The Black Lotus Labs team at Lumen Technologies has null-routed more than 550 command-and-control (C2) servers belonging to the AISURU and Kimwolf botnets since early October 2025. Both botnets are known for commandeering consumer devices and using them in distributed denial-of-service (DDoS) attacks; Kimwolf in particular is built from compromised Android devices. Dropping traffic to the C2 nodes at the network level severs the bots from their operators, which blunts the DDoS campaigns they are rented out for. The caveat is that null-routing C2 infrastructure does not clean the infected devices: they remain compromised and can be re-enlisted if the operators stand up new C2 addresses, so owners still need to patch or replace vulnerable equipment. The action shows what network operators can do against such botnets and, at the same time, why vigilance by users of vulnerable devices remains necessary.
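As an added illustration of the null-routing idea (not Black Lotus Labs' tooling, which operates on Lumen's backbone rather than on a single host), the script below takes a list of suspected C2 addresses, vets it, and emits iproute2 blackhole routes for a Linux box. The input format (one address or CIDR prefix per line, `#` comments), the prefix-length limits, the deny list of internal ranges and the sample list itself are all assumptions made for the example; the sample uses documentation address ranges and is constructed, not a real C2 list.

```python
"""Vet a list of suspected C2 addresses and turn it into null-route commands.

Added illustration, not Black Lotus Labs' tooling: the input format (one
address or CIDR prefix per line, '#' comments) and the limits below are
assumptions. Lumen null-routed C2 on its backbone; this shows the same idea
on a single Linux host using iproute2 blackhole routes.
"""
import ipaddress

# Constructed sample list mixing valid, duplicate, overlapping and dangerous entries.
SAMPLE_C2_LIST = """\
203.0.113.10
203.0.113.10          # exact duplicate
203.0.113.0/24        # covers the address above
198.51.100.7
10.0.0.5              # RFC 1918: blackholing this on a managed host breaks things
127.0.0.1             # loopback
2001:db8::1
0.0.0.0/0             # would disconnect the host entirely
not-an-ip
"""

# Refuse anything broader than these; a fat-fingered /8 takes down far more than C2.
MAX_PREFIX_SPAN = {4: 24, 6: 48}

# Ranges that must never be blackholed on a host we still want to reach.
NEVER_BLACKHOLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def parse_entries(text):
    """Parse one address or prefix per line; returns (networks, rejected)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append((line, "unparseable"))
    return nets, rejected


def vet(nets):
    """Drop prefixes that are too broad or overlap internal/non-routable space."""
    keep, rejected = [], []
    for net in nets:
        if net.prefixlen < MAX_PREFIX_SPAN[net.version]:
            rejected.append((str(net), "prefix too broad"))
        elif any(net.overlaps(d) for d in NEVER_BLACKHOLE if d.version == net.version):
            rejected.append((str(net), "non-routable or internal range"))
        else:
            keep.append(net)
    return keep, rejected


def collapse(nets):
    """Merge duplicates and subsumed prefixes, one address family at a time."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out


def build_blackhole_commands(text):
    """Return (iproute2 commands, rejected entries with reasons)."""
    nets, rejected = parse_entries(text)
    nets, more_rejected = vet(nets)
    rejected.extend(more_rejected)
    cmds = []
    for net in collapse(nets):
        family = "-6 " if net.version == 6 else ""
        cmds.append(f"ip {family}route add blackhole {net}")
    return cmds, rejected


if __name__ == "__main__":
    commands, skipped = build_blackhole_commands(SAMPLE_C2_LIST)
    print("\n".join(commands))
    for entry, reason in skipped:
        print(f"# skipped {entry}: {reason}")
```

The script only prints the commands; run them by hand (as root) once you have reviewed the rejected entries. The two safeguards are the ones that matter in practice: a prefix-length ceiling so one bad line cannot blackhole a large part of the Internet, and a deny list so a C2 feed that happens to contain an internal address cannot cut the host off from its own network.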
Articles tagged "Botnet"
Found 21 articles
The GoBruteforcer botnet is targeting cryptocurrency and blockchain projects by brute-forcing weak passwords on servers that run outdated web technologies. Researchers have found that it spreads through automated server deployments that were left poorly secured, which puts many organizations in the crypto space at risk of unauthorized access. Researchers also suspect that some of these insecure setups were copied from AI-generated configuration examples, a reminder that generated defaults need to be reviewed before they reach production; affected companies should tighten their configurations and credential policies. Given the value of the assets involved, successful intrusions could mean financial losses and data breaches.
Researchers have identified an enhanced version of the GoBruteforcer botnet that is targeting more than 50,000 Linux servers. It brute-forces weak passwords and preys on servers whose configurations appear to have been generated by AI tools, which has made it easier for attackers to get in. The findings underline how inadequate server configuration leads to widespread compromise. With so many organizations relying on Linux servers, strong authentication (unique passwords at a minimum, key-based or MFA-backed access where the service supports it) is essential, and administrators should review their configurations rather than trusting generated defaults.
Infosecurity Magazine
The GoBruteforcer botnet is actively targeting unprotected Linux servers, in particular those exposing services such as FTP and MySQL to the Internet. The attacks rely on weak or default credentials, so hardening those services is the main defence: remove default and example accounts, enforce strong unique passwords, and avoid exposing database and file-transfer services directly to the Internet when they only need to be reachable internally. Researchers have observed a rise in these attacks, which lead to unauthorized access and potential data breaches, and the affected population includes any business running Linux servers with such services. The botnet's growth highlights the need for stronger authentication to protect sensitive data and server integrity.
A new wave of GoBruteforcer attacks targets cryptocurrency and blockchain projects by going after exposed databases. Researchers believe many of those databases were deployed from improperly configured templates, possibly AI-generated examples, leaving them open to brute-force attacks in which numerous password combinations are tried until one works. The focus on crypto and blockchain projects is especially concerning because of the high value of the assets and data involved. Companies in this space should make sure database servers are not reachable from the Internet without need, that default or example credentials have been replaced, and that failed-login activity is monitored, since the cost of a breach is significant.
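The GoBruteforcer entries above all come down to credential guessing against exposed FTP and MySQL services, so the detection a defender wants is a per-source failure counter with a sliding window, plus a higher-priority alert when a success follows a burst of failures. The script below is an added example, not part of the original reporting or of any vendor tooling. The log format is invented for the demo (real vsftpd and MySQL logs look different, so `LINE_RE`, an assumed name, must be adapted to your sources), and the sample log lines are constructed.

```python
"""Flag brute-force bursts and success-after-failures in constructed auth logs.

Added example, not part of the original reporting or of any vendor tooling.
The log format below is invented for the demo: real vsftpd and MySQL logs
look different, so adapt LINE_RE (an assumed name) to your own sources.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>ftp|mysql) (?P<event>auth-fail|auth-ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one fast attacker who eventually gets in, one benign
# user who mistypes a password, one slow attacker staying under the threshold.
SAMPLE_LOG = """\
2025-12-02T10:00:00Z ftp auth-fail user=admin src=198.51.100.23
2025-12-02T10:00:03Z ftp auth-fail user=ftp src=198.51.100.23
2025-12-02T10:00:05Z mysql auth-fail user=root src=198.51.100.23
2025-12-02T10:00:09Z mysql auth-fail user=root src=198.51.100.23
2025-12-02T10:00:12Z mysql auth-fail user=admin src=198.51.100.23
2025-12-02T10:00:15Z ftp auth-fail user=test src=198.51.100.23
2025-12-02T10:00:20Z mysql auth-ok user=root src=198.51.100.23
2025-12-02T10:01:00Z ftp auth-fail user=alice src=203.0.113.5
2025-12-02T10:04:00Z ftp auth-fail user=alice src=203.0.113.5
2025-12-02T10:04:10Z ftp auth-ok user=alice src=203.0.113.5
2025-12-02T10:10:00Z mysql auth-fail user=root src=192.0.2.77
2025-12-02T10:10:30Z mysql auth-fail user=root src=192.0.2.77
2025-12-02T10:11:00Z mysql auth-fail user=root src=192.0.2.77
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # 'Z' suffix is normalised so older Pythons' fromisoformat accept it.
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def detect(lines, window_s=60, threshold=5):
    """Sliding-window failure counter per source address.

    Emits a 'bruteforce' alert the first time a source reaches `threshold`
    failures within `window_s` seconds, and a 'likely_compromise' alert when a
    successful login follows such a burst, which is the event worth paging on.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user, service) failures
    flagged = set()
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["src"]]
        # Evict failures that have aged out of the window.
        while q and (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if rec["event"] == "auth-fail":
            q.append((rec["ts"], rec["user"], rec["service"]))
            if len(q) >= threshold and rec["src"] not in flagged:
                flagged.add(rec["src"])
                alerts.append({
                    "kind": "bruteforce", "src": rec["src"], "count": len(q),
                    "users": sorted({u for _, u, _ in q}),
                    "services": sorted({s for _, _, s in q}),
                })
        elif len(q) >= threshold:
            # A success right after a burst of failures: treat as compromise.
            alerts.append({
                "kind": "likely_compromise", "src": rec["src"],
                "user": rec["user"], "service": rec["service"],
                "prior_failures": len(q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two limits are visible in the sample itself. The slow attacker at 192.0.2.77 tries one password every 30 seconds and never trips a 60-second window at a threshold of 5, so a fixed short window needs to be paired with a longer-window counter or with rate limiting at the service. The counter is also keyed on source address, which a botnet spreads its guesses across; counting failures per target account (especially `root` and default accounts) catches password spraying that per-source counting misses.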
The Kimwolf Android botnet has grown to roughly 2 million devices. The botnet is closely tied to residential proxy networks: its operators profit by launching DDoS attacks, installing applications without the owner's consent, and selling the infected devices' bandwidth as residential proxy exits. That growth poses direct risks to device owners, whose hardware and connections are used without their knowledge, and to the Internet service providers and businesses that end up on the receiving end of the DDoS traffic or of abuse routed through the proxies. The situation highlights the ongoing difficulty of securing consumer and IoT devices and the need for users to keep them updated and under their own control.
Hackread – Cybersecurity News, Data Breaches, AI, and More
Operators of the RondoDox botnet are exploiting the React2Shell vulnerability in Next.js to take control of more than 90,000 unpatched devices and sites. RondoDox has previously compromised routers and smart cameras, and the new vector brings small-business websites built on Next.js into its reach. The campaign is especially concerning because it targets systems that often go without regular updates or security patches, which makes them easy to take over. Operators of affected devices and sites should update promptly; at this scale, unaddressed exposures could lead to widespread disruption.
The RondoDox botnet has been exploiting the React2Shell vulnerability to compromise Next.js servers since December. The flaw gives attackers unauthorized access to and control over unpatched systems, and the botnet's operators are weaponizing it to expand their foothold. Organizations running Next.js should update to patched versions promptly, verify that the servers actually deployed are running the fixed release rather than assuming so from a dependency file, and review those servers for signs of compromise, since the exploitation is ongoing.
The RondoDox botnet has been observed exploiting React2Shell (CVE-2025-55182), a serious vulnerability affecting Next.js servers, to compromise unpatched systems. Successful exploitation lets attackers drop malware and cryptominers on the server. Organizations running Next.js are targeted directly and should apply the security patches without delay. Beyond the risk to data integrity, a cryptominer on a compromised server consumes CPU and cloud resources, hurting performance and driving up costs for the victim.
The Kimwolf Android botnet has infected more than 1.8 million devices, according to researchers at XLab. The botnet, which is linked to the previously identified AISURU botnet, has issued more than 1.7 billion DDoS attack commands. Attacks at that scale can disrupt a wide range of online services, and the number of compromised devices underlines how exposed Android-based consumer hardware remains to malware. Users should keep their devices updated and secured so that they do not end up adding to the botnet.
A botnet named Kimwolf has compromised around 1.8 million Android-based devices, including TVs, set-top boxes, and tablets. Researchers from QiAnXin XLab report that it may be linked to the AISURU botnet. Kimwolf is built with the Android Native Development Kit (NDK), that is, as native code rather than as a regular Java or Kotlin app, and lets the attackers control the devices and point them at targets in large-scale DDoS attacks. The incident raises concerns about smart-device security, since many consumers do not realize that a TV or set-top box can be hijacked this way. Owners of such devices should keep them updated and take other steps to secure them against this kind of abuse.
A record-breaking DDoS attack powered by the AISURU botnet peaked at 29.7 Tbps. Cloudflare mitigated the attack, which illustrates the growing severity of DDoS threats and the need for robust defenses.
Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More
Cloudflare's Q3 2025 DDoS Threat Report highlights a DDoS attack of unprecedented scale launched by the AISURU botnet, reaching 29.7 Tbps. The surge in attack volume points to a growing threat landscape, with critical sectors among those affected, and underscores the need for stronger DDoS defenses.
Cloudflare mitigated a record 29.7 Tbps DDoS attack originating from the AISURU botnet; the attack lasted 69 seconds. It marks a significant escalation in the scale of DDoS threats and shows the ongoing challenge of absorbing such massive, short-lived bursts of traffic.
The Hacker News
Cloudflare has reported the largest DDoS attack ever recorded, at 29.7 Tbps, attributed to the AISURU botnet, which has been linked to several major attacks over the past year. The incident underscores the growing threat posed by botnets and the need for defenses able to absorb such high-volume attacks.