
IPIDEA ecosystem shift changes threat-actor operations

Threat Actor Meta
Happening score: 41
2 unique sources, 2 articles

Summary


IPIDEA's residential proxy ecosystem was disrupted in a coordinated action, reducing malicious access to a large proxy infrastructure and weakening abuse routes across cybercrime and espionage operations. The action matters because the network had been used to hide traffic inside normal consumer connections, and the disruption reportedly removed millions of proxy devices from circulation.

Related Happenings

DKnife Linux AitM malware activity targeting routers and edge devices

Malware Activity
First: 06.02.2026 16:56 Last: 06.02.2026 16:56 Sources 1

About this happening: Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...

AISURU/Kimwolf hyper-volumetric DDoS botnet activity

Malware Activity
First: 05.02.2026 19:25 Last: 05.02.2026 19:25 Sources 1

How related: The distributed denial-of-service (DDoS) botnet known as AISURU/Kimwolf has been attributed to a record-setting attack that peaked at 31.4 Terabits per second (Tbps) and lasted only 35 seconds.

About this happening: The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...

Latest development: 20.03.2026 08:25

The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.

IPIDEA trojanized Android apps and Windows binaries enrolling devices into a proxy network

Malware Activity
First: 29.01.2026 21:29 Last: 29.01.2026 21:29 Sources 1

How related: Google says IPIDEA enrolled devices using at least 600 trojanized Android apps that embedded proxying SDKs (Packet SDK, Castar SDK, Hex SDK, Earn SDK), and over 3,000 trojanized Windows binaries posing as OneDriveSync or Windows Update.

About this happening: The **IPIDEA** proxy network used **trojanized Android apps** and **Windows binaries** to enroll consumer devices as proxy exit nodes, creating a large-scale traffic-routing threa...

Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies

Campaign
First: 29.01.2026 16:55 Last: 29.01.2026 16:55 Sources 1

How related: AISURU/Kimwolf has also been linked to another DDoS campaign codenamed The Night Before Christmas that commenced on December 19, 2025.

About this happening: The **Aisuru/Kimwolf botnet** campaign expanded in **late 2025** with **Kimwolf**, a **DDoS botnet** compiled using the **NDK**, and evidence linking it to **AISURU** through shar...

Latest development: 20.03.2026 02:49

The U.S. Justice Department, with authorities in Canada and Germany, dismantled infrastructure behind Aisuru, Kimwolf, JackSkid and Mossad, seized U.S.-registered domains and virtual servers used in DDoS attacks against DoD Internet addresses, and said the action was intended to prevent further infections and future attacks.

Cloudflare BGP route leak from router policy misconfiguration disrupts IPv6 traffic

Service Disruption
First: 26.01.2026 19:50 Last: 26.01.2026 19:50 Sources 1

About this happening: **Cloudflare** experienced a **25-minute BGP route leak** that disrupted **IPv6 traffic**, causing congestion, packet loss, and about **12 Gbps** of dropped traffic. The issue ext...

Timeline

  1. 29.01.2026 19:15 · 2 articles

    Google and partners disrupt IPIDEA

    Initial Disclosure

    Google Threat Intelligence Group and industry partners coordinated legal action and technical enforcement to disrupt IPIDEA, a large residential proxy network used to hide malicious traffic inside consumer IP space. Google pursued court action against domains used to command infected devices and manage proxy traffic, shared intelligence on IPIDEA software development kits with platform providers, law enforcement and security researchers, and expanded Google Play Protect to alert users, remove apps containing IPIDEA SDKs and block future installation attempts on certified Android devices. Google said the effort significantly degraded IPIDEA operations and reduced the pool of available proxy devices by millions, with broader impact expected for affiliated services.
