into modern SOC workflows and supports investigations from initial alert to final containment.  

It allows teams to safely execute suspicious files and URLs, observe real behavior in an interactive environment, enrich indicators with immediate context through TI Lookup, and continuously monitor emerging infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.  

ANY.RUN also meets enterprise security and compliance expectations. The company is SOC 2 Type II certified, reinforcing its commitment to protecting customer data and maintaining strong security controls.  

Complete List of Kamasers Commands 

Command  Purpose
!stop  Stops the current operation. Closes sockets, terminates attack threads, and clears buffers.
!download  Downloads and executes a file. Retrieves a PE file over HTTP, verifies it, and launches it. Also detects whether the file has been removed by antivirus software.
!visiturl  Sends a basic HTTP GET request to the specified URL to generate traffic or check availability.
!httpget  Basic HTTP GET flood implementation. Spawns several dozen threads with minimal randomization.
!httpgetpro  Advanced HTTP GET flood. Spawns hundreds of threads; randomizes the User-Agent, Referer, URL paths, and parameters. Uses keep-alive connections.
!httppost  HTTP POST flood. Sends POST requests with randomized headers and payloads, creating load on server-side data processing.
!tlsflood  TLS handshake flood. Initiates SSL/TLS handshakes without completing them, creating load on the server’s cryptographic operations.
!httpbypass  HTTP attack with defense evasion. Uses WAF/CDN bypass techniques such as header manipulation, payload encoding, and request fragmentation.
!graphql  GraphQL API flood. Sends deeply nested GraphQL queries that create exponential load on the server parser.
!httphulk  HULK attack (HTTP Unbearable Load King). Applies maximum randomization to all HTTP request parameters to bypass caching and rate limiting.
!fastflood  Optimized high-speed flood with minimal overhead, designed to saturate available bandwidth.
!proloris  Professional implementation of Slowloris. Slowly sends partial HTTP headers to exhaust the server’s connection pool.
!slowread  Slow Read attack. Requests a large file and reads it very slowly to tie up server resources.
!udppro  Professional UDP flood with support for IP spoofing and NTP/DNS amplification.
!tcppro  Advanced TCP flood. Combines SYN flood, ACK flood, and connection reset techniques to exhaust the TCP state table.
!tcphold  TCP connection holding. Establishes the maximum number of connections while maintaining minimal keep-alive traffic to exhaust server limits.

Indicators of Compromise (IOCs)   

  • f6c6e16a392be4dbf9a3cf1085b4ffc005b0931fc8eeb5fedf1c7561b2e5ad6b
  • dd305f7f1131898c736c97f43c6729bf57d3980fc269400d23412a282ee71a9a
  • hxxp://45[.]151[.]91[.]187/pa[.]php
  • hxxp://91[.]92[.]240[.]50/pit/wp[.]php
  • 071a1960fbd7114ca87d9da138908722d7f1c02af90ea2db1963915fbe234c52
  • hxxp://178[.]16[.]54[.]87/uda/ph[.]php

C2 Infrastructure (DDR): 

  • gist[.]github[.]com/pitybugak/5d16b75e8bd071e15b04cc9c06dcfafa[.]js
  • api[.]telegram[.]org/bot8215158687:AAFgSmsaxfsJozcHIIYPv-HytZ3eCEaUrKg
  • dl[.]dropboxusercontent[.]com/s/jqvpmc0kwg6ffi1mineh2/fj[.]txt
  • bitbucket[.]org/serky/repyx/raw/main/fq[.]txt

Fallback domains: 

  • pitybux[.]com
  • ryxuz[.]com
  • toksm[.]com
  • boskuh[.]com

Yara rules: 

rule Kamasers {
    meta:
        description = "Detects Kamasers DDoS botnet"
        author = "ANY.RUN"
        date = "2026-02-11"
        threat = "Kamasers"
    strings:
        $cmd1 = "!stop" ascii fullword
        $cmd2 = "!download" ascii fullword
        $cmd3 = "!visiturl" ascii fullword
        $cmd4 = "!httpget" ascii fullword
        $cmd5 = "!httpgetpro" ascii fullword
        $cmd6 = "!httppost" ascii fullword
        $cmd7 = "!tlsflood" ascii fullword
        $cmd8 = "!httpbypass" ascii fullword
        $cmd9 = "!graphql" ascii fullword
        $cmd10 = "!httphulk" ascii fullword
        $cmd11 = "!fastflood" ascii fullword
        $cmd12 = "!proloris" ascii fullword
        $cmd13 = "!slowread" ascii fullword
        $cmd14 = "!udppro" ascii fullword
        $cmd15 = "!tcppro" ascii fullword
        $cmd16 = "!tcphold" ascii fullword
        $msg1 = "Task completed:" ascii fullword
        $msg2 = "Task completed: GraphQL Flood on" ascii fullword
        $msg3 = "Task completed: HULK on" ascii fullword
        $msg4 = "Task completed: UDPPRO Flood on" ascii fullword
        $msg5 = "Task completed: TCPPRO Flood on" ascii fullword
        $msg6 = "Task completed: TCP HOLD on" ascii fullword
        $msg7 = "Task completed: Download & Execute from" ascii fullword
        $msg8 = "Task completed: Visit URL" ascii fullword
        $msg9 = "Starting GraphQL Flood on" ascii fullword
        $msg10 = "Starting HULK on" ascii fullword
        $msg11 = "Starting UDP PRO on" ascii fullword
        $msg12 = "Starting TCP PRO on" ascii fullword
        $msg13 = "Starting TCP HOLD on" ascii fullword
        $msg14 = "Starting Visit URL task on" ascii fullword
        $msg15 = "Runtime error in D&E task:" ascii fullword
        $msg16 = "Unknown exception in DownloadAndExecuteTask" ascii fullword
        $msg17 = "Awaiting task" ascii fullword
        $msg18 = "Downloading file from:" ascii fullword
        $msg19 = "Downloaded file disappeared (AV/EDR?)" ascii fullword
        $msg20 = "Download failed with HRESULT:" ascii fullword
        $msg21 = "HTTP GET Flood" ascii fullword
        $msg22 = "HTTP GET PRO" ascii fullword
        $msg23 = "HTTP POST Flood" ascii fullword
        $msg24 = "HULK_POST" ascii fullword
    condition:
        uint16(0) == 0x5A4D and
        (10 of ($cmd*)) and
        (8 of ($msg*))
}

The post Kamasers Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide  appeared first on ANY.RUN’s Cybersecurity Blog.
