Coordinated DDoS campaign overwhelms Russian online services

Russian companies were struck by one of the largest waves of distributed denial-of-service (DDoS) attacks in early March 2026, with more than 4 million devices involved, a press release from cybersecurity firm StormWall said. The campaign was reportedly driven by the Kimwolf botnet.

The attacks unfolded over several days in a multi-stage format. Peak intensity was recorded on March 4, when traffic surged to around 700,000 requests per second. Attackers employed a segmented approach, activating only parts of the botnet at a time rather than deploying it in full, a tactic that complicated detection and mitigation efforts, Caliber.Az reports, citing Russian media.

According to StormWall, the malicious traffic originated from multiple countries. Brazil accounted for the largest share of IP addresses at 30.1%, followed by the United States (24.9%) and India (18.8%). Other countries in the top ten included the United Kingdom (8.1%), Türkiye (5.3%), Pakistan (5%), Bangladesh (3.1%), Canada (3.1%), and Argentina (2.9%). Russia ranked fifth in terms of the number of infected devices involved, representing 6.7% of the total IP pool.

Experts warn that attacks of this magnitude—particularly those targeting the application layer (L7)—pose a significant threat to online services, as bots can closely imitate legitimate user behavior. This undermines traditional defense methods that rely on IP filtering and geolocation.

StormWall did not rule out the possibility that the campaign was commissioned. The cost of maintaining large botnets and the complexity of coordinating such infrastructure suggest potential involvement by organized groups acting on behalf of commercial interests.

“The DDoS services market has reached a new level,” said StormWall CEO and co-founder Ramil Khantimirov. “The Kimwolf botnet is a clear example: in just a few months, it has evolved from a shadow proxy service into a tool for commissioned attacks. Even short-term disruptions can result in significant revenue and customer losses. We expect both the scale and frequency of such attacks in Russia to continue growing, and we strongly recommend that companies implement multi-layered defence systems capable of detecting anomalous behavior, rather than relying solely on IP-based or geolocation filtering.”

By Vafa Guliyeva