Frankfurt am Main, Germany, 30th April 2025, CyberNewsWire

**Frankfurt am Main, Germany, April 30th, 2025, CyberNewsWire**

**Link11 has fully integrated DOSarrest and Reblaze to become one of Europe’s leading providers of network security, web application security, and application performance**

Link11, DOSarrest, and Reblaze have combined their strengths into a single, integrated platform with a new brand identity. The result: a consistent user experience, maximum efficiency, and seamless security. As a European provider, Link11 addresses the current business risks associated with geopolitical uncertainties and growing compliance requirements. At the same time, the company secures business-critical processes worldwide through the synergies created.

With the acquisitions of DOSarrest in 2021 and Reblaze Technologies in 2024, Link11 has expanded its market position. The new Link11 WAAP (Web Application and API Protection) SaaS platform combines comprehensive DDoS protection against web attacks with ML-based adaptive security and API protection. The result is an unmatched combination of adaptive real-time traffic filtering, AI-powered bot detection, and a next-gen web application firewall for secure and encrypted interactions in a single suite.

At the end of 2023, Link11 secured an investment of €26.5 million from Pride Capital Partners. This financing will support the company’s planned product developments and international go-to-market strategy.

**Maximum security through proprietary, sovereign cloud infrastructure and artificial intelligence**

Link11 is setting new standards in protection against DDoS attacks by using its own AI-based technology. The patented DDoS filter secures all traffic within the Link11 cloud – faster and more efficiently than conventional solutions. The advantages over competitors lie in users’ full control over scaling and intelligent real-time analysis of traffic, as well as continuous learning from attacks.

While other providers rely on third-party infrastructures such as AWS or Google, Link11 controls its own cloud infrastructure. This allows protection mechanisms to work in real time – without delays that can have critical consequences in a DDoS attack. As one of Europe’s leading IT security providers, Link11 enables platform-independent protection, even in multi-cloud environments.

**Technological independence as a security factor**

The solution is designed for workloads in any cloud environment. Link11’s network was developed specifically for modern cybersecurity requirements and sovereignty. It strengthens security at the network edge, accelerates global content delivery, and provides resilience and data sovereignty.

> Jens-Philipp Jung, founder and CEO of Link11: “Cybersecurity today means resilience against threats and outages. European companies that set global standards in data protection should also insist on independence when it comes to their cyber resilience. Especially in times of geopolitical uncertainty, sovereign, powerful and trustworthy IT solutions are needed. With Link11, we are demonstrating what European cutting-edge technology can achieve: maximum resilience, top performance and uncompromising compliance – independently and confidently”.

**European companies should rely on an EU-based DDoS protection provider**

Recent surveys of cybersecurity managers show that, given the option, independent and trustworthy security solutions from Europe will be used more in the future. Link11 has been successfully providing its services to companies such as financial institutions, media companies, retail and logistics companies, and the public sector for many years. With a strong brand and a multi-layered security approach, Link11 helps its customers reduce their dependence on cybersecurity. The goal is to make security architectures more resilient – technologically, functionally, and geopolitically. 

YouTube link: Link11 – Always at your side

**About Link11**

Link11 is a specialized European IT security provider that protects global infrastructures and web applications from cyberattacks. Its cloud-based IT security solutions help companies worldwide strengthen the cyber resilience of their networks and critical applications and avoid business interruptions. Link11 is a BSI-qualified provider of DDoS protection for critical infrastructure. With ISO 27001 certification, it meets the highest standards in data security.  

**Contact**

**Lisa Froehlich**  
**Link11 GmbH**  
**\[email protected\]**

Link11 brings three brands together on one platform with new branding

BreachForums posts a PGP-signed message explaining the sudden April 2025 shutdown. Admins cite MyBB 0day vulnerability impacting the…

BreachForums posts a PGP-signed message explaining the sudden April 2025 shutdown. Admins cite MyBB 0day vulnerability impacting the site, plan return, deny seizure, and warn of clones.

In early April 2025, the well-known cybercrime and data breach forum BreachForums disappeared from the internet without explanation. The forum, administered and **owned by the hacker group ShinyHunters**, went offline without any farewell note or clarification, triggering widespread speculation about a possible law enforcement seizure.

Despite these concerns, DNS records for BreachForums remained unchanged, showing the original nameservers at **DDoS-Guard**, not the typical Cloudflare nameservers seen when the FBI seizes criminal infrastructure. This consistency hinted that the site had not fallen into the hands of authorities but left many questions unanswered.

    BreachForums.st DNS Records:
    
    185.129.101.200
    
    185.129.103.200
    
    ns1.ddos-guard.net
    
    ns2.ddos-guard.net
    
    Typical FBI Seizure DNS Records:
    
    plato.ns.cloudflare.com
    
    jocelyn.ns.cloudflare.com

****BreachForums Plans to Return****

Earlier today (April 28, 2025), visitors to Breachforums.st have been met with a new development: a detailed message posted on the homepage, allegedly from the forum’s administration, signed with a PGP key.

According to the statement, the administrators shut down operations after confirming the existence of a MyBB 0day vulnerability that left the forum exposed to infiltration attempts by law enforcement agencies.

