Mirai Botnets Evolve Into Major DDoS and Proxy Abuse Threats

Mirai-based botnets have evolved from simple IoT malware into large-scale DDoS and proxy abuse platforms underpinning record-breaking attacks and stealthy cybercrime operations.

Over 21,000 C2 servers were observed from July to December 2025, showing a significant shift towards using compromised devices as residential proxies alongside traditional DDoS activities.

This growth coincided with escalating DDoS campaigns; Cloudflare’s Q4 2025 data reveals hyper-volumetric attacks, including a 31.4 Tbps assault linked to the Aisuru-Kimwolf botnet family.

Number of DDoS attacks tracked by Cloudflare (Source : Spamhaus).
Number of DDoS attacks tracked by Cloudflare (Source : Spamhaus).

Spamhaus reports a 26% surge in botnet C2 activity in early 2025 and a further 24% increase by year-end, reversing 18 months of relative stability.

Mirai as the base framework

First identified in 2016, Mirai targets internet-connected devices running lightweight Linux, typically secured only by default or weak credentials.

Top locations for botnet C2s (Source : Spamhaus).
Top locations for botnet C2s (Source : Spamhaus).

Once compromised, these IoT systems form a botnet capable of high-volume UDP, TCP, and application-layer floods against targets.

The public release of Mirai’s source code sparked an explosion of variants and “branches,” many adding new exploits, CPU architectures, and evasion features while preserving core scanning and DDoS logic.

Satori, a well-known Mirai derivative, was first detected in late 2017, infecting hundreds of thousands of routers by weaponizing remote code execution flaws and deploying architecture-specific binaries for broad coverage.

How attackers can use botnets in brute force attacks (Source : Spamhaus).
How attackers can use botnets in brute force attacks (Source : Spamhaus).

These scripts automate downloading, permission changes, and execution, enabling rapid enrollment of reachable routers into the botnet without user interaction.

Aisuru-Kimwolf: DDoS and proxy abuse

More recently, the Aisuru and Kimwolf families have expanded Mirai’s role to include extreme-scale DDoS engines and rentable residential proxy networks.

The many variants of Mirai (Source : Spamhaus).
The many variants of Mirai (Source : Spamhaus).

Cloudflare and researchers link Aisuru-Kimwolf to the 31.4 Tbps attack and floods exceeding tens of billions of packets per second, often using randomized packet characteristics for evasion.

Kimwolf, an Android-focused Aisuru variant, abuses residential proxy providers like IPIDEA to infiltrate internal networks, smart TVs, and mobile devices, then resells access for fraud, credential-stuffing, and other abuse via underground channels.

Authorities have countered at scale: U.S. efforts targeted IoT DDoS botnet C2 infrastructure, while Google and partners disrupted domains and accounts used to market and control abused residential proxy pools.

Additional Mirai variants outlined in a presentation by Ya Liu and Hui Wang (Source : Spamhaus).
Additional Mirai variants outlined in a presentation by Ya Liu and Hui Wang (Source : Spamhaus).

Despite disruption efforts, Mirai-based ecosystems persist, fueled by unpatched routers, insecure Android devices, and quickly recycled infrastructure enabling rapid rebuilds.

For defenders, prioritizing edge device hygiene, monitoring for abnormal outbound traffic, and tracking Mirai-derived indicators remains essential as these botnets grow in both DDoS power and proxy abuse capabilities.

Related Articles

Back to top button