February 28, 2026 · Source: Krebs on Security

Who is the Kimwolf Botmaster “Dort”?


A threat actor operating under the alias "Dort" is running what security researchers believe to be the world's largest active botnet. According to reporting from Krebs on Security, this isn't some theoretical risk buried in a white paper. This is a documented, active threat with a clear pattern of coordinated attacks against real people—specifically a security researcher and journalist who had the misfortune of drawing Dort's attention.

The implications here are significant. We're not talking about passive malware sitting dormant on infected systems. Dort's botnet is actively being weaponized.

What We Know

Krebs on Security documented a sustained harassment campaign targeting a security researcher, with attacks spanning multiple vectors simultaneously. The assault took four distinct forms: distributed denial-of-service (DDoS) flooding, email spam campaigns, doxing operations, and swatting incidents. The coordination and scale suggest sophisticated command-and-control infrastructure.

The timeline matters here. This wasn't a one-off incident. The harassment spanned an extended period, suggesting Dort has both the motivation and the operational capacity to maintain focused pressure against targets.

Identity confirmation remains incomplete. But Krebs on Security's investigation has narrowed the field considerably, documenting enough behavioral and technical signatures that law enforcement has concrete leads to pursue.

How It Works

What does an attack look like when the operator controls botnet infrastructure at this scale?

Dort maintains command infrastructure that controls thousands—potentially hundreds of thousands—of compromised systems. These infected machines execute attack directives on demand. A DDoS attack floods a target with traffic. Email flooding campaigns hammer inboxes with thousands of unwanted messages per hour. Doxing operations expose personal information. Swatting dispatches armed police to a target's residence under false pretenses.

The infrastructure itself probably runs on a combination of compromised servers, bulletproof hosting providers, and intentionally obfuscated command channels. Attribution becomes deliberately difficult. But Krebs on Security's investigators found enough operational overlap and unique fingerprints to build a coherent picture of who's pulling the strings.

This level of sustained coordination requires either significant technical sophistication or access to someone who has it.

Why It Matters

The real question is: why target a security researcher in the first place?

Likely because that researcher was doing their job—documenting Kimwolf's operations, tracking botnet activity, or investigating Dort's identity. In other words, this is retaliation. And frankly, it's a warning signal to everyone else in the security community: investigate this botnet and face consequences.

That's a problem. When threat actors can successfully intimidate researchers through coordinated harassment and physical threats, the entire threat intelligence ecosystem weakens. Documentation slows. Researchers self-censor. Botnets operate with less scrutiny.

And the infrastructure itself remains dangerous. Every infected system is a pivot point, a potential beachhead into corporate networks. Every DDoS attack is a proof-of-concept for larger operations. Every swatting incident risks someone's life.

Next Steps

If you operate infrastructure that's been targeted by DDoS activity, start correlating attack timestamps with known Kimwolf campaign windows. There's probably overlap.

Security teams should review email security logs for evidence of mass flooding campaigns—those leave forensic traces. Look for sudden spikes in blocked messages from rotating sender addresses over short timeframes.
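One way to implement that log review, as an added example that is not code from Krebs on Security or from the original post: a Python script that parses mail-gateway log lines and flags any recipient who receives a burst of blocked messages from many distinct sender addresses inside a short sliding window. The log line format, the thresholds, and every address and domain below are assumptions constructed for this demo, not a real product's format or real traffic.

```python
"""Added example (not from Krebs on Security or the original post): detect an
email-flooding campaign in mail-gateway logs.

Heuristic from the text: a sudden spike of blocked messages aimed at one
recipient, arriving from many rotating sender addresses inside a short window.
The log format, thresholds and all addresses below are constructed for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log line shape (a hypothetical gateway format, not any real product's):
#   2026-02-28T10:00:01Z action=BLOCK from=<sender> to=<recipient>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>[A-Z]+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)>$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def stamp(dt):
    """Format a datetime the way the constructed log format expects."""
    return dt.strftime(TS_FMT)


def parse_line(line):
    """Parse one log line; return (timestamp, action, sender, recipient) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], TS_FMT)
    except ValueError:
        return None
    return ts, m["action"], m["sender"].lower(), m["rcpt"].lower()


def detect_floods(lines, window_seconds=300, min_blocked=20, min_senders=10):
    """Return {recipient: (window_start, blocked_count, distinct_senders)} for each
    recipient whose blocked-message count AND sender diversity both exceed the
    thresholds inside some sliding window of window_seconds. Thresholds are
    placeholders; tune them against your own baseline."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or non-matching lines
        ts, action, sender, rcpt = parsed
        if action == "BLOCK":
            events[rcpt].append((ts, sender))

    alerts = {}
    for rcpt, evs in events.items():
        evs.sort()
        q = deque()                        # events inside the current window
        sender_counts = defaultdict(int)   # per-sender count inside the window
        for ts, sender in evs:
            q.append((ts, sender))
            sender_counts[sender] += 1
            # Slide the window: drop events older than window_seconds.
            while ts - q[0][0] > window:
                old_ts, old_sender = q.popleft()
                sender_counts[old_sender] -= 1
                if sender_counts[old_sender] == 0:
                    del sender_counts[old_sender]
            # Many blocks from many DISTINCT senders = rotating-sender flood.
            if len(q) >= min_blocked and len(sender_counts) >= min_senders:
                prev = alerts.get(rcpt)
                if prev is None or len(q) > prev[1]:
                    alerts[rcpt] = (q[0][0], len(q), len(sender_counts))
    return alerts


def build_sample_log():
    """Constructed sample (not real traffic): 30 blocked messages to one mailbox
    in under two minutes from 30 rotating sender addresses, plus background
    traffic that must NOT trip the detector."""
    base = datetime(2026, 2, 28, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = stamp(base + timedelta(seconds=4 * i))
        lines.append(f"{ts} action=BLOCK from=<signup{i}@mailer{i % 7}.example> to=<victim@example.org>")
    # One persistent spammer hitting a different mailbox: few messages, one sender.
    for i in range(5):
        ts = stamp(base + timedelta(minutes=i))
        lines.append(f"{ts} action=BLOCK from=<ads@spam.example> to=<sales@example.org>")
    # Legitimate delivered mail, and a malformed line the parser must skip.
    lines.append(f"{stamp(base)} action=ACCEPT from=<alice@partner.example> to=<victim@example.org>")
    lines.append("garbage line that does not match the expected format")
    return lines


if __name__ == "__main__":
    for rcpt, (start, count, senders) in detect_floods(build_sample_log()).items():
        print(f"FLOOD {rcpt}: {count} blocked msgs from {senders} senders starting {start:%H:%M:%S}")
```

The detector keys on two signals together: volume of blocked mail to one mailbox and the number of distinct senders behind it. A single persistent spammer, however noisy, never satisfies the second condition, which is what separates an ordinary blocklist hit from the rotating-sender pattern described above. Run it against a real gateway export by swapping the regex for your product's format and raising the thresholds to sit above your normal per-recipient block rate.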

Most importantly: if you've got information about Dort's identity, you should be talking to federal law enforcement. Krebs on Security's reporting has already provided investigators with a roadmap. Your technical details could be the missing piece.

The botnet won't disappear on its own. Neither will Dort.


FAQ

What is a cyber attack and how does Kimwolf carry one out?

A cyber attack is a deliberate attempt to harm systems or people through digital means. Kimwolf's botmaster Dort executes attacks by controlling compromised computers to launch DDoS floods, email spam campaigns, doxing (exposing personal information), and swatting (sending armed police to someone's home).

Who is Dort and has he been identified?

Dort is the alias of the botmaster controlling Kimwolf, reportedly the world's largest active botnet. While Krebs on Security has documented enough behavioral and technical evidence to narrow down the identity significantly, full confirmation and public identification have not yet occurred.

Could there be another cyber attack from Kimwolf targeting my organization?

Yes. Kimwolf remains active and has demonstrated willingness to target journalists, researchers, and potentially organizations. Monitor for sudden spikes in DDoS traffic, suspicious email floods, and unusual network activity as early warning signs of an impending attack.
