Kimwolf and Aisuru linked as a shared botnet operator ecosystem
Threat Actor Meta
Summary
Hide ▲
Show ▼
Infoblox says PBaaS service providers are helping industrialize pig butchering operations by supplying scam kits, stolen identities, mobile apps, CRM/SCRM tooling, and payment services. The report says these off-the-shelf packages lower the barrier to entry for criminal groups operating across Southeast Asia and beyond, making it easier to run and manage social-engineering fraud at scale. It also ties the ecosystem to Penguin Account Store, UWORK, and BCD Pay, which advertise account data, templates, victim-engagement tooling, and payment processing for scam operators.
Related Happenings
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score69
First: 12.06.2026 21:59
Last: 12.06.2026 21:59
Sources 1
About this happening:
The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor Meta
H score43
First: 12.06.2026 11:52
Last: 12.06.2026 11:52
Sources 1
About this happening:
A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor MetaAbout this happening: A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Latest development: 15.06.2026 09:30
Fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations targeted users across the Middle East and North Africa with fake offers for free mobile internet packages, financial compensation, and government subsidy programs, then routed victims through Linkbio and Linktree decoy pages into Sniper Dz phishing and traffic monetization infrastructure that abuses browser notification permissions, back-button hijacking, tab-under redirections, premium SMS subscriptions, premium-rate calls, and investment scams.
Underground DDoS sellers commoditize attack services with panels, API access, and reseller plans
Threat Actor Meta
H score20
First: 29.05.2026 17:32
Last: 29.05.2026 17:32
Sources 1
About this happening:
Underground DDoS sellers are shifting from scattered tools to **packaged, resellable services**, lowering the barrier for disruptive attacks and widening the buyer pool. Listings...
Underground DDoS sellers commoditize attack services with panels, API access, and reseller plans
Threat Actor MetaAbout this happening: Underground DDoS sellers are shifting from scattered tools to **packaged, resellable services**, lowering the barrier for disruptive attacks and widening the buyer pool. Listings...
TeamPCP supply-chain ecosystem shift and extortion partnerships
Threat Actor Meta
H score15
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
**TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...
TeamPCP supply-chain ecosystem shift and extortion partnerships
Threat Actor MetaAbout this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...
U.S. Treasury sanctions Kok An scam network
Regulatory/Legal Action
H score40
First: 04.05.2026 08:59
Last: 04.05.2026 08:59
Sources 1
About this happening:
The **U.S. Treasury Department** sanctioned **Cambodian Senator Kok An** and affiliates tied to **cyber scam compounds**, escalating financial and legal pressure on a network accu...
U.S. Treasury sanctions Kok An scam network
Regulatory/Legal ActionAbout this happening: The **U.S. Treasury Department** sanctioned **Cambodian Senator Kok An** and affiliates tied to **cyber scam compounds**, escalating financial and legal pressure on a network accu...
Timeline
-
17.12.2025 02:00 2 articles · 6mo ago
Kimwolf and Aisuru shared operators confirmed on December 8, 2025
Attribution UpdateXLab confirmed that Kimwolf and Aisuru were being distributed by the same Internet address at 93.95.112[.]59, resolving suspicions that had existed since October 2025 and supporting the assessment that both botnet strains shared operators and infrastructure.
Show sources
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23
-
17.12.2025 02:00 1 articles · 6mo ago
XLab deep dive documents shared Kimwolf and Aisuru infrastructure on December 17, 2025
Technical Analysis UpdateXLab published a deep dive on Kimwolf describing definitive evidence that the same cybercriminal actors and infrastructure were used to deploy both Kimwolf and the earlier Aisuru botnet, tying the ecosystem to DDoS attacks and residential proxy abuse.
Show sources
- Who Benefited from the Aisuru and Kimwolf Botnets? — krebsonsecurity.com — 09.01.2026 01:23