Global Surge in Botnet Activity: Aisuru-Kimwolf Powers Record-Breaking Cyber Attacks Amid Rising IoT Threats

Botnets continue to dominate the cyber threat landscape due to their scalability, adaptability, and persistent exploitation of poorly secured systems. Recent data highlights a noticeable surge in botnet-related infrastructure and activity, particularly in the second half of 2025. According to industry observations, there has been a significant increase in command-and-control (C2) servers, reflecting both the expansion and resilience of these malicious networks.

This report explores the evolution of botnets with a strong focus on the Aisuru-Kimwolf ecosystem, while also examining foundational botnets like Mirai and its variants. It aims to provide both technical clarity and operational insight into how these threats function, spread, and persist.

[Figure] Top locations for the botnet (source: Pulsedive)

Understanding Botnets: A Practical Overview

At its core, a botnet is a network of compromised devices—often referred to as “bots”—that are remotely controlled by an attacker. These devices can range from personal computers to IoT devices like routers, smart TVs, and even home appliances.

Once infected, these systems become part of a larger coordinated network capable of executing tasks such as:

  • Distributed Denial-of-Service (DDoS) attacks
  • Credential stuffing and brute-force attacks
  • Spam and phishing campaigns
  • Proxying malicious traffic to obscure attacker identity

What makes botnets particularly dangerous is their distributed nature. Instead of relying on a single system, attackers leverage thousands—or even millions—of compromised devices, making detection and mitigation extremely challenging.


Recent Law Enforcement Activity

In March 2026, law enforcement agencies initiated disruption operations targeting multiple botnets, including Aisuru, Kimwolf, JackSkid, and Mossad. These actions were carried out across multiple countries, including Canada and Germany.

Investigators focused on dismantling command-and-control infrastructure, particularly virtual servers hosted on cloud platforms. Some of these servers were used to manage infected devices and coordinate large-scale attacks. This highlights a key trend: attackers increasingly rely on legitimate cloud infrastructure to host malicious operations.


Mirai: The Foundation of Modern Botnets

Mirai remains one of the most influential botnets in recent history. First identified in 2016, it specifically targets Internet of Things (IoT) devices running lightweight Linux-based systems.

How Mirai Works

Mirai spreads primarily through:

  • Exploiting known vulnerabilities
  • Using default or weak credentials

Once inside a device, it connects back to a central server and becomes part of the botnet.

Why Mirai Still Matters

The release of Mirai’s source code to the public changed everything. Since then, countless variants have emerged, each modifying and improving upon the original design.

Research has identified:

  • Over 21,000 malware samples
  • More than 100 distinct variant clusters

This open-source nature has allowed even low-skilled attackers to deploy powerful botnets, significantly lowering the barrier to entry in cybercrime.


Satori: A Fast-Spreading Mirai Variant

Satori is one of the more aggressive Mirai-based botnets. Discovered in 2017, it quickly infected over 260,000 devices.

Infection Method

Satori exploits vulnerabilities in networking devices, particularly routers. One notable example is a command injection flaw in certain D-Link devices.

Once exploited, the malware:

  1. Sends a crafted request to the device
  2. Downloads a malicious script
  3. Executes multiple payloads targeting different CPU architectures

This multi-architecture approach ensures a higher success rate, allowing the botnet to infect a wide variety of devices.


Aisuru-Kimwolf: A New Generation Botnet

Aisuru and its variant Kimwolf represent a more advanced and commercially driven botnet model.

Scale and Impact

These botnets have infected between 1 and 4 million devices globally. They are responsible for some of the largest DDoS attacks ever recorded, including:

  • 31.4 Tbps attack volume
  • 14.1 billion packets per second

Such scale demonstrates how botnets have evolved into industrial-grade attack platforms.


Technical Capabilities

Aisuru introduces several advanced features:

  • Packet randomization to evade detection
  • DNS TXT record usage for storing C2 server lists
  • Modular architecture for adaptability

These capabilities make it significantly harder for traditional security tools to identify and block malicious traffic.


Kimwolf: Android-Focused Expansion

Kimwolf is essentially a specialized version of Aisuru designed to target Android-based devices.

Target Devices

  • Smartphones
  • Smart TVs
  • Other Android-powered systems

With approximately 2 million infected devices, Kimwolf highlights the growing risk associated with mobile and IoT ecosystems.


Monetization and Criminal Ecosystem

Unlike earlier botnets that were primarily used by their creators, Aisuru-Kimwolf operates as a service.

Access to infected devices is sold through platforms like:

  • Telegram
  • Discord

Pricing depends on:

  • Attack duration
  • Target size

This “botnet-as-a-service” model reflects the increasing commercialization of cybercrime.


Use of Residential Proxies

One of the most interesting aspects of Kimwolf is its use of residential proxy networks.

These networks route traffic through real home IP addresses, making malicious activity appear legitimate.

One proxy service known to have been used in these operations is IPIDEA. By leveraging such infrastructure, attackers can:

  • Avoid detection
  • Bypass geo-restrictions
  • Blend in with normal user traffic

Following disruption efforts, there are indications that the botnet shifted to using decentralized networks like I2P (Invisible Internet Project), further complicating tracking efforts.


Kimwolf Script Behavior

Analysis of Kimwolf scripts reveals a structured infection process:

  • Downloading multiple APK files
  • Executing payloads automatically
  • Initiating background services

This automated approach ensures persistence and rapid propagation across devices.


Trends and Observations

Recent data suggests a sharp increase in botnet activity:

  • 26% growth in early 2025
  • 24% growth in late 2025

Interestingly, the United States has now surpassed China in hosting the largest number of botnet C2 servers. This shift indicates changing infrastructure preferences among threat actors.

A major contributing factor remains the continued exposure of vulnerable devices, especially home routers that are rarely updated or secured properly.


Mitigation Strategies

Reducing botnet impact requires a combination of technical controls and user awareness.

Recommended Measures

  • Deploy DDoS protection solutions to filter malicious traffic
  • Use protective DNS services to block suspicious domains
  • Regularly update and patch network devices
  • Replace default credentials with strong, unique passwords

These steps, while simple, can significantly reduce the attack surface.


Indicators of Compromise (IOCs)

The following domains are associated with Aisuru-Kimwolf activity:


These indicators can be used for threat hunting and detection across security platforms.
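As an added defender-side example (not part of the original report), the following Python script triages DNS resolver log lines against a defanged IOC list and also flags long, high-entropy TXT answers of the kind Aisuru is described above as using to distribute its C2 server lists. The IOC domains, the log format, the sample log lines and the detection thresholds are all constructed or assumed for illustration.

```python
import math
import re
from collections import Counter

# Constructed IOCs in the defanged "[.]" notation used in threat reports (placeholders, not real).
DEFANGED_IOCS = ["c2-list-example[.]invalid", "cdn-update[.]example-botnet[.]invalid"]
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed stand-in for an encoded C2 list served in a TXT record (96 high-entropy chars).
FAKE_BLOB = "".join(B64[(7 * i + 3) % 64] for i in range(96))
# Constructed resolver log in an assumed format: "<timestamp> <client> <qname> <qtype> <answer>".
SAMPLE_LOG = [
    "2025-11-03T10:15:42Z 10.0.0.23 update.c2-list-example.invalid A 203.0.113.10",
    '2025-11-03T10:15:43Z 10.0.0.23 mail.example.invalid TXT "v=spf1 include:_spf.example.invalid ~all"',
    '2025-11-03T10:15:44Z 10.0.0.45 nodes.unlisted-example.invalid TXT "' + FAKE_BLOB + '"',
]
LOG_RE = re.compile(r"^\S+ (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<answer>.*)$")

def refang(domain):
    """Turn 'a[.]b[.]c' back into 'a.b.c', lower-cased, without a trailing dot."""
    return domain.replace("[.]", ".").lower().rstrip(".")

def matches_ioc(qname, iocs):
    """Exact or subdomain match; the leading '.' stops 'notc2.example' matching 'c2.example'."""
    q = qname.lower().rstrip(".")
    return any(q == ioc or q.endswith("." + ioc) for ioc in iocs)

def shannon_entropy(s):
    """Bits per character: readable text sits near 4, random base64 near 6."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def suspicious_txt(answer, min_len=64, min_entropy=4.5):
    """Long, high-entropy TXT data looks like an encoded C2 list rather than SPF/DKIM text."""
    return len(answer) >= min_len and shannon_entropy(answer) >= min_entropy

def triage(log_lines, defanged_iocs=DEFANGED_IOCS):
    """Return (client, qname, reasons) for every log line that trips at least one rule."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        reasons = []
        if matches_ioc(m["qname"], iocs):
            reasons.append("ioc-domain")
        if m["qtype"] == "TXT" and suspicious_txt(m["answer"].strip('"')):
            reasons.append("suspicious-txt")
        if reasons:
            hits.append((m["client"], m["qname"], reasons))
    return hits
```

Run `triage(SAMPLE_LOG)` to see one hit for the subdomain of a listed IOC and one for the high-entropy TXT answer; the SPF record passes because it is short and low-entropy.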


Analyst Opinion

From an analytical standpoint, the evolution of botnets like Aisuru-Kimwolf reflects a broader transformation in cybercrime. What once started as relatively simple distributed attack tools has now matured into a full-fledged underground economy. The introduction of service-based models, where access to botnets is rented or sold, shows how cybercriminal operations are adopting business-like structures.

One of the most concerning developments is the targeting of everyday consumer devices. Unlike enterprise systems, which often have layered security defenses, home devices such as routers and smart TVs are typically neglected. Users rarely update firmware, and many continue using default credentials. This creates a massive pool of easily exploitable devices, effectively turning households into unwilling participants in global cyberattacks.

Another critical observation is the increasing use of legitimate infrastructure. Cloud platforms and residential proxy networks provide attackers with anonymity and resilience. By blending malicious traffic with normal user behavior, attackers significantly reduce the likelihood of detection. The shift toward decentralized communication systems like I2P further complicates law enforcement efforts, as these networks are inherently designed to resist surveillance.

The reuse and modification of open-source malware like Mirai also highlight a systemic issue. Once such code is released, it becomes nearly impossible to contain. Even if one variant is neutralized, countless others continue to emerge, each with slight improvements or changes.

In our view, the fight against botnets cannot rely solely on reactive measures. While takedown operations are important, they often address symptoms rather than root causes. A more effective approach would involve improving baseline security standards for consumer devices, enforcing stricter regulations on manufacturers, and increasing public awareness.

Ultimately, botnets thrive because of a combination of technical vulnerabilities and human behavior. Until both aspects are addressed, we can expect these threats to persist and evolve further.


Conclusion

Botnets are not going away anytime soon. Their ability to adapt, scale, and exploit weak points in global infrastructure makes them one of the most persistent cybersecurity challenges.

As demonstrated by Aisuru-Kimwolf and its predecessors, the combination of automation, commercialization, and anonymity is reshaping how these threats operate. Addressing them will require coordinated efforts across technology, policy, and user education.