
Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure

6 unique sources, 17 articles

Summary


The **Aisuru/Kimwolf botnet ecosystem** has escalated its global threat, now conducting **record-breaking DDoS campaigns**—including a **31.4 Tbps attack in November 2025** and a **holiday-themed "The Night Before Christmas" campaign** (December 19, 2025) with peaks of **24 Tbps, 9 Bpps, and 205 Mrps**. This follows the **29.7 Tbps assault in Q3 2025** and **disruption of the IPIDEA proxy network** (January 2026), which had enabled the botnets’ **lateral movement into government, healthcare, and critical infrastructure networks** via **33,000+ compromised endpoints** in universities and **8,000 in U.S./foreign government systems**. With **over 6 million infected devices** (1–4M IoT for Aisuru; **>2M Android TVs/boxes** for Kimwolf), the botnets now blend **hyper-volumetric DDoS** with **residential proxy monetization**, targeting sectors beyond gaming to include **telecom, IT, finance, and AI companies**. Cloudflare reported **47.1 million DDoS attacks mitigated in 2025** (100% YoY increase), with **hyper-volumetric incidents surging 40% QoQ in Q4**—highlighting the botnets’ **rapid evolution in scale, sophistication, and cross-sector impact**. Despite **Google’s January 2026 takedown of IPIDEA** (reducing proxy devices by millions), persistent infections and **new attack vectors** (e.g., **trojanized apps, ENS-based C2**) underscore the ongoing systemic risk to **global internet stability and enterprise security**.

Timeline

  1. 05.02.2026 19:25 1 article · 5h ago

    AISURU/Kimwolf botnet launches 31.4 Tbps attack and holiday DDoS campaign

    In **November 2025**, the AISURU/Kimwolf botnet conducted a **record-breaking 31.4 Tbps DDoS attack**, lasting **35 seconds** and mitigated by Cloudflare. This attack was part of a **surge in hyper-volumetric activity**, with Cloudflare reporting **47.1 million DDoS attacks mitigated in 2025**—a **100% increase** over 2024—including **34.4 million network-layer attacks** (78% of Q4 2025’s total). Hyper-volumetric incidents grew **40% QoQ in Q4**, from **1,304 to 1,824 attacks**, with a **700% size increase** compared to late 2024. The botnet also executed a **holiday-themed campaign codenamed *The Night Before Christmas*** (December 19, 2025), featuring **average attack rates of 3 Bpps, 4 Tbps, and 54 Mrps**, with peaks of **9 Bpps, 24 Tbps, and 205 Mrps**. These attacks leveraged **over 2 million compromised Android devices** (primarily off-brand TVs) tunneling through **residential proxy networks like IPIDEA**, which Google disrupted in January 2026 via **legal action and Play Protect enforcement**. **New infrastructure details** reveal IPIDEA enrolled devices using **600+ trojanized Android apps** and **3,000+ malicious Windows binaries** (e.g., fake OneDriveSync updates), while operating **a dozen proxy brands** under a **centralized command structure**. The botnet’s **expanded targeting** in Q4 2025 prioritized **telecommunications, IT, gambling, and gaming sectors**, with **Bangladesh overtaking Indonesia** as the top attack source. Despite mitigations, the botnet’s **persistent infrastructure and evolving tactics**—including **ENS-based C2 and proxy-driven lateral movement**—continue to pose **unprecedented risks to global internet stability and enterprise security**.

  2. 29.01.2026 19:15 1 article · 7d ago

    Google disrupts IPIDEA proxy network enabling Aisuru/Kimwolf operations

    On **January 29, 2026**, Google’s Threat Intelligence Group (GTIG) led a **coordinated disruption of IPIDEA**, one of the largest residential proxy networks enabling the **Aisuru and Kimwolf botnets**. The operation combined **legal action to seize command domains** and **technical enforcement via Google Play Protect**, which now **blocks/removes apps using IPIDEA SDKs** and prevents future installations on certified Android devices. IPIDEA’s infrastructure had been **instrumental in Kimwolf’s lateral movement**, with its proxies detected in **298 government networks (including U.S. DoD), 318 utilities, and 166 healthcare providers**. The disruption **reduced IPIDEA’s pool of proxy devices by millions**, directly impacting **over 550 tracked threat groups**—including actors linked to **China, DPRK, Iran, and Russia**—who relied on its exit nodes for **SaaS account hijacking, password spray attacks, and internal network exploitation**. IPIDEA’s SDKs were embedded in **Aisuru, Kimwolf, and BadBox 2.0**, often marketed as **legitimate app monetization tools** while covertly turning devices into proxy exit nodes. The takedown also revealed that **multiple proxy/VPN brands**, presented as independent businesses, were **controlled by the same actors behind IPIDEA**, exposing a **grey market of residential proxy abuse**. While the action **degrades a key enabler of botnet resilience**, Google emphasized the need for **continued industry collaboration** to address **persistent infections** and **emerging proxy-driven threats**.

