<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Botnet — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/botnet/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 23 Apr 2026 11:22:42 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/botnet/feed.xml" rel="self" type="application/rss+xml"/><item><title>China-Nexus Cyber Actors Using Covert Networks of Compromised Devices</title><link>https://feed.craftedsignal.io/briefs/2026-04-china-nexus-covert-networks/</link><pubDate>Thu, 23 Apr 2026 11:22:42 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-china-nexus-covert-networks/</guid><description>China-nexus cyber actors are increasingly using large-scale networks of compromised devices, including SOHO routers and IoT devices, to obscure the origin of their attacks and conduct various malicious activities, from reconnaissance to data exfiltration.</description><content:encoded><![CDATA[<p>A joint advisory highlights a significant shift in tactics employed by China-nexus cyber actors. They are moving away from using individually procured infrastructure and instead leveraging large-scale, externally provisioned networks of compromised devices. These &ldquo;covert networks&rdquo; primarily consist of Small Office Home Office (SOHO) routers, Internet of Things (IoT) devices, and smart devices, but can include any vulnerable device that can be exploited at scale. 
These networks are used for various purposes, including disguising the origin of malicious activity, scanning networks, delivering malware, communicating with compromised systems, exfiltrating stolen data, and conducting general deniable internet browsing to research new TTPs and victim profiles. These networks are constantly updated and could be used by multiple actors.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Compromise: China-nexus actors exploit vulnerabilities in SOHO routers, IoT devices (web cameras, video recorders), firewalls, and NAS devices.</li>
<li>Botnet Establishment: Compromised devices are incorporated into a covert network (botnet), often controlled by Chinese information security companies.</li>
<li>Reconnaissance: The actors use the botnet to scan target networks, gathering information about potential vulnerabilities and attack surfaces.</li>
<li>Exploitation: Leveraging the compromised network to mask their origin, the actors exploit identified vulnerabilities in target systems.</li>
<li>Malware Delivery: The covert network is used to deliver malware payloads to compromised systems within the target network.</li>
<li>Command and Control: The actors establish command and control (C2) channels through the compromised network to remotely control the malware and maintain access.</li>
<li>Data Exfiltration: Sensitive data is exfiltrated from the compromised network through the covert network, making attribution difficult.</li>
<li>Persistence: The actors maintain persistence on compromised systems to ensure continued access and control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised networks can lead to the exposure of sensitive data, disruption of critical services, and financial losses. The use of covert networks makes attribution difficult, allowing attackers to operate with impunity. The advisory notes that Volt Typhoon has used these techniques to pre-position on critical national infrastructure. The widespread nature of the networks, comprising potentially hundreds of thousands of endpoints, makes traditional network defense strategies like static IP blocklists less effective. In 2024, one such network, Raptor Train, infected over 200,000 devices worldwide.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement robust patch management practices to keep SOHO routers, IoT devices, and other network devices up-to-date with the latest security patches (reference: Overview).</li>
<li>Strengthen network perimeter security by implementing intrusion detection and prevention systems (IDPS) to identify and block malicious traffic originating from suspicious or known compromised IP addresses (reference: Attack Chain).</li>
<li>Monitor network traffic for unusual patterns and anomalies that may indicate the presence of a compromised device or covert network activity (reference: Attack Chain).</li>
<li>Deploy the Sigma rule &ldquo;Detect Outbound Connection to Known SOHO Devices&rdquo; to identify potential compromised devices on your network (reference: rules).</li>
