  Botnets Exploit Wazuh Vulnerability for Mirai-Based Attacks
Posted by: Preeminence - 06-10-2025, 01:16 PM - Forum: Botnets - No Replies

Threat actors are actively exploiting CVE-2025-24016, a critical remote code execution vulnerability in Wazuh servers, to deploy two distinct Mirai-based botnets for distributed denial-of-service (DDoS) attacks. Akamai first identified the malicious activity in late March 2025, shortly after the public disclosure of the vulnerability and a proof-of-concept (PoC) exploit. The flaw, affecting versions 4.4.0 and later, was patched in February 2025 with version 4.9.1, but attackers continue to exploit unpatched systems.

The first botnet delivers the LZRD Mirai variant, previously observed targeting IoT devices. Infrastructure analysis uncovered additional Mirai variants, including "neon" and "vision," along with exploits targeting Hadoop YARN and various router vulnerabilities.

The second botnet deploys the Resbot variant and appears to have connections to Italian-language domains, suggesting a campaign possibly targeting Italian-speaking users. It leverages multiple exploits against Huawei, Realtek, and ZyXEL routers.

Researchers note that Mirai propagation remains persistent, with attackers frequently repurposing older exploits and incorporating newly disclosed vulnerabilities, including CVE-2024-3721.
Globally, botnet activity continues to rise, especially in the APAC region and among IoT devices, contributing to an increase in sophisticated cyberattacks. Additionally, the FBI has warned about the BADBOX 2.0 botnet, which has infected millions of devices to create proxy networks for cybercriminals.

Source: https://thehackernews.com/2025/06/botnet...ility.html


  Hackers discover Nintendo Switch 2 exploit one day after launch
Posted by: Preeminence - 06-07-2025, 10:20 PM - Forum: Tools, Programs & Exploits - No Replies

https://www.tomshardware.com/video-games...-top-of-os


  New member joined
Posted by: Slopes - 06-06-2025, 06:06 PM - Forum: Lounge Discussion - Replies (3)

Just started my journey into hacking—been reading and watching tutorials nonstop. I joined ExploitForums because it feels like the right place to learn the real stuff, not just surface-level fluff. Hoping to master privilege escalation and basic web exploits soon. Open to mentorships or study partners!


  Hello, new here
Posted by: Kingpin - 06-06-2025, 05:58 PM - Forum: Lounge Discussion - Replies (30)

Hey everyone, I'm Kingpin. I’ve always been fascinated by the digital underworld but only recently started diving into exploits and reverse engineering. I’m here to soak up knowledge like a sponge. I hope to one day give back what I learn. Any guidance from experienced members would mean the world.


  Best ways to stay anonymous on Discord?
Posted by: Kingpin - 06-06-2025, 05:55 PM - Forum: Beginner Hacking - Replies (34)

What are some of the ways that one can stay anonymous on Discord?


  Roundcube Exploit - How to protect your server!
Posted by: Adamantium - 06-06-2025, 01:13 AM - Forum: OSINT & OpSec Methods - No Replies

There has recently been news of an exploit (CVE-2025-49113) for sale that allows an attacker to exploit mail applications running RoundCube. The exploit existed for over a decade and impacts RoundCube webmail versions 1.1.0 through 1.6.10.

Well-known hosting providers such as GoDaddy, Hostinger, Dreamhost, OVH and Bluehost provide the RoundCube webmail application, often bundled with cPanel and Plesk control panels.

Positive Technologies, in a post published on X, said it was able to reproduce CVE-2025-49113, urging users to update to the latest version of Roundcube as soon as possible.

"This vulnerability allows authenticated users to execute arbitrary commands via PHP object deserialization," the Russian cybersecurity company

To protect yourself, they urge users to update to the latest version of RoundCube.


  BladedFeline malware hits Middle Eastern countries
Posted by: Preeminence - 06-05-2025, 08:16 PM - Forum: Ransomeware, Malware & Viruses - No Replies

In early 2024, cybersecurity researchers attributed a new wave of cyberattacks to BladedFeline, an Iran-aligned hacking group believed to be a sub-cluster of the well-known Iranian APT group OilRig. The group has been actively targeting Kurdish and Iraqi government officials, with operations dating back to at least 2017. According to ESET, which uncovered and analyzed the activity, BladedFeline focuses on long-term access and espionage, developing and deploying a range of custom malware to infiltrate and maintain control over high-value networks. The group has been linked to sophisticated backdoors such as Shahmaran, Whisper, Spearal, and Optimizer, as well as tunneling tools like Laret and Pinar, and the passive IIS module PrimeCache. These tools are used to exfiltrate diplomatic and financial data, likely in alignment with Iranian strategic interests. Notably, attacks have also extended to telecommunications infrastructure in Uzbekistan and government systems in Azerbaijan. The campaign reflects a persistent and well-resourced effort to monitor and influence regional politics, particularly the Kurdish Regional Government's (KRG) relationships with Western powers and Iraq’s evolving post-conflict governance. While the initial access vector remains uncertain, the consistent targeting patterns underscore Iran’s continued reliance on cyber espionage as a means of projecting regional influence.


