The cybersecurity landscape is grappling with a significant resurgence of Mirai-based botnets, evolving into a formidable threat capable of launching massive Distributed Denial of Service (DDoS) attacks and orchestrating widespread proxy abuse. First identified in 2016, the Mirai malware, initially designed to exploit vulnerabilities in Internet of Things (IoT) devices, has seen its source code widely disseminated, fostering an ecosystem of hundreds of active variants that now compromise millions of devices globally. This proliferation has led to a substantial increase in botnet command and control (C2) servers, with the United States recently surpassing China in hosting capacity.
Researchers have pinpointed specific Mirai derivatives, such as Aisuru and Kimwolf, as particularly destructive. These variants are behind some of the most colossal DDoS attacks ever recorded, demonstrating a quantum leap in destructive potential compared to earlier iterations. The operators of these botnets have established profitable criminal enterprises, selling access to compromised devices on underground forums and dark web marketplaces. Their continuous adaptation to law enforcement actions highlights the persistent and evolving nature of these cyber threats.
The growth in botnet activity is starkly illustrated by Spamhaus’s findings, which documented a 26% surge in botnet C2 servers in the first half of 2025, followed by an additional 24% increase in the latter half of the year. This rapid expansion underscores the ease with which the Mirai codebase can be modified and deployed by a range of threat actors. The shift in C2 server hosting locations, with the US taking the lead from China, reflects ongoing global efforts to track and mitigate these pervasive threats.
Kimwolf’s Infection Mechanism and Infrastructure Evasion Strategies
Kimwolf, an Android-centric variant of Aisuru, specifically targets mobile devices and smart televisions, having already infected an estimated two million Android devices worldwide. Its infection mechanism downloads .apk files from attacker-controlled servers and executes them one after another, an approach designed to maximize compatibility across different CPU architectures. This strategy ensures a broad reach and high infection rates on vulnerable mobile platforms.
The operators of these botnets are adept at circumventing detection and disruption efforts. Following the disruption of the IPIDEA residential proxy infrastructure tied to Kimwolf by Google and the U.S. Department of Justice, reports indicate the botnet has migrated to the Invisible Internet Project (I2P). I2P is a decentralized, encrypted network known for its anonymity, making it significantly more challenging for authorities to monitor and dismantle compared to conventional internet infrastructure.
This strategic shift to I2P exemplifies the adaptability of these criminal operations. Threat actors are continuously surveying law enforcement actions and swiftly rerouting their activities to maintain operational continuity whenever disruptions occur. This cat-and-mouse game is a defining characteristic of the modern cybercrime landscape, requiring constant vigilance from cybersecurity professionals and network providers alike.
The financial implications of these botnets are substantial, with Aisuru-Kimwolf operators monetizing their infrastructure through the sale of compromised device access. This criminal business model fuels the ongoing development and deployment of new variants, creating a self-sustaining threat ecosystem. The ability to launch DDoS attacks measured in multiple terabits per second and billions of packets per second underscores the significant disruption potential these botnets possess.
Mitigation and Defense Strategies
To counter the escalating threat of Mirai-based botnets and similar IoT malware, proactive security measures are crucial for both individuals and organizations. Network providers often offer robust DDoS protection solutions that can detect and effectively block the overwhelming traffic characteristic of botnet attacks. Organizations should fully leverage these services to safeguard their online presence.
Implementing protective DNS services can add another layer of defense by filtering suspicious domain queries before they can reach internal systems, preventing potential malware infections. For publicly accessible network devices, particularly routers, consistent patching of firmware is paramount. This practice ensures that known vulnerabilities exploited by botnets like Mirai are closed, significantly reducing the attack surface.
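The following is an added example, not code from the article or from any protective DNS vendor, showing the core of the query filtering the paragraph above describes: each name a client asks for is checked against a set of blocked zones, matching whole labels so that subdomains of a blocked zone are caught but look-alike names that merely share a suffix string are not. The blocked zones and the query log lines are constructed placeholders, not real indicators, and the log format is an assumption.

```python
"""Protective DNS filtering: decide, per query, whether the requested name
falls under a blocked zone, and list which clients asked for blocked names.

Added example, not code from the original article. The blocklist entries
and the query log below are constructed sample data, not real indicators."""

from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# Constructed sample blocklist. Each entry is a zone: the name itself and
# every subdomain beneath it are blocked. A real deployment feeds this from
# a threat-intelligence source; these names are placeholders.
BLOCKED_ZONES = {
    "c2-placeholder.example",
    "malware-drop.test",
}

# Constructed sample resolver log (assumed format):
# "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_QUERY_LOG = """\
2025-07-01T10:00:01Z 192.0.2.10 www.example.org A
2025-07-01T10:00:02Z 192.0.2.10 update.c2-placeholder.example A
2025-07-01T10:00:03Z 192.0.2.11 C2-PLACEHOLDER.EXAMPLE. AAAA
2025-07-01T10:00:04Z 192.0.2.12 notc2-placeholder.example A
2025-07-01T10:00:05Z 192.0.2.13 deep.sub.malware-drop.test TXT
"""


def normalize(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot so that
    'C2-PLACEHOLDER.EXAMPLE.' and 'c2-placeholder.example' compare equal."""
    return qname.rstrip(".").lower()


def is_blocked(qname: str, zones: Iterable[str] = BLOCKED_ZONES) -> bool:
    """True if qname equals a blocked zone or is a subdomain of one.

    Matching is done on whole labels, so 'notc2-placeholder.example' is NOT
    blocked by the zone 'c2-placeholder.example'."""
    zone_set = {normalize(z) for z in zones}
    labels = normalize(qname).split(".")
    # Walk from the full name up towards the TLD, testing each suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zone_set:
            return True
    return False


@dataclass(frozen=True)
class Verdict:
    timestamp: str
    client: str
    qname: str
    qtype: str
    blocked: bool


def filter_log(log_text: str, zones: Iterable[str] = BLOCKED_ZONES) -> list[Verdict]:
    """Parse each log line and attach a block/allow verdict to it."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, client, qname, qtype = line.split()
        verdicts.append(Verdict(timestamp, client, qname, qtype, is_blocked(qname, zones)))
    return verdicts


def blocked_clients(log_text: str, zones: Iterable[str] = BLOCKED_ZONES) -> dict[str, list[str]]:
    """Map each client that issued a blocked query to the (normalized) names
    it asked for; this is the list a defender triages for infected devices."""
    out: dict[str, list[str]] = {}
    for v in filter_log(log_text, zones):
        if v.blocked:
            out.setdefault(v.client, []).append(normalize(v.qname))
    return out


if __name__ == "__main__":
    for v in filter_log(SAMPLE_QUERY_LOG):
        print("BLOCK" if v.blocked else "allow", v.client, v.qname)
```

The suffix walk is what makes the filter a zone filter rather than a substring match: a blocked zone covers every name beneath it, while names that only happen to end in the same characters pass through untouched.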
Furthermore, the continued use of default credentials on networking equipment remains a primary vector for botnet infections. Default passwords must be replaced with strong, unique credentials during the initial setup of any networking device and never left unchanged afterwards. This simple yet effective measure can prevent a vast number of unauthorized accesses and subsequent compromises.
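As an added example of how an organization can check the advice above against its own fleet (this is not code from the article or from any vendor), the audit below takes a device inventory and reports three conditions: a factory-default username/password pair still in place, a password shorter than a chosen minimum, and a password reused across several devices. The vendor names, models, default-credential table and inventory are all constructed placeholders.

```python
"""Audit a network-device inventory for default, weak and reused passwords.

Added example, not code from the original article. The factory-default
table and the inventory are constructed sample data; the minimum length
is an assumed policy value."""

from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of factory defaults, keyed by (vendor, model).
# A real audit would load the vendor's published defaults; these are placeholders.
FACTORY_DEFAULTS: dict[tuple[str, str], list[tuple[str, str]]] = {
    ("ExampleVendor", "R100"): [("admin", "admin"), ("admin", "password")],
    ("ExampleVendor", "CAM2"): [("root", "12345")],
}

MIN_PASSWORD_LENGTH = 12  # assumed policy value


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    model: str
    username: str
    password: str


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Device("edge-router", "ExampleVendor", "R100", "admin", "admin"),
    Device("lobby-cam", "ExampleVendor", "CAM2", "root", "12345"),
    Device("branch-router", "ExampleVendor", "R100", "netops", "Correct-Horse-Battery-42"),
    Device("dc-router", "ExampleVendor", "R100", "netops", "Correct-Horse-Battery-42"),
    Device("guest-ap", "ExampleVendor", "AP9", "admin", "short1"),
]


def audit(devices: list[Device]) -> dict[str, list[str]]:
    """Return {device name: [findings]} for every device with at least one
    finding; devices that pass all checks are omitted."""
    findings: dict[str, list[str]] = defaultdict(list)

    # Index devices by password so reuse across the fleet can be reported:
    # one leaked credential should not open several devices.
    by_password: dict[str, list[str]] = defaultdict(list)
    for d in devices:
        by_password[d.password].append(d.name)

    for d in devices:
        defaults = FACTORY_DEFAULTS.get((d.vendor, d.model), [])
        if (d.username, d.password) in defaults:
            findings[d.name].append("factory default credential still in use")
        if len(d.password) < MIN_PASSWORD_LENGTH:
            findings[d.name].append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
        peers = [n for n in by_password[d.password] if n != d.name]
        if peers:
            findings[d.name].append("password shared with: " + ", ".join(sorted(peers)))
    return dict(findings)


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

The reuse check is the one most often missed by per-device reviews: each password may be long and unique relative to the vendor defaults, yet a single credential shared across routers still lets one compromise spread.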
The ongoing efforts by international law enforcement agencies, such as the U.S. Department of Justice’s disruption actions against the Aisuru, Kimwolf, JackSkid, and Mossad botnets, demonstrate a commitment to combating these pervasive threats. However, the continuous evolution and adaptation of these botnets, including their migration to anonymized networks like I2P, suggest that the fight against Mirai-based threats will remain a significant challenge. The cybersecurity community will need to closely monitor the development of new evasion techniques and the emergence of future Mirai variants to stay ahead of these sophisticated criminal operations.