AISURU/Kimwolf
Aisuru/Kimwolf is a distributed denial-of-service (DDoS) botnet family used for large-scale attacks. Reporting describes Aisuru and Aisuru-Kimwolf as having compromised approximately 1-4 million hosts globally and attributes record-setting DDoS activity to the botnet, including an attack peaking at 31.4 Tbps and 14.1 billion packets per second. Aisuru is noted to randomize packet characteristics to complicate detection and to encode command-and-control (C2) IP addresses in DNS TXT records associated with its C2 domains.

KimWolf is described as an Android-specific subvariant of Aisuru that reuses Aisuru's DDoS functionality, modified for Android devices, and targets Android-based systems including smart TVs and mobile devices; KimWolf alone is said to have compromised about 2 million devices globally. The operators reportedly monetized access to compromised devices via Discord and Telegram and used the IPIDEA residential proxy network to mask activity; KimWolf was later reported to have shifted to I2P after takedown actions. On March 19, 2026 the U.S. Department of Justice announced disruption actions targeting command-and-control infrastructure used by the Aisuru and KimWolf botnets, including actions in Canada and Germany and an attempted seizure of DigitalOcean droplets used as KimWolf C2 servers.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Command and Control (3 techniques)
Spamhaus noted that July to December 2025 saw a 24% increase in the number of botnet command & control servers identified... law enforcement attempted to take down Command and Control infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets.
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure linked to this family.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Large-scale botnet family used for record-setting DDoS attacks. It can randomize packet characteristics to hinder detection, encodes C2 IPs in DNS TXT records, and has been monetized by selling access to compromised devices to other cybercriminals.
Large-scale DDoS botnet ecosystem (including Android variant Kimwolf) attributed to hyper-volumetric HTTP DDoS activity; also monetized via proxy bandwidth and other services (per excerpted headlines).
A large-scale HTTP/network-layer DDoS botnet reported to have compromised over 2 million Android devices (notably off-brand Android TVs) and used to launch hyper-volumetric DDoS attacks, including a 31.4 Tbps event and the campaign dubbed 'The Night Before Christmas.'
A large-scale DDoS botnet responsible for hyper-volumetric HTTP and network-layer DDoS attacks; reported to have compromised over 2 million Android devices (notably off-brand Android TVs), leveraging residential proxy networks for attack traffic and potentially for command-and-control reachability.