< ciso
brief />
Tag Banner

All news with #botnet tag

126 articles · page 3 of 7

DoJ Disrupts 3 Million-Device IoT Botnets Behind 31.4 Tbps

🔒 The U.S. Department of Justice announced a court-authorized operation that disrupted command-and-control infrastructure used by multiple IoT Mirai variants, including AISURU, Kimwolf, JackSkid, and Mossad. Authorities from Canada and Germany, assisted by major vendors such as AWS, Cloudflare, and Akamai, helped dismantle networks that collectively enslaved roughly 3 million devices and enabled record-breaking DDoS attacks exceeding 30 Tbps. The action seeks to curb a cybercrime-as-a-service market that sold access to compromised DVRs, webcams, routers, and off-brand Android TVs.
read more →

Feds Disrupt Four IoT Botnets Behind Massive DDoS Attacks

🛡️ The U.S. Justice Department, with Canadian and German partners, dismantled infrastructure for four major IoT botnets — Aisuru, Kimwolf, JackSkid and Mossad — that compromised more than three million devices and launched hundreds of thousands of DDoS attacks. The action targeted U.S.-registered domains and virtual servers and aimed to stop further infections and future attacks. Law enforcement credited nearly two dozen tech firms for assisting in the operation.
read more →

Weekly Cybersecurity Recap: Chrome 0-days and Router Botnets

🔒 This weekly recap spotlights multiple high‑urgency incidents, including two actively exploited Chrome zero‑days—an out‑of‑bounds write in Skia (CVE‑2026‑3909) and an implementation flaw in V8 (CVE‑2026‑3910)—patched in Chrome 146.0.7680.75/76. It also documents large router botnets such as SocksEscort and KadNap that flash custom firmware to maintain persistence and operate as proxy services. Supply‑chain abuse reappears with UNC6426, which used stolen nx npm keys and abused GitHub→AWS OIDC trust to gain admin access and exfiltrate S3 data within 72 hours. Prioritize patching actively exploited flaws, audit OIDC/S3 trusts and router persistence, and monitor for emerging supply‑chain and AI‑agent risks.
read more →

Authorities Disrupt SocksEscort Proxy Botnet Service

🚨 Authorities dismantled the criminal proxy service SocksEscort, which enslaved thousands of residential routers worldwide to operate a large-scale proxy botnet and sold anonymous access for fraud and other crimes. U.S. and European partners executed a court-authorized disruption, seizing domains and servers and freezing roughly $3.5 million in cryptocurrency. The service relied on AVrecon malware that exploited SOHO router vulnerabilities to persistently infect devices and route traffic for criminal customers.
read more →

U.S., Europe Disrupt SocksEscort Linux Proxy Network

🛡️ U.S. and European law enforcement, assisted by Lumen’s Black Lotus Labs and private partners, disrupted the SocksEscort proxy network that relied on Linux-targeting AVRecon malware to compromise edge devices. The takedown seized domains and servers, froze about $3.5 million in cryptocurrency, and disconnected listed infected routers from the service. Authorities say SocksEscort sold access to hundreds of thousands of IPs and was tied to multimillion-dollar frauds. Investigations and remediation efforts continue.
read more →

KadNap Botnet Hijacks Edge Routers Using DHT P2P Network

🛡️ Cybersecurity researchers at Black Lotus Labs have identified a novel malware family, KadNap, that has infected over 14,000 edge devices — primarily Asus routers — since first observed in August 2025. KadNap uses a custom Kademlia-based DHT to conceal its control infrastructure and build a resilient peer-to-peer botnet. Infected devices are being offered as resident proxies by a service named Doppelgänger, complicating attribution and abuse tracking.
read more →

KadNap botnet hijacks ASUS routers for proxy abuse

🔒 KadNap is a newly observed botnet that compromises primarily ASUS routers and other edge devices to assemble a distributed proxy network. Since August 2025 it has grown to roughly 14,000 nodes and uses a modified Kademlia Distributed Hash Table (DHT) protocol to conceal command-and-control infrastructure and complicate takedowns. Infections begin when a malicious script (aic.sh) is fetched from 212.104.141.140, which installs an ELF binary named kad and establishes persistence via a cron job that runs every 55 minutes. Researchers at Black Lotus Labs link KadNap to the Doppelganger/Faceless proxy service that sells access to infected devices, and Lumen has blocked related traffic on its network while preparing indicators of compromise.
read more →

