CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure

First reported
Last updated
6 unique sources, 20 articles

Summary

Hide ▲

The **Aisuru/Kimwolf botnet ecosystem** has reached a **critical disruption milestone** after a **multi-national law enforcement operation** led by the **U.S. Department of Justice (DoJ)**, alongside **Canadian and German authorities**, successfully **dismantled the command-and-control (C2) infrastructure** of four interconnected botnets—**AISURU, Kimwolf, JackSkid, and Mossad**—on **March 20, 2026**. This **court-authorized takedown**, supported by **18+ tech firms** (including Akamai, Cloudflare, Google, AWS, and Oracle), targeted the botnets’ **3 million+ infected devices** (including **2 million+ Android TVs, routers, DVRs, and IoT cameras**), which had been weaponized to launch **record-breaking DDoS attacks** (e.g., **31.4 Tbps in November 2025**) and **hyper-volumetric campaigns** averaging **3 Bpps, 4 Tbps, and 54 Mrps**. The botnets’ **cybercrime-as-a-service model** enabled operators to sell access to compromised devices for **DDoS extortion, residential proxy monetization, and lateral movement in corporate/government networks**, with **hundreds of thousands of attack commands** issued across sectors like **telecom, gaming, IT, and critical infrastructure**. The disruption **severed C2 communications**, aiming to **prevent further infections** and **eliminate the botnets’ ability to launch future attacks**, including those targeting **U.S. Department of Defense (DoD) networks**. Despite this **first major law enforcement strike**, **persistent infections and operator evasion tactics** (e.g., **ENS-based C2, decentralized proxy abuse**) underscore the **ongoing challenge of full eradication**. Prior milestones include the botnets’ **accidental Sybil attack on the I2P anonymity network** (February 2026), their **exploitation of residential proxy networks (IPIDEA)** for internal network infiltration (January 2026), and **Google’s takedown of IPIDEA** (January 29, 2026), which reduced millions of proxy exit nodes. The DoJ’s action follows a **year of escalating hyper-volumetric attacks**, including **Cloudflare’s mitigation of 47.1 million DDoS attacks in 2025** (a **100% YoY increase**) and **Akamai’s reports of attacks exceeding 30 Tbps/14 Bpps**. While the operation marks a **significant blow to the botnets’ operational capacity**, their **adaptive resilience** and **global scale of infections** demand continued vigilance.

Timeline

  1. 20.03.2026 08:25 2 articles · 1d ago

    U.S. DoJ disrupts AISURU/Kimwolf botnet C2 infrastructure in multi-national operation

    On **March 20, 2026**, the **U.S. Department of Justice (DoJ)**, in coordination with **German and Canadian authorities**, executed a **court-authorized disruption** of the **command-and-control (C2) infrastructure** underpinning the **AISURU, Kimwolf, JackSkid, and Mossad botnets**. This operation, supported by **18+ private sector partners** (Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, etc.), targeted the botnets’ **collective infection of 3 million+ devices** (including **2 million+ Android TVs, routers, DVRs, and IoT cameras**), which had been used to launch **hundreds of thousands of DDoS attacks**, including **record-breaking campaigns** (e.g., **31.4 Tbps in November 2025**) and **hyper-volumetric assaults** averaging **3 Bpps, 4 Tbps, and 54 Mrps**. **Key actions and findings include:** - **Hundreds of thousands of DDoS attack commands** were traced to the botnets: **AISURU (>200K)**, **Kimwolf (>25K)**, **JackSkid (>90K)**, and **Mossad (>1K)**, with attacks exceeding **30 Tbps, 14 Bpps, and 300 Mrps** (per Akamai). - **Cybercrime-as-a-service model**: Operators sold access to infected devices for **DDoS extortion, residential proxy services, and lateral movement in corporate/government networks**, with **Kimwolf/JackSkid exploiting residential proxy networks** (e.g., **IPIDEA**) to bypass firewalls and infiltrate **internal systems**. - **Systemic impact**: The botnets’ attacks **crippled ISPs, cloud providers, and critical infrastructure**, including **U.S. Department of Defense Information Network (DoDIN) IP addresses**, with **collateral traffic disrupting uninvolved networks** and enabling **secondary exploits** (e.g., **credential stuffing, AI-driven scraping**). - **Cross-border collaboration**: The disruption leveraged **court orders, domain seizures, and technical enforcement** (e.g., **Google Play Protect**) to sever C2 channels, marking the **first major law enforcement strike** against this ecosystem. However, **persistent infections and adaptive tactics** (e.g., **ENS-based C2, decentralized proxy abuse**) remain ongoing threats, necessitating **continued mitigation efforts**. **New details from the article:** - The operation **targeted virtual servers, internet domains, and other infrastructure** to **prevent further infections** and **limit or eliminate the botnets’ ability to launch future attacks**. - Akamai emphasized that the botnets’ attacks could **overwhelm high-capacity cloud-based mitigation services** and **cripple core internet infrastructure**, with cybercriminals using them for **extortion campaigns** demanding payments from victims. - The botnets’ **collective scale** (3M+ devices) and **attack volume** (e.g., **15.72 Tbps against Microsoft Azure in November 2025**) underscore their **unprecedented threat to global internet stability**.

