< ciso
brief />
Tag Banner

All news with #ddos tag

133 articles · page 5 of 7

Kimwolf Android Botnet Infects Over 2 Million Devices

🛡️ Synthient reports the Kimwolf Android botnet has compromised more than two million devices by tunneling through residential proxy networks and embedded SDKs. The campaign, active since August 2025 and linked to AISURU by QiAnXin XLab, exploits exposed Android Debug Bridge (ADB) services—67% of infected devices had unauthenticated ADB enabled. Operators monetize infections via app installs, selling residential proxy bandwidth and DDoS services; the main payload listens on port 40860 and connects to 85.234.91[.]247:1337 for commands.
read more →

Kimwolf Botnet Exploits Residential Proxies and TVs

🛡️ Synthient and other researchers describe the explosive growth of the Kimwolf botnet, which has infected more than two million devices globally, concentrated in Vietnam, Brazil, India, Saudi Arabia, Russia and the United States. Kimwolf abuses residential proxy services — notably China-based IPIDEA — to tunnel back into home networks and compromise devices such as unofficial Android TV boxes and digital photo frames. The malware leverages weak proxy DNS handling and factory-enabled Android Debug Bridge (ADB) to gain unauthenticated administrative access, then installs proxy and DDoS-capable payloads. Researchers advise removing suspect TV boxes, isolating guests on a Guest Wi‑Fi network, and preferring reputable brands to reduce exposure.
read more →

KrebsOnSecurity Marks 16 Years of Cyber Investigations

🎉 KrebsOnSecurity.com marks its 16th anniversary with a year of investigative reporting that focused on entities enabling complex, globally dispersed cybercrime. Coverage in 2025 examined rebranded bulletproof hosting such as Stark Industries Solutions, the rise and sanctioning of payment processor Cryptomus, pervasive voice- and SMS-phishing operations, and massive disruptive botnets including Aisuru and the emergent Kimwolf. The site detailed law enforcement actions, record DDoS assaults on the publication, and upcoming deep-dive reporting into Kimwolf. Readers are invited to subscribe to the plain-text newsletter and to consider exempting the site from ad blockers to support independent reporting.
read more →

La Poste Offline After Major DDoS Disrupts Services

🔴 La Poste's main website and multiple digital services were taken offline by a major DDoS attack on Monday, and access remained impaired as of Wednesday morning. While email (laposte.net) and Digiposte reportedly stayed operational, online banking, the La Poste app and digital identity services were described as "temporarily inaccessible." The incident also disrupted physical operations, with some Paris post offices turning customers away. La Poste says teams are fully mobilized while analysts warn the timing suggests possible state-sponsored or hacktivist motives.
read more →

French postal service disrupted by suspected DDoS attack

⚠️ France’s national postal service, La Poste, experienced a widespread network outage lasting more than twelve hours that affected its website, mobile app, digital document service Digiposte, and a digital ID service. Counter services remained operational, but the banking arm, Banque Postale, saw its app and online services go offline. Payments and SMS verification reportedly continued to function. Officials have not confirmed a cause; Le Monde Informatique has cited a suspected DDoS attack.
read more →

Major Network Incident Knocks Offline La Poste Services

🚨 La Poste, France’s national postal service, reported a 'major network incident' that knocked its information systems offline and disrupted its website, mobile app, digital identity service and the Digiposte document platform. La Banque Postale said online and mobile banking were affected but core banking functions — ATM withdrawals, in-store card payments, interbank exchanges and WERO transfers — remained operational. French media cited a suspected DDoS attack; La Poste has not provided a restoration timeline.
read more →

Denmark Attributes Two Destructive Cyberattacks to Russia

🔒 The Danish Defence Intelligence Service (DDIS) publicly attributed two separate cyber operations to Russian-linked actors. It said a pro-Russian group known as Z-Pentest carried out a destructive intrusion against a Danish water utility in 2024, while NoName057(16), an actor with ties to the Russian state, mounted disruptive DDoS attacks against Danish websites ahead of municipal and regional elections in November. Danish authorities characterized the incidents as part of a broader pattern of state-aligned cyber coercion and disruption.
read more →

