Full Report
The Aisuru, Kimwolf, JackSkid, and Mossad botnets had used clever techniques to worm into home networks, infecting more than 3 million devices in total, according to the US Justice Department.
Analysis Summary
# Incident Report: Multi-Botnet Takedown (Aisuru, Kimwolf, JackSkid, & Mossad)
## Executive Summary
U.S. law enforcement, in coordination with international partners, dismantled four massive IoT/Android botnets—Aisuru, Kimwolf, JackSkid, and Mossad—that had compromised over 3 million devices globally. These Mirai-variant botnets were used to launch record-breaking DDoS attacks, including a 31.4 Tbps attack in November 2025. The operation successfully disabled command-and-control (C2) infrastructure used to rent out "booter" services to criminal actors.
## Incident Details
- **Discovery Date:** Ongoing investigations culminated in October/November 2025
- **Incident Date:** Takedown announced March 19, 2026
- **Affected Organization:** Global internet infrastructure, gaming services (Minecraft), and cybersecurity journalists (Brian Krebs)
- **Sector:** Information Technology / IoT / Consumer Electronics
- **Geography:** Global (Command infrastructure targeted in US, Canada, and Germany)
## Timeline of Events
### Initial Access
- **Date/Time:** Fall 2025 (Peak activity)
- **Vector:** Exploitation of vulnerable IoT devices and Android-based appliances.
- **Details:** Attackers targeted DVRs, network appliances, webcams, smart TVs, and set-top boxes using Mirai-based code.
### Lateral Movement
- **Details:** The Kimwolf variant used "residential proxies" to pivot from infected consumer gadgets into private home networks: traffic relayed through the proxy on the compromised device arrives from inside the LAN, bypassing router-level protections and reaching other local devices that were never exposed to the internet.
### Data Exfiltration/Impact
- **Details:** The primary impact was not data theft but massive service disruption. Notable attacks exceeded 30 terabits per second (Tbps), enough to overwhelm legacy DDoS protections and disrupt connectivity for entire nations.
### Detection & Response
- **Detection:** Identified by Cloudflare and independent researchers following record-breaking DDoS volumes in Q4 2025.
- **Response:** Operation led by the US DOJ and Defense Criminal Investigative Service (DCIS) to seize C2 servers and target operators in Germany and Canada.
## Attack Methodology
- **Initial Access:** Exploiting weak credentials and unpatched vulnerabilities in IoT/Android firmware.
- **Persistence:** Firmware-level persistence on low-power devices.
- **Privilege Escalation:** Abuse of local-network trust via residential proxies: connections relayed through an infected device originate from a LAN address, which neighbouring devices typically treat as trusted and do not firewall or authenticate.
- **Defense Evasion:** Using residential IP addresses to blend malicious traffic with legitimate home user traffic.
- **Credential Access:** Brute-forcing default or weak administrative credentials on IoT devices.
- **Discovery:** Automated scanning for internet-connected appliances and local network reconnaissance.
- **Lateral Movement:** Pivoting from external-facing gadgets to internal home network devices.
- **Collection:** Aggregating infected devices into a "booter" service for hire.
- **Exfiltration:** N/A (Focused on resource hijacking).
- **Impact:** Distributed Denial of Service (DDoS) via high-volume traffic flooding.
## Impact Assessment
- **Financial:** Significant mitigation costs for targets; lost revenue for gaming services and ISPs.
- **Data Breach:** No data theft reported; the loss was integrity, with 3 million+ private devices running attacker-controlled code.
- **Operational:** Record-breaking 31.4 Tbps DDoS attacks causing total service outages.
- **Reputational:** Demonstrated the continued vulnerability of the global IoT ecosystem despite previous Mirai takedowns.
## Indicators of Compromise
- **Network:** High volumes of outbound traffic on non-standard ports; connections to known C2 infrastructure (indicators are shared in defanged form, for example `hxxp[://]aisuru-c2[.]net`, and refanged only when loaded into a matcher).
- **File:** Mirai-variant binary signatures in `/tmp` or ephemeral storage of IoT devices.
- **Behavioral:** Sudden spikes in residential upstream bandwidth usage; devices becoming unresponsive to user input.
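The three indicator classes above can be checked against ordinary router or flow-export records. The script below is an added example for this report, not code from the original page or from any of the investigating organisations: it parses a constructed NetFlow-like CSV, refangs a hypothetical indicator list (the hostname is the report's defanged placeholder, the IP is from the 203.0.113.0/24 documentation range), and applies a network rule (C2 contact), a behavioural rule (upstream bytes far above the device's own baseline) and a flood-shape rule (very many small packets to one destination and port). All device addresses, ports and byte counts are invented.

```python
"""Triage home-network flow records for Mirai-style botnet indicators.

Added example for this report, not code from the original page or from any
of the investigating organisations. The flow records, device addresses,
ports and the indicator list below are all constructed for illustration.
"""
import csv
import io
import statistics
from collections import defaultdict

# Hypothetical threat-intel list kept in the defanged form feeds usually use.
# The hostname is the report's defanged placeholder; the IP is from the
# 203.0.113.0/24 documentation range.
C2_INDICATORS_DEFANGED = {"hxxp[://]aisuru-c2[.]net", "203[.]0[.]113[.]45"}

# Constructed NetFlow/IPFIX-like export: one row per (device, destination)
# per 60-second bin. 192.168.1.50 is a webcam, 192.168.1.60 a smart TV.
SAMPLE_FLOWS = """\
bin,src,dst,dst_host,proto,dport,bytes_out,pkts_out
1,192.168.1.50,198.51.100.10,cloud.example-cam.net,tcp,443,18432,60
1,192.168.1.60,198.51.100.20,cdn.example-tv.net,tcp,443,9216,30
2,192.168.1.50,198.51.100.10,cloud.example-cam.net,tcp,443,17920,58
2,192.168.1.60,198.51.100.20,cdn.example-tv.net,tcp,443,10240,34
3,192.168.1.50,198.51.100.10,cloud.example-cam.net,tcp,443,19456,62
3,192.168.1.60,198.51.100.20,cdn.example-tv.net,tcp,443,8704,28
4,192.168.1.50,203.0.113.45,aisuru-c2.net,tcp,6969,512,8
4,192.168.1.50,198.51.100.10,cloud.example-cam.net,tcp,443,18944,61
4,192.168.1.60,198.51.100.20,cdn.example-tv.net,tcp,443,9728,32
5,192.168.1.50,203.0.113.99,,udp,25565,47185920,368640
5,192.168.1.60,198.51.100.20,cdn.example-tv.net,tcp,443,9216,30
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp[://]host[.]tld) back into a host/IP."""
    ind = indicator.strip().lower().replace("[://]", "://").replace("[.]", ".")
    if "://" in ind:
        ind = ind.split("://", 1)[1]
    return ind.split("/", 1)[0]


def parse_flows(text: str) -> list[dict]:
    """Parse the CSV export into typed records."""
    ints = ("bin", "dport", "bytes_out", "pkts_out")
    return [{k: (int(v) if k in ints else v) for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def find_c2_contacts(flows: list[dict], indicators=C2_INDICATORS_DEFANGED) -> list[dict]:
    """Network IoC: any flow whose destination IP or resolved name is listed."""
    bad = {refang(i) for i in indicators}
    return [{"rule": "c2_contact", "src": f["src"], "bin": f["bin"],
             "dst": f["dst"], "dst_host": f["dst_host"]}
            for f in flows if f["dst"] in bad or f["dst_host"].lower() in bad]


def find_upstream_spikes(flows: list[dict], factor: float = 10.0,
                         min_bytes: int = 1_000_000) -> list[dict]:
    """Behavioural IoC: a bin where a device's upstream bytes exceed
    `factor` times the median of its earlier, unflagged bins."""
    per_device: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_device[f["src"]][f["bin"]] += f["bytes_out"]
    findings = []
    for src, bins in per_device.items():
        history: list[int] = []
        for b in sorted(bins):
            total = bins[b]
            if (len(history) >= 3 and total >= min_bytes
                    and total > factor * statistics.median(history)):
                findings.append({"rule": "upstream_spike", "src": src, "bin": b,
                                 "bytes": total,
                                 "baseline": statistics.median(history)})
                continue  # keep the attack bin out of the baseline
            history.append(total)
    return findings


def find_flood_signature(flows: list[dict], min_pkts: int = 100_000,
                         max_avg_bytes: int = 200) -> list[dict]:
    """Volumetric-flood shape: a very high count of small packets to a single
    destination and port within one bin."""
    return [{"rule": "flood_signature", "src": f["src"], "bin": f["bin"],
             "dst": f["dst"], "dport": f["dport"], "pkts": f["pkts_out"],
             "avg_bytes": f["bytes_out"] // f["pkts_out"]}
            for f in flows
            if f["pkts_out"] >= min_pkts
            and f["bytes_out"] / f["pkts_out"] <= max_avg_bytes]


def triage(flows: list[dict]) -> dict[str, set[str]]:
    """Map each device to the set of rules it tripped."""
    hits: dict[str, set[str]] = defaultdict(set)
    for finding in (find_c2_contacts(flows) + find_upstream_spikes(flows)
                    + find_flood_signature(flows)):
        hits[finding["src"]].add(finding["rule"])
    return dict(hits)


if __name__ == "__main__":
    for device, rules in triage(parse_flows(SAMPLE_FLOWS)).items():
        print(device, sorted(rules))
```

In the constructed data the webcam trips all three rules while the smart TV trips none: the baseline is computed per device from its own history, so a chatty-but-normal device is not flagged, and the flagged bin is excluded from the baseline so a sustained flood does not become the new normal. The thresholds (10x the median, 1 MB minimum, 100k packets of 200 bytes or less) are starting points to tune against real export intervals.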
## Response Actions
- **Containment:** Sinkholing C2 domains and seizing physical server infrastructure.
- **Eradication:** Disruption of the communication chain between the malware and the controllers.
- **Recovery:** Public notification of the takedown to allow ISPs and consumers to reboot and patch devices.
## Lessons Learned
- **IoT Proliferation:** The "residential proxy" technique shows that devices never exposed to the internet are still at risk once any one device on the same LAN is compromised.
- **Scale of Attacks:** DDoS capabilities have tripled in under two years, outpacing some legacy cloud defense solutions.
- **Code Longevity:** The Mirai source code (released in 2016) continues to be the foundation for the most disruptive modern botnets a decade later.
## Recommendations
- **Device Hardening:** Change default passwords on all IoT devices immediately upon installation, and disable remote-management services (for example Telnet) that are not needed.
- **Network Segmentation:** Place IoT devices (Webcams, Smart TVs) on a separate VLAN from sensitive home/office computers.
- **Firmware Management:** Ensure automatic updates are enabled for routers and network appliances to patch known vulnerabilities used by Mirai variants.
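The segmentation recommendation is only as good as the forwarding rules between the two segments. The script below is an added example, not configuration from the original page or from any vendor: it expresses the IoT-VLAN policy once as data, renders it as an nftables forward chain, and evaluates the same policy against sample packets so the intent (IoT may reach the internet and answer LAN-initiated connections, but may not initiate anything toward the LAN, and may not scan the internet on the Telnet ports Mirai-style brute-forcing uses) can be checked before it is loaded. Interface names lan0/iot0/wan0, the table name and the LAN-to-IoT cast ports 8008/8009 are assumptions, and the evaluator is a simplified first-match model of an nftables chain, not nftables itself.

```python
"""Render and sanity-check an IoT-VLAN isolation policy.

Added example for this report, not configuration from the original page or
from any vendor. Interface names lan0/iot0/wan0, the cast ports 8008/8009
and the table name are assumptions; the evaluator below is a simplified
first-match model of an nftables forward chain, not nftables itself.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    iif: str | None = None            # ingress interface (iifname)
    oif: str | None = None            # egress interface (oifname)
    proto: str | None = None          # "tcp"/"udp" when dports is set
    dports: frozenset = frozenset()   # destination ports, empty = any
    established: bool = False         # only ct state established,related

    def matches(self, pkt: dict) -> bool:
        if self.established and not pkt.get("established", False):
            return False
        if self.iif and pkt["iif"] != self.iif:
            return False
        if self.oif and pkt["oif"] != self.oif:
            return False
        if self.dports and (pkt.get("proto") != self.proto
                            or pkt.get("dport") not in self.dports):
            return False
        return True

    def render(self) -> str:
        parts = []
        if self.established:
            parts.append("ct state established,related")
        if self.iif:
            parts.append(f'iifname "{self.iif}"')
        if self.oif:
            parts.append(f'oifname "{self.oif}"')
        if self.dports:
            ports = ", ".join(str(p) for p in sorted(self.dports))
            parts.append(f"{self.proto} dport {{ {ports} }}")
        parts.append(f"counter {self.action}")
        return " ".join(parts)


# Weak setting: a flat network where every device can reach every other.
# (On a single L2 segment there is no forward hook at all; one blanket
# accept is the closest model of that trust relationship.)
FLAT_POLICY = [Rule("accept")]


def iot_isolation_policy(lan="lan0", iot="iot0", wan="wan0",
                         lan_to_iot_tcp=(8008, 8009)) -> list[Rule]:
    """Corrected setting: IoT devices may talk to the internet and answer
    LAN-initiated connections, but may not initiate anything toward the LAN.
    Telnet towards the internet is dropped so an infected device cannot
    join Mirai-style credential scanning of other people's devices."""
    return [
        Rule("accept", established=True),
        Rule("accept", iif=lan, oif=iot, proto="tcp", dports=frozenset(lan_to_iot_tcp)),
        Rule("accept", iif=lan, oif=wan),
        Rule("drop", iif=iot, oif=wan, proto="tcp", dports=frozenset({23, 2323})),
        Rule("accept", iif=iot, oif=wan),
        Rule("drop", iif=iot, oif=lan),
    ]


def render_nft(rules: list[Rule], table: str = "home_segmentation") -> str:
    """Emit an nftables ruleset; validate with `nft -c -f FILE` before loading."""
    body = "\n".join("        " + r.render() for r in rules)
    return (f"table inet {table} {{\n"
            "    chain forward {\n"
            "        type filter hook forward priority 0; policy drop;\n"
            f"{body}\n"
            "    }\n"
            "}")


def verdict(rules: list[Rule], pkt: dict) -> str:
    """First matching rule wins; the chain policy (drop) applies otherwise."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


if __name__ == "__main__":
    print(render_nft(iot_isolation_policy()))
    pivot = {"iif": "iot0", "oif": "lan0", "proto": "tcp", "dport": 445, "established": False}
    print("flat:", verdict(FLAT_POLICY, pivot),
          "segmented:", verdict(iot_isolation_policy(), pivot))
```

The `counter` on the final IoT-to-LAN drop and on the Telnet drop is deliberate: a non-zero count on either is itself a cheap indicator that a device on the IoT segment has started probing, which is exactly the lateral-movement step described in the incident. Keep the policy as data and render from it so the checks and the deployed ruleset cannot drift apart.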