Mirai-Based Botnets Evolve Into Massive DDoS and Proxy Abuse Threat

The internet has seen a sharp rise in botnet-driven threats over the past year, with much of the activity tracing back to one of the most influential malware families in modern history — Mirai.

First discovered in 2016, Mirai was built to scan the internet for Internet of Things (IoT) devices running on ARC processors, which operate a stripped-down version of Linux.

Attackers gained access to these devices either by exploiting known security flaws or by logging in with default factory credentials that most users never change.

What started as a focused tool for launching DDoS attacks has since grown into a sprawling threat ecosystem with hundreds of active variants now targeting millions of devices worldwide.

The public release of Mirai’s source code opened the door for countless threat actors to build their own versions.

Spamhaus recorded a 26% increase in botnet command and control (C2) servers in the first half of 2025, followed by another 24% rise between July and December 2025.

That surge has pushed the United States past China as the country hosting the most botnet C2 servers, a rank China held since the third quarter of 2023.

The sheer scale of this growth reflects just how freely the Mirai codebase circulates among cybercriminals and how little effort it takes to spin up a new variant.

Top locations for botnet C2 servers (Source - Pulsedive)

Pulsedive researchers identified and tracked several active Mirai-based botnets, with Aisuru and Kimwolf emerging as the most destructive.

Together, these two variants — often referred to as Aisuru-Kimwolf — have compromised between one and four million hosts around the world.

Cloudflare documented that Aisuru-Kimwolf is behind some of the largest DDoS attacks ever recorded, including a 31.4 terabit-per-second flood and a 14.1 billion packet-per-second assault.

These numbers go well beyond anything earlier Mirai variants could produce and highlight just how dangerous the next generation of these botnets has become.

The many variants of Mirai (Source - Pulsedive)

The operators behind Aisuru-Kimwolf have turned their infrastructure into a criminal business, selling access to compromised devices through platforms like Discord and Telegram.

On March 19, 2026, the U.S. Department of Justice announced court-authorized disruption actions against the C2 servers supporting Aisuru, KimWolf, JackSkid, and Mossad botnets, with enforcement operations spanning Canada and Germany.

Beyond DDoS attacks, the botnets have been used to abuse residential proxy networks, routing attack traffic through IP addresses belonging to ordinary homeowners, making the activity far harder to trace. Despite the takedown efforts, these botnets continue to adapt and find new ways to stay operational.

Kimwolf’s Infection Mechanism and Infrastructure Evasion

Kimwolf is an Android-focused subvariant of Aisuru built to target mobile devices and Smart TVs.

It has infected approximately two million Android devices globally, leveraging the same DDoS capabilities as Aisuru but modified to work on Android systems.

Once a vulnerable device is reached, Kimwolf runs an install script that downloads .apk files from an attacker-controlled server. The script makes each file executable and runs them in sequence, targeting different CPU architectures to infect as many devices as possible.

Distribution of KimWolf IP addresses (Source - Pulsedive)

After Google and the DOJ disrupted the IPIDEA residential proxy infrastructure tied to Kimwolf, reports surfaced that the botnet had shifted to the Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize traffic.

This shift was a direct response to takedown pressure — I2P is far harder to monitor or shut down than conventional infrastructure.

The move underlines a clear pattern: these operators watch law enforcement actions closely and quickly reroute their operations the moment any disruption hits.

How KimWolf abuses residential proxy infrastructure (Source - Pulsedive)

Network providers often offer DDoS protection solutions that can detect and block bot-driven traffic, and organizations should take full advantage of these.

Protective DNS services can filter suspicious domain queries before they reach internal systems. Publicly accessible network devices, especially routers, should be patched consistently.

Default credentials on all networking equipment must be replaced with strong, unique passwords during initial setup and should never be left unchanged.


The post Mirai-Based Botnets Evolve Into Massive DDoS and Proxy Abuse Threat appeared first on Cyber Security News.