
The DOT Report: 5 Plead Guilty in Ongoing Cyber Espionage Case, SEC Drops SolarWinds’ Case

November 26, 2025

5 minute read

[Image: a shadowed and hooded figure stands out in the corner of a string of binary columns]

The DOT Report is a monthly news series from DOT Security that covers the biggest stories and headlines in cybersecurity. Each edition offers a closer look at the real-world impact of breaches, malware campaigns, and digital deception.

This month, we examine Microsoft’s mitigation of a record-breaking 15.72 Tbps DDoS attack, the guilty pleas in a North Korean IT worker fraud case, the SEC’s decision to drop its long-running SolarWinds case, and a sophisticated malware campaign, TamperedChef, that hides in fake software installers.

These stories highlight the full spectrum of modern threats — from massive infrastructure attacks and geopolitical cybercrime to regulatory scrutiny and industrialized supply chain malware. Let’s dive into November’s most pressing cybersecurity headlines.

For even more cybersecurity news from The DOT Report, check out our video report on YouTube, or our podcast on Spotify, Apple Podcasts, or wherever you like to listen.

Microsoft Azure Sees 15.72 Tbps DDoS Attack

Microsoft has confirmed it recently mitigated the largest distributed denial-of-service attack ever recorded: a staggering 15.72 terabits per second aimed at Azure customers. The assault, sourced from a botnet spanning hundreds of thousands of compromised devices, used rapid-fire bursts of traffic to overwhelm public-facing endpoints.

Unlike past volumetric attacks, this one blended amplification, packet-flooding, and region-hopping patterns designed to exploit gaps in cloud-level detection.

Azure’s global backbone absorbed the brunt of the traffic, but the incident exposed an uncomfortable reality: attacks at this scale are no longer theoretical.

The operation demonstrated how consumer IoT devices, residential proxies, and even misconfigured cloud workloads have become cheap, renewable fuel for adversaries looking to flood infrastructure with unprecedented force.

Microsoft is framing the event as evidence of a broader shift toward planet-scale DDoS activity, where attackers leverage automation to spin up attacks faster than defenders can trace or scrub them. Even though Azure remained online, the numbers indicate that volumetric pressure is outpacing the defensive growth curve, especially for organizations relying on smaller cloud providers or hybrid deployments without comparable global redundancy.

5 Plead Guilty in Ongoing Cyber-Espionage Case

Federal prosecutors announced guilty pleas from five U.S.-based individuals who helped North Korean IT workers infiltrate American companies using stolen and rented identities.

According to the DOJ, the group handled everything from acquiring legitimate U.S. identities to hosting employer-issued laptops, spoofing domestic login locations, and even appearing for drug tests on behalf of DPRK workers to pass onboarding.

Investigators linked the network to fraudulent employment at more than 130 U.S. companies, with roughly $3.2 million in combined earnings funneled through the scheme.

Authorities say the money ultimately supported North Korea’s sanctioned cyber and weapons programs. The case illustrates how remote work and identity-as-a-service marketplaces have become critical tools for state-backed operatives seeking access to U.S. corporate environments — without ever breaching a network in the traditional sense.

The pleas also show the scale of the operation’s infrastructure, detailing prepaid wireless accounts, fake residential addresses, mule bank accounts, and encrypted comms channels all woven together to disguise the workers’ true locations and affiliations.

Prosecutors emphasized that the network operated like a full-service backend for DPRK cyber operators, making the case one of the most detailed examples yet of how North Korean IT labor quietly embeds itself inside the U.S. economy.

SEC Drops Longstanding SolarWinds Case

After nearly three years of litigation, the SEC has officially dropped its case against SolarWinds and its former CISO. The agency had alleged the company misled investors about its cybersecurity practices prior to the 2020 supply-chain compromise — a case that drew scrutiny across the industry for its potential to set strict precedents around cybersecurity disclosures.

The SEC’s decision underscores the challenges regulators face when interpreting what constitutes “reasonable” communication about cyber risk. Companies argued that the expectations for disclosure were ambiguous and difficult to meet, given the unpredictable nature of cyber threats. By ending the case, the SEC avoids establishing a standard that could have held executives personally liable for unforeseen incidents, but the move also leaves ongoing questions about how companies should report vulnerabilities and breaches.

The closure of the SolarWinds case provides some clarity for executives and boards, yet it highlights a persistent tension: balancing transparency with investors against the practical realities of defending against sophisticated attacks. For security leaders and corporate officers, the case remains a cautionary tale about the scrutiny and legal exposure surrounding cyber risk communication in high-profile incidents.

TamperedChef Malware Targets

Security researchers uncovered a global malvertising campaign distributing a malware called TamperedChef through bogus software installers. Instead of using traditional exploit kits, the attackers pose as legitimate software providers, offering PDF editors, utilities, and other everyday tools to trick users into downloading their payload.

The installers are signed with seemingly legitimate digital certificates issued to shell companies in the U.S., Panama, and Malaysia, giving them an added layer of credibility that helps evade security checks.

Once installed, TamperedChef drops an XML file that creates a scheduled Windows task, launching an obfuscated JavaScript backdoor. From there, it collects machine identifiers, session details, and other metadata, transmitting the information in encrypted JSON over HTTPS.

In some cases, it also functions as an info-stealer, harvesting browser credentials and cookies to deepen access and persistence.
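The persistence step described above (an XML task definition that launches a script host running an obfuscated JavaScript file) leaves a reviewable artifact: the Task Scheduler XML itself, which can be exported with `schtasks /query /xml` or read from `C:\Windows\System32\Tasks`. The following triage script is an added example written for this post, not code from DOT Security or from the researchers who documented TamperedChef. It parses task XML, flags actions that use a script interpreter, reference a script file, or run from a user-writable path, and only counts a logon/boot trigger as a finding when it is combined with one of those action-level signals. The two task definitions are constructed samples; the paths, task names and file names in them are invented and are not indicators from the campaign.

```python
"""Triage Windows Task Scheduler XML for script-host persistence (added example)."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 XML exports and the on-disk task files
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters that commonly host script-based backdoors
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
# Script file extensions worth a second look when passed to an action
SCRIPT_FILE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)
# Directories any user can write to; vendor services rarely execute from here
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)
# Triggers that re-run a task at every logon/boot or immediately on registration
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger", "RegistrationTrigger"}


def _local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def triage_task_xml(xml_text):
    """Parse one task definition and return its actions, triggers and findings."""
    root = ET.fromstring(xml_text)
    reasons, actions = [], []

    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip().strip('"')
        args = (exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))

        exe = cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host: {exe}")
        if SCRIPT_FILE.search(args):
            reasons.append("script file passed as argument")
        if USER_WRITABLE.search(cmd + " " + args):
            reasons.append("runs from user-writable path")

    triggers = [_local_name(t.tag) for t in root.findall(".//t:Triggers/*", TASK_NS)]
    # A logon/boot trigger is normal on its own; it matters when paired with a script-host action
    if reasons and any(t in PERSISTENCE_TRIGGERS for t in triggers):
        reasons.append("persistence trigger: " + ", ".join(triggers))

    return {"actions": actions, "triggers": triggers, "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample: a logon task that runs a hidden script-host job from ProgramData.
# Every name and path here is invented for the example.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B //NoLogo "C:\\ProgramData\\ExamplePdfTool\\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a scheduled vendor updater with nothing unusual about it.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
      <Arguments>--check</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        result = triage_task_xml(xml_text)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```

The checks are deliberately coarse: a script host launched from a user-writable directory on every logon is worth an analyst's attention regardless of what the script does, and the verdict does not depend on deobfuscating the JavaScript. Running this over an export of all tasks on a host (or over the task-creation events a SIEM already collects) gives a short list to review rather than a catch-all rule.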

The campaign’s infrastructure is highly industrialized. Operators use SEO poisoning, poisoned search ads, and software names that mirror legitimate tools, targeting everyday search queries like “PDF editor.” Certificates are continually rotated as old ones are revoked, ensuring the malware remains trusted in appearance.

Healthcare, manufacturing, and construction are among the most impacted sectors, reflecting a chilling strategy: attackers weaponize the very searches users perform to find tools and product manuals, turning everyday workflows into attack vectors.

The DOT Report Signing Off

From state-backed cyber schemes to high-scale malware campaigns, this month’s stories show that digital risk is increasingly complex and interconnected.

Whether it’s the exploitation of trust, the weaponization of everyday software, or the manipulation of global IT infrastructure, each story reminds us that security isn’t just about technology — it’s about strategy, vigilance, and informed decision-making.

Stay alert, stay informed, and check back next month for another round of analysis and insight from the frontline of cybersecurity.