  3. 20.01.2026 20:19 2 articles · 16d ago

    Kimwolf botnet infiltrates government and corporate networks via proxy abuse

    In **January 2026**, research from **Infoblox, Synthient, and Spur** revealed that the **Kimwolf botnet** had achieved **widespread infiltration of government and corporate networks** by exploiting **residential proxy services** (primarily **IPIDEA**) to relay malicious commands into internal systems. Nearly **25% of Infoblox’s enterprise customers** queried Kimwolf-related domains since October 1, 2025, indicating exposure across **government, healthcare, finance, and education sectors**.

    **Key findings include:**

    - **33,000 IPIDEA proxy endpoints** detected in **universities and colleges**, and **8,000 endpoints in U.S. and foreign government networks**, with Spur identifying proxies in **298 government-owned networks (including U.S. Department of Defense), 318 utilities, 166 healthcare providers, and 141 financial institutions**.
    - Kimwolf’s **lateral movement tactic** leverages **compromised Android TV boxes** (often pre-loaded with proxy malware) and **exposed ADB services** to scan and infect other vulnerable devices on local networks. Proxy providers like IPIDEA attempted mitigations in late 2025, but **millions of devices remain infected**, sustaining the risk of **internal network exploitation**.
    - The botnet’s **enterprise infiltration** demonstrates how **residential proxy abuse** can enable **cross-sector intrusion risks**, with infected devices serving as beachheads for **reconnaissance and secondary attacks** behind organizational firewalls.

    This marks a shift from Kimwolf’s initial focus on **consumer DDoS** to **targeted compromise of critical infrastructure**, amplifying systemic risks to **supply chain and operational security**.

    **New Development (January 29, 2026):** Google and industry partners **disrupted IPIDEA**, the primary residential proxy network enabling Kimwolf/Aisuru operations, via **court-ordered takedowns of command domains** and **Google Play Protect enforcement** to block/remove apps embedding IPIDEA SDKs. The action **reduced IPIDEA’s proxy device pool by millions**, impacting **550+ threat groups**—including state-linked actors—who used its infrastructure for **SaaS hijacking, credential stuffing, and lateral movement in compromised networks**. While this disrupts a critical vector for the botnets’ **proxy-driven monetization**, **persistent infections** underscore the need for ongoing mitigation efforts.

  4. 17.12.2025 20:09 3 articles · 1mo ago

    Kimwolf botnet emerges as Aisuru sibling, hijacks 1.8M Android devices

    The **Kimwolf botnet** was discovered in December 2025, initially hijacking **1.8 million Android TVs/set-top boxes** but now expanded to **over 2 million infected devices** by exploiting **exposed Android Debug Bridge (ADB)** services and tunneling through residential proxy networks. Operated by the **same hacker group** as Aisuru (Snow, Tom, Forky), Kimwolf shares **code, infrastructure, and a common downloader server (93.95.112[.]59)**, with **96% of commands** dedicated to **proxy services** (via **ByteConnect SDK** and **Rust modules**). Since October 2025, **over 550 Kimwolf/Aisuru C2 nodes** were **null-routed** by Black Lotus Labs, including domains like *greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132[.]su* (hosted on **Resi Rack LLC**, a Utah provider tied to a **Discord proxy marketplace**). Kimwolf’s infrastructure **scanned PYPROXY services** (October 20–November 6, 2025) to exploit a flaw enabling internal network access, fueling a **300% bot surge** (800K new devices in a week) sold via **resi[.]to**. The botnet’s **C2 domains migrated between Resi Rack IPs** (e.g., *104.171.170[.]21 → 104.171.170[.]201*) post-takedown, with traffic spiking to **176.65.149[.]19:25565**, a malware host shared with Aisuru.

