This malicious AI chatbot is being used by hackers to create malware and attack your data—here’s what you need to know about GhostGPT.
Category: cybercrime/malcode
Threat actors are exploiting an unspecified zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet called AIRASHI to carry out distributed denial-of-service (DDoS) attacks.
According to QiAnXin XLab, the attacks have leveraged the security flaw since June 2024. Additional details about the shortcomings have been withheld to prevent further abuse.
Some of the other flaws weaponized by the DDoS botnet include CVE-2013-3307, CVE-2016-20016, CVE-2017-5259, CVE-2018-14558, CVE-2020-25499, CVE-2020-8515, CVE-2022-3573, CVE-2022-40005, CVE-2022-44149, and CVE-2023-28771, as well as those impacting AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT devices.
A 13,000-router MikroTik botnet bypasses SPF protections on 20,000 domains, fueling malware, DDoS, and phishing.
Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into running PowerShell code that infects them with malware.
The attack, spotted by vx-underground, is a new variant of the “Click-Fix” tactic that has become very popular among threat actors to distribute malware over the past year.
However, instead of being fixes for common errors, this variant pretends to be a captcha or verification system that users must run to join the channel.
The campaign is unique for its focus on the Chinese-speaking demographic and the use of software-related lures to activate the attack chain.
“Equally striking is the attackers’ sophisticated use of legitimate software as a delivery mechanism for malware, seamlessly blending malicious activities with seemingly benign applications,” Fishbein said.
“The adaptability of the PNGPlug loader further elevates the threat, as its modular design allows it to be tailored for multiple campaigns.”
4.2M hosts, including VPNs and routers, face risks from unencrypted tunneling protocols like GRE6 enabling DDoS.
“Code executed in this early boot phase can persist on the system, potentially loading malicious kernel extensions that survive both reboots and OS reinstallation,” the CERT Coordination Center (CERT/CC) said. “Additionally, it may evade detection by OS-based and endpoint detection and response (EDR) security measures.”
Malicious actors could further expand the scope of exploitation by bringing their own copy of the vulnerable “reloader.efi” binary to any UEFI system with the Microsoft third-party UEFI certificate enrolled. However, elevated privileges are required to deploy the vulnerable and malicious files to the EFI system partition: local administrator on Windows and root on Linux.
The Slovakian cybersecurity firm said it responsibly disclosed the findings to the CERT/CC in June 2024, after which Howyar Technologies and its partners addressed the issue in the affected products. On January 14, 2025, Microsoft revoked the old, vulnerable binaries as part of its Patch Tuesday update.
Threat actors embed malware like VIP Keylogger in images via phishing emails and Base64 encoding, leveraging .NET loaders and GenAI-written scripts to.
Malvertising targets Google Ads users, redirecting to phishing sites that steal credentials, budgets, and 2FA codes.
“By compromising developer accounts, attackers not only exfiltrate intellectual property but also gain access to cryptocurrency wallets, enabling direct financial theft,” the company said. “The targeted theft of private and secret keys could lead to millions in stolen digital assets, furthering the Lazarus Group’s financial goals.”
The malware architecture is modular and flexible, capable of working across Windows, macOS, and Linux operating systems. It also highlights the ever-evolving and adaptable nature of nation-state cyber threats.
“For North Korea, hacking is a revenue generating lifeline,” Sherstobitoff said. “The Lazarus Group has consistently funneled stolen cryptocurrency to fuel the regime’s ambitions, amassing staggering sums. With Web3 and cryptocurrency industries booming, Operation 99 zeroes in on these high-growth sectors.”