The CyberWire Daily Podcast 9.15.25
Ep 2392 | 9.15.25

FBI botnet cleanup backfires.

Transcript

FBI botnet disruption leaves cybercriminals scrambling to pick up the pieces. Notorious ransomware gangs announce their retirement, but don’t hold your breath. Hacktivists leak data tied to China’s Great Firewall. A new report says DHS mishandled a key program designed to retain cyber talent at CISA. GPUGate malware cleverly evades analysis. WhiteCobra targets developers with malicious extensions. North Korea’s Kimsuky group uses AI to generate fake South Korean military IDs. My guest is Tim Starks from CyberScoop, discussing offensive cyber operations. A cyberattack leaves students hung out to dry.

Today is Monday September 15th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

FBI botnet disruption leads to a cybercriminal scramble to pick up the pieces. 

The FBI recently disrupted a massive botnet, freeing nearly 95,000 hacked devices. But instead of neutralizing the threat, the takedown sparked a scramble among cybercriminals to seize control of the machines. A rival botnet known as Aisuru captured more than a quarter of them and quickly began launching some of the largest distributed denial-of-service (DDoS) attacks ever recorded. Cloudflare reported one strike reaching 11.5 trillion bits per second, a new world record. Analysts warn this unintended consequence shows how difficult it is to dismantle botnets without leaving devices open to new operators. What began as an FBI success has turned into a dangerous escalation, highlighting how today’s internet-connected devices can be weaponized faster than law enforcement can neutralize them.

Notorious ransomware gangs announce their retirement, but don’t hold your breath. 

Fifteen ransomware gangs, including Scattered Spider and Lapsus$, have suddenly declared they’re “retiring,” claiming their real mission was noble system hardening, not extortion. In a Breachforums post dripping with self-justification, they say they’ll now enjoy their “golden parachutes” from millions in stolen funds while others continue “improving systems.” They even promise to “humiliate” those who arrested some members. If this sounds like a heartfelt farewell, don’t bet on it: cybercrime groups are notorious for rebranding, and few believe these attackers are hanging up their keyboards.

Hacktivists leak data tied to China’s Great Firewall. 

Hacktivists have leaked nearly 600 GB of data tied to China’s Great Firewall, in what experts call the largest breach of its kind. The files, published by Enlace Hacktivista on September 11, include source code, internal reports, work logs, and technical documentation allegedly from Geedge Networks and the MESA Lab, both central to the Firewall’s development. Early analysis shows evidence of censorship and surveillance exports to countries tied to China’s Belt and Road Initiative, including Pakistan and Ethiopia. Unlike past leaks, this trove includes raw operational data, tens of thousands of documents and software packages that reveal how the Firewall has evolved and expanded. Researchers caution the files may contain malware but say they offer a rare, detailed look into China’s censorship machine.

Meanwhile, China is tightening cybersecurity rules, requiring network operators to report “particularly serious” incidents within one hour starting November 1, 2025. The Cyberspace Administration of China defines top-tier threats as large-scale outages, breaches exposing over 100 million citizens’ data, or cyberattacks disrupting utilities, transport, or healthcare for millions. Officials must notify higher authorities within 30 minutes of receiving reports, and operators must file a full review within 30 days. Lawmakers are also considering amendments to raise fines, up to 10 million yuan, for failures involving critical infrastructure or data protection.

A new report says DHS mishandled a key program designed to retain cyber talent at CISA. 

A new inspector general report says the Department of Homeland Security mishandled a key program designed to retain cyber talent at CISA. Since 2015, over $100 million was spent on the Cyber Incentive program, meant to keep highly sought-after cybersecurity experts in government. Instead, funds were often misdirected. Payments went to ineligible staff, including 240 employees with no direct cybersecurity roles, and more than 300 people received erroneous back pay. The watchdog concluded the poorly managed program wasted taxpayer dollars and may worsen attrition risks, leaving CISA less able to protect the nation from cyber threats. Triggered by a 2023 hotline complaint, the investigation found HR failed to track payments, and CISA has agreed to eight corrective recommendations to fix oversight and targeting issues.