    Show sources
    Open in new tab
  2. 11.02.2026 18:08 1 articles · 1mo ago

    Kimwolf botnet disrupts I2P anonymity network via Sybil attack

    On **February 3, 2026**, the **Kimwolf botnet** disrupted the **Invisible Internet Project (I2P)**, a decentralized anonymity network, by attempting to integrate **700,000 infected devices** as nodes. The sudden influx—**35–46x I2P’s normal size** (15,000–20,000 devices)—triggered a **Sybil attack**, overwhelming the network and reducing its capacity to **~50%**. Legitimate users reported **widespread connectivity failures**, with routers freezing under **60,000+ connections**. Kimwolf’s operators **admitted the disruption was accidental** in a Discord post, revealing it stemmed from tests to use **I2P (and Tor) as backup command-and-control (C2) channels** after recent takedowns of their primary infrastructure. The incident marks the botnet’s **first known impact on privacy-focused infrastructure**, expanding its threat beyond DDoS and proxy monetization. **Collateral developments include:** - **Internal operator conflicts** led to a **>600,000-device reduction** in Kimwolf’s scale, as less experienced members caused critical errors. - I2P’s recovery efforts are ongoing, with a **software update planned** to restore stability within the week. - The botnet’s **C2 experimentation** underscores its **evolving tactics** to maintain resilience, now targeting **anonymity networks** as fallback infrastructure.

    Show sources
    Open in new tab
  3. 05.02.2026 19:25 1 articles · 1mo ago

    AISURU/Kimwolf botnet launches 31.4 Tbps attack and holiday DDoS campaign

    In **November 2025**, the AISURU/Kimwolf botnet conducted a **record-breaking 31.4 Tbps DDoS attack**, lasting **35 seconds** and mitigated by Cloudflare. This attack was part of a **surge in hyper-volumetric activity**, with Cloudflare reporting **47.1 million DDoS attacks mitigated in 2025**—a **100% increase** over 2024—including **34.4 million network-layer attacks** (78% of Q4 2025’s total). Hyper-volumetric incidents grew **40% QoQ in Q4**, from **1,304 to 1,824 attacks**, with a **700% size increase** compared to late 2024. The botnet also executed a **holiday-themed campaign codenamed *The Night Before Christmas*** (December 19, 2025), featuring **average attack rates of 3 Bpps, 4 Tbps, and 54 Mrps**, with peaks of **9 Bpps, 24 Tbps, and 205 Mrps**. These attacks leveraged **over 2 million compromised Android devices** (primarily off-brand TVs) tunneling through **residential proxy networks like IPIDEA**, which Google disrupted in January 2026 via **legal action and Play Protect enforcement**. **New infrastructure details** reveal IPIDEA enrolled devices using **600+ trojanized Android apps** and **3,000+ malicious Windows binaries** (e.g., fake OneDriveSync updates), while operating **a dozen proxy brands** under a **centralized command structure**. The botnet’s **expanded targeting** in Q4 2025 prioritized **telecommunications, IT, gambling, and gaming sectors**, with **Bangladesh overtaking Indonesia** as the top attack source. Despite mitigations, the botnet’s **persistent infrastructure and evolving tactics**—including **ENS-based C2 and proxy-driven lateral movement**—continue to pose **unprecedented risks to global internet stability and enterprise security**.

