Ben

@whyherro1 @FBIAnchorage The botnet was named mossad

@FBIAnchorage Wait, was the botnet named Mossad or was Mossad operating one of the botnets?

🚨JUST IN🚨The Defense Criminal Investigative Service (DCIS), FBI Anchorage, and international partners disrupted four of the world’s largest Internet of Things (IoT) botnets that together were responsible for millions of infected devices and hundreds of thousands of DDoS attacks worldwide. 🔗ow.ly/PBQb50YwAHN @USAO_AK | @DoD_IG

@menscher 🎉

In 2025 botnets started using residential proxy networks (like IPIDEA which Google disrupted in Jan) to spread to vulnerable IoT within home networks. DDoS quadrupled in size, a step change in the expected exponential growth trend (here shown on a log scale).

Synthient Helps Disrupt World's Largest DDoS Botnet The U.S. Department of Justice, in coordination with international law enforcement, has announced a major operation to disrupt the infrastructure of four of the world’s largest IoT botnets, including Aisuru and Kimwolf. Together, these botnets hijacked over three million devices worldwide to launch record-breaking Distributed Denial of Service (DDoS) attacks. The Kimwolf botnet specifically targeted devices traditionally firewalled from the broader internet, enslaving them to act as proxy traffic for criminal networks and launch attacks reaching up to 30 Terabits per second. Synthient is proud to have contributed to the DOJ's efforts. By identifying active exploitation, sharing malware samples, and coordinating disclosures with impacted parties, we helped neutralize this threat. We remain dedicated to making the web a safer place and are grateful to have played a role in this historic takedown. Link: justice.gov/usao-ak/pr/aut…

Not quite x.com/vxdb/status/20…

🧐http://169[.]40[.]135[.]213:47000/mypantsarefullofshit/arm7

@deobfuscately Next is banana botnet?

Potassium Botnet Installer: http://169[.]40[.]135[.]69/1000mgofpotassiumaday/arm7 C2: potassium[.]vitacocoyougolocobecauseyouaresodamndeliciocobarampam[.]st #ioc #hunting #mirai

@vxdb 🔥

Everyone please go read my friends new blog post on the Russian Market

🚨#Botnet In February, an invisible war broke out within #Android TV Boxes between #Bigpanzi and #Kimwolf. Bigpanzi issued the "pm uninstall" command to remove Kimwolf's APK，哈哈，果然同行是冤家😂 Happy hunting 🍷@Xlab_qax

Not just bigpanzi 😄 other tv boxes also observed removing it [ "com.n2.systemservice06", "com.n2.systemservice061", "com.n2.systemservice062", "com.n2.systemservice063", "com.n2.systemservice0644", "com.android.systemservice0644", "com.a.androidsvc", "com.k.sdk", "com.abcproxy.proxysdk", "com.abcproxy.lolsdk" ]

I have said this quite a few times, but there is this misconception that the scanning engines on VT tell you whether the AV product detects the malware. They do not.

#IPIDEA Post Google takedown stats across all internal pools. Slowly shifting towards relying on 3rd party providers for IP sourcing instead of IPIDEA SDKs.

@solostalking @500mk500 What did it say?

@500mk500 Zscalar deleted your comment, lol

Google’s Threat Intelligence Team just disrupted one of the largest residential proxy network, IPIDEA. Read more: cloud.google.com/blog/topics/th…

bye bye ipdea

@HackingLZ New bubble indicator

@UK_Daniel_Card What about by ASN?

You can see a mixture of vertical attacks and horizontal attacks....

I exposed RDP to the internet for a year... it was hit with over 7 million authentication attempts from cyber criminals/botnets etc. that's about 20K login attempts per day! to a single server. #CyberCrime #Reality

Interesting growth. Scanning observed on Jan 7th

Since the disclosure of the #kimwolf exploit we are starting to observe other proxy providers attempting to make their own land grab for vulnerable devices.

cc: @UK_Daniel_Card @RussianPanda9xx @banthisguy9349 @Gi7w0rm @g0njxa @malwrhunterteam @vxunderground @Analyst1 @dprkcert

Installer: 89.125.255[.]206:8001 Backdoor: 89.125.255[.]206:8000 C2s: peer.packetstream-sdk[.]su, peer.packetstream-sdk[.]ru