Investigating Dort: The Alleged Kimwolf Botmaster's Identity

🔎 This article analyzes public evidence tying the alleged Kimwolf botmaster—known online as Dort and by earlier handles like CPacket and M1ce—to accounts, emails and domain registrations linked to an Ottawa-based Jacob Butler. It reviews GitHub and forum footprints (jay.miner232@gmail.com / MemeClient), ties to SIM Land and LAPSUS$ activity, and allegations that Dort sold disposable-email and CAPTCHA-bypass tools. After KrebsOnSecurity published research in January 2026 that disrupted Kimwolf’s spread, Dort allegedly mounted doxing, DDoS, email-flooding and swatting campaigns against researchers and the author.
read more →

Aeternum C2: Blockchain-Based Botnet Resiliency and Evasion

🧭 Researchers disclosed a new botnet loader named Aeternum C2 that stores encrypted commands on the public Polygon blockchain, making its C2 infrastructure resistant to conventional takedowns. The native C++ loader (x86/x64) polls Polygon RPC endpoints to retrieve transactions written by a web panel implemented in Next.js. Operators can deploy multiple smart contracts, write immutable encrypted commands, and manage payloads with minimal operational cost while leveraging anti-analysis checks and AV-evasion scanning.
read more →

Aeternum Botnet Shifts C2 to Polygon Blockchain Control

⛓️ A newly discovered loader named Aeternum relocates botnet command-and-control onto the Polygon blockchain, researchers at Qrator Research Lab report. Infected machines retrieve instructions written as on-chain transactions and poll more than 50 RPC endpoints instead of contacting centralized servers or domains. The seller offers native C++ builds and a web dashboard that writes commands to smart contracts, creating a low-cost, resilient C2 channel that complicates traditional takedowns and shifts defensive emphasis to edge filtering and proactive DDoS mitigation.
read more →

SSHStalker botnet brute-forces thousands of Linux hosts

🔐 Researchers at Flare Systems uncovered a botnet, dubbed SSHStalker, that brute-forces weak SSH passwords and had compromised an estimated 7,000 Linux servers by the end of January, with roughly half located in the United States. The toolkit combines fileless malware, rootkits, log cleaners and a library of kernel exploits — some dating to 2009 — and can harvest AWS credentials. Flare characterizes it as a "scale-first" operation focused on persistence; observed capabilities include DDoS and cryptomining, though monetization has not yet been seen. Immediate mitigations include disabling SSH password authentication, switching to key-based or short-lived credentials, and restricting and rate-limiting SSH access.
read more →

Kimwolf Botnet Overwhelms I2P Anonymity Network Services

🛡️ The massive Kimwolf IoT botnet has been disrupting the I2P anonymity network after thousands of infected devices attempted to join as nodes, overwhelming relays and degrading connectivity. Users reported a rapid influx of new routers and widespread connection failures starting around Feb. 3, and developers linked the outages to a Sybil-style flood. Kimwolf operators later admitted they tried to register roughly 700,000 bots on I2P, and the network is currently running at reduced capacity while a stability update is rolled out.
read more →

SSHStalker Botnet Uses IRC C2 to Control Linux Systems

🛡️ Flare researchers describe SSHStalker, an IRC-controlled botnet that automates mass compromise of Linux systems by combining SSH scanning with a back-catalog of legacy kernel exploits. The operation drops C-based bots, Perl IRC bots that connect to UnrealIRCd, rootkit components, log-cleaning utilities and a keep-alive to maintain persistence. A Golang scanner enumerates SSH hosts and the toolkit includes automated erasure of SSH connection logs; unlike typical botnets, many infections remain dormant after access is obtained, suggesting staging or long-term retention.
read more →