Denmark Blames Russia for 2024–25 Cyber Attacks, DDoS

🛡️ The Danish Defence Intelligence Service (DDIS) said on December 18, 2025 that Russian-aligned actors were responsible for recent destructive and disruptive cyber activity against Denmark. The agency named pro‑Russian hacktivist groups Z‑Pentest for a destructive 2024 intrusion at a water utility and NoName057(16) for DDoS campaigns targeting websites ahead of the 2025 municipal and regional elections. DDIS assessed both groups have links to the Russian state and are being used as instruments of a hybrid campaign to create insecurity and penalise countries supporting Ukraine. The statement followed a global advisory, co-signed by 23 law enforcement and intelligence bodies, which catalogued related TTPs.
read more →

Kimwolf Botnet Hijacks 1.8M Android TV Devices Worldwide

🛡️ Researchers at QiAnXin XLab disclosed a large-scale NDK-compiled botnet dubbed Kimwolf that has infected at least 1.8 million Android-based TVs, set-top boxes, and tablets across multiple countries. The infrastructure issued an estimated 1.7 billion DDoS commands over a three-day period in November 2025 and supports 13 UDP/TCP/ICMP attack methods while also offering proxy forwarding, reverse shell, and file management functions. Operators responded to repeated C2 takedowns by moving to ENS domains and deploying an EtherHiding technique that resolves C2 IPs via a smart contract.
read more →

Cloudflare Radar 2025 Year in Review — AI, PQ, DDoS Trends

🔍 The 2025 Cloudflare Radar Year in Review summarizes Internet trends observed across Cloudflare’s global network, covering January–December 2025. The report highlights rapid growth in traffic (up 19%), dramatic increases in AI crawling and user-action requests, and widespread adoption of post-quantum TLS, which reached 52% of human web traffic. It also documents hyper-volumetric DDoS escalation — multiple attacks exceeded 10 Tbps with records hitting 31.4 Tbps — and provides sector, device, and connectivity insights informed by new AI and speed‑test datasets.
read more →

Customizing AWS WAF Anti-DDoS AMR Responses for L7

🛡️This post explains how to customize AWS WAF Anti-DDoS AMR responses to Layer 7 DDoS events using labels and additional rules. It summarizes the AMR’s baseline‑and‑anomaly approach, default mitigations (a mix of Block and JavaScript Challenge), and the importance of excluding non‑challengeable paths. Three practical examples show geo‑based blocking, tightened rate limits, and adaptive capacity‑aware defenses, with JSON/IaC configuration guidance.
read more →

CISA, FBI Warn: Protect Critical Infrastructure Now

🚨 CISA, the FBI, NSA, DOE, EPA, DOD’s DC3, and international partners issued a joint advisory alerting operators that pro‑Russia hacktivist groups are conducting opportunistic, low‑sophistication attacks against U.S. and global critical infrastructure. These actors exploit internet‑facing OT components (notably VNC and SCADA) and sometimes combine intrusions with DDoS. The advisory urges immediate mitigations: reduce OT exposure, improve asset management, and enforce robust authentication.
read more →

Weekly Cyber Recap: React2Shell, AI IDE Flaws, DDoS

🛡️ This week's bulletin spotlights a critical React Server Components flaw, CVE-2025-55182 (React2Shell), that was widely exploited within hours of disclosure, triggering emergency mitigations. Researchers also disclosed 30+ vulnerabilities in AI-integrated IDEs (IDEsaster), while Cloudflare mitigated a record 29.7 Tbps DDoS attributed to the AISURU botnet. Additional activity includes espionage backdoors (BRICKSTORM), fake banking apps distributing Android RATs in Southeast Asia, USB-based miner campaigns, and new stealers and packer services. Defenders are urged to prioritize patching, monitor telemetry, and accelerate threat intelligence sharing.
read more →

Cloudflare Mitigates Record 29.7 Tbps DDoS by AISURU

🚨 Cloudflare reported it detected and mitigated a record 29.7 Tbps distributed denial-of-service attack attributed to the AISURU botnet. The UDP "carpet-bombing" assault, which randomized packet attributes and targeted an average of 15,000 destination ports per second, lasted 69 seconds. Cloudflare also mitigated a 14.1 Bpps event and said AISURU may comprise 1–4 million infected hosts, while blocking thousands of related hyper-volumetric attacks and noting significant quarterly increases in DDoS activity.
read more →

