Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Botnet. Show all posts
Kimwol
Botnet Cyber Attacks DDOS Attack Kimwol

Kimwolf Botnet Hijacks 1.8M Android Devices for DDoS Chaos

 

The Kimwolf botnet is one of the largest recently found Android-based threats, contaminating over 1.8 million devices mostly Android TV boxes and IoT devices globally. Named after its reliance on the wolfSSL library, this malware appeared in late October 2025 when XLab researchers noticed a suspicious C2 domain rising to the top, surpassing Google on Cloudflare charts. Operators evolved the botnet from the Aisuru family, enhancing evasion tactics to build a massive proxy and DDoS army. 

Kimwolf propagates through residential proxy services, taking advantage of misconfigured services like PYPROXY to access on home networks and attack devices with open Android Debug Bridge (ADB) ports. Once executed, it drops payloads such as the ByteConnect SDK via pre-packaged malicious apps or direct downloads, which converts victims into proxy nodes that can be rented on underground markets. The malware has 13 DDoS techniques under UDP, TCP, and ICMP while 96.5% of commands are related to traffic proxying for ad fraud, scraping, and account takeovers.

Capabilities extend to reverse shells for remote control, file management, and lateral movement within networks by altering DNS settings. To dodge takedowns, it employs DNS over TLS (DoT), elliptic curve signatures for C2 authentication, and EtherHiding via Ethereum Name Service (ENS) blockchain domains. Between November 19-22, 2025, it issued 1.7 billion DDoS commands; researchers estimate its peak capacity at 30 Tbps, fueling attacks on U.S., Chinese, and European targets.

Infections span 222 countries, led by Brazil (14.63%), India (12.71%), and the U.S. (9.58%), hitting uncertified TV boxes that lack updates and Google protections. Black Lotus Labs null-routed over 550 C2 nodes since October 2025, slashing active bots from peaks of 1.83 million to 200,000, while linking it to proxy sales on Discord by Resi Rack affiliates. Operators retaliated with taunting DDoS floods referencing journalist Brian Krebs. 

Security teams urge focusing on smart TV vulnerabilities like firmware flaws and weak passwords, pushing for intelligence sharing to dismantle such botnets.Users should disable ADB, update firmware, avoid sideloading, and monitor networks for anomalies. As consumer IoT grows, Kimwolf underscores the risks of turning homes into cyber weapons, demanding vendor accountability and robust defenses.
Read more »
Linux Servers
Botnet Brute Force Attacks Cyber Attacks GoBruteforcer Linux Servers

GoBruteforcer Botnet Targets Linux Servers with Brute-Force Attacks

 

A dangerous botnet called GoBruteforcer is ramping up brute-force attacks on internet-exposed Linux servers, focusing on services like FTP, MySQL, PostgreSQL, and phpMyAdmin. Check Point Research (CPR) warns that over 50,000 servers remain vulnerable due to weak credentials and poor configurations, turning them into new attack nodes after compromise. This surge exploits common defaults from tutorials and legacy stacks like XAMPP, amplifying risks for organizations worldwide.

The botnet, first spotted in 2023, evolved into a more sophisticated Go-written variant by mid-2025, featuring advanced obfuscation, persistence mechanisms, and process-hiding tricks like renaming to "init". Infected servers scan random IPs and test credential lists with usernames such as "admin," "appuser," or crypto-themed ones like "cryptouser," rotating campaigns weekly for efficiency. Low success rates still pay off given millions of exposed databases and FTP ports.

Financial motives drive some operations, with attackers deploying Go tools to scan TRON balances and sweep tokens from Binance Smart Chain on compromised hosts. CPR found 23,000 TRON addresses on one server, and on-chain data confirmed small thefts, highlighting resale potential for stolen access or data. Targeted attacks hit WordPress-linked phpMyAdmin panels and blockchain databases.

CPR links this threat to AI-generated deployment guides that propagate insecure defaults, predicting worse risks as server setups become easier. Legacy web environments and credential reuse from leaked databases fuel the botnet's spread, with C2 servers distributing modular components like IRC bots and bruteforcers.

