
All news with #botnet tag

116 articles · page 4 of 6

GoBruteforcer Botnet Targets Crypto Project Servers

🔐 A new wave of GoBruteforcer botnet attacks is targeting exposed FTP, MySQL, PostgreSQL and phpMyAdmin services used by cryptocurrency and blockchain projects. Check Point reports the Golang-based botnet brute-forces weak or default credentials—often from servers deployed with AI-generated configuration snippets—and then deploys web shells and downloader stages. The malware scans random public IPv4s, spawning up to 95 threads while skipping private, AWS, and U.S. government ranges. Administrators are advised to remove defaults, audit exposed services, and replace outdated stacks like XAMPP.

Kimwolf Android Botnet Abuses Residential Proxies Widely

🛡️ Researchers report the Kimwolf Android botnet — an Aisuru variant — has grown to nearly two million infected hosts by abusing residential proxy services to reach devices on internal networks. The malware scans for unauthenticated Android Debug Bridge (ADB) endpoints on ports such as 5555 and delivers payloads via telnet/netcat, often targeting low-cost Android TV boxes. Affected devices are used for DDoS, proxy resale, and ad-fraud via third-party SDKs; mitigation includes wiping compromised boxes and preferring Google Play Protect-certified hardware from reputable OEMs.

Kimwolf Android Botnet Infects Over 2 Million Devices

🛡️ Synthient reports the Kimwolf Android botnet has compromised more than two million devices by tunneling through residential proxy networks and embedded SDKs. The campaign, active since August 2025 and linked to AISURU by QiAnXin XLab, exploits exposed Android Debug Bridge (ADB) services—67% of infected devices had unauthenticated ADB enabled. Operators monetize infections via app installs, selling residential proxy bandwidth and DDoS services; the main payload listens on port 40860 and connects to 85.234.91[.]247:1337 for commands.

Weekly Recap: IoT Botnets, Extension Supply-Chain Risk

🔒 This week's recap highlights persistent, trust‑based attacks that quietly exploited updates, extensions, sessions, and messages to scale impact across IoT, browsers, and collaboration platforms. A nine‑month RondoDox campaign leveraged React2Shell for RCE in React Server Components, while a supply‑chain compromise of Trust Wallet extensions exposed GitHub secrets and Chrome Web Store keys, enabling roughly $8.5M in crypto theft. Newly observed groups like DarkSpectre abused legitimate extensions to reach millions of users, and well‑resourced actors reused successful trust vectors rather than relying on one‑off exploits.

Kimwolf Botnet Exploits Residential Proxies and TVs

🛡️ Synthient and other researchers describe the explosive growth of the Kimwolf botnet, which has infected more than two million devices globally, concentrated in Vietnam, Brazil, India, Saudi Arabia, Russia and the United States. Kimwolf abuses residential proxy services — notably China-based IPIDEA — to tunnel back into home networks and compromise devices such as unofficial Android TV boxes and digital photo frames. The malware leverages weak proxy DNS handling and factory-enabled Android Debug Bridge (ADB) to gain unauthenticated administrative access, then installs proxy and DDoS-capable payloads. Researchers advise removing suspect TV boxes, isolating guests on a Guest Wi‑Fi network, and preferring reputable brands to reduce exposure.

RondoDox Botnet Exploits React2Shell to Infect IoT

🔒 CloudSEK researchers disclosed a nine‑month campaign that has recruited IoT devices and web servers into the RondoDox botnet by exploiting the critical React2Shell flaw (CVE‑2025‑55182). Actors moved from manual scanning to hourly automated deployments, dropping cryptocurrency miners, a loader/health checker and a Mirai variant. The loader (/nuts/bolts) kills competing malware, enforces persistence and fetches the main bot. Organizations should patch Next.js, segment IoT, deploy WAFs and monitor for suspicious processes.

RondoDox Botnet Exploits React2Shell to Hit Next.js

🔥 The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to compromise vulnerable Next.js servers and deploy malware, including coinminers and Mirai-like components. CloudSEK reports scanning began on December 8 with active deployments starting December 11, and Shadowserver counts over 94,000 exposed assets. The botnet also conducts hourly IoT exploitation waves to enroll routers and uses loaders that remove competing malware and enforce persistence.

