The latest analysis from NETSCOUT highlights a dramatic escalation in botnet-driven distributed denial-of-service (DDoS) attacks during July 2025, with thousands of daily incidents and clear signs of hacktivist involvement.
According to the report, “July’s botnet-driven distributed denial-of-service (DDoS) activity remained elevated, with pressure spikes around the U.S. holiday period and continued automation from commodity botnets.”
Over the course of the month, NETSCOUT observed more than 20,000 DDoS attack events—an average of over 600 per day. On July 3, activity surged past 1,100 incidents in a single day, roughly 71% above the monthly average.
The attacks showed familiar mechanics, with TCP SYN floods leading the charge at nearly 3,000 incidents, alongside increasingly complex multivector attacks blending TCP, DNS, and amplification techniques to exhaust both device state and bandwidth.
Hacktivist group NoName057(16) once again dominated the threat landscape. The group claimed responsibility for more than 200 attacks, accounting for a significant portion of the 700+ total hacktivist incidents in July.
The group’s operations aligned strongly with observed traffic patterns, including HTTP/2 POST floods, TCP ACK floods, and TCP SYN floods. Their campaigns primarily targeted government agencies, transportation networks, and financial services, using rapid vector rotations and sustained engagements lasting several minutes.
NETSCOUT emphasized that “although some groups tend to exaggerate their activity, claiming credit when websites go offline for unrelated reasons, NoName057(16)’s announcements often align with observable attack activity.”
Other hacktivist groups such as Keymous+, TEAM FEARLESS, Dark Storm Team, and Z-ALLIANCE were also active, though their operational footprint was far smaller.
The report found sustained pressure on web-facing infrastructure. “TCP ports 80 and 443 were the most common combination, appearing in more than 900 unique attacks, reflecting sustained pressure on web-facing infrastructure,” NETSCOUT observed.
Attackers also continued to target VPN-related ports (500 and 4500), suggesting an ongoing interest in disrupting remote-access services.
On the UDP side, ports 443, 80, and 53 were heavily targeted, underscoring abuse of both encrypted traffic and DNS services.
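The vector mechanics and port targeting described above lend themselves to a simple triage rule on a defender's own flow telemetry. The following is an added example, not NETSCOUT's code or data: it classifies constructed per-target flow summaries into the vectors the report names (TCP SYN flood, TCP ACK flood, UDP/DNS flood), flags multivector attacks, and counts destination-port combinations the way the report counts ports 80 and 443. The packet-rate threshold and record layout are assumptions.

```python
from collections import Counter, defaultdict

# Constructed flow summaries, not NETSCOUT telemetry. Each record is one target's
# traffic on one protocol/port over a one-minute window, with TCP flags and packets/s.
FLOWS = [
    {"dst": "192.0.2.10", "proto": "tcp", "dport": 443,  "flags": "S", "pps": 48000},
    {"dst": "192.0.2.10", "proto": "tcp", "dport": 80,   "flags": "S", "pps": 41000},
    {"dst": "192.0.2.10", "proto": "udp", "dport": 53,   "flags": "",  "pps": 22000},
    {"dst": "192.0.2.20", "proto": "tcp", "dport": 443,  "flags": "A", "pps": 30000},
    {"dst": "192.0.2.30", "proto": "tcp", "dport": 443,  "flags": "S", "pps": 600},   # benign
    {"dst": "192.0.2.40", "proto": "udp", "dport": 4500, "flags": "",  "pps": 15000},
    {"dst": "192.0.2.50", "proto": "tcp", "dport": 80,   "flags": "S", "pps": 20000},
    {"dst": "192.0.2.50", "proto": "tcp", "dport": 443,  "flags": "S", "pps": 25000},
]

PPS_THRESHOLD = 10000  # assumed per-window rate above which a flow is treated as flood traffic

def classify(flow):
    """Map one aggregated flow to a DDoS vector name, or None if below threshold."""
    if flow["pps"] < PPS_THRESHOLD:
        return None
    if flow["proto"] == "tcp":
        if flow["flags"] == "S":
            return "tcp_syn_flood"   # half-open connections exhaust device state
        if flow["flags"] == "A":
            return "tcp_ack_flood"
        return "tcp_flood"
    if flow["proto"] == "udp":
        return "udp_dns_flood" if flow["dport"] == 53 else "udp_flood"
    return None

def summarize(flows):
    """Group vectors and ports per target; an attack is multivector at >= 2 vectors."""
    per_target = defaultdict(lambda: {"vectors": set(), "ports": set()})
    for f in flows:
        v = classify(f)
        if v:
            per_target[f["dst"]]["vectors"].add(v)
            per_target[f["dst"]]["ports"].add(f["dport"])
    return {t: {"vectors": sorted(d["vectors"]), "ports": sorted(d["ports"]),
                "multivector": len(d["vectors"]) >= 2} for t, d in per_target.items()}

def port_combinations(summary):
    """Count which destination-port combinations appear across detected attacks."""
    return Counter(tuple(d["ports"]) for d in summary.values())

if __name__ == "__main__":
    s = summarize(FLOWS)
    print(s)
    print(port_combinations(s).most_common(3))
```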
Geographic analysis showed that Mongolia was the top single-country source, responsible for more than 1,000 attacks—primarily from IoT and router infections.
The most frequent multicountry pairing was Mauritius and South Africa, involved in more than 100 coordinated attacks.
Attackers relied heavily on compromised IoT devices and routers, exploiting years-old vulnerabilities such as CVE-2015-2051 (D-Link routers), CVE-2017-17215 (Huawei HG532 routers), and CVE-2017-16894. NETSCOUT stressed that, “although these vulnerabilities are years old, they remain effective due to unpatched devices, weak default credentials, and inadequate security practices.”
Mirai variants continued to drive significant botnet recruitment, leveraging Telnet brute-forcing and default credential exploits. July also saw increased exploitation of VStarcam C7824WIP cameras and Actiontec C1000A routers.