Massive DDoS, DanaBot Dismantled, Scraped Discord Messages and Signal Blocks Windows Recall
Notable security news for the week of May 18–24, 2025, is brought to you by the F5 Security Incident Response Team. This week, your editor is Dharminder. In this edition, I have security news about Signal Messenger, which has blocked Windows Recall to protect user privacy; a massive 6.3 Tbps DDoS attack on KrebsOnSecurity; the CrowdStrike and DOJ collaboration to dismantle the DanaBot malware network; and user messages from Discord that were scraped and published online by researchers.
We at F5 SIRT invest a lot of time in understanding the constantly changing behavior of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to mitigate attacks and vulnerabilities and get you back up and running. So the next time you are in a security emergency, please contact F5 SIRT.
Ok, let’s get started and see the details of the security news.
Signal Blocks Windows Recall to Protect User Privacy
Signal Messenger has added a new setting that stops Windows from taking screenshots of its Desktop app, because Microsoft’s Recall AI tool in Windows 11 is a privacy risk. Recall, which captures and indexes user activity every three seconds, raises significant privacy concerns by storing data—including conversations, emails, and sensitive details—in plaintext or in encrypted databases that can be decrypted on the device. Although Microsoft recently overhauled Recall, making it opt-in and encrypting its data, privacy risks persist due to inadequate developer tools, minimal user controls, and potential exposure to sophisticated malware. Signal criticized Microsoft’s lack of options for blocking Recall and creatively repurposed a DRM API—designed to protect copyrighted material—to keep user messages from being indexed. While Signal’s measure adds an extra layer of protection, it has limitations: it protects a conversation only if all participants keep the default settings. Signal expressed frustration at having to trade off privacy against accessibility, and urged developers of AI tools like Recall to consider the ethical implications and provide proper resources for applications that need to opt out.
- https://signal.org/blog/signal-doesnt-recall/
- https://arstechnica.com/security/2025/05/signal-resorts-to-weird-trick-to-block-windows-recall-in-desktop-app/?utm_source=tldrinfosec
KrebsOnSecurity Endures Massive 6.3 Tbps DDoS Attack
In May 2025, KrebsOnSecurity suffered a massive 6.3 Tbps distributed denial-of-service (DDoS) attack, among the largest ever recorded. The short but intense attack was launched by the Aisuru botnet, a network of compromised Internet of Things (IoT) devices such as routers and digital video recorders, which it infects by exploiting default passwords and software vulnerabilities. Google’s Project Shield mitigated the attack, which peaked at approximately 585 million packets per second, the largest the service has handled to date. Aisuru, also known as “Airashi,” first surfaced in August 2024, targeting a gaming platform, and reemerged in November with enhanced capabilities, including exploitation of a zero-day vulnerability in Cambium Networks cnPilot routers. The botnet’s operators, using the alias “Forky” and the Telegram handle “@yfork,” have been offering DDoS-for-hire services via public Telegram channels, with subscription tiers ranging from $150 per day to $600 per week. Even after the FBI seized stresser domains, Forky kept promoting and running these services. The scale and sophistication of the Aisuru botnet underscore the evolving threat posed by IoT-based DDoS attacks.
- https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/?utm_source=tldrinfosec
- https://hackread.com/krebsonsecurity-6-3-tbps-ddos-attack-aisuru-botnet/
CrowdStrike and DOJ Dismantle DanaBot Malware Network
CrowdStrike, in collaboration with the U.S. Department of Justice (DOJ) and the Defense Criminal Investigative Service (DCIS), has disrupted the DanaBot malware operation, a significant cyber threat tracked as SCULLY SPIDER. DanaBot, active since 2018, functioned as a malware-as-a-service platform, facilitating credit card theft, wire fraud, and cryptocurrency exfiltration. Its modular design allowed it to adapt, with capabilities such as keystroke logging and hidden virtual network computing (HVNC). DanaBot was also used in supply chain attacks, notably through compromised NPM packages such as ua-parser-js and coa, which affected the transportation, media, technology, and financial services industries. The malware’s operations extended beyond financial crime: aligned with Russian state interests, it targeted military, diplomatic, and government entities, particularly during Russia’s invasion of Ukraine. The DCIS’s seizure of DanaBot’s U.S.-based command-and-control servers has effectively neutralized the threat, severing the operators’ control over infected systems. This takedown underscores the blurred lines between cybercrime and state-sponsored cyber operations, and it highlights the importance of public-private partnerships in countering complex cyber threats.
- https://www.crowdstrike.com/en-us/blog/crowdstrike-partners-with-doj-disrupt-danabot-malware-operators/
- https://thehackernews.com/2025/05/us-dismantles-danabot-malware-network.html
Researchers Release 2 Billion Scraped Discord Messages
A team at Brazil’s Federal University of Minas Gerais scraped and published an anonymized dataset of 2,052,206,308 messages from 3,167 public Discord servers—about 10 percent of the platform’s open communities—spanning 2015 through 2024 and involving 4,735,057 users. Released alongside their paper “Discord Unveiled: A Comprehensive Dataset of Public Communication (2015–2024),” the corpus is intended to support research into political discourse, misinformation propagation, moderation strategies, and AI training. To protect privacy, usernames were replaced with pseudonyms, and user and message identifiers were hashed and truncated, but experts warn that such measures often fail to prevent re-identification once conversations are reconstructed. The researchers argue that public server data is acceptable to use for academic studies; however, their methods violate Discord’s Terms of Service, which explicitly prohibit scraping data without written permission. Discord has confirmed an investigation and potential enforcement actions, emphasizing user-data protection. This release underscores the tension between open-data research and platform policies, and reminds users that “public” online conversations may persist indefinitely and be repurposed beyond their original context.