Aisuru botnet behind record 29.7 Tbps DDoS attack impact

⚠️ In three months the Aisuru botnet has been linked to more than 1,300 DDoS attacks, including a record peak of 29.7 Tbps in Q3 2025 that Cloudflare mitigated. The botnet, offered as a rental service, leverages an estimated 1–4 million compromised routers and IoT devices exploited via known vulnerabilities and weak credentials. The record incident lasted 69 seconds and used UDP carpet‑bombing across roughly 15,000 destination ports per second; Cloudflare reports a sharp rise in hyper‑volumetric attacks that can disrupt ISPs and critical services.
read more →

Cloudflare Q3 2025 DDoS Threat Report: Aisuru Peaks

📈 The 23rd edition of Cloudflare’s Quarterly DDoS Threat Report reviews Q3 2025 data and spotlights the unprecedented Aisuru botnet, estimated at 1–4 million infected hosts. Aisuru launched routine hyper-volumetric attacks exceeding 1 Tbps and 1 Bpps, peaking at 29.7 Tbps and 14.1 Bpps, while Cloudflare mitigated 8.3 million DDoS events in the quarter. Network-layer attacks dominated the mix, and the report warns that short, high-volume strikes often outpace manual defenses, underscoring the need for global, automated mitigation.
read more →

ShadowV2 Mirai Botnet Tested During AWS Outage Activity

⚠️ Fortinet’s FortiGuard Labs identified a Mirai-based botnet called ShadowV2 that exploited known vulnerabilities in routers and other IoT devices from D-Link, TP-Link, DD-WRT and others during a major AWS outage, appearing active only for the outage window and possibly a test run. The malware is delivered via a downloader (binary.sh) that fetches payloads from 81[.]88[.]18[.]108 and uses XOR-encoded configuration and Mirai-style strings. ShadowV2 supports UDP, TCP and HTTP DDoS floods and receives commands from a C2 at 198[.]199[.]72[.]27. Fortinet published IoCs and emphasizes keeping firmware updated, noting many affected models are end-of-life and will not be patched.
read more →

ShadowV2 IoT Botnet Exploits Multiple Device Flaws

⚠️ FortiGuard Labs observed a Mirai-derived botnet named ShadowV2 actively exploiting multiple known IoT firmware vulnerabilities to deliver a downloader and ELF payloads that enable remote takeover and DDoS operations. The activity, detected during a late‑October global AWS connectivity disruption, targeted a wide range of devices including D-Link, TP‑Link, DD‑WRT variants and DVR systems. ShadowV2 decodes a XOR-encoded configuration (key 0x22), contacts a hardcoded C2 (silverpath.shadowstresser.info / 81.88.18.108), and supports UDP, TCP and HTTP flood methods. Fortinet provides AV detections, IPS signatures for the exploited CVEs, and recommends firmware updates, network hardening, and continuous monitoring.
read more →

Azure Mitigates Record 15.72 Tbps DDoS from IoT Botnet

🛡️ Microsoft Azure said it blocked a record 15.72 Tbps DDoS attack tied to the Aisuru IoT botnet that surged to roughly 3.64 billion packets per second and targeted a single cloud endpoint in Australia. The attacker launched extremely high-rate UDP floods from over 500,000 source IPs with minimal spoofing and random source ports. Azure DDoS Protection automatically detected and mitigated the traffic without disrupting customer workloads, and Microsoft urged organizations to validate internet-facing protections ahead of peak periods, noting systemic IoT security gaps.
read more →

Microsoft Mitigates 15.72 Tbps IoT-Driven DDoS Attack

🛡 Microsoft automatically detected and mitigated a massive DDoS attack that peaked at 15.72 Tbps and roughly 3.64 billion packets per second against a single Australian endpoint. The traffic was attributed to a TurboMirai-class IoT botnet called AISURU, sourced from hundreds of thousands of compromised routers, cameras, and DVRs and launched from over 500,000 source IPs across multiple regions. Attackers used high-rate UDP floods with minimal source spoofing and random source ports, factors Microsoft said helped simplify traceback and provider enforcement. The incident underscores rising DDoS baselines as broadband speeds increase and IoT devices become more capable.
read more →