Find notable cyber news and cases, enriched with sources, timelines, and signals.

Kimwolf and Aisuru linked as a shared botnet operator ecosystem

Threat Actor Meta
First reported
Last updated
Happening score
H score 89
1 unique sources, 1 articles

Summary

Hide ▲

Infoblox says PBaaS service providers are helping industrialize pig butchering operations by supplying scam kits, stolen identities, mobile apps, CRM/SCRM tooling, and payment services. The report says these off-the-shelf packages lower the barrier to entry for criminal groups operating across Southeast Asia and beyond, making it easier to run and manage social-engineering fraud at scale. It also ties the ecosystem to Penguin Account Store, UWORK, and BCD Pay, which advertise account data, templates, victim-engagement tooling, and payment processing for scam operators.

Related Happenings

Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score69 First: 12.06.2026 21:59 Last: 12.06.2026 21:59 Sources 1

About this happening: The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...

Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations

Threat Actor Meta
H score43 First: 12.06.2026 11:52 Last: 12.06.2026 11:52 Sources 1

About this happening: A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...

Latest development: 15.06.2026 09:30

Fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations targeted users across the Middle East and North Africa with fake offers for free mobile internet packages, financial compensation, and government subsidy programs, then routed victims through Linkbio and Linktree decoy pages into Sniper Dz phishing and traffic monetization infrastructure that abuses browser notification permissions, back-button hijacking, tab-under redirections, premium SMS subscriptions, premium-rate calls, and investment scams.

Underground DDoS sellers commoditize attack services with panels, API access, and reseller plans

Threat Actor Meta
H score20 First: 29.05.2026 17:32 Last: 29.05.2026 17:32 Sources 1

About this happening: Underground DDoS sellers are shifting from scattered tools to **packaged, resellable services**, lowering the barrier for disruptive attacks and widening the buyer pool. Listings...

TeamPCP supply-chain ecosystem shift and extortion partnerships

Threat Actor Meta
H score15 First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...

U.S. Treasury sanctions Kok An scam network

Regulatory/Legal Action
H score40 First: 04.05.2026 08:59 Last: 04.05.2026 08:59 Sources 1

About this happening: The **U.S. Treasury Department** sanctioned **Cambodian Senator Kok An** and affiliates tied to **cyber scam compounds**, escalating financial and legal pressure on a network accu...

Timeline

  1. 17.12.2025 02:00 2 articles · 6mo ago

    Kimwolf and Aisuru shared operators confirmed on December 8, 2025

    Attribution Update

    XLab confirmed that Kimwolf and Aisuru were being distributed by the same Internet address at 93.95.112[.]59, resolving suspicions that had existed since October 2025 and supporting the assessment that both botnet strains shared operators and infrastructure.

    Show sources
  2. 17.12.2025 02:00 1 articles · 6mo ago

    XLab deep dive documents shared Kimwolf and Aisuru infrastructure on December 17, 2025

    Technical Analysis Update

    XLab published a deep dive on Kimwolf describing definitive evidence that the same cybercriminal actors and infrastructure were used to deploy both Kimwolf and the earlier Aisuru botnet, tying the ecosystem to DDoS attacks and residential proxy abuse.

    Show sources