    **New Developments (January 2026):**

    - Kimwolf **exploited IPIDEA’s residential proxy service** to relay malicious commands into **internal networks of government, academic, and corporate entities**, enabling lateral movement via local network scans. Nearly **25% of Infoblox’s enterprise clients** queried Kimwolf domains, with detections in **298 government networks (including U.S. DoD), 318 utilities, 166 healthcare providers, and 141 financial institutions**.
    - **33,000 IPIDEA proxy endpoints** were identified in universities/colleges and **8,000 in government networks**, with Spur’s analysis confirming **proxy-driven footholds** in critical sectors.
    - The botnet’s **lateral movement** relies on **unsecured Android TV boxes** (often pre-loaded with proxy malware) and **unauthenticated ADB services**, automating internal scans for vulnerable IoT devices. Proxy providers like IPIDEA implemented **partial mitigations** in late 2025, but **millions of devices remain infected**, sustaining the threat of **secondary compromise**.

  5. 03.12.2025 16:01 3 articles · 2mo ago

    Aisuru botnet sets 29.7 Tbps DDoS record with expanded targets

    In Q3 2025, the Aisuru botnet launched a **29.7 Tbps DDoS attack** (the largest recorded to date) and a **14.1 Bpps assault**, both mitigated by Cloudflare. The 29.7 Tbps attack lasted **69 seconds**, used **UDP carpet-bombing** to flood **15,000+ destination ports/second**, and was part of **1,304 hyper-volumetric incidents** in Q3—a **227% QoQ increase** for >1 Tbps attacks. Cloudflare mitigated **2,867 Aisuru attacks in 2025** (45% hyper-volumetric) and **36.2 million DDoS attacks total** (40% YoY increase), with **8.3 million blocked in Q3 alone** (15% QoQ rise). The botnet now controls **1–4 million infected hosts** (up from 700,000) and has expanded targets beyond gaming to **telecom, hosting, financial services, AI companies, and automotive sectors**. Attacks originated from **Indonesia, Thailand, Bangladesh, Vietnam, and Ecuador**, with **70% of HTTP DDoS attacks** linked to known botnets. Cloudflare averaged **3,780 mitigations/hour** in Q3, noting **347% spike in AI-sector attacks** and **automotive becoming the 6th most targeted industry**. Collateral traffic continues to disrupt **uninvolved U.S. ISPs and critical infrastructure**, underscoring systemic risks to global internet stability. **Update (February 2026):** The botnet set a **new record with a 31.4 Tbps attack** in November 2025, followed by a **holiday-themed "The Night Before Christmas" campaign** (December 19, 2025) averaging **4 Tbps/3 Bpps/54 Mrps** but peaking at **24 Tbps/9 Bpps/205 Mrps**. Cloudflare’s 2025 data shows **47.1 million DDoS attacks mitigated** (100% YoY increase), with **hyper-volumetric attacks rising 40% QoQ in Q4 2025** (1,824 incidents). The botnet’s **expanded proxy infrastructure**—partially disrupted in January 2026—now leverages **trojanized apps and ENS-based C2**, sustaining its **cross-sector threat to telecommunications, IT, and critical infrastructure**.

  6. 17.11.2025 19:13 2 articles · 2mo ago

    Microsoft Azure hit by 15.72 Tbps DDoS attack using Aisuru botnet

    Microsoft Azure was hit by a **15.72 Tbps** DDoS attack in November 2025, followed by a **5.72 Tbps** attack on November 18—now the largest ever observed in Microsoft’s cloud. Both attacks targeted Australian endpoints using **UDP floods from 500,000+ source IPs** with minimal spoofing, simplifying traceback. The Aisuru botnet, powered by compromised IoT devices (routers, cameras, DVRs), leverages **Turbo Mirai** variants to exploit vulnerabilities in Realtek chips and firmware from manufacturers like T-Mobile and Zyxel. Aisuru’s operators have implemented **preventive measures** to avoid targeting government, law enforcement, or military infrastructure, focusing instead on online gaming and DDoS-for-hire services. The botnet’s infrastructure also supports **residential proxy networks**, enabling credential stuffing, AI-driven web scraping, and phishing. The botnet’s rapid growth stems from exploits like the **April 2025 Totolink firmware breach**, which infected ~100,000 devices.

  7. 06.11.2025 04:04 2 articles · 3mo ago

    Aisuru botnet manipulates Cloudflare's top domains list

    Aisuru botnet domains have repeatedly appeared in Cloudflare's top domains list, displacing legitimate sites like Amazon, Apple, Google, and Microsoft. Cloudflare's domain ranking system is based on DNS query volume, not actual web visits, and the bots were resolving these domains through Cloudflare's 1.1.1.1 DNS resolver, having shifted from Google's 8.8.8.8. Cloudflare CEO Matthew Prince confirmed that the botnet was generating excessive DNS requests, which both influenced the rankings and placed load on Cloudflare's DNS service. The botnet's domains were predominantly registered in the .su top-level domain, which is frequently abused for cybercrime. After the domains began overtaking legitimate sites, Cloudflare removed multiple Aisuru-linked domains from its public 'Top Domains' rankings to address security and brand confusion concerns, now redacts or completely hides suspected malicious domains, and plans to improve its ranking algorithm to better distinguish legitimate from malicious traffic.

