Operation Botnet Smash: Disrupting Aisuru, Kimwolf, JackSkid, and Mossad

It is rare we get to celebrate a solid win in this industry, but the coordinated takedown by the DOJ, RCMP, and German authorities is significant. We are talking about 3M+ IoT devices (routers, webcams) hijacked for massive volumetric attacks.

The technical breakdown suggests these botnets—specifically Mossad and Kimwolf—were exploiting UPnP vulnerabilities and utilizing default credentials on end-of-life SOHO routers. While the news didn't explicitly drop the CVEs for the payloads, previous analysis of similar infrastructure points to exploitation of:

• CVE-2024-7029: A known RCE in popular DVR firmware.
• CVE-2025-1102: An authentication bypass in specific x86-based IP cameras.

If you manage a fleet of edge devices, I highly recommend checking for these Indicators of Compromise (IOCs) in your perimeter logs. Here is a quick KQL query to hunt for the specific user agents historically associated with these variants:

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("telnet", "busybox")
| where RemotePort in (23, 2323, 80, 8080)
| extend UA = parse_url(RequestURL)["User-Agent"]
| where UA contains "MIRAI" or UA contains "AISURU" or UA contains "MOSSAD"
| project Timestamp, DeviceName, RemoteIP, RemotePort, UA


Additionally, since these devices often rely on hardcoded Telnet passwords, you might want to run a quick internal scan (carefully!) to identify open management interfaces that shouldn't be facing the internet:

nmap -p 23,2323,80,8080,554 --open -sV 192.168.1.0/24

The disruption is great, but without patching the underlying vulnerabilities or replacing the devices, they will be re-infected within days. How are you guys handling the "un-patchable" IoT trash pile in your environments? Do you aggressively segment it off or just try to block the known C2 IPs?