Executive Summary Between February and September 2025, NETSCOUT's ATLAS telemetry confirmed 249 distributed denial-of-service (DDoS) attacks attributed to the threat actor Keymous+ targeting organizations across 15 countries and 21 industry sectors. Although the group's individual attacks peaked at 11.8Gbps...
The phrase Bulletproof hosting suggests technical sophistication, infrastructure resiliency, and a platform with elaborate redundancy. However, for the internet security community its connotation is rarely flattering. BPH typically refers to a service provider that is unresponsive to complaints and ignores requests to curb certain types of activity that may be harmful if not illegal.
Key Takeaways: - A new UDP reflection/amplification DDoS vector is observed in the wild. - The surprising nature of the abusable reflectors/amplifiers. - Recommended DDoS Defense and Best Current Practices (BCPs) for ARMS.
Internet of Things (IoT) botnets commonly propagate by exploiting vulnerabilities in IoT devices. Telemetry from our IoT honeypots shows the number of exploit attempts originating from bots continues to increase.
Attackers have recently begun launching reflection/amplification DDoS attacks using CoAP, a protocol primarily used today by mobile phones in China, but expected to grow with the explosion of Internet of Things (IoT) devices.
In May of last year, ASERT Researchers reported on LoJax, a double-agent leveraging legitimate software to phone home to malicious command and control (C2) servers. Since the publication of our research, we've monitored a number of new malware samples.
Internet of Things (IoT) botnet authors are adapting to a shift toward more secure IoT devices, which has diverted attackers' focus to exploiting vulnerabilities in IoT devices, either to supplement brute-forcing factory default passwords or to supplant it completely.
ASERT has learned of an APT campaign, possibly originating from DPRK, that we are calling STOLEN PENCIL and that has been targeting academic institutions since at least May 2018.
Executive Summary Cobalt Group (aka TEMP.Metastrike), active since at least late 2016, has been suspected in attacks across dozens of countries. The group primarily targets financial organizations, often with the use of ATM malware. Researchers also believe they are responsible for a series of attacks on the SWIFT...
Arbor ASERT has uncovered a new class of SSDP abuse where naïve devices will respond to SSDP reflection/amplification attacks with a non-standard port. The resulting flood of UDP packets has ephemeral source and destination ports, making mitigation more difficult - an SSDP diffraction attack. This behavior appears to...
Key Findings ASERT researchers discovered Kardon Loader being advertised on underground forums. Kardon Loader features functionality allowing customers to open their own botshop, which grants the purchaser the ability to rebuild the bot and sell access to others. Kardon Loader is in early stages of development, public...
Executive Summary Mirai, seen as revolutionary for malware that targets the Internet of Things (IoT), has wrought destruction around the globe and popularized IoT based malware. Mirai was utilized by attackers to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services in...
Written by Roland Dobbins, ASERT Principal Engineer and Matt Bing, ASERT Security Analyst. In this article: SSDP Diffraction Attacks aren't new; they've been observed in the wild since 2015. "Evasive Amplification" attacks, aren't. UPnP NAT Bypass is real. SSDP Diffraction Attacks - Targeting ISP and Enterprise...
Executive Summary ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity. Fancy Bear actors typically...
Overview ASERT recently identified a campaign targeting commercial manufacturing in the US and potentially Europe in late 2017. The threat actors used phishing and downloader(s) to install a Remote Access Trojan (RAT) ASERT calls InnaputRAT on the target's machine. The RAT contained a series of commands that includes...
Key Findings A threat actor using the well-known banking malware Panda Banker (a.k.a. Zeus Panda, PandaBot) has started targeting financial institutions in Japan. Based on our data and analysis, this is the first time that we have seen Panda Banker injects targeting Japanese organizations. It is likely a new campaign or...