Full Report
The U.S. Department of Justice (DoJ) on Thursday announced the disruption of command-and-control (C2) infrastructure used by several Internet of Things (IoT) botnets like AISURU, Kimwolf, JackSkid, and Mossad as part of a court-authorized law enforcement operation. The effort also saw authorities from Canada and Germany targeting the operators behind these botnets, with a number of private
Analysis Summary
# Incident Report: Global Disruption of AISURU, Kimwolf, JackSkid, and Mossad Botnets
## Executive Summary
The U.S. Department of Justice (DoJ), in coordination with Canadian and German authorities, disrupted the command-and-control (C2) infrastructure of four major IoT botnets: AISURU, Kimwolf, JackSkid, and Mossad. These botnets, comprising over 3 million infected devices, were responsible for record-breaking DDoS attacks peaking at 31.4 Tbps and were operated under a "cybercrime-as-a-service" model. The operation dismantled a significant global threat that leveraged residential proxy networks to bypass traditional firewalls.
## Incident Details
- **Discovery Date:** November 2025 (Initial record-breaking attack detected)
- **Incident Date:** Ongoing through March 20, 2026 (Date of disruption announcement)
- **Affected Organization:** Global Internet Infrastructure, ISPs, and varying private enterprises.
- **Sector:** Technology / Critical Infrastructure / IoT
- **Geography:** Global (Infections and targets), with core investigations focused in U.S., Canada, and Germany.
## Timeline of Events
### Initial Access
- **Date/Time:** Late 2025 (Resurgence/Escalation)
- **Vector:** Exploitation of vulnerable IoT devices (off-brand Android TVs, DVRs, webcams, Wi-Fi routers).
- **Details:** Attackers exploited unpatched vulnerabilities and weak credentials to conscript devices into Mirai-variant botnets.
### Lateral Movement
- **Details:** Kimwolf used residential proxy networks to reach devices that are not directly exposed to the internet. A residential proxy exit node sits inside a household's LAN, so traffic relayed through it originates from behind the home router's NAT; from that vantage point the operators could scan and compromise neighbouring devices (e.g. off-brand Android TV boxes) that an internet-wide scan would never reach, and each newly infected device extended the same reach into its own local network.
### Data Exfiltration/Impact
- **Impact:** Used primarily for hyper-volumetric DDoS attacks. A record 31.4 Tbps attack was recorded in November 2025.
- **Secondary Impact:** Extortion attempts against victims to cease attacks.
### Detection & Response
- **Detection:** Security firms (Cloudflare, Akamai, AWS) identified record-breaking traffic spikes (30+ Tbps) and traced them to specific Mirai variants.
- **Response Actions:** A court-authorized law enforcement operation led by the DoJ, assisted by dozens of private-sector partners, to seize and disrupt C2 infrastructure.
## Attack Methodology
- **Initial Access:** Scanning for vulnerable IoT devices and exploiting "bottom-tier" Android-based streaming boxes.
- **Persistence:** Maintaining control over 3 million devices across various Mirai-based variants.
- **Discovery:** Scanning for devices "firewalled" from the open internet via residential proxies.
- **Lateral Movement:** Infiltrating local home networks via compromised IoT gateways.
- **Impact:** Hyper-volumetric DDoS (up to 300 million requests per second and 14 billion packets per second) and financial extortion.
## Impact Assessment
- **Financial:** Significant costs to ISPs and cloud providers for mitigation; extortion payments demanded from victims.
- **Data Breach:** None described; the impact was the compromise of roughly 3 million devices (including 2 million+ Android-based systems) rather than theft of data.
- **Operational:** Record-breaking service degradation (31.4 Tbps attacks) capable of crippling core internet infrastructure.
- **Reputational:** High public profile due to the scale and "record-breaking" nature of the attacks.
## Indicators of Compromise
- **File indicators:** Mirai-variant binary signatures (AISURU, Kimwolf, JackSkid, Mossad).
- **Behavioral indicators:**
- High-volume outbound UDP/TCP traffic from IoT devices.
- Unusual residential proxy traffic originating from off-brand Android TVs.
- Large bursts of application-layer requests (reported at up to 54 million requests per second, i.e. 54 Mrps).
## Response Actions
- **Containment:** Coordination with ISPs and cloud providers (AWS, Google, Cloudflare, etc.) to mitigate the attack traffic at their edges.
- **Eradication:** Court-authorized seizure and disruption of Command-and-Control (C2) domains and IP infrastructure.
- **Recovery:** Public attribution and identification of actors (e.g., Jacob Butler aka "Dort") to deter future operations.
## Lessons Learned
- **IoT Vulnerability:** Off-brand and "cheap" Android IoT devices remain a massive, unmanaged risk to global internet stability.
- **Proxy Exploitation:** Traditional firewalls are insufficient if attackers can pivot through residential proxy services to reach "protected" internal networks.
- **Collaboration Effectiveness:** Success was dependent on the massive scale of private-public partnership involving over 15 major tech companies.
## Recommendations
- **Device Hardening:** Change default credentials on all IoT devices (cameras, routers, DVRs).
- **Network Segmentation:** Place IoT devices on isolated VLANs to prevent lateral movement to sensitive home or business assets.
- **Firmware Management:** Ensure automatic updates are enabled; avoid purchasing off-brand IoT hardware that lacks a clear security support lifecycle.
- **Egress Monitoring:** Implement monitoring for unusual outbound traffic spikes from residential and small-business network segments.
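The behavioural indicators listed above and the egress-monitoring recommendation can be turned into concrete checks. The following Python is an added example, not code from the DoJ operation, the security firms named in this report, or any analysis of the botnets themselves. It parses constructed flow records (the format, the addresses, the port numbers and the thresholds are all assumptions) from an isolated IoT VLAN and flags three patterns: a sustained outbound packet flood toward a victim (DDoS participation), fan-out to many unrelated external hosts on many ports (residential-proxy style relaying), and a sweep of the trusted LAN from an IoT device (the lateral movement described for Kimwolf).

```python
"""Egress-anomaly checks over flow records from an IoT network segment.

Added example with constructed data; thresholds and addresses are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumed topology: IoT devices live on their own VLAN; any other RFC 1918
# address is the "trusted" LAN that an IoT device should never be scanning.
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed thresholds for a home / small-office uplink; tune per site.
WINDOW_SECONDS = 60
FLOOD_PPS = 2_000          # sustained outbound packets per second from one device
FANOUT_DESTINATIONS = 20   # distinct external hosts contacted in the window ...
FANOUT_PORTS = 5           # ... across at least this many destination ports
INTERNAL_SCAN_HOSTS = 10   # distinct trusted-LAN hosts contacted in the window


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated records: ts src dst sport dport proto packets octets."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, sport, dport, proto, pkts, octets = line.split()
        flows.append(Flow(int(ts), src, dst, int(sport), int(dport), proto.lower(), int(pkts), int(octets)))
    return flows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def analyze(flows: list[Flow]) -> dict[str, list[str]]:
    """Return {iot_source_ip: [finding, ...]} for IoT-segment flows in the first window."""
    if not flows:
        return {}
    t0 = min(f.ts for f in flows)
    window = [f for f in flows
              if f.ts - t0 < WINDOW_SECONDS and ipaddress.ip_address(f.src) in IOT_SEGMENT]

    out_packets, ext_dsts, ext_ports, int_dsts = defaultdict(int), defaultdict(set), defaultdict(set), defaultdict(set)
    for f in window:
        if is_internal(f.dst):
            int_dsts[f.src].add(f.dst)           # IoT device talking to the trusted LAN
        else:
            out_packets[f.src] += f.packets      # egress volume toward the internet
            ext_dsts[f.src].add(f.dst)
            ext_ports[f.src].add(f.dport)

    findings = defaultdict(list)
    for src in {f.src for f in window}:
        pps = out_packets[src] / WINDOW_SECONDS
        if pps >= FLOOD_PPS:
            findings[src].append(f"outbound flood: {pps:.0f} pps to {len(ext_dsts[src])} external host(s)")
        if len(ext_dsts[src]) >= FANOUT_DESTINATIONS and len(ext_ports[src]) >= FANOUT_PORTS:
            findings[src].append(f"proxy-like fan-out: {len(ext_dsts[src])} external hosts on {len(ext_ports[src])} ports")
        if len(int_dsts[src]) >= INTERNAL_SCAN_HOSTS:
            findings[src].append(f"internal scan: {len(int_dsts[src])} LAN hosts contacted")
    return dict(findings)


def build_sample_log() -> str:
    """Constructed flow records for one 60 s window (not captured traffic)."""
    t = 1_710_000_000
    lines = ["# ts src dst sport dport proto packets octets"]
    # 192.168.50.10: a well-behaved streaming box, two long-lived CDN sessions.
    lines += [f"{t + 1} 192.168.50.10 203.0.113.10 49152 443 tcp 400 512000",
              f"{t + 30} 192.168.50.10 203.0.113.11 49153 443 tcp 380 486000"]
    # 192.168.50.23: volumetric UDP flood against a single victim (300k packets in 60 s).
    lines += [f"{t + i * 5} 192.168.50.23 198.51.100.7 {40000 + i} 80 udp 30000 40500000" for i in range(10)]
    # 192.168.50.41: proxy-style fan-out to 24 unrelated external hosts on 6 ports ...
    ports = (80, 443, 8080, 8443, 1080, 3128)
    lines += [f"{t + i} 192.168.50.41 203.0.113.{100 + i} {50000 + i} {ports[i % 6]} tcp 20 9000" for i in range(24)]
    # ... followed by a sweep of 12 trusted-LAN hosts on one port (the port itself is arbitrary).
    lines += [f"{t + 40 + i} 192.168.50.41 192.168.1.{10 + i} {51000 + i} 23 tcp 3 180" for i in range(12)]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, notes in sorted(analyze(parse_flows(build_sample_log())).items()):
        print(src, *notes, sep="\n  ")
```

The three signals are deliberately independent: a flood participant usually hits one destination at very high packet rates, a proxy node touches many destinations at low volume, and a lateral scan never leaves the LAN at all, so a bandwidth-only alarm would miss the last two. Feed the functions from whatever produces per-flow records at the segment boundary (router NetFlow/IPFIX export, a firewall connection log, or a Zeek conn log) and keep the window short, since the Kimwolf-style pivot described above generates little traffic per host.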