AISURU/Kimwolf hyper-volumetric DDoS botnet activity
Malware Activity
Summary
Hide ▲
Show ▼
The AISURU/Kimwolf botnet is a malware activity cluster tied to hyper-volumetric DDoS attacks and large-scale device conscription. On 2025-12-04, Cloudflare said it detected and mitigated a record 29.7 Tbps DDoS attack linked to AISURU; the attack lasted 69 seconds and used a UDP carpet-bombing pattern averaging 15,000 destination ports per second. Cloudflare also blocked a 14.1 Bpps attack from the same botnet and said it has mitigated 2,867 Aisuru attacks since the start of the year, including 1,304 hyper-volumetric attacks in Q3 2025. The botnet has been linked to attacks against telecommunication providers, gaming companies, hosting providers, and financial services, and is believed to be powered by 1-4 million infected hosts worldwide.
Related Happenings
RustDuck DDoS botnet activity targeting routers and servers
Malware Activity
H score27
First: 30.06.2026 20:45
Last: 30.06.2026 20:45
Sources 1
About this happening:
The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...
RustDuck DDoS botnet activity targeting routers and servers
Malware ActivityAbout this happening: The **RustDuck** malware family is **hijacking routers, cameras, Android boxes, and servers** to assemble a **DDoS botnet** that can flood targets and knock websites and online se...
AryStinger botnet turns outdated routers into proxy executors
Malware Activity
H score60
First: 21.06.2026 17:14
Last: 21.06.2026 17:14
Sources 1
About this happening:
The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
AryStinger botnet turns outdated routers into proxy executors
Malware ActivityAbout this happening: The **AryStinger** botnet is **compromising more than 4,000 outdated routers** and converting them into **proxy executors** for malicious traffic, expanding attacker reach and int...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Vo1d botnet campaign targeting unofficial Android-based TV boxes
Campaign
H score88
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Vo1d botnet campaign targeting unofficial Android-based TV boxes
CampaignAbout this happening: **NetNut** used the **Popa botnet** and deceptive SDKs on **off-brand Android-based smart TVs**, streaming media boxes, and unofficial apps to turn home connections into **residen...
Latest development: 03.07.2026 12:35
Google disabled all Google accounts used by NetNut for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing the compromised SDKs. The FBI’s seizure banner appeared on netnut.com while netnut.io briefly remained accessible, and Google said the coordinated actions caused significant degradation to NetNut’s proxy network and business operations.
Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw
Vulnerability
H score39
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
About this happening:
Researchers disclosed **HTTP/2 Bomb**, a **remote denial-of-service** vulnerability in **default HTTP/2 configurations** that can make **NGINX, Apache HTTPD, Microsoft IIS, Envoy,...
Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw
VulnerabilityAbout this happening: Researchers disclosed **HTTP/2 Bomb**, a **remote denial-of-service** vulnerability in **default HTTP/2 configurations** that can make **NGINX, Apache HTTPD, Microsoft IIS, Envoy,...
Timeline
-
20.03.2026 08:25 1 articles · 3mo ago
U.S. Department of Justice disrupts AISURU/Kimwolf C2 infrastructure
Legal Policy Action UpdateThe U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
Show sources
- DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks — thehackernews.com — 20.03.2026 08:25
-
05.02.2026 19:25 3 articles · 5mo ago
Cloudflare attributes AISURU/Kimwolf record-setting DDoS activity
Initial DisclosureCloudflare attributed AISURU/Kimwolf to a record-setting 31.4 Tbps DDoS burst that lasted 35 seconds and said the botnet was also linked to The Night Before Christmas, a campaign that began on December 19, 2025. Cloudflare said AISURU/Kimwolf had ensnared more than 2 million Android devices, often by tunneling through residential proxy networks such as IPIDEA, and reported that Google disrupted IPIDEA's proxy network and began legal action to take down dozens of control domains last month. Cloudflare also described 2025 as a year of sharply growing DDoS volume and size, including 47.1 million total attacks and rising hyper-volumetric activity in Q4 2025.
Show sources
- AISURU/Kimwolf Botnet Launches Record-Setting 31.4 Tbps DDoS Attack — thehackernews.com — 05.02.2026 19:25
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts — thehackernews.com — 04.12.2025 08:52