Find notable cyber news and cases, enriched with sources, timelines, and signals.

Aisuru botnet shifts to residential proxy rental

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

The Aisuru botnet has been updated to turn hundreds of thousands of infected IoT devices into residential proxies, expanding its monetization model and helping cybercriminals hide traffic. That shift matters because the same botnet that delivered record-smashing DDoS attacks is now also being used to anonymize malicious web activity and large-scale scraping.

Related Happenings

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

Kimwolf operators build a cybercrime-as-a-service DDoS access market

Threat Actor Meta
H score24 First: 22.05.2026 11:50 Last: 22.05.2026 11:50 Sources 1

About this happening: The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...

Residential proxy traffic evades IP reputation feeds across malicious edge sessions

Trend
H score30 First: 02.04.2026 18:21 Last: 02.04.2026 18:21 Sources 1

About this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...

Aisuru, KimWolf, JackSkid, and Mossad botnet C2 takedown

Law Enforcement
H score20 First: 20.03.2026 10:05 Last: 20.03.2026 10:05 Sources 1

About this happening: The **U.S. Department of Justice** announced the arrest of **Jacob Butler (aka Dort)**, a **23-year-old** in **Ottawa, Canada**, for allegedly developing and operating the **Kimwo...

AISURU/Kimwolf hyper-volumetric DDoS botnet activity

Malware Activity
H score23 First: 05.02.2026 19:25 Last: 05.02.2026 19:25 Sources 1

About this happening: The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...

Latest development: 20.03.2026 08:25

The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.

Timeline

  1. 29.10.2025 02:51 1 articles · 8mo ago

    Aisuru adds residential proxy rental

    Technical Analysis Update

    Aisuru botmasters updated the botnet so compromised Internet of Things devices can be rented to residential proxy providers, turning infected routers and security cameras into traffic-anonymization infrastructure for cybercriminals and large-scale content scraping. The botnet had first been identified in August 2024, had spread to at least 700,000 IoT systems, and had already been used for a June DDoS against KrebsOnSecurity.com that reached 6.3 terabits per second.

    Show sources