    Show sources
    Open in new tab
  4. 29.01.2026 19:15 1 articles · 1mo ago

    Google disrupts IPIDEA proxy network enabling Aisuru/Kimwolf operations

    On **January 29, 2026**, Google’s Threat Intelligence Group (GTIG) led a **coordinated disruption of IPIDEA**, one of the largest residential proxy networks enabling the **Aisuru and Kimwolf botnets**. The operation combined **legal action to seize command domains** and **technical enforcement via Google Play Protect**, which now **blocks/removes apps using IPIDEA SDKs** and prevents future installations on certified Android devices. IPIDEA’s infrastructure had been **instrumental in Kimwolf’s lateral movement**, with its proxies detected in **298 government networks (including U.S. DoD), 318 utilities, and 166 healthcare providers**. The disruption **reduced IPIDEA’s pool of proxy devices by millions**, directly impacting **over 550 tracked threat groups**—including actors linked to **China, DPRK, Iran, and Russia**—who relied on its exit nodes for **SaaS account hijacking, password spray attacks, and internal network exploitation**. IPIDEA’s SDKs were embedded in **Aisuru, Kimwolf, and BadBox 2.0**, often marketed as **legitimate app monetization tools** while covertly turning devices into proxy exit nodes. The takedown also revealed that **multiple proxy/VPN brands**, presented as independent businesses, were **controlled by the same actors behind IPIDEA**, exposing a **grey market of residential proxy abuse**. While the action **degrades a key enabler of botnet resilience**, Google emphasized the need for **continued industry collaboration** to address **persistent infections** and **emerging proxy-driven threats**.

    Show sources
    Open in new tab
  5. 20.01.2026 20:19 2 articles · 1mo ago

    Kimwolf botnet infiltrates government and corporate networks via proxy abuse

    In **January 2026**, research from **Infoblox, Synthient, and Spur** revealed that the **Kimwolf botnet** had achieved **widespread infiltration of government and corporate networks** by exploiting **residential proxy services** (primarily **IPIDEA**) to relay malicious commands into internal systems. Nearly **25% of Infoblox’s enterprise customers** queried Kimwolf-related domains since October 1, 2025, indicating exposure across **government, healthcare, finance, and education sectors**. **Key findings include:** - **33,000 IPIDEA proxy endpoints** detected in **universities and colleges**, and **8,000 endpoints in U.S. and foreign government networks**, with Spur identifying proxies in **298 government-owned networks (including U.S. Department of Defense), 318 utilities, 166 healthcare providers, and 141 financial institutions**. - Kimwolf’s **lateral movement tactic** leverages **compromised Android TV boxes** (often pre-loaded with proxy malware) and **exposed ADB services** to scan and infect other vulnerable devices on local networks. Proxy providers like IPIDEA attempted mitigations in late 2025, but **millions of devices remain infected**, sustaining the risk of **internal network exploitation**. - The botnet’s **enterprise infiltration** demonstrates how **residential proxy abuse** can enable **cross-sector intrusion risks**, with infected devices serving as beachheads for **reconnaissance and secondary attacks** behind organizational firewalls. This marks a shift from Kimwolf’s initial focus on **consumer DDoS** to **targeted compromise of critical infrastructure**, amplifying systemic risks to **supply chain and operational security**. **New Development (January 29, 2026):** Google and industry partners **disrupted IPIDEA**, the primary residential proxy network enabling Kimwolf/Aisuru operations, via **court-ordered takedowns of command domains** and **Google Play Protect enforcement** to block/remove apps embedding IPIDEA SDKs. The action **reduced IPIDEA’s proxy device pool by millions**, impacting **550+ threat groups**—including state-linked actors—who used its infrastructure for **SaaS hijacking, credential stuffing, and lateral movement in compromised networks**. While this disrupts a critical vector for the botnets’ **proxy-driven monetization**, **persistent infections** underscore the need for ongoing mitigation efforts.