<li>Segment networks to limit the potential impact of a compromised device or network segment (reference: Protective Advice).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>covert-network</category><category>botnet</category><category>china-nexus</category><category>compromised-devices</category></item><item><title>PowMix Botnet Targeting Czech Workforce</title><link>https://feed.craftedsignal.io/briefs/2026-04-powmix/</link><pubDate>Thu, 16 Apr 2026 10:00:33 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-powmix/</guid><description>The PowMix botnet campaign targets Czech organizations, particularly HR, legal, and recruitment agencies, using compliance-themed lures delivered via phishing emails, with the attack employing a Windows shortcut file that executes a PowerShell loader to bypass AMSI and deploy the botnet payload in memory.</description><content:encoded><![CDATA[<p>The PowMix botnet campaign, active since at least December 2025, is targeting the Czech workforce. The attackers are using compliance-themed lures impersonating legitimate brands such as EDEKA and referencing the Czech Data Protection Act. These lures are distributed via malicious ZIP files, potentially through phishing emails, and aim to compromise victims in HR, legal, and recruitment agencies, as well as job aspirants in IT, finance, and logistics. PowMix employs randomized command-and-control (C2) beaconing intervals and embeds encrypted heartbeat data into C2 URL paths, mimicking legitimate REST API URLs to evade network signature detections. The botnet can dynamically update the C2 domain in its configuration file and abuses the Heroku cloud platform for C2 operations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attack begins with a phishing email containing a malicious ZIP file.</li>
<li>The victim opens the ZIP file and executes a Windows shortcut (.LNK) file.</li>
<li>The .LNK file executes an embedded PowerShell loader script.</li>
<li>The PowerShell script creates a copy of the ZIP file and its contents in the victim&rsquo;s &ldquo;ProgramData&rdquo; folder.</li>
<li>The PowerShell script bypasses AMSI by setting the <code>amsiInitFailed</code> field to <code>true</code>.</li>
<li>The PowerShell script extracts the PowMix botnet payload from the ZIP archive using a hardcoded delimiter (&ldquo;zAswKoK&rdquo;).</li>
<li>The extracted payload is a secondary PowerShell script that is reconstructed by replacing placeholders.</li>
<li>The secondary PowerShell script is executed in memory using <code>Invoke-Expression</code> (IEX), establishing communication with the C2 server on Heroku.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This campaign targets Czech organizations across various levels, with a focus on HR, legal, and recruitment sectors. If successful, the attacker gains control over the infected machine, potentially enabling data theft, espionage, or further malicious activities. The final payload and ultimate intent of the attackers remain unknown, but the botnet could be used for various purposes, including distributed denial-of-service (DDoS) attacks or as a foothold for lateral movement within the victim&rsquo;s network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events for PowerShell executing from unusual locations like the <code>ProgramData</code> folder to detect initial execution (see Sigma rule: &ldquo;Detect PowerShell Executing from ProgramData&rdquo;).</li>
<li>Deploy the Sigma rule &ldquo;Detect AMSI Bypass via Reflection&rdquo; to identify attempts to disable the Antimalware Scan Interface.</li>
<li>Monitor network connections for traffic to <code>*.herokuapp.com</code> initiated by unusual processes, which may indicate C2 communication (see IOCs and Sigma rule: &ldquo;Detect Heroku C2 Communication&rdquo;).</li>
<li>Inspect PowerShell command lines for the presence of the <code>Invoke-Expression</code> command, which is used to execute the payload in memory (see Sigma rule: &ldquo;Detect PowerShell IEX with Suspicious Parameters&rdquo;).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>powmix</category><category>botnet</category><category>czech-republic</category><category>heroku</category></item><item><title>Disruption of Large IoT DDoS Botnets</title><link>https://feed.craftedsignal.io/briefs/2024-01-iot-ddos-disruption/</link><pubDate>Fri, 20 Mar 2026 05:50:09 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-iot-ddos-disruption/</guid><description>Law enforcement has disrupted significant IoT botnets responsible for launching record-breaking distributed denial-of-service (DDoS) attacks, impacting the availability of targeted systems.</description><content:encoded><![CDATA[<p>Authorities have dismantled a globally distributed network of compromised Internet of Things (IoT) devices that were being leveraged to conduct large-scale DDoS attacks. The botnets consisted of a large number of IoT devices. These attacks overwhelmed target systems, rendering them inaccessible. While the specific devices, malware, and attribution remain undisclosed in the provided source, the disruption of these botnets is a significant event for defenders, as it reduces the overall capacity for attackers to launch extremely large DDoS attacks. The botnets were responsible for record-breaking attacks.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Compromise IoT Devices: Attackers exploit vulnerabilities (e.g., default credentials, unpatched firmware) on IoT devices such as routers, cameras, and DVRs.</li>
