Malware Activity
Organized Ransomware and Massive DDoS Attacks
Cybersecurity experts have been closely studying new and evolving threats in the digital world. One such threat is DragonForce, a highly organized ransomware group that started in 2023 and has now grown into a "ransomware cartel." They use advanced techniques to bypass security systems, fix encryption weaknesses, and attack organizations globally, often collaborating with another cybercriminal group called Scattered Spider. This partnership allows them to carry out large-scale attacks more effectively, making them a serious danger to businesses everywhere. Meanwhile, another major threat comes from the Aisuru botnet, which has launched 1,304 large-volume Distributed Denial of Service (DDoS) attacks, some reaching nearly 30 terabits per second, enough to overload entire networks. These attacks are powered by millions of infected devices such as routers and smart gadgets, which cybercriminals hijack through security flaws or weak passwords. Such assaults disrupt essential services, especially in industries like gaming, telecoms, and finance, forcing organizations to spend heavily on recovery. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Deep Dive Into DragonForce Ransomware And Its Scattered Spider Connection
- BleepingComputer: Aisuru Botnet Behind New Record-Breaking 29.7 Tbps DDoS Attack
- TheHackerNews: Record 29.7 Tbps DDoS Attack Linked To AISURU Botnet With Up To 4 Million Infected Hosts
Threat Actor Activity
ShadyPanda's Long-Running Campaign Infects Millions via Browser Extensions
Over a seven-year campaign, the ShadyPanda group has infected 4.3 million users of Chrome and Edge browsers by exploiting trusted browser marketplaces. They initially operated legitimately, building user bases before deploying malicious updates. Koi Security's report identified a remote code execution backdoor affecting 300,000 users across five (5) extensions, including Clean Master. These extensions functioned normally until mid-2024, when updates began downloading arbitrary JavaScript hourly, logging website visits, and exfiltrating browsing histories. Simultaneously, a spyware operation impacted over 4 million users through five (5) Microsoft Edge extensions, particularly WeTab, which alone accounted for 3 million installs. These extensions collected browsing data and routed it to servers in China. Microsoft removed the malicious extensions following Koi Security's findings. ShadyPanda's tactics date back to 2023, when the group began launching 145 extensions posing as wallpaper or productivity tools, injecting affiliate codes, and using Google Analytics for user profiling. Their success was attributed to limited post-approval monitoring, high trust in popular extensions, and long-term legitimacy. As ShadyPanda evolved, they manipulated browsers more aggressively, with extensions like Infinity V+ redirecting searches and harvesting cookies. CTIX analysts recommend that individuals audit and remove unnecessary extensions, preferring those with transparent update histories, to defend against similar threats.
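The audit CTIX analysts recommend can be started from the browser's own profile data. The script below is an added example written for this briefing, not code from Koi Security or the extensions named above. It reads the `extensions.settings` map from a Chromium-family (Chrome/Edge) `Preferences` or `Secure Preferences` file (the layout of that file, and the `from_webstore` flag, are assumptions about the profile format) and ranks extensions that combine access to every site with permissions that let them watch browsing activity, or that update from a non-store server. The sample settings embedded at the bottom are constructed for the demonstration.

```python
"""Audit browser extensions from a Chromium-family profile (Chrome/Edge).

Defensive heuristics: flag extensions that combine broad host access with
permissions that let them read browsing activity, and extensions that update
from outside the store. Sample data below is constructed, not real.
"""
import json
from pathlib import Path

# Permissions that let an extension observe or alter browsing activity.
SENSITIVE_PERMISSIONS = {
    "tabs", "history", "cookies", "webRequest", "webRequestBlocking",
    "scripting", "declarativeNetRequest", "webNavigation", "management",
}
# Host patterns that grant access to every site.
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Store update endpoints; anything else is worth a look (assumption: these two).
STORE_UPDATE_PREFIXES = ("https://clients2.google.com/", "https://edge.microsoft.com/")


def _hosts(manifest):
    """Collect host patterns from MV2 permissions, MV3 host_permissions and content scripts."""
    hosts = set()
    for key in ("permissions", "host_permissions"):
        hosts.update(p for p in manifest.get(key, []) if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def audit_extensions(settings):
    """Return findings, highest risk first.

    `settings` is the dict under extensions.settings in a Chromium Preferences /
    Secure Preferences file (assumed layout), keyed by extension id, each entry
    carrying a copy of the extension's 'manifest'.
    """
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest") or {}
        if not manifest:
            continue  # component or unpacked entries without a manifest copy
        perms = set(manifest.get("permissions", []))
        hosts = _hosts(manifest)
        reasons = []
        if hosts & ALL_HOSTS:
            reasons.append("access to all sites")
        sens = sorted(perms & SENSITIVE_PERMISSIONS)
        if sens:
            reasons.append("sensitive permissions: " + ", ".join(sens))
        if entry.get("from_webstore") is False:
            reasons.append("not installed from the store")
        update_url = manifest.get("update_url", "")
        if update_url and not update_url.startswith(STORE_UPDATE_PREFIXES):
            reasons.append("third-party update_url: " + update_url)
        # All-sites access plus activity-reading permissions is the spyware shape; weight it extra.
        score = len(reasons) + (1 if hosts & ALL_HOSTS and sens else 0)
        findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                         "version": manifest.get("version", "?"),
                         "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def load_profile_extensions(profile_dir):
    """Merge extensions.settings from Preferences and Secure Preferences in a profile directory."""
    merged = {}
    for name in ("Preferences", "Secure Preferences"):
        path = Path(profile_dir) / name
        if path.exists():
            data = json.loads(path.read_text(encoding="utf-8"))
            merged.update(data.get("extensions", {}).get("settings", {}))
    return merged


# Constructed sample in the shape of extensions.settings: one plain wallpaper
# extension and one that reads every page, tracks tabs and history, and pulls
# updates from a third-party server.
SAMPLE_SETTINGS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True,
        "manifest": {"name": "Plain Wallpaper", "version": "1.0.3",
                     "permissions": ["storage"],
                     "update_url": "https://clients2.google.com/service/update2/crx"},
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": True,
        "manifest": {"name": "Wallpaper Plus", "version": "4.2.0",
                     "permissions": ["tabs", "history", "storage"],
                     "host_permissions": ["<all_urls>"],
                     "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}],
                     "update_url": "https://updates.example.invalid/crx"},
    },
}

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_SETTINGS):
        print(f"[{f['score']}] {f['name']} {f['version']} ({f['id']})")
        for r in f["reasons"]:
            print("    -", r)
```

To run it against a real profile, call `audit_extensions(load_profile_extensions(path))` with the browser closed; the score only orders the review, and an extension that reads every site should be justified by what it claims to do, not by its install count.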
Vulnerabilities
Active Mass Exploitation of Critical WordPress Plugin Privilege Escalation and RCE Flaws
Two (2) actively exploited critical vulnerabilities in widely used WordPress plugins are enabling attackers to take over full administrative control of vulnerable websites and, in some cases, execute arbitrary code. The most heavily abused flaw, tracked as CVE-2025-8489 (CVSS 9.8/10), affects King Addons for Elementor, a third-party extension for WordPress, and allows unauthenticated attackers to escalate privileges by assigning themselves the administrator role during user registration via maliciously crafted admin-ajax.php requests. The vulnerability impacts versions 24.12.92 through 51.1.14 and was patched in version 51.1.35 on September 25, 2025, yet exploitation began almost immediately after public disclosure on October 31 and surged into mass attacks by November 9. According to Wordfence of Defiant, more than 48,400 exploitation attempts have been blocked, with activity concentrated among a small set of highly aggressive IPs. Successful exploitation allows attackers to create rogue admin accounts, upload malicious code, redirect visitors, inject spam, or deploy persistent malware. Compounding the risk, Wordfence has also warned of CVE-2025-13486, a separate critical unauthenticated remote code execution (RCE) flaw in Advanced Custom Fields: Extended, which affects over 100,000 sites and can be used to deploy backdoors or create administrator accounts. CTIX analysts strongly advise website owners to immediately update affected plugins, audit environments for unauthorized admin users, review logs for exploitation attempts, and closely monitor for anomalous activity as public disclosure continues to drive attacker interest.
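Two of the recommended checks, reviewing logs for exploitation attempts and auditing for unauthorized admin users, can be scripted. The code below is an added example for this briefing, not Wordfence's detection logic or anything from the affected plugins, and it deliberately keys on the generic shape of the activity described above rather than on any exploit payload: a small set of IPs issuing many unauthenticated POSTs to `admin-ajax.php`, and administrator accounts that appeared after the disclosure date. The access-log lines and user rows are constructed samples; the user rows follow the field names of `wp user list --role=administrator --format=json` (an assumption about that output).

```python
"""Triage helpers for the WordPress plugin exploitation described above.

(1) admin_ajax_hotspots: IPs hammering admin-ajax.php in a combined-format
    access log (Apache/Nginx).
(2) suspicious_admins: administrator accounts registered on or after a cutoff.
All sample data here is constructed; none of it comes from a real site.
"""
import re
from collections import Counter
from datetime import datetime

# Apache/Nginx combined log format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def admin_ajax_hotspots(lines, threshold=5):
    """Return {ip: count} for IPs with more than `threshold` POSTs to admin-ajax.php.

    Mass exploitation shows up as a few IPs issuing many such requests in a
    short window; a legitimate visitor rarely does. Query strings are ignored
    so the match is on the endpoint, not on any particular action parameter.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?")[0].endswith("/wp-admin/admin-ajax.php"):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}


def suspicious_admins(users, cutoff):
    """Return logins of administrator accounts registered on or after `cutoff` (YYYY-MM-DD).

    `users` has the shape of `wp user list --role=administrator --format=json`
    (fields ID, user_login, user_registered; assumed field names).
    """
    cut = datetime.strptime(cutoff, "%Y-%m-%d")
    return [u["user_login"] for u in users
            if datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S") >= cut]


# Constructed access log: a normal page view, two admin-ajax POSTs from one
# visitor, and a burst of eight from a single source in under ten seconds.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Nov/2025:14:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5123',
    '198.51.100.7 - - [09/Nov/2025:14:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43',
    '198.51.100.7 - - [09/Nov/2025:14:00:15 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43',
] + [
    f'203.0.113.5 - - [09/Nov/2025:14:02:{s:02d} +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12'
    for s in range(8)
]

# Constructed administrator list: the long-standing owner and one account
# that appeared during the attack window.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2022-03-14 09:12:00"},
    {"ID": 57, "user_login": "zxq_admin", "user_registered": "2025-11-09 14:02:08"},
]

if __name__ == "__main__":
    print("admin-ajax hotspots:", admin_ajax_hotspots(SAMPLE_LOG))
    print("admins registered since disclosure:", suspicious_admins(SAMPLE_USERS, "2025-10-31"))
```

In practice, feed `admin_ajax_hotspots` the real access log and compare the flagged IPs' request times with the `user_registered` timestamps of any accounts `suspicious_admins` returns; an admin created seconds after a burst from one IP is the pattern to escalate, after which the plugin update and a full review of uploaded files are the remediation.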

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