    Show sources
    Open in new tab
  6. 17.12.2025 20:09 4 articles · 3mo ago

    Kimwolf botnet emerges as Aisuru sibling, hijacks 1.8M Android devices

    The **Kimwolf botnet** was discovered in December 2025, initially hijacking **1.8 million Android TVs/set-top boxes** but now expanded to **over 2 million infected devices** by exploiting **exposed Android Debug Bridge (ADB)** services and tunneling through residential proxy networks. Operated by the **same hacker group** as Aisuru (Snow, Tom, Forky), Kimwolf shares **code, infrastructure, and a common downloader server (93.95.112[.]59)**, with **96% of commands** dedicated to **proxy services** (via **ByteConnect SDK** and **Rust modules**). Since October 2025, **over 550 Kimwolf/Aisuru C2 nodes** were **null-routed** by Black Lotus Labs, including domains like *greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132[.]su* (hosted on **Resi Rack LLC**, a Utah provider tied to a **Discord proxy marketplace**). Kimwolf’s infrastructure **scanned PYPROXY services** (October 20–November 6, 2025) to exploit a flaw enabling internal network access, fueling a **300% bot surge** (800K new devices in a week) sold via **resi[.]to**. The botnet’s **C2 domains migrated between Resi Rack IPs** (e.g., *104.171.170[.]21 → 104.171.170[.]201*) post-takedown, with traffic spiking to **176.65.149[.]19:25565**, a malware host shared with Aisuru. **New Developments (February 2026):** - Kimwolf **disrupted the I2P anonymity network** (February 3, 2026) by attempting to join **700,000 infected devices** as nodes, overwhelming the network’s **15,000–20,000-device capacity** and triggering a **Sybil attack** that reduced I2P’s functionality to **~50%**. Operators admitted the disruption was accidental via Discord, stemming from tests to use I2P (and Tor) as **backup C2 channels** to evade takedowns. - **Internal disputes** among Kimwolf’s team led to a **>600,000-device reduction** in the botnet’s scale, with less experienced operators causing critical errors. I2P’s recovery is underway, with a planned software update to restore stability. - The botnet’s **expanded C2 experimentation** highlights its **adaptive resilience**, combining **decentralized anonymity networks** with **residential proxy abuse** and **hyper-volumetric DDoS** to sustain operations despite mitigations.

    Show sources
    Open in new tab
  7. 03.12.2025 16:01 4 articles · 3mo ago

    Aisuru botnet sets 29.7 Tbps DDoS record with expanded targets

    In Q3 2025, the Aisuru botnet launched a **29.7 Tbps DDoS attack** (the largest recorded to date) and a **14.1 Bpps assault**, both mitigated by Cloudflare. The 29.7 Tbps attack lasted **69 seconds**, used **UDP carpet-bombing** to flood **15,000+ destination ports/second**, and was part of **1,304 hyper-volumetric incidents** in Q3—a **227% QoQ increase** for >1 Tbps attacks. Cloudflare mitigated **2,867 Aisuru attacks in 2025** (45% hyper-volumetric) and **36.2 million DDoS attacks total** (40% YoY increase), with **8.3 million blocked in Q3 alone** (15% QoQ rise). The botnet now controls **1–4 million infected hosts** (up from 700,000) and has expanded targets beyond gaming to **telecom, hosting, financial services, AI companies, and automotive sectors**. Attacks originated from **Indonesia, Thailand, Bangladesh, Vietnam, and Ecuador**, with **70% of HTTP DDoS attacks** linked to known botnets. Cloudflare averaged **3,780 mitigations/hour** in Q3, noting **347% spike in AI-sector attacks** and **automotive becoming the 6th most targeted industry**. Collateral traffic continues to disrupt **uninvolved U.S. ISPs and critical infrastructure**, underscoring systemic risks to global internet stability. **Update (February 2026):** The botnet set a **new record with a 31.4 Tbps attack** in November 2025, followed by a **holiday-themed "The Night Before Christmas" campaign** (December 19, 2025) averaging **4 Tbps/3 Bpps/54 Mrps** but peaking at **24 Tbps/9 Bpps/205 Mrps**. Cloudflare’s 2025 data shows **47.1 million DDoS attacks mitigated** (100% YoY increase), with **hyper-volumetric attacks rising 40% QoQ in Q4 2025** (1,824 incidents). The botnet’s **expanded proxy infrastructure**—partially disrupted in January 2026—now leverages **trojanized apps and ENS-based C2**, sustaining its **cross-sector threat to telecommunications, IT, and critical infrastructure**. **Update (March 2026):** The **U.S. Department of Justice (DoJ)**, with support from **Canadian/German authorities and 18+ tech firms (Akamai, AWS, Cloudflare, Google)**, **disrupted the C2 infrastructure** of AISURU and three related botnets (**Kimwolf, JackSkid, Mossad**). The operation targeted their **3 million+ infected devices** (including **2M+ Android TVs**) and **hundreds of thousands of DDoS attack commands**, citing their role in **record-breaking attacks (31.4 Tbps)** and **hyper-volumetric campaigns (3 Bpps/4 Tbps/54 Mrps average)**. The botnets’ **cybercrime-as-a-service model**—selling access for **DDoS extortion, proxy abuse, and lateral movement**—was confirmed, with **Akamai reporting attacks exceeding 30 Tbps/14 Bpps/300 Mrps**. Operator **Jacob Butler (aka Dort)** was identified but not arrested; the disruption marks the **first major law enforcement action** against this ecosystem, though **persistent infections** remain a risk.