New Linux botnet SSHStalker uses IRC for C2 comms campaign

🛡️ A newly documented Linux botnet named SSHStalker uses the legacy IRC protocol for command-and-control while relying on noisy SSH scanning and brute forcing for initial access. Researchers at Flare say it deploys a Go binary masquerading as nmap, compiles C-based IRC bots on hosts, and persists via cron jobs that run every 60 seconds. The kit favors scale and reliability over stealth, reuses a back-catalog of decade-plus-old CVEs for privilege escalation, and includes AWS key harvesting, cryptomining, and dormant DDoS code.
read more →

Bloody Wolf Uses NetSupport RAT to Target Uzbekistan, Russia

🛡️ Kaspersky says the threat actor tracked as Stan Ghouls (also referred to as Bloody Wolf) has conducted spear‑phishing operations to deliver NetSupport RAT to systems in Uzbekistan and Russia. Malicious PDFs embed links that download a loader which displays fake errors, limits installation attempts, retrieves the RAT from multiple domains and ensures persistence through Startup items, a Registry autorun entry and a scheduled task. Kaspersky estimates roughly 50 victims in Uzbekistan and 10 in Russia, with additional infections in Kazakhstan, Turkey, Serbia and Belarus. The vendor also discovered Mirai botnet payloads staged on infrastructure associated with the actor, raising concerns about an expanded IoT targeting capability.
read more →

AISURU/Kimwolf Botnet Launches Record 31.4 Tbps DDoS

🚨 Cloudflare attributed a record hyper‑volumetric HTTP DDoS to the AISURU/Kimwolf botnet that peaked at 31.4 Tbps and lasted 35 seconds in November 2025. The group was also linked to a campaign codenamed The Night Before Christmas, which began on December 19, 2025, and produced averages near 3 Bpps, 4 Tbps and 54 Mrps. Google and Cloudflare disrupted the IPIDEA residential proxy network used to recruit more than 2 million Android devices.
read more →

Global SystemBC Botnet Active on Over 10,000 Systems

🛡️ Silent Push links the long-running SystemBC malware to more than 10,000 infected IP addresses worldwide, including hosts tied to government sites. SystemBC acts as a multi-platform SOCKS5 proxy, turning compromised machines into relays that help attackers hide infrastructure and maintain persistence, often appearing before ransomware is deployed. Researchers found infections concentrated in data centres, uncovered a Perl-based Linux variant undetected by 62 antivirus engines, and observed reliance on abuse-tolerant hosting for C2 operations.
read more →

Weekly Cyber Recap: Proxy Botnet and Office Zero‑Day

🛡️ Google disrupted the IPIDEA residential proxy network by seizing or sinkholing command-and-control domains, cutting operators' ability to route traffic and reducing millions of exit nodes that had been recruited via bundled SDKs or monetization lures. Microsoft released an out‑of‑band patch for an actively exploited Office zero‑day (CVE-2026-21509), while Ivanti fixed two EPMM RCEs. CERT Polska attributed destructive intrusions against Polish energy assets to Static Tundra, and criminals were observed hijacking exposed LLM endpoints for resale and lateral access. Researchers also documented new modular frameworks, open BYOB C2 repositories, and continued exploitation of web platforms and DevOps tooling.
read more →

Google Disrupts IPIDEA Residential Proxy Network at Scale

🔒 Google Threat Intelligence Group, working with industry partners, disrupted the IPIDEA residential proxy network by taking down domains, infected-device management systems, and proxy-traffic routing infrastructure. The operation targeted SDKs embedded in at least 600 trojanized Android apps and over 3,000 malicious Windows binaries, which collectively enrolled about 6.7 million devices worldwide. GTIG reported that more than 550 distinct threat groups abused IPIDEA for account takeovers, credential theft, botnet control, and DDoS support; users should avoid untrusted VPNs and apps that pay for bandwidth.
read more →

Google and Partners Disrupt Major Residential Proxy Network

🔍 Google and industry partners have disrupted IPIDEA, a large residential proxy network used to conceal malicious activity. The operation combined court action to seize domains with intelligence-sharing and platform enforcement, including expanded protections in Google Play Protect that remove apps embedding IPIDEA SDKs and block further installs. Google reports these steps have reduced the pool of proxy devices by millions and expect knock-on effects across reseller-linked services. The network’s SDKs were tied to multiple botnets and used by numerous threat actors to obscure follow-on attacks.
read more →