
Kimwolf-Dort-Snow ecosystem shift changes threat-actor operations

Threat Actor Meta
Happening score (H score): 12
1 unique source, 1 article

Summary


Kimwolf botmasters’ alleged unauthorized access to the Badbox 2.0 control panel matters because it could let them push malware directly onto devices in that botnet, which has infected more than 2 million devices. The shift raises the risk of cross-botnet control and of wider identity exposure for the operators behind Badbox 2.0. OSINT links built from qq.com accounts, domain records, and passwords suggest possible overlap among Dort, Snow, and Badbox-related infrastructure.

Related Happenings

Kimwolf IoT botnet activity disrupting I2P

Malware Activity
First: 11.02.2026 18:08 Last: 11.02.2026 18:08 Sources 1

About this happening: The **Kimwolf** botnet disrupted **I2P** over the past week after operators tried to join **700,000 infected bots** as nodes, briefly overwhelming the anonymity network and disrup...

AISURU/Kimwolf hyper-volumetric DDoS botnet activity

Malware Activity
First: 05.02.2026 19:25 Last: 05.02.2026 19:25 Sources 1

About this happening: The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...

Latest development: 20.03.2026 08:25

The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.

FBI seizure of RAMP cybercrime forum

Law Enforcement
First: 28.01.2026 19:38 Last: 28.01.2026 19:38 Sources 1

About this happening: The **FBI** seized the **RAMP** cybercrime forum, taking down a **ransomware**-focused marketplace that had been used to advertise **malware**, **hacking services**, and related c...

AI-generated PowerShell backdoor with LNK/CAB loader chain and C2 polling

Malware Activity
First: 24.01.2026 17:23 Last: 24.01.2026 17:23 Sources 1

About this happening: The **AI-generated PowerShell malware** is targeting **blockchain developers and engineers** in the **Asia-Pacific region**, raising the risk of credential and wallet theft on inf...

AiFWall launches free basic AI firewall for agentic AI deployments

Security Tool/Service
First: 21.01.2026 16:09 Last: 21.01.2026 16:09 Sources 1

About this happening: **aiFWall Inc** emerged from stealth on **January 21, 2026**, making the basic **aiFWall** product free and adding a new control for **agentic AI deployments**. The launch matters...

Timeline

  1. 26.01.2026 18:11 2 articles · 4mo ago

    Kimwolf-Dort-Snow ecosystem shift changes threat-actor operations

    Initial Disclosure

    A shared screenshot of the **Badbox 2.0** panel first exposed an **ABCD** account logged in alongside six other users, triggering OSINT work on who could administer the botnet. Follow-up pivots linked the panel identities and related email addresses to **Kimwolf**-adjacent actors and China-based registrations.
