An unknown hacking group — potentially Russian state-sponsored — hit Croatian government agencies with spear phishing using post-exploitation frameworks; a Golang-written crypto miner targeting Linux servers was undetectable by most antivirus software; a Cloudflare WAF regex bug knocked 10% of the internet offline for 30 minutes; and the Christmas DDoS Grinch who took down PlayStation and Xbox networks received a 27-month prison sentence.
Stories Covered
Croatian Government Targeted by Spear Phishing Campaign Using Empire Backdoor and Silent Trinity
ZDNet reported on a series of spear phishing attacks against Croatian government employees by an unknown hacking group believed to be state-sponsored. Spear phishing differs from broad phishing in that it targets specific individuals or organizations rather than casting a wide net — the emails are tailored to the target’s context to increase the likelihood of engagement. In this campaign, the phishing emails contained Excel attachments with embedded macros. When a recipient opened the file and enabled macros, the macro downloaded a malware payload to the machine. Two malware families were identified: the Empire backdoor, which is part of the Empire post-exploitation framework — a tool designed to provide persistent access and command execution on compromised machines — and Silent Trinity, another post-exploitation tool. A presentation at Positive Hack Days had previously concluded that Silent Trinity had not previously been weaponized in active malware campaigns, making this deployment notable. The campaign operated undetected for two months before the Croatian Information Systems Security Bureau issued alerts and distributed indicators of compromise to government agencies. A FireEye report was cited as potentially linking the attacks to Russian threat actors based on shared command-and-control infrastructure with attacks against Ukrainian government agencies — though attributing attacks solely on shared C2 servers carries inherent uncertainty. The post-exploitation model used here — gaining access through phishing then using framework-based tools for persistent backdoor access — is standard nation-state espionage tradecraft.
Golang Malware Targeting Linux Servers: Undetectable by AV, Active Since Mid-2018
A Monero cryptocurrency mining malware written in Go (Golang) had been targeting Linux servers since mid-2018 and remained active. The malware exploited multiple CVEs to gain initial access: CVE-2019-9082 (ThinkPHP), CVE-2019-3396 (Atlassian Confluence), and CVE-2018-7600 (Drupal, also known as Drupalgeddon2). Beyond web application vulnerabilities, the malware spread via SSH credential enumeration, Redis database password enumeration, and by attempting to use SSH private keys found on already-compromised machines to pivot to additional servers. Once inside a machine, it deployed XMRig with the Cryptonight algorithm to mine Monero. The most significant aspect of this malware was its antivirus evasion: at the time of reporting, it was not detected by most antivirus products. Golang was not a common malware development language, and AV signature databases had not accumulated enough samples to reliably detect it. This was an early demonstration of the pattern — later confirmed widely across Go, Rust, and other “unusual” language malware — that novel implementation languages reliably bypass signature-based detection because AV engines have trained on far fewer examples. The malware affected several thousand servers. For Linux server administrators: ensure public-facing web applications running ThinkPHP, Confluence, or Drupal are patched, audit exposed Redis instances for unauthorized access, rotate SSH keys on any machine suspected of compromise, and monitor for unexpected CPU usage spikes that may indicate unauthorized mining.
Cloudflare Outage: One Bad Regex in a WAF Rule Crashed 10% of the Internet for 30 Minutes
Cloudflare experienced a 30-minute global outage that caused sites behind its network to return 502 errors, not from a hack or external attack, but from a misconfigured deployment. A new rule added to Cloudflare’s Web Application Firewall contained a regular expression — a pattern-matching syntax used to identify specific strings in traffic — that caused catastrophic CPU usage when applied to live traffic. A regular expression that contains certain pathological patterns can trigger “catastrophic backtracking,” where the regex engine attempts exponentially many partial matches before failing — consuming CPU in proportion to traffic volume rather than in constant time. The CPU spike was severe enough that Cloudflare’s network could not process ordinary traffic, causing requests to be dropped. Cloudflare rolled back the deployment and service was restored after approximately 30 minutes. The standard practice for WAF rule deployments is to run new rules in simulation or dry-run mode first, monitoring their behavior against production traffic without enforcing them, before enabling enforcement. In this case, the rule went directly to enforcement, bypassing the opportunity to observe the CPU impact before it affected customers. Cloudflare’s post-incident report acknowledged the process failure and committed to tighter deployment controls. The outage was a reminder that infrastructure providers who serve a significant fraction of internet traffic carry systemic risk — a single bad deployment at that scale affects millions of downstream services simultaneously.
Christmas DDoS Grinch Sentenced: 27 Months for Taking Down PlayStation and Xbox Networks
A 23-year-old hacker from Utah, operating under the handle “derptroll” and as a member of the group Derptrolling, was sentenced to 27 months in federal prison and ordered to pay $95,000 in restitution to Daybreak Games (formerly Sony Online Entertainment) for DDoS attacks that knocked PlayStation Network and Xbox Live offline during Christmas 2013 and January 2014. The timing of the attacks — targeting gaming services during the Christmas period when millions of people receive new consoles and games — was deliberate for maximum disruption. DDoS attacks against gaming networks affect more than just online play: many games require online authentication to launch even in single-player mode, and console updates are delivered over the same network infrastructure. The hacker had pleaded guilty in November 2018. The sentence is unrelated to the separately reported Lizard Squad DDoS attacks, which targeted the same gaming networks in 2014 and were carried out by a different group — though the timing overlap created confusion in media coverage at the time. The case represents one of the earlier successful federal prosecutions specifically for DDoS attacks against consumer gaming infrastructure.

