Rapper Bot Mirai-based DDoS botnet activity
Malware Activity
Summary
The Rapper Bot Mirai-based botnet was documented as active at scale: it could marshal 2 to 6 Tbps of DDoS traffic against victims in 80 countries. It infected tens of thousands of DVRs and routers and later used more than 45,000 compromised devices across 39 countries to launch attacks. The operation has been active since at least 2021, and in 2023 it added a cryptomining module to increase monetization. Its scale and persistence made it a durable abuse platform rather than a one-off tool.
Related Happenings
Aisuru, KimWolf, JackSkid, and Mossad botnet C2 takedown
Law Enforcement
First: 20.03.2026 10:05
Last: 20.03.2026 10:05
Sources 1
About this happening:
The **U.S. Department of Justice** announced the arrest of **Jacob Butler (aka Dort)**, a **23-year-old** in **Ottawa, Canada**, for allegedly developing and operating the **Kimwo...
AISURU/Kimwolf hyper-volumetric DDoS botnet activity
Malware Activity
First: 05.02.2026 19:25
Last: 05.02.2026 19:25
Sources 1
About this happening:
The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies
Campaign
First: 29.01.2026 16:55
Last: 29.01.2026 16:55
Sources 1
About this happening:
The **Aisuru/Kimwolf botnet** campaign expanded in **late 2025** with **Kimwolf**, a **DDoS botnet** compiled using the **NDK**, and evidence linking it to **AISURU** through shar...
Latest development: 20.03.2026 02:49
The U.S. Justice Department, with authorities in Canada and Germany, dismantled infrastructure behind Aisuru, Kimwolf, JackSkid and Mossad, seized U.S.-registered domains and virtual servers used in DDoS attacks against DoD Internet addresses, and said the action was intended to prevent further infections and future attacks.
Kimwolf Android botnet expands proxy-relay operations to over 2 million devices
Malware Activity
First: 05.01.2026 18:41
Last: 05.01.2026 18:41
Sources 1
About this happening:
The **Kimwolf** **Android botnet** continued to evolve as a **proxy-relay** and **DDoS** operation built on **more than 2 million infected devices**, with abuse of **exposed ADB**...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice announced a court-authorized law-enforcement operation that disrupted command-and-control (C2) infrastructure used by the IoT botnets AISURU, Kimwolf, JackSkid, and Mossad, with assistance from Canada, Germany, and private sector firms including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. The botnets were linked to distributed denial-of-service (DDoS) attacks targeting victims worldwide and to more than 2 million Android devices; together, the four botnets were estimated to have infected no fewer than 3 million devices worldwide.
RondoDox edge-device exploitation wave
Exploitation Wave
First: 10.10.2025 22:22
Last: 10.10.2025 22:22
Sources 1
About this happening:
**RondoDox** is broadening its **edge-device exploitation** wave, with Trend Micro reporting an **exploit shotgun** approach against **more than 50 vulnerabilities** across **over...
Latest development: 13.10.2025 13:12
Trend Micro says RondoDox expanded its targeting to more than 50 vulnerabilities across over 30 vendors, including routers, DVRs, NVRs, CCTV systems, web servers, and other internet-exposed network devices. The campaign also broadened distribution through a loader-as-a-service setup that co-packages RondoDox with Mirai/Morte payloads.
Timeline
- 20.08.2025 20:40 · 1 article · 9mo ago
Rapper Bot Mirai-based DDoS botnet activity
Initial Disclosure
The botnet's earliest documented phase centered on compromising **DVRs** and **router devices** to build a rented **Mirai-based** DDoS mesh.
Sources:
- “Rapper Bot” malware seized, alleged developer identified and charged — www.bleepingcomputer.com — 20.08.2025 20:40