Cybersecurity researchers recently confirmed the existence of Zergeca, a powerful botnet written in Golang. Unlike typical DDoS botnets, Zergeca boasts an impressive array of capabilities, including support for six different attack methods, proxying, scanning, self-upgrading, persistence, file transfer, reverse shell functionality, and sensitive device information collection. QiAnXin XLab, the research team behind the discovery, emphasized the botnet’s sophistication.
“Functionally, Zergeca is not just a typical DDoS botnet; besides supporting six different attack methods, it also has capabilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information.”
Notably, Zergeca employs DNS-over-HTTPS (DoH) for DNS resolution of its command-and-control (C2) server and communicates via the Smux library. Despite its previous association with the Mirai botnet in 2023, Zergeca continues to evolve, with its creators actively developing and updating it to support new commands.
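From the defender's side, a bot that resolves its C2 over DoH leaves the monitored resolver blind: the host opens connections to addresses the local DNS logs never handed out. The following is an added example, not code from the researchers or from the malware analysis, that correlates outbound connections with answers seen at the local resolver and flags hosts that talk to a public DoH resolver and then reach destinations no local answer explains. All records are constructed, the record layout is an assumption, and the resolver list is a short illustrative set of public resolvers known to serve DoH, not a complete inventory.

```python
"""Correlate outbound connections with answers seen at the local DNS resolver.
A host whose connections go to addresses that were never resolved through the
monitored resolver is either using hard-coded IPs or resolving elsewhere, for
example over DoH. Added example; all records below are constructed and the
record layout is an assumption, not a real log format."""
from collections import defaultdict
from dataclasses import dataclass

# Public resolvers that also serve DNS-over-HTTPS; an illustrative list only.
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


@dataclass(frozen=True)
class DnsAnswer:
    ts: float      # seconds
    client: str    # host that asked the local resolver
    qname: str
    answer: str    # IP returned


@dataclass(frozen=True)
class Conn:
    ts: float
    client: str
    dst: str
    dport: int


def classify_connections(dns_answers, conns):
    """Return {client: {"resolved": [...], "doh_resolver": [...], "unresolved": [...]}}.
    A connection counts as resolved only if the same client received a DNS
    answer for that destination IP earlier in the log."""
    events = sorted(
        [(a.ts, 0, a) for a in dns_answers] + [(c.ts, 1, c) for c in conns],
        key=lambda e: (e[0], e[1]),   # at equal time, answers sort before connections
    )
    known = defaultdict(set)   # client -> IPs it has resolved so far
    out = defaultdict(lambda: {"resolved": [], "doh_resolver": [], "unresolved": []})
    for _, kind, rec in events:
        if kind == 0:
            known[rec.client].add(rec.answer)
            continue
        if rec.dst in DOH_RESOLVER_IPS and rec.dport == 443:
            out[rec.client]["doh_resolver"].append(rec.dst)
        elif rec.dst in known[rec.client]:
            out[rec.client]["resolved"].append(rec.dst)
        else:
            out[rec.client]["unresolved"].append(rec.dst)
    return dict(out)


def suspicious_clients(report, min_unresolved=2):
    """Clients that contacted a DoH resolver and then reached destinations the
    local resolver never handed out."""
    return sorted(
        c for c, r in report.items()
        if r["doh_resolver"] and len(r["unresolved"]) >= min_unresolved
    )


# Constructed sample: 10.0.0.11 resolves normally; 10.0.0.12 talks to a public
# DoH resolver over 443 and then to addresses no local DNS answer explains.
SAMPLE_DNS = [
    DnsAnswer(1.0, "10.0.0.11", "intranet.example", "203.0.113.80"),
    DnsAnswer(5.0, "10.0.0.11", "updates.example", "203.0.113.81"),
]
SAMPLE_CONNS = [
    Conn(1.2, "10.0.0.11", "203.0.113.80", 443),
    Conn(2.0, "10.0.0.12", "1.1.1.1", 443),
    Conn(2.5, "10.0.0.12", "198.51.100.7", 443),
    Conn(3.0, "10.0.0.12", "198.51.100.9", 8443),
    Conn(4.0, "10.0.0.11", "203.0.113.81", 443),   # answer arrives only at t=5.0
    Conn(5.5, "10.0.0.11", "203.0.113.81", 443),
]

if __name__ == "__main__":
    report = classify_connections(SAMPLE_DNS, SAMPLE_CONNS)
    for client, r in report.items():
        print(client, r)
    print("suspicious:", suspicious_clients(report))
```

The 4.0-second connection from 10.0.0.11 shows the main false-positive source: a cached answer from before the log window looks "unresolved" until the record is refreshed, which is why the verdict also requires a contact with a DoH resolver rather than unresolved destinations alone.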
Record-Breaking DDoS Attack Hits OVHcloud
French cloud computing firm OVHcloud recently faced an unprecedented distributed denial-of-service (DDoS) attack, reaching a staggering rate of 840 million packets per second (Mpps). The attack was distributed globally, but the majority of the malicious traffic originated from just four points of presence (PoPs), all located in the U.S., with three of them on the West Coast. This highlights the adversary’s ability to generate massive packet rates through minimal peering.
The attack combined a TCP ACK flood from 5,000 source IPs with a DNS reflection attack leveraging 15,000 DNS servers for amplification. Sebastien Meriot, an OVHcloud expert, noted a concerning trend: over the past 18 months, large-scale attacks exceeding 1 Tbps have become almost daily occurrences, with the highest observed bit rate reaching approximately 2.5 Tbps. This escalation poses significant challenges for anti-DDoS infrastructure.
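The two components named above leave distinct fingerprints in a packet log: an ACK flood consists of ACK segments that belong to no handshake the target ever saw, and a reflection flood consists of DNS answers for queries the target never sent. The following is an added example, not OVHcloud's code or tooling, that classifies a packet log on exactly those two properties and reports the peak packet rate per one-second bucket. The packet records are constructed in build_sample(), the field layout is an assumption, and the thresholds are illustrative.

```python
"""Offline classifier for the two flood components described above: a TCP ACK
flood from many sources and a DNS reflection flood from many open resolvers.
Added example; the packet records are constructed in build_sample(), not a
real capture, and the field layout is an assumption."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float         # seconds
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "A"
    size: int = 60    # bytes on the wire


def peak_pps(pkts):
    """Highest packet count seen in any one-second bucket."""
    return max(Counter(int(p.ts) for p in pkts).values(), default=0)


def summarize(pkts, target):
    pkts = sorted(pkts, key=lambda p: p.ts)
    syn_seen = set()      # 4-tuples that opened with a SYN to the target
    queries = set()       # (server, client, client_port) of DNS queries the target sent
    orphan_acks = []
    unsolicited_dns = []
    for p in pkts:
        if p.proto == "tcp" and p.dst == target:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":
                syn_seen.add(key)
            elif p.flags == "A" and key not in syn_seen:
                orphan_acks.append(p)            # ACK belonging to no handshake we saw
        elif p.proto == "udp":
            if p.src == target and p.dport == 53:
                queries.add((p.dst, p.src, p.sport))
            elif p.dst == target and p.sport == 53:
                if (p.src, p.dst, p.dport) not in queries:
                    unsolicited_dns.append(p)    # DNS answer nobody asked for
    ack_sources = len({p.src for p in orphan_acks})
    reflectors = len({p.src for p in unsolicited_dns})
    verdicts = []
    if len(orphan_acks) >= 100 and ack_sources >= 20:       # illustrative thresholds
        verdicts.append("tcp_ack_flood")
    if len(unsolicited_dns) >= 100 and reflectors >= 20:
        verdicts.append("dns_reflection")
    return {
        "peak_pps": peak_pps(pkts),
        "orphan_acks": len(orphan_acks),
        "ack_sources": ack_sources,
        "unsolicited_dns": len(unsolicited_dns),
        "reflectors": reflectors,
        "reflected_bytes": sum(p.size for p in unsolicited_dns),
        "verdicts": verdicts,
    }


TARGET = "203.0.113.5"   # constructed victim address


def build_sample():
    """Constructed traffic: one legitimate handshake, one legitimate DNS
    exchange, then a one-second burst of spoofed ACKs and reflected answers."""
    pkts = [
        Pkt(0.00, "203.0.113.10", TARGET, "tcp", 40000, 443, "S"),
        Pkt(0.01, TARGET, "203.0.113.10", "tcp", 443, 40000, "SA"),
        Pkt(0.02, "203.0.113.10", TARGET, "tcp", 40000, 443, "A"),
        Pkt(0.10, TARGET, "203.0.113.53", "udp", 5353, 53, size=60),
        Pkt(0.12, "203.0.113.53", TARGET, "udp", 53, 5353, size=120),
    ]
    for i in range(600):   # ACK flood: 600 segments from 120 spoofed sources
        pkts.append(Pkt(1.0 + i / 600, f"198.51.100.{i % 120 + 1}", TARGET,
                        "tcp", 10000 + i, 443, "A"))
    for i in range(300):   # reflection: 300 large answers from 100 open resolvers
        pkts.append(Pkt(1.0 + i / 300, f"192.0.2.{i % 100 + 1}", TARGET,
                        "udp", 53, 33000 + i, size=1200))
    return pkts


if __name__ == "__main__":
    print(summarize(build_sample(), TARGET))
```

Both checks are stateful (they need the SYN or the query to have passed the sensor first), which is the practical reason mitigation is done at the edge with full flow visibility rather than on a sampled feed.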
GootLoader Malware Enhanced Attack Through New Version Deployment
Threat actors increasingly rely on GootLoader for payload delivery, leading to compromised hosts. Cybereason’s analysis reveals multiple versions of GootLoader, with GootLoader 3 currently active. Associated with the Gootkit banking trojan, GootLoader is now part of Hive0127’s arsenal.
In a recent expansion, Hive0127 introduced GootBot—a command-and-control (C2) and lateral movement tool unique to the group. The attack vector involves hosting GootLoader JavaScript payloads within seemingly innocuous legal documents on compromised websites. Upon execution, the malware establishes persistence through scheduled tasks and executes PowerShell scripts to harvest system information.
Security experts Ralph Villanueva, Kotaro Ogino, and Gal Romano emphasize that attackers exploit SEO poisoning techniques, luring victims into searching for business-related files like contract templates or legal documents.
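The persistence step described above (a JavaScript payload running under a script host, registering a scheduled task, and launching PowerShell to collect system information) can be triaged from task-creation records alone. The following is an added example, not Cybereason's detection content and not a set of GootLoader indicators, that scores such records with three generic heuristics: the task was registered by a script host, the task runs a script out of a user-writable directory, or the task launches PowerShell with hidden, encoded or no-profile switches. The records, their field names and the switch list are constructed or assumed, not a real event schema.

```python
"""Triage of scheduled-task creation records for the persistence pattern
described above. Added example; the records and their field names are
constructed, not a real event schema, and the heuristics are generic."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
USER_WRITABLE = re.compile(r"\\(?:users|programdata|temp|appdata)\\", re.I)
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
# Switches commonly used to run PowerShell quietly; each is a weak signal alone.
PS_QUIET = re.compile(
    r"-(?:e|ec|enc|encodedcommand|nop|noprofile|noni|noninteractive"
    r"|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b",
    re.I,
)


@dataclass(frozen=True)
class TaskEvent:
    task_name: str
    command: str           # executable the task launches
    arguments: str
    creator_process: str   # process that registered the task
    user: str


def task_reasons(ev):
    """List the heuristics a task-creation record trips; empty means nothing odd."""
    reasons = []
    cmd, args, creator = ev.command.lower(), ev.arguments, ev.creator_process.lower()
    if creator.endswith(SCRIPT_HOSTS):
        reasons.append("registered by a script host")
    if cmd.endswith(SCRIPT_HOSTS) and USER_WRITABLE.search(args):
        reasons.append("runs a script from a user-writable path")
    if (POWERSHELL.search(cmd) or POWERSHELL.search(args)) and PS_QUIET.search(args):
        reasons.append("launches PowerShell with hidden/encoded/no-profile switches")
    return reasons


def triage(events, min_reasons=2):
    """Task names that trip at least min_reasons heuristics, in log order."""
    return [ev.task_name for ev in events if len(task_reasons(ev)) >= min_reasons]


# Constructed records: two routine tasks and two that match the pattern above.
SAMPLE_EVENTS = [
    TaskEvent(r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe",
              "-c -h -o -$", r"C:\Windows\System32\svchost.exe", "SYSTEM"),
    TaskEvent("NightlyBackup", "powershell.exe", r"-File C:\Scripts\backup.ps1",
              r"C:\Windows\explorer.exe", "CORP\\admin"),
    TaskEvent("Contract Viewer", "wscript.exe",
              r"C:\Users\alice\AppData\Roaming\contract_template.js",
              r"C:\Windows\System32\wscript.exe", "CORP\\alice"),
    TaskEvent("Updater", "powershell.exe",
              r"-w hidden -nop -ep bypass -File C:\Users\alice\AppData\Local\Temp\collect.ps1",
              r"C:\Windows\System32\wscript.exe", "CORP\\alice"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.task_name, "->", task_reasons(ev) or "clean")
    print("escalate:", triage(SAMPLE_EVENTS))
```

Requiring two independent reasons keeps an administrator's `-File` backup task out of the queue while still surfacing a task whose only oddity is the combination of a script-host creator and quiet PowerShell switches.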