Mirai Botnets Evolve, Pose Massive DDoS and Proxy Abuse Threat
Key Takeaways
- Mirai botnets, particularly the Aisuru-Kimwolf variants, are rapidly evolving, exhibiting increased sophistication and destructive power in DDoS attacks and residential proxy abuse.
- These advanced Mirai strains have compromised between one and four million devices globally, including Android devices and Smart TVs, and are responsible for some of the largest recorded DDoS attacks.
- Botnet operators are monetizing their infrastructure by selling access to compromised devices and are actively adapting to law enforcement takedown efforts by shifting to decentralized, encrypted networks like I2P.
The cybersecurity landscape has witnessed a significant escalation in botnet-driven threats over the past year, largely propelled by the persistent evolution of the Mirai malware family. This influential threat, first identified in 2016, continues to expand its reach and capabilities, now encompassing hundreds of active variants targeting millions of devices worldwide.
Originally built to scan for Internet of Things (IoT) devices running stripped-down Linux on low-power embedded processors, Mirai broke in through known security flaws or, far more often, default factory credentials: the original code brute-forced exposed telnet logins from a short built-in username/password list. The public release of its source code democratized botnet creation, allowing numerous threat actors to build their own versions.
Spamhaus reported a substantial increase in botnet command and control (C2) servers, with a 26% rise in the first half of 2025, followed by another 24% surge between July and December 2025. This growth propelled the United States past China as the leading host for botnet C2 servers, a position China had maintained since Q3 2023. This rapid proliferation underscores the ease with which Mirai’s codebase is leveraged by cybercriminals.

Researchers at Pulsedive have closely monitored several Mirai-based botnets, identifying Aisuru and Kimwolf as particularly potent. These two variants, often collectively referred to as Aisuru-Kimwolf, are estimated to have compromised between one and four million hosts globally.
Cloudflare has attributed some of the largest recorded Distributed Denial of Service (DDoS) attacks to Aisuru-Kimwolf, including a massive 31.4 terabit-per-second flood and an assault reaching 14.1 billion packets per second. These figures represent a significant increase in destructive potential compared to earlier Mirai variants, signaling a dangerous new phase in botnet capabilities.

The operators behind Aisuru-Kimwolf have established a criminal enterprise, selling access to their network of compromised devices via platforms like Discord and Telegram. In a coordinated effort to counter this threat, the U.S. Department of Justice announced court-authorized disruption actions against the C2 servers supporting the Aisuru, Kimwolf, JackSkid, and Mossad botnets on March 19, 2026, with enforcement extending across Canada and Germany.
Beyond orchestrating DDoS attacks, these botnets are also implicated in abusing residential proxy networks: the infected devices are resold as proxy exit nodes, so a customer's malicious traffic egresses from the IP addresses of ordinary homeowners. That traffic blends in with legitimate users, defeats IP-reputation blocking, and makes tracing the real source far harder. Despite law enforcement intervention, these botnets have demonstrated a persistent ability to adapt and maintain operations.
Kimwolf’s Infection Mechanism and Infrastructure Evasion
Kimwolf stands out as an Android-specific subvariant of Aisuru, specifically engineered to compromise mobile devices and Smart TVs. It has successfully infected approximately two million Android devices worldwide, utilizing Aisuru’s DDoS capabilities adapted for Android systems.
Once it has a foothold on a vulnerable device, Kimwolf runs an installation script that downloads several payload files, named with a .apk extension, from a command-and-control server. The script marks each file executable and runs them in turn, one build per CPU architecture, so that whichever binary matches the host will start; the rest simply fail, which is the classic Mirai multi-architecture dropper pattern and maximizes the infection rate across heterogeneous devices.

Following the disruption of the IPIDEA residential proxy infrastructure, which Google and the U.S. Department of Justice linked to Kimwolf, reports emerged that the botnet had migrated its command and control to the Invisible Internet Project (I2P). I2P is a decentralized, encrypted overlay network designed to anonymize traffic; because there is no single server or domain to seize, it is significantly more resistant to monitoring and takedown than conventional C2 infrastructure.
This strategic shift highlights the operators’ responsiveness to law enforcement actions, demonstrating a clear pattern of adapting their operations to evade disruption.

What You Should Do
- Implement advanced DDoS protection solutions offered by network providers to detect and mitigate bot-driven traffic.
- Utilize protective DNS services to filter out suspicious domain queries before they can reach internal systems.
- Ensure all publicly accessible network devices, especially routers, are regularly patched and updated to address known vulnerabilities, and isolate or retire devices (including Smart TVs and set-top boxes) that no longer receive firmware updates.
- Replace all default credentials on networking equipment with strong, unique passwords immediately during initial setup, and disable remote administration services such as telnet and WAN-side management that Mirai-family scanners probe for.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.