It is worth noting that in June 2023, when BreachForums was revived under ShinyHunters’ control, it **suffered a data breach**. The forum administrator attributed the incident to a MyBB 0day vulnerability, which led to the leak of personal details belonging to over 4,000 members.

However, in the latest update, the administrators claimed they acted quickly once they received credible information about the security risk through trusted contacts. They initiated an incident response protocol, shut down infrastructure, and conducted an audit of their systems.

Their findings suggested that although the forum software was vulnerable, the infrastructure had not been compromised and no data had been stolen. The statement also apologized to staff and users for the extended silence, citing operational security as the top priority during the crisis. BreachForums announced that work is underway on a complete rewrite of the forum backend to prevent future vulnerabilities.

Additionally, the message warned users against engaging with various BreachForums clones that have surfaced online, suggesting that these are likely law enforcement honeypots designed to lure and identify cyber criminals. The administrators emphasized that no arrests had taken place and that the original team remained intact.

Screenshot from the BreachForums’ homepage (Image credit: Hackread.com)

****But Some Questions Remain Unanswered****

What the message does not explain is why ShinyHunters deleted their Telegram account. BreachForums had a large and active community on Telegram. What happened to that account, and why were no updates provided on Telegram before taking down the forum?

The sudden disappearance and equally sudden reappearance of BreachForums have raised further concerns within cybercrime circles. While the operators insist the platform remained secure, the revelation of a zero-day vulnerability in the forum software raises new questions about the operational risks associated with underground forums.

**ShinyHunters**, the hacker group tied to the forum’s ownership, has been linked to several high-profile data breaches over the past few years, which places BreachForums under constant scrutiny by law enforcement agencies worldwide.

The situation is likely to develop as cybersecurity researchers, law enforcement, and threat actors react to the forum’s unexpected return. Until then, BreachForums’ future remains uncertain.

BreachForums Displays Message About Shutdown, Cites MyBB 0day Flaw

In this edition, Bill explores how intellectual curiosity drives success in cybersecurity, shares insights on the IAB ToyMaker’s tactics, and covers the top security headlines you need to know.

Thursday, April 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

"Be curious, not judgmental," Ted Lasso says, misattributing Walt Whitman. We forgive Ted because... well, he's Ted Lasso. 

If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I'm asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is "Be curious, not judgmental." 

I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That's why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.  

_Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?_   

These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.  

Beyond that, I always listen for my favorite answer: “I don’t know, but...” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn...” 

Barbecue sauce.

**The one big thing **

Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints. 

**Why do I care? **

A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus. 

**So now what?**

Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.

**Top security headlines of the week **

**Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS.** Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)

**Microsoft purges millions of cloud tenants in the wake of Storm-0558.** In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading) 

**Researchers warn of critical flaw found in Erlang OTP SSH.** The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive) 

**CISA flags actively exploited vulnerability in SonicWall SMA devices.** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)

**Can’t get enough Talos? **

*   Talos Takes: Year in Review Special: Part 3 
*   TL,DR: Attacks on identity, and Multi Factor Authentication 
*   Unmasking the new XorDDoS controller and infrastructure

**Upcoming events where you can find Talos **

*   RSA (Apr. 28 – May 1) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**    
MD5: 42c016ce22ab7360fb7bc7def3a17b04    
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277    
Typical Filename: Rainmeter-4.5.22.exe     
Detection Name: Artemis!Trojan  

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**      
MD5: ff1b6bb151cf9f671c929a4cbdb64d86      
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query        
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f      
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507      
Typical Filename: VID001.exe      
Detection Name: Win.Worm.Bitmin-9847045-0  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376      
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91     
Typical Filename: IMG001.exe     
Detection Name: Win.Trojan.Miner-9835871-0

Lessons from Ted Lasso for cybersecurity success

Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS, with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States.
"From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis.

Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT

In this week’s newsletter, Thorsten muses on how search engines and AI quietly gather your data while trying to influence your buying choices. Explore privacy-friendly alternatives and get the scoop on why it's important to question the platforms you interact with online.

Thursday, April 17, 2025 14:01

Welcome to this week’s edition of the Threat Source newsletter. 

As we navigate our daily routines, certain tasks become second nature to us, especially if they are integral to our professions. However, what feels instinctive to one person might be foreign to another. This disparity is akin to a skilled musician effortlessly playing a complex melody, while someone without musical training might appreciate the beauty of the music in a different way. Both may enjoy music, but they experience it from different perspectives. 

Lately, I've found myself thinking about these differences in the context of online interactions, particularly with search engines. I've become increasingly frustrated with how they try to influence my buying behavior or try to “enhance” search results with AI. It's often unsuccessful, as many of you have experienced. I once looked up something for my father-in-law and got swamped for weeks after with advertisements absolutely irrelevant to me. 

It's easy to overlook that when using a search engine, the exchange of knowledge is not one-sided. It's not only users who gain knowledge from indexed content, but search engines also acquire detailed insights into user behavior and preferences. You may unknowingly share sensitive information that could be stored for extended periods or shared with third parties for advertising or other purposes. I tried to get around this by shifting to privacy-focused search engines but wasn’t happy with the experience, either because of smaller or different indexes, or I was missing results in my native language. 

