Find notable cyber news and cases, enriched with sources, timelines, and signals.

Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies

Campaign
First reported
Last updated
Happening score
H score 60
4 unique sources, 7 articles

Summary

Hide ▲

The Aisuru/Kimwolf botnet campaign expanded in late 2025 with Kimwolf, a DDoS botnet compiled using the NDK, and evidence linking it to AISURU through shared infection scripts and code artifacts. QiAnXin XLab says Kimwolf had at least 1.8 million infected Android-based TVs, set-top boxes, and tablets and issued 1.7 billion DDoS commands between November 19 and 22, 2025. The activity mattered because the botnet combined DDoS, proxy forwarding, reverse shell, and file management functions while also hardening its C2 infrastructure with ENS/EtherHiding. Recent analysis tied the campaign to the same botnet thread that later drew major mitigation and disruption actions against Aisuru/Kimwolf.

Related Happenings

RustDuck DDoS botnet activity targeting routers and servers

Malware Activity
H score27 First: 30.06.2026 20:45 Last: 30.06.2026 20:45 Sources 1

About this happening: The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...

Dort-linked DDoS, doxing, and swatting campaign against researchers

Campaign
H score38 First: 22.05.2026 00:50 Last: 22.05.2026 00:50 Sources 1

About this happening: The **Dort**-linked harassment campaign targeted **this author and a security researcher**, using **DDoS, doxing, and swatting** to intimidate the people investigating the operato...

Xlabs_v1 Mirai-derived ADB DDoS botnet

Malware Activity
H score22 First: 06.05.2026 23:21 Last: 06.05.2026 23:21 Sources 1

About this happening: The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...

UAE and Gulf cyberattack surge after Iran conflict escalation

Trend
H score29 First: 06.05.2026 08:30 Last: 06.05.2026 08:30 Sources 1

About this happening: Cyberattack volume surged across the **UAE** and wider **Gulf** after military operations against **Iran** began, pushing daily breach attempts to **600,000 to 800,000** and raisi...

Brazilian ISP botnet DDoS campaign

Campaign
H score36 First: 30.04.2026 17:04 Last: 30.04.2026 17:04 Sources 1

About this happening: The **Brazilian ISP botnet DDoS campaign** has been linked to a **Brazil-based threat actor** that repeatedly hit **Brazilian network operators** over several years. The operation...

Timeline

  1. 20.03.2026 02:49 1 articles · 3mo ago

    Authorities dismantle Aisuru/Kimwolf botnet infrastructure

    Legal Policy Action Update

    The U.S. Justice Department, with authorities in Canada and Germany, dismantled infrastructure behind Aisuru, Kimwolf, JackSkid and Mossad, seized U.S.-registered domains and virtual servers used in DDoS attacks against DoD Internet addresses, and said the action was intended to prevent further infections and future attacks.

    Show sources
  2. 29.01.2026 16:55 5 articles · 5mo ago

    Cloudflare mitigates record Aisuru/Kimwolf DDoS campaign

    Campaign Scope Update

    Cloudflare detected and mitigated a record-setting Aisuru/Kimwolf botnet DDoS campaign on December 19, 2025, after the botnet launched hyper-volumetric HTTP and Layer 4 attacks peaking at 200 million requests per second and 31.4 Tbps against multiple companies, mostly telecommunications service providers and IT organizations, including Cloudflare customers, dashboard, and infrastructure.

    Show sources
  3. 29.01.2026 16:55 3 articles · 5mo ago

    Cloudflare publishes 2025 Q4 DDoS threat findings

    Initial Disclosure

    Cloudflare's 2025 Q4 DDoS Threat Report said 2025 recorded 47.1 million DDoS incidents, a 121% increase over 2024, and described the Aisuru campaign's attack sources as Android TVs while noting that the hyper-volumetric attacks were automatically detected and mitigated without triggering internal alerts.

    Show sources