05.19 Security News | New HTTPBot Botnet Launches Over 200 Targeted DDoS Attacks Against China’s Gaming and Technology Industries

05.19

Hack News Summary

01.New HTTPBot Botnet Launches Over 200 Targeted DDoS Attacks Against China’s Gaming and Technology Industries

The Windows botnet HTTPBot, written in Golang, has been active since 2024, launching over 200 high-precision DDoS attacks targeting login/payment interfaces of Chinese gaming companies, technology enterprises, and educational platforms. Key technical features include:

  • Stealth and persistence: hides its process window, persists through a registry HKCU\…\Run entry, and forges SHA1 certificate signatures;

  • Targeted attack modules:

    • BrowserAttack: headless Chrome simulates legitimate traffic (over 5000 concurrent threads per node);

    • WebSocketAttack: exhausts server resources through long-lived connections over the ws:// protocol;

    • API targeted strikes: launches HTTP/2 flood attacks against critical business interfaces (e.g., /game/match);

  • Traffic obfuscation: dynamically alters HTTP headers (e.g., User-Agent) to bypass rule-based detection.

Attack peaks reached 1.2 Tbps, with mixed-protocol loads crippling real-time services. Defense recommendations: deploy AI-based anomalous traffic analysis, strengthen API call frequency control, and implement a zero-trust architecture to isolate the attack surface.
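One detection angle for the header-rotation behaviour described above, as an added example that is not part of the original digest: the log lines are constructed, and a client that sends several requests to one endpoint inside a short window under several different User-Agent strings is flagged.

```python
# Added example (not from the article): flag clients that rotate their
# User-Agent while hammering one endpoint, the HTTPBot pattern described above.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Nginx "combined" format).
SAMPLE_LOG = """\
203.0.113.10 - - [19/May/2025:10:00:00 +0000] "POST /game/match HTTP/2.0" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
203.0.113.10 - - [19/May/2025:10:00:00 +0000] "POST /game/match HTTP/2.0" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
203.0.113.10 - - [19/May/2025:10:00:01 +0000] "POST /game/match HTTP/2.0" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.10 - - [19/May/2025:10:00:01 +0000] "POST /game/match HTTP/2.0" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [19/May/2025:10:00:02 +0000] "GET /game/match HTTP/2.0" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
198.51.100.7 - - [19/May/2025:10:00:30 +0000] "GET /news HTTP/2.0" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return {'ip', 'ts', 'path', 'ua'} for one combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_ua_rotators(log_text, window_seconds=60, min_requests=3, min_agents=3):
    """Map ip -> (path, requests, distinct_user_agents) for clients sending >= min_requests
    to one path within window_seconds under >= min_agents different User-Agent strings.
    A real browser keeps one UA per session, so per-request rotation is a cheap flood signal."""
    per_client = defaultdict(list)                  # (ip, path) -> [(ts, ua), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[(rec["ip"], rec["path"])].append((rec["ts"], rec["ua"]))
    flagged = {}
    for (ip, path), events in per_client.items():
        events.sort()
        start = 0                                   # sliding window over sorted events
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            agents = {ua for _, ua in window}
            if len(window) >= min_requests and len(agents) >= min_agents:
                flagged[ip] = (path, len(window), len(agents))
    return flagged
```

Thresholds are deliberately low for the six sample lines; on production logs they should be tuned per endpoint alongside the rate limits the article recommends.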

02.New Chrome Vulnerability Enables Cross-Origin Data Leakage via Loader Referrer Policy

Google fixed a high-risk vulnerability (CVE-2025-4664, CVSS 4.3) in the Chrome browser in May 2025, stemming from a policy enforcement flaw in the loader component when handling Link headers for sub-resource requests. Attackers can craft a specially designed HTML page that sets the “unsafe-url” referrer policy and thereby captures the complete query parameters of cross-origin requests, leaking sensitive data such as identity tokens and potentially resulting in full account takeover. The vulnerability was fully disclosed by its discoverer, Vsevolod Kokorin, on the X platform, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to the Known Exploited Vulnerabilities catalog, requiring federal agencies to patch it promptly. Users are advised to upgrade to Chrome 136.0.7103.113/.114 (Windows/Mac) or 136.0.7103.113 (Linux), and users of other Chromium-based browsers should also apply security updates accordingly.
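To make the leak mechanism concrete, the following is an added example (not code from the article or from Chromium) that computes the Referer value a browser sends under each Referrer-Policy value; it shows that only “unsafe-url” forwards the query string to a cross-origin destination, while the browser default truncates to the origin. The URLs in the test are constructed.

```python
# Added example (not from the article): what a browser's Referer header reveals
# under each Referrer-Policy value. "unsafe-url" forwards the full URL, query
# string included, which is the leak the Chrome bug exposes cross-origin.
from urllib.parse import urlsplit, urlunsplit

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def strip_for_referrer(url):
    """Referrers never carry credentials or the fragment; path and query stay."""
    p = urlsplit(url)
    host = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

def compute_referrer(policy, source_url, destination_url):
    """Return the Referer value sent from source_url to destination_url under
    `policy` (the Referrer Policy spec's rules), or None for no referrer."""
    same_origin = origin(source_url) == origin(destination_url)
    downgrade = (urlsplit(source_url).scheme == "https"
                 and urlsplit(destination_url).scheme == "http")
    full, src_origin = strip_for_referrer(source_url), origin(source_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full                                 # everything, cross-origin too
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return src_origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else src_origin
    if policy == "strict-origin":
        return None if downgrade else src_origin
    if policy in ("strict-origin-when-cross-origin", ""):   # "" = browser default
        if same_origin:
            return full
        return None if downgrade else src_origin
    raise ValueError(f"unknown referrer policy {policy!r}")

def leaks_query(policy, source_url, destination_url):
    """True when source_url's query string (where tokens often sit) reaches destination_url."""
    ref = compute_referrer(policy, source_url, destination_url)
    return ref is not None and "?" in ref
```

The practical defence the table makes visible: keep tokens out of query strings and send an explicit strict Referrer-Policy header rather than relying on the loader to honour the default.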

03.Researchers Uncover New Intel CPU Vulnerabilities: Triggering Memory Leaks and Spectre v2 Attacks

A research team disclosed three new security vulnerabilities in Intel processors, involving race conditions in the branch predictor and shared state in microarchitectural predictors. The BPI (Branch Privilege Injection, CVE-2024-45332) vulnerability exploits errors in branch prediction calculations during privilege transitions, allowing unprivileged attackers to steal sensitive cache and memory data across security domains. The Training Solo attack (CVE-2024-28956/CVE-2025-24495) achieves kernel memory leakage at a rate of up to 17KB/s through indirect target selection and defects in the branch prediction unit of the Lion Cove architecture, reactivating the Spectre v2 attack chain across privilege levels (user mode to kernel mode, virtual machine to host). Although Intel has deployed microcode updates, all modern Intel processors face an expanded attack surface, and AMD has also updated its defense recommendations for classic BPF (cBPF) components. This series of vulnerabilities (CVSS 5.7-6.8) once again exposes deep security risks in the speculative execution mechanisms of modern processors.

04.Malicious npm Package Utilizes Unicode Steganography and Google Calendar as C2 Delivery Mechanism

A research team disclosed a malicious npm package named “os-info-checker-es6” that employs a staged attack architecture. The initial version (released on March 19) masquerades as a system information tool to evade detection, while the updated version of May 7 implements a steganographic attack through preinstall scripts that parse Unicode Private Use Area characters. The attack payload dynamically resolves the C2 address (decoded to 140.82.54.223) via Google Calendar short links, building a “legitimate service relay” mechanism to evade network-layer detection. This attack chain is associated with dependencies such as skip-tot and features multi-stage payload delivery. Currently, C2 communication is silent, suggesting possible activation gates such as device fingerprint verification. Veracode points out that such attacks highlight the need to strengthen software supply chain defenses, including post-install script monitoring, CI/CD log auditing, and dynamic behavior analysis capabilities.
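As an added example of the monitoring Veracode calls for (not code from the article or from any named vendor), the scanner below checks an unpacked package for the two signals this item describes: install-time lifecycle hooks and Unicode Private Use Area code points that render as blank but can carry an encoded payload. The sample package, its name and the hidden run are constructed; the real package's encoding scheme is not described on the page and is not reproduced.

```python
# Added example (not from the article): scan an unpacked npm package for the two
# signals described above: install-time lifecycle hooks, and Unicode Private Use
# Area code points that render as blank but can carry an encoded payload.
import json
import re

# Private Use Area ranges: the BMP block plus the two supplementary planes.
PUA_RE = re.compile(r"[\ue000-\uf8ff\U000f0000-\U000ffffd\U00100000-\U0010fffd]")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def find_pua(text):
    """Return (count, offset_of_first_hit) for Private Use Area characters in text."""
    hits = list(PUA_RE.finditer(text))
    return len(hits), (hits[0].start() if hits else None)

def scan_package(files):
    """`files` maps path -> file content for an unpacked tarball. Returns a list
    of finding strings; an empty list means neither signal was seen."""
    findings = []
    scripts = json.loads(files.get("package.json", "{}")).get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:                   # code that runs at `npm install` time
            findings.append(f"lifecycle hook {hook}: {scripts[hook]}")
    for path, content in files.items():
        if not path.endswith((".js", ".mjs", ".cjs", ".json")):
            continue
        count, offset = find_pua(content)
        if count:
            findings.append(f"{path}: {count} Private Use Area chars at offset {offset}")
    return findings

# Constructed sample package: seven PUA characters hidden in a string literal
# (the real package carried a much longer run) behind a preinstall hook.
HIDDEN = "".join(chr(0xE000 + b) for b in b"example")
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "sample-pkg",
                                "scripts": {"preinstall": "node preinstall.js"}}),
    "preinstall.js": 'const os = require("os");\nconst marker = "|' + HIDDEN + '";\n'
                     'module.exports = os.platform();\n',
    "index.js": 'module.exports = require("os").platform();\n',
}
```

Either finding alone is common in benign packages; the combination of a preinstall hook and a PUA run in the file it executes is what merits a manual look before the package reaches CI.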

05.PowerShell-Based Fileless Remcos Trojan Attacks via LNK Files and MSHTA

Researchers disclosed a new fileless Remcos remote access Trojan attack, starting with a ZIP archive containing a malicious Windows shortcut (LNK) file that masquerades as a tax-themed Office document to entice users to extract it. The LNK file calls the system component mshta.exe to execute an obfuscated HTA file (xlab22.hta) hosted on a remote server, triggering multi-layer VBScript code that downloads a PowerShell script and implants it in the registry startup items. The PowerShell script uses dynamic decoding techniques to generate a shellcode loader that deploys the Remcos RAT payload (a modular 32-bit binary compiled with Visual Studio C++) directly in memory; the payload is capable of system metadata theft, keystroke logging, screen capture, and clipboard monitoring, and maintains C2 communication through a TLS-encrypted channel to the domain “readysteaurants[.]com”. This attack marks a notable combination of the fileless techniques (process hollowing, registry persistence) already used in phishing campaigns themed around November 2024 orders with LNK/MSHTA proxy execution, forming a stealthier attack pattern. Security experts note that such attacks are increasingly combining AI technologies to achieve polymorphic transformations, dynamically modifying email subjects and content to bypass traditional email filters.

06.Russian APT28 Group Exploits MDaemon Zero-Day Vulnerability to Attack Government Email Servers

Slovak cybersecurity company ESET disclosed that the Russia-linked APT28 advanced persistent threat group (also known as Fancy Bear) has been conducting a cyber espionage operation codenamed “RoundPress” since 2023, exploiting a zero-day vulnerability (CVE-2024-11182, CVSS 5.3) in the MDaemon email system and XSS vulnerabilities in webmail platforms such as Roundcube, Horde, and Zimbra. The attack uses spear-phishing emails to deliver malicious JavaScript payloads; the vulnerability is triggered when victims view the email in an unpatched webmail interface, executing the SpyPress malicious script, which steals email credentials, email metadata, and two-factor authentication codes and can create Sieve filtering rules for automatic email exfiltration. The primary victims include Ukrainian government agencies, Eastern European defense enterprises, and government departments in various countries in Africa and South America. The attack infrastructure shows tactical overlaps with previous APT28 operations, highlighting the strategic value of webmail vulnerabilities in APT attacks. The U.S. CISA added the relevant vulnerabilities to the Known Exploited Vulnerabilities catalog in February 2024.

07.Meta Plans to Use EU User Data for AI Training Without Consent Starting May 27

Meta announced that starting May 27, 2025, it will use publicly available data from adult EU users of Facebook and Instagram for AI model training on the basis of the “legitimate interests” clause under GDPR, without explicit user consent (opt-in). The Austrian privacy rights organization noyb has issued a warning to Meta’s Irish headquarters, alleging that the plan poses three GDPR compliance risks: first, AI training does not meet the applicability requirements of GDPR Article 6(1)(f) on “legitimate interests”; second, users can only exercise their opt-out rights through non-obvious paths, and only before model training begins; and third, even though the data of 10% of consenting users would suffice for multilingual model training, Meta insists on collecting all data. Meta’s official statement emphasizes that it has provided a compliant objection mechanism, but noyb cites a precedent in which EU regulators forced the company to change its legal basis for targeted advertising data processing from “legitimate interests” to “user consent”, questioning the credibility of its compliance commitments. This controversy coincides with a recent ruling by the Belgian Court of Appeal, which found that the “Transparency and Consent Framework (TCF)” used by companies such as Google and Microsoft violates GDPR data processing principles, indicating a tightening regulatory environment for data in the EU.
