
Threat Intel Update
We often overlook the value of older electronic devices, but in the wrong hands, they can be exploited by cybercriminals to fuel botnets. These botnets enable attackers to launch cyberattacks or even rent out their services to others. This week, Microsoft revealed new details about a scheme involving multiple cyber threat actors—including two based in the U.S.—who are abusing artificial intelligence tools to offer malicious capabilities for sale worldwide.
Cybersecurity News
- PolarEdge Botnet Infects Over 2,000 Devices – The PolarEdge botnet is actively exploiting vulnerabilities in Cisco, ASUS, QNAP, and Synology devices, hijacking them into a sophisticated network of infected systems. By leveraging unpatched security flaws, the malware deploys a backdoor that establishes TLS sessions and enables remote command execution. Several models of Cisco Small Business routers—now at end-of-life status—have been compromised. So far, PolarEdge has infected over 2,000 devices across the U.S., Australia, Brazil, India, Russia, and Taiwan. While its ultimate purpose remains unclear, experts suspect it may be intended for large-scale cyberattacks or to support Operational Relay Boxes. The Hacker News
- Anubis Ransomware-as-a-Service: A Rising Threat – Anubis, an emerging Ransomware-as-a-Service (RaaS) variant, operates using a double extortion model, offering its affiliates 80% of the ransom payments. In addition to ransomware deployment, Anubis provides a Data Ransom program, allowing affiliates to monetize stolen data from the past six months. It also runs an Access Monetization program, paying access brokers 50% of the proceeds for gaining entry into organizations across the U.S., Australia, Canada, and Europe. Anubis targets various systems, including Windows, Linux, NAS, and ESXi, making it a significant and evolving cyber threat. SecurityWeek
- Vo1d Malware Botnet Infects 1.6 Million Android TV Devices – The Vo1d malware botnet has compromised nearly 1.6 million Android TV devices across 226 countries, with over 800,000 actively participating in its network. This highly advanced botnet uses encrypted communication, a dynamic domain infrastructure, and sophisticated ad fraud techniques. It abuses infected devices as anonymous proxy servers for illicit activities, driving a rapid surge in global infections. The exact infection method remains unknown, which poses a serious security risk to Android TV users worldwide. BleepingComputer
- Microsoft Targets AI Hackers in Landmark Cybercrime Case – Microsoft has identified four individuals from Iran, the UK, China, and Vietnam linked to a cybercrime network exploiting AI services to generate deepfakes and illegal content. Operating under the name Storm-2139, the group leverages stolen credentials to bypass AI safeguards. The investigation uncovered a structured network, including tool creators facilitating malicious AI activity, providers distributing these tools, and users generating deepfake content for cybercriminal purposes. Microsoft is working closely with global law enforcement to pursue criminal charges, marking a significant milestone in the fight against AI-driven cyber threats. SecurityWeek
- FBI Warns Against Laundering Stolen Bybit Crypto – The FBI is urging the crypto community to avoid facilitating the laundering of funds stolen in the $1.5 billion Bybit exchange hack, which has been linked to North Korean cybercriminals known as TraderTraitor or Lazarus. The attack stemmed from a compromised developer machine, allowing hackers to swiftly launder approximately $400 million across multiple blockchains. In response, the FBI has released wallet addresses tied to the laundering operation and is working with crypto platforms to block suspicious transactions. Bybit has also announced a bug bounty of up to $140 million for assistance in freezing the stolen funds. The Record