Luckily, I came across an open-source project called SearXNG, a “free internet metasearch engine which aggregates results from up to 229 search services. Users are neither tracked nor profiled.” 

I like it for three reasons: 

1.  You can try one of the public instances and check if you like it before you go all-in.
2.  You can self-host it on bare metal, in Docker or LXC, giving you even more control over your data. 
3.  With Opensearch it seamlessly integrates with your existing browser. 

It took me a couple of days to get used to it, but I do really like it now. It’s not perfect, but it is a real timesaver. As a bonus, the search syntax for advanced use is easy to memorize: 

*   “:en”, “:de” or “:fr” to search in a given language 
*   “!social\_media” or “!news” to search just a given category 

The same principle applies to the increasing number of AI and large language models (LLMs) that process your queries — they also gather information about you. There are initiatives like Perplexica on GitHub that aim to bridge the gap for AI-assisted searches, although I haven't explored them in detail. Additionally, if your interactions extend beyond simple searches to more profound inquiries, such as asking an LLM about the meaning of life, it's wise to first assess the trustworthiness of the engine or the company behind it. Care what you share.

**The one big thing **

We are continuing our discussion of Talos' 2024 Year in Review report, looking at each section in detail. This week, let’s examine ransomware.

**Why do I care? **

Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70% of related cases.  

Ransomware actors exploited public-facing applications nearly 20% of the time. The Known Exploited Vulnerabilities Catalog for 2024 lists 28 out of 186 Vulnerabilities as “Known to be used in Ransomware Campaigns” with CVE ID’s all the way from 2012-2024 (except for 2015).

**So now what? **

These are major risks which can be mitigated by applying basic cyber hygiene principles. Please update and patch your software, and protect your credentials. Tune in next week to learn about multi-factor authentication (MFA) and identity threats, and why you need to do more than just enable MFA.

**Top security headlines of the week **

*   **OpenAI cuts safety tests in “reckless” AI push.** According to the article, testing has gone down from six months to just days. We all know that even with six months of testing any model, it’ll never be quite perfect. (MSN) Further compounding this: 
*   **AI-hallucinated code dependencies become new supply chain risk.** “Slopsquatting” (as a spin on typosquatting) has become a thing. Threat actors can check with one or more AI models what packages they hallucinate and upload their malicious ones to PyPI or npm. (BleepingComputer)
*   **Windows Recall seems to be back again.** More privacy-related news. If I recall (pun intended) correctly, in May last year Microsoft introduced Recall — a feature which constantly takes screenshots, indexes them, and makes them searchable for you. After huge backslashes in the community, and the creation of tools like TotalRecall, Microsoft paused the launch last June. (BleepingComputer)
*   **The 25-year-old CVE program seemed to be at risk.** MITRE warned on April 15 that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program expired on April 16. This was big. Just in Q1 about 11,781 vulnerabilities were added (with 415 rejected) to the Database. Stopping this would have caused a lot of trouble. (Krebs on Security) However, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it had exercised an option to extend MITRE’s contract—reportedly for another 11 months, according to multiple sources.

**Can’t get enough Talos? **

*   **Unmasking the new XorDDoS controller and infrastructure.** Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks. 
*   **Talos Takes: Year in Review Special (Pt. 2).** Azim Khodjibaev and Lexi DiScola join Hazel to discuss some of the most prolific ransomware groups (and why LockBit may end this year very differently to how they ended 2024).

**Upcoming events where you can find Talos **

*   RSA (April 28 – May 1) San Francisco, CA    
*   PIVOTcon (May 7 – 9) Malaga, Spain    
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA    
*   Cisco Connect UK & Ireland (May 20) London, UK  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f     
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507     
Typical Filename: VID001.exe     
Detection Name: Win.Worm.Bitmin-9847045-0 

**SHA256: 2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385**   
MD5: 01b521c78f5bbdaba0cc221bc893e2b8   
VirusTotal: https://www.virustotal.com/gui/file/2e964c017df8b7d56600a5d68018f9f810a1c7dd3da800b5b5dfe85e9ce6b385   
Typical Filename: toyboy.exe     
Detection Name: Gen:Variant.Tedy.758566 

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**   
MD5: 42c016ce22ab7360fb7bc7def3a17b04   
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277   
Typical Filename: Rainmeter-4.5.22.exe    
Detection Name: Artemis!Trojan 

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: IMG001.exe    
Detection Name: Win.Trojan.Miner-9835871-0

Care what you share

Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks.

Thursday, April 17, 2025 06:00

*   Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. 
*   A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. 
*   The language settings of the muti-layer controller, XorDDoS builder and controller binding tool strongly suggest that the operators are Chinese-speaking individuals. 
*   Talos discovered the latest version of the XorDDoS controller, called the “VIP version,” and its corresponding central controller were used to build the DDoS bot network for more sophisticated and widespread attacks. 
*   Talos' analysis exposes the network connection between central controller, sub-controller and XorDDoS malware in order to highlight the XorDDoS trojan network pattern. This may help victims identify when they are targeted by these trojans.

