Global law enforcement operation targets AISURU, Kimwolf, JackSkid botnet operators

DoJ disrupted IoT botnets’ C2 infrastructure with global partners, targeting operators behind AISURU, Kimwolf, JackSkid, and others.

The U.S. DoJ disrupted command-and-control infrastructure used by several IoT botnets, including AISURU, Kimwolf, JackSkid, and Mossad. The operation involved authorities from Canada and Germany, along with major tech companies, to target botnet operators and weaken their global cybercrime activities.

“The U.S. Justice Department participated in a court-authorized law enforcement operation today to disrupt Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad Internet of Things (IoT) botnets.” reads the press release published by DoJ.

“The operation was conducted simultaneously to law enforcement actions conducted in Canada and Germany, which targeted individuals who operated these botnets. The four botnets launched Distributed Denial of Service (DDoS) attacks targeting victims around the world. Some of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks.”

U.S. authorities seized domains, servers, and infrastructure used in cybercrime, including DDoS attacks targeting Department of Defense systems. The disrupted botnets had infected over 3 million devices worldwide, mainly IoT like cameras and routers, often bypassing firewall protections. Operators used a “cybercrime-as-a-service” model, renting access to these hijacked devices to launch large-scale DDoS attacks globally.

Victims reported heavy losses from DDoS attacks, with criminals launching hundreds of thousands of attacks and sometimes demanding extortion payments. The Aisuru botnet was used to launch over 200,000 attack commands, JackSkid 90,000, KimWolf 25,000, and Mossad over 1,000. The joint international operation aims to disrupt these botnets, stop further infections, and prevent future attacks.

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office. “This operation reflects the strength of that collaboration and our shared commitment to combatting cybercrime and protecting victims worldwide.”

The AISURU/Kimwolf botnet was linked to a record-breaking DDoS attack that peaked at 31.4 Tbps and lasted just 35 seconds. Cloudflare said the November 2025 incident was part of a surge in hyper-volumetric HTTP DDoS attacks observed in late 2025, all automatically detected and mitigated.

Acting as a DDoS-for-hire service, Aisuru avoids government and military targets, but broadband providers faced serious disruptions from attacks exceeding 1.5Tb/sec from infected customer devices.

Like other TurboMirai botnets, Aisuru incorporates additional dedicated DDoS attack capabilities and multi-use functions, enabling operators to carry out other illicit activities, including credential stuffing, artificial intelligence (AI)-driven web scraping, spamming, and phishing.

Attacks use UDP, TCP, and GRE floods with medium-sized packets and randomized ports/flags. Over 1Tb/sec traffic from compromised CPEs disrupts broadband, and 4gpps+ floods have caused router line card failures.

Kimwolf is a newly discovered Android botnet linked to the Aisuru botnet that has infected over 1.8 million devices and issued more than 1.7 billion DDoS attack commands, according to XLab.

The Kimwol Android botnet primarily targets TV boxes, compiled using the NDK and equipped with DDoS, proxy forwarding, reverse shell, and file management functions. It encrypts sensitive data with a simple Stack XOR, uses DNS over TLS to hide communication, and authenticates C2 commands with elliptic curve digital signatures. Recent versions even incorporate EtherHiding to resist takedowns via blockchain domains.

Kimwolf follows a naming pattern of “niggabox + v[number]”; versions v4 and v5 have been tracked. By taking over one C2 domain, researchers observed around 2.7 million IPs interacting over three days, indicating a likely infection scale exceeding 1.8 million devices. Its infrastructure spans multiple C2s, global time zones, and versions, making it hard to estimate the total number of infections.

The botnet borrows the code from the Aisuru family, however, operators redesigned it to evade detection. Its primary function is traffic proxying, though it can execute massive DDoS attacks, as seen in a three-day period issuing 1.7 billion commands between November 19 and 22.

In Q4 2025, the largest DDoS attacks mainly targeted Cloudflare customers in the Telecommunications, Service Providers, and Carriers sector, followed by Gaming and Generative AI services. Cloudflare’s own infrastructure was also attacked using HTTP floods, DNS attacks, and UDP floods. Globally, China, the United States, Germany, and Brazil remained among the most targeted countries, while Hong Kong and especially the United Kingdom saw sharp increases in attacks.

Most DDoS attacks in Q4 2025 originated from IPs linked to major cloud platforms like DigitalOcean, Microsoft, Tencent, Oracle, and Hetzner, mostly in the U.S. Telcos in Asia-Pacific also contributed. Attacks are global, using thousands of source networks. Cloudflare offers a free DDoS Botnet Threat Feed, with 800+ networks collaborating to identify and shut down abusive IPs.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)