GPUGate malware cleverly evades analysis. 

On August 19, 2025, Arctic Wolf’s Cybersecurity Operations Center uncovered a sophisticated campaign blending Google Ads and GitHub lookalike domains to deliver malware. Attackers used commit-specific links in ads to mimic official repositories, luring IT professionals into downloading a malicious MSI installer disguised as GitHub Desktop. At 128 MB, the installer bypassed many sandboxes by stuffing itself with dummy files. Its standout feature, dubbed “GPUGate,” employed a GPU-based decryption routine that kept the payload encrypted unless run on a machine with a real GPU, evading most analysis environments. Once executed, the malware gained admin rights for persistence and lateral movement. The campaign primarily targeted IT workers in Western Europe, with evidence suggesting Russian-speaking operators. Likely goals included credential theft, data exfiltration, and ransomware deployment.

WhiteCobra targets developers with malicious extensions. 

A threat actor known as WhiteCobra is targeting developers by planting 24 malicious extensions in the Visual Studio Marketplace and Open VSX registry, affecting VSCode, Cursor, and Windsurf users. The campaign is active, with new malicious uploads replacing removed ones. Ethereum developer Zak Cole reported his wallet was drained after using one such extension, which appeared legitimate with a professional design and 54,000 downloads. WhiteCobra, previously tied to a $500,000 crypto theft, exploits weak extension vetting and cross-compatibility of VSIX packages.

North Korea’s Kimsuky group uses AI to generate fake South Korean military IDs.

Cybersecurity firm Genians has uncovered a spear-phishing campaign by North Korea’s Kimsuky group that used AI to generate fake South Korean military ID cards. Detected on July 17, the attack impersonated a defense institution, sending emails with counterfeit ID samples attached as PNGs, designed to look like draft reviews for ID issuance. The images, flagged as deepfakes with 98% certainty, were created through prompt injection to bypass AI safeguards against generating illegal IDs. A malicious BAT file executed alongside the images enabled data theft and remote control. Targets included researchers, journalists, and activists focused on North Korea. The campaign marks an evolution of Kimsuky’s earlier ClickFix phishing attacks, showing how deepfake technology can enhance the credibility of social engineering attempts.

Business Brief 

Mitsubishi Electric has announced its largest acquisition to date, agreeing to buy San Francisco-based OT security firm Nozomi Networks for $883 million in cash. The deal builds on Mitsubishi’s earlier 7% stake in Nozomi, gained during the company’s $100 million Series E funding round in 2024. The deal is expected to close in late 2025, and Nozomi will continue operating from San Francisco with R&D in Switzerland. Mitsubishi says the acquisition adds a fast-growing, AI-powered cybersecurity business to its industrial portfolio, helping deliver advanced protection for critical infrastructure and IoT systems. Meanwhile, consolidation continues across the cybersecurity sector: SentinelOne is buying Observo AI for $225 million, UltraViolet Cyber acquired Black Duck’s testing services, and several smaller firms in Europe, the U.S., and Israel announced deals. Investment activity was also strong, with ID.me raising $340 million, IQM Quantum Computers securing $320 million, and Shift5 closing $75 million to accelerate growth in their respective sectors.


A cyberattack leaves students hung out to dry. 

At Amsterdam’s Spinozacampus, more than a thousand students are still schlepping laundry bags across town after a cyberattack turned their “smart” washing machines into very expensive, very useless boxes. Back in July, an unknown hacker tampered with the digital payment system, granting students a glorious few weeks of free spin cycles. Management company Duwo eventually pulled the plug, declaring it wasn’t in the business of underwriting free laundry. Students now fight over a dwindling fleet of ten analog washers, most of which are usually broken, while some mutter darkly about lice. The university has offered little help, other than pointing back to Duwo. So, while IoT hacks usually fuel botnets or ad fraud, this one left students wringing out socks by hand, proof that cyber mischief can hit right at the fabric of daily life.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.