I'd heard that Comcast was getting ready to issue a report on how it's been dealing ...

2026-01-23 16:28:04 UTC

I'd heard that Comcast was getting ready to issue a report on how it's been dealing with the massive number of Aisuru/Kimwolf botnet infections on their network. Also, Kimwolf piggybacked on IPIDEA's proxy network, and data from Synthient shows Comcast's email service (imap.comcast.net) was the most-requested domain of IPIDEA users (these are credential-stuffing attacks).

Glad I didn't wait for their report. It's basically a recap of everything we know so far, but narry a word about how it's affecting their customers. Instead, the blog post uses the old "we ran the malware in a lab and here's what we saw" approach to admiring the problem.

https://corporate.comcast.com/press/releases/localhost-as-an-attack-multiplier-resproxy-co-infection-and-lateral-expansion

Author Public Key

npub1rfdvtvmesnz7x7s3hjg5q2dgrup9xfh209gvj36angljrfy5edtq25t9xk

Show more details

Published at

2026-01-23 16:28:04 UTC

Kind type

1 Short Text Note

Event JSON

{ "id": "c286082b4c1bfeefdef6f9b6a0e1c87a2234707e3bc23272760fc7da00ae9837", "pubkey": "1a5ac5b37984c5e37a11bc914029a81f025326ea7950c9475d9a3f21a494cb56", "created_at": 1769185684, "kind": 1, "tags": [ [ "e", "88d3317238b88c112f2401c425519e03ccee465844e1d58556a3725e925ca70b", "wss://relay.ditto.pub", "reply" ], [ "imeta", "url https://media.infosec.exchange/infosec.exchange/media_attachments/files/115/945/344/780/125/499/original/3bcc659d52e9e255.png", "m image/png", "dim 934x574", "blurhash UnQJG;Sc_Ma6Xonhs7S%%gahMytP-4ShNfwH" ], [ "proxy", "https://infosec.exchange/users/briankrebs/statuses/115945353001367284", "activitypub" ], [ "client", "Mostr", "31990:6be38f8c63df7dbf84db7ec4a6e6fbbd8d19dca3b980efad18585c46f04b26f9:mostr", "wss://relay.ditto.pub" ] ], "content": "I'd heard that Comcast was getting ready to issue a report on how it's been dealing with the massive number of Aisuru/Kimwolf botnet infections on their network. Also, Kimwolf piggybacked on IPIDEA's proxy network, and data from Synthient shows Comcast's email service (imap.comcast.net) was the most-requested domain of IPIDEA users (these are credential-stuffing attacks). \n\nGlad I didn't wait for their report. It's basically a recap of everything we know so far, but narry a word about how it's affecting their customers. Instead, the blog post uses the old \"we ran the malware in a lab and here's what we saw\" approach to admiring the problem.\n\nhttps://corporate.comcast.com/press/releases/localhost-as-an-attack-multiplier-resproxy-co-infection-and-lateral-expansion\n\nhttps://media.infosec.exchange/infosec.exchange/media_attachments/files/115/945/344/780/125/499/original/3bcc659d52e9e255.png", "sig": "f61693f3bae83fcc29ca280f567f65c0f0da25899174c1ba22b6aadd991f3c59e0e729e38869c78d671cac9bf8230e7e73d3e59d89324f330d9b64edd2d835db" }

BrianKrebs on Nostr: I'd heard that Comcast was getting ready to issue a report on how it's been dealing ...