**Linux XorDDoS trojan trend and victimology  **

The XorDDoS trojan is a well-known DDoS malware that targets Linux machines, turning them into "zombie bots" that carry out attacks. First identified in 2014, its sub-controller was uncovered in 2015. Based on the simplified Chinese user interface and instructions of the XorDDoS controllers and builder, Talos assess with high confidence that the operators are Chinese-speaking individuals. 

From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence. This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots. It employs a strategy of Secure Shell (SSH) brute-force attacks to gain remote access to target devices. Once it obtains valid SSH credentials, the attacker leverages root privileges to execute a script that downloads and installs XorDDoS on the compromised device. 

Even though numerous security vendors have already provided solutions and detection methods to capture them, Talos continues to observe attempts to deliver XorDDoS malware.

__Figure 1. Cisco Secure Firewall’s monthly malware connection detection statistics.__

Between November 2023 and February 2025, Talos observed that the XorDDoS trojan continued to have a global impact, with nearly 50 percent of its successfully compromised victims located in the United States. Additionally, we noted that the compromised systems attempted to target and attack several countries, including Spain, the United States, Taiwan, Canada, Japan, Brazil, Paraguay, Argentina, the United Kingdom, the Netherlands, Italy, Ukraine, Germany, Thailand, China, India, Israel, Venezuela, Switzerland, Singapore, Finland, Australia, Saudi Arabia, France, Turkey, the United Arab Emirates and South Korea.

__Figure 2. Percentage of XorDDoS successfully-compromised machines across all regions.__

Talos also used our Cisco Secure Network/Cloud Analysis to observe actors using those compromised machines to launch DDoS attack and the attacks are globalized. Notably, we found that the United States accounted for over 70 percent of attempted attacks employing XorDDoS.

__Figure 3. Percentage of XorDDoS attempted targets across all regions.__

**Infection chain  **

XorDDoS has long relied on SSH brute-force attacks to spread. It deploys a malicious shell script that attempts numerous root credential combinations across thousands of servers until it successfully accesses a target Linux device. Once inside the machine, XorDDoS implements persistence mechanisms to ensure it launches automatically at system startup, therefore evading detection and termination by security products. To maintain persistence, the malware installs an init script and a cron job script. These scripts are embedded within the malware and perform actions consistent with those outlined in previous reports.

__Figure 4. Inint script and cron script embedded in trojan.__

The latest version of XorDDoS malware continues to use the same decryption function and the XOR key "BB2FA36AAA9541F0" to decrypt its embedded configuration. Once the URLs or IPs are decrypted, they are added to a remote list. This list is then used to establish communication and retrieve commands from the C2 server. Talos used CyberChef to successfully decrypt one of the examples.

__Figure 5. Talos CyberChef decryption.__

**XorDDoS new sub-controller and central controller **

Although the sub-controller for XorDDoS was exposed in 2015, attacks have persisted over the last decade. The panel from 2015 was for version 1.4, the oldest version, which we believe is no longer in use by threat actors. In 2024, Talos discovered a new “VIP” version of the XorDDoS sub-controller, which can control the "VIP version” of the XorDDoS trojan, the first instance of which we traced back to 2017. With the newest version of the XorDDoS sub-controller and trojan builder, Talos believes that this collection is a product suite developed for sale.

Figure 6 shows translated screenshots of the XorDDoS trojan sub-controller and builder. The builder also contains new feature descriptions, which strengthens Talos’ assessment that this is a product meant to be sold. The VIP version of the XorDDoS trojan builder includes new feature descriptions. When translated, the description in Figure 7 reads, "Stable Anti-Kick, 100% Packet Sending, Fixes for Over Ten Thousand Online Without Lag. Supports Domain Online, IP Online, with New Packet Sending Code and Wall-Penetration Optimization. Can Send 1024 Packets with Resource Utilization Optimization."

__Figure 6. VIP version sub-controller.__

__Figure 7. Feature description in the VIP version of the XorDDoS trojan builder.__

Talos observed a new version of the sub-controller, which we call the "central controller." Specifically created for the XorDDoS trojan, the central controller enables threat actors to manage multiple XorDDoS controllers simultaneously. This updated central controller enhances cybercriminals’ ability to coordinate and execute attacks more efficiently, indicating an evolution in their tactics and capabilities.

__Figure 8. Example view of central controller controlling each sub-controller__.

The central controller can generate a controller binder that will inject a DLL file to the XorDDoS controller to bind network connection and command operation to the sub-controller, allowing the central controller to fully remote control the sub-controllers.

__Figure 9. Generator Setting__

The controller binder will establish a connection with the central controller. When running the controller binder on the host, the actor can enter the controller's process name, allowing them to inject into the process and take control. This straightforward strategy allows the actor to send the DDoS commands to multiple controllers simultaneously. There are two notable facts Talos observed from this central controller. First, when the actor opens the central controller, there is a feature description in its mission list column that, when translated, includes the following:

*    "Check the SYN packet length to make it a large packet, otherwise it will be a small packet. 
*   A round-robin attack is a task performed by all online hosts.
*   Select the host and click the test mode, which means a single host sends a packet.
*   Multiple measurement modes cannot be selected, only one at a time!
*   The round-robin attack needs to be stopped manually.
*   Supports 1024 packages but requires a corresponding sub-controller.
*   The sub-controller of version 1.4 and 1.8 on the underground market cannot use the central controller to send 1024 packages."