KrebsOnSecurity Marks 16 Years of Cyber Investigations

🎉 KrebsOnSecurity.com marks its 16th anniversary with a year of investigative reporting that focused on entities enabling complex, globally dispersed cybercrime. Coverage in 2025 examined rebranded bulletproof hosting such as Stark Industries Solutions, the rise and sanctioning of payment processor Cryptomus, pervasive voice- and SMS-phishing operations, and massive disruptive botnets including Aisuru and the emergent Kimwolf. The site detailed law enforcement actions, record DDoS assaults on the publication, and upcoming deep-dive reporting into Kimwolf. Readers are invited to subscribe to the plain-text newsletter and to consider exempting the site from ad blockers to support independent reporting.

CISA Flags Exploited Digiever NVR Flaw; Urges Mitigation

⚠️ CISA has added a vulnerability affecting Digiever DS-2105 Pro network video recorders to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. Tracked as CVE-2023-52163 (CVSS 8.8), the issue is a post-authentication command injection via time_tzsetup.cgi that can enable remote code execution. The device is end-of-life and unpatched; vendors and researchers note attacks delivering botnets like Mirai and ShadowV2. Users are advised to avoid exposing affected NVRs to the internet, change default credentials, apply compensating controls, and follow agency guidance ahead of the January 12, 2025 FCEB mitigation deadline.

Kimwolf Botnet Hijacks 1.8M Android TV Devices Worldwide

🛡️ Researchers at QiAnXin XLab disclosed a large-scale NDK-compiled botnet dubbed Kimwolf that has infected at least 1.8 million Android-based TVs, set-top boxes, and tablets across multiple countries. The infrastructure issued an estimated 1.7 billion DDoS commands over a three-day period in November 2025 and supports 13 UDP/TCP/ICMP attack methods while also offering proxy forwarding, reverse shell, and file management functions. Operators responded to repeated C2 takedowns by moving to ENS domains and deploying an EtherHiding technique that resolves C2 IPs via a smart contract.

Weekly Cyber Recap: React2Shell, AI IDE Flaws, DDoS

🛡️ This week's bulletin spotlights a critical React Server Components flaw, CVE-2025-55182 (React2Shell), that was widely exploited within hours of disclosure, triggering emergency mitigations. Researchers also disclosed 30+ vulnerabilities in AI-integrated IDEs (IDEsaster), while Cloudflare mitigated a record 29.7 Tbps DDoS attributed to the AISURU botnet. Additional activity includes espionage backdoors (BRICKSTORM), fake banking apps distributing Android RATs in Southeast Asia, USB-based miner campaigns, and new stealers and packer services. Defenders are urged to prioritize patching, monitor telemetry, and accelerate threat intelligence sharing.

Cloudflare Mitigates Record 29.7 Tbps DDoS by AISURU

🚨 Cloudflare reported it detected and mitigated a record 29.7 Tbps distributed denial-of-service attack attributed to the AISURU botnet. The UDP "carpet-bombing" assault, which randomized packet attributes and targeted an average of 15,000 destination ports per second, lasted 69 seconds. Cloudflare also mitigated a 14.1 Bpps event and said AISURU may comprise 1–4 million infected hosts, while blocking thousands of related hyper-volumetric attacks and noting significant quarterly increases in DDoS activity.

Aisuru botnet behind record 29.7 Tbps DDoS attack impact

⚠️ In three months the Aisuru botnet has been linked to more than 1,300 DDoS attacks, including a record peak of 29.7 Tbps in Q3 2025 that Cloudflare mitigated. The botnet, offered as a rental service, leverages an estimated 1–4 million compromised routers and IoT devices exploited via known vulnerabilities and weak credentials. The record incident lasted 69 seconds and used UDP carpet‑bombing across roughly 15,000 destination ports per second; Cloudflare reports a sharp rise in hyper‑volumetric attacks that can disrupt ISPs and critical services.

Free GreyNoise IP Check to Detect Botnet Participation

🛡 GreyNoise Labs provides a free online IP-check tool that helps users determine whether their home or family public IP has been observed performing malicious scanning or appears in GreyNoise's dataset. The GreyNoise IP Check returns one of three outcomes: clean, suspicious/malicious activity, or traffic consistent with VPN, corporate, or cloud environments, and shows a 90-day activity history when correlations exist. For advanced users, an unauthenticated, rate‑limit‑free JSON API accessible via curl supplies structured data for integration into MDMs, VPN scripts, or network onboarding.

