< ciso
brief />
Tag Banner

All news with #botnet tag

126 articles · page 4 of 7

Aisuru Botnet Launches Record 31.4 Tbps DDoS Attack

🔴 Cloudflare says the Aisuru/Kimwolf botnet launched a record DDoS campaign on December 19 that peaked at 31.4 Tbps and about 200 million requests per second. The attacks, dubbed The Night Before Christmas, targeted telecommunications and IT providers and hit Cloudflare’s dashboard and infrastructure. Sources were identified as compromised Android TVs rather than typical IoT routers, and most bursts lasted one to two minutes. Cloudflare reports the attacks were detected and mitigated automatically without triggering internal alerts.
read more →

Disrupting IPIDEA: Takedown of Major Proxy Network

🏠 This week Google Threat Intelligence Group led coordinated legal, technical, and platform actions to disrupt the IPIDEA residential proxy network, a large global provider of exit-node infrastructure. Actions included domain takedowns, sharing SDK and infrastructure intelligence with platform providers and law enforcement, and enforcing Google Play Protect to remove and block offending apps. These steps materially degraded IPIDEA’s operations and reduced the pool of available exit-node devices by millions while enabling broader partner remediation.
read more →

Investigation Ties Badbox 2.0 Control to Chinese Firms

🔍 New analysis links the operators of the Badbox 2.0 Android TV botnet to named individuals and companies in China, following a screenshot allegedly obtained by the Kimwolf botmasters that shows authorized accounts. Open-source pivots on qq.com email addresses connect several accounts to developers and domains previously tied to Badbox activity. Google and the FBI are pursuing the operators while researchers warn that Kimwolf’s unauthorized access could let it push malware directly onto millions of infected streaming devices.
read more →

Kimwolf IoT Botnet Infects Corporate and Government Networks

🚨A new IoT botnet, Kimwolf, has infected more than two million devices and is being used for large-scale DDoS and to relay abusive traffic. Operators abuse commercial residential proxy services—most prominently IPIDEA—to reach proxy endpoints and scan local networks, enabling lateral infections of vulnerable devices, particularly unofficial Android TV boxes. Some proxy providers have begun blocking Kimwolf-related traffic, but millions of infected endpoints remain within corporate and government networks.
read more →

RondoDox Botnet Escalates Exploitation of HPE OneView

⚠️ Check Point Research links the Linux-based RondoDox botnet to a coordinated exploitation campaign against HPE OneView, leveraging the critical RCE flaw CVE-2025-37164. The vulnerability, published to the NVD on 16 December 2025 and rated CVSS 3.1 = 10 by HPE, has been the subject of tens of thousands of automated attack attempts. Check Point reported blocking more than 40,000 hits on 7 January 2026 and urged organizations to patch immediately and implement compensating controls.
read more →

Kimwolf/AISURU Botnet Infects Over Two Million Devices

🚨 Black Lotus Labs said it null-routed traffic to more than 550 command-and-control nodes tied to the AISURU/Kimwolf botnet after detecting rapid growth beginning in early October 2025. Researchers attribute the expansion to a malicious ByteConnect SDK delivered to unsanctioned Android TV devices and proxy services that expose Android Debug Bridge (ADB). The botnet, leveraged for DDoS and residential proxy leasing, has infected more than two million devices and has been linked to hosting providers and proxy marketplaces where compromised nodes were offered for sale.
read more →

GoBruteforcer Botnet Targets Crypto Databases via Weak Keys

🔒 A new wave of GoBruteforcer attacks is targeting cryptocurrency and blockchain project databases by exploiting weak, reused credentials and exposed services such as FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux hosts. Check Point Research reports the Golang-based botnet deploys obfuscated IRC bots and web shells, leverages XAMPP FTP as an initial vector, and uses brute-force modules to expand, host payloads, and act as backup C2.
read more →

