Google and Spamhaus: Mirai-Based Botnets Evolve Into Massive DDoS and Proxy Abuse Threat

Mirai Botnet Variants Fuel Record-Breaking DDoS Attacks in 2025–2026

The Mirai botnet, first discovered in 2016, has evolved into a sprawling cybercriminal ecosystem, driving a surge in botnet-driven threats over the past year. Originally designed to hijack IoT devices running on ARC processors, often by exploiting default credentials or unpatched vulnerabilities, Mirai spawned hundreds of variants once its source code was released, enabling threat actors to target millions of devices worldwide.

In 2025, Spamhaus reported a 26% increase in botnet command-and-control (C2) servers in the first half of the year, followed by a 24% rise in the latter half. The U.S. surpassed China as the top host of these servers, a position China had held since late 2023. Among the most destructive variants, Aisuru and Kimwolf, collectively known as Aisuru-Kimwolf, compromised 1–4 million devices, powering some of the largest DDoS attacks on record, including a 31.4 Tbps flood and a 14.1 billion packet-per-second assault.

Beyond DDoS, the botnets monetized access to infected devices via platforms like Discord and Telegram, while also abusing residential proxy networks to obscure attack traffic. On March 19, 2026, the U.S. Department of Justice, in coordination with Canada and Germany, disrupted C2 servers linked to Aisuru, Kimwolf, JackSkid, and Mossad, though the botnets quickly adapted.

Kimwolf, an Android-focused subvariant, infected 2 million devices by distributing malicious .apk files built for multiple CPU architectures. After Google and the DOJ dismantled its IPIDEA proxy infrastructure, Kimwolf shifted to the Invisible Internet Project (I2P), a decentralized, encrypted network that complicates tracking and takedown efforts. This rapid pivot underscores the operators' ability to evade law enforcement by rerouting infrastructure in real time.

Source: https://cybersecuritynews.com/mirai-based-botnets-evolve-into-massive-ddos/

The Spamhaus Project cybersecurity rating report: https://www.rankiteo.com/company/the-spamhaus-project

Google cybersecurity rating report: https://www.rankiteo.com/company/google

{
  "id": "THEGOO1774470489",
  "linkid": "the-spamhaus-project, google",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{'affected_entities': [{'location': 'Global (U.S. and China as top C2 server '
                                    'hosts)',
                        'type': 'IoT Devices'},
                       {'location': 'Global', 'type': 'Android Devices'}],
 'attack_vector': ['Exploiting default credentials',
                   'Unpatched vulnerabilities',
                   'Malicious .apk files'],
 'data_breach': {'file_types_exposed': ['.apk']},
 'description': 'The Mirai botnet, first discovered in 2016, has evolved into '
                'a sprawling cybercriminal ecosystem, driving a surge in '
                'botnet-driven threats over the past year. Variants like '
                'Aisuru and Kimwolf compromised 1–4 million devices, powering '
                'record-breaking DDoS attacks, including a 31.4 Tbps flood and '
                'a 14.1 billion packet-per-second assault. The botnets '
                'monetized access via platforms like Discord and Telegram and '
                'abused residential proxy networks. Law enforcement disrupted '
                'C2 servers in March 2026, but the botnets adapted by shifting '
                'to decentralized networks like I2P.',
 'impact': {'operational_impact': 'Large-scale DDoS attacks causing service '
                                  'disruptions',
            'systems_affected': '1–4 million devices (IoT and Android)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (via Discord, '
                                                    'Telegram, and residential '
                                                    'proxies)'},
 'investigation_status': 'Ongoing (botnets adapted post-disruption)',
 'lessons_learned': 'Botnets rapidly adapt to law enforcement takedowns by '
                    'shifting infrastructure (e.g., to I2P). Decentralized '
                    'networks complicate tracking and disruption efforts.',
 'motivation': ['Financial gain',
                'Disruption',
                'Monetization of botnet access'],
 'post_incident_analysis': {'corrective_actions': ['Law enforcement disruption '
                                                   'of C2 servers',
                                                   'Shift to decentralized '
                                                   'infrastructure by botnet '
                                                   'operators'],
                            'root_causes': ['Exploitation of default '
                                            'credentials and unpatched '
                                            'vulnerabilities',
                                            'Proliferation of Mirai source '
                                            'code enabling variant development',
                                            'Use of decentralized networks '
                                            '(I2P) to evade takedowns']},
 'recommendations': ['Patch IoT devices and update default credentials',
                     'Monitor for malicious .apk files on Android devices',
                     'Enhance DDoS mitigation strategies',
                     'Collaborate with law enforcement for botnet disruption',
                     'Improve tracking of decentralized botnet infrastructure'],
 'references': [{'source': 'Spamhaus'},
                {'source': 'U.S. Department of Justice'}],
 'response': {'containment_measures': 'Disruption of C2 servers',
              'law_enforcement_notified': 'Yes (U.S. DOJ, Canada, Germany)'},
 'threat_actor': ['Aisuru', 'Kimwolf', 'JackSkid', 'Mossad'],
 'title': 'Mirai Botnet Variants Fuel Record-Breaking DDoS Attacks in '
          '2025–2026',
 'type': 'DDoS Attack',
 'vulnerability_exploited': ['Default credentials',
                             'Unpatched IoT/ARC processor vulnerabilities',
                             'Android APK vulnerabilities']}