Find notable cyber news and cases, enriched with sources, timelines, and signals.

Broad Keitaro TDS abuse across more than 120 campaigns

Trend
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

Keitaro TDS was abused by more than 120 distinct campaigns between October 2025 and January 2026, showing a broad recurring pattern of malicious link delivery and spam. Telemetry tied the activity to about 226,000 DNS queries across 13,500 domains, underscoring its scale. The abuse matters because threat actors are turning a legitimate routing and cloaking platform into infrastructure for evasion and mass distribution.

Related Happenings

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

Vo1d botnet campaign targeting unofficial Android-based TV boxes

Campaign
H score88 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...

Latest development: 03.07.2026 12:35

Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.

PurpleBravo Contagious Interview campaign

Campaign
H score49 First: 21.01.2026 19:17 Last: 21.01.2026 19:17 Sources 1

About this happening: The **North Korea-linked Contagious Interview** campaign is refining its malware stack, with **Cisco Talos** reporting that **BeaverTail** and **OtterCookie** are being merged mor...

Latest development: 22.04.2026 17:48

North Korean actor Void Dokkaebi, aka Famous Chollima, pushed the Contagious Interview fake-job campaign into a self-propagating software supply chain operation by abusing compromised developer repositories, malicious Visual Studio (VS) Code tasks, and injected code that can run during normal development activity to spread malware and steal cryptocurrency wallet credentials, signing keys, and access to CI/CD pipelines and production infrastructure. Trend Micro said the campaign also stages payloads on Tron, Aptos, and Binance Smart Chain, and in March it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 instances of the commit-tampering tool.

Parked and typosquatting domains now redirect most visitors to scams and malware

Trend
H score38 First: 16.12.2025 16:14 Last: 16.12.2025 16:14 Sources 1

About this happening: Large-scale experiments found **parked domains** and **typosquatting domains** now commonly send visitors to **scams**, **scareware**, or **malware**, turning routine mistyped nav...

Cloudflare Radar Top Domains list redacts and hides Aisuru domains

Security Tool/Service
H score11 First: 06.11.2025 04:04 Last: 06.11.2025 04:04 Sources 1

About this happening: **Cloudflare** redacted **Aisuru** domains from its **Top Domains** rankings after the botnet started gaming the public list and distorting trust signals. The update reduces the v...

Timeline

  1. 27.04.2026 09:33 2 articles · 2mo ago

    Broad Keitaro TDS abuse across more than 120 campaigns

    Initial Disclosure

    Early telemetry showed **Keitaro Tracker** being repurposed as a cloaking and delivery layer for spam across many domains. The observed surge clustered in a **four-month window** ending in **January 2026**.

    Show sources