Aeternum C2: The Takedown-Resistant Botnet Using Blockchain

Cybersecurity researchers have revealed details about a new botnet loader called Aeternum C2, which uses a blockchain-based command-and-control (C2) infrastructure to resist takedown efforts. Instead of relying on traditional servers or domains, Aeternum stores its instructions on the public Polygon blockchain, so there is no server to seize and no domain to sinkhole: the command channel is effectively permanent and resistant to conventional takedown methods.

Aeternum C2: A New Generation of Crimeware

The Aeternum C2 botnet operates as a native C++ loader available in 32-bit and 64-bit builds. Commands for infected hosts are written into smart contracts on the Polygon blockchain, and infected bots read them by querying public remote procedure call (RPC) endpoints. ...

February 26, 2026 · Comfidentia
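The Aeternum entry above describes bots that poll a Polygon smart contract for commands through public JSON-RPC gateways. The Python below is an added example, not code from the original page or from the Comfidentia article, showing one detection heuristic a defender can run over outbound proxy logs: flag internal hosts that repeatedly issue read-only JSON-RPC calls (eth_call, eth_getLogs, eth_getStorageAt) for the same contract through a public Polygon RPC gateway. The gateway hostnames, the contract address, the calldata and the log records are all constructed for the example and are not Aeternum's real indicators.

```python
import json
from collections import defaultdict

# Public Polygon JSON-RPC gateways (assumed list for this example; extend it
# with the RPC hosts that actually appear in your own egress telemetry).
PUBLIC_POLYGON_RPC_HOSTS = {"polygon-rpc.com", "rpc-mainnet.matic.network"}

# Read-only JSON-RPC methods a client needs in order to poll a contract.
READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}


def rpc_request(method, params, req_id=1):
    """Serialise a JSON-RPC 2.0 request body as an Ethereum-style client sends it."""
    return json.dumps({"jsonrpc": "2.0", "method": method, "params": params, "id": req_id})


# Constructed proxy records (not real telemetry): source host, destination host,
# HTTP method and POST body. The contract address and calldata are placeholders.
C2_CONTRACT = "0x" + "11" * 20
POLL_CALL = [{"to": C2_CONTRACT, "data": "0x20965255"}, "latest"]
SAMPLE_PROXY_LOG = [
    {"src": "10.0.4.17", "host": "polygon-rpc.com", "method": "POST",
     "body": rpc_request("eth_call", POLL_CALL)},
    {"src": "10.0.4.17", "host": "polygon-rpc.com", "method": "POST",
     "body": rpc_request("eth_call", POLL_CALL, req_id=2)},
    {"src": "10.0.4.17", "host": "polygon-rpc.com", "method": "POST",
     "body": rpc_request("eth_blockNumber", [])},
    # A host that submits a transaction once looks like a wallet, not a poller.
    {"src": "10.0.9.2", "host": "rpc-mainnet.matic.network", "method": "POST",
     "body": rpc_request("eth_sendRawTransaction", ["0xf86c0a..."])},
    {"src": "10.0.9.2", "host": "example.com", "method": "GET", "body": ""},
    {"src": "10.0.3.5", "host": "polygon-rpc.com", "method": "POST", "body": "not json"},
]


def parse_rpc(body):
    """Return the JSON-RPC request as a dict, or None if the body is not one."""
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return None
    return msg


def contract_of(msg):
    """Extract the contract address targeted by a read-only call, lower-cased."""
    method = msg.get("method")
    params = msg.get("params") or []
    if not params:
        return ""
    if method == "eth_call" and isinstance(params[0], dict):
        addr = params[0].get("to")
    elif method == "eth_getLogs" and isinstance(params[0], dict):
        addr = params[0].get("address")
    elif method == "eth_getStorageAt":
        addr = params[0]
    else:
        addr = None
    return addr.lower() if isinstance(addr, str) else ""


def find_contract_pollers(records, rpc_hosts=PUBLIC_POLYGON_RPC_HOSTS, min_reads=2):
    """Map each source host to the contracts it reads through a public gateway,
    keeping only hosts that read some contract at least min_reads times: a
    repeated read of one contract from a host with no wallet software is the
    Aeternum-style beacon worth alerting on."""
    reads = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if rec.get("host") not in rpc_hosts or rec.get("method") != "POST":
            continue
        msg = parse_rpc(rec.get("body", ""))
        if msg is None or msg.get("method") not in READ_METHODS:
            continue
        contract = contract_of(msg)
        if contract:
            reads[rec["src"]][contract] += 1
    return {src: dict(per_contract) for src, per_contract in reads.items()
            if max(per_contract.values()) >= min_reads}


if __name__ == "__main__":
    for src, contracts in find_contract_pollers(SAMPLE_PROXY_LOG).items():
        print(f"{src} repeatedly polls {contracts}")
```

The heuristic deliberately ignores write methods such as eth_sendRawTransaction: a bot only ever reads the contract, so an internal host that polls one address over and over, through a gateway it has no business reason to talk to, is the signal. Pair it with an egress allow-list, since the public blockchain itself cannot be taken down.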

Kimwolf botnet infects 1.8 million Android TV devices, uses ENS to evade detection

The Kimwolf botnet, a new distributed denial-of-service (DDoS) threat, has recruited a massive army of at least 1.8 million infected devices, primarily Android-based TVs, set-top boxes and tablets. According to research by QiAnXin XLab, the botnet is associated with the infamous AISURU botnet.

Kimwolf Threat Summary

Massive reach: Kimwolf has infected 1.8 million devices, primarily Android TV boxes, set-top boxes and tablets.
Advanced capabilities: in addition to typical DDoS attack capabilities, Kimwolf integrates proxy forwarding, reverse shell and file management features. It is compiled with the Android NDK (Native Development Kit).
Attack activity: the botnet issued an estimated 1.7 billion DDoS attack commands over a three-day period (November 19-22, 2025).
Most affected devices: the most infected devices include popular models such as TV BOX, SuperBOX, HiDPTAndroid, P200, X96Q, XBOX, SmartTV and MX10. The global spread is notable, with high concentrations in Brazil, India, the USA, Argentina, South Africa and the Philippines.

Ties with the AISURU Botnet and TTPs

XLab research has uncovered significant links between Kimwolf and the AISURU botnet, known for record-breaking DDoS attacks over the past year. Researchers suspect that the same group reused AISURU code in the early stages of Kimwolf. ...

December 17, 2025 · Comfidentia

Cloudflare Mitigates Largest DDoS Attack in History by AISURU Botnet

Cloudflare has announced the detection and mitigation of a distributed denial-of-service (DDoS) attack that peaked at 29.7 terabits per second (Tbps), the largest ever recorded by the company. The attack lasted 69 seconds and was launched by the botnet-for-hire known as AISURU.

The AISURU Botnet: The Engine of the Attack

Cloudflare identified that the attack came from the AISURU botnet, a cybercrime network linked to numerous hyper-volumetric DDoS attacks over the past year. AISURU is estimated to be powered by between 1 and 4 million infected hosts worldwide. ...

December 4, 2025 · Comfidentia

Operation WrtHug: Massive Cyberattack Compromised More Than 50,000 ASUS EoL Routers

A newly discovered cyberattack campaign, dubbed Operation WrtHug, has compromised tens of thousands of ASUS routers that are end-of-life (EoL) or running outdated firmware, recruiting them into a large botnet. Over the past six months, SecurityScorecard's STRIKE team identified more than 50,000 unique IP addresses of compromised devices globally. The most affected regions are Taiwan, the United States and Russia, although infections have also been reported in Southeast Asia and European countries. ...

November 19, 2025 · Comfidentia

🚨 RondoDox exploits unpatched XWiki servers to expand its botnet

The RondoDox botnet malware is actively exploiting unpatched XWiki servers via the critical vulnerability CVE-2025-24893 (CVSS 9.8), which allows arbitrary remote code execution.

🔍 CVE-2025-24893
An eval-injection flaw that lets any guest (unauthenticated) user execute code remotely via the /bin/get/Main/SolrSearch endpoint.
Affected versions: all before XWiki 15.10.11, 16.4.1 or 16.5.0RC1
Patch available since: February 2025

🤖 RondoDox: Expanding Botnet
RondoDox enlists vulnerable devices for:
DDoS attacks (HTTP, UDP, TCP)
Cryptocurrency mining
Persistent access (reverse shells, backdoors)
Chronology: March 2025 (first evidence) → Nov 3 (first RondoDox exploitation) → Nov 7 (peak) → Nov 11 (new wave) ...

November 15, 2025 · Comfidentia
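Two checks a practitioner would want after reading the RondoDox entry above, written here as an added Python example (not code from the page, from RondoDox or from XWiki): a version test against the fixed releases the entry names, and a scan of web-server access logs for requests to /bin/get/Main/SolrSearch whose text parameter carries wiki-macro markers such as {{groovy}}, since a search string has no reason to contain macro syntax. The sample log lines are constructed; the macro-breakout shape of the first one is assumed to resemble the public proof of concept and is not captured RondoDox traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Fixed releases named for CVE-2025-24893; everything older on each release
# line is vulnerable, including all releases before 15.10.11.
FIXED_RELEASES = ("15.10.11", "16.4.1", "16.5.0RC1")

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?RC(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '16.5.0RC1' into a sortable tuple. A release candidate sorts before
    the final release of the same number: 16.5.0RC1 -> (16, 5, 0, 0, 1),
    16.5.0 -> (16, 5, 0, 1, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


def is_vulnerable(version):
    """True if this XWiki version predates the fix on its release line."""
    v = parse_version(version)
    fixed_15, fixed_16_4, fixed_16_5 = (parse_version(f) for f in FIXED_RELEASES)
    if v[0] < 16:
        return v < fixed_15
    if v[0] == 16 and v[1] < 5:
        return v < fixed_16_4
    return v < fixed_16_5


SOLR_PATH = "/bin/get/Main/SolrSearch"
# Wiki-syntax macro markers that have no business inside a search string.
MACRO_MARKERS = ("{{async", "{{groovy", "{{velocity", "{{/async", "{{/groovy")

# Combined log format: client ident user [time] "request" status size
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)"')

# Constructed access-log lines. The first mimics the macro-breakout shape of the
# public proof of concept (an assumption, not captured RondoDox traffic); the
# second is a legitimate search; the third never touches the endpoint.
SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - - [03/Nov/2025:10:12:01 +0000] "GET /bin/get/Main/SolrSearch'
    '?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D'
    'println%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512',
    '198.51.100.4 - - [03/Nov/2025:10:13:44 +0000] "GET /bin/get/Main/SolrSearch'
    '?media=rss&text=backup+policy HTTP/1.1" 200 2048',
    '198.51.100.4 - - [03/Nov/2025:10:14:02 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 9000',
]


def macro_markers_in_request(request_line):
    """Given 'GET /path?query HTTP/1.1', return the macro markers found in the
    SolrSearch text parameter, or [] when the request is not a SolrSearch call
    or carries no markers. Decodes a second time to catch double encoding."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    url = urlsplit(parts[1])
    if not url.path.endswith(SOLR_PATH):
        return []
    text = unquote(" ".join(parse_qs(url.query).get("text", []))).lower()
    return [marker for marker in MACRO_MARKERS if marker in text]


def scan_access_log(lines):
    """Return (client_ip, markers) for every line that looks like an exploit attempt."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        markers = macro_markers_in_request(m.group(2))
        if markers:
            hits.append((m.group(1), markers))
    return hits


if __name__ == "__main__":
    for ver in ("15.10.10", "15.10.11", "16.4.0", "16.5.0RC1"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
    for ip, markers in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ip}: SolrSearch request carrying {markers}")
```

The version check is only as good as the string you feed it (take it from the running instance, not from a package manifest), and the log scan is a triage aid rather than a replacement for patching: a server that logs such a request was reachable by the exploit, so treat a hit as a possible compromise and look for the mining and reverse-shell activity the entry describes.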