In today's Security Sunday, we'll look at the largest DDoS attack ever recorded, "Grokking" on the X platform, APT28's NotDoor malware, and 120 security bugs fixed in Android.
Cloudflare successfully blocked the largest volumetric DDoS attack ever recorded, reaching 11.5 terabits per second (Tbps). Interestingly, this massive cyberattack only lasted 35 seconds.
It was characterized as a UDP flood, generating 5.1 billion packets per second. To put this into perspective, this volume of data is equivalent to streaming more than 9,350 HD movies, or 7,480 hours of HD video, nonstop in less than a minute.
Cloudflare initially stated that the attack primarily originated from Google Cloud infrastructure. However, the company later corrected this statement, saying that the attack actually originated from a combination of several IoT devices and cloud providers. Google Cloud was only one source, not the main one.
This attack is nearly 60% higher than the previous record of 7.3 Tbps, which Cloudflare blocked in June 2025.
"Cloudflare's defenses are working at full capacity. Over the past few weeks, we have autonomously blocked hundreds of hyper-volumetric DDoS attacks," said Cloudflare.

"Grokking" on the X Platform
Security researchers at Guardio Labs have discovered that cybercriminals are using a new technique called "Grokking" to bypass X's protections against malicious advertising.
The technique involves several steps. First, attackers create paid advertising posts containing controversial or adult-oriented video content designed to attract attention and generate as much interaction as possible while appearing legitimate. The key element is placing a malicious link in the "From:" field of the video player's metadata. This field is a blind spot in X's security architecture: it is not routinely scanned by the automated systems that check post content, so it offers a convenient hiding place for dangerous links.
The attackers then tag the Grok AI assistant with questions such as "Where is this video from?" or similar queries. Grok, which is designed to be helpful and informative, automatically analyzes the post's metadata and displays the link found in the hidden "From:" field in its response.
Once Grok displays the malicious link, the content gains a whole new level of legitimacy. The link is now shared by the trusted Grok system account, which gives the link authority and credibility that it would never have gained if shared directly by the attackers.
Thanks to millions of views and interactions, the malicious link gains significantly higher search engine rankings and a better domain reputation. This allows malicious content, which should be blocked automatically by Platform X, to reach millions of users' feeds and search results.
Finally, attackers direct users to suspicious ad networks, where they may be exposed to further threats, ranging from malware to phishing attacks.
This technique is a sophisticated way to exploit AI systems and circumvent security measures. Attackers exploit trust in the AI assistant to lend legitimacy to malicious links that would otherwise be blocked automatically.
APT28 is attacking with NotDoor malware
The Russian state-sponsored hacking group APT28 has been identified as the source of a new, sophisticated attack that uses a backdoor called NotDoor to target Microsoft Outlook.
NotDoor is a Visual Basic for Applications (VBA) macro designed to monitor incoming emails and detect specific trigger words. When an email with the appropriate trigger is detected, the malware enables the attacker to exfiltrate data from the compromised system, upload files to the target computer, and execute commands remotely.
NotDoor creates a working folder in the %TEMP%\Temp path to store TXT files during the operation and subsequently exfiltrate them to a Proton Mail address. Incoming messages are analyzed for trigger strings, such as "Daily Report."
Exfiltrated files are encrypted using the malware's encryption algorithm, sent via email, and deleted from the system.
The group targets companies in NATO countries across various sectors.
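As a defender-side illustration of the behaviour described above, here is an added Python example (not part of the article and not a published detection rule) that correlates two constructed telemetry streams: TXT files written to the %TEMP%\Temp working folder, followed shortly by outbound mail with attachments to a Proton Mail domain. The event format, hostnames, timestamps and addresses are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry: endpoint file-creation events and mail-gateway
# outbound events from a hypothetical export. Not real data.
FILE_EVENTS = [
    {"host": "WS-17", "ts": "2025-09-07T09:12:03", "path": r"C:\Users\anna\AppData\Local\Temp\Temp\r1.txt"},
    {"host": "WS-17", "ts": "2025-09-07T09:12:05", "path": r"C:\Users\anna\AppData\Local\Temp\Temp\r2.txt"},
    {"host": "WS-04", "ts": "2025-09-07T10:00:00", "path": r"C:\Users\bob\AppData\Local\Temp\setup.txt"},
]
MAIL_EVENTS = [
    {"host": "WS-17", "ts": "2025-09-07T09:14:40", "to": "drop.box@proton.me", "attachments": 2},
    {"host": "WS-04", "ts": "2025-09-07T10:01:00", "to": "colleague@example.com", "attachments": 1},
    {"host": "WS-17", "ts": "2025-09-07T15:00:00", "to": "friend@protonmail.com", "attachments": 0},
]

# The article describes a working folder at %TEMP%\Temp holding TXT staging files.
# Matching on "\Temp\Temp\<name>.txt" covers both per-user and system %TEMP% roots.
STAGING_RE = re.compile(r"\\Temp\\Temp\\[^\\]+\.txt$", re.IGNORECASE)
# Domains used by Proton Mail addresses (the article only says "a Proton Mail address").
PROTON_DOMAINS = {"proton.me", "protonmail.com"}


def is_staging_write(path: str) -> bool:
    """True if a file-creation event lands in the %TEMP%\\Temp staging folder as a TXT file."""
    return bool(STAGING_RE.search(path))


def to_proton(address: str) -> bool:
    """True if the recipient's domain is a Proton Mail domain."""
    return address.rsplit("@", 1)[-1].lower() in PROTON_DOMAINS


def correlate(file_events, mail_events, window=timedelta(minutes=30)):
    """Alert on outbound mail with attachments to a Proton Mail address sent from a
    host that wrote TXT files into %TEMP%\\Temp within `window` before the send."""
    staged = {}
    for ev in file_events:
        if is_staging_write(ev["path"]):
            staged.setdefault(ev["host"], []).append(datetime.fromisoformat(ev["ts"]))
    alerts = []
    for m in mail_events:
        if m["attachments"] == 0 or not to_proton(m["to"]):
            continue
        sent = datetime.fromisoformat(m["ts"])
        if any(timedelta(0) <= (sent - t) <= window for t in staged.get(m["host"], [])):
            alerts.append((m["host"], m["to"], m["ts"]))
    return alerts
```

The time window and the attachment requirement are the two knobs that keep ordinary Proton Mail correspondence from alerting; tune them to your own mail volume.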
Google fixed 120 security bugs in Android
The tech giant just released its September security patches for Android, addressing a total of 120 vulnerabilities. The most notable aspect of this update is that two of the vulnerabilities being addressed were already being exploited in targeted attacks.
Two of the fixed bugs stand out in particular: CVE-2025-38352, which has a CVSS score of 7.4 and is a kernel vulnerability that allows privilege escalation; and CVE-2025-48543, a similar bug in the Android Runtime component.
These vulnerabilities are dangerous because they allow attackers to gain higher system privileges without additional permissions. Furthermore, no user interaction is required to exploit them.
While Google has not disclosed exactly how these bugs were exploited, the company has confirmed "limited, targeted exploitation." This typically indicates sophisticated attacks targeting specific individuals or organizations.
Google recommends that all partners implement a complete set of fixes and use the latest security patches. For regular users, this means updating as soon as possible.