GreyNoise launches free IP scanner to detect botnet

🔍 GreyNoise Labs has launched GreyNoise IP Check, a free scanner that lets users determine whether an IP address has been observed performing malicious scanning activity, including botnets and residential proxy traffic. The web tool returns one of three statuses — Clean, Malicious/Suspicious, or Common Business Service — and, when applicable, provides a 90-day activity timeline to help pinpoint potential infection points. A rate-limit-free JSON API is available for integration, and GreyNoise recommends conducting malware scans, updating device firmware, securing router credentials, and disabling unneeded remote access when an IP appears suspicious.

ThreatsDay: AI Malware, Voice Scam Flaws, and IoT Botnets

🔍 This week's briefing highlights resurgent Mirai variants, AI-enabled malware, and large-scale social engineering and laundering operations. Security vendors reported ShadowV2 and RondoDox infecting IoT devices, while researchers uncovered the QuietEnvelope mail-server backdoors and a Retell AI API flaw enabling automated deepfake calls. Regulators and vendors are pushing fixes, bans, and protocol upgrades as defenders race to close gaps.

ShadowV2 Mirai Botnet Tested During AWS Outage Activity

⚠️ Fortinet’s FortiGuard Labs identified a Mirai-based botnet called ShadowV2 that exploited known vulnerabilities in routers and other IoT devices from D-Link, TP-Link, DD-WRT and others during a major AWS outage, appearing active only for the outage window and possibly a test run. The malware is delivered via a downloader (binary.sh) that fetches payloads from 81[.]88[.]18[.]108 and uses XOR-encoded configuration and Mirai-style strings. ShadowV2 supports UDP, TCP and HTTP DDoS floods and receives commands from a C2 at 198[.]199[.]72[.]27. Fortinet published IoCs and emphasizes keeping firmware updated, noting many affected models are end-of-life and will not be patched.

ShadowV2 IoT Botnet Exploits Multiple Device Flaws

⚠️ FortiGuard Labs observed a Mirai-derived botnet named ShadowV2 actively exploiting multiple known IoT firmware vulnerabilities to deliver a downloader and ELF payloads that enable remote takeover and DDoS operations. The activity, detected during a late‑October global AWS connectivity disruption, targeted a wide range of devices including D-Link, TP‑Link, DD‑WRT variants and DVR systems. ShadowV2 decodes an XOR-encoded configuration (key 0x22), contacts a hardcoded C2 (silverpath.shadowstresser.info / 81.88.18.108), and supports UDP, TCP and HTTP flood methods. Fortinet provides AV detections, IPS signatures for the exploited CVEs, and recommends firmware updates, network hardening, and continuous monitoring.

Superbox Android TV Boxes Found Relaying Malicious Traffic

⚠️ Superbox media streaming boxes sold through retailers like BestBuy and Walmart have been found running intrusive, unofficial apps that can enlist buyers' Internet connections into distributed residential proxy networks and botnets. Censys researchers observed devices phoning home to Tencent QQ and a proxy service called Grass IO, and installing tools such as tcpdump and netcat while performing DNS hijacking and ARP spoofing. The boxes require removing Google Play and installing a third-party app store, increasing the risk of unauthorized relays, advertising fraud, and account takeovers. Consumers are advised to avoid uncertified Android TV devices and follow FBI and EFF guidance on suspicious app marketplaces.

Operation Endgame 3.0 Disrupts Rhadamanthys Infostealer

🔒 Operation Endgame 3.0, coordinated by Europol with over 30 national and private partners, dismantled more than 1,000 servers and seized 20 domains tied to the Rhadamanthys infostealer, VenomRAT and the Elysium botnet. Authorities say the disrupted infrastructure harboured hundreds of thousands of infected computers and millions of stolen credentials, with the Rhadamanthys operator allegedly accessing over 100,000 crypto wallets. The action included 11 searches and at least one arrest; users are advised to check accounts via national breach-check services or HaveIBeenPwned and to maintain strong defences as criminals can rebuild.