Second, the controller's creator left their Tencent QQ instant message contact number and nickname on the central controller, while also mentioning other sub-controller versions available on the underground market. This further supports Talos’ assessment that these tools are for sale.

__Figure 10. Central controller and controller binder.__

**Advanced XorDDoS traffic analysis **

Talos’ detailed analysis of these new tools suggests cybercriminals’ continued investment in the development and deployment of the XorDDoS trojan, allowing for more sophisticated and widespread attacks. The entire control flow of these operations demonstrates the adaptability and resilience of these threat actors, emphasizing the ongoing challenge in combating this form of cybercrime. Talos completed a traffic analysis in our sandbox environment, first to analyze how the XorDDoS trojan is connected to the sub-controller, and then to understand how the central controller manages the sub-controller.

__Figure 11. XorDDoS control flow diagram.__

The connection between the sub-controller and DDoS trojan is the orange line in Figure 11. When the malware is successfully installed in the target system, it will attempt to send encrypted data, including "phone home," which consists of the CRC Header, uname string release, uname string machine, magic string and hardcoded version string. Talos used CyberChef to provide a decryptor function for this data.

__Figure 12. Example of decrypted phone home data.__

We noticed that the latest VIP version's "phone home" CRC header remains unchanged from what Unit 42 previously detailed in a blog post. Since the blog post has already covered the encryption of the XorDDoS trojan's phone home data, we will focus here on the behavior of the controller's responses and any modifications in the CRC header.

Once the XorDDoS trojan successfully establishes a connection, the CRC header changes to "5343f096000000000200000000000000000000000000000000000000", as shown in Figure 13. This functions similarly to basic client-server authentication for establishing a connection. When the controller issues a command to the XorDDoS trojan, it uses the same CRC header to attach the encrypted command, sending it to the trojan. This process, illustrated in Figure 14, helps the XorDDoS trojan verify that the commands are authorized and safe to execute.

__Figure 13. The CRC header changes after successfully establishing a connection.__

__Figure 14. Network flow of sub-controller sending the command to XorDDoS trojan.__

Next, Talos explored the connection between the central controller and the sub-controller, represented by the purple line in Figure 11. The central controller can create a controller binder to inject the sub-controller, thereby gaining full access to it. Once the controller binder successfully takes control of the sub-controller, it sends the sub-controller's machine information back to the central controller as a "phone home" beacon. This phone home data uses plaintext to send information, which includes the message number, packet size, IP address, hostname and connection port.

__Figure 15. Network flow of the phone home connection.__

Talos used the central controller to establish a connection with the sub-controller to monitor network traffic. During this process, we observed that the MSG number in the packets increases with each command sent to either the client controller or back to the central controller. As shown in Figure 16, Talos used the central controller to issue commands to start a SYN DDoS attack, stop the attack, and target specific IPs or domains. For every command sent, the MSG number increments. Similarly, each received packet also sees an increase in its MSG number. However, it's important to note that the MSG numbers for sent packets and received packets are not directly related to each other.

__Figure 16. Network flow of central controller sending the command to sub-controller.__

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64669, 64668 and 64667.

ClamAV detections are also available for this threat: Unix.Dropper.Xorddos::in07.talos

**Indicators of Compromise**

IOCs for this threat can be found in our GitHub repository here.

Unmasking the new XorDDoS controller and infrastructure

4chan is down amid claims from a rival Soyjak forum user who says they’ve breached the site and…

4chan is down amid claims from a rival Soyjak forum user who says they’ve breached the site and leaked its source code. Investigation is ongoing.

The infamous imageboard **4chan** is facing a major security incident. Users and researchers have flagged a possible breach resulting in the leak of 4chan’s custom source code, widely known as Yotsuba. What makes the incident ironic is the claim that the attacker is affiliated with Soyjak.st, a lesser-known but competing imageboard community.

****Unusual Downtime****

As of this writing, 4chan was offline or loading inconsistently, with broken images and non-functional links across multiple boards. The outage began in the early hours of April 15th, and speculation quickly spread across social media and rival platforms.

The screenshot shows the current status of 4chan (Image credit: Hackread.com)

Some users initially blamed server issues or a possible **DDoS attack**. However, what followed was far more serious: a user on Soyjak.st claimed responsibility for accessing admin credentials and leaking 4chan’s internal codebase.

Shortly after the claim surfaced, links to what appear to be portions of the Yotsuba source code began circulating across multiple platforms, including Telegram, GitHub Gists and private paste sites.

While the full extent of the leak is still being verified, early samples appear to be consistent with 4chan’s long-running backend structure. The leaked files also include core PHP scripts, administrative tools, and configuration files, some containing outdated coding practices that raise security concerns.

