D-Link A.I CyberSecurity Scoring
D-Link
Company Information
Website: https://www.dlink.com
Employees number: 525
Number of followers: 12,654
NAICS:
Industry Type: Information Technology & Services
Homepage: dlink.com
D-Link Risk Score (AI oriented)
Between 650 and 699
Updated: 04/06/2026
684/1000
Weak
B
Current Score: 684 (B, WEAK) on a scale of 0 to 1000
8 incidents
-9 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 684
MAY 2026: 683
APRIL 2026: 680
MARCH 2026: 683
Vulnerability
19 Mar 2026 • D-Link
D-Link: Mirai Botnet Growth Spurs Massive DDoS Attacks and Proxy Exploits
Botnet Surge in 2025: Record DDoS Attacks and Evolving Threats
679
HIGH-4
DLI1774527833
Botnet activity reached unprecedented levels in 2025, with security researchers documenting a sharp rise in distributed denial-of-service (DDoS) attacks and advanced evasion tactics. Spamhaus reported a 26% increase in botnet command-and-control (C2) servers in the first half of the year, followed by a 24% jump in the second half, culminating in 21,425 C2 servers detected between July and December alone.
The surge is attributed to the proliferation of open-source botnet code, the expansion of poorly secured IoT devices, and the evolution of Mirai-based malware variants. First identified in 2016, Mirai remains a dominant threat, exploiting devices running ARC processors with default credentials or unpatched vulnerabilities. The public release of its source code enabled threat actors to create 116 distinct variants from over 21,000 analyzed samples, including Satori, which infected 260,000 routers in 2017 by targeting a flaw in D-Link DSL-2750B devices.
The most disruptive botnet in 2025 was Aisuru-KimWolf, a Mirai descendant responsible for record-breaking DDoS attacks, including a 31.4 terabit-per-second (Tbps) assault and a 14.1 billion packet-per-second (PPS) attack. The botnet compromised 1–4 million devices globally, with its infrastructure spanning Canada and Germany. On March 19, 2026, the U.S. Department of Justice announced coordinated disruption efforts, seizing DigitalOcean virtual servers linked to Aisuru, KimWolf, JackSkid, and Mossad botnets. Court documents revealed over 3 million infected devices and hundreds of thousands of DDoS attacks, often accompanied by extortion demands.
Despite law enforcement actions, the commoditization of botnet tools, unpatched IoT devices, and persistent default credentials ensure that Mirai and its variants will remain a persistent threat.
FEBRUARY 2026: 682
JANUARY 2026: 683
DECEMBER 2025: 677
NOVEMBER 2025: 677
OCTOBER 2025: 675
SEPTEMBER 2025: 677
AUGUST 2025: 671
JULY 2025: 688
Cyber Attack
30 Jul 2025 • D-Link
Netgear and D-Link: Masjesu Botnet Targets Routers and Gateways For Paid DDoS Attacks
Masjesu Botnet: A Stealthy, Evolving IoT Threat for DDoS-as-a-Service
669
HIGH-19
DLINET1775644215
The Masjesu botnet, first detected in early 2023 and still active through 2026, has established itself as a highly sophisticated DDoS-for-hire service targeting Internet of Things (IoT) devices. Unlike traditional botnets that rely on large-scale, noisy infections, Masjesu prioritizes stealth and long-term persistence, avoiding high-profile networks like U.S. Department of Defense systems to evade detection and legal action.
### Stealth Tactics & Operational Methods
Masjesu employs advanced evasion techniques to bypass security measures, including:
- XOR-based encryption to conceal command-and-control (C2) domains and payloads, decrypting them only at runtime.
- Hardened persistence by binding to a hardcoded TCP port and ignoring termination signals.
- Process masquerading, renaming its executable to mimic legitimate system files (e.g., a Linux dynamic linker) and using cron jobs to re-execute every 15 minutes.
### Exploitation & Propagation
The botnet spreads by scanning random IP addresses for vulnerable open ports, targeting devices from manufacturers like D-Link, Netgear, Huawei, and GPON. Upon exploitation, it deploys a malicious shell script to recruit devices into its network. Once integrated, bots receive instructions to launch DDoS attacks under a unique "masjesu" user-agent.
### Defensive Measures & Impact
Due to its obfuscation-heavy approach, traditional antivirus detection is often ineffective. Organizations are advised to:
- Monitor outbound traffic for unusual HTTP requests or connections to known malicious domains.
- Implement process and file integrity monitoring to detect spoofed system files or unauthorized cron jobs.
- Enforce basic IoT security hygiene, including changing default credentials and applying firmware updates to patch known vulnerabilities.
Masjesu’s commercial DDoS-for-hire model and low-profile operations make it a persistent threat, underscoring the need for behavior-based defenses in IoT security.
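The monitoring advice above (outbound HTTP requests, spoofed system files, unauthorized cron jobs), as an added Python example that is not part of the original page: it flags user-crontab entries that re-run a dynamic-linker-named file every 15 minutes from outside the library directories, and proxy log lines whose User-Agent contains "masjesu". The combined log format, the linker filename pattern, the directory list and all sample lines are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumptions: directories where a genuine dynamic linker lives, and its usual names.
LINKER_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
LINKER_NAME = re.compile(r"^ld(-[\w.-]+)?\.so(\.\d+)*$")
EVERY_15_MIN = {"*/15", "0,15,30,45"}
# Combined log format: the last quoted field on the line is the User-Agent.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')

def suspicious_cron(lines):
    """Flag user-crontab entries that run a linker-named file every 15 minutes
    from a path outside the library directories (process masquerading)."""
    hits = []
    for line in (l.strip() for l in lines):
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # minute hour dom month dow command
        if len(fields) < 6 or fields[0] not in EVERY_15_MIN:
            continue
        path = PurePosixPath(fields[5].split()[0])
        in_lib = any(str(path).startswith(d + "/") for d in LINKER_DIRS)
        if LINKER_NAME.match(path.name) and not in_lib:
            hits.append(line)
    return hits

def masjesu_clients(log_lines):
    """Return client addresses whose requests carried a 'masjesu' User-Agent."""
    hits = []
    for line in log_lines:
        m = UA_FIELD.search(line)
        if m and "masjesu" in m.group(1).lower():
            hits.append(line.split()[0])
    return sorted(set(hits))

# Constructed sample data (not taken from any real device or campaign).
SAMPLE_CRON = [
    "*/15 * * * * /tmp/.cache/ld-linux.so.2 >/dev/null 2>&1",
    "*/15 * * * * /usr/bin/rsync -a /srv /backup",
    "0 3 * * * /usr/lib/ld-linux.so.2 --list /bin/ls",
    "*/15 * * * * /lib64/ld-linux-x86-64.so.2 --version",
]
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jul/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "masjesu"',
    '192.0.2.11 - - [30/Jul/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    print(suspicious_cron(SAMPLE_CRON))
    print(masjesu_clients(SAMPLE_LOG))
```

A hit from either function is a lead for triage, not a verdict: a matching cron entry or User-Agent should be confirmed against the device's file hashes and its outbound connections.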
JULY 2025: 691
Vulnerability
11 Jul 2025 • D-Link
D-Link
Critical Stack-Based Buffer Overflow in D-Link DIR-825 Rev.B 2.10 Firmware
687
LOW-4
DLI331071125
A critical stack-based buffer overflow vulnerability in the D-Link DIR-825 Rev.B 2.10 router firmware allows unauthenticated, zero-click remote attackers to crash the device’s HTTP server. This flaw resides in the router’s httpd binary and stems from improper handling of the language parameter in the switch_language.cgi endpoint. Exploitation requires no valid credentials or user interaction, meaning an adversary only needs network access to the target device’s management interface to trigger a denial-of-service condition. This vulnerability disrupts VPNs, guest Wi-Fi, and IoT device management, leading to potential service outages and loss of network functionality.
MAY 2025: 694
Vulnerability
26 May 2025 • D-Link
D-Link
Hardcoded Telnet Credentials Vulnerability in D-Link Routers
689
MEDIUM-5
D-L636052625
A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware. The vulnerability affects DIR-605L v2.13B01 and DIR-816L v2.06B01 models, scoring 6.5 on the CVSS v3.1 scale with medium severity. Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users. The vulnerability allows unauthenticated attackers to bypass authentication and execute arbitrary commands remotely.
MAY 2025: 697
Vulnerability
01 May 2025 • D-Link
Next.js, D-Link, Apache and Netgear: Cyberattack Trends & Variations: What Our Honeypots Reveal
Honeypot Data Reveals Persistent Cyber Threats: A Year in Exploit Trends (2025–2026)
693
CRITICAL-4
NETVERDLITHE1780583187
Between May 2025 and May 2026, a global network of honeypots recorded over 9.2 million security events originating from 54,000 unique IP addresses across 163 countries, offering a snapshot of evolving cyber threats. The data, collected from strategically deployed decoy systems, highlights sustained attacker interest in vulnerable services, with SSH (75% of events) dominating activity, reinforcing the risks of exposing the protocol directly to the internet. Web applications (10%) and SMTP services (10%) followed, while attacks on medical protocols remained negligible.
### Top Exploited Vulnerabilities
Nine vulnerabilities stood out for their high exploitation rates, with React2Shell (CVE-2025-55182), a critical flaw in Next.js servers, leading the pack. Disclosed in December 2025, it triggered a surge in attacks, with six IP addresses accounting for 90% of December’s activity. Other notable targets included:
- ProxyLogon/ProxyShell/ProxyNotShell (Microsoft Exchange): Persistent exploitation since 2021, leveraging unpatched servers for SYSTEM-level access.
- Shellshock (CVE-2014-6271): A decade-old Bash vulnerability still actively probed for initial access.
- ThinkPHP (CVE-2018-25270): Sustained attacks on the Chinese PHP framework post-2026 disclosure.
- Log4Shell (CVE-2021-44228): Declining but still targeted, reflecting its historical impact.
- Legacy Router Flaws: D-Link Dir-645 (CVE-2015-2051) and Netgear DGN1000/DGN2000 (CVE-2024-12847) saw renewed activity, tied to campaigns like Rondodox.
- CrushFTP (CVE-2025-54309): A single, concentrated attack on October 13, 2025, exploiting a race-condition flaw.
### Key Observations
- Web applications faced relentless attacks, with CVEs like React2Shell and ProxyShell driving spikes.
- Routers and IoT devices remained prime targets, often via decade-old vulnerabilities.
- Exploit timelines varied: Some flaws (e.g., CrushFTP) saw brief, intense campaigns, while others (e.g., Shellshock) endured as persistent threats.
- Attacker behavior aligned globally, with honeypot operators reporting similar patterns.
The data underscores the longevity of high-impact vulnerabilities and the risks of unpatched systems, even years after disclosure. Honeypots continue to serve as critical tools for detecting emerging threats and attacker methodologies.
OCTOBER 2023: 755
Breach
01 Oct 2023 • D-Link
D-Link
D-Link Data Breach
670
HIGH-85
DLI1117101123
Global networking equipment and technology company D-Link revealed a breach after stolen data was offered for sale on the Breach Forums platform by a threat actor.
Upon learning of the purported data breach, the corporation promptly enlisted the assistance of security firm Trend Micro to investigate the purported event.
The threat actor declared that it had obtained the source code for D-Link's D-View network management software as well as 3 million lines of personal data.
The exposed information includes names, emails, addresses, phone numbers, firms, dates of registration, and the most recent times a user signed in.
JANUARY 2022: 756
Vulnerability
01 Jan 2022 • D-Link
CISA warns of D-Link router vulnerability exploitation
Exploitation of CVE-2022-37055 in D-Link Go-RT-AC750 Routers
752
CRITICAL-4
DLI1765260054
A pair of vulnerabilities – one old, and one new – has been added to the United States Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog.
CVE-2022-37055 is a three-year-old buffer overflow vulnerability in D-Link Go-RT-AC750 routers, which is a sticky one, as the product has reached “end of life” (EoL) and is no longer supported by D-Link.
The company’s own security announcement regarding the vulnerability outlined the dangers of using EoL network hardware, and with hackers now on the warpath, it makes for timely reading.
“D-Link strongly recommends that this pro
APRIL 2019: 758
Vulnerability
01 Apr 2019 • D-Link
D-Link: D-Link Router Command Injection Vulnerability Actively Exploited in the Wild
D-Link Router Unauthenticated Command Injection and DNS Hijacking Vulnerabilities
753
CRITICAL-5
DLI1767786327
D-Link Routers Targeted in Long-Running DNS Hijacking Campaign
D-Link has confirmed critical unauthenticated command injection vulnerabilities in multiple router models, enabling attackers to remotely modify DNS settings without authentication. These flaws, exploited since at least 2016, allow threat actors to redirect user traffic to malicious infrastructure, facilitating malware distribution, phishing, and traffic interception.
Security researchers have tracked ongoing exploitation campaigns targeting home and enterprise networks across multiple continents. The vulnerabilities stem from improper input validation in the routers’ web interfaces, permitting attackers to alter DNS configurations persistently. A large-scale malvertising campaign first reported in December 2016 affected at least 166 router models, including D-Link devices, by redirecting users to malicious ad servers and phishing sites.
By April 2019, threat intelligence teams observed sustained attacks against D-Link routers over three consecutive months. Attackers leveraged Google Cloud Platform to deploy the DNSChanger malware variant, automating exploits and increasing the vulnerability’s severity. Publicly disclosed exploits further amplified the risk.
Affected Models and Regions:
- DSL-2740R (Rev. A, Europe) – Firmware EU v1.15 and older (EDB-35917)
- DSL-2640B (Rev. T, Malaysia) – Firmware GE v1.07 and older (EDB-42197)
- DSL-2780B (Rev. A, AU/NZ/EU) – Firmware v1.01.14 and older (EDB-37237)
- DSL-526B (Rev. B, Australia) – Firmware AU v2.01 and older (EDB-37241)
These models are primarily deployed outside the U.S. through regional carriers with custom firmware. D-Link advises users to perform factory resets, set unique admin passwords, and manually configure DNS settings using trusted providers like Google DNS (8.8.8.8) or Cloudflare (1.1.1.1). Official firmware patches should be obtained through regional carriers.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for D-Link?
What was D-Link's A.I Rankiteo Cyber Score in May 2026?
What was D-Link's A.I Rankiteo Cyber Score in April 2026?
What was D-Link's A.I Rankiteo Cyber Score in March 2026?
What was D-Link's A.I Rankiteo Cyber Score in February 2026?
What was D-Link's A.I Rankiteo Cyber Score in January 2026?
What was D-Link's A.I Rankiteo Cyber Score in December 2025?
What was D-Link's A.I Rankiteo Cyber Score in November 2025?
What was D-Link's A.I Rankiteo Cyber Score in October 2025?
What was D-Link's A.I Rankiteo Cyber Score in September 2025?
What was D-Link's A.I Rankiteo Cyber Score in August 2025?
What was D-Link's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on D-Link's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with D-Link?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view D-Link's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?