nanog mailing list archives

Re: ISP Operators AISURU/Kimwolf botnet


From: Mel Beckman via NANOG <nanog () lists nanog org>
Date: Fri, 16 Jan 2026 16:12:43 +0000

Benjamin,


It sounds like you recognize that this botnet exploits compromised devices on your customers’ networks, which are 
generating massive volumes of outbound DDoS traffic from your network. It’s thus your responsibility to address egress 
hygiene as a core operational standard and monitor and suppress malicious traffic leaving your network.


One way to do this is via DDoS filtering services like Lumen’s Lotus Defender. These have been effective at disrupting 
the botnet's infrastructure by filtering the low-volume inbound control channel. Yes, such services are not free, but 
the problem on your network is due to your customers, not anybody else’s. It is your customers’ Android IoT devices 
that are compromised.


You could ask your complaining customers to shut off their Android devices and see if their Internet improves, thus 
demonstrating the problem is with their IoT gear.


As for mainstream media coverage, “big” ISPs can’t make them publish anything. But you can point your customers to this 
well-written piece by Krebs On Security that clearly identifies consumers as the problem before it goes into the 
technical details:

<https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/>

 -mel beckman

On Jan 16, 2026, at 7:16 AM, Benjamin Hatton via NANOG <nanog () lists nanog org> wrote:

As a smaller ISP, I think the biggest thing that would help us would be a
'mainstream' media outlet covering some of it so we have something to show
customers who call in about their internet being bad, us telling them it is
their Android streaming box that is taking up their entire connection
moving TBs of data a day, and them responding with "but I bought it from
Walmart/Amazon" or "you are just trying to get me to sign up for your
cable" and refusing to do anything about it because 'free TV'.

Cybersecurity blogs are not on our typical customers' reading list.

On Fri, Jan 16, 2026 at 9:03 AM Josh Luthman via NANOG <nanog () lists nanog org> wrote:

How?

On Fri, Jan 16, 2026 at 8:34 AM Corey Smith via NANOG <nanog () lists nanog org> wrote:

I would appreciate if any ISP Operators could help some of the smaller
ISPs like us in stopping the traffic from these new Malware infected customers
that have devices with Aisuru/Kimwolf botnet.

These are Residential Proxies for the most part, but hard to stop.

Any help would be greatly appreciated.
_______________________________________________
NANOG mailing list


https://lists.nanog.org/archives/list/nanog () lists nanog org/message/SAWGTYD5FM22MEKO5WIQP2YTSASVV4P7/