  8. 29.10.2025 02:51 2 articles · 3mo ago

    Aisuru botnet spreads to 700,000 IoT systems

    The Aisuru botnet has spread to at least 700,000 IoT systems, including poorly secured Internet routers and security cameras. Its operators have demonstrated DDoS capabilities of nearly 30 Tbps, exceeding the mitigation capacity of most Internet destinations, and the botnet has caused significant operational impact on U.S.-based ISPs, with outbound DDoS attacks exceeding 1.5 Tbps. The operators actively scan the Internet for vulnerable devices and enslave them for use in DDoS attacks, using multiple zero-day vulnerabilities in IoT devices to aid the botnet's rapid growth. They also sell the botnet as residential proxies, which are used to reflect application-layer attacks through the proxies running on the bots. The operators have been identified as three cybercriminals, Snow, Tom, and Forky, each responsible for a different aspect of the operation; they have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. They have been active in the DDoS-for-hire scene since at least 2022 and operate a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services. They rent out the botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic, and have compromised the firmware distribution website for Totolink to expand the botnet. The operators also received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices.

  9. 10.10.2025 19:10 4 articles · 3mo ago

    Aisuru botnet operators rent out botnet as proxy network

    The botnet's operators have updated their malware to rent out compromised devices as residential proxies, facilitating cybercriminal activities, and are actively involved in the proxy network industry, enabling aggressive content scraping for AI projects. The operators have been identified as three cybercriminals, Snow, Tom, and Forky, each responsible for a different aspect of the operation; they have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. They have been active in the DDoS-for-hire scene since at least 2022 and operate a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services. They rent out the botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic, and have compromised the firmware distribution website for Totolink to expand the botnet. The operators also received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices. They actively scan the Internet for vulnerable devices and enslave them for use in DDoS attacks, using multiple zero-day vulnerabilities in IoT devices to aid the botnet's rapid growth, and sell the botnet as residential proxies, which are used to reflect application-layer attacks through the proxies running on the bots. **New Development:** A related botnet, **Kimwolf**, has emerged with **1.8 million infected Android TVs/set-top boxes**, sharing **code, infrastructure, and operators** with Aisuru. Kimwolf primarily focuses on **proxy services (96% of commands)** and uses **EtherHiding (ENS domains)** to evade takedowns, demonstrating the group’s **expanded monetization and resilience tactics**.

  10. 23.09.2025 18:58 6 articles · 4mo ago

    Cloudflare blocks 22.2 Tbps DDoS attack

    The attack was aimed at a single IP address of an unnamed European network infrastructure company. The attack was traced to over 404,000 unique source IPs across over 14 ASNs worldwide. The attack was described as a UDP carpet bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47,000 ports. The attack was conducted using the Aisuru botnet, which has been around for more than a year. **Update (December 2025):** Cloudflare later mitigated a **new record-breaking 29.7 Tbps attack** from Aisuru in Q3 2025, lasting **69 seconds** and using UDP carpet-bombing to target **15,000 destination ports/second**. This attack was part of **1,304 hyper-volumetric incidents** in Q3, marking a **227% QoQ increase** in >1 Tbps attacks. The botnet’s total infected hosts are now estimated at **1–4 million devices**, up from prior reports of 700,000.

  11. 02.09.2025 18:52 6 articles · 5mo ago

    Cloudflare blocks 11.5 Tbps UDP flood DDoS attack

    The attack was part of a series of hyper-volumetric DDoS attacks that have been increasing in frequency and intensity. Cloudflare's defenses have autonomously blocked hundreds of such attacks in recent weeks, with the largest reaching peaks of 5.1 Bpps, 11.5 Tbps, and now 22.2 Tbps. The attack was conducted using botnets that had infected a variety of devices with malware, and it was sourced from a combination of several IoT and cloud providers, not just Google Cloud. Volumetric DDoS attacks can also serve as cover for more sophisticated exploits, known as 'smoke screen' attacks, so an attack's complexity and its impact on users are critical factors, not just its magnitude. Earlier attacks in mid-May, right after Cloudflare published its quarterly DDoS threat report, reached 6.5 Tbps and 4.8 billion packets per second (pps).