Although 4chan does not rely on user accounts or store typical sensitive information like emails or passwords, a codebase leak can still be serious. With access to internal logic, attackers could exploit undocumented behaviour and server-level compromises. It may also provide insights into moderation workflows or board-level permissions that were never intended to be public.

****The Soyjak.st Connection****

Soyjak.st, though much smaller than 4chan, has managed to grow its own dedicated niche in the imageboard world. With a focus on parody, satire, and meme content, the community has a complicated and often hostile relationship with 4chan.

Whether the claimed attacker is truly affiliated with Soyjak.st or is simply using its name remains to be seen. No formal attribution has been made. Nevertheless, if verified, the breach may be the first major incident where one imageboard’s userbase actively compromises the infrastructure of another.

****No Official Word from 4chan****

At the time of publication, 4chan has not released a public statement addressing the outage or confirming the breach. The site’s front page remains reachable worldwide, but many boards continue to load inconsistently or not at all.

In the meantime, if you are a 4chan user, it’s a good idea to be cautious with any links or files claiming to be from 4chan. There’s always a risk of fakes or **phishing attempts** popping up after something like this

4chan Breached? Hacker from Rival Soyjak Forum Claims Source Code Leak

Though the exact details of the situation have not been confirmed, community infighting seems to have spilled out in a breach of the notorious image board.

The anonymous image board 4chan has survived years of controversy. It weathered user and advertiser boycotts as well as damning accusations that it incubated hate speech that may have fueled mass shootings. Users have convened on 4chan to plan hacks like DDoS attacks, and conspiracy theories that festered on 4chan even reportedly inspired the January 6 insurrection at the United States Capitol. On Monday night and Tuesday, though, the platform faced its latest test after a series of outages led to speculation that the site had been hacked.

The core feature 4chan provides is public anonymity to post text and images, but the platform itself does collect information about users, such as their IP addresses. As a result, a breach of the website could represent a significant exposure of data that was intended to be private.

“4chan is an anonymous message board that enables often offensive and hateful content. The content leaked, if genuine, would remove some of the anonymity from 4chan administrators, moderators, and janitors,” says Ian Gray, director of analysis and research at the security firm Flashpoint. The image board’s billing as an “anonymous” platform may have given users a “false sense of security,” Gray says. “Some users may have registered their email addresses years ago when they were less aware or concerned about their operational security.”

Reports about the apparent hack began circulating after a previously banned board on 4chan briefly appeared online and the site was defaced with a message saying, “U GOT HACKED XD.” Subsequently, an online account on a rival forum known as Soyjak.party posted screenshots allegedly showing 4chan’s backend systems, plus a list of alleged 4chan administrator and moderator usernames, with associated email addresses. Following this post of 4chan administrator email addresses, Soyjak.party users started posting alleged doxes, including photos and personal information, of the accounts included in the leak.

WIRED has not been able to confirm whether the data is legitimate. A press email address associated with 4chan as well as two alleged administrator emails from the leaked data did not immediately respond to WIRED’s requests for comment on the hack and its validity. One of the site’s moderators said they believed the hack and leaks were real, according to a report by TechCrunch.

Rumors also started circulating on Tuesday that the breach is the result of 4chan running legacy, unpatched software that exposed the platform to attack. After a breach a decade ago, 4chan founder Christopher Poole, known online as “moot,” wrote in a blog post, “\[We\] have spent—and will continue to spend—dozens of hours poring over our software and systems to help mitigate and prevent future intrusions. We’re sorry it happened, and will do our best to ensure it doesn’t happen again.”

Emiliano De Cristofaro, a computer science and engineering professor at UC Riverside, who has researched the impact of 4chan on the web, says the ramifications could be large if the hack is confirmed.

“It seems true that 4chan hasn't been properly maintained and patched for years, which might indicate that a hack would have definitely been a possibility,” De Cristofaro says. “There might be some ‘high profile’ users exposed as moderators—traditionally, 4chan users hate them, so they might be targeted. It might be hard or at least painfully slow and costly for 4chan to recover from this, so we might really see the end of 4chan as we know it.”

Initial reports posted on Soyjak.party referencing a 4chan hack appeared to say that Soyjak.party members may have been involved in the attack. One post claimed that a hacker had been in 4chan’s systems “for over a year” and exposed personal information allegedly linked to 4chan users and administrators. And multiple screenshots posted on Soyjak.party appear to show someone accessing 4chan’s internal systems. These include images of someone with administrator access to a 4chan backend database, stats about users on various sections of 4chan, a page showing deleted posts and the IP addresses they were made from, as well as other internal documentation. Some reports also claim that hackers stole 4chan’s source code.

In recent years, 4chan has increasingly been on the radar of US government officials. The website has reportedly been kept online due in part to investment by a Japanese company. In June 2023, WIRED reported on internal 4chan documents that showed how the site’s policies shaped the highly toxic nature of the platform—including how moderators explicitly allow racism. In most cases, the documents showed, calls for violence on 4chan are not met with user bans.