    Show sources
    Open in new tab
  8. 17.11.2025 19:13 2 articles · 4mo ago

    Microsoft Azure hit by 15.72 Tbps DDoS attack using Aisuru botnet

    Microsoft Azure was hit by a **15.72 Tbps** DDoS attack in November 2025, followed by a **5.72 Tbps** attack on November 18—now the largest ever observed in Microsoft’s cloud. Both attacks targeted Australian endpoints using **UDP floods from 500,000+ source IPs** with minimal spoofing, simplifying traceback. The Aisuru botnet, powered by compromised IoT devices (routers, cameras, DVRs), leverages **Turbo Mirai** variants to exploit vulnerabilities in Realtek chips and firmware from manufacturers like T-Mobile and Zyxel. Aisuru’s operators have implemented **preventive measures** to avoid targeting government, law enforcement, or military infrastructure, focusing instead on online gaming and DDoS-for-hire services. The botnet’s infrastructure also supports **residential proxy networks**, enabling credential stuffing, AI-driven web scraping, and phishing. The botnet’s rapid growth stems from exploits like the **April 2025 Totolink firmware breach**, which infected ~100,000 devices.

    Show sources
    Open in new tab
  9. 06.11.2025 04:04 2 articles · 4mo ago

    Aisuru botnet manipulates Cloudflare's top domains list

    Aisuru botnet domains have repeatedly appeared in Cloudflare's top domains list, displacing legitimate sites like Amazon, Apple, Google, and Microsoft. Cloudflare redacted these domains from their top domains list to address security and brand confusion concerns. The botnet's domains were using Cloudflare's DNS server 1.1.1.1, shifting from Google's 8.8.8.8. Cloudflare's domain ranking system is based on DNS query volume, not actual web visits. Cloudflare CEO Matthew Prince confirmed that the botnet was generating excessive DNS requests to influence rankings and attack Cloudflare's DNS service. Cloudflare plans to improve its ranking algorithm to better distinguish between legitimate and malicious traffic. The botnet's domains were predominantly registered in the .su top-level domain, frequently abused for cybercrime. Cloudflare removed multiple domains linked to the Aisuru botnet from its public 'Top Domains' rankings after they began overtaking legitimate sites. Cloudflare now redacts or completely hides suspected malicious domains to avoid similar incidents in the future.

    Show sources
    Open in new tab
  10. 29.10.2025 02:51 2 articles · 4mo ago

    Aisuru botnet spreads to 700,000 IoT systems

    The Aisuru botnet has spread to at least 700,000 IoT systems, including poorly secured Internet routers and security cameras. The botnet's operators have demonstrated DDoS capabilities of nearly 30 Tbps, exceeding the mitigation capabilities of most Internet destinations. The botnet has caused significant operational impact on U.S.-based ISPs, with outbound DDoS attacks exceeding 1.5 Tbps. The botnet's operators have been actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks. The botnet's operators have been using multiple zero-day vulnerabilities in IoT devices to aid its rapid growth. The botnet's operators have been selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots. The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations. The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022. The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services. The botnet's operators have been renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic. The botnet's operators have also compromised the firmware distribution website for Totolink to expand the botnet. The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices.

