DigiCert warns of prolonged online demand & attacks

DigiCert has published its Q4 2025 RADAR Threat Intelligence Brief, reporting sustained pressure on internet infrastructure alongside an increase in cyber threats during the year-end period.

The brief draws on network telemetry from DigiCert's security platform, including UltraDNS, UltraDDoS Protect, and UltraWAF. DigiCert said the data set covers trillions of network events.

DigiCert said the fourth quarter combined high levels of consumer and business online activity with a measurable rise in malicious behaviour. It said the combination changed the character of peak season operations for many organisations.

Traffic patterns

DigiCert reported that demand for online content stayed elevated throughout the quarter. It said internet traffic showed consistently high growth across the period. It also identified short spikes around major events.

The company said DNS usage patterns suggested a shift away from short bursts of heavy demand. It described longer stretches of sustained load that lasted weeks rather than days. It said there was no clear "off-peak" during busy seasons.

DigiCert also pointed to specific DNS signals that stayed above normal levels. It cited NXDOMAIN requests, which represent failed lookups. It also cited queries from automation tools.

In the brief, DigiCert associated those signals with persistent internet scanning, repeated failed requests linked to misconfigured systems, and automated probing activity. It characterised the activity as ongoing background pressure on DNS infrastructure.

DDoS trends

DigiCert said distributed denial-of-service activity intensified as the quarter progressed. It reported increases in the frequency, scale, and duration of attacks.

The company described a change in attacker behaviour. It said incidents increasingly ran longer and aimed for sustained pressure rather than short-lived disruption. DigiCert linked that approach to attempts to wear down infrastructure and defences over time.

The brief framed extended DDoS attacks as an operational challenge. DigiCert said prolonged incidents can degrade performance even without causing full outages. It also said longer-running attacks can increase costs and extend customer impact.

Application attacks

DigiCert said web application threats remained highly automated. It said activity focused on ongoing probing rather than one-off disruptive events.

It reported that attackers repeatedly tested application responses using automated tools. It cited techniques such as cookie manipulation. DigiCert said the goal appeared to be the discovery of weaknesses over time.

The company said volumes fluctuated, but the behaviour remained consistent. It described persistent testing and reconnaissance that blends into normal-looking traffic patterns.

Company view

DigiCert's brief positioned the quarter's findings as part of a broader shift in how organisations experience internet load and security risk during peak seasons.

"What Q4 reinforces is that resilience is no longer about absorbing isolated spikes in traffic and attacks," said Michael Smith, AppSec CTO, DigiCert. "With the ever-increasing scale of internet bandwidth and the creation of the Aisuru and Kimwolf botnets, organisations must be prepared to operate under prolonged demand and sustained attack pressure across DNS, network, and application layers simultaneously."

DigiCert said RADAR stands for Risk Analysis, Detection, and Attack Reconnaissance. It said the report is published quarterly and draws on global network data from its platform.

The company described RADAR as a source of threat intelligence designed for operational decision-making. It said the publication distils key trends and provides guidance on anticipating risks and aligning defences.

DigiCert said the Q4 brief reflected an environment in which sustained demand and sustained malicious activity can overlap. It said organisations should plan for prolonged periods of pressure across multiple layers of internet infrastructure.