Botnet
Manager of botnet used in ransomware attacks gets 2 years in prison
A Russian national has been sentenced to two years in prison after admitting that the phishing botnet he managed was used to launch BitPaymer ransomware attacks against 72 U.S. companies. According to court documents, 40-year-old Ilya Angelov (who used the “milan” and “okart” online handles) decided to travel to the United States to plead guilty and […]
International joint action disrupts world’s largest DDoS botnets
Authorities from the United States, Germany, and Canada have taken down Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets to infect Internet of Things (IoT) devices. The joint law enforcement action also targeted virtual servers, internet domains, and other infrastructure used by the four botnets to launch hundreds of […]
US disrupts SocksEscort proxy network powered by Linux malware
Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network that relied solely on edge devices compromised via the AVRecon malware for Linux. According to Lumen’s Black Lotus Labs (BLL), which helped the U.S. Department of Justice take down Socksescort, the proxy network had a constant average of 20,000 […]
New KadNap botnet hijacks ASUS routers to fuel cybercrime proxy network
A newly discovered botnet malware called KadNap is targeting ASUS routers and other edge networking devices to turn them into proxies for malicious traffic. Since August 2025, KadNap has grown to 14,000 devices that are part of a peer-to-peer network and connect to the command-and-control (C2) infrastructure through a custom version of the Kademlia Distributed Hash Table […]
New Linux botnet SSHStalker uses old-school IRC for C2 comms
A newly documented Linux botnet named SSHStalker is using the IRC (Internet Relay Chat) communication protocol for command-and-control (C2) operations. The protocol was invented in 1988, and its adoption peaked during the 1990s, becoming the main text-based instant messaging solution for group and private communication. Technical communities still appreciate it for its implementation simplicity, interoperability, […]
Aisuru botnet sets new record with 31.4 Tbps DDoS attack
The Aisuru/Kimwolf botnet launched a new massive distributed denial of service (DDoS) attack that peaked at 31.4 Tbps and 200 million requests per second, setting a new record. The attack was part of a campaign targeting multiple companies, most of them in the telecommunications sector, and was detected and mitigated by Cloudflare last year on December 19. […]
New GoBruteforcer attack wave targets crypto, blockchain projects
A new wave of GoBruteforcer botnet malware attacks is targeting databases of cryptocurrency and blockchain projects on exposed servers believed to be configured using AI-generated examples. GoBrutforcer is also known as GoBrut. It is a Golang-based botnet that typically targets exposed FTP, MySQL, PostgreSQL, and phpMyAdmin services. The malware often relies on compromised Linux servers to scan random […]
Kimwolf Android botnet abuses residential proxies to infect internal devices
The Kimwolf botnet, an Android variant of the Aisuru malware, has grown to more than two million hosts, most of them infected by exploiting vulnerabilities in residential proxy networks to target devices on internal networks. Researchers observed increased activity for the malware since last August. Over the past month, Kimwolf has intensified its scanning of […]
RondoDox botnet exploits React2Shell flaw to breach Next.js servers
The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. First documented by Fortinet in July 2025, RondoDox is a large-scale botnet that targets multiple n-day flaws in global attacks. In November, VulnCheck spotted new RondoDox variants that featured exploits for CVE-2025-24893, a critical remote code execution (RCE) vulnerability in […]
Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack
In just three months, the massive Aisuru botnet launched more than 1,300 distributed denial-of-service attacks, one of them setting a new record with a peak at 29.7 terabits per second. Aisuru is a huge botnet-for-hire service that provides an army of routers and IoT devices compromised via known vulnerabilities or through brute-forcing weak credentials. Internet management and infrastructure […]