JackSkid
JackSkid is an Internet of Things (IoT) botnet used to conduct distributed denial-of-service (DDoS) attacks. In March 2026, U.S., German, and Canadian authorities disrupted command-and-control infrastructure associated with JackSkid alongside the related botnets Aisuru, KimWolf, and Mossad. Across reporting, these four botnets were assessed to have infected more than 3 million devices worldwide and to have launched hundreds of thousands of DDoS attacks collectively; court documents attributed more than 90,000 DDoS attack commands to JackSkid specifically. Reported infected device types in the broader cluster included routers, DVRs, IP cameras, webcams, and Wi-Fi routers, and JackSkid was specifically described as targeting devices that are traditionally firewalled or otherwise shielded from direct internet exposure. The operators used a cybercrime-as-a-service model, selling access to infected devices to other criminals for DDoS activity, and some attacks in this ecosystem targeted Department of Defense Information Network IP space. High-confidence reporting links JackSkid to the same multinational law-enforcement action and victim pool as Aisuru, KimWolf, and Mossad, but the available reporting does not include deeper technical details on JackSkid malware internals, propagation method, or specific indicators of compromise.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (4 techniques)
The disruption itself focused on seizing domains and backend systems used to coordinate the botnets, effectively cutting off the instructions that tell infected devices where and when to send traffic.
KimWolf and JackSkid targeted devices designed to be shielded from direct internet exposure, compromising and bringing them under the control of their operators.
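The summary above and the two Resource Development notes describe the defender-visible shape of this cluster: devices on segments meant to be shielded from the internet are enslaved, rented out, and told by a C2 to flood a target; once the C2 domains are seized, the infected devices keep trying to reach them. The following Python script is an added example, not code from the page or from Mallory, showing how both signals can be pulled out of ordinary flow and resolver logs. The IoT subnet, the packet-rate threshold, and the C2 domain are assumptions; the flow rows and DNS lines are constructed, and the domain is a placeholder because the page lists no JackSkid indicators.

```python
"""Flag IoT hosts that look like they are taking part in an outbound DDoS flood
or resolving a botnet C2 name. Added example; all records below are constructed
and the C2 domain is a placeholder, not a real JackSkid indicator."""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the camera/DVR/router VLAN lives in this range.
IOT_SEGMENT = ip_network("10.20.0.0/16")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Placeholder only; the page names no JackSkid C2 domains.
C2_DOMAINS = {"c2-placeholder.example"}
# Packets per second from one IoT host to one external address; tune to your baseline.
PPS_THRESHOLD = 500

# Constructed flow export, one row per (second, src, dst, proto) bucket.
SAMPLE_FLOWS = """\
ts,src,dst,proto,pkts,bytes
2026-03-01T10:00:00,10.20.1.5,203.0.113.9,udp,40000,2560000
2026-03-01T10:00:00,10.20.1.5,203.0.113.9,udp,39000,2496000
2026-03-01T10:00:01,10.20.1.5,203.0.113.9,udp,81000,5184000
2026-03-01T10:00:00,10.20.1.7,198.51.100.4,tcp,12,9000
2026-03-01T10:00:00,10.20.1.9,10.20.0.1,udp,900,90000
2026-03-01T10:00:00,10.9.0.3,203.0.113.9,udp,70000,4480000
"""

# Constructed resolver log: timestamp, client, query type, name.
SAMPLE_DNS = """\
2026-03-01T09:59:58 10.20.1.5 A c2-placeholder.example
2026-03-01T09:59:59 10.20.1.7 A time.example.net
2026-03-01T10:00:30 10.20.1.5 A C2-Placeholder.example
"""


def is_internal(ip: str) -> bool:
    """RFC 1918 check done explicitly: Python's is_private also matches the
    documentation ranges (203.0.113.0/24 etc.) used as 'external' here."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flows(text: str):
    """Sum packet counts per (second, src, dst), merging rows the exporter split."""
    counts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(text)):
        counts[(row["ts"], row["src"], row["dst"])] += int(row["pkts"])
    return counts


def find_flood_sources(text: str, threshold: int = PPS_THRESHOLD):
    """Return IoT hosts sending more than `threshold` packets/s to a single
    external destination: the footprint of a bot running someone else's DDoS."""
    peaks = {}
    for (ts, src, dst), pkts in parse_flows(text).items():
        if ip_address(src) not in IOT_SEGMENT or is_internal(dst):
            continue  # not our IoT VLAN, or east-west traffic
        if pkts <= threshold:
            continue
        entry = peaks.setdefault(
            (src, dst), {"src": src, "dst": dst, "peak_pps": 0, "seconds_over": 0}
        )
        entry["peak_pps"] = max(entry["peak_pps"], pkts)
        entry["seconds_over"] += 1
    return sorted(peaks.values(), key=lambda e: -e["peak_pps"])


def find_c2_lookups(text: str, domains=C2_DOMAINS):
    """Count resolver queries per IoT client for listed C2 names. After a C2
    seizure these lookups keep coming: the device is still infected."""
    hits = defaultdict(int)
    wanted = {d.lower() for d in domains}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, _qtype, name = parts
        if name.lower().rstrip(".") in wanted and ip_address(client) in IOT_SEGMENT:
            hits[client] += 1
    return dict(hits)


if __name__ == "__main__":
    for f in find_flood_sources(SAMPLE_FLOWS):
        print(f"FLOOD {f['src']} -> {f['dst']} peak {f['peak_pps']} pps over {f['seconds_over']} s")
    for client, n in find_c2_lookups(SAMPLE_DNS).items():
        print(f"C2-LOOKUP {client} queried a listed domain {n} times")
```

Two design points: destinations are filtered with an explicit RFC 1918 list rather than `ip_address.is_private`, because the latter also treats the documentation ranges used in the sample as private and would hide the flood; and the rate check is per (source, destination) pair, since a normal IoT device rarely sends hundreds of packets per second to one external host, whereas an aggregate per-host rate would be swamped by legitimate streaming. The DNS check is intentionally separate from the flow check: a device that only resolves a seized domain is still infected even though it is no longer flooding anyone.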
Initial Access (1 technique)
Command and Control (2 techniques)
Impact (4 techniques)
The infected devices were enslaved by the botnet operators. The operators then used a “cybercrime as a service” model to sell access to the infected devices to other cyber criminals.
Kimwolf was a DDoS platform rented out "by subscription" to other hackers... the botnet was used to conduct more than 25,000 attacks worldwide... the peak power of individual attacks reached 31.4 Tbit/s.
Recent activity
25 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
One of four DDoS botnets whose command-and-control infrastructure was taken offline during an international law-enforcement operation. It took part in infecting IoT devices.
Named as one of several high-impact IoT DDoS botnets disrupted through seizure of command-and-control infrastructure.
An IoT botnet disrupted by law enforcement as part of an operation against DDoS-for-hire infrastructure. The botnet was reported to have launched about 90,000 attack commands.
A botnet whose command-and-control infrastructure was disrupted alongside Kimwolf, AISURU, and Mossad in a law enforcement operation.