
End may be near for Aisuru and Kimwolf botnets after large-scale C2 disruption

One of the largest DDoS botnet operations observed in recent years may be facing sustained disruption after hundreds of command-and-control (C2) servers linked to the Aisuru and Kimwolf botnets were taken offline.

According to research published by Lumen’s Black Lotus Labs, more than 550 C2 servers used by the botnets have been null-routed over the past four months, significantly impairing their ability to control infected devices.

Aisuru and its successor, Kimwolf, have been linked to record-breaking DDoS attacks and are estimated to control well over two million Android devices, most of them low-cost, uncertified Android TV boxes deployed in residential networks.

Record-scale attacks and rapid expansion

After the RapperBot botnet was disrupted in August 2025, Aisuru quickly expanded to fill the gap. By September, attacks attributed to the botnet exceeded 11 Tbps, making it the most powerful DDoS botnet observed at the time.

Black Lotus Labs reported a sharp rise in bot activity during this period, with the daily average number of active bots increasing from around 50,000 to 200,000 in a matter of weeks.

As activity intensified, network-level action was taken against known C2 infrastructure: the C2 addresses were null-routed (blackholed), so traffic destined for them was dropped at the network edge and infected devices could no longer reach their controllers for further instructions.

Botnet control linked to residential infrastructure

Analysis of Aisuru backend servers revealed traffic aggregation from multiple C2 nodes and active operator access via residential SSH connections. Several of the IP addresses involved were traced to Canada, and the activity was reported to law enforcement.

Independent reporting by cybersecurity journalist Brian Krebs, who was previously targeted by a massive DDoS attack attributed to Aisuru, later identified overlapping infrastructure tied to the botnet’s operation.

Kimwolf emerges as operators shift tactics

In early October, researchers observed a series of infrastructure changes, including new domain names, modified ports, and updated malware payloads. Malware samples retrieved from affected servers initially connected to Aisuru C2 nodes but were later replaced with binaries pointing to newly established infrastructure.

Security researchers, including Xlab, later confirmed that these changes marked the emergence of a new botnet, now tracked as Kimwolf.

The transition did little to slow growth. Within days, Kimwolf infections surged by 300%, reaching approximately 800,000 active bots by mid-October. Many of the compromised devices were found listed for sale through a single residential proxy service.

Residential proxy abuse fuels scale

Traffic analysis showed Kimwolf infrastructure interacting heavily with multiple residential proxy networks, particularly PYPROXY. Researchers observed large-scale scanning activity targeting vulnerable devices, which preceded each major growth phase.

Research published by Synthient later confirmed that Kimwolf exploited weaknesses in residential proxy services to compromise devices at scale. Synthient estimates the total botnet size to be well above two million devices, with major concentrations in Vietnam, Brazil, India, and Saudi Arabia.

Disruptions trigger visible operator response

As C2 servers were identified, they were null-routed to prevent further coordination. In several cases, botnet operators were observed restoring infrastructure within hours, highlighting the resilience of the operation.

Each subsequent disruption also triggered a spike in traffic to the botnets' malware-hosting servers, consistent with the operators pushing updated payloads that point bots at replacement C2 infrastructure in order to retain control of infected devices. These hosting servers were also taken offline.
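The two network-level steps the article describes, null-routing C2 indicators and then watching for the follow-up surge toward payload-hosting servers, in code. This is an added example and is not code from Lumen, Black Lotus Labs, FastNetMon or the botnet research cited; every IP address (RFC 5737 documentation ranges), timestamp and flow record below is constructed, and the beacon threshold, the ten-minute window and the 3x surge factor are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed indicator sets. These are RFC 5737 documentation addresses chosen
# for the example, not real Aisuru/Kimwolf infrastructure.
C2_SERVERS = {"203.0.113.10", "203.0.113.11"}
PAYLOAD_HOSTS = {"198.51.100.7"}

# Prefixes that must never be blackholed from a transit edge (assumption:
# extend this with your own address space before using it operationally).
PROTECTED = [ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")]


def blackhole_routes(ips):
    """Turn an indicator list into Linux null-route commands, skipping anything
    that is not a syntactically valid, non-protected IPv4 address."""
    cmds = []
    for raw in ips:
        try:
            ip = ip_address(raw.strip())
        except ValueError:
            continue                      # garbage in the IOC feed, skip it
        if ip.version != 4 or any(ip in net for net in PROTECTED):
            continue                      # never blackhole RFC 1918 / loopback
        cmds.append(f"ip route add blackhole {ip}/32")
    return cmds


def ts(s):
    return datetime.fromisoformat(s)


# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes).
# 192.0.2.x stand in for residential subscribers: one C2 beacon per minute per
# bot before the null-route at 10:10, then a burst of large fetches from the
# payload host once the C2 goes dark.
FLOWS = [
    (ts("2025-10-12T10:00:05"), "192.0.2.20", "203.0.113.10", 443, 620),
    (ts("2025-10-12T10:01:05"), "192.0.2.20", "203.0.113.10", 443, 610),
    (ts("2025-10-12T10:02:05"), "192.0.2.20", "203.0.113.10", 443, 615),
    (ts("2025-10-12T10:00:30"), "192.0.2.21", "203.0.113.11", 8080, 700),
    (ts("2025-10-12T10:01:30"), "192.0.2.21", "203.0.113.11", 8080, 702),
    (ts("2025-10-12T10:02:30"), "192.0.2.21", "203.0.113.11", 8080, 698),
    (ts("2025-10-12T10:01:00"), "192.0.2.22", "93.184.216.34", 443, 15000),  # benign web
    (ts("2025-10-12T10:03:00"), "192.0.2.22", "203.0.113.10", 443, 600),     # one hit only
    (ts("2025-10-12T10:04:00"), "192.0.2.20", "198.51.100.7", 80, 1200),     # quiet baseline
    (ts("2025-10-12T10:12:00"), "192.0.2.20", "198.51.100.7", 80, 900000),   # post-null-route
    (ts("2025-10-12T10:12:10"), "192.0.2.21", "198.51.100.7", 80, 900000),
    (ts("2025-10-12T10:13:00"), "192.0.2.23", "198.51.100.7", 80, 900000),
]
NULL_ROUTE_AT = ts("2025-10-12T10:10:00")


def beaconing_hosts(flows, c2=C2_SERVERS, min_hits=3):
    """Sources with at least min_hits flows to a C2 indicator: likely bots.
    A single hit is left out so that one stray connection does not flag a host."""
    hits = Counter(src for _, src, dst, _, _ in flows if dst in c2)
    return sorted((src, n) for src, n in hits.items() if n >= min_hits)


def payload_surge(flows, hosts=PAYLOAD_HOSTS, event=NULL_ROUTE_AT,
                  window=timedelta(minutes=10), factor=3.0):
    """Compare bytes sent to payload-hosting servers in the window before and
    after a disruption; a surge suggests a new binary is being pushed."""
    before = sum(b for t, _, dst, _, b in flows
                 if dst in hosts and event - window <= t < event)
    after = sum(b for t, _, dst, _, b in flows
                if dst in hosts and event <= t < event + window)
    return {"before_bytes": before, "after_bytes": after,
            "surge": after >= factor * max(before, 1)}


if __name__ == "__main__":
    print(beaconing_hosts(FLOWS))
    print(payload_surge(FLOWS))
    print("\n".join(blackhole_routes(C2_SERVERS | PAYLOAD_HOSTS)))
```

The `ip route add blackhole` form is the single-host version; on a provider network the same effect is normally achieved by announcing the /32 over BGP with a blackhole community (65535:666 per RFC 7999) so every edge router drops it, and the protected-prefix check matters more there, since a mistyped indicator would blackhole your own customers. The surge check is deliberately simple (bytes before vs. after one event); in practice you would run it per destination and keep the payload hosts themselves on the indicator list, as the researchers did when they took those servers offline too.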

Following the disruptions, operators launched DDoS attacks containing profanity-laden payloads aimed at researchers, a reaction previously documented by Xlab.

Botnet activity continues under pressure

While Aisuru and Kimwolf infrastructure continues to reappear, researchers note that sustained C2 disruption at this scale is unusual and may limit the botnets’ ability to operate at peak strength.

Black Lotus Labs and other security researchers continue to monitor the botnets’ activity, while Synthient has released a public tool allowing users to check whether their Android devices are part of the Kimwolf botnet.

Further developments are expected as infrastructure churn continues and investigations progress.


About FastNetMon

FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.

For more information, visit https://fastnetmon.com.
