Latest report from our ERT on another proxy/ADB-based botnet: #Maskify
https://github.com/deepfield/public-research/blob/main/maskify/report.md
Deepfield, part of Nokia since 2017, delivers advanced network analytics and real-time DDoS protection to secure global networks.
Most Mirai forks are disposable. #Jackskid was built not to be.
Joint research with Comcast Threat Research Labs — we tracked this botnet across 80+ samples and 13 build generations as it evolved from a bare-bones prototype into a dual-vector Android TV/IoT platform with triple-layer encryption and DNS-over-HTTPS C2.
Report and IoCs: https://github.com/deepfield/public-research/blob/main/jackskid/report.md
ICYMI: a story about pulling one thread linking multiple botnets — four of which were targeted by coordinated law enforcement actions this week, and an adjacent one for which our team publishes the C2 decryption scheme.
Yesterday, the U.S. Department of Justice announced a coordinated international operation to disrupt four of the world's largest IoT DDoS botnets — Aisuru, Kimwolf, Jackskid, and Mossad — responsible for record-breaking attacks reaching approximately 30 Tbps.
Together, these botnets had hijacked over three million devices worldwide and launched hundreds of thousands of DDoS attacks against victims across the globe.
This was a massive collaborative effort involving law enforcement agencies in the U.S., Canada, and Europe, alongside many private-sector partners. We're proud that Nokia was among the companies that contributed — our Deepfield Emergency Response Team helped map botnet infrastructure and supported the takedown efforts.
Full DOJ press release: https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks
Excellent work by @nicter_jp@bird.makeup documenting a Xiongmai DVR campaign deploying residential proxy SDKs: https://blog.nicter.jp/2026/03/iot_proxyware/
We pulled the payloads and decompiled the chain.
The downloader is Mirai with all DDoS stripped out — repurposed as a vehicle for proxy monetization. It delivers two proxy SDKs: IPRoyal Pawns and PacketSDK, part of the IPIDEA network Google disrupted in January.
NICTER's IOC timeline tells the rest: PacketSDK v1.0.2 (original domains) → v1.0.6 (scrambled replacements) → v1.0.8.4 (single fallback) → not deployed. Every dispatch path is now NXDOMAIN.
A concrete view of Google's takedown continuing to have impact.
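The "every dispatch path is now NXDOMAIN" observation above is the kind of check worth re-running on a schedule after any takedown. The script below is an added example, not code from Deepfield or NICTER: it classifies a list of IOC hostnames as still resolving, NXDOMAIN, or transient failure, and only declares the infrastructure dead when every name is NXDOMAIN. The hostnames in it are constructed placeholders, not the real PacketSDK domains.

```python
"""Check botnet dispatch/C2 hostnames after a takedown: which still resolve,
which return NXDOMAIN, and which only failed transiently.

Added example; hostnames below are constructed stand-ins, not real IOCs.
"""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# errno values getaddrinfo raises for "name does not exist" and
# "temporary failure"; the numeric fallbacks are the glibc values.
NXDOMAIN_ERRNO = getattr(socket, "EAI_NONAME", -2)
TEMPFAIL_ERRNO = getattr(socket, "EAI_AGAIN", -3)

Resolver = Callable[[str], List[str]]


def live_resolver(domain: str) -> List[str]:
    """Resolve through the system stub resolver; raises socket.gaierror.

    Caveat: getaddrinfo does not reliably separate a true NXDOMAIN from a
    name that exists but has no A/AAAA records. If that distinction matters,
    query the RCODE directly (dig / a DNS library) instead.
    """
    infos = socket.getaddrinfo(domain, None)
    return sorted({info[4][0] for info in infos})


def make_stub_resolver(table: Dict[str, object]) -> Resolver:
    """Offline resolver for demos and tests.

    table values: a list of IP strings, "NXDOMAIN", or "TEMPFAIL".
    Unknown names behave as NXDOMAIN.
    """
    def resolve(domain: str) -> List[str]:
        answer = table.get(domain, "NXDOMAIN")
        if answer == "NXDOMAIN":
            raise socket.gaierror(NXDOMAIN_ERRNO, "Name or service not known")
        if answer == "TEMPFAIL":
            raise socket.gaierror(TEMPFAIL_ERRNO, "Temporary failure in name resolution")
        return sorted(answer)
    return resolve


def classify(domain: str, resolver: Resolver = live_resolver) -> Tuple[str, List[str]]:
    """Return (status, addresses); status is RESOLVES, NXDOMAIN, TEMPFAIL or ERROR."""
    try:
        addrs = resolver(domain)
    except socket.gaierror as exc:
        if exc.errno == NXDOMAIN_ERRNO:
            return "NXDOMAIN", []
        if exc.errno == TEMPFAIL_ERRNO:
            return "TEMPFAIL", []
        return "ERROR", []
    return "RESOLVES", addrs


def check_dispatch_paths(domains: Iterable[str],
                         resolver: Resolver = live_resolver) -> Dict[str, Tuple[str, List[str]]]:
    """Classify every hostname in the IOC list."""
    return {d: classify(d, resolver) for d in domains}


def all_dead(results: Dict[str, Tuple[str, List[str]]]) -> bool:
    """True only when every path is NXDOMAIN.

    A TEMPFAIL (resolver timeout, SERVFAIL) is not evidence that a path is
    gone, so it blocks the "all dead" verdict rather than counting toward it.
    """
    return bool(results) and all(status == "NXDOMAIN" for status, _ in results.values())


if __name__ == "__main__":
    # Constructed table mirroring the version-by-version pattern in the post:
    # original, scrambled replacement, and single fallback all gone, plus one
    # live control name to show the RESOLVES branch.
    stub = make_stub_resolver({
        "dispatch-v102.example.invalid": "NXDOMAIN",
        "dispatch-v106.example.invalid": "NXDOMAIN",
        "fallback-v1084.example.invalid": "NXDOMAIN",
        "control-live.example.invalid": ["192.0.2.10"],
    })
    paths = ["dispatch-v102.example.invalid", "dispatch-v106.example.invalid",
             "fallback-v1084.example.invalid"]
    for name, (status, addrs) in check_dispatch_paths(paths, stub).items():
        print(f"{name:36} {status} {','.join(addrs)}")
    print("all dispatch paths dead:", all_dead(check_dispatch_paths(paths, stub)))
    print("control:", classify("control-live.example.invalid", stub))
```

Swap `make_stub_resolver(...)` for the default `live_resolver` to run it against real IOC lists; run it from more than one vantage point, since a sinkholed or geo-fenced name can still resolve from one network and not another.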
Why bother with n-day exploits when a residential proxy subscription gives you unauthenticated root shell on tens of millions of Android TV devices?
Our new ERT report on the #Katana botnet documents 30K+ bots, an on-device compiled kernel rootkit, and almost certainly more engineering effort in persistence than the devices received in firmware support.
https://github.com/deepfield/public-research/blob/main/katana/report.md
New deployment: @hetzner@mastodon.hetzner.social is strengthening #DDoS protection across its European data center infrastructure with Deepfield Defender; a great choice by one of Europe's leading hosting providers.
We have reached a point where #DDoS attacks are now affecting shared infrastructure — well beyond the intended targets.
Read on to learn why networks need to address outbound DDoS traffic and build defenses into the network itself.
Nothing says "controlled chaos" like a live DDoS demo where the attacker literally has paperwork from the Ministry of Finance.
(And yes, this is in-line Layer 2 mitigation on a live network.)
On 26 February 2025, the Nokia Deepfield Emergency Response Team (ERT) identified a significant new DDoS botnet, now tracked as #Eleven11bot.
Primarily composed of compromised webcams and Network Video Recorders (NVRs), this botnet has rapidly grown to exceed 30,000 devices. Its size is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.
Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors. Attack intensity has varied widely, ranging from a few hundred thousand to several hundred million packets per second (pps). Public forums report sustained attack campaigns causing service degradation lasting multiple days, some of which remain ongoing.