< ciso
brief />
Tag Banner

All news with #botnet tag

126 articles

Monday Recap: Proxy Botnets, Browser Ransomware

⚡ Google and partners disrupted the NetNut residential proxy network (aka Popa), which abused smart home devices and preinstalled SDKs to route malicious traffic through an estimated 2 million devices. Other incidents this week include fake PoC repos delivering the ChocoPoC RAT via a dependency, a 19-year-old alleged Scattered Spider suspect extradited to the U.S., and a Brazilian Ousaban banking trojan targeting Spain and Portugal. Check Point flagged AI-generated browser ransomware leveraging the File System Access API, illustrating AI can autonomously devise working attack techniques.
read more →

FBI and Google Disrupt Major NetNut Proxy Network

🛡️ In a coordinated international action, the FBI and Google's Threat Intelligence Group disrupted NetNut, a large commercial residential proxy network built on the Popa botnet. The operation targeted infrastructure, seized domains and worked with partners like Lumen and the IRS to degrade the service. Google disabled accounts, updated Play Protect and removed compromised apps to reduce the pool of infected devices by millions. The takedown exposed ties between the botnet and reseller programs and prompted debate after some NetNut domains remained temporarily active.
read more →

Canada’s Spy Agency Uses Court Warrant to Disrupt Botnets

🛡️ The Federal Court authorized the Canadian Security Intelligence Service to reach into infected servers, SOHO routers, and IoT devices on Canadian soil to neutralize two foreign-run botnets. The public ruling, released June 15, confirms CSIS used its threat reduction warrant powers for the first time to alter, degrade, and destroy botnet data while ensuring the operation targeted devices rather than people. The court found the threat imminent and proportional, but redactions leave the precise foreign actor(s) unidentified.
read more →

AryStinger malware converts legacy routers into relays

🔍 QiAnXin XLab has identified a new malware family named AryStinger that has infected at least 4,300 legacy home routers, turning them into a distributed reconnaissance and proxy network rather than a typical DDoS botnet. The campaign targets routers using Realtek RTL819X chips via old vulnerabilities (CVE-2013-3307, CVE-2016-5681) and favors D-Link DIR-850L units, with infections concentrated in South Korea and China. A second strain targeting QNAP NAS devices via CVE-2025-11837 was also observed; both builds support scanning, tunneling, and remote task execution. Defenders are advised to check for C2 connections, suspicious binaries and processes, retire unsupported devices, and disable remote administration.
read more →

Law enforcement disrupts SocGholish infections at scale

🛡️ International law enforcement agencies cleaned nearly 15,000 WordPress sites and took down over 100 servers tied to the SocGholish botnet and the Evil Corp cybercrime group as part of Operation Endgame. Authorities from the Netherlands, Canada, the United States, and Germany removed malware and backdoors from 14,971 compromised sites, advised remediation steps, and decommissioned 106 servers and domains. The action aims to deny criminals access, limit malware spread, and reduce risks to critical infrastructure.
read more →

China-linked JDY botnet accelerates enterprise risk

🔍 Lumen’s Black Lotus Labs reports a China-linked botnet called JDY has grown to over 1,500 compromised SOHO and IoT devices used to rapidly discover and fingerprint internet-facing systems after public vulnerability disclosures. The activity, tied to nation-state actors including Volt Typhoon, enables persistent, distributed reconnaissance that can evade geofencing and IP-reputation controls. Researchers warn this marks a shift toward industrialized pre-exploitation scanning and undermines traditional perimeter patch and monitoring assumptions.
read more →

China-linked JDY botnet broadens US military focus

🛡️ JDY is a distributed reconnaissance botnet tied to China-nexus actors that has expanded from ~650 to over 1,500 compromised SOHO and IoT devices, with a heavy focus on U.S. military and associated networks. Researchers at Black Lotus Labs observed JDY rapidly scanning for newly disclosed vulnerabilities, collecting banners, TLS certificates, and protocol fingerprints. The botnet uses Tor-hidden services and a central Dispatch Service to receive scanning tasks and exfiltrate results, and supports TCP/SSL/UDP/ICMP scanning plus service fingerprinting.
read more →

