Apps, APIs, and DDoS 2