Mirai Botnets Evolve, Pose Massive DDoS and Proxy Abuse Threat

Sarah simpson
March 25, 2026 4 Min Read

Key Takeaways

  • Mirai botnets, particularly the Aisuru-Kimwolf variants, are rapidly evolving, exhibiting increased sophistication and destructive power in DDoS attacks and residential proxy abuse.
  • These advanced Mirai strains have compromised between one and four million devices globally, including Android devices and Smart TVs, and are responsible for some of the largest recorded DDoS attacks.
  • Botnet operators are monetizing their infrastructure by selling access to compromised devices and are actively adapting to law enforcement takedown efforts by shifting to decentralized, encrypted networks like I2P.

The cybersecurity landscape has witnessed a significant escalation in botnet-driven threats over the past year, largely propelled by the persistent evolution of the Mirai malware family. This influential threat, first identified in 2016, continues to expand its reach and capabilities, now encompassing hundreds of active variants targeting millions of devices worldwide.

Originally designed to scan for vulnerable Internet of Things (IoT) devices running stripped-down Linux on ARC processors, Mirai exploited known security flaws or default factory credentials. The public release of its source code democratized botnet creation, allowing numerous threat actors to develop their own versions.

Spamhaus reported a substantial increase in botnet command and control (C2) servers, with a 26% rise in the first half of 2025, followed by another 24% surge between July and December 2025. This growth propelled the United States past China as the leading host for botnet C2 servers, a position China had maintained since Q3 2023. This rapid proliferation underscores the ease with which Mirai’s codebase is leveraged by cybercriminals.

Top locations for botnet C2 servers (Source - Pulsedive)

Researchers at Pulsedive have closely monitored several Mirai-based botnets, identifying Aisuru and Kimwolf as particularly potent. These two variants, often collectively referred to as Aisuru-Kimwolf, are estimated to have compromised between one and four million hosts globally.

Cloudflare has attributed some of the largest recorded Distributed Denial of Service (DDoS) attacks to Aisuru-Kimwolf, including a massive 31.4 terabit-per-second flood and an assault reaching 14.1 billion packets per second. These figures represent a significant increase in destructive potential compared to earlier Mirai variants, signaling a dangerous new phase in botnet capabilities.

The many variants of Mirai (Source - Pulsedive)

The operators behind Aisuru-Kimwolf have established a criminal enterprise, selling access to their network of compromised devices via platforms like Discord and Telegram. In a coordinated effort to counter this threat, the U.S. Department of Justice announced court-authorized disruption actions against the C2 servers supporting Aisuru, KimWolf, JackSkid, and Mossad botnets on March 19, 2026, with enforcement extending across Canada and Germany.

Beyond orchestrating DDoS attacks, these botnets are also implicated in abusing residential proxy networks. By routing malicious traffic through the IP addresses of ordinary homeowners, attackers significantly complicate tracing efforts. Despite law enforcement intervention, these botnets have demonstrated a persistent ability to adapt and maintain operations.

Kimwolf’s Infection Mechanism and Infrastructure Evasion

Kimwolf stands out as an Android-specific subvariant of Aisuru, specifically engineered to compromise mobile devices and Smart TVs. It has successfully infected approximately two million Android devices worldwide, utilizing Aisuru’s DDoS capabilities adapted for Android systems.

Upon gaining access to a vulnerable device, Kimwolf executes an installation script that downloads multiple .apk files from a command-and-control server. The script then makes these files executable and runs them sequentially, targeting various CPU architectures to maximize device infection rates.
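A detection check built on the behaviour described above, added here as an example rather than code from the article or from Pulsedive: it groups .apk downloads in a web-proxy log by client and origin host and flags any client that pulls several architecture-specific builds from one origin within a minute. The log line format, the architecture tag list and the sample lines are constructed assumptions.

```python
# Added example: flag clients that pull several architecture-specific .apk
# payloads from one origin in a short window (the Kimwolf install pattern).
# The log format and the architecture tag list are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2026-03-20T10:00:01 10.0.0.5 GET http://203.0.113.9/bins/x86 200
2026-03-20T10:00:03 10.0.0.5 GET http://203.0.113.9/bins/arm7.apk 200
2026-03-20T10:00:04 10.0.0.5 GET http://203.0.113.9/bins/arm64.apk 200
2026-03-20T10:00:06 10.0.0.5 GET http://203.0.113.9/bins/mips.apk 200
2026-03-20T10:00:08 10.0.0.5 GET http://203.0.113.9/bins/x86.apk 200
2026-03-20T10:05:00 10.0.0.7 GET https://play.example.com/app.apk 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# CPU tags a multi-architecture loader typically cycles through (assumed list).
ARCH_RE = re.compile(r"(aarch64|arm64|armv?\d|mipsel|mips|x86_64|x86)", re.I)

def apk_fetches(log):
    """Yield (timestamp, client, origin host, arch tag) for every .apk download."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(4).lower().endswith(".apk"):
            continue
        ts, client, _, url, _ = m.groups()
        origin = url.split("//", 1)[-1].split("/", 1)[0]
        arch = ARCH_RE.search(url.rsplit("/", 1)[-1])
        if arch:
            yield datetime.fromisoformat(ts), client, origin, arch.group(1).lower()

def find_multiarch_fetches(log, min_archs=3, window=timedelta(seconds=60)):
    """Return {(client, origin): sorted arch tags} where one client fetched
    >= min_archs distinct architecture builds from one origin inside `window`."""
    events = defaultdict(list)
    for ts, client, origin, arch in apk_fetches(log):
        events[(client, origin)].append((ts, arch))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            archs = {a for t, a in evs[i:] if t - start <= window}
            if len(archs) >= min_archs:
                hits[key] = sorted(archs)
                break
    return hits
```

The single legitimate store download from 10.0.0.7 is not flagged; the four-architecture burst from 10.0.0.5 is, which is the signal worth routing to an analyst or to a block rule.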

Distribution of KimWolf IP addresses (Source - Pulsedive)

Following the disruption of the IPIDEA residential proxy infrastructure, which was linked to Kimwolf by Google and the U.S. Department of Justice, reports emerged indicating the botnet’s migration to The Invisible Project (I2P). I2P is a decentralized, encrypted communication network designed to anonymize traffic, making it significantly more resistant to monitoring and takedown attempts than conventional infrastructure.

This strategic shift highlights the operators’ responsiveness to law enforcement actions, demonstrating a clear pattern of adapting their operations to evade disruption.

How KimWolf abuses residential proxy infrastructure (Source - Pulsedive)

What You Should Do

  • Implement advanced DDoS protection solutions offered by network providers to detect and mitigate bot-driven traffic.
  • Utilize protective DNS services to filter out suspicious domain queries before they can reach internal systems.
  • Ensure all publicly accessible network devices, especially routers, are regularly patched and updated to address known vulnerabilities.
  • Replace all default credentials on networking equipment with strong, unique passwords immediately during initial setup.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.