China-linked UAT-7290 Targets Telcos via Edge Exploits

🛡️ Cisco Talos warns that a China-linked actor tracked as UAT-7290 has expanded its focus to telecommunications providers in Southeastern Europe. The group leverages Linux-based malware and one-day public exploits against edge network devices, plus targeted SSH brute force, to gain initial access and escalate privileges. UAT-7290 also establishes Operational Relay Boxes (ORBs) that are reused by other China-aligned actors. Talos published technical details and IOCs to help affected organizations respond.
read more →

Who Benefited From the Aisuru and Kimwolf Botnets: Findings

🔍 This analysis traces how the Aisuru and Kimwolf botnets turned millions of unsecured Android TV streaming boxes into residential proxies and DDoS participants. Investigators linked proxy traffic and control infrastructure to a Utah hosting firm, Resi Rack, a Discord marketplace (resi.to), and vendors including Plainproxies/ByteConnect and Maskify. Operators hardened control with the Ethereum Name Service to evade takedowns. Owners of affected TV boxes are urged to disconnect and replace them.
read more →

GoBruteforcer Botnet Bruteforces Exposed Linux Services

🔒 Check Point Research (CPR) reports that the GoBruteforcer botnet is actively targeting internet‑facing Linux servers, using large‑scale brute‑force attacks against services such as FTP, MySQL, PostgreSQL and phpMyAdmin. The latest Go‑based variant, observed since mid‑2025, introduces heavier obfuscation, stronger persistence and techniques to hide malicious processes. Compromised hosts become scanning and attack nodes, enabling data theft, backdoors, resale of access and further propagation. Analysts also recovered tools used to sweep TRON and Binance Smart Chain assets, underscoring a financial motive behind some campaigns.
read more →

GoBruteforcer Botnet Targets Crypto Project Servers

🔐 A new wave of GoBruteforcer botnet attacks is targeting exposed FTP, MySQL, PostgreSQL and phpMyAdmin services used by cryptocurrency and blockchain projects. Check Point reports the Golang-based botnet brute-forces weak or default credentials—often from servers deployed with AI-generated configuration snippets—and then deploys web shells and downloader stages. The malware scans random public IPv4s, spawning up to 95 threads while skipping private, AWS, and U.S. government ranges. Administrators are advised to remove defaults, audit exposed services, and replace outdated stacks like XAMPP.
read more →

Kimwolf Android Botnet Abuses Residential Proxies Widely

🛡️ Researchers report the Kimwolf Android botnet — an Aisuru variant — has grown to nearly two million infected hosts by abusing residential proxy services to reach devices on internal networks. The malware scans for unauthenticated Android Debug Bridge (ADB) endpoints on ports such as 5555 and delivers payloads via telnet/netcat, often targeting low-cost Android TV boxes. Affected devices are used for DDoS, proxy resale, and ad-fraud via third-party SDKs; mitigation includes wiping compromised boxes and preferring Google Play Protect-certified hardware from reputable OEMs.
read more →

Kimwolf Android Botnet Infects Over 2 Million Devices

🛡️ Synthient reports the Kimwolf Android botnet has compromised more than two million devices by tunneling through residential proxy networks and embedded SDKs. The campaign, active since August 2025 and linked to AISURU by QiAnXin XLab, exploits exposed Android Debug Bridge (ADB) services—67% of infected devices had unauthenticated ADB enabled. Operators monetize infections via app installs, selling residential proxy bandwidth and DDoS services; the main payload listens on port 40860 and connects to 85.234.91[.]247:1337 for commands.
read more →

Weekly Recap: IoT Botnets, Extension Supply-Chain Risk

🔒 This week's recap highlights persistent, trust‑based attacks that quietly exploited updates, extensions, sessions, and messages to scale impact across IoT, browsers, and collaboration platforms. A nine‑month RondoDox campaign leveraged React2Shell for RCE in React Server Components, while a supply‑chain compromise of Trust Wallet extensions exposed GitHub secrets and Chrome Web Store keys, enabling roughly $8.5M in crypto theft. Newly observed groups like DarkSpectre abused legitimate extensions to reach millions of users, and well‑resourced actors reused successful trust vectors rather than relying on one‑off exploits.
read more →