  The Rise and Fall of IoT Botnets
Posted by: Adamantium - 06-05-2025, 08:12 PM - Forum: Botnets - Replies (3)

From 2013 to 2020, the internet experienced what could be called the Golden Age of IoT botnet chaos. Botnets like Mirai, Bashlite, and Aidra took advantage of the explosion in poorly secured Internet of Things (IoT) devices—exploiting default credentials, unpatched firmware, and careless user behavior to build massive networks of hijacked routers, IP cameras, DVRs, and even smart fridges. These compromised devices were turned into digital weapons, capable of launching large-scale attacks that reshaped the landscape of cyberwarfare. One of the most infamous examples was Mirai’s 2016 attack on DNS provider Dyn, which brought down major platforms like Twitter, Netflix, and Reddit with a 1.2 Tbps distributed denial-of-service (DDoS) assault. This incident served as a wake-up call to the world: IoT security was dangerously inadequate, and cybercriminals were profiting from it. At its peak, Mirai infected over 600,000 devices, exposing how vulnerable the backbone of the internet truly was.

The dominance of IoT botnets during this period was fueled by several factors. First, the low-hanging fruit of unsecured devices made them easy targets. Default usernames and passwords like “admin:admin” and open Telnet ports meant that attackers could compromise devices simply by scanning IP ranges. Second, the sheer scale of IoT proliferation played a critical role. By 2020, there were over 20 billion IoT devices connected to the internet, many of which were never patched or updated—giving botnets a virtually unlimited pool of potential recruits. Third, profit became a major motivator. Botnets evolved into a service industry, with offerings like “Mirai as a Service” allowing even unskilled users to launch DDoS attacks for as little as $19.99 a month.

However, the era of unchecked IoT botnet growth eventually came to an end due to a combination of law enforcement, vigilante malware, and improved security practices. Authorities arrested the original creators of Mirai in 2017, although the botnet's source code had already been made public, leading to numerous variants. Meanwhile, vigilante efforts emerged in the form of malware like Hajime and BrickerBot, which actively sought to disable infected devices to prevent them from being used in more harmful attacks. Additionally, ISPs and manufacturers began to implement mandatory firmware updates and improve default security settings, while regulatory pressure further encouraged better cybersecurity practices across the industry.

Although the original wave of IoT botnets has subsided, the threat has not disappeared—it has evolved. Modern botnets like Mozi and DarkNexus now target enterprise-level hardware and hide their command-and-control infrastructure behind peer-to-peer networks, making them harder to detect and shut down. While the chaotic, wide-open days of IoT exploitation may be over, today’s threats are stealthier and more sophisticated. 

The question remains: did IoT botnets truly peak in 2016, or are we simply entering a new, smarter phase of cyber warfare?


  U.S. Department Seizes Domains connected to Carding Marketplace
Posted by: Adamantium - 06-05-2025, 08:04 PM - Forum: World & Tech News - No Replies

The U.S. Department of Justice (DoJ) has seized approximately 145 clearnet and dark web domains linked to the illicit carding marketplace known as BidenCash. This platform facilitated the buying and selling of stolen credit card information and personal data, generating at least $17 million in revenue since its inception in March 2022. BidenCash reportedly supported over 117,000 customers and trafficked more than 15 million payment card numbers and associated personal information. Notably, between October 2022 and February 2023, the platform released 3.3 million stolen credit cards for free to promote its services, with about half of the 2.1 million cards released in February 2023 belonging to U.S.-based individuals or entities.
The marketplace also specialized in selling compromised credentials and offered services such as advertising SSH access for as low as $2, along with packages to assess target servers for vulnerabilities. These offerings posed significant risks, enabling threat actors to conduct activities like data exfiltration, brute-force attacks, ransomware deployment, and unauthorized cryptocurrency mining.
The takedown was part of an international operation led by the U.S. Secret Service and the FBI, in collaboration with the Dutch Politie, the Shadowserver Foundation, and Searchlight Cyber. While the DoJ has not disclosed the value of the confiscated cryptocurrency funds or identified the operators of BidenCash, this action underscores the ongoing efforts of global law enforcement agencies to dismantle cybercriminal infrastructures and protect individuals from identity theft and financial fraud.

Read more here.


  50+ Google Corporate Email Leads (Unclean)
Posted by: Adamantium - 06-05-2025, 07:07 PM - Forum: Member Sales Marketplace - Replies (1)


