Malware Brief: New wave of botnets driving DDoS chaos

How botnets are fueling a new era of relentless DDoS attacks

Key takeaways

• Three major botnets — Kimwolf, Aisuru and Mirai (and its variants) — are driving a surge in highly automated DDoS attacks.
• Attackers increasingly exploit insecure IoT and household devices, including unauthorized Android TV streaming boxes in Kimwolf campaigns.
• Botnets use adaptive attack patterns, mass exploitation pipelines and stealthy communication mechanisms.
• The core issue: a global supply chain of devices with weak defaults, outdated firmware and inconsistent security practices.

The botnet ecosystem continues to evolve rapidly, fueled by a flood of poorly secured consumer and small‑office hardware. Everything from routers and webcams to unauthorized Android TV streaming devices — often shipped with unvetted apps or hidden remote‑access features — has become part of a global substrate powering persistent DDoS operations.

Here are three of the most dominant threats in today’s environment.

Kimwolf: A stealthy botnet infiltrating corporate and government networks

Type: Botnet, DDoS

Malware: Kimwolf

Spread: Compromised IoT devices, household equipment, unauthorized Android streaming boxes

Vector: Supply‑chain weaknesses in consumer and small‑office tech

Target: Corporate, government and municipal networks

Active since: 2025

The Kimwolf botnet has quietly embedded itself in corporate, government and municipal environments. As Krebs on Security reported, “Kimwolf lurks inside everyday office equipment and home routers that were never hardened for enterprise‑level exposure.”

Additional reporting shows Kimwolf using stealthy communication channels that shift dynamically to evade detection.

A notable vector in Kimwolf’s spread involves unauthorized or cloned Android TV devices, which sometimes ship with pre‑installed malware or insecure remote‑access components. Once connected to a home or small‑office network, they expose remote shells or management interfaces that attackers can easily weaponize.

Within enterprise networks, compromised devices act as durable footholds, enabling lateral movement and converting internal infrastructure into unwilling participants in large‑scale DDoS campaigns.

Aisuru: The predecessor that set global DDoS records

Type: Botnet, DDoS

Malware: Aisuru

Spread: Automated scanning and exploitation of vulnerable IoT devices

Vector: Weak authentication, outdated firmware and insecure supply‑chain defaults

Target: Consumer and enterprise networks globally

Active since: 2024

Before Kimwolf, Aisuru showcased how destructive automated IoT exploitation can be. According to Cybersecurity Dive, Aisuru drove multiple record‑setting DDoS attacks, including a campaign where “traffic volumes exceeded previous global peaks by a significant margin.”

Aisuru rapidly compromises predictable device models — often low‑end IoT hardware with outdated firmware — infecting thousands of devices within hours. These compromised nodes generate massive volumetric floods, rotate attack vectors dynamically and overwhelm global mitigation systems.

One hallmark Aisuru campaign targeted multiple service providers at once, shifting load in real time as defenders attempted mitigation. Cloudflare’s Q325 threat analysis explores this broader escalation in DDoS scale and sophistication.

Mirai and the new generation of IoT botnet variants

Type: Botnet, DDoS

Malware: Mirai and modern variants (e.g., Satori, Mozi remnants, Katana)

Spread: Automated exploitation of insecure IoT devices

Vector: Default credentials, unpatched firmware, exposed services (Telnet/SSH/HTTP APIs)

Target: ISPs, hosting providers, gaming platforms, enterprise edge networks

Active since: 2016 (with major variants active through 2025)

Nearly a decade after its debut, Mirai remains one of the most persistent and widely adapted botnet families on the internet. Its endurance is driven by the massive, ever‑renewing supply of insecure IoT devices — routers, DVRs, smart cameras, and low‑cost appliances shipped with outdated firmware and guessable credentials.

Modern Mirai variants have expanded far beyond the original open‑source botnet. Strains such as Katana, Satori and other emerging forks now include:

• Large exploit libraries targeting dozens of IoT vulnerabilities at once
• Faster propagation engines capable of compromising thousands of devices per hour
• Evasive command-and-control techniques, including domain‑fluxing and encrypted command channels
• Self‑updating modules, allowing attackers to rapidly push new exploits as they appear.

Researchers note that many Mirai‑infected devices suffer from neglected firmware lifecycles, meaning they rarely receive patches — resulting in a long‑lived pool of vulnerable nodes powering sustained DDoS activity.

Final thoughts

The growth in botnets such as Kimwolf, Aisuru and Mirai underscores a critical truth: The global supply chain for household and IoT devices is now a central battleground for DDoS operations.

Attackers benefit from an endless supply of insecure hardware:

• Cheap IoT devices with predictable configurations
• Household equipment with exposed management interfaces
• Devices that rarely receive firmware updates
• Vendor ecosystems with weak defaults and inconsistent testing

For defenders, the mandate is clear: treat every network‑connected device, no matter how small, inexpensive or “consumer‑grade,” as a potential foothold for botnet operators.