Inside C0XMO: Cross-Platform Gafgyt Propagation

🛡️ FortiGuard Labs details a new Gafgyt variant, C0XMO, which exploits CVE-2021-27137 in vulnerable DD-WRT firmware to gain remote control of devices. The malware separates scanning into a standalone Python scanner and distributes architecture-specific ELF payloads to multiple Linux platforms. C0XMO implements multi-stage persistence, kills competing botnets, supports extensive DDoS commands, and communicates with a C2 using a custom handshake. Organizations should update firmware, disable unnecessary remote services, and enforce strong credentials to mitigate risk.
read more →

Dutch Authorities Dismantle Massive Botnet Network

🛡️ Dutch authorities and the National Cyber Security Center announced the takedown of a botnet that had enlisted millions of devices, including computers, smartphones, tablets, and IoT gear. The network reportedly comprised at least 17 million infected devices and relied on more than 200 servers in the Netherlands for backend infrastructure. Police seized a subset of those servers from a hosting provider, which then took the botnet offline after it was used for criminal activity. Local reporting linked the operation to proxy services such as Asocks, previously associated with proxyware campaigns affecting Android devices.
read more →

Researchers Disrupt Glassworm's Resilient Botnet C2

🛡️ CrowdStrike, Google, and The Shadowserver Foundation coordinated to disrupt the Glassworm botnet by simultaneously takedown of four resilient C2 channels. The threat abused Solana blockchain memo fields, the BitTorrent DHT, Google Calendar events, and traditional VPS-hosted servers to persist and evade mitigation. Active campaigns targeted developers via malicious OpenVSX and VS Code extensions and later poisoned GitHub and npm artifacts. Infected hosts now beacon to a CrowdStrike-controlled IP and YARA rules have been published to detect compromise.
read more →

Fraud Schemes Target Formula 1 Fans Worldwide

🚨 A Bitdefender report warns that cybercriminals have built extensive ecosystems to scam Formula 1 fans, exploiting the sport’s fast-moving digital culture. Scams include counterfeit merchandise, fake grand prix tickets, illegal streaming apps and boxes, social media fraud and distribution of infostealer malware. Fans may also be coerced into botnets for DDoS attacks. Bitdefender urges vigilance and recommends anti-phishing and antivirus tools to reduce risk.
read more →

Canadian Arrest Over KimWolf DDoS Botnet Operations

🔍 Canadian and U.S. authorities arrested 23-year-old Jacob Butler (aka "Dort") in Ottawa under an extradition warrant after unsealing a criminal complaint in the District of Alaska linking him to the KimWolf DDoS botnet. Investigators tied Butler to the botnet through IP address logs, transaction records, and online messages, and he now faces a charge of aiding and abetting computer intrusions with a potential 10-year sentence. KimWolf operated as a DDoS-for-hire service that enslaved nearly two million devices and powered attacks up to nearly 30 Tbps, causing substantial global disruption and financial losses.
read more →

Canadian Arrest Tied to Kimwolf DDoS Botnet

🛡️ The U.S. Department of Justice announced the arrest of 23-year-old Canadian Jacob Butler (aka Dort) for allegedly operating the Kimwolf DDoS botnet, a variant of AISURU. The botnet enslaved devices like digital photo frames and webcams and was offered via a cybercrime-as-a-service model to launch global attacks, including against DoD network addresses. Authorities linked Butler through IP, account data, and Discord messages, and charged him with aiding and abetting computer intrusion.
read more →