    Show sources
    Open in new tab
  11. 10.10.2025 19:10 4 articles · 5mo ago

    Aisuru botnet operators rent out botnet as proxy network

    The botnet's operators have updated their malware to rent out compromised devices as residential proxies, facilitating cybercriminal activities. The botnet's operators are actively involved in the proxy network industry, enabling aggressive content scraping for AI projects. The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations. The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022. The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services. The botnet's operators have been renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic. The botnet's operators have also compromised the firmware distribution website for Totolink to expand the botnet. The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices. The botnet's operators have been actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks. The botnet's operators have been using multiple zero-day vulnerabilities in IoT devices to aid its rapid growth. The botnet's operators have been selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots. **New Development:** A related botnet, **Kimwolf**, has emerged with **1.8 million infected Android TVs/set-top boxes**, sharing **code, infrastructure, and operators** with Aisuru. Kimwolf primarily focuses on **proxy services (96% of commands)** and uses **EtherHiding (ENS domains)** to evade takedowns, demonstrating the group’s **expanded monetization and resilience tactics**.

    Show sources
    Open in new tab
  12. 23.09.2025 18:58 6 articles · 5mo ago

    Cloudflare blocks 22.2 Tbps DDoS attack

    The attack was aimed at a single IP address of an unnamed European network infrastructure company. The attack was traced to over 404,000 unique source IPs across over 14 ASNs worldwide. The attack was described as a UDP carpet bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47,000 ports. The attack was conducted using the Aisuru botnet, which has been around for more than a year. **Update (December 2025):** Cloudflare later mitigated a **new record-breaking 29.7 Tbps attack** from Aisuru in Q3 2025, lasting **69 seconds** and using UDP carpet-bombing to target **15,000 destination ports/second**. This attack was part of **1,304 hyper-volumetric incidents** in Q3, marking a **227% QoQ increase** in >1 Tbps attacks. The botnet’s total infected hosts are now estimated at **1–4 million devices**, up from prior reports of 700,000.

    Show sources
    Open in new tab
  13. 02.09.2025 18:52 6 articles · 6mo ago

    Cloudflare blocks 11.5 Tbps UDP flood DDoS attack

    The attack was part of a series of hyper-volumetric DDoS attacks that have been increasing in frequency and intensity. Cloudflare's defenses have autonomously blocked hundreds of such attacks in recent weeks, with the largest reaching peaks of 5.1 Bpps, 11.5 Tbps, and now 22.2 Tbps. The attack was conducted using botnets that infected various devices with malware. Volumetric DDoS attacks can be used as a cover for more sophisticated exploits, known as 'smoke screen' attacks. The attack was actually sourced from a combination of several IoT and cloud providers, not just Google Cloud. The attack's complexity and impact on users are highlighted as critical factors, not just its magnitude. The attack occurred in mid-May right after Cloudflare's publication of its quarterly DDoS threat report. The attacks reached 6.5Tbps and delivered 4.8 billion packets per second (pps). The Aisuru botnet has been responsible for a series of increasingly massive and disruptive attacks, targeting mostly ISPs that serve online gaming communities like Minecraft. The botnet's firepower is now drawing a majority of its power from compromised IoT devices hosted on U.S. Internet providers like AT&T, Comcast, and Verizon. The botnet's operators have been renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic. The botnet's operators have also compromised the firmware distribution website for Totolink to expand the botnet. The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices. The botnet's operators have been actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks. The botnet's operators have been using multiple zero-day vulnerabilities in IoT devices to aid its rapid growth. The botnet's operators have been selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots. The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations. The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022. The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

SocksEscort Proxy Network Disrupted by Law Enforcement

Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business. The network offered access to about 369,000 different IP addresses in 163 countries since summer 2020, with the service listing nearly 8,000 infected routers as of February 2026. The compromised devices were infected through a vulnerability in the residential modems of a specific brand. International law enforcement partners executed Operation Lightning to dismantle the SocksEscort proxy service, which compromised over 360,000 routers and IoT devices in 163 countries since 2020. The operation involved seizing 34 domains and 23 servers in seven countries, freezing $3.5 million in cryptocurrency, and disconnecting all infected devices. The malware enabled various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM). The payment platform for SocksEscort received almost $6 million from proxy service customers.

