Black Lotus Labs commends the DOJ and international law enforcement for the arrest of the Kimwolf botnet's primary operator, “Dort!” KimWolf enabled cybercrime-as-a-service at massive scale, launching record-breaking DDoS attacks approaching 30 Tbps. Black Lotus Labs drove deep insights into #KimWolf's C2 operations in partnership with law enforcement, reining in this threat as noted in the affidavit released by the DoJ. This comes on the heels of a multi-month partnered operation to null route KimWolf C2s on the global backbone. This defining action taken by law enforcement in arresting “Dort” is a huge accomplishment by both the US Department of Justice and International Law Enforcement along with the many private industry organizations who played pivotal roles. Congratulations to all who were involved for their outstanding work to bring the responsible actors to justice! DOJ announcement: https://lnkd.in/e_vXWv6T Affidavit: https://lnkd.in/d5Y9egQQ
Black Lotus Labs
Computer and Network Security
Monroe, Louisiana 2,321 followers
The official threat research and operations arm of Lumen Technologies.
About us
Black Lotus Labs, the Threat Research and Intelligence arm of Lumen Technologies, leverages unmatched network visibility to protect our customers and keep the internet clean. Powering Lumen® Security Solutions, Black Lotus Labs helps automate protection and proactively neutralize threats using global network data flows and machine learning algorithms. Our Black Lotus® security services uncover and defend against threats others can’t to ensure a safer digital environment.
- Website: https://www.lumen.com/en-us/security/black-lotus-labs.html
- Industry: Computer and Network Security
- Company size: 10,001+ employees
- Headquarters: Monroe, Louisiana
Updates
-
What do record-setting DDoS attacks and Russian cyber-espionage have in common? In this case, a couple of interesting podcasts. The Wall Street Journal had a great podcast on the discovery and background of Kimwolf’s operators, with our own Chris Formosa discussing the work done behind the scenes by a wide range of industry and Law Enforcement teams. Go ahead and c/p this into your Spotify account even if you need to make one just for the occasion: https://lnkd.in/eyZ9uKpB Second, the Microsoft Threat Intelligence podcast had the inimitable Sherrod DeGrippo sit down with Danny A. to talk about Forest Blizzard’s most recent campaign. Lumen and Microsoft worked with Law Enforcement to identify and interdict an espionage activity that relied on some old-school tricks to steal credentials from select targets across the world. This one is brought to you courtesy of the CyberWire: https://lnkd.in/dvfdjUBe
-
In this LinkedIn Live conversation, the experts from Lumen Technologies, IDC, Commvault, and NetApp unpacked the cyber-threat landscape and why it matters for security leaders right now. Key takeaway: according to IDC research, only 31% of companies are able to fully recover from an attack without paying a ransom. 🔗 Watch the full replay to learn how to move your organization from reactive to ready: https://bit.ly/4am5dwE #TrustedNetwork
-
Some of the most telling signals from the 2026 Lumen Defender Threatscape Report are in the data. Our new infographic visualizes: ∙ Top 2025 Trends ∙ 2026 Predictions ∙ Kimwolf/Aisuru Campaign View the full infographic ⬇️ #TrustedNetwork
-
Infrastructure is the new early‑warning layer. That’s one of the key takeaways from recent coverage of the 2026 Lumen Defender Threatscape Report. Thank you to Network World, Sean M. Kerner for covering this work. Read the full article, and drop any questions you have below 👇
-
The 2026 Lumen Defender Threatscape Report is live. From our vantage point inside the global internet backbone, our team at Lumen Technologies monitored more than 200B NetFlow sessions and DNS queries per day, tracking 2.3M unique threats and 46K C2s to understand how modern operations are built at infrastructure scale. This report breaks down the biggest threat trends from 2025, predictions for 2026, and defense guidance focused on infrastructure‑aware detection and edge security. Read the full report: https://bit.ly/4vbHDet #TrustedNetwork
-
Today we published a new report on some old-school techniques by the Forest Blizzard threat actor. We're lucky to be able to work alongside our friends at MSTIC and the FBI, as well as a handful of international partners to expose and disrupt this network. Since it's Fancy Bear we know they'll be back around, but so will we. Please enjoy the good news right here: https://lnkd.in/eaKu_yJT
-
Black Lotus Labs helps disrupt world’s largest DDoS botnets
Lumen is proud to have partnered with the Department of Justice and international law enforcement in helping to disrupt several large-scale DDoS botnets, including Kimwolf, the world's largest. These new super-sized botnets date back to August 2024, as Aisuru grew to one of the most powerful on record. In late 2025, it was surpassed by a closely related botnet known as Kimwolf, which would go on to launch the most powerful DDoS attacks in history. Kimwolf owed its size to the exploitation of a vulnerability in residential proxy services, gathering millions of victims at its peak. The security industry collaborated behind the scenes to keep this botnet from growing unrestrained. Since October of 2025, Lumen was able to track and null-route close to 1,000 servers in the infrastructure of the Kimwolf and Aisuru botnets. In January of 2026, Synthient published research on the vulnerability used by Kimwolf. Owing to the vast number of vulnerable devices worldwide, several new threat actors came into this space to exploit residential proxies, as mentioned by the DoJ report. Once again, industry partnered with law enforcement to keep these threat actors from doing serious harm. Lumen would like to thank all those involved in tracking and disrupting this malicious activity; especially the U.S. DoJ, DCIS, FBI, German Bundeskriminalamt (BKA) Cyber, Canada Royal Canadian Mounted Police (RCMP), Ontario Provincial Police (OPP), Sûreté du Québec (SQ), and our industry partners in this effort. https://lnkd.in/ehCVdWms