Kazuar Evolves into Modular P2P Botnet by Secret Blizzard

📡 Microsoft reports that Russian-linked actor Secret Blizzard has turned the long-running Kazuar backdoor into a modular peer-to-peer botnet built for persistence, stealth, and data theft. The malware now runs three modules—Kernel, Bridge, and Worker—with an elected Kernel leader to minimize external C2 traffic and improve stealth. Internal IPC, AES encryption, and Protobuf serialization protect communications, while 150+ configuration options and AMSI/ETW/WLDP bypasses increase evasion.
read more →

Turla Converts Kazuar Into Modular P2P Botnet for Stealth

🐍 Microsoft and CISA report that Russian state-linked Turla has evolved its Kazuar .NET backdoor into a modular, peer-to-peer botnet engineered for stealth and persistence. The architecture now separates into Kernel, Bridge, and Worker modules to minimize footprint and enable flexible tasking. Deployments use droppers such as Pelmeni and ShadowLoader to decrypt and load modules across compromised hosts. The design centralizes staging in a dedicated working directory to maintain state and streamline exfiltration.
read more →

Kazuar: Anatomy of a Nation-State P2P Botnet Operations

🔍 Kazuar, attributed to the Russian state actor Secret Blizzard, has progressed from a traditional backdoor into a modular peer-to-peer botnet engineered for espionage and persistent access. Its architecture separates functionality into Kernel, Bridge, and Worker modules, enabling leader election and SILENT-mode behavior to minimize external visibility. Delivery methods include the Pelmeni dropper and .NET loaders that bind payloads to targeted hosts. The malware uses named pipes, mailslots, and window messaging with AES-encrypted IPC and multiple C2 transports for resilience and stealth.
read more →

Mirai-Derived xlabs_v1 Botnet Exploits ADB Devices

🛡️ Hunt.io has uncovered a Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to conscript them into DDoS campaigns. The malware supports 21 flood variants across TCP, UDP, and raw protocols and is offered as a DDoS-for-hire service aimed at game servers and Minecraft hosts. It targets devices with ADB enabled by default—such as Android TV boxes, set-top boxes, smart TVs—and includes multi-architecture binaries for routers and IoT hardware. The bot probes device bandwidth to tier victims and uses a "killer" subsystem to evict competing malware.
read more →

What Is a Botnet? Risks, Architecture, and Defenses

🤖 A botnet is a network of compromised internet-connected devices controlled by attackers to perform coordinated criminal tasks such as DDoS, spam, crypto-mining, or malware distribution. Modern botnets use distributed architectures — from centralized command-and-control servers to peer-to-peer propagation — and often hide control traffic via IRC, HTTP, Telnet, or even public platforms. Defenders combine user training, patching, IoT hardening, antivirus, traffic filtering and CDN services with threat hunting methods like flow analysis and malware reverse-engineering.
read more →

Anti-DDoS Firm Accused of Enabling Attacks on ISPs

🛡️ A Brazilian DDoS-mitigation firm, Huge Networks, was implicated in enabling a Mirai-based botnet that launched sustained DDoS attacks against regional Brazilian ISPs. An exposed archive contained Portuguese Python attack scripts, private SSH keys belonging to CEO Erick Nascimento, and tooling that mass-scanned for TP-Link Archer AX21 devices vulnerable to CVE-2023-1389. The CEO says the malicious activity followed a January 2026 intrusion, that affected droplets were wiped and keys rotated, and that a third-party forensics firm has been engaged.
read more →

UK warns: Chinese hackers using hijacked device botnets

⚠️ The UK’s National Cyber Security Centre (NCSC-UK), alongside international partners, warns that China‑nexus threat actors are increasingly using large proxy networks of compromised consumer devices to route traffic and evade detection. These covert networks are largely composed of compromised SOHO routers, IoT cameras, DVRs, and NAS devices, and enable traffic to exit near intended targets to defeat geographic and static-IP defenses. Authorities point to large botnets such as Raptor Train (over 260,000 infected devices in 2024) and disrupted operations like KV‑Botnet; defenders are urged to deploy multifactor authentication, map edge devices, consume dynamic threat feeds, use allowlists, and adopt zero-trust and machine certificate verification.
read more →