AISURU/Kimwolf hyper-volumetric DDoS botnet activity
Malware Activity
Summary
The AISURU/Kimwolf botnet is a malware activity cluster tied to hyper-volumetric DDoS attacks and large-scale device conscription. On 2025-12-04, Cloudflare said it detected and mitigated a record 29.7 Tbps DDoS attack linked to AISURU; the attack lasted 69 seconds and used a UDP carpet-bombing pattern averaging 15,000 destination ports per second. Cloudflare also blocked a 14.1 Bpps attack from the same botnet and said it has mitigated 2,867 Aisuru attacks since the start of the year, including 1,304 hyper-volumetric attacks in Q3 2025. The botnet has been linked to attacks against telecommunication providers, gaming companies, hosting providers, and financial services, and is believed to be powered by 1-4 million infected hosts worldwide.
Related Happenings
Kimwolf operators build a cybercrime-as-a-service DDoS access market
Threat Actor Meta
First: 22.05.2026 11:50
Last: 22.05.2026 11:50
Sources 1
About this happening:
The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...
Dort-linked DDoS, doxing, and swatting campaign against researchers
Campaign
First: 22.05.2026 00:50
Last: 22.05.2026 00:50
Sources 1
About this happening:
The **Dort**-linked harassment campaign targeted **this author and a security researcher**, using **DDoS, doxing, and swatting** to intimidate the people investigating the operato...
China-nexus threat-Flax Typhoon-Volt Typhoon alliance reshapes ransomware ecosystem operations
Threat Actor Meta
First: 23.04.2026 23:52
Last: 23.04.2026 23:52
Sources 1
About this happening:
**China-nexus** threat actors are industrializing covert botnet infrastructure, expanding **deniable reconnaissance**, **malware delivery**, and **data exfiltration** against **US...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
D-Link DIR-823X command-injection RCE (CVE-2025-29635)
Vulnerability
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
**CVE-2025-29635** is now being **actively exploited** on **D-Link DIR-823X routers**, turning a command-injection flaw into **remote command execution** and **botnet enrollment**...
Timeline
- 20.03.2026 08:25 · 1 article · 2mo ago
U.S. Department of Justice disrupts AISURU/Kimwolf C2 infrastructure
Legal Policy Action Update
The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
Sources:
- DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks — thehackernews.com — 20.03.2026 08:25
- 05.02.2026 19:25 · 3 articles · 3mo ago
Cloudflare attributes AISURU/Kimwolf record-setting DDoS activity
Initial Disclosure
Cloudflare attributed AISURU/Kimwolf to a record-setting 31.4 Tbps DDoS burst that lasted 35 seconds and said the botnet was also linked to The Night Before Christmas, a campaign that began on December 19, 2025. Cloudflare said AISURU/Kimwolf had ensnared more than 2 million Android devices, often by tunneling through residential proxy networks such as IPIDEA, and reported that Google disrupted IPIDEA's proxy network and began legal action to take down dozens of control domains last month. Cloudflare also described 2025 as a year of sharply growing DDoS volume and size, including 47.1 million total attacks and rising hyper-volumetric activity in Q4 2025.
Sources:
- AISURU/Kimwolf Botnet Launches Record-Setting 31.4 Tbps DDoS Attack — thehackernews.com — 05.02.2026 19:25
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts — thehackernews.com — 04.12.2025 08:52