
Mossad

Mossad is an Internet of Things (IoT) DDoS botnet identified alongside Aisuru, KimWolf, and JackSkid. According to the U.S. Department of Justice and related reporting cited on this page, Mossad was part of a cluster of botnets whose command-and-control infrastructure was disrupted in a court-authorized multinational law-enforcement operation in March 2026 involving the United States, Germany, and Canada. The botnet was used to launch distributed denial-of-service attacks against victims worldwide, including attacks targeting IP addresses associated with the U.S. Department of Defense Information Network. The four botnets collectively infected more than 3 million devices worldwide, primarily IoT systems such as routers (including Wi-Fi routers), digital video recorders, web cameras, and IP cameras, and collectively launched hundreds of thousands of DDoS attacks; court documents cited on this page attribute more than 1,000 DDoS attack commands specifically to Mossad.

Reporting cited here describes Mossad as a Mirai-variant botnet and notes that it competed with the related botnets for the same pool of vulnerable devices. Infrastructure associated with Mossad included virtual servers, domains, and IP addresses seized by authorities. One source states that Mossad has no relation to the Israeli intelligence service, and another attributes involvement in its development to a German hacker known as "Snow" or "Lucy," possibly working alone; this attribution appears in press reporting rather than in any official confirmation.


MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

4 techniques
T1583.005 Botnet (evidence: 1)

The disruption itself focused on seizing domains and backend systems used to coordinate the botnets, effectively cutting off the instructions that tell infected devices where and when to send traffic.

T1584 Compromise Infrastructure (evidence: 1)

Devices infected by the four botnets include digital video recorders, web cameras, Wi-Fi routers and TV boxes.

T1584.005 Botnet (evidence: 5)

Android set-top boxes, streaming devices, web cameras, digital photo frames and other IoT hardware fell under the operators' control... The botnet owners sold access to the infected devices to other criminals under a cybercrime-as-a-service model.

T1584.008 Network Devices (evidence: 1)

The four botnets were composed of about three million compromised devices around the world, many of which are Internet of Things (IoT) devices like cameras, routers and video recorders.

Command and Control

1 technique
T1071 Application Layer Protocol (evidence: 8)

The arrest follows a broader March 2026 court-authorized operation that disrupted several high-impact IoT DDoS botnets, including Aisuru, KimWolf, JackSkid, and Mossad, by seizing their command-and-control (C2) infrastructure.

Impact

4 techniques
T1496 Resource Hijacking (evidence: 3)

The infected devices were enslaved by the botnet operators. The operators then used a “cybercrime as a service” model to sell access to the infected devices to other cyber criminals.

T1498 Network Denial of Service (evidence: 10)

Kimwolf, a DDoS platform rented out "by subscription" to other hackers... the botnet was used to carry out more than 25,000 attacks worldwide... the peak power of individual attacks reached 31.4 Tbit/s.

T1498.001 Direct Network Flood (evidence: 1)

The KimWolf botnet, likely with the assistance of the Aisuru botnet, in December 2025 launched an attack against content delivery network Cloudflare that reached 31.4 terabits per second.

T1657 Financial Theft (evidence: 1)

Prosecutors said the operators monetized access to the networks by offering DDoS-for-hire services and, in some cases, extorting victims by threatening to sustain attacks unless payments were made.