<li>Install Malware: Malicious software specifically designed for the IoT architecture is installed on the compromised devices.</li>
<li>Botnet Formation: The malware turns the IoT devices into bots, which are controlled remotely by a command-and-control (C2) server.</li>
<li>C2 Communication: The bots maintain persistent communication with the C2 server, awaiting instructions for launching attacks.</li>
<li>DDoS Attack Initiation: The C2 server issues commands to the bots, instructing them to flood a target system with malicious traffic.</li>
<li>Traffic Amplification: The bots, now acting in unison, send high volumes of traffic to the target, overwhelming its resources.</li>
<li>Service Disruption: The target system becomes unavailable to legitimate users due to the sheer volume of malicious traffic.</li>
<li>Impact: Disruption of services for targeted organizations, potentially leading to financial losses and reputational damage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The DDoS attacks launched by these IoT botnets caused significant service disruptions for targeted organizations. The scope of the attacks was described as &ldquo;record-breaking&rdquo;, suggesting a large number of victims and potential financial losses. Sectors affected are not detailed in the source, but DDoS attacks can impact any organization with an online presence. Successful attacks lead to website and application unavailability, impacting business operations and customer access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for unusual spikes in volume and traffic patterns indicative of DDoS attacks.</li>
<li>Implement rate limiting and traffic filtering on network infrastructure to mitigate the impact of DDoS attacks.</li>
<li>Although no specific IOCs are available, investigate any alerts related to high-volume network traffic originating from internal devices.</li>
<li>Enable logging on network devices to capture potential indicators of compromise and attack activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>iot</category><category>ddos</category><category>botnet</category><category>disruption</category></item><item><title>Iranian Botnet Operation Exposed via Open Directory</title><link>https://feed.craftedsignal.io/briefs/2024-01-iranian-botnet/</link><pubDate>Tue, 17 Mar 2026 19:15:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-iranian-botnet/</guid><description>An Iranian botnet operation utilizing a 15-node relay network and active C2 infrastructure was exposed through an open directory.</description><content:encoded><![CDATA[<p>A blog post on hunt.io details an Iranian botnet operation discovered through an open directory. The operation involves a 15-node relay network, suggesting a focus on obfuscation and resilience. The existence of an active Command and Control (C2) infrastructure indicates ongoing malicious activity. The exposure of these details allows defenders to gain insights into the botnet&rsquo;s architecture and potentially disrupt its operations. While the specific targeting and malware used remain unclear from this report, the network structure points to a potentially sophisticated actor capable of conducting sustained campaigns. Understanding the C2 communication patterns and relay node infrastructure is crucial for effective defense.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Compromise: Systems are compromised through an unknown initial access vector.</li>
<li>Bot Installation: A bot payload is installed on the compromised systems.</li>
<li>C2 Communication: The bots establish communication with the C2 server to receive commands.</li>
<li>Relay Network Activation: Bots connect to one another, forming the 15-node relay network.</li>
<li>Command Execution: The C2 server issues commands to the bots through the relay network.</li>
<li>Malicious Activity: Bots execute malicious commands; the specific actions are currently unknown.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of this botnet is currently unknown due to limited information, but botnets are commonly used for DDoS attacks, spam campaigns, or credential stuffing. If the botnet achieves its objectives, it could lead to service disruptions, data breaches, or further compromise of systems within targeted networks. The Iranian origin suggests potential geopolitical motivations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for connections to the domain <code>hunt.io</code> as it is related to the botnet operation ([IOC: hunt.io]).</li>
<li>Implement a network connection rule to detect unusual network connections that could indicate the C2 activity or relay network behavior.</li>
<li>Investigate any systems that show signs of unusual network activity or communication with external domains.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>botnet</category><category>iran</category><category>C2</category></item></channel></rss>