“If the data is legitimate, information on members and posting could be useful for law enforcement investigations,” Flashpoint’s Gray says. “4chan has been around since at least 2003, which is extremely notable for any online service. Aside from the offensive and often extremist content, a lot of internet culture has originated from 4chan. If this is a death knell for 4chan, other services will likely fill its place. However, the effect of 4chan on the internet cannot be overstated.”

Suspected 4chan Hack Could Expose Longtime, Anonymous Admins

Luxembourg, Luxembourg, 9th April 2025, CyberNewsWire

**Luxembourg, Luxembourg, April 9th, 2025, CyberNewsWire**

Gcore, the global edge AI, cloud, network, and security solutions provider, has launched Super Transit, a cutting-edge DDoS protection and acceleration feature, designed to safeguard enterprise infrastructure while delivering lightning-fast connectivity. 

This comes as organizations face a 56% year-on-year increase in high-volume, complex DDoS attacks that disrupt operations, increase latency, and compromise network security. Traditional solutions often require expensive, complex integrations, but Super Transit is delivered as part of the Gcore DDoS Protection Suite. Using the Gcore global network of 180+ points of presence (PoP), traffic is automatically routed through the Gcore Anycast backbone, and any malicious traffic is intelligently split from legitimate traffic in real-time. This proactive detection, filtering, and mitigation of DDoS attacks means an uninterrupted user experience, so even during an attack, users remain unaffected and continue to experience stable, secure, high-speed connectivity. 

Gcore Super Transit, which is available to all customers now, optimizes performance and security through the following key differentiators: 

**1\. Real-time DDoS threat mitigation:** Detects and blocks malicious traffic in real-time at the nearest Gcore PoP, before it can reach user networks – minimizing impact on performance. 

**2\. Global-scale protection:** Comprehensive defense against DDoS attacks of any size, backed by a total filtering network capacity exceeding 200 Tbps. 

**3\. Consistent performance:** Traffic is filtered at the edge with legitimate traffic routed via the optimal path within Gcore’s high-performance backbone, eliminating unnecessary rerouting to external scrubbing centers and reducing latency. 

**4\. Cost-effective protection:** Optimizes security spending with flexible, integrated deployment options that balance performance and affordability. 

> Andrey Slastenov, Head of Security at Gcore, commented: “This is a hugely important launch for many reasons. Primarily, Super Transit allows for fast, worldwide access to our DDoS protection services, with real-time intelligent data analysis and filtering ensuring legitimate data is routed to servers efficiently. These are crucial capabilities as advanced DDoS protection for real-time services mitigates latency and outages that significantly impact user experience and enterprises’ business success.” 

**About Gcore** 

Gcore is a global edge AI, cloud, network, and security solutions provider. Headquartered in Luxembourg, with a team of 600 operating from ten offices worldwide, Gcore provides solutions to global leaders in numerous industries. Gcore manages its global IT infrastructure across six continents, with one of the best network performances in Europe, Africa, and LATAM due to the average response time of 30 ms worldwide. Gcore’s network consists of 180 points of presence worldwide in reliable Tier IV and Tier III data centers, with a total network capacity exceeding 200 Tbps.

Users can learn more at gcore.com or follow them on LinkedIn, Twitter, and Facebook.

**Contact**

**Gcore PR team**  
**gcore.com**  
**\[email protected\]**

Gcore Super Transit Brings Advanced DDoS Protection and Acceleration for Superior Enterprise Security and Speed

Online gaming has become an integral part of modern entertainment, with millions of players connecting from all over…

Online gaming has become an integral part of modern entertainment, with millions of players connecting from all over the world to immerse themselves in **virtual worlds**, participate in competitive matches, or simply relax with friends.

However, while gaming offers exciting experiences, it also exposes players to a range of cybersecurity threats and privacy risks. The risks are real, from data breaches and identity theft to malware infections and in-game scams.

This article will explore the common cybersecurity risks in online gaming and provide practical strategies to avoid them.

****Why Online Gaming Is a Target for Cybercriminals****

The online gaming industry has grown exponentially in recent years, with global revenues expected to reach $200 billion by 2025. This massive audience makes it an attractive target for cybercriminals.

Hackers and scammers exploit **vulnerabilities in gaming platforms**, user accounts, and in-game assets to make illicit gains. Gamers often store sensitive information, such as credit card details, addresses, and personal identifiers, which can be used for malicious purposes if compromised.

Furthermore, the popularity of multiplayer games and the constant online interaction provide ample opportunities for social engineering attacks and the spread of malware.

****Common Cybersecurity Risks in Online Gaming********Phishing Scams****

Phishing is one of the most common types of attacks targeting online gamers. Cybercriminals often impersonate game developers, customer support teams, or even fellow players to trick individuals into revealing sensitive information, such as login credentials or financial details.

****How to Avoid Phishing Scams:****

*   **Be cautious with emails and messages**: Always verify the sender’s email address or message source before clicking on any links or attachments. Legitimate gaming companies rarely ask for sensitive information via email.

*   **Check website URLs**: Before logging into any gaming platform, ensure that the website’s URL is correct and starts with “https://” to confirm it’s secure.

*   **Enable two-factor authentication (2FA)**: Most major gaming platforms offer 2FA, which provides an extra layer of security by requiring a second form of verification (such as a code sent to your phone) when logging in.

