Kimwolf Botnet Breaches Home Networks via Proxy Abuse, Infecting Over 2 Million Devices
Security researchers are warning about the rapid expansion of the Kimwolf botnet, which has compromised more than two million devices worldwide by exploiting weaknesses in residential proxy services. Unlike traditional botnets that target systems exposed directly to the internet, Kimwolf tunnels through proxy endpoints to reach devices hidden behind home routers and firewalls. The botnet is heavily concentrated in Android-based devices, particularly unofficial Android TV boxes and digital photo frames that ship with little or no built-in security. Many of these devices either come preloaded with proxy malware or push users to install unverified app stores that introduce additional malicious components. Once infected, devices are forced to relay abusive traffic, conduct ad fraud, support account takeover attempts, and participate in large-scale DDoS attacks. The technique effectively collapses the assumed boundary between the public internet and private local networks.

At the core of Kimwolf's growth is the abuse of proxy services that failed to block connections to internal IP ranges, allowing attackers to pivot directly into the local networks behind the proxy exit nodes. Researchers found that attackers bypassed RFC 1918 filtering by manipulating DNS records so that attacker-controlled hostnames resolved to internal addresses: a proxy that screened the requested hostname rather than the address it resolved to still forwarded the connection, enabling lateral movement across devices on the private network. The threat is compounded by Android Debug Bridge (ADB) being enabled by default on many unofficial Android TV boxes, which grants unauthenticated, shell-level administrative access to anyone on the local network. Evidence shows Kimwolf operators monetizing the botnet through proxy resale, paid app installs, and on-demand DDoS services, underscoring its commercial scale. Although at least one major proxy provider has since implemented mitigations, the botnet has demonstrated an ability to rebuild rapidly after takedowns.
Organizations should mitigate Kimwolf exposure by prohibiting residential proxy software on enterprise networks, isolating or blocking unmanaged Android and IoT devices at the network edge, disabling ADB access, and enforcing egress controls to prevent internal network access through proxy endpoints.
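The proxy weakness described above and the egress control recommended against it can be shown side by side. The following Python is an added example, not code from the original report or from any proxy vendor: it contrasts a flawed egress check that only screens a literal IP address in the request with a hardened check that resolves the hostname first, validates every returned address against the private and link-local ranges, and returns the single vetted IP the proxy must then connect to. The hostnames, the resolver answers and the blocked-range list are constructed for the example; the hardened check is a general pattern and is not a description of any specific provider's fix.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Ranges a forward proxy must never connect to on a customer's behalf:
# RFC 1918, loopback, link-local (covers cloud metadata 169.254.169.254),
# CGNAT, "this network", and the IPv6 equivalents. List is an assumption.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], List[str]]  # hostname -> list of IP strings


def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:192.168.1.20) so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)


def weak_egress_check(url: str) -> bool:
    """The flawed pattern: screen the host only when it is a literal IP.
    A hostname whose A record points at 192.168.1.20 is waved through."""
    host = urlsplit(url).hostname or ""
    try:
        return not is_blocked(host)
    except ValueError:          # not a literal IP -> assumed public (the bug)
        return True


def hardened_egress_target(url: str, resolve: Resolver) -> str:
    """Resolve first, validate every answer, and return the one vetted IP the
    proxy must then connect to, so a second lookup cannot swap in a private
    address between the check and the connect."""
    host = urlsplit(url).hostname or ""
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        ips = resolve(host)
    if not ips:
        raise ValueError(f"{host}: no addresses")
    for ip in ips:
        if is_blocked(ip):
            raise ValueError(f"{host} -> {ip} is in a blocked range")
    return ips[0]


def hardened_allows(url: str, resolve: Resolver) -> bool:
    try:
        hardened_egress_target(url, resolve)
        return True
    except ValueError:
        return False


def system_resolver(host: str) -> List[str]:
    """Real resolver for production use (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS answers standing in for attacker-controlled records.
# The hostnames are placeholders, not real Kimwolf infrastructure.
FAKE_DNS: Dict[str, List[str]] = {
    "cdn.example.net": ["203.0.113.10"],
    "rebind.attacker.example": ["192.168.1.20"],             # points into the LAN
    "mixed.attacker.example": ["203.0.113.10", "10.0.0.5"],  # one public, one private
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Both checks on the same targets (5555 is the ADB-over-TCP port)."""
    targets = [
        "http://192.168.1.20:5555/",
        "http://rebind.attacker.example:5555/",
        "http://mixed.attacker.example/",
        "http://[::ffff:10.0.0.5]/",
        "http://cdn.example.net/",
    ]
    return {u: (weak_egress_check(u), hardened_allows(u, fake_resolver)) for u in targets}


if __name__ == "__main__":
    for url, (weak, hard) in demo().items():
        print(f"{url:40s} weak={weak!s:5s} hardened={hard}")
```

The important design point is that the hardened check returns the address it validated and expects the proxy to connect to that address, not to re-resolve the hostname; a check that validates and then lets the connection layer resolve again is still open to a record that changes between the two lookups. Any mixed answer (one public address, one private) is rejected outright rather than picking the public one.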
Attackers Exploit Google Cloud Workflows to Deliver Authenticated Phishing at Scale
Threat researchers have identified a growing wave of phishing campaigns that abuse Google's own cloud automation and notification services to deliver malicious emails from fully legitimate Google infrastructure. In December 2025 alone, more than 3,000 organizations were targeted with phishing messages that passed traditional email security controls precisely because the messages were, technically, authentic. Rather than spoofing Google branding or domains, attackers operated directly within trusted Google services, so their messages passed SPF, DKIM, and DMARC checks without raising any flags. The emails impersonated routine enterprise workflows, including Google Tasks notifications, voicemail alerts, and file access requests, exploiting user familiarity with automated SaaS communications. Call-to-action links initially pointed to Google Cloud Storage or googleusercontent URLs, further reinforcing legitimacy and reducing suspicion.

This approach represents a structural shift in phishing tactics: attackers exploit trusted workflow platforms rather than impersonate them. The attack chain relied on high-fidelity impersonation of Google workflow notifications, contextual abuse of Google services, and multi-stage redirection that ultimately harvested credentials on attacker-controlled pages. Security teams observed that legitimate Google Tasks workflows never use Cloud Storage URLs for user actions, a subtle but critical behavioral mismatch that defenders can use for detection. Analysts also linked this activity to similar campaigns abusing Google Cloud Application Integration and Google AppSheet, reinforcing that this is not an isolated incident. Researchers emphasize that Google's infrastructure was not compromised; instead, attackers misused legitimate automation features intended for business workflows.
Organizations should mitigate this threat by treating SaaS-originated emails as untrusted by default, enforcing intent-based email inspection, restricting credential entry to known corporate domains, and blocking interaction-driven workflows that originate from external cloud automation services despite valid authentication.
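The behavioral mismatch noted above (an authenticated Google notification whose call-to-action goes to user-publishable Google storage) is the kind of intent-based check the mitigation calls for. The following Python is an added example and not code from the original report or from any email security product: it parses a message with the standard library, reads the DKIM result our own MX stamped into Authentication-Results, collects the links in the body, and flags the message when the sender authenticated as google.com yet any link points at a Google-owned host where arbitrary customers can publish content. The two sample messages, the sender addresses in them, and the exact list of user-content hosts are constructed assumptions for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Google-owned hosting surfaces where any Cloud customer can publish content.
# A genuine Tasks/Workspace notification never sends the recipient there for
# an action (the mismatch the report describes). Host list is an assumption.
USER_CONTENT_HOSTS = {"storage.googleapis.com", "storage.cloud.google.com"}
USER_CONTENT_SUFFIXES = (".googleusercontent.com", ".storage.googleapis.com")


class _LinkParser(HTMLParser):
    """Collects href targets of <a> tags from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(msg) -> List[str]:
    links: List[str] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = _LinkParser()
            parser.feed(part.get_content())
            links.extend(parser.links)
        elif ctype == "text/plain":
            links.extend(re.findall(r"https?://[^\s<>\"']+", part.get_content()))
    return links


def is_user_content_host(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return host in USER_CONTENT_HOSTS or host.endswith(USER_CONTENT_SUFFIXES)


def dkim_passed_for(msg, domain: str) -> bool:
    """Trust only the Authentication-Results header our own MX stamped."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    pattern = rf"dkim=pass\b[^;]*header\.(?:d=|i=@){re.escape(domain)}\b"
    return re.search(pattern, results, re.I) is not None


def classify(raw: bytes) -> Dict[str, object]:
    """Flag an authenticated Google notification whose call-to-action points
    at user-publishable Google storage instead of the originating service."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    authenticated = dkim_passed_for(msg, "google.com")
    links = extract_links(msg)
    bad = [u for u in links if is_user_content_host(u)]
    verdict = "suspicious" if authenticated and bad else "clean"
    return {"authenticated": authenticated, "links": links,
            "suspicious_links": bad, "verdict": verdict}


# Constructed messages, not real campaign samples. The Authentication-Results
# line mimics what a receiving MX adds; sender and bucket names are placeholders.
PHISH_SAMPLE = b"""\
Authentication-Results: mx.example.com; dkim=pass header.i=@google.com header.s=20230601; spf=pass smtp.mailfrom=google.com; dmarc=pass header.from=google.com
From: Google Tasks <noreply@google.com>
To: victim@example.com
Subject: New task assigned: Review shared invoice
Content-Type: text/html; charset="utf-8"

<html><body><p>A task was assigned to you.</p>
<a href="https://storage.googleapis.com/bucket-1a2b3c/open-task.html">View task</a>
</body></html>
"""

CLEAN_SAMPLE = b"""\
Authentication-Results: mx.example.com; dkim=pass header.i=@google.com header.s=20230601
From: Google Calendar <noreply@google.com>
To: victim@example.com
Subject: Reminder: Weekly report
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://calendar.google.com/">Open calendar</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, classify(sample))
```

The rule deliberately keys on the DKIM result rather than on the From header: a message that fails authentication is already handled by ordinary controls, and the point of this check is the case those controls wave through. In a real mail pipeline the host list should be extended to every customer-publishable surface of each SaaS platform the organization accepts notifications from.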
Finnish Authorities Detain Cargo Vessel in Suspected Undersea Cable Sabotage Case
Finnish police have seized a cargo vessel suspected of deliberately damaging an undersea telecommunications cable linking Helsinki and Estonia, escalating concerns over the security of critical infrastructure in the Baltic Sea. The ship, Fitburg, was traveling from St. Petersburg to Haifa under a St. Vincent and the Grenadines flag when authorities intervened after the cable operator detected a fault. According to reporting, the damage did not disrupt customer services, as traffic was rapidly rerouted to maintain continuity. Finnish coastguard units, including a helicopter and patrol ship, located the vessel dragging its anchor along the seabed near the damaged cable. All 14 crew members were detained as part of a joint law enforcement operation. Police confirmed the investigation covers aggravated disruption of telecommunications and aggravated sabotage, including attempted sabotage. The incident adds to a growing pattern of cable disruptions in the Baltic Sea that Western officials increasingly frame as potential hybrid warfare activity linked to Russia. Finnish President Alexander Stubb stated that Finland is prepared to respond to a wide range of security challenges, underscoring the national security implications of the case. Authorities declined to speculate on state involvement, emphasizing that conclusions would be based on evidence gathered during the criminal investigation. Estonia separately reported an outage affecting a second cable connection with Finland, further heightening regional concern. NATO has previously warned that undersea cables represent critical infrastructure vulnerable to sabotage and non-kinetic attacks. The European Commission said it is closely monitoring the situation and stands ready to respond to hybrid threats targeting European infrastructure.
VVS Discord Stealer Uses Pyarmor Obfuscation to Evade Detection and Hijack Accounts
Researchers at Palo Alto Networks have identified renewed activity tied to VVS Stealer, a Python-based infostealer that targets Discord users and relies on heavy obfuscation and stealthy execution. The malware is distributed as a PyInstaller package and protected with Pyarmor, which significantly complicates static analysis and signature-based detection. By using Pyarmor's AES-128-CTR encryption and BCC compilation mode, the stealer conceals its core logic and embedded strings, defeating many signature-based controls. Analysis shows the malware specifically targets Discord authentication tokens, browser-stored credentials, and session data across a wide range of Chromium- and Firefox-based browsers. The use of legitimate tooling for obfuscation reflects a broader trend in which commodity malware adopts techniques historically associated with more advanced threats; VVS Stealer is a mature, stealthy infostealer rather than an experimental or low-effort operation.

Once active, VVS Stealer performs full Discord session hijacking by injecting malicious JavaScript directly into the Discord desktop client, enabling persistent monitoring of user actions and credential changes. The malware extracts encrypted Discord tokens from the client's local LevelDB files, decrypts them using keys protected by the Windows Data Protection API (DPAPI), and queries Discord APIs for extensive account metadata, including billing details and MFA status. Stolen data is exfiltrated via Discord webhooks, a low-friction abuse vector that avoids the need for dedicated command-and-control infrastructure. Beyond Discord, the stealer harvests browser passwords, cookies, autofill data, and history, compressing the results into archives for bulk exfiltration. To maintain access, it copies itself into the Windows Startup folder and displays fake fatal error messages to deflect user suspicion during execution.
Defenders should mitigate VVS Stealer activity by blocking unauthorized Python-based (PyInstaller-packed) executables, monitoring for injection into the Discord desktop client and for Startup-folder persistence, restricting outbound webhook communications, and educating users to avoid installing untrusted tools promoted via Telegram or Discord communities.
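Two of the behaviors above, exfiltration over Discord webhooks and the Startup-folder copy, leave simple telemetry traces. The following Python is an added example, not code from the Palo Alto Networks report or from any EDR product: it runs two detection rules over constructed JSON-lines endpoint events (Sysmon-style process, file and network fields), flags any process that POSTs to the Discord webhook endpoint unless its image is on an allowlist, and flags any process that creates a file inside a per-user Startup folder. The event format, field names, image paths and webhook IDs are all assumptions made for the example and are not indicators from the report.

```python
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

DISCORD_API_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
# Webhook execute endpoint: /api[/vN]/webhooks/<id>/<token>
WEBHOOK_PATH_RE = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[\w-]+", re.I)
# Per-user Startup folder on Windows (any drive, any user profile).
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)


def is_webhook_post(ev: dict) -> bool:
    """True for a POST to a Discord webhook URL in a network event."""
    if ev.get("type") != "net" or ev.get("method", "").upper() != "POST":
        return False
    u = urlsplit(ev.get("url", ""))
    return (u.hostname or "").lower() in DISCORD_API_HOSTS and bool(WEBHOOK_PATH_RE.match(u.path))


def is_startup_drop(ev: dict) -> bool:
    """True for a file-create event whose target sits in a Startup folder."""
    return (ev.get("type") == "file" and ev.get("op") == "create"
            and STARTUP_DIR_RE.search(ev.get("path", "")) is not None)


def analyze(events_jsonl: str, webhook_allowlist: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return {image_path: [signal, ...]} for every process that tripped a rule.
    Processes on webhook_allowlist (e.g. a CI notifier) may post to webhooks."""
    allowed = {p.lower() for p in webhook_allowlist}
    findings: Dict[str, List[str]] = defaultdict(list)
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = ev.get("image", "?")
        if is_webhook_post(ev) and image.lower() not in allowed:
            findings[image].append("discord-webhook-post")
        if is_startup_drop(ev):
            findings[image].append("startup-folder-persistence")
    return dict(findings)


# Constructed EDR-style events (JSON lines). Paths, PIDs and webhook IDs are
# placeholders for the example, not real indicators.
SAMPLE_EVENTS = r"""
{"type":"file","pid":4321,"image":"C:\\Users\\bob\\Downloads\\nitro_gen.exe","op":"create","path":"C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\nitro_gen.exe"}
{"type":"net","pid":4321,"image":"C:\\Users\\bob\\Downloads\\nitro_gen.exe","method":"POST","url":"https://discord.com/api/webhooks/1234567890123/abcDEF_ghi-JKL"}
{"type":"net","pid":777,"image":"C:\\Users\\bob\\AppData\\Local\\Discord\\app-1.0.9\\Discord.exe","method":"GET","url":"https://discord.com/api/v9/users/@me"}
{"type":"net","pid":900,"image":"C:\\Program Files\\ci-notify\\notify.exe","method":"POST","url":"https://discord.com/api/webhooks/555/buildtoken"}
"""

if __name__ == "__main__":
    for image, signals in analyze(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(signals)}")
```

The webhook rule matches on the URL path rather than on the host alone, because the Discord client itself talks to discord.com constantly and only the /api/webhooks/ execute path is the exfiltration channel. A process that trips both signals in the same session is a far stronger lead than either alone, which is why the function reports signals per image rather than emitting one alert per event.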