Our security briefing covers eight threat intelligence articles from Monday, September 16th, 2025, between 0425 and 0629 hours UTC.
Threat Intelligence.
The AISURU botnet has emerged as potentially the most powerful DDoS botnet ever documented, capable of generating attacks at an unprecedented scale of 11.5 terabits per second, according to Qianxin researchers. Following last year's Operation Endgame law enforcement takedown, SmokeLoader malware has returned with a new 2025 version featuring bug fixes, improved evasion techniques, and an updated network protocol that breaks compatibility with previous variants.
A new Magecart web skimming campaign has been identified, with heavily obfuscated JavaScript hosted on cc-analytics dot com targeting payment card data from compromised e-commerce sites.
Malware.
Zscaler's analysis reveals that the resurrected SmokeLoader maintains its modular plugin framework for credential harvesting, browser hijacking, and cryptocurrency mining, with the threat actors actively advertising the updated version on criminal forums since July 2025.
Tools.
Thinkst has released a new AWS Infrastructure Canarytoken that automatically deploys decoy resources including DynamoDB tables, S3 buckets, and SQS queues across AWS accounts, with CloudTrail integration providing breach detection alerts when attackers interact with the honeypot assets. Wavestone security researchers have published details on AWSDoor, a new persistence technique specifically targeting AWS cloud environments.
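The CloudTrail-based alerting described for the AWS Infrastructure Canarytoken can be illustrated with a small matcher over CloudTrail records. This is an added example, not Thinkst's implementation; the decoy names, the deployer role, the account ID and the sample records are all constructed assumptions.

```python
import json

# Constructed decoy inventory (hypothetical names):
# CloudTrail eventSource -> (requestParameters key, decoy identifiers)
DECOYS = {
    "s3.amazonaws.com": ("bucketName", {"corp-backup-archive-7f3a"}),
    "dynamodb.amazonaws.com": ("tableName", {"customer-sessions-legacy"}),
    "sqs.amazonaws.com": ("queueUrl", {"https://sqs.us-east-1.amazonaws.com/111122223333/billing-retry"}),
}
# Assumption: the principal that deploys the decoys may touch them without alerting.
DEPLOYER_ARNS = {"arn:aws:sts::111122223333:assumed-role/decoy-deployer/iac"}

def decoy_hits(records):
    """Return one alert per CloudTrail record that touches a decoy resource."""
    alerts = []
    for rec in records:
        entry = DECOYS.get(rec.get("eventSource"))
        if entry is None:
            continue
        param, decoy_names = entry
        # requestParameters is null on some calls, so fall back to an empty dict.
        target = (rec.get("requestParameters") or {}).get(param)
        if target not in decoy_names:
            continue
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        if actor in DEPLOYER_ARNS:
            continue  # expected maintenance traffic from the deployer
        # Denied calls are kept: probing a decoy is a signal even when it fails.
        alerts.append({"event": rec.get("eventName"), "target": target, "actor": actor,
                       "source_ip": rec.get("sourceIPAddress"),
                       "errorCode": rec.get("errorCode")})
    return alerts

# Constructed sample log in CloudTrail's {"Records": [...]} layout.
SAMPLE_LOG = json.loads("""{"Records": [
 {"eventSource":"s3.amazonaws.com","eventName":"GetObject","requestParameters":{"bucketName":"corp-backup-archive-7f3a","key":"db.sql"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-build"},"sourceIPAddress":"198.51.100.23"},
 {"eventSource":"dynamodb.amazonaws.com","eventName":"Scan","errorCode":"AccessDenied","requestParameters":{"tableName":"customer-sessions-legacy"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-build"},"sourceIPAddress":"198.51.100.23"},
 {"eventSource":"s3.amazonaws.com","eventName":"PutBucketTagging","requestParameters":{"bucketName":"corp-backup-archive-7f3a"},"userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/decoy-deployer/iac"},"sourceIPAddress":"203.0.113.10"},
 {"eventSource":"s3.amazonaws.com","eventName":"GetObject","requestParameters":{"bucketName":"prod-assets","key":"logo.png"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/web"},"sourceIPAddress":"203.0.113.44"},
 {"eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","requestParameters":null,"userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-build"},"sourceIPAddress":"198.51.100.23"}
]}""")["Records"]

if __name__ == "__main__":
    for alert in decoy_hits(SAMPLE_LOG):
        print(json.dumps(alert))
```

Object-level and item-level calls such as GetObject and Scan reach CloudTrail only when data event logging is enabled for the decoy resources.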
Cobalt Strike has announced artificial intelligence integration for post-exploitation activities, though specific technical details remain limited. The fwd:cloudsec conference has made video presentations available covering current cloud security topics and methodologies.