Find notable cyber news and cases, enriched with sources, timelines, and signals.

AISURU/Kimwolf hyper-volumetric DDoS botnet activity

Malware Activity
First reported
Last updated
Happening score
H score 23
2 unique sources, 4 articles

Summary

Hide ▲

The AISURU/Kimwolf botnet is a malware activity cluster tied to hyper-volumetric DDoS attacks and large-scale device conscription. On 2025-12-04, Cloudflare said it detected and mitigated a record 29.7 Tbps DDoS attack linked to AISURU; the attack lasted 69 seconds and used a UDP carpet-bombing pattern averaging 15,000 destination ports per second. Cloudflare also blocked a 14.1 Bpps attack from the same botnet and said it has mitigated 2,867 Aisuru attacks since the start of the year, including 1,304 hyper-volumetric attacks in Q3 2025. The botnet has been linked to attacks against telecommunication providers, gaming companies, hosting providers, and financial services, and is believed to be powered by 1-4 million infected hosts worldwide.

Related Happenings

RustDuck DDoS botnet activity targeting routers and servers

Malware Activity
H score27 First: 30.06.2026 20:45 Last: 30.06.2026 20:45 Sources 1

About this happening: The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...

AryStinger botnet turns outdated routers into proxy executors

Malware Activity
H score60 First: 21.06.2026 17:14 Last: 21.06.2026 17:14 Sources 1

About this happening: The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

Vo1d botnet campaign targeting unofficial Android-based TV boxes

Campaign
H score88 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...

Latest development: 03.07.2026 12:35

Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.

Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw

Vulnerability
H score39 First: 03.06.2026 11:33 Last: 03.06.2026 11:33 Sources 1

About this happening: Researchers disclosed **HTTP/2 Bomb**, a **remote denial-of-service** vulnerability in **default HTTP/2 configurations** that can make **NGINX, Apache HTTPD, Microsoft IIS, Envoy,...

Timeline

  1. 20.03.2026 08:25 1 articles · 3mo ago

    U.S. Department of Justice disrupts AISURU/Kimwolf C2 infrastructure

    Legal Policy Action Update

    The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.

    Show sources
  2. 05.02.2026 19:25 3 articles · 5mo ago

    Cloudflare attributes AISURU/Kimwolf record-setting DDoS activity

    Initial Disclosure

    Cloudflare attributed AISURU/Kimwolf to a record-setting 31.4 Tbps DDoS burst that lasted 35 seconds and said the botnet was also linked to The Night Before Christmas, a campaign that began on December 19, 2025. Cloudflare said AISURU/Kimwolf had ensnared more than 2 million Android devices, often by tunneling through residential proxy networks such as IPIDEA, and reported that Google disrupted IPIDEA's proxy network and began legal action to take down dozens of control domains last month. Cloudflare also described 2025 as a year of sharply growing DDoS volume and size, including 47.1 million total attacks and rising hyper-volumetric activity in Q4 2025.

    Show sources