****Account Hacking and Credential Stuffing****

Many gamers use the same login credentials across multiple sites, making them easy targets for hackers who can obtain this information in a breach.

Credential stuffing attacks occur when hackers use previously leaked usernames and passwords from one breach to access accounts on other platforms.

****How to Avoid Account Hacking:****

*   **Use unique passwords**: Create strong, unique passwords for each gaming account to make it harder for hackers to gain access.

*   **Utilize password managers**: Password managers can generate and store complex passwords for all your accounts, reducing the risk of password reuse.

*   **Enable two-factor authentication (2FA)**: As mentioned earlier, 2FA is essential for protecting your accounts from unauthorized access.

****Malware and Ransomware****

Malware can be introduced into gaming systems in several ways, such as through malicious links, downloads, or third-party applications. Cybercriminals can **disguise malware as a legitimate game** or cheat tool to gain control of a gamer’s device, steal information, or lock it until a ransom is paid.

****How to Avoid Malware:****

*   **Download games from trusted sources**: Always download games and updates from official sources like the game developer’s website or recognized gaming platforms (e.g., Steam, PlayStation Store, Xbox Live).

*   **Use antivirus software**: Install reliable antivirus software that can detect and block harmful files and applications before they infect your system.

*   **Avoid third-party tools**: Be cautious when using third-party mods, cheat tools, or unofficial game servers, as they can often contain malware.

****In-Game Scams and Fraud****

Online gaming environments are ripe for scams, especially in multiplayer games with virtual economies. Scammers often target players by promising rare **in-game items**, currency, or cheats in exchange for real money, but once the transaction is made, the scammer disappears.

****How to Avoid In-Game Scams:****

*   **Stick to official transaction platforms**: Only buy in-game items or currency through trusted, official sources such as the game’s marketplace.

*   **Beware of “too good to be true” offers**: If someone promises rare items for an unreasonably low price, it’s likely a scam.

*   **Report suspicious behavior**: Many games have built-in reporting systems for fraudulent players. Always report suspicious activity to the developers or moderators.

****Social Engineering and Doxxing****

Social engineering attacks exploit a player’s trust, often through manipulation and deceit, to gain access to private information.

One of the more alarming risks is doxxing, where cybercriminals gather personal details about a gamer (such as real names, addresses, and phone numbers) and publish them online with malicious intent.

****How to Avoid Social Engineering and Doxxing:****

*   **Limit personal information sharing**: Avoid sharing personal details (like full name, address, or phone number) in online gaming communities, forums, or chat rooms.

*   **Review privacy settings**: Adjust privacy settings on gaming platforms and social media accounts to restrict who can access your information.

*   **Be cautious of friend requests**: Only accept friend requests or direct messages from people you know or trust in the game.

****DDoS Attacks****

Distributed Denial-of-Service (**DDoS**) attacks involve overwhelming a gaming server or player’s network with massive amounts of traffic, causing disruptions, lag, or crashes.

These attacks can also be used as a form of extortion, with hackers threatening to shut down a server unless a ransom is paid.

****How to Avoid DDoS Attacks:****

*   **Use VPN services**: A VPN can help mask your IP address and prevent attackers from targeting your network.

*   **Play on secure servers**: Opt for gaming platforms and servers that implement strong anti-DDoS measures.

*   **Monitor traffic patterns**: If you manage a gaming server, regularly monitor traffic and set up intrusion detection systems (IDS) to detect unusual activities.  
    

****How to Protect Yourself and Your Data in Online Gaming****

To safeguard your data and protect your gaming experience, here are some additional proactive measures you can take:

****Stay Updated****

Game developers frequently release patches and security updates to address vulnerabilities. Always keep your game software, gaming platforms, and operating systems up to date.

****Use a VPN for Gaming****

A **VPN for gaming** can significantly enhance your online security by masking your IP address and encrypting your internet connection. This helps prevent DDoS attacks and protects your personal information from being exposed to malicious players.

Additionally, a VPN allows you to bypass geo-restrictions, ensuring that you can access games and content from around the world securely.

****Use Secure Payment Methods****

When making in-game purchases, consider using secure payment methods like credit cards, PayPal, or trusted digital wallets instead of debit cards or direct bank transfers. These methods often provide better fraud protection.

****Educate Yourself on Cyber Hygiene****

Good cyber hygiene habits go a long way in securing your online presence. Regularly change passwords, check for unusual account activity, and avoid reusing passwords across different platforms.

****Practice Good Online Behavior****

Always exercise caution when interacting with other players online. Avoid clicking on suspicious links, be careful when downloading files, and never share personal information during gameplay.

****Protecting Yourself****

The thrill of online gaming should not come at the expense of your privacy and security. Cybersecurity risks, such as phishing, malware, account hacking, and in-game scams, are prevalent in the gaming world.

However, you can reduce your exposure to these threats by following best practices like enabling two-factor authentication, using strong passwords, avoiding suspicious links, and exercising caution when interacting with others.

Top/Featured Image by Tyler Lagalo on Unsplash!

Tag

#ddos