The FBI is warning that the North Korean threat group Kimsuky is targeting organizations with spearphishing campaigns using malicious QR codes, a tactic known as “Quishing.” The Quishing campaigns appear to be primarily directed at organizations in the U.S. and elsewhere that are involved in foreign policy linked to North Korea, or as the FBI advisory put it, “NGOs, think tanks, academia, and other foreign policy experts with a nexus to North Korea.”

Since last year, Kimsuky threat actors have targeted “think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spearphishing campaigns,” the FBI said.

FBI Details Kimsuky QR Spearphishing Incidents

The FBI cited four incidents in May and June 2025 where Kimsuky actors used malicious QR codes in targeted spearphishing campaigns.

In one May 2025 incident, Kimsuky threat actors impersonated “a foreign advisor” in an email “requesting insight from a think tank leader regarding recent developments on the Korean Peninsula.” The email contained a malicious QR code for the recipient to scan to access a questionnaire.

Later that month, Kimsuky actors spoofed an embassy employee in an email seeking input “from a senior fellow at a think tank regarding North Korean human rights issues.” That email contained a QR code that claimed to offer access to a secure drive.

Also that month, the North Korean threat actors impersonated a think tank employee in an email with a QR code “that, when scanned, would take the targeted individual to Kimsuky infrastructure designed to conduct malicious activity.”

In June 2025, Kimsuky threat actors “sent a strategic advisory firm a spearphishing email inviting recipients to a non-existent conference.” The email included a QR code that took recipients to a registration landing page with a registration button. That button “took visitors to a fake Google account login page, where users could input their login credentials for harvesting.”

It’s not the first time the FBI and other agencies have warned of Kimsuky and other North Korean threat actors targeting organizations involved in foreign policy; a similar warning was issued in 2023 about a spearphishing campaign that targeted think tanks, academic institutions and news organizations.

FBI Defines Quishing Tactics and Procedures

The FBI said Quishing attacks use QR codes “to force victims to pivot from their corporate endpoint to a mobile device, bypassing traditional email security controls.” QR images are typically sent as email attachments or embedded graphics to evade URL inspection and sandboxing, the agency said.

The attacks typically redirect victims through pages that collect “device and identity attributes such as user-agent, OS, IP address, locale, and screen size in order to selectively present mobile-optimized credential harvesting pages impersonating Microsoft 365, Okta, or VPN portals.”

Quishing attacks “frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical ‘MFA failed’ alerts,” the FBI said. The compromised mailbox can then be used for additional spearphishing attacks.

Protecting Against QR and Quishing Attacks

The FBI recommends “a multi-layered security strategy to address the unique risks posed by QR code-based spearphishing.” The agency’s recommendations include:

- Employees should be educated on the risks of scanning unsolicited QR codes regardless of where they came from, and organizations should implement training programs to help users recognize social engineering tactics involving QR codes, “including urgent calls to action and impersonation of trusted entities.” Organizations should also have clear processes for reporting suspicious QR codes and other phishing attempts.
- QR code sources should first be verified by contacting the sender directly, “especially before entering login credentials or downloading files.”
- Organizations should deploy mobile device management (MDM) or endpoint security solutions that can analyze QR-linked URLs before permitting access to web resources.
- Phishing-resistant MFA should be required for all remote access and sensitive systems, and a strong password policy should be implemented.
- All credential entry and network activity following QR code scans should be logged and monitored for possible compromise.
- Access privileges should be reviewed according to zero trust principles, and regular audits should be conducted for unused or excessive account permissions.

The FBI encouraged organizations to establish a liaison relationship with the FBI Field Office in their region and to report malicious activity at fbi.gov/contact-us/field-offices.
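The advisory's last recommendation is to monitor credential entry and activity after a QR scan, and its description of the attack chain explains why: a replayed session token succeeds without any MFA step, so there is no “MFA failed” event to alert on. The following is an added example, not code from the FBI or from this article, that runs a token-binding check over a constructed identity-provider audit log (the log format, usernames, token ids, and addresses are all invented here): each token is bound to the IP and user-agent seen when it was issued, and any later request presenting that token from a different fingerprint, in particular a token minted on a phone and reused from a desktop browser, is reported as probable replay.

```python
"""Flag session-token replay following a quishing compromise.

Added example, not from the FBI advisory. It assumes a constructed
identity-provider audit log where each line has the form
    <ts> <event> user=<u> token=<id> ip=<ip> ua="<user-agent>"
and event is either token_issued or request.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>token_issued|request) user=(?P<user>\S+) '
    r'token=(?P<token>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)

# Crude user-agent classification; good enough to notice the phone-to-desktop pivot.
MOBILE_MARKERS = ("iPhone", "Android", "Mobile")

# Constructed sample log (all values invented). sfellow scans a QR code on a
# phone and authenticates, so the token is issued to an iPhone user-agent;
# minutes later the same token is presented from another IP with a desktop
# user-agent. analyst is a benign desktop session. The last line is deliberate
# garbage to show that malformed input is skipped rather than fatal.
SAMPLE_LOG = """\
2025-06-02T09:14:03Z token_issued user=sfellow token=tk_7f3a ip=198.51.100.23 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X)"
2025-06-02T09:14:10Z request user=sfellow token=tk_7f3a ip=198.51.100.23 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X)"
2025-06-02T09:21:48Z request user=sfellow token=tk_7f3a ip=203.0.113.77 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-06-02T09:30:00Z token_issued user=analyst token=tk_91c0 ip=192.0.2.14 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-06-02T09:31:12Z request user=analyst token=tk_91c0 ip=192.0.2.14 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
this line is malformed and must be skipped
"""


@dataclass
class Binding:
    """Fingerprint recorded at the moment a token was issued."""
    user: str
    ip: str
    ua: str


@dataclass
class ReplayAlert:
    ts: str
    user: str
    token: str
    seen_ip: str
    seen_ua: str
    reasons: List[str] = field(default_factory=list)


def is_mobile(ua: str) -> bool:
    return any(marker in ua for marker in MOBILE_MARKERS)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_token_replay(log_text: str) -> List[ReplayAlert]:
    """Return one alert per request whose fingerprint differs from issuance."""
    bindings: Dict[str, Binding] = {}
    alerts: List[ReplayAlert] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # tolerate malformed lines instead of aborting the scan
        if rec["event"] == "token_issued":
            bindings[rec["token"]] = Binding(rec["user"], rec["ip"], rec["ua"])
            continue
        bound = bindings.get(rec["token"])
        reasons: List[str] = []
        if bound is None:
            # A token this IdP never issued is being presented: replay from elsewhere.
            reasons.append("token never issued in this log")
        else:
            if rec["ip"] != bound.ip:
                reasons.append("ip changed")
            if rec["ua"] != bound.ua:
                reasons.append("user-agent changed")
            if is_mobile(bound.ua) and not is_mobile(rec["ua"]):
                # The quishing pivot in reverse: the token was minted on the
                # victim's phone and is now being replayed from a desktop.
                reasons.append("mobile-issued token used from desktop")
        if reasons:
            alerts.append(ReplayAlert(rec["ts"], rec["user"], rec["token"],
                                      rec["ip"], rec["ua"], reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_token_replay(SAMPLE_LOG):
        print(f"{a.ts} user={a.user} token={a.token} from {a.seen_ip} "
              f"({a.seen_ua}): {', '.join(a.reasons)}")
```

Legitimate IP changes (mobile carriers, VPN reconnects) will also trip the IP check, so in production the user-agent and mobile-to-desktop reasons deserve higher weight than an IP change on its own.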
Web applications, databases, sub-domains, DNS configuration, and public_html are some of the online places where you can never allow a hacker in. If they do get in, sometimes forcefully, a full account takeover is just a matter of time. Since these are the most targeted assets of a website/company, attackers have a hawk eye on them. However, white hat hackers, red teams, and security companies also hack into these online services to perform pen testing on mobile apps, servers, and workflows. A successful pen tester is not someone who can get into every system, but one who can find multiple bugs within the same system.

In 2026, organizations heavily rely on pen testers to hack into their systems, report vulnerabilities to them, and support their data protection efforts. If you are a beginner in your pen testing journey, The Cyber Express has the perfect starter guide for you. In this article, we discuss the basics of pen testing, why it is important, and what tools and methodologies are used to accomplish a successful and effective penetration test.

What Is Penetration Testing?

Penetration testing, often referred to as pen testing, is a structured security assessment technique that simulates real-world cyberattacks to identify and exploit vulnerabilities in systems, networks, or web applications. Unlike basic vulnerability scans, penetration testing actively tests weaknesses to determine the potential impact of an attack. Its meaning extends beyond simply finding vulnerabilities; it evaluates how these weaknesses can be exploited, the severity of the risks, and the potential consequences for the organization.

Penetration testers, commonly known as ethical hackers, employ the same tactics as cybercriminals but do so in a controlled and authorized manner, ensuring that testing is both effective and safe. So what, in essence, is a penetration test? It is a proactive security assessment that combines automated tools and manual techniques to uncover flaws before attackers can exploit them. Organizations use this process to strengthen their security posture, reduce risk, and improve incident response capabilities.

Why Penetration Testing Is Important

Cyber threats are growing in both scale and complexity every second, making penetration testing in cybersecurity an essential practice. Common vulnerabilities such as SQL injection, cross-site scripting (XSS), broken authentication, and insecure file handling can lead to severe consequences, including data breaches, financial loss, regulatory penalties, and reputational damage. By performing penetration testing, organizations can:

- Identify and address vulnerabilities proactively
- Understand the real-world impact of potential attacks
- Strengthen compliance with standards like PCI DSS, HIPAA, and ISO 27001
- Improve incident response and security awareness
- Prioritize remediation based on risk rather than theoretical severity

Penetration testing is not just a technical exercise; it is a strategic component of a comprehensive cybersecurity program.

Types of Penetration Testing

There are several approaches to penetration testing, each targeting specific aspects of an organization’s environment:

- Network Penetration Testing: Focuses on internal and external networks, identifying vulnerabilities in routers, firewalls, and connected systems.
- Web Application Penetration Testing: Evaluates websites and applications for common flaws like SQL injection, XSS, CSRF, and broken authentication.
- Mobile Application Penetration Testing: Targets vulnerabilities in mobile apps across iOS and Android platforms.
- Cloud Penetration Testing: Assesses misconfigurations and weaknesses in cloud environments, including SaaS, PaaS, and IaaS platforms.
- Social Engineering Tests: Simulate phishing, pretexting, or baiting attacks to evaluate human vulnerabilities.

Understanding the types of penetration testing helps organizations select the right approach based on their systems, business logic, and threat exposure.

How Does Penetration Testing Work?

Penetration testing follows a structured methodology that ensures all aspects of the system are evaluated thoroughly. The process typically includes the following stages:

Information Gathering
Testers begin by collecting as much information as possible about the target system. This includes domain names, IP addresses, subdomains, hosting environments, and technologies like web servers, frameworks, and databases. Passive techniques, such as analyzing public data, and active techniques, like DNS enumeration, help testers map the attack surface.

Reconnaissance and Scanning
Next, testers perform reconnaissance to identify open ports, running services, and exposed endpoints. Tools such as Nmap are used for network mapping, while Nessus and OpenVAS scan for known vulnerabilities. Both automated and manual validation are critical to eliminate false positives.

Vulnerability Identification
Once reconnaissance is complete, vulnerabilities are identified. This phase targets issues such as:

- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- File inclusion vulnerabilities
- Broken authentication and session management
- Insecure access controls

Testers combine automated tools like Burp Suite, Nessus, and Qualys with manual testing to uncover complex logic flaws often missed by scanners.

Exploitation
The exploitation phase assesses the real-world impact of vulnerabilities. Testers attempt to leverage weaknesses to gain unauthorized access or escalate privileges. Common tools include Metasploit, sqlmap, and Burp Suite. Successful exploitation demonstrates how attackers could compromise systems and helps organizations prioritize remediation.

Post-Exploitation
After initial access, testers evaluate the potential damage by accessing sensitive data, moving laterally, or maintaining persistence. This step reveals the broader consequences of a breach without causing actual harm.

Reporting and Remediation Guidance
Finally, testers prepare a detailed report documenting vulnerabilities, exploitation methods, impact, and recommended mitigation steps. A high-quality penetration testing report provides actionable guidance for technical teams and management, prioritizing risks based on real-world severity.

Penetration Testing Tools and Their Uses

Penetration testing tools are specialized software used to identify, exploit, and assess vulnerabilities in systems, networks, and applications.

[Figure: Performing a basic scan in Nmap (Source: kali.org)]

They support different phases of a penetration test, including reconnaissance, scanning, exploitation, post-exploitation, and reporting.

Network Discovery and Reconnaissance
- Nmap: Scans networks to identify live hosts, open ports, and services. Supports OS detection and custom scripts.
- Masscan: High-speed port scanner for large networks; often used before deeper scans with Nmap.

Vulnerability Scanners
- Nessus: Commercial scanner that detects outdated software, misconfigurations, and known vulnerabilities.
- OpenVAS: Open-source alternative to Nessus for identifying system weaknesses.
- Qualys: Cloud-based scanner for vulnerability management and compliance monitoring.

Web Application Testing
- Burp Suite: Intercepts and manipulates web traffic; finds SQL injection, XSS, CSRF, and logic flaws.
- OWASP ZAP: Open-source web proxy with automated scanning and fuzzing.
- Nikto: Web server scanner for outdated software and insecure files.

Exploitation Tools
- Metasploit: Framework for exploiting vulnerabilities, gaining access, and performing post-exploitation.
- Core Impact: Commercial exploitation platform with automated attack paths and reporting.

Database and Injection Tools
- sqlmap: Automates detection and exploitation of SQL injection vulnerabilities across multiple database platforms.

Password and Credential Tools
- Hydra: Performs network login brute-force attacks on multiple protocols.
- John the Ripper: Cracks password hashes using brute-force or dictionary attacks.
- Hashcat: GPU-accelerated password recovery tool for large-scale hash cracking.

Wireless and Network Attack Tools
- Aircrack-ng: Captures and analyzes Wi-Fi traffic, tests WPA/WPA2 encryption, and performs deauthentication attacks.

Post-Exploitation Tools
- Mimikatz: Extracts passwords, hashes, and tokens from Windows memory.
- BloodHound: Maps Active Directory environments to identify privilege escalation paths.

Reporting Tools
- Dradis, Faraday, Serpico: Help organize findings, assign severity, and produce professional penetration testing reports.

Penetration Testing vs Vulnerability Assessment

It is important to differentiate penetration testing from vulnerability assessment. A vulnerability assessment identifies potential weaknesses but does not attempt to exploit them, providing a theoretical overview of risk. Penetration testing goes a step further by actively exploiting vulnerabilities to measure real-world impact, offering actionable insights that can directly guide remediation and risk prioritization.

Real-World Examples

The necessity of penetration testing is evident in high-profile vulnerabilities. For example, recently, the open-source workflow automation platform n8n was affected by CVE-2025-68668, a critical flaw rated 9.9 on the CVSS scale. The vulnerability allowed authenticated users to execute arbitrary system commands due to a sandbox bypass in the Python Code Node. The flaw was mitigated in n8n version 2.0.0 through architectural changes, highlighting that effective security solutions often require more than patches; they may necessitate structural improvements. Penetration testing identifies such systemic risks before they can be exploited in production.

The Future of Penetration Testing

As technologies like AI, machine learning, IoT, and cloud computing expand the digital landscape, penetration testing must evolve. Modern attackers employ automation and highly advanced techniques, requiring testers to continually update their skills, tools, and methodologies. Continuous penetration testing is replacing periodic assessments, integrating security into DevSecOps pipelines to identify vulnerabilities early. This proactive approach reduces the window of opportunity for attackers and ensures security remains a core component of system design.

Penetration testing is no longer a one-off exercise; it is a critical, ongoing strategy that strengthens an organization’s overall cybersecurity posture, informs risk management, and enhances incident response. Penetration testing, then, is far more than a technical procedure; it is a strategic necessity in today’s cybersecurity environment. From network and web application assessments to social engineering and cloud testing, penetration testing provides a comprehensive view of real-world risk. By combining skilled testers with tools and ethical practices, organizations can defend their systems, protect critical data, and strengthen trust in their digital operations. To sum up, understanding the penetration testing definition, how penetration testing works, and applying it effectively is indispensable for any organization serious about cybersecurity.

Caution: The Cyber Express does not endorse or approve any tools, methods, or activities described here. This content is for informational purposes only and should only be used in authorized, legal environments.
A DNS Crash disrupted networks around the world on January 8, 2026, after a flaw in the DNS client service caused multiple Cisco Small Business Switches to reboot repeatedly and, in some cases, generate core dumps. The outage affected organizations of all sizes, from small IT teams managing a handful of switches to administrators responsible for dozens of devices spread across multiple sites.

The problem began surfacing around 2:00 AM and quickly appeared to be global in scope. Network administrators reported that switches suddenly entered reboot loops every 10 to 30 minutes, rendering networks unstable or unusable until emergency changes were made. The most frequently cited affected models included the CBS250, C1200, CBS350, SG350, and SG550X series. In several cases, switches had been running reliably for more than a year before failing simultaneously.

DNS Crash Causes Reboot Loops Across Models

Logs collected from impacted devices consistently pointed to fatal errors in the DNS client process, identified as the DNSC task. One of the most common log entries was:

“%DNS_CLIENT-F-SRCADDRFAIL: Result is 2. Failed to identify address for specified name ‘www.cisco.com.’”

Other failures involved time synchronization domains, including NIST-hosted servers such as “time-c.timefreq.bldrdoc.gov.” These DNS resolution failures triggered fatal errors that forced the switches to generate core dumps and automatically reset. Stack traces showed the crashes occurring inside the DNS client code path, rather than in SNTP or other services directly.

Administrators observed the issue across multiple firmware versions, including 4.1.7.17 (dated May 26, 2025), 4.1.3.36 (dated May 19, 2024), and 4.1.7.24 (dated August 27, 2025). The breadth of versions affected suggested a long-standing defect that was only exposed when a specific external condition occurred.

Administrators Trace Impact to DNS Lookups and SNTP Defaults

On Cisco’s community forums, one administrator described the scope of the outage in stark terms. Posting under the title “Cisco CBS250 and C1200 DNS crash,” the user wrote on January 8, 2026: “Today was a bad day for the Cisco CBS250 and C1200’s. I’ve been running these for 1 to 2 years now and haven’t had an issue until today. I think every single one crashed today and kept crashing until I removed the DNS configuration. I have about 50 of these.”

The same administrator shared detailed crash logs showing fatal DNSC errors when the switches attempted to resolve both “www.cisco.com” and “time-c.timefreq.bldrdoc.gov.” Similar reports appeared on Reddit, where SG550X owners confirmed that devices at different sites began failing at the same time, reinforcing the conclusion that the trigger was external rather than a localized configuration error.

A pattern emerged linking the crashes to DNS lookups for default services embedded in the firmware. Even switches without explicit NTP configurations attempted to resolve domains such as time-pnp.cisco.com or www.cisco.com. When those lookups failed or returned unexpected responses, the DNS client treated the condition as fatal rather than recoverable, leading directly to a reboot.

Workarounds Stabilize Networks as Root Cause Remains Unpatched

Several forum participants speculated that a resolver-side change played a role. Attention focused on Cloudflare’s 1.1.1.1 DNS service, which many affected switches were using either as a primary or secondary resolver. One administrator summarized the concern bluntly: “How terrible that Cisco’s DNS implementation can’t handle a bad query response without resetting the whole switch.”

While not definitively confirmed, multiple reports suggested that a degradation or behavioral change on 1.1.1.1 coincided with the synchronized onset of the DNS Crash. Administrators noted that switches using alternative resolvers, or those with DNS disabled entirely, were often unaffected. However, others reported crashes even when 1.1.1.1 was configured only as a backup, indicating that the DNS client could still be triggered by problematic responses.

By mid-day on January 8, effective workarounds were circulating widely. The most reliable mitigation involved disabling DNS entirely using commands such as “no ip name-server” and “no ip domain-lookup.” Others removed default SNTP servers with “no sntp server time-pnp.cisco.com” or blocked outbound internet access from the switches. In nearly all cases, once DNS queries stopped, the switches stabilized.

Cisco support acknowledged the issue privately to customers and confirmed that it affected the CBS, SG, and Catalyst 1200 and 1300 lines, including the CBS250 and C1200 families. As of January 9, 2026, no public advisory, patch, or field notice had been released.
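With dozens of switches across sites, the fastest way to tell which units are in the reboot loop, and which names they were trying to resolve, is to correlate the fatal DNS_CLIENT messages per host in the central syslog. The following is an added example, not code from Cisco or from the forum posters quoted above: it parses constructed syslog lines (timestamps, hostnames and the non-DNS noise lines are invented; the fatal message text follows the form quoted in the article) and reports any switch whose fatal DNSC events recur at the cadence described, every 10 to 30 minutes, along with the names it failed to resolve, which is what points at the default SNTP targets.

```python
"""Find Cisco Small Business switches stuck in a DNS-client reboot loop.

Added example, not from Cisco or the forum posts. Assumes a constructed
central syslog feed where each line is "<iso-timestamp> <hostname> <message>"
and the fatal DNS client message has the form quoted in the article:
    %DNS_CLIENT-F-SRCADDRFAIL: Result is 2. Failed to identify address for specified name '<name>'
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Any fatal (-F-) DNS_CLIENT message counts; the resolved name is captured so
# the report shows which lookups (e.g. default SNTP targets) were failing.
DNSC_FATAL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<code>%DNS_CLIENT-F-\S+): "
    r".*?specified name '(?P<name>[^']*)'"
)

# Constructed sample (hostnames, timestamps and the %EXAMPLE noise lines are
# invented). sw-floor2 crashes three times in about 40 minutes on two different
# lookups; sw-lab logs a single failure; sw-edge never logs a DNS failure.
SAMPLE_SYSLOG = """\
2026-01-08T02:13:41 sw-floor2 %DNS_CLIENT-F-SRCADDRFAIL: Result is 2. Failed to identify address for specified name 'www.cisco.com.'
2026-01-08T02:15:02 sw-floor2 %EXAMPLE-I-Noise: constructed non-DNS event after restart
2026-01-08T02:20:00 sw-lab %DNS_CLIENT-F-SRCADDRFAIL: Result is 2. Failed to identify address for specified name 'www.cisco.com.'
2026-01-08T02:31:05 sw-floor2 %DNS_CLIENT-F-SRCADDRFAIL: Result is 2. Failed to identify address for specified name 'time-c.timefreq.bldrdoc.gov.'
2026-01-08T02:40:17 sw-edge %EXAMPLE-I-Noise: constructed non-DNS event
2026-01-08T02:52:19 sw-floor2 %DNS_CLIENT-F-SRCADDRFAIL: Result is 2. Failed to identify address for specified name 'www.cisco.com.'
"""


def parse_fatal_dns_events(log_text: str) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group fatal DNS_CLIENT events by switch hostname as (timestamp, name) pairs."""
    events: Dict[str, List[Tuple[datetime, str]]] = {}
    for line in log_text.splitlines():
        m = DNSC_FATAL_RE.match(line.strip())
        if not m:
            continue  # non-DNS or malformed lines are ignored
        ts = datetime.fromisoformat(m.group("ts"))
        events.setdefault(m.group("host"), []).append((ts, m.group("name")))
    return events


def find_reboot_loops(log_text: str, max_gap_minutes: float = 30.0,
                      min_events: int = 3) -> Dict[str, dict]:
    """Report hosts with at least min_events consecutive fatal DNSC events
    spaced no more than max_gap_minutes apart (the 10-30 minute loop cadence
    reported by administrators)."""
    loops: Dict[str, dict] = {}
    for host, evs in parse_fatal_dns_events(log_text).items():
        evs.sort()
        if len(evs) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() / 60.0 for a, b in zip(evs, evs[1:])]
        # Length of the longest run of crashes that recur within the cadence;
        # one long quiet gap resets the run rather than disqualifying the host.
        run = best = 1
        for gap in gaps:
            run = run + 1 if gap <= max_gap_minutes else 1
            best = max(best, run)
        if best < min_events:
            continue
        loops[host] = {
            "events": len(evs),
            "max_gap_min": round(max(gaps), 1),
            "names": sorted({name for _, name in evs}),
        }
    return loops


if __name__ == "__main__":
    for host, info in find_reboot_loops(SAMPLE_SYSLOG).items():
        print(f"{host}: {info['events']} fatal DNSC events, "
              f"max gap {info['max_gap_min']} min, names={info['names']}")
```

Hosts that show up here are the ones to apply the DNS or SNTP workaround to first; a host with a single fatal event and no recurrence is worth watching but is not yet in the loop.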
The opening week of 2026 has already highlighted the complexity of global cyber threats, with incidents affecting governments, educational institutions, and corporations alike. From school closures to corporate breaches and international policy shifts, cybersecurity news demonstrates that attacks are no longer confined to technical systems; they have real-world consequences for operations, public trust, and the protection of sensitive data.

This week, digital risks have shown their reach across multiple sectors: schools are grappling with ransomware and system outages that disrupt learning, corporations face data breaches due to human error and weak authentication practices, and governments are reevaluating international cooperation in cybersecurity. The early events of 2026 underline that managing cyber risk requires not just technology, but coordinated response, regulatory oversight, and awareness at every level, from individual users to global policymakers.

The Cyber Express Weekly Roundup

Higham Lane School Cyberattack Forces Temporary Closure

Higham Lane School in Nuneaton, England, closed temporarily after a cyberattack disrupted IT systems, affecting 1,500 students. Staff and students must avoid platforms like Google Classroom while cybersecurity experts and the Department for Education investigate.

Hacktivist Takes Down White Supremacist Websites Live at Conference

Hacktivist Martha Root gained attention by deleting white supremacist websites live at the Chaos Communication Congress in Hamburg. Targeted platforms included WhiteDate, WhiteChild, and WhiteDeal. Root also exposed partial data from over 6,000 WhiteDate profiles, sharing it with controlled-access platforms DDoSecrets and HaveIBeenPwned.

UK Announces £210 Million Cybersecurity Overhaul

The UK government announced a £210 million cybersecurity initiative to address “critically high” risks across public sector systems, many of which rely on vulnerable legacy platforms. The plan includes creating a Government Cyber Unit for cross-department coordination and accountability, establishing the Government Cyber Coordination Centre (GC3) for strategic defense, and launching the first Government Cyber Profession to tackle skills shortages, supported by a Cyber Resourcing Hub.

Australian Insurer Prosura Suffers Cyber Incident

In Australia, Prosura temporarily shut down online policy management and claim portals following unauthorized access to internal systems on January 3, 2026. Customer names, emails, phone numbers, and policy details may have been exposed, though payment information remained secure.

U.S. Withdraws from International Cyber Coalitions

The United States announced its withdrawal from 66 international organizations related to cybersecurity, digital rights, and hybrid threat cooperation. These include the Hybrid CoE, GFCE, and Freedom Online Coalition. Officials cited misalignment with U.S. interests, raising concerns over reduced intelligence sharing and potential gaps in global cyber defense.

Weekly Takeaway

This week’s cybersecurity news from The Cyber Express shows that 2026 is already marked by complex threats. From school closures and corporate breaches to government reforms and international policy shifts, data breaches impact education, public services, and businesses. Protecting digital systems now requires vigilance, technical skill, and proactive governance, making strong cybersecurity strategies essential to protect operations, trust, and public safety worldwide.
Our first story of 2026 revealed how a destructive new botnet called Kimwolf has infected more than two million devices by mass-compromising a vast number of unofficial Android TV streaming boxes. Today, we’ll dig through digital clues left behind by the hackers, network operators and services that appear to have benefitted from Kimwolf’s spread.

On Dec. 17, 2025, the Chinese security firm XLab published a deep dive on Kimwolf, which forces infected devices to participate in distributed denial-of-service (DDoS) attacks and to relay abusive and malicious Internet traffic for so-called “residential proxy” services. The software that turns one’s device into a residential proxy is often quietly bundled with mobile apps and games. Kimwolf specifically targeted residential proxy software that is factory installed on more than a thousand different models of unsanctioned Android TV streaming devices. Very quickly, the residential proxy’s Internet address starts funneling traffic that is linked to ad fraud, account takeover attempts and mass content scraping.

The XLab report explained its researchers found “definitive evidence” that the same cybercriminal actors and infrastructure were used to deploy both Kimwolf and the Aisuru botnet — an earlier version of Kimwolf that also enslaved devices for use in DDoS attacks and proxy services. XLab said it had suspected since October that Kimwolf and Aisuru had the same author(s) and operators, based in part on shared code changes over time. But it said those suspicions were confirmed on December 8 when it witnessed both botnet strains being distributed by the same Internet address at 93.95.112[.]59.

Image: XLab.

RESI RACK

Public records show the Internet address range flagged by XLab is assigned to Lehi, Utah-based Resi Rack LLC. Resi Rack’s website bills the company as a “Premium Game Server Hosting Provider.” Meanwhile, Resi Rack’s ads on the Internet moneymaking forum BlackHatWorld refer to it as a “Premium Residential Proxy Hosting and Proxy Software Solutions Company.”

Resi Rack co-founder Cassidy Hales told KrebsOnSecurity his company received a notification on December 10 about Kimwolf using their network “that detailed what was being done by one of our customers leasing our servers.”

“When we received this email we took care of this issue immediately,” Hales wrote in response to an email requesting comment. “This is something we are very disappointed is now associated with our name and this was not the intention of our company whatsoever.”

The Resi Rack Internet address cited by XLab on December 8 came onto KrebsOnSecurity’s radar more than two weeks before that. Benjamin Brundage is the founder of Synthient, a startup that tracks proxy services. In late October 2025, Brundage shared that the people selling various proxy services which benefitted from the Aisuru and Kimwolf botnets were doing so at a new Discord server called resi[.]to.

On November 24, 2025, a member of the resi-dot-to Discord channel shares an IP address responsible for proxying traffic over Android TV streaming boxes infected by the Kimwolf botnet.

When KrebsOnSecurity joined the resi[.]to Discord channel in late October as a silent lurker, the server had fewer than 150 members, including “Shox” — the nickname used by Resi Rack’s co-founder Mr. Hales — and his business partner “Linus,” who did not respond to requests for comment. Other members of the resi[.]to Discord channel would periodically post new IP addresses that were responsible for proxying traffic over the Kimwolf botnet. As the screenshot from resi[.]to above shows, the Resi Rack Internet address flagged by XLab was used by Kimwolf to direct proxy traffic as far back as November 24, if not earlier.

All told, Synthient said it tracked at least seven static Resi Rack IP addresses connected to Kimwolf proxy infrastructure between October and December 2025. Neither of Resi Rack’s co-owners responded to follow-up questions. Both have been active in selling proxy services via Discord for nearly two years.

According to a review of Discord messages indexed by the cyber intelligence firm Flashpoint, Shox and Linus spent much of 2024 selling static “ISP proxies” by routing various Internet address blocks at major U.S. Internet service providers. In February 2025, AT&T announced that effective July 31, 2025, it would no longer originate routes for network blocks that are not owned and managed by AT&T (other major ISPs have since made similar moves). Less than a month later, Shox and Linus told customers they would soon cease offering static ISP proxies as a result of these policy changes.

Shox and Linus, talking about their decision to stop selling ISP proxies.

DORT & SNOW

The stated owner of the resi[.]to Discord server went by the abbreviated username “D.” That initial appears to be short for the hacker handle “Dort,” a name that was invoked frequently throughout these Discord chats.

Dort’s profile on resi dot to.

This “Dort” nickname came up in KrebsOnSecurity’s recent conversations with “Forky,” a Brazilian man who acknowledged being involved in the marketing of the Aisuru botnet at its inception in late 2024. But Forky vehemently denied having anything to do with a series of massive and record-smashing DDoS attacks in the latter half of 2025 that were blamed on Aisuru, saying the botnet by that point had been taken over by rivals. Forky asserts that Dort is a resident of Canada and one of at least two individuals currently in control of the Aisuru/Kimwolf botnet. The other individual Forky named as an Aisuru/Kimwolf botmaster goes by the nickname “Snow.”

On January 2 — just hours after our story on Kimwolf was published — the historical chat records on resi[.]to were erased without warning and replaced by a profanity-laced message for Synthient’s founder. Minutes after that, the entire server disappeared. Later that same day, several of the more active members of the now-defunct resi[.]to Discord server moved to a Telegram channel where they posted Brundage’s personal information, and generally complained about being unable to find reliable “bulletproof” hosting for their botnet.

Hilariously, a user by the name “Richard Remington” briefly appeared in the group’s Telegram server to post a crude “Happy New Year” sketch that claims Dort and Snow are now in control of 3.5 million devices infected by Aisuru and/or Kimwolf. Richard Remington’s Telegram account has since been deleted, but it previously stated its owner operates a website that caters to DDoS-for-hire or “stresser” services seeking to test their firepower.

BYTECONNECT, PLAINPROXIES, AND 3XK TECH

Reports from both Synthient and XLab found that Kimwolf was used to deploy programs that turned infected systems into Internet traffic relays for multiple residential proxy services. Among those was a component that installed a software development kit (SDK) called ByteConnect, which is distributed by a provider known as Plainproxies.

ByteConnect says it specializes in “monetizing apps ethically and free,” while Plainproxies advertises the ability to provide content scraping companies with “unlimited” proxy pools. However, Synthient said that upon connecting to ByteConnect’s SDK they instead observed a mass influx of credential-stuffing attacks targeting email servers and popular online websites.

A search on LinkedIn finds the CEO of Plainproxies is Friedrich Kraft, whose resume says he is co-founder of ByteConnect Ltd. Public Internet routing records show Mr. Kraft also operates a hosting firm in Germany called 3XK Tech GmbH. Mr. Kraft did not respond to repeated requests for an interview.

In July 2025, Cloudflare reported that 3XK Tech (a.k.a. Drei-K-Tech) had become the Internet’s largest source of application-layer DDoS attacks. In November 2025, the security firm GreyNoise Intelligence found that Internet addresses on 3XK Tech were responsible for roughly three-quarters of the Internet scanning being done at the time for a newly discovered and critical vulnerability in security products made by Palo Alto Networks.

Source: Cloudflare’s Q2 2025 DDoS threat report.

LinkedIn has a profile for another Plainproxies employee, Julia Levi, who is listed as co-founder of ByteConnect. Ms. Levi did not respond to requests for comment. Her resume says she previously worked for two major proxy providers: Netnut Proxy Network, and Bright Data. Synthient likewise said Plainproxies ignored their outreach, noting that the ByteConnect SDK continues to remain active on devices compromised by Kimwolf.

MASKIFY

Synthient’s January 2 report said another proxy provider heavily involved in the sale of Kimwolf proxies was Maskify, which currently advertises on multiple cybercrime forums that it has more than six million residential Internet addresses for rent. Maskify prices its service at a rate of 30 cents per gigabyte of data relayed through their proxies. According to Synthient, that price is extraordinarily low and far cheaper than any other proxy provider in business today.

“Synthient’s Research Team received screenshots from other proxy providers showing key Kimwolf actors attempting to offload proxy bandwidth in exchange for upfront cash,” the Synthient report noted. “This approach likely helped fuel early development, with associated members spending earnings on infrastructure and outsourced development tasks. Please note that resellers know precisely what they are selling; proxies at these prices are not ethically sourced.”

Maskify did not respond to requests for comment.

The Maskify website. Image: Synthient.

BOTMASTERS LASH OUT

Hours after our first Kimwolf story was published last week, the resi[.]to Discord server vanished, Synthient’s website was hit with a DDoS attack, and the Kimwolf botmasters took to doxing Brundage via their botnet. The harassing messages appeared as text records uploaded to the Ethereum Name Service (ENS), a distributed system for supporting smart contracts deployed on the Ethereum blockchain.

As documented by XLab, in mid-December the Kimwolf operators upgraded their infrastructure and began using ENS to better withstand the near-constant takedown efforts targeting the botnet’s control servers.

An ENS record used by the Kimwolf operators taunts security firms trying to take down the botnet’s control servers. Image: XLab.

Because infected systems look up the Kimwolf control servers via ENS, even if the servers the botmasters use to control the botnet are taken down, the attackers need only update the ENS text record with the new Internet address of the control server, and the infected devices will immediately know where to look for further instructions. “This channel itself relies on the decentralized nature of blockchain, unregulated by Ethereum or other blockchain operators, and cannot be blocked,” XLab wrote. The text records included in Kimwolf’s ENS instructions can also carry short messages, such as those that contained Brundage’s personal information.
Other ENS text records associated with Kimwolf offered some sage advice: “If flagged, we encourage the TV box to be destroyed.” An ENS record tied to the Kimwolf botnet advises, “If flagged, we encourage the TV box to be destroyed.” Both Synthient and XLabs say Kimwolf targets a vast number of Android TV streaming box models, all of which have zero security protections, and many of which ship with proxy malware built in. Generally speaking, if you can send a data packet to one of these devices you can also seize administrative control over it. If you own a TV box that matches one of these model names and/or numbers, please just rip it out of your network. If you encounter one of these devices on the network of a family member or friend, send them a link to this story (or to our January 2 story on Kimwolf) and explain that it’s not worth the potential hassle and harm created by keeping them plugged in.
The notorious Russian state-sponsored group relies on basic techniques that are highly effective, often delivering greater ROI than more complex malware-heavy operations.
The CrowdStrike-SGNL deal underscores how identity security has become a critical component of enterprise cybersecurity as companies add cloud services and deploy AI-driven tools.
Cybercriminal cryptocurrency transactions totaled billions in 2025, with activity from sanctioned countries like Russia and Iran causing the largest jump.
Tim Kosiba, who has a long history of national security positions at the NSA and elsewhere, will be the signals intelligence agency's new deputy chief.
Daniil Kasatkin, 26, was seen in a video shared by Russian state news outlet TASS emerging from a plane that was then used to send French researcher Laurent Vinatier back to France.
The U.S. Federal Bureau of Investigation (FBI) on Thursday released an advisory warning of North Korean state-sponsored threat actors leveraging malicious QR codes in spear-phishing campaigns targeting entities in the country. "As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR)
Trend Micro has released security updates to address multiple security vulnerabilities impacting on-premise versions of Apex Central for Windows, including a critical bug that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-69258, carries a CVSS score of 9.8 out of a maximum of 10.0. The vulnerability has been described as a case of remote code execution
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday said it's retiring 10 emergency directives (EDs) that were issued between 2019 and 2024. The list of the directives now considered closed is as follows - ED 19-01: Mitigate DNS Infrastructure Tampering ED 20-02: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday ED 20-03: Mitigate Windows DNS Server
As organizations plan for 2026, cybersecurity predictions are everywhere. Yet many strategies are still shaped by headlines and speculation rather than evidence. The real challenge isn’t a lack of forecasts—it’s identifying which predictions reflect real, emerging risks and which can safely be ignored. An upcoming webinar hosted by Bitdefender aims to cut through the noise with a data-driven
Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024. Cybersecurity firm Huntress, which observed the activity in December 2025 and stopped it before it could progress to the final stage, said it may have resulted in a ransomware
Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The activity has been attributed to APT28 (aka BlueDelta), which was attributed to a "sustained"
The founder of a spyware company that encouraged customers to secretly monitor their romantic partners has pleaded guilty to federal charges - marking one of the few successful US prosecutions of a stalkerware operator. Read more in my article on the Hot for Security blog.