Kimwolf Botnet Exploits Residential Proxies and TVs

🛡️ Synthient and other researchers describe the explosive growth of the Kimwolf botnet, which has infected more than two million devices globally, concentrated in Vietnam, Brazil, India, Saudi Arabia, Russia and the United States. Kimwolf abuses residential proxy services — notably China-based IPIDEA — to tunnel back into home networks and compromise devices such as unofficial Android TV boxes and digital photo frames. The malware leverages weak proxy DNS handling and factory-enabled Android Debug Bridge (ADB) to gain unauthenticated administrative access, then installs proxy and DDoS-capable payloads. Researchers advise removing suspect TV boxes, isolating guests on a Guest Wi‑Fi network, and preferring reputable brands to reduce exposure.
read more →

RondoDox Botnet Exploits React2Shell to Infect IoT

🔒 CloudSEK researchers disclosed a nine‑month campaign that has recruited IoT devices and web servers into the RondoDox botnet by exploiting the critical React2Shell flaw (CVE‑2025‑55182). Actors moved from manual scanning to hourly automated deployments, dropping cryptocurrency miners, a loader/health checker and a Mirai variant. The loader (/nuts/bolts) kills competing malware, enforces persistence and fetches the main bot. Organizations should patch Next.js, segment IoT, deploy WAFs and monitor for suspicious processes.
read more →

RondoDox Botnet Exploits React2Shell to Hit Next.js

🔥 The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to compromise vulnerable Next.js servers and deploy malware, including coinminers and Mirai-like components. CloudSEK reports scanning began on December 8 with active deployments starting December 11, and Shadowserver counts over 94,000 exposed assets. The botnet also conducts hourly IoT exploitation waves to enroll routers and uses loaders that remove competing malware and enforce persistence.
read more →

KrebsOnSecurity Marks 16 Years of Cyber Investigations

🎉 KrebsOnSecurity.com marks its 16th anniversary with a year of investigative reporting that focused on entities enabling complex, globally dispersed cybercrime. Coverage in 2025 examined rebranded bulletproof hosting such as Stark Industries Solutions, the rise and sanctioning of payment processor Cryptomus, pervasive voice- and SMS-phishing operations, and massive disruptive botnets including Aisuru and the emergent Kimwolf. The site detailed law enforcement actions, record DDoS assaults on the publication, and upcoming deep-dive reporting into Kimwolf. Readers are invited to subscribe to the plain-text newsletter and to consider exempting the site from ad blockers to support independent reporting.
read more →

CISA Flags Exploited Digiever NVR Flaw; Urges Mitigation

⚠️ CISA has added a vulnerability affecting Digiever DS-2105 Pro network video recorders to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. Tracked as CVE-2023-52163 (CVSS 8.8), the issue is a post-authentication command injection via time_tzsetup.cgi that can enable remote code execution. The device is end-of-life and unpatched; vendors and researchers note attacks delivering botnets like Mirai and ShadowV2. Users are advised to avoid exposing affected NVRs to the internet, change default credentials, apply compensating controls, and follow agency guidance ahead of the January 12, 2025 FCEB mitigation deadline.
read more →

Kimwolf Botnet Hijacks 1.8M Android TV Devices Worldwide

🛡️ Researchers at QiAnXin XLab disclosed a large-scale NDK-compiled botnet dubbed Kimwolf that has infected at least 1.8 million Android-based TVs, set-top boxes, and tablets across multiple countries. The infrastructure issued an estimated 1.7 billion DDoS commands over a three-day period in November 2025 and supports 13 UDP/TCP/ICMP attack methods while also offering proxy forwarding, reverse shell, and file management functions. Operators responded to repeated C2 takedowns by moving to ENS domains and deploying an EtherHiding technique that resolves C2 IPs via a smart contract.
read more →