Intelligent CISO Issue 99 | Page 9

CISO news

NETSCOUT says South African infrastructure attacks reflect growing DDoS threat

Recent Distributed Denial-of-Service (DDoS) attacks targeting South African Internet infrastructure providers, web hosting companies and connectivity services reflect a broader escalation in both the scale and sophistication of cyberthreats facing the country’s digital economy, according to NETSCOUT.

The warning follows a wave of high-profile local incidents that reportedly disrupted hosting providers, ISPs and Internet infrastructure services across the country, raising concerns around increasingly coordinated and potentially extortion-linked DDoS activity.
“The recent incidents impacting South African infrastructure providers demonstrate how DDoS campaigns are evolving beyond isolated disruptions into broader attacks against critical digital ecosystems,” states Bryan Hamman, Area Vice President for Africa, NETSCOUT. “Attackers are deploying multi-vector DDoS attacks, combining multiple techniques within a single incident to overwhelm defences. This continues the shift toward more adaptive and harder-to-mitigate attack strategies.”
Recent insights from NETSCOUT’s Threat Intelligence Report for the second half of 2025 showed that South Africa has become one of the most targeted countries globally for DDoS attacks against several key industries.
Between July and December 2025, South Africa recorded 171,812 DDoS attacks, highlighting the scale of the local threat landscape. The average attack duration exceeded 74 minutes, increasing the risk of prolonged service disruption.
Within the broader Europe, Middle East and Africa (EMEA) region, South Africa was also ranked as the fifth most targeted country for DDoS attacks over the period, stressing the country’s growing exposure within the regional cyberthreat landscape.

Proofpoint identifies expanding China-aligned cybercrime threat actor

Proofpoint researchers have identified a rapidly evolving suspected China-aligned cybercrime threat actor that is expanding its operations across Europe and Africa while adopting new malware, social engineering techniques and AI-assisted development methods.
Proofpoint researchers have published new research detailing the activities of TA4922, a suspected China-aligned cybercrime threat actor that is rapidly expanding its global operations.

Historically focused on Japan and other Asian countries, TA4922 is increasingly targeting organisations in the UK, Germany, Italy and South Africa. Researchers said the actor combines sophisticated malware development, localised lures, credential phishing, fraud schemes and legitimate remote management tools to gain access to victim environments while evading detection.
In the UK, one campaign primarily targeted organisations by impersonating tax authorities and referencing VAT filings, payroll tax documentation and regulatory compliance requirements. A second campaign used benefits and compliance-themed lures that impersonated government and universal benefits services.
Proofpoint said the threat actor has recently expanded its malware arsenal with new families including Atlas RAT, RomulusLoader and SilentRunLoader, while continuing to deploy variants of ValleyRAT, also known as Winos4.0.
Researchers also observed the use of legitimate remote management tools such as AnyDesk and SyncFuture alongside malware, complicating detection and response efforts.
Proofpoint assesses with high confidence that some of TA4922’s newer Python-based malware is likely being developed with the assistance of large language models.
The research highlights the growing sophistication of the Chinese-speaking cybercrime ecosystem and the increasing capabilities of financially motivated threat actors.