Kimwolf and Aisuru linked as a shared botnet operator ecosystem

Threat Actor Meta
Happening score
H score 42
1 unique source, 1 article

Summary


Infoblox says PBaaS service providers are helping industrialize pig butchering operations by supplying scam kits, stolen identities, mobile apps, CRM/SCRM tooling, and payment services. The report says these off-the-shelf packages lower the barrier to entry for criminal groups operating across Southeast Asia and beyond, making it easier to run and manage social-engineering fraud at scale. It also ties the ecosystem to Penguin Account Store, UWORK, and BCD Pay, which advertise account data, templates, victim-engagement tooling, and payment processing for scam operators.

Related Happenings

TeamPCP supply-chain ecosystem shift and extortion partnerships

Threat Actor Meta
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...

U.S. Treasury sanctions Kok An scam network

Regulatory/Legal Action
First: 04.05.2026 08:59 Last: 04.05.2026 08:59 Sources 1

About this happening: The **U.S. Treasury Department** sanctioned **Cambodian Senator Kok An** and affiliates tied to **cyber scam compounds**, escalating financial and legal pressure on a network accu...

CL-CRI-1116 / BlackFile overlap with The Com

Threat Actor Meta
First: 27.04.2026 11:15 Last: 27.04.2026 11:15 Sources 1

About this happening: Researchers linked **CL-CRI-1116** to overlapping labels including **BlackFile**, **UNC6671**, and **Cordial Spider**, suggesting the extortion cluster sits inside a broader **The...

Triad Nexus expands fraud ecosystem and shifts into emerging markets after 2025 US sanctions

Threat Actor Meta
First: 14.04.2026 15:00 Last: 14.04.2026 15:00 Sources 1

About this happening: **Triad Nexus** expanded its fraud ecosystem after **US Treasury sanctions in 2025**, increasing operational scale and shifting into **emerging markets**. The network’s use of **U...

Triad Nexus investment scam and brand impersonation campaign targeting emerging markets

Campaign
First: 14.04.2026 15:00 Last: 14.04.2026 15:00 Sources 1

About this happening: The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...

Timeline

  1. 17.12.2025 02:00 2 articles · 5mo ago

    Kimwolf and Aisuru shared operators confirmed on December 8, 2025

    Attribution Update

    XLab confirmed that Kimwolf and Aisuru were being distributed by the same Internet address at 93.95.112[.]59, resolving suspicions that had existed since October 2025 and supporting the assessment that both botnet strains shared operators and infrastructure.

  2. 17.12.2025 02:00 1 article · 5mo ago

    XLab deep dive documents shared Kimwolf and Aisuru infrastructure on December 17, 2025

    Technical Analysis Update

    XLab published a deep dive on Kimwolf describing definitive evidence that the same cybercriminal actors and infrastructure were used to deploy both Kimwolf and the earlier Aisuru botnet, tying the ecosystem to DDoS attacks and residential proxy abuse.
