4 Major Botnets Dismantled: Aisuru, KimWolf, JackSkid, Mossad
- Global infrastructure: A coordinated international task force took down four malicious networks that infected more than three million devices globally.
- Targeting defense networks: Operators utilized the compromised IoT devices to launch severe DDoS attacks against U.S. Department of Defense infrastructure.
- Exploiting connected appliances: Threat actors weaponized critical IoT vulnerabilities to compromise webcams, digital video recorders, and Wi-Fi routers.
The Command and Control (C2) infrastructure of the Aisuru, KimWolf, JackSkid, and Mossad botnets was dismantled in a massive takedown, part of a U.S. Department of Justice (DOJ) operation targeting the individuals behind the botnets. These four major Internet of Things (IoT) botnets had compromised over three million devices worldwide as of March 2026, including hundreds of thousands within the U.S.
Before the disruption, operators used these sprawling networks to execute hundreds of thousands of DDoS attacks – some of them at record-breaking speeds of 30 terabits per second.
Neutralizing Severe DDoS Attacks
The Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) seized multiple U.S.-registered internet domains, virtual servers, and other infrastructure allegedly used for cybercrime, including some that targeted IP addresses managed by the Department of Defense Information Network (DoDIN), according to the recent DOJ announcement.
According to court documents, the KimWolf and JackSkid botnets are accused of targeting and infecting devices that are “traditionally ‘firewalled’ from the rest of the internet,” using a Cybercrime-as-a-Service model to sell access to the infected devices. In addition to overwhelming network bandwidth to force system outages, the operators frequently extorted their victims.
Court documents revealed the number of alleged DDoS attack commands:
- Aisuru – more than 200,000,
- KimWolf – more than 25,000,
- JackSkid – more than 90,000,
- Mossad – more than 1,000.
Aisuru emerged in late 2024 and, in October 2025, was used to seed KimWolf, an Aisuru variant that introduced a novel spreading mechanism allowing it to infect devices hidden in the user’s internal network.
Widespread IoT Vulnerabilities
The expansion of these malicious networks relied heavily on exploiting unpatched IoT vulnerabilities. The botnets primarily infected internet-connected devices such as webcams, digital video recorders, and Wi-Fi routers, transforming standard household and enterprise hardware into a coordinated swarm of attack nodes, the DOJ said.
This complex cybersecurity operation was conducted in coordination with law enforcement agencies in Germany and Canada, with integrated operational support from Europol's PowerOff team. It also required extensive private sector collaboration, including with AWS, Akamai, Cloudflare, Lumen, Google, Nokia, and PayPal.
In May 2025, Aisuru hit the KrebsOnSecurity website with a then-near-record DDoS attack reaching over 6.3 terabits per second. Investigations link the botnet’s management to individuals operating under the alias “Forky,” who also run Botshield, a purported DDoS mitigation and hosting business registered in the U.K.




