Record-breaking botnets disrupted as a new challenger quietly appears
On March 19, 2026, international law enforcement announced one of the largest coordinated disruptions of IoT DDoS infrastructure to date. Authorities in the United States, Germany, and Canada targeted command-and-control infrastructure behind the Aisuru, KimWolf, JackSkid, and Mossad botnets: the networks responsible for hundreds of thousands of attacks worldwide and most of the largest DDoS events recently recorded.
According to U.S. Department of Justice disclosures, the combined botnets infected more than three million devices globally, primarily consumer IoT hardware such as DVRs, IP cameras, and home routers. Investigators linked the infrastructure to attacks reaching approximately 30 Tbps, placing them among the most powerful DDoS campaigns publicly acknowledged so far.
At nearly the same time, however, researchers were documenting something familiar to anyone tracking the DDoS ecosystem: a new Mirai-based botnet variant already competing for control of vulnerable IoT devices. Analysis published by Nokia Deepfield researchers shows an emerging actor aggressively infecting exposed devices and even removing rival malware – a sign that competition for botnet dominance remains active.
One botnet infrastructure is dismantled, while another begins expanding. So what is actually happening in the botnet ecosystem at this very moment? Let’s look closer.
Law enforcement operation targets large-scale DDoS infrastructure
The coordinated operation focused on disrupting Aisuru, KimWolf, and the other botnets that have recently caused the majority of record-breaking DDoS attacks. According to court documents, botnet operators rented access to infected devices, allowing customers to launch DDoS attacks on demand.
Authorities report:
- Over 3 million infected devices worldwide
- Hundreds of thousands of executed DDoS attacks
- Extortion campaigns demanding payment to stop attacks
- Significant financial losses reported by victims
- Targets including commercial services and Department of Defense infrastructure
Attack commands attributed to individual botnets illustrate their operational scale:
- Aisuru: more than 200,000 attack commands issued
- KimWolf: more than 25,000 attack commands
- JackSkid: over 90,000 attack commands
- Mossad: more than 1,000 attack commands
The operation involved collaboration between multiple international agencies alongside industry partners and infrastructure providers, demonstrating how mitigation of large botnets increasingly requires a coordinated global response across public and private sectors.
While disruptions of this scale can temporarily reduce attack capacity, history shows they rarely eliminate the underlying ecosystem – and some of the recently published research points in the same direction.
Researchers observe a new Mirai evolution
Right before the takedown operation, on March 18th, Nokia Deepfield researchers reported active deployment of a new Mirai-derived botnet targeting Android-based TV set-top boxes exposed through Android Debug Bridge (ADB) services.
Unlike earlier Mirai variants that relied heavily on automated scanning, this botnet appears to leverage externally identified vulnerable devices and focuses on persistence and control once access is obtained.
Key observations include:
- Infection of tens of thousands of Android TV devices
- Installation of malicious Android applications to maintain persistence
- Aggressive removal of competing malware from infected hosts
- Multiple supported DDoS attack vectors
- Encrypted and rotating command-and-control infrastructure
Perhaps most notably, researchers observed behavior indicating active competition between botnets for the same pool of vulnerable devices: effectively a resource war over available IoT bandwidth.
This mirrors patterns seen repeatedly since the original Mirai source code leak in 2016: disruption events reduce one operator’s footprint, while others rapidly expand to fill the gap.
Takeaways from the recent Mirai activity
The two events together highlight several practical realities about today’s DDoS landscape:
- IoT remains the dominant attack platform. Cheap, exposed consumer devices continue to provide scalable bandwidth for attackers.
- Botnets behave like replaceable infrastructure. Takedowns reduce capacity temporarily, but new variants quickly reuse the same infection surface.
- Operator competition is increasing. Modern botnets actively remove rivals to retain control of compromised devices.
- Attack scale keeps growing. Multi-terabit attacks are no longer theoretical edge cases.
The disruption of Aisuru and KimWolf represents a significant operational success for international law enforcement. But as current research already shows, the broader botnet cycle continues: evolving, competing, and scaling alongside the internet itself.
For network operators, the implication is straightforward: botnet disruption helps, but exposure persists. Continuous traffic visibility and automated mitigation remain necessary because new botnets emerge faster than the global IoT ecosystem can be secured.






