Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.

The XorDDoS trojan is a Linux-targeting malware designed to conduct distributed denial-of-service (DDoS) attacks by compromising vulnerable Linux machines primarily through SSH brute-force attacks. The malware attempts to gain unauthorized access by systematically guessing SSH credentials, exploiting weak or default passwords. Upon successful compromise, XorDDoS establishes persistence mechanisms on the infected host, ensuring continued control even after system reboots or removal attempts. A recent discovery revealed a new 'VIP version' of the XorDDoS controller infrastructure, introducing a hierarchical command-and-control (C2) architecture consisting of a central controller managing multiple sub-controllers. This design significantly enhances the attackers' ability to coordinate large-scale and sophisticated DDoS campaigns. The infection chain involves initial brute-force access, deployment of the trojan, and encrypted communication between the trojan, sub-controllers, and the central controller. The malware uses specific network communication patterns and encryption methods to evade detection and maintain stealth. Indicators of compromise include several known malicious file hashes and domains used for C2 communication, such as 'ppp.gggatat456.com' and 'ppp.xxxatat456.com'. Although over 70% of observed attacks from November 2023 to February 2025 targeted the United States, the global spread and modular infrastructure of XorDDoS suggest potential for broader impact. The operators are believed to be Chinese-speaking based on language settings observed in the malware, but no direct attribution beyond this linguistic indicator is confirmed. No known public exploits are currently reported, and the overall severity is assessed as medium, reflecting the malware's capability to disrupt services but also the availability of mitigation strategies.

Detailed information about Unmasking the new XorDDoS controller and infrastructure. Get real-time updates, technical details, and mitigation strategies.

Unmasking the new XorDDoS controller and infrastructure - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking the new XorDDoS controller and infrastructure

Multiple state-sponsored threat actors from North Korea, Iran, and Russia have been observed adopting the ClickFix social engineering technique, previously associated with cybercriminal activities. Over a three-month period from late 2024 to early 2025, groups such as TA427, TA450, UNK_RemoteRogue, and TA422 incorporated ClickFix into their existing infection chains. The technique involves using dialogue boxes with instructions for targets to copy, paste, and run malicious commands on their machines. While the adoption of ClickFix hasn't revolutionized these groups' campaigns, it has replaced installation and execution stages in their existing processes. This trend highlights the fluidity of tactics among threat actors and the potential for wider adoption of ClickFix by other state-sponsored groups in the future.

The threat titled "Around the World in 90 Days: State-Sponsored Actors Try ClickFix" describes the observed adoption of the ClickFix social engineering technique by multiple state-sponsored threat actors originating from North Korea, Iran, and Russia. These groups, including TA427, TA450, UNK_RemoteRogue, and TA422, integrated ClickFix into their existing malware infection chains over a three-month period spanning late 2024 to early 2025. ClickFix is a social engineering method that relies on presenting targets with dialogue boxes containing instructions that prompt users to copy, paste, and execute malicious commands directly on their machines. This technique effectively replaces the traditional installation and execution stages of malware deployment, streamlining the infection process by leveraging user interaction to execute payloads. While ClickFix has been previously associated with cybercriminal groups, its adoption by state-sponsored actors marks a notable shift in tactics, demonstrating the fluidity and adaptability of these actors in evolving their operational methods. The technique is linked with tools such as Metasploit and QuasarRAT, indicating its use in deploying remote access trojans and exploitation frameworks. Despite the integration of ClickFix, the overall campaign strategies of these groups have not fundamentally changed, but the trend suggests a potential for broader adoption of this social engineering approach by other state-sponsored entities in the future. No specific affected software versions or patches are identified, and no known exploits in the wild have been reported. The threat is classified as medium severity, reflecting moderate risk based on current knowledge.

Detailed information about Around the World in 90 Days: State-Sponsored Actors Try ClickFix. Get real-time updates, technical details, and mitigation strategies

Around the World in 90 Days: State-Sponsored Actors Try ClickFix - Live Threat Intelligence - Threat Radar | OffSeq.com

Around the World in 90 Days: State-Sponsored Actors Try ClickFix

OSINT - Keep Calm and (Donâ€™t) Enable Macros: A New Threat Actor Targets UAE Dissidents

This threat report describes a new threat actor targeting UAE dissidents through social engineering techniques involving malicious macros. The attack vector relies on convincing targets to enable macros in documents, which then execute malicious code. Macros are small programs embedded in office documents that can automate tasks but can also be exploited to deliver malware. The threat actor's campaign appears to focus on political dissidents in the UAE, leveraging OSINT (Open Source Intelligence) to identify and target individuals. Although specific technical details and payloads are not provided, the use of macros suggests the threat actor is exploiting a common attack vector that bypasses traditional signature-based detection by embedding malicious code in seemingly benign documents. The campaign's medium severity rating indicates a moderate threat level, likely due to targeted scope and reliance on user interaction (enabling macros). There are no known exploits in the wild beyond this campaign, and no affected software versions or patches are listed, implying this is a social engineering-based threat rather than a software vulnerability. The threat level and analysis scores of 2 (on an unspecified scale) further support a moderate risk assessment.

Detailed information about OSINT - Keep Calm and (Donâ€™t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Get real-time updates, technical details, a

Title	Severity	Type	Source	Date

Threats Affecting United Arab Emirates

Filter Threats

Threats Affecting United Arab Emirates

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility