Mirai Botnets Evolve Into Major DDoS and Proxy Abuse Threats
Mirai-based botnets have evolved from simple IoT malware into large-scale DDoS and proxy abuse platforms underpinning record-breaking attacks and stealthy cybercrime operations.
Over 21,000 C2 servers were observed from July to December 2025, showing a significant shift towards using compromised devices as residential proxies alongside traditional DDoS activities.
This growth coincided with escalating DDoS campaigns; Cloudflare’s Q4 2025 data reveals hyper-volumetric attacks, including a 31.4 Tbps assault linked to the Aisuru-Kimwolf botnet family.

Spamhaus reports a 26% surge in botnet C2 activity in early 2025 and a further 24% increase by year-end, reversing 18 months of relative stability.
Mirai as the base framework
First identified in 2016, Mirai targets internet-connected devices running lightweight Linux, typically secured only by default or weak credentials.

Once compromised, these IoT systems form a botnet capable of high-volume UDP, TCP, and application-layer floods against targets.
The public release of Mirai’s source code sparked an explosion of variants and “branches,” many adding new exploits, CPU architectures, and evasion features while preserving core scanning and DDoS logic.
Satori, a well-known Mirai derivative, was first detected in late 2017, infecting hundreds of thousands of routers by weaponizing remote code execution flaws and deploying architecture-specific binaries for broad coverage.

These scripts automate downloading, permission changes, and execution, enabling rapid enrollment of reachable routers into the botnet without user interaction.
Aisuru-Kimwolf: DDoS and proxy abuse
More recently, the Aisuru and Kimwolf families have expanded Mirai’s role to include extreme-scale DDoS engines and rentable residential proxy networks.

Cloudflare and researchers link Aisuru-Kimwolf to the 31.4 Tbps attack and floods exceeding tens of billions of packets per second, often using randomized packet characteristics for evasion.
Kimwolf, an Android-focused Aisuru variant, abuses residential proxy providers like IPIDEA to infiltrate internal networks, smart TVs, and mobile devices, then resells access for fraud, credential-stuffing, and other abuse via underground channels.
Authorities have countered at scale: U.S. efforts targeted IoT DDoS botnet C2 infrastructure, while Google and partners disrupted domains and accounts used to market and control abused residential proxy pools.

Despite disruption efforts, Mirai-based ecosystems persist, fueled by unpatched routers, insecure Android devices, and quickly recycled infrastructure enabling rapid rebuilds.
For defenders, prioritizing edge device hygiene, monitoring for abnormal outbound traffic, and tracking Mirai-derived indicators remains essential as these botnets grow in both DDoS power and proxy abuse capabilities.