
Cloudflare mitigates record 11.5 Tbps UDP flood DDoS attack

📰 3 unique sources, 3 articles

Summary


Cloudflare recently blocked the largest recorded volumetric DDoS attack, peaking at 11.5 Tbps. The attack was a UDP flood, primarily originating from a combination of several IoT and cloud providers, including Google Cloud, and lasted approximately 35 seconds. Volumetric DDoS attacks overwhelm targets with massive data, consuming bandwidth and exhausting resources. This attack is part of a recent surge in hyper-volumetric DDoS attacks, with Cloudflare autonomously blocking hundreds over the past few weeks. This attack follows a 7.3 Tbps DDoS attack in June 2025 and a 3.8 Tbps attack in October 2024, both mitigated by Cloudflare. The increase in DDoS attacks highlights the escalating threat landscape and the need for robust cybersecurity defenses. The attack involved the RapperBot botnet, which targets network video recorders (NVRs) and other IoT devices, exploiting security flaws to gain initial access and download the malware payload.

Timeline

  1. 03.09.2025 23:34 📰 1 article · ⏱ 12d ago

    Cloudflare reports 7.3 Tbps DDoS attack in June 2025

    In June 2025, Cloudflare reported a 7.3 Tbps DDoS attack delivering 37.4 terabytes of data in 45 seconds. The attack reached 6.5 Tbps and delivered 4.8 billion packets per second (pps). The attack occurred in mid-May right after Cloudflare's publication of its quarterly DDoS threat report.

  2. 03.09.2025 10:49 📰 2 articles · ⏱ 13d ago

    RapperBot botnet used in 11.5 Tbps DDoS attack

    The attack involved the RapperBot botnet, which targets network video recorders (NVRs) and other IoT devices. The malware used a path traversal flaw in the web server to leak valid administrator credentials and push a fake firmware update. The malware established an encrypted connection to a command-and-control (C2) domain to receive commands for launching DDoS attacks. The attack was part of a broader trend of hyper-volumetric DDoS attacks, with a significant increase in such attacks in the second quarter of 2025.

  3. 02.09.2025 18:52 📰 3 articles · ⏱ 14d ago

    Cloudflare mitigates record 11.5 Tbps UDP flood DDoS attack

    The attack was part of a series of hyper-volumetric DDoS attacks, the largest of which reached peaks of 5.1 Bpps and 11.5 Tbps. Cloudflare's autonomous defenses mitigated it, as they have hundreds of similar attacks over the past few weeks. It lasted approximately 35 seconds and was designed to overwhelm the target with a massive volume of traffic, causing network congestion and potential outages. The attackers used botnets made up of IoT devices and other machines infected with malware through exploited security flaws; among them was the RapperBot botnet, which targets network video recorders (NVRs) and other IoT devices. Initial access to the NVRs came from exploiting security flaws to download the RapperBot payload; the malware used a path traversal flaw in the web server to leak valid administrator credentials and push a fake firmware update, then established an encrypted connection to a command-and-control (C2) domain to receive commands for launching DDoS attacks. The attack belongs to a broader trend of hyper-volumetric DDoS attacks, which increased significantly in the second quarter of 2025. Google Cloud was initially reported as the primary source, but later updates indicated that the UDP flood came from a combination of several IoT and cloud providers, with Google Cloud being one source but not the majority. Google's abuse defenses detected the attack, and the company followed its protocol for customer notification and response. Volumetric attacks are designed to overwhelm servers or networks, causing them to slow or shut down completely, and they make up around 75% of distributed denial-of-service (DDoS) attacks.

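Floods like the one above are spotted by aggregating sampled flow telemetry into per-second rates rather than by inspecting individual packets. The following Python is an added illustration, not code from Cloudflare or from any source cited here: it scales constructed sampled-flow records by an assumed 1:1000 sampling rate, totals them per second and destination, and flags windows that are both high-volume and UDP-dominated. The addresses, sampling rate and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sampled-flow records (not real telemetry). One record per line:
# epoch_second protocol dst_ip sampled_packets sampled_bytes
SAMPLE_RATE = 1000  # assumed 1:N packet sampling; counts are scaled up by it
FLOW_LINES = """\
1756837200 UDP 203.0.113.10 20 24000
1756837200 TCP 203.0.113.10 30 45000
1756837201 UDP 203.0.113.10 4000 1120000
1756837201 TCP 203.0.113.10 25 37500
1756837202 UDP 203.0.113.10 5000 1400000
1756837202 UDP 203.0.113.11 10 12000
"""


@dataclass
class WindowStats:
    pps: float        # estimated packets per second
    bps: float        # estimated bits per second
    udp_share: float  # fraction of packets in the window that were UDP


def aggregate(lines: str, sample_rate: int = SAMPLE_RATE) -> dict:
    """Total sampled records per (second, destination), scaled to full traffic."""
    totals = defaultdict(lambda: {"pkts": 0, "bytes": 0, "udp_pkts": 0})
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, proto, dst, pkts, nbytes = line.split()
        pkts, nbytes = int(pkts) * sample_rate, int(nbytes) * sample_rate
        bucket = totals[(int(ts), dst)]
        bucket["pkts"] += pkts
        bucket["bytes"] += nbytes
        if proto == "UDP":
            bucket["udp_pkts"] += pkts
    # bytes are converted to bits so bps is directly comparable with link capacity
    return {
        key: WindowStats(v["pkts"], v["bytes"] * 8, v["udp_pkts"] / v["pkts"])
        for key, v in totals.items()
    }


def udp_flood_alerts(stats: dict, bps_threshold: float, udp_share_min: float = 0.9) -> list:
    """Return (second, dst) windows whose volume exceeds the threshold and is mostly UDP."""
    return sorted(
        key for key, s in stats.items()
        if s.bps >= bps_threshold and s.udp_share >= udp_share_min
    )


if __name__ == "__main__":
    for second, dst in udp_flood_alerts(aggregate(FLOW_LINES), bps_threshold=5e9):
        print(f"UDP flood suspected at {second} toward {dst}")
```

With the constructed records and a 5 Gbps threshold, the first second is mixed TCP/UDP and stays below threshold, while the next two seconds toward 203.0.113.10 are flagged.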


Similar Happenings

Supply Chain Attack on npm Packages with Billions of Weekly Downloads

A supply chain attack compromised multiple npm packages with over 2.6 billion weekly downloads. Attackers injected malicious code into these packages after hijacking a maintainer's account via phishing. The malware targets web-based cryptocurrency transactions, redirecting them to attacker-controlled wallets. The attack was detected and mitigated by the NPM team, who removed the malicious versions within two hours. The phishing campaign targeted multiple maintainers, using a fake domain to trick them into updating their 2FA credentials. The malicious code operates by hooking into JavaScript functions and wallet APIs, intercepting and altering cryptocurrency transactions. The attack impacts users who installed the compromised packages during a specific time window and have vulnerable dependencies. The attack targeted Josh Junon, also known as Qix, who received a phishing email mimicking npm. The phishing email prompted the maintainer to enter their username, password, and 2FA token, which were stolen via an adversary-in-the-middle (AitM) attack. The attack affected 20 packages, including ansi-regex, chalk, debug, and others, with over 2 billion weekly downloads. The malware intercepts cryptocurrency transaction requests by computing the Levenshtein distance to swap the destination wallet address. The payload hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. The attack also compromised another maintainer, duckdb_admin, to distribute the same wallet-drainer malware. The affected packages from the second maintainer include @coveops/abi, @duckdb/duckdb-wasm, and prebid, among others. The attack impacted roughly 10% of all cloud environments. The attackers diverted five cents worth of ETH and $20 worth of a virtually unknown memecoin. The attacker’s wallet addresses holding significant amounts have been flagged, limiting their ability to convert or use the funds.

Lazarus Group Deploys PondRAT, ThemeForestRAT, and RemotePE in DeFi Sector Intrusion

The North Korea-linked Lazarus Group targeted a decentralized finance (DeFi) organization in 2024 using a social engineering campaign that distributed three cross-platform malware: PondRAT, ThemeForestRAT, and RemotePE. The attack began with impersonation on Telegram and fake scheduling websites, leading to the compromise of an employee's system. The group used various tools to harvest credentials and proxy connections, eventually deploying more sophisticated malware for stealthier operations. The attack chain involved initial access through a loader called PerfhLoader, which dropped PondRAT. This malware facilitated further discovery and deployment of additional tools, including keyloggers and credential stealers. The group later transitioned to ThemeForestRAT and finally to the more advanced RemotePE for high-value targets. The intrusion highlights the group's evolving tactics, techniques, and procedures (TTPs), including the use of multiple RATs for different stages of the attack.

Jaguar Land Rover Production Disrupted by Cyberattack

Jaguar Land Rover (JLR) experienced a cyberattack that severely disrupted its production and retail operations. The attack prompted the company to shut down several systems to mitigate the impact. Customer data was compromised, and the exact nature of the attack and the timeline for recovery remain unclear. The incident affected multiple systems, including those at the Solihull production plant, where popular models like the Land Rover Discovery and Range Rover are manufactured. The attack occurred over the weekend, a common time for such incidents due to reduced response capabilities. This is the second cyberattack JLR has suffered this year, raising concerns about potential vulnerabilities from the previous attack. JLR has extended the production shutdown for another week, with operations expected to resume on September 24, 2025. The company is still investigating the incident and has not attributed the breach to a specific cybercrime group.

Massive Brute-Force Attacks on SSL VPN and RDP Devices from Ukrainian Network FDN3

Between June and July 2025, a Ukrainian IP network FDN3 (AS211736) launched extensive brute-force and password spraying attacks targeting SSL VPN and RDP devices. The activity is part of a broader abusive infrastructure involving multiple Ukrainian and Seychelles-based networks. These networks have been previously linked to spam distribution, network attacks, and malware command-and-control hosting. The attacks have been attributed to large-scale brute-force attempts, peaking between July 6 and 8, 2025. The techniques used are consistent with initial access vectors employed by various ransomware-as-a-service (RaaS) groups. The infrastructure includes networks such as VAIZ-AS (AS61432), ERISHENNYA-ASN (AS210950), and TK-NET (AS210848). These networks often exchange IPv4 prefixes to evade blocklisting and continue hosting abusive activities. The prefixes involved have ties to known bulletproof hosting providers and have been used for various malicious activities in the past.

Espionage campaign targets Eastern Asia using hijacked Sogou Zhuyin update server

An espionage campaign, codenamed TAOTH, has been targeting users in Eastern Asia since June 2025. The attackers hijacked an abandoned update server for the Sogou Zhuyin input method editor (IME) software to distribute multiple malware families, including C6DOOR and GTELAM. The campaign primarily targets dissidents, journalists, researchers, and technology/business leaders in China, Taiwan, Hong Kong, Japan, South Korea, and overseas Taiwanese communities. The attackers took control of the lapsed domain name associated with Sogou Zhuyin in October 2024 and used it to disseminate malicious payloads. The malware families deployed serve various purposes, including remote access, information theft, and backdoor functionality. The attack chain begins with users downloading the official installer for Sogou Zhuyin, which triggers a malicious update process. The campaign has impacted several hundred victims, with Taiwan accounting for 49% of all targets. The attackers also leveraged third-party cloud services to conceal their network activities.