    The Aisuru botnet has been responsible for a series of increasingly massive and disruptive attacks, targeting mostly ISPs that serve online gaming communities like Minecraft. The botnet now draws a majority of its firepower from compromised IoT devices hosted on U.S. Internet providers like AT&T, Comcast, and Verizon. Its operators rent out the botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic, and have compromised the firmware distribution website for Totolink to expand the botnet. They received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices. The operators actively scan the Internet for vulnerable devices and enslave them for use in DDoS attacks, using multiple zero-day vulnerabilities in IoT devices to aid the botnet's rapid growth, and sell the botnet as residential proxies, which are used to reflect application-layer attacks through the proxies running on the bots. They have been identified as three cybercriminals, Snow, Tom, and Forky, each responsible for a different aspect of the operation; they have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. They have been active in the DDoS-for-hire scene since at least 2022 and operate a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services.


Similar Happenings

GoBruteforcer Botnet Expands Attacks on Linux Servers

The GoBruteforcer botnet has expanded its attacks to target databases of cryptocurrency and blockchain projects, exploiting weak credentials and misconfigured software. Over 50,000 publicly accessible servers are vulnerable, with the botnet turning compromised machines into scanning and attack nodes. A more capable variant of the malware, written in Go, was observed in mid-2025, featuring heavier obfuscation and stronger persistence. The botnet exploits predictable usernames and weak defaults, targeting exposed services like XAMPP and WordPress admin panels. Financial motives are evident, with tools found to scan TRON balances and sweep tokens on TRON and Binance Smart Chain. On-chain analysis confirms some successful attacks, though most affected addresses held small balances. The botnet uses common operational usernames such as 'myuser' and 'appuser', and common passwords like '123321' and 'testing'. GoBruteforcer campaigns tweak the credential sets depending on the target, including cryptocurrency-themed usernames and passwords.

Exploitation of Network Security Flaws by APT Actors

Multiple network security products, including those from Fortinet, SonicWall, Cisco, and WatchGuard, have been targeted by threat actors exploiting critical vulnerabilities. Cisco's AsyncOS flaw (CVE-2025-20393) is being exploited by a China-nexus APT group, UAT-9686, to deliver malware such as ReverseSSH and AquaPurge. SonicWall's SMA 100 series appliances are also being targeted through a combination of vulnerabilities to achieve unauthenticated remote code execution. These attacks highlight the increasing focus on network security products as entry points for deeper network infiltration.

Mirai Broadside Botnet Targets Maritime IoT with Advanced Tactics

A new Mirai botnet variant, Broadside, is exploiting a critical-severity vulnerability (CVE-2024-3721) in TBK DVR to target the maritime logistics sector. Unlike previous Mirai variants, Broadside employs a custom C2 protocol, a unique 'Magic Header' signature, and an advanced 'Judge, Jury, and Executioner' module for exclusivity. It uses Netlink kernel sockets for stealthy, event-driven process monitoring and payload polymorphism to evade static defenses. Broadside attempts to maintain exclusive control over hosts by terminating other processes and harvesting system credential files to establish a strategic foothold. The botnet extends beyond denial-of-service attacks, aiming to compromise devices within the maritime sector, which could have significant operational and security implications.

Pro-Russia Hacktivists Target Critical Infrastructure with Low-Sophistication Attacks

Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces. Their activity has caused physical impacts in some cases, including temporary loss of view and costly manual recovery efforts. The NCSC warns of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the UK with disruptive denial-of-service (DDoS) attacks. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community. Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers. Despite these efforts, the group has returned to action, highlighting the evolving threat it poses.

ShadowRay 2.0 Campaign Hijacks Ray Clusters for Cryptomining and DDoS Attacks

A threat actor, tracked as IronErn440, is exploiting an old code execution flaw (CVE-2023-48022) in exposed Ray Clusters to convert them into a self-propagating cryptomining botnet. The campaign, dubbed ShadowRay 2.0, also involves data and credentials theft, as well as distributed denial-of-service (DDoS) attacks. The vulnerability affects over 230,000 Ray servers exposed on the internet. The attacks use AI-generated payloads to compromise vulnerable Ray infrastructure, leveraging the Ray Jobs API to deploy malware across all nodes. The payloads include a crypto-mining module that mines Monero using XMRig, while evading detection by limiting CPU usage to 60%. The attacker also ensures exclusive mining access by terminating rival mining scripts and blocking other mining pools. The campaign has two attack waves: one using GitLab for payload delivery, which ended on November 5, and another using GitHub, ongoing since November 17. The attackers have also been found to use the Sockstress tool to launch DDoS attacks, targeting port 3333 commonly used by mining pools.