Significant Increase in Botnet Threats
The past year has witnessed a substantial surge in botnet-fueled cyber threats, with a significant portion linked to the notorious Mirai malware family. Initially identified in 2016, Mirai was designed to exploit vulnerabilities in Internet of Things (IoT) devices, particularly those running a stripped-down version of Linux on ARC processors.
Cyber attackers capitalize on these devices by taking advantage of existing security flaws or using unchanged default factory credentials. Originally a tool for Distributed Denial of Service (DDoS) attacks, Mirai has since evolved, spawning numerous variants that target millions of devices globally.
Proliferation of Mirai Variants
The open-source release of Mirai’s code has enabled a multitude of cybercriminals to develop their own variants. Data from Spamhaus indicates a 26% increase in botnet command and control (C2) servers in the first half of 2025, followed by an additional 24% rise in the latter half of the year. This has resulted in the United States surpassing China as the leading host of botnet C2 servers, a position China held since 2023.
This proliferation underscores how easily the Mirai code is dispersed among cybercriminals and the minimal effort required to create new variants. Researchers from Pulsedive have identified several active Mirai-based botnets, with Aisuru and Kimwolf being particularly destructive.
Impact and Scale of Aisuru-Kimwolf Botnets
The Aisuru and Kimwolf variants, collectively known as Aisuru-Kimwolf, have compromised between one and four million hosts worldwide. According to Cloudflare, they are responsible for some of the largest recorded DDoS attacks, including a 31.4 terabit-per-second flood and a 14.1 billion packet-per-second assault, showcasing their formidable threat level.
The operators of Aisuru-Kimwolf have turned their network into a commercial enterprise, selling access to compromised devices via platforms like Discord and Telegram. Despite disruptions announced by the U.S. Department of Justice on March 19, 2026, these botnets continue to find new ways to operate.
Adaptive Strategies of Kimwolf Botnet
Kimwolf, a subvariant targeting Android devices and Smart TVs, has infected approximately two million mobile devices globally. It uses a DDoS strategy similar to Aisuru's but is optimized for Android systems, employing scripts to download and execute malicious files across various CPU architectures.
Following enforcement actions by Google and the DOJ, the botnet transitioned to the Invisible Internet Project (I2P), a decentralized, encrypted network that is more challenging to monitor or dismantle, reflecting its operators' adaptability to law enforcement pressure.
Enhancing Cyber Defense
Organizations can bolster their defenses by utilizing network providers’ DDoS protection services and implementing protective DNS services to block suspicious domain queries. Regularly updating network device firmware and replacing default credentials with strong passwords are crucial steps in preventing unauthorized access.
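The protective DNS control described above amounts to a policy applied to every query: refuse to resolve names on a blocklist (including their subdomains) and record which internal hosts keep asking for them, since those hosts are the ones most likely to need a firmware update or a credential reset. The following is an added illustration, not code from this article or from any of the vendors it cites; the blocklist entries, the dnsmasq-style log format and the RFC 5737 source addresses are all constructed for the example.

```python
import re
from collections import Counter

# Constructed blocklist of domains a protective DNS service would refuse to
# resolve. These are placeholder names for illustration, not real indicators.
BLOCKLIST = {"c2-example.invalid", "loader.example.net"}

# Constructed query log in a dnsmasq-like format; source addresses are from
# the RFC 5737 documentation range.
SAMPLE_LOG = """\
query[A] www.vendor-update.example from 192.0.2.10
query[A] c2-example.invalid from 192.0.2.10
query[A] cdn.loader.example.net from 192.0.2.44
query[AAAA] notloader.example.net from 192.0.2.44
query[A] c2-example.invalid from 192.0.2.44
query[A] time.nist.gov from 192.0.2.7
"""

QUERY_RE = re.compile(
    r"query\[(?P<qtype>\w+)\]\s+(?P<qname>\S+)\s+from\s+(?P<src>\S+)"
)


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname equals a blocklisted domain or is a subdomain of one.

    Matching is done on label boundaries, so 'notloader.example.net' does
    not match 'loader.example.net'. Trailing dots and case are normalized.
    """
    name = qname.rstrip(".").lower()
    for domain in blocklist:
        if name == domain or name.endswith("." + domain):
            return True
    return False


def evaluate_log(log_text, blocklist=BLOCKLIST):
    """Apply the blocklist to each query in the log.

    Returns (decisions, blocked_per_source): decisions is a list of
    (src, qname, 'BLOCK' | 'ALLOW'); blocked_per_source counts blocked
    queries per client address. Lines that do not parse are skipped.
    """
    decisions = []
    blocked_per_source = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        src, qname = m.group("src"), m.group("qname")
        action = "BLOCK" if is_blocked(qname, blocklist) else "ALLOW"
        decisions.append((src, qname, action))
        if action == "BLOCK":
            blocked_per_source[src] += 1
    return decisions, blocked_per_source


def repeat_offenders(blocked_per_source, threshold=2):
    """Client addresses whose blocked-query count reaches the threshold.

    These are the hosts to isolate and check for outdated firmware or
    unchanged default credentials.
    """
    return sorted(s for s, n in blocked_per_source.items() if n >= threshold)


if __name__ == "__main__":
    decisions, per_src = evaluate_log(SAMPLE_LOG)
    for src, qname, action in decisions:
        print(f"{action:5} {src:12} {qname}")
    print("repeat offenders:", repeat_offenders(per_src))
```

Run as-is, it blocks three of the six constructed queries and flags 192.0.2.44 as a repeat offender; the `notloader.example.net` line shows why suffix matching must respect label boundaries rather than plain string endings.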
