Organized Crime and Corruption Reporting Project (OCCRP)
January 12, 2026
•[ DDoS, botnet, distributed denial-of-service ]
OCCRP reported its website was targeted by a sophisticated distributed denial-of-service (DDoS) attack beginning on Monday and still ongoing as of January 13, 2026. The organization said the assault appeared to involve a large international botnet and adaptive tactics, suggesting a coordinated effort with a human element responding to defenses. Recent infrastructure upgrades reportedly prevented a complete outage; however, readers could experience slower access and additional verification steps designed to block automated traffic. OCCRP stated the source of the attack had not been identified and framed the incident as an attempt to make its investigative reporting inaccessible by overwhelming online services rather than compromising internal data systems.
Undisclosed UK Construction Firm
January 1, 2026
•[ malware, botnet, cryptojacking ]
eSentire TRU finds that a UK construction firm discovered Prometei malware on a Windows Server in January 2026. Researchers assessed initial access likely occurred via Remote Desktop Protocol using guessed weak/default credentials. Once inside, Prometei established persistence (service UPlugPlay and file sqhost.exe), downloaded an encrypted payload (zsvc.exe), routed traffic through TOR, and used Mimikatz (labelled miWalk) to steal passwords across the network. The report described Prometei as a Russia-linked botnet used for Monero mining and credential theft, and did not describe customer data exposure or service shutdown.
At least one IoT device compromised
December 31, 2025
•[ botnet, iot, vulnerability ]
Security researchers reported that the RondoDox botnet successfully exploited a critical vulnerability to take control of at least one internet-connected networking device, enrolling it into a botnet for malicious activity.
Operation Endgame 3.0
November 14, 2025
•[ infostealer, remote access trojan, botnet ]
Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol's headquarters in The Hague. The actions targeted one of the biggest infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers and provided 2 million impacted email addresses and 7.4 million passwords to HIBP.
Operation Endgame 3.0
November 13, 2025
•[ infostealer, remote access trojan, botnet ]
Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol's headquarters in The Hague. The actions targeted one of the biggest infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers and provided 2 million impacted email addresses and 7.4 million passwords to HIBP.
Abraham Andreu's computer (part of Andromeda botnet)
November 6, 2025
•[ botnet, malware ]
A ComputerHoy journalist describes deliberately infecting a Windows PC in 2025 with the Andrmeda malware, which enrolls machines into a botnet so attackers can download additional payloads and execute arbitrary files remotely. The piece walks through how the author obtained the malware sample, how the infection behaves on the system, the use of Spains INCIBE antibotnet service and security tools to detect and remove Andrmeda, and what readers should do if they discover their own devices are part of the botnet. This is a self-inflicted test infection rather than an unsolicited attack on an organization.
Gcore
October 1, 2025
•[ DDoS attack, botnet, volumetric flood ]
Technology site CDR.cz and an underlying TechRadar report describe how gaming hosting and cloud provider Gcore was hit in October 2025 by one of the largest DDoS attacks ever recorded, a so called short burst volumetric flood that generated roughly 6 terabits per second of traffic and about 5.3 billion packets per second over 30 to 45 seconds. Analysis attributed the event to the AISURU botnet, with more than half of the malicious traffic sourced from Brazil and about a quarter from the United States, suggesting widespread abuse of poorly secured systems in those regions. Gcore stated that its globally distributed DDoS protection network, with over 210 points of presence and more than 200 terabits per second of filtering capacity, absorbed the attack and kept services online, but security experts warned that such brief, intense
University of California San Diego (USArhythms subdomain)
June 22, 2025
•[ botnet, infrastructure compromise, remote code execution ]
CloudSEK and HackRead report the Androxgh0st botnet compromised a UC San Diego subdomain to host command-and-control/logging infrastructure using RCE and web shells; no confirmed data theft or service disruption reported.
ASUS consumer routers
May 29, 2025
•[ botnet, compromised devices ]
Report describes thousands of ASUS routers compromised to build a botnet; this is a broad campaign summary effect.