Open in new tab

KadNap Botnet Hijacks ASUS Routers for Cybercrime Proxy Network

A new botnet named KadNap targets ASUS routers and other edge networking devices, turning them into proxies for malicious traffic. Since August 2025, it has grown to 14,000 devices, using a peer-to-peer network and a custom Kademlia Distributed Hash Table (DHT) protocol to evade detection. The botnet is linked to the Doppelganger proxy service, which sells access to infected devices for cybercrime activities. Most infected devices are located in the United States (60%), followed by Taiwan, Hong Kong, and Russia. The infection begins with a malicious script that downloads an ELF binary, establishing persistence via a cron job. The botnet uses NTP servers for time synchronization and a modified Kademlia protocol for communication, making it difficult to identify and disrupt the command-and-control (C2) infrastructure. Lumen Technologies has taken proactive measures to block network traffic to and from the control infrastructure, but the disruption is limited to their network. Indicators of compromise will be released to help others disrupt the botnet. KadNap malware uses a shell script (aic.sh) downloaded from the C2 server (212.104.141[.]140) to initiate the process of conscripting the victim to the P2P network. The malware creates a cron job to retrieve the shell script from the server at the 55-minute mark of every hour, rename it to .asusrouter, and run it. Once persistence is established, the script pulls a malicious ELF file, renames it to kad, and executes it. The files fwr.sh and /tmp/.sose contain functionality to close port 22, the standard TCP port for Secure Shell (SSH), on the infected device and extract a list of C2 IP address:port combinations to connect to.

Open in new tab

Aeternum Botnet Adopts Polygon Blockchain for Command and Control

The Aeternum botnet loader has shifted its command-and-control (C2) operations to the Polygon blockchain, eliminating traditional central servers. This move makes it harder for authorities and security firms to disrupt the botnet by seizing infrastructure. The botnet uses smart contracts on the blockchain to issue commands, which are publicly recorded and immutable. Aeternum is a native C++ loader available in x32 and x64 builds. Operators manage infections via a web dashboard that allows them to select a smart contract, choose a command type, and specify a payload URL. Commands are written to the blockchain as transactions and are accessible to bots querying over 50 remote procedure call endpoints. The botnet's use of blockchain-based C2 complicates traditional takedown strategies, as there is no central infrastructure to seize. Commands stored on-chain are permanent and globally accessible, making proactive DDoS mitigation more critical. The threat actor LenAI has attempted to sell the entire Aeternum toolkit for $10,000, claiming a lack of time for support and involvement in another project. LenAI is also behind a second crimeware solution called ErrTraffic.

Open in new tab

Dramatic Increase in DDoS Attack Frequency and Power in 2025

The frequency and power of Distributed Denial-of-Service (DDoS) attacks have escalated dramatically in 2025, with a 168% increase compared to 2024. The average Radware customer faced over 25,351 attempted DDoS attacks, equivalent to 139 incidents per day. The technology, telecommunications, and financial services sectors were the most targeted. Attacks have become faster, stronger, and harder to stop, with high-impact web DDoS attacks lasting less than 60 seconds. Hacktivism remains the primary driver behind these campaigns, coordinated through Telegram channels. The most targeted countries were Israel, the US, and Ukraine, with pro-Russian groups responsible for the highest number of campaigns.

Open in new tab

GoBruteforcer Botnet Expands Attacks on Linux Servers

The GoBruteforcer botnet has expanded its attacks to target databases of cryptocurrency and blockchain projects, exploiting weak credentials and misconfigured software. Over 50,000 publicly accessible servers are vulnerable, with the botnet turning compromised machines into scanning and attack nodes. A more capable variant of the malware, written in Go, was observed in mid-2025, featuring heavier obfuscation and stronger persistence. The botnet exploits predictable usernames and weak defaults, targeting exposed services like XAMPP and WordPress admin panels. Financial motives are evident, with tools found to scan TRON balances and sweep tokens on TRON and Binance Smart Chain. On-chain analysis confirms some successful attacks, though most affected addresses held small balances. The botnet uses common operational usernames such as 'myuser' and 'appuser', and common passwords like '123321' and 'testing'. GoBruteforcer campaigns tweak the credential sets depending on the target, including cryptocurrency-themed usernames and passwords.

Open in new tab