Mitigation demands strong passwords, MFA, service lockdowns, and exposure monitoring beyond takedowns. Disabling unnecessary ports and auditing configs counters brute-force economics, while tools block known IOCs like C2 domains (e.g., fi.warmachine.su) and SHA-256 hashes for IRC bots. Proactive hygiene remains key against persistent threats like GoBruteforce.
Read more »
DDOS Attack
Aisuru Botnet Cloudfare Cyber Attacks DDOS Attack

Aisuru Botnet Unleashes Record 29.7 Tbps DDoS Attack

 

A new record-breaking 29.7 Tbps distributed denial-of-service (DDoS) attack launched via the Aisuru botnet has set a new standard for internet disruption and reinforced that multi-terabit attacks are on track to soon be an everyday event for DDoS defenders. According to Cloudflare’s latest DDoS threats report, Aisuru launched an intense hyper-volumetric DDoS on a network layer with traffic that reached 29.7 Tbps and 14.1 billion packets per second, reaching new heights beyond previous records that topped 22 Tbps. 

The DDoS attack employed a UDP ‘carpet bombing’ technique that targeted 15,000 destination ports every second with random packet components constantly varying so as not to get filtered out at traditional scrubbing centers. Despite these efforts, Cloudflare reports that Aisuru traffic took mere seconds for an autonomous mitigation system to identify and remove. 

Behind the incident is a botnet Cloudflare now estimates at 1 million to 4 million compromised devices, making Aisuru the biggest DDoS botnet in active circulation. Since the start of 2025, Cloudflare has mitigated 2,867 Aisuru incidents, with 1,304 hyper-volumetric attacks in the third quarter alone - a 54% quarter-over-quarter increase that equates to about 14 mega-events a day. Segments of the botnet are openly leased as "chunks", allowing buyers to rent enough power to take down backbone connections or perhaps even national ISPs for mere hundreds or thousands of dollars apiece.

Cloudflare thwarted a total of 8.3 million DDoS attacks in the third quarter of 2025, a 15% increase from the prior quarter and 40% year-over-year, while marking the 2025 year-to-date total at 36.2 million - already 170% of all attacks recorded in 2024 and still one full quarter away. 

About 71% of Q3 attacks were network-layer traffic, which soared 87% QoQ and 95% YoY, while HTTP-layer events fell 41% QoQ and 17% YoY, indicating a strategic swing back to pure bandwidth and transport-layer exhaustion. The extremes are picked up the most: incidents over 100 Mpps jumped 189% QoQ, and those above 1 Tbps increased by 227%, though many ended within 10 minutes, too late for any effective intervention by manual actions or DDoS-on-demand mitigation programs.

Collateral damage continues to escalate as well. KrebsOnSecurity reports Aisuru-driven traffic has already caused severe outages at U.S. internet services not targeted as main victims. Cloudflare data shows Aisuru and actors like it have targeted telecoms, gaming, hosting, and financial services intensely. Information Technology and Services, telecoms, gambling and casinos are among the toughest hit sectors in Q3. 

Geopolitics and societal unrest are increasingly reflected in attack behavior. DDoS traffic against generative AI service providers jumped as high as 347% month-over-month in September, and DDoS attacks on mining, minerals and metals, and autos failed to lag as tensions escalated involving EV tariffs and China and the EU.

Indonesia continues as source number one for DDoS traffic, registering an astonishing 31,900% increase in HTTP DDoS requests since 2021, and there were sharp increases in Q3 2025 for the Maldives, France, and Belgium, reflecting massive protests and worker walkouts. China stayed the most‑targeted country, followed by Turkey and Germany, with the United States climbing to fifth and the Philippines showing the steepest rise within the top 10, underscoring how modern DDoS campaigns now track political flashpoints, public anger, and regulatory fights over AI and trade almost in real time.
Read more »
Microsoft security
Azure Azure Attack Botnet Botnet attack Cyber Attacks Microsoft Microsoft Azure Microsoft security

Aisuru Botnet Launches 15.72 Tbps DDoS Attack on Microsoft Azure Network

 

Microsoft has reported that its Azure platform recently experienced one of the largest distributed denial-of-service attacks recorded to date, attributed to the fast-growing Aisuru botnet. According to the company, the attack reached a staggering peak of 15.72 terabits per second and originated from more than 500,000 distinct IP addresses across multiple regions. The traffic surge consisted primarily of high-volume UDP floods and was directed toward a single public-facing Azure IP address located in Australia. At its height, the attack generated nearly 3.64 billion packets per second. 

Microsoft said the activity was linked to Aisuru, a botnet categorized in the same threat class as the well-known Turbo Mirai malware family. Like Mirai, Aisuru spreads by compromising vulnerable Internet of Things (IoT) hardware, including home routers and cameras, particularly those operating on residential internet service providers in the United States and additional countries. Azure Security senior product marketing manager Sean Whalen noted that the attack displayed limited source spoofing and used randomized ports, which ultimately made network tracing and provider-level mitigation more manageable. 

The same botnet has been connected to other record-setting cyber incidents in recent months. Cloudflare previously associated Aisuru with an attack that measured 22.2 Tbps and generated over 10.6 billion packets per second in September 2025, one of the highest traffic bursts observed in a short-duration DDoS event. Despite lasting only 40 seconds, that incident was comparable in bandwidth consumption to more than one million simultaneous 4K video streams. 

Within the same timeframe, researchers from Qi’anxin’s XLab division attributed another 11.5 Tbps attack to Aisuru and estimated the botnet was using around 300,000 infected devices. XLab’s reporting indicates rapid expansion earlier in 2025 after attackers compromised a TotoLink router firmware distribution server, resulting in the infection of approximately 100,000 additional devices. 

Industry reporting also suggests the botnet has targeted vulnerabilities in consumer equipment produced by major vendors, including D-Link, Linksys, Realtek-based systems, Zyxel hardware, and network equipment distributed through T-Mobile. 

The botnet’s growing presence has begun influencing unrelated systems such as DNS ranking services. Cybersecurity journalist Brian Krebs reported that Cloudflare removed several Aisuru-controlled domains from public ranking dashboards after they began appearing higher than widely used legitimate platforms. Cloudflare leadership confirmed that intentional traffic manipulation distorted ranking visibility, prompting new internal policies to suppress suspected malicious domain patterns. 

Cloudflare disclosed earlier this year that DDoS attacks across its network surged dramatically. The company recorded a 198% quarter-to-quarter rise and a 358% year-over-year increase, with more than 21.3 million attempted attacks against customers during 2024 and an additional 6.6 million incidents directed specifically at its own services during an extended multi-vector campaign.
Read more »
Palo Alto Networks
Botnet Botnet attack cryptocurrency mining Cyber Attacks Evasion Tactics Linux Linux Malware Linux Security Linux Servers Malware attacks Palo Alto Palo Alto Networks

Palo Alto Detects New Prometei Botnet Attacks Targeting Linux Servers

Cybersecurity analysts from Palo Alto Networks’ Unit 42 have reported a resurgence of the Prometei botnet, now actively targeting Linux systems with new, upgraded variants as of March 2025. Originally discovered in 2020 when it was aimed at Windows machines, Prometei has since expanded its reach. 

Its Linux-based malware strain has been in circulation since late 2020, but recent versions—designated as 3.x and 4.x—demonstrate significant upgrades in their attack capabilities. The latest Prometei malware samples are equipped with remote control functionality, domain generation algorithms (DGA) to ensure connection with attacker-controlled servers, and self-updating systems that help them remain undetected. This renewed activity highlights the botnet’s growing sophistication and persistent threat across global networks. 

At its core, Prometei is designed to secretly mine Monero cryptocurrency, draining the resources of infected devices. However, it also engages in credential harvesting and can download additional malicious software depending on the attacker’s goals. Its modular framework allows individual components to carry out specific tasks, including brute-force attacks, vulnerability exploitation (such as EternalBlue and SMB bugs), mining operations, and data exfiltration. 

The malware is typically delivered via HTTP GET requests from rogue URLs like hxxp://103.41.204[.]104/k.php. Prometei uses 64-bit Linux ELF binaries that extract and execute payloads directly in memory. These binaries also carry embedded configuration data in a JSON format, containing fields such as encryption keys and tracking identifiers, making them harder to analyze and block. 

Once a system is compromised, the malware collects extensive hardware and software information—CPU details, OS version, system uptime—and sends this back to its command-and-control (C2) servers, including addresses like hxxp://152.36.128[.]18/cgi-bin/p.cgi. Thanks to DGA and self-update features, Prometei ensures consistent communication with attacker infrastructure and adapts to security responses on the fly.  

To defend against these threats, Palo Alto Networks advises using advanced detection tools such as Cortex XDR, WildFire, and their Advanced Threat Prevention platform. These technologies utilize real-time analytics and machine learning to identify and contain threats. Organizations facing a breach can also contact Palo Alto’s Unit 42 incident response team for expert help. 

The activity observed from March to April 2025 underlines the continued evolution of the Prometei botnet and the growing risk it poses to businesses relying on Linux environments. Strengthening cybersecurity protocols and remaining alert to new threats is essential in today’s threat landscape.
Read more »
Vulnerabilities and Exploits
ASUS Routers Botnet GreyNoise Malicious Campaign Vulnerabilities and Exploits

Thousands of ASUS Routers Affected by Stealthy Persistent Backdoor

 

It seems like someone, possibly nation-state hackers, is building a botnet out of thousands of Asus routers that can withstand firmware patches and reboots. Researchers report that about 9,000 routers have been infiltrated, and the figure is still rising. 

GreyNoise, a security firm, warned on Tuesday that attackers utilise a combination of known and previously undisclosed vulnerabilities to attack routers, including a command injection vulnerability identified as CVE-2023-39780. The tradecraft involved implies "a well-resourced and highly capable adversary," maybe building an operable relay box. 

ORBs are a strategy used by advanced persistent threat groups, including intelligence agencies around the world, to conceal malicious behaviour by routing internet traffic through a network of compromised Internet of Things devices. One cybersecurity firm characterises them as the offspring of a VPN and a botnet.

GreyNoise discovered the effort on March 18 and named the technique employed to backdoor the routers "AyySSHush." The intrusion chain starts with brute-force login attempts and two authentication bypass methods with no corresponding CVEs. After gaining access, attackers use CVE-2023-39780 to activate a security mechanism included into Asus routers by TrendMicro. 

The functionality enables "Bandwidth SQLlite Logging," which lets perpetrators feed a string directly into a system() call. With that power, attackers can enable a secure shell and connect it to a TCP port, along with an attacker-controlled public key. That is the step that renders firmware updates ineffective against the hack. 

"Because this key was introduced using official ASUS features, the configuration change is retained across firmware upgrades. "If you've been exploited before, upgrading your firmware will NOT remove the SSH backdoor," Remacle warned. As of publication, Censys' search had identified 8,645 infected routers. 

ASUS addressed CVE-2023-39780 in recent firmware upgrades. However, machines compromised prior to patching may still contain the backdoor unless administrators verify SSH setups and remove the attacker's key from them. For potential compromises, GreyNoise recommends performing a full factory reset.
Read more »
Proxy
Botnet Brute Force Attacks Cyber Attacks IoT Proxy

2.8 million IP Addresses Being Leveraged in Brute Force Assault On VPNs

 

Almost 2.8 million IP addresses are being used in a massive brute force password attack that aims to guess the login credentials for a variety of networking devices, including those generated by Palo Alto Networks, Ivanti, and SonicWall.

A brute force assault occurs when an attacker attempts to repeatedly log into an account or device with many usernames and passwords until the correct combination is found. Once the malicious actors access the right credentials, they can use them to access a network or take control of a device.

The Shadowserver Foundation, a threat monitoring platform, reports that a brute force attack has been going on since last month, using around 2.8 million source IP addresses every day to carry out these attacks. Brazil accounts for the majority of them (1.1 million), with Turkey, Russia, Argentina, Morocco, and Mexico following closely behind. However, a very big range of countries of origin generally participate in the activity.

These are edge security equipment, such as firewalls, VPNs, gateways, and other security appliances, which are frequently exposed to the internet to allow remote access. The devices used in these attacks are predominantly MikroTik, Huawei, Cisco, Boa, and ZTE routers and IoTs, which are frequently hacked by big malware botnets. 

The Shadowserver Foundation stated to the local media outlet that the activity has persisted for some time but has recently escalated significantly. ShadowServer also indicated that the attacking IP addresses are distributed across various networks and Autonomous Systems, suggesting the involvement of a botnet or an operation linked to residential proxy networks. 

Residential proxies are IP addresses allocated to individual customers of Internet Service Providers (ISPs), rendering them highly desirable for cybercrime, data scraping, circumvention of geo-restrictions, ad verification, and ticket scalping, among other uses. 

These proxies redirect internet traffic over residential networks, giving the impression that the user is a typical home user rather than a bot, data scraper, or hacker. Gateway devices targeted by this activity may be utilised as proxy exit nodes in residential proxying operations, passing malicious traffic through an organization's enterprise network. These nodes are rated "high-quality" because the organisations have a good reputation and the assaults are more challenging to identify and stop. 

Changing the default admin password to a strong and distinct one, implementing multi-factor authentication (MFA), employing an allowlist of trustworthy IPs, and turning down web admin interfaces when not in use are some ways to defend edge devices against brute-forcing assaults. In the end, patching those devices with the most latest firmware and security upgrades is essential to eliminating flaws that threat actors could use to gain initial access.
Read more »
Vulnerabilities and Exploits
Botnet Cyberattacks CyberCrime Cybersecurity CyberThreat Cyberthreats DDOS Attacks IoT Vulnerabilities and Exploits

Understanding and Preventing Botnet Attacks: A Comprehensive Guide

 


Botnet attacks exploit a command-and-control model, enabling hackers to control infected devices, often referred to as "zombie bots," remotely. The strength of such an attack depends on the number of devices compromised by the hacker’s malware, making botnets a potent tool for large-scale cyberattacks.

Any device connected to the internet is at risk of becoming part of a botnet, especially if it lacks regular antivirus updates. According to CSO Online, botnets represent one of the most significant and rapidly growing cybersecurity threats. In the first half of 2022 alone, researchers detected 67 million botnet connections originating from over 600,000 unique IP addresses.

Botnet attacks typically involve compromising everyday devices like smartphones, smart thermostats, and webcams, giving attackers access to thousands of devices without the owners' knowledge. Once compromised, these devices can be used to launch spam campaigns, steal sensitive data, or execute Distributed Denial of Service (DDoS) attacks. The infamous Mirai botnet attack in October 2016 demonstrated the devastating potential of botnets, temporarily taking down major websites such as Twitter, CNN, Reddit, and Netflix by exploiting vulnerabilities in IoT devices.

The Lifecycle of a Botnet

Botnets are created through a structured process that typically involves five key steps:

  1. Infection: Malware spreads through phishing emails, infected downloads, or exploiting software vulnerabilities.
  2. Connection: Compromised devices connect to a command-and-control (C&C) server, allowing the botmaster to issue instructions.
  3. Assignment: Bots are tasked with specific activities like sending spam or launching DDoS attacks.
  4. Execution: Bots operate collectively to maximize the impact of their tasks.
  5. Reporting: Bots send updates back to the C&C server about their activities and outcomes.

These steps allow cybercriminals to exploit botnets for coordinated and anonymous attacks, making them a significant threat to individuals and organizations alike.

Signs of a Compromised Device

Recognizing a compromised device is crucial. Look out for the following warning signs:

  • Lagging or overheating when the device is not in use.
  • Unexpected spikes in internet usage.
  • Unfamiliar or abnormal software behavior.

If you suspect an infection, run a malware scan immediately and consider resetting the device to factory settings for a fresh start.

How to Protect Against Botnet Attacks

Safeguarding against botnets doesn’t require extensive technical expertise. Here are practical measures to enhance your cybersecurity:

Secure Your Home Network

  • Set strong, unique passwords and change default router settings after installation.
  • Enable WPA3 encryption and hide your network’s SSID.

Protect IoT Devices

  • Choose products from companies that offer regular security updates.
  • Disable unnecessary features like remote access and replace default passwords.

Account Security

  • Create strong passwords using a password manager to manage credentials securely.
  • Enable multi-factor authentication (MFA) for an added layer of security.

Stay Updated

  • Keep all software and firmware updated to patch vulnerabilities.
  • Enable automatic updates whenever possible.

Be Wary of Phishing

  • Verify communications directly with the source before providing sensitive information.
  • Avoid clicking on links or downloading attachments from untrusted sources.

Use Antivirus Software

  • Install reputable antivirus programs like Norton, McAfee, or free options like Avast.

Turn Off Devices When Not in Use

  • Disconnect smart devices like TVs, printers, and home assistants to minimize risks.

Organizations can mitigate botnet risks by deploying advanced endpoint protection, strengthening corporate cybersecurity systems, and staying vigilant against evolving threats. Implementing robust security measures ensures that businesses remain resilient against increasingly sophisticated botnet-driven cyberattacks.

Botnet attacks pose a serious threat to both individual and organizational cybersecurity. By adopting proactive and practical measures, users can significantly reduce the risk of becoming victims and contribute to a safer digital environment.

Read more »
Subscribe to: Comments (Atom)