Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies
Campaign
Summary
The Aisuru/Kimwolf botnet campaign expanded in late 2025 with Kimwolf, a DDoS botnet compiled using the NDK, and evidence linking it to AISURU through shared infection scripts and code artifacts. QiAnXin XLab says Kimwolf had at least 1.8 million infected Android-based TVs, set-top boxes, and tablets and issued 1.7 billion DDoS commands between November 19 and 22, 2025. The activity mattered because the botnet combined DDoS, proxy forwarding, reverse shell, and file management functions while also hardening its C2 infrastructure with ENS/EtherHiding. Recent analysis tied the campaign to the same botnet thread that later drew major mitigation and disruption actions against Aisuru/Kimwolf.
Related Happenings
Dort-linked DDoS, doxing, and swatting campaign against researchers
Campaign
First: 22.05.2026 00:50
Last: 22.05.2026 00:50
Sources 1
About this happening:
The **Dort**-linked harassment campaign targeted **this author and a security researcher**, using **DDoS, doxing, and swatting** to intimidate the people investigating the operato...
Xlabs_v1 Mirai-derived ADB DDoS botnet
Malware Activity
First: 06.05.2026 23:21
Last: 06.05.2026 23:21
Sources 1
About this happening:
The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...
UAE and Gulf cyberattack surge after Iran conflict escalation
Target Trend
First: 06.05.2026 08:30
Last: 06.05.2026 08:30
Sources 1
About this happening:
Cyberattack volume surged across the **UAE** and wider **Gulf** after military operations against **Iran** began, pushing daily breach attempts to **600,000 to 800,000** and raisi...
Brazilian ISP botnet DDoS campaign
Campaign
First: 30.04.2026 17:04
Last: 30.04.2026 17:04
Sources 1
About this happening:
The **Brazilian ISP botnet DDoS campaign** has been linked to a **Brazil-based threat actor** that repeatedly hit **Brazilian network operators** over several years. The operation...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
Vulnerability
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
**CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
Timeline
- 20.03.2026 02:49 1 article · 2mo ago
Authorities dismantle Aisuru/Kimwolf botnet infrastructure
Legal Policy Action Update
The U.S. Justice Department, with authorities in Canada and Germany, dismantled infrastructure behind Aisuru, Kimwolf, JackSkid and Mossad, seized U.S.-registered domains and virtual servers used in DDoS attacks against DoD Internet addresses, and said the action was intended to prevent further infections and future attacks.
Sources:
- Feds Disrupt IoT Botnets Behind Huge DDoS Attacks — krebsonsecurity.com — 20.03.2026 02:49
- 29.01.2026 16:55 5 articles · 3mo ago
Cloudflare mitigates record Aisuru/Kimwolf DDoS campaign
Campaign Scope Update
Cloudflare detected and mitigated a record-setting Aisuru/Kimwolf botnet DDoS campaign on December 19, 2025, after the botnet launched hyper-volumetric HTTP and Layer 4 attacks peaking at 200 million requests per second and 31.4 Tbps against multiple companies, mostly telecommunications service providers and IT organizations, including Cloudflare customers, dashboard, and infrastructure.
Sources:
- Aisuru botnet sets new record with 31.4 Tbps DDoS attack — www.bleepingcomputer.com — 29.01.2026 16:55
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks — thehackernews.com — 17.12.2025 20:09
- 29.01.2026 16:55 3 articles · 3mo ago
Cloudflare publishes 2025 Q4 DDoS threat findings
Initial Disclosure
Cloudflare's 2025 Q4 DDoS Threat Report said 2025 recorded 47.1 million DDoS incidents, a 121% increase over 2024, and described the Aisuru campaign's attack sources as Android TVs while noting that the hyper-volumetric attacks were automatically detected and mitigated without triggering internal alerts.
Sources:
- Aisuru botnet sets new record with 31.4 Tbps DDoS attack — www.bleepingcomputer.com — 29.01.2026 16:55
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
- Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts — thehackernews.com — 04.12.2025 08:52