Deepfield, part of Nokia since 2017, delivers advanced network analytics and real-time DDoS protection to secure global networks.
Website: https://www.nokia.com/ip-networks/deepfield/

RE: https://infosec.exchange/@jmeyer/116259050557048999

ICYMI: a story about pulling one thread linking multiple botnets — four of which were targeted by coordinated law enforcement actions this week, and an adjacent one for which our team publishes the C2 decryption scheme.

#aisuru #kimwolf #mossad #jackskid #cecilio

Yesterday, the U.S. Department of Justice announced a coordinated international operation to disrupt four of the world's largest IoT DDoS botnets — Aisuru, Kimwolf, Jackskid, and Mossad — responsible for record-breaking attacks reaching approximately 30 Tbps.

Together, these botnets had hijacked over three million devices worldwide and launched hundreds of thousands of DDoS attacks against victims across the globe.

This was a massive collaborative effort involving law enforcement agencies in the U.S., Canada, and Europe, alongside many private-sector partners. We're proud that Nokia was among the companies that contributed — our Deepfield Emergency Response Team helped map botnet infrastructure and supported the takedown efforts.

Full DOJ press release: https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks

#operationpoweroff

Excellent work by @nicter_jp documenting a Xiongmai DVR campaign deploying residential proxy SDKs: https://blog.nicter.jp/2026/03/iot_proxyware/

We pulled the payloads and decompiled the chain.

The downloader is Mirai with all DDoS stripped out — repurposed as a vehicle for proxy monetization. It delivers two proxy SDKs: IPRoyal Pawns and PacketSDK, part of the IPIDEA network Google disrupted in January.

NICTER's IOC timeline tells the rest: PacketSDK v1.0.2 (original domains) → v1.0.6 (scrambled replacements) → v1.0.8.4 (single fallback) → not deployed. Every dispatch path is now NXDOMAIN.

A concrete view of Google's takedown continuing to have impact.

https://github.com/deepfield/public-research/blob/main/reports/2026-03-19-xiongmai-packetsdk-ipidea.md

#Mirai #IPIDEA #threatintel

Observation of Xiongmai DVRs being turned into residential proxies through exploitation of a known vulnerability

1. Overview: On Xiongmai DVRs, where attacks exploiting a known vulnerability (CVE-2024-3765) continue, we newly observed cases of infection with proxyware. In these cases, unlike the conventional conversion into DDoS bots, the proxyware "PacketSDK", used for residential proxy purposes, was installed and running.

NICTER Blog

Why bother with n-day exploits when a residential proxy subscription gives you unauthenticated root shell on tens of millions of Android TV devices?

Our new ERT report on the #Katana botnet documents 30K+ bots, an on-device compiled kernel rootkit, and almost certainly more engineering effort in persistence than the devices received in firmware support.

https://github.com/deepfield/public-research/blob/main/katana/report.md

#DDoS #threatintel

public-research/katana/report.md at main · deepfield/public-research

DDoS botnet research and indicators of compromise from Nokia Deepfield ERT - deepfield/public-research

GitHub

New deployment: @hetzner is strengthening #DDoS protection across its European data center infrastructure with Deepfield Defender; a great choice by one of Europe's leading hosting providers.

https://hetzner.com/pressroom/nokia-network-security/

Hetzner invests in AI-based network security from Nokia

We've reached a point where #DDoS attacks are now affecting shared infrastructure — well beyond the intended targets.

Read on to learn why networks need to address outbound DDoS traffic and build defenses as part of the network.

https://www.nokia.com/blog/the-internet-commons-under-siege-why-33-tbps-ddos-attacks-are-everyones-problem/

Nothing says "controlled chaos" like a live DDoS demo where the attacker literally has paperwork from the Ministry of Finance.

(And yes, this is in-line Layer 2 mitigation on a live network.)

https://www.youtube.com/watch?v=BxsEaXUT94k

Live Anti-DDoS Demo by NL-ix: Nokia Deepfield Defender in Action

YouTube

Quick nod to the brilliant folks at @nicter_jp and @xlab_qax: their latest research shows #Eleven11bot is really the next #Rapperbot evolution, leveraging a brand‑new device family.

Teamwork in action 👉 https://blog.nicter.jp/2025/06/rapperbot_2025_2g/ | https://blog.xlab.qianxin.com/rapperbot-en/

Latest trends in RapperBot targeting DVRs

botconf 1, the international conference on botnets and malware held in France every year, was this year held about two hours by TGV from Paris in An

NICTER Blog
Massive botnet that appeared overnight is delivering record-size DDoSes
Eleven11bot infects video recorders, with the largest concentration of them in the US.
https://arstechnica.com/security/2025/03/massive-botnet-that-appeared-overnight-is-delivering-record-size-ddoses/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social
Ars Technica

@shadowserver @deepfield Thanks for the additional analysis, this is great.

This lines up pretty well with what we’re seeing for bot counts (the deviation on Taiwan may be related to a slightly different device signature, looking into that now). Current count is approx 41k bots seen in attacks so far.