
The invisible force fueling cyber chaos.
A joint advisory labels Fast Flux a national security threat. Europol shuts down a major international CSAM platform. Oracle verifies a data breach. A new attack targets Apache Tomcat servers. The Hunters International group pivots away from ransomware. Hackers target Juniper routers using default credentials. A controversy erupts over a critical CrushFTP vulnerability. Johannes Ullrich, Dean of Research at SANS Technology Institute, unpacks Next.js. Abracadabra, alakazam — poof! Your credentials are gone.
Today is Thursday, April 3rd, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A joint advisory labels Fast Flux a national security threat.
Fast flux is a technique used by cybercriminals and nation-state actors to evade detection by rapidly rotating DNS records and IP addresses linked to malicious domains. This tactic supports resilient command-and-control (C2) infrastructure and enables persistent malicious activity, such as ransomware, phishing, and botnets. Variants include single flux (rotating IPs) and double flux (changing DNS servers too), often supported by bulletproof hosting services.
A joint advisory from the NSA, CISA, FBI, and international partners warns of fast flux as a national security threat and urges ISPs and cybersecurity providers—especially Protective DNS (PDNS) services—to develop detection and mitigation capabilities. Recommended strategies include DNS analysis, anomaly detection, IP blocking, sinkholing, and threat intelligence sharing. Distinguishing malicious fast flux from legitimate services like CDNs remains a challenge.
Organizations are encouraged to verify PDNS protections, train staff on phishing, and participate in collaborative defense efforts to reduce exposure to fast flux-enabled cyber threats.
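Detection logic of the kind the advisory recommends for PDNS and ISP telemetry, as an added example that is not from the advisory or the CyberWire: it scores constructed DNS observations for rapid address rotation, low TTLs and network diversity, the last being a crude stand-in for the ASN-level checks a provider would use to separate flux from CDN round-robin. All domain names, addresses and thresholds are made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed passive-DNS style observations (timestamp qname rtype rdata ttl).
# Domains and addresses use documentation ranges; none are real indicators.
SAMPLE_LOG = """\
2025-04-03T10:00:00Z evil-example.test A 203.0.113.10 60
2025-04-03T10:01:30Z evil-example.test A 198.51.100.77 60
2025-04-03T10:03:00Z evil-example.test A 192.0.2.201 30
2025-04-03T10:04:30Z evil-example.test A 203.0.113.44 30
2025-04-03T10:06:00Z evil-example.test A 198.51.100.9 60
2025-04-03T10:00:10Z cdn-example.test A 192.0.2.10 60
2025-04-03T10:02:10Z cdn-example.test A 192.0.2.11 60
2025-04-03T10:04:10Z cdn-example.test A 192.0.2.12 60
2025-04-03T10:06:10Z cdn-example.test A 192.0.2.13 60
2025-04-03T10:00:20Z static-example.test A 203.0.113.5 3600
2025-04-03T10:30:20Z static-example.test A 203.0.113.5 3600
"""

def parse_line(line):
    """Split one observation into (timestamp, qname, rtype, rdata, ttl)."""
    ts, qname, rtype, rdata, ttl = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), qname, rtype, rdata, int(ttl)

def score_domains(log_text, window=timedelta(minutes=10),
                  min_ips=4, min_prefixes=3, max_ttl=300):
    """Flag a domain as fast flux when, within one window after its first sighting,
    it resolved to >= min_ips distinct A records spread over >= min_prefixes distinct
    /24 networks, all with TTL <= max_ttl. Prefix diversity stands in for ASN
    diversity: CDN round-robin usually stays inside one provider's address space."""
    obs = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        ts, qname, rtype, rdata, ttl = parse_line(line)
        if rtype == "A":
            obs[qname].append((ts, rdata, ttl))
    verdicts = {}
    for qname, records in obs.items():
        records.sort()
        first = records[0][0]
        seen = [r for r in records if r[0] - first <= window]  # single window, not sliding
        ips = {r[1] for r in seen}
        nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in ips}
        low_ttl = max(r[2] for r in seen) <= max_ttl
        verdicts[qname] = {"ips": len(ips), "prefixes": len(nets), "low_ttl": low_ttl,
                           "fast_flux": len(ips) >= min_ips and len(nets) >= min_prefixes and low_ttl}
    return verdicts

if __name__ == "__main__":
    for name, verdict in score_domains(SAMPLE_LOG).items():
        print(name, verdict)
```

The CDN-like domain rotates four addresses with a low TTL but stays in one network, so it is not flagged; in production the prefix check would be replaced by ASN lookups and the window would slide over the stream.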
Meanwhile, House cybersecurity leaders criticized Trump-era cuts to CISA, urging expanded responsibilities instead. Rep. Andrew Garbarino wants CISA central to U.S. cyber efforts, including reauthorizing the 2015 cyber info-sharing law and extending a key grant program. He criticized cuts that harmed operations and signaled support for nominee Sean Plankey. Rep. Eric Swalwell slammed chaotic firings as inefficient and backs legislation to formalize the Joint Cyber Defense Collaborative. Both aim to shield CISA from political attacks and ensure strong congressional support moving forward.
Europol shuts down a major international CSAM platform.
Europol announced the takedown of Kidflix, a major dark web child sexual abuse material (CSAM) platform, calling it the largest child exploitation operation in its history. The multi-year effort led to 79 arrests so far, with 1,393 suspects identified and 39 children rescued. Over 39 countries participated in the investigation. Offenders used cryptocurrency to access the site, which hosted up to 91,000 videos—many previously unknown to law enforcement. German and Dutch authorities seized servers containing 72,000 videos. Users could earn access tokens by tagging content. Europol emphasized the real-world harm behind the platform’s operations, rejecting attempts to frame the case as a purely cyber issue. The platform had 1.8 million users, with around 3.5 new videos uploaded every hour. The investigation remains ongoing.
Elsewhere, a major data leak at GenNomis, an AI image-generation platform by South Korea’s AI-NOMIS, exposed 47.8GB of sensitive data, including 93,000+ images—some appearing to depict underage individuals in explicit content. Discovered by researcher Jeremiah Fowler, the unsecured database also contained deepfakes of celebrities as children and user command logs. The platform, now offline, allowed face-swapping and nude image generation. The incident raises alarm over AI misuse in creating non-consensual, explicit content, especially involving minors, prompting urgent calls for stricter safeguards and developer accountability.
Oracle verifies a data breach.
Oracle has informed customers of a data breach involving stolen login credentials from a legacy system, Bloomberg reports. The breach, now under investigation by the FBI and CrowdStrike, is separate from another incident Oracle disclosed last month. The attacker reportedly tried to extort the company and began selling the stolen data online. Though Oracle claims the compromised system hasn’t been used in eight years, some stolen credentials date back to 2024, raising concerns about lingering risks. Oracle has not publicly commented.
A new attack targets Apache Tomcat servers.
A new attack dubbed “Tomcat Campaign 25” is targeting Apache Tomcat servers with sophisticated, encrypted malware designed for both Windows and Linux. Hackers use brute-force methods to exploit weak credentials, quickly compromise servers, and deploy Java-based web shells for persistent access. The malware steals SSH keys, enables lateral movement, and hijacks resources for crypto mining. Notably, it hides payloads in fake 404 error pages and mimics kernel processes to evade detection. Researchers suggest links to Chinese-speaking actors, though attribution remains uncertain.
The Hunters International group pivots away from ransomware.
Hunters International, a ransomware-as-a-service group believed to be a rebrand of the defunct Hive gang, is shifting to exfiltration-only attacks, according to threat firm Group-IB. Active since late 2023, Hunters has targeted around 300 organizations—mostly in North America—with sectors like real estate, healthcare, and energy most affected. The group offers affiliates tools to steal data, set ransoms, and communicate with victims, keeping 80% of payments. Recently, Hunters stopped using ransom notes, instead contacting executives directly to pressure payment. Their affiliate panel includes “Storage Software” to manage and transmit stolen data. On January 1, 2025, Hunters launched a new project called “World Leaks,” aiming to abandon file encryption entirely, though it was paused due to infrastructure issues. Group-IB predicts other ransomware groups may follow suit, automating data theft and focusing purely on exfiltration to reduce risk and increase profitability.
Hackers target Juniper routers using default credentials.
SANS has reported a sharp rise in targeted scans exploiting default credentials in Juniper Networks’ Session Smart Router (SSR) platform. From March 23–28, 2025, around 3,000 unique IPs attempted logins using default credentials “t128/128tRoutes” and “root/128tRoutes.” The campaign, likely linked to the Mirai botnet, aimed to compromise unpatched or improperly secured SSR devices for use in DDoS attacks. This surge followed Juniper’s recent patch for CVE-2025-21589, a critical authentication bypass flaw. The activity dropped off abruptly, indicating a coordinated, automated effort.
A controversy erupts over a critical CrushFTP vulnerability.
A controversy has erupted over a critical CrushFTP vulnerability, now tracked as both CVE-2025-2825 and CVE-2025-31161. The flaw, disclosed on March 21, allows remote attackers to bypass authentication and gain admin access. While patches and workarounds were quickly released, a delay in issuing a CVE prompted VulnCheck to assign one independently—without contacting CrushFTP or original discloser Outpost24, who had requested a CVE via MITRE on March 13. This led to confusion, as the security industry began referencing VulnCheck’s CVE. Exploitation began shortly after disclosure, with The Shadowserver Foundation observing widespread attacks. Initially, 1,800 internet-exposed instances were vulnerable; over 500 remain unpatched in the U.S. as of April 2. CrushFTP criticized firms for accelerating exploitation by sharing details too soon. Attackers’ goals remain unclear, but the flaw could enable data theft or deeper intrusions. Outpost24 is awaiting MITRE’s decision on the official CVE designation.
Abracadabra, alakazam — poof! Your credentials are gone.
And finally, our prestidigitation desk tells us a new cyber trick has hit the magic world—and no, it’s not an illusion. Meet AbracadabraStealer, the malware campaign targeting magicians, magic shop owners, and dedicated wand-wielders worldwide. This cyber heist starts with emails promising “exclusive trick tutorials” or “never-before-seen Houdini footage.” Spoiler: it’s a trap. Open the attachment, and poof—your login credentials vanish faster than a coin behind an ear.
Kaspersky researchers uncovered this act after magicians reported account breaches and disappearing proprietary tricks. Turns out, the malware uses coded JavaScript (and a touch of villainy) to swipe browser data, log keystrokes, and snap screenshots during logins. It even hides like a stagehand—disguised as an Adobe update in your system registry.
Roughly 1,200 victims, mostly premium users and trick developers, have been hit since early 2025. So, if your magic act suddenly appears for sale on a sketchy forum… you’ve probably been abracadabra’d.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.