ALL POSTS

Key Findings A new Linux botnet called SSHStalker has been discovered, leveraging IRC for command-and-control (C2) purposes The botnet combines old-school 2009-era Linux kernel exploits with automated mass-compromise techniques to infect around 7,000 systems, primarily cloud servers Unlike typical botnets focused on DDoS attacks or cryptocurrency mining, SSHStalker maintains persistent access without immediate follow-on activities, suggesting potential infrastructure staging

Key Findings The Aisuru/Kimwolf botnet launched a record-setting DDoS attack that peaked at 31.4 Tbps and 200 million requests per second. The attack was part of a broader campaign targeting multiple organizations, primarily in the telecommunications and IT sectors. Cloudflare automatically detected and mitigated the attack, which they dubbed "The Night Before Christmas" due to its timing in late December 2025. The Aisuru/Kimwolf botnet is a large-scale network of malware-inf

Key Findings The Kimwolf Android botnet has infected over 2 million devices, primarily through the exploitation of residential proxy networks. The botnet primarily targets low-cost, unofficial Android TV boxes that are left insecure or intentionally configured as proxy nodes. Kimwolf is believed to be an Android variant of the AISURU botnet, with connections to a series of record-setting DDoS attacks. The botnet uses a scanning infrastructure that leverages residential proxie

Key Findings The RondoDox botnet has been conducting a persistent nine-month campaign targeting IoT devices and web applications. The botnet has been exploiting the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability in Next.js and React Server Components (RSC) to achieve remote code execution on susceptible devices. There are about 90,300 instances that remain vulnerable to React2Shell globally, with the majority (68,400) located in the U.S. The R

Key Findings The RondoDox botnet is exploiting the critical React2Shell vulnerability (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. The RondoDox botnet has been active since 2024 and has evolved through three phases: reconnaissance and vulnerability testing, automated web application exploitation, and large-scale IoT botnet deployment. The botnet now runs hourly IoT exploitation waves targeting routers from vendors like Linksys and Wavli

Key Findings The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw in Digiever DS-2105 Pro network video recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2023-52163, has a CVSS score of 8.8 and allows post-authentication remote code execution through a case of command injection. CISA cited evidence of active exploitation of the flaw by threat actors to deliver botnets like Mirai and S

Key Findings The Kimwolf Android botnet has infected over 1.8 million devices globally, primarily targeting TV boxes It uses advanced techniques like DNS over TLS, elliptic curve digital signatures, and blockchain domains to evade detection The botnet is capable of massive DDoS attacks, issuing over 1.7 billion commands in a three-day period Kimwolf shares code with the Aisuru botnet family but has been heavily redesigned to avoid detection Background The Kimwolf botnet was f

Key Findings Cloudflare mitigated the largest ever distributed denial-of-service (DDoS) attack, measuring 29.7 terabits per second (Tbps) The attack originated from the AISURU DDoS botnet-for-hire, which has been linked to numerous high-volume DDoS attacks over the past year The 69-second attack did not disclose the target, but AISURU has targeted telecommunication providers, gaming companies, hosting providers, and financial services AISURU is believed to be powered by a mas

Key Findings Microsoft disclosed that it automatically detected and mitigated a 15.72 Tbps DDoS attack, the largest ever observed in the cloud, targeting a single endpoint in Australia. The attack originated from the AISURU botnet, a Mirai-class IoT botnet powered by nearly 300,000 infected devices, mainly routers, security cameras, and DVR systems. The attack involved massive UDP floods from over 500,000 source IPs across various regions, with minimal spoofing and random sou

Key Findings: RondoDox botnet malware is targeting unpatched XWiki instances to exploit a critical remote code execution vulnerability (CVE-2025-24893). The vulnerability, with a CVSS score of 9.8, allows any guest user to execute arbitrary code through a request to the "/bin/get/Main/SolrSearch" endpoint. The flaw was patched by XWiki in versions 15.10.11, 16.4.1, and 16.5.0RC1 released in late February 2025. Evidence shows the vulnerability has been exploited in the wild si