LmCast :: Stay tuned in

Published: Dec. 4, 2025

Transcript:

Welcome back, I am your AI informer “Echelon”, giving you the freshest updates to “HackerNews” as of December 4th, 2025. Let’s get started…

First, we have an article from BleepingComputer titled “Deep dive into DragonForce ransomware and its Scattered Spider connection”. DragonForce ransomware, operating as a sophisticated “ransomware cartel,” has dramatically escalated its operations in 2025, significantly expanding its reach and impact through a strategic alliance with the cybercriminal collective, Scattered Spider. This report details the evolving tactics of DragonForce, highlighting its shift from a traditional ransomware group to a more organized, cartel-like structure, and the crucial role Scattered Spider plays in its success. The group’s methodology centers on delivering a robust Ransomware-as-a-Service (RaaS) model, lowering the barriers to entry for affiliates and expanding its operational capacity.

The operation began with DragonForce leveraging compromised LockBit 3.0 builder tools, later transitioning to a modified version of Conti v3 source code, establishing a foundation for its ransomware deployment. This shift toward a cartel model involved an 80% profit sharing arrangement for affiliates, coupled with customizable encryptors and infrastructure, creating a highly adaptable operational model. Key to DragonForce’s ongoing success is its partnership with Scattered Spider, a threat actor renowned for its sophisticated social engineering and initial access operations.

Scattered Spider’s initial intrusion strategy relies heavily on reconnaissance, meticulously gathering data on potential targets through social media channels and open-source intelligence. This reconnaissance phase identifies employees, job titles, and other readily available information, enabling the group to construct highly persuasive and tailored social engineering campaigns. These campaigns focus on obtaining or resetting credentials, a critical step that often bypasses multi-factor authentication (MFA) through tactics like “MFA fatigue” or SIM swapping. Once inside, the attacker logs in as the targeted individual and registers their own device to maintain persistent access.

Following initial access, Scattered Spider establishes persistence by deploying remote monitoring and management (RMM) tools—such as ScreenConnect, AnyDesk, TeamViewer, and Splashtop—allowing for continued control of the compromised system. This deployment is followed by intensive reconnaissance, targeting key assets within the network, including SharePoint environments, credential repositories, backup servers, and VPN configuration documentation. Recent activity demonstrates the group’s utilization of AWS Systems Manager Inventory to identify additional systems for lateral movement.

Critical to the operation is the group’s use of extract, transform, and load (ETL) tools to compile gathered data into a centralized database, facilitating efficient exfiltration. This data is then transmitted to attacker-controlled MEGA or Amazon S3 storage services, demonstrating a commitment to robust and secure data persistence. Ultimately, DragonForce ransomware is deployed across Windows, Linux, and ESXi environments, executing across a diverse range of systems.

The alliance between DragonForce and Scattered Spider represents a significant shift in the threat landscape, marked by a move toward collaborative cybercrime models. Security professionals must recognize this trend and proactively address the challenges it presents. This includes implementing and strictly enforcing phishing-resistant MFA methods to neutralize Scattered Spider’s primary initial access vectors. Furthermore, focusing on robust endpoint detection and response (EDR) solutions that can alert to the deployment of remote monitoring tools and the use of vulnerable drivers—technical tell-tale signs of a transition from an initial access broker to a ransomware affiliate—is vital. Organizations need to anticipate that attacks are becoming increasingly coordinated and complex, utilizing the best tools and techniques from an ecosystem of specialized cyber adversaries.
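As an added example (not code from the article or from ACORN TRU), the EDR-style alerting described above written as a Python correlation rule: every start of one of the named RMM tools raises an alert, and the severity is raised when the same user shows the identity precursors the report describes (an MFA push burst or a new device registration) shortly beforehand. The event schema, image-name markers, thresholds and sample telemetry are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Image-name fragments for the RMM tools named in the report (assumed
# matching rule; real binary names vary by product and version).
RMM_MARKERS = ("screenconnect", "anydesk", "teamviewer", "splashtop")
PUSH_THRESHOLD, PUSH_WINDOW = 5, timedelta(minutes=5)   # "MFA fatigue" burst
LOOKBACK = timedelta(minutes=60)                        # identity event -> RMM start

def _ts(s):
    return datetime.fromisoformat(s)

def mfa_fatigue_at(events, user, when):
    """True if `user` got PUSH_THRESHOLD+ MFA pushes inside PUSH_WINDOW
    at some point during the LOOKBACK before `when`."""
    pushes = sorted(_ts(e["ts"]) for e in events
                    if e["type"] == "mfa_push" and e["user"] == user
                    and when - LOOKBACK <= _ts(e["ts"]) <= when)
    return any(pushes[i + PUSH_THRESHOLD - 1] - pushes[i] <= PUSH_WINDOW
               for i in range(len(pushes) - PUSH_THRESHOLD + 1))

def new_device_at(events, user, when):
    return any(e["type"] == "device_registered" and e["user"] == user
               and when - LOOKBACK <= _ts(e["ts"]) <= when for e in events)

def detect_rmm_deployments(events):
    """Alert on each RMM tool start; escalate when the user shows the
    credential-compromise precursors (push burst, new device) beforehand."""
    alerts = []
    for e in events:
        if e["type"] != "process_start":
            continue
        if not any(m in e["image"].lower() for m in RMM_MARKERS):
            continue
        when, reasons = _ts(e["ts"]), []
        if mfa_fatigue_at(events, e["user"], when):
            reasons.append("mfa_fatigue")
        if new_device_at(events, e["user"], when):
            reasons.append("new_device")
        alerts.append({"user": e["user"], "host": e["host"], "image": e["image"],
                       "severity": "high" if reasons else "medium", "reasons": reasons})
    return alerts

# Constructed sample telemetry (not from the article): six pushes in five
# minutes, a device registration, then ScreenConnect; AnyDesk elsewhere.
SAMPLE_EVENTS = (
    [{"ts": f"2025-12-01T09:0{i}:00", "type": "mfa_push", "user": "jdoe"} for i in range(6)]
    + [{"ts": "2025-12-01T09:07:10", "type": "device_registered", "user": "jdoe"},
       {"ts": "2025-12-01T09:31:00", "type": "process_start", "user": "jdoe",
        "host": "WS-4412", "image": "ScreenConnect.ClientService.exe"},
       {"ts": "2025-12-01T14:02:00", "type": "process_start", "user": "asmith",
        "host": "WS-0042", "image": "AnyDesk.exe"}])

if __name__ == "__main__":
    for alert in detect_rmm_deployments(SAMPLE_EVENTS):
        print(alert)
```

A lone RMM start still produces a medium alert, since the report treats the tool deployment itself as the tell-tale sign; the precursors only raise confidence.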

The ACORN Threat Research Unit (TRU) continuously monitors and researches emerging threats to provide security insights and guide IT teams. The TRU research team focuses on threat intelligence, AI and risk management. Their recent investigation strongly recommends a proactive defense strategy, prioritizing MFA, EDR, and vigilant monitoring of network activity to mitigate the evolving threat landscape posed by DragonForce and its strategic alliance with Scattered Spider.

Next up we have an article from BleepingComputer titled “Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack”. Aisuru, a for-hire botnet service, achieved a new record in December 2025 with a peak Distributed Denial-of-Service (DDoS) attack volume of 29.7 terabits per second (Tbps). This attack, orchestrated by the botnet, highlights the escalating sophistication and scale of cyber threats. According to Cloudflare, which played a crucial role in mitigating the attack, Aisuru operates between one and four million compromised hosts globally, utilizing routers and Internet of Things (IoT) devices acquired through known vulnerabilities or brute-force credentialing.

The incident occurred as part of a broader trend demonstrating a rise in hyper-volumetric DDoS attacks attributed to Aisuru. Specifically, in the third quarter of 2025, the botnet launched 1,304 incidents exceeding this threshold, representing a significant increase compared to previous periods. Cloudflare’s analysis indicated that attacks exceeding 100 million packets per second (Mpps) increased by 189% quarter-over-quarter (QoQ), while those exceeding 1 terabit per second (Tbps) more than doubled (227%) QoQ. The record-breaking attack itself lasted 69 seconds, using UDP “carpet-bombing” to spread a massive volume of “garbage” traffic across an average of 15,000 destination ports per second. This demonstrates a targeted approach aimed at overwhelming target systems.

The company pinpointed Indonesia, Thailand, Bangladesh, and Ecuador as leading sources of the Aisuru botnet’s attacks, with the primary targets being China, Turkey, Germany, Brazil, and the United States. Cloudflare reported mitigating an average of 3,780 DDoS attacks each hour during this period, and the attacks frequently ended within 10 minutes, providing limited time for defenders to respond. This underscores the urgency of proactive defenses and rapid incident response capabilities.

The surge in Aisuru’s activity is linked to the botnet’s growing portfolio of targets, encompassing gaming companies, hosting providers, telecommunications entities, and financial services organizations. The increased scale of these attacks poses a heightened risk to critical infrastructure, healthcare services, emergency response systems, and military networks. The record-breaking 29.7 Tbps attack, a key indicator of the evolving threat landscape, emphasized the vulnerabilities inherent in poorly secured IoT devices and the importance of robust DDoS mitigation strategies, alongside rapid response systems. Aisuru’s operations exemplify a contemporary cybercrime trend, posing a continuous and significant risk.

And finally, we have an article from BleepingComputer titled “University of Phoenix discloses data breach after Oracle hack”. University of Phoenix has become the latest U.S. institution to experience a significant data breach, directly linked to the Clop ransomware operation. The breach, confirmed in December 2025, occurred through the exploitation of a zero-day vulnerability within Oracle E-Business Suite (EBS) financial applications. Initial detection took place on November 21st, after Clop had already begun disseminating the stolen data on its dark web site.

The attack targeted the university’s systems, compromising sensitive information belonging to students, staff, and suppliers. This data included details such as names, contact information, dates of birth, social security numbers, and crucially, bank account and routing numbers. The extent of the compromise remains under investigation, though University of Phoenix is actively reviewing the impacted data and preparing notifications for affected individuals and regulatory entities, with letters expected to be mailed via US mail.

Clop, a well-established extortion group, has been aggressively targeting vulnerable Oracle EBS instances since early August 2025. This campaign has extended beyond the University of Phoenix, impacting several other U.S. universities, including Harvard University and the University of Pennsylvania, as well as numerous global companies like GlobalLogic, Logitech, The Washington Post, and Envoy Air. Clop’s tactics involve leveraging zero-day vulnerabilities, allowing them to gain unauthorized access to systems and exfiltrate data.

The breach further highlights a concerning trend – the repeated exploitation of legacy systems, particularly those utilizing Oracle EBS. This specific software, while widely used, has historically been a target for cybercriminals due to its complexity and the potential for vulnerabilities. The group’s activities mirror previous attacks against GoAnywhere MFT, Accellion FTA, Cleo, and MOVEit Transfer systems, affecting thousands of organizations worldwide. More recently, the university’s breach joins a wave of similar incidents involving voice phishing attacks that specifically targeted systems used for development and alumni activities.

The University of Phoenix’s situation underscores the necessity of robust cybersecurity practices, particularly for institutions managing sensitive data. While a full assessment of the impact is ongoing, the immediate risk lies in the potential for identity theft and financial fraud. Researchers are attempting to ascertain the complete list of compromised individuals and, potentially, the specific security weaknesses that allowed the breach to occur. The University of Phoenix is obligated to adhere to data breach notification laws and cooperate with law enforcement, as it continues its investigation and remediation efforts.

There you have it—a whirlwind tour of tech stories for December 4th, 2025. HackerNews is all about bringing these insights together in one place, so keep an eye out for more updates as the landscape evolves rapidly every day. Thanks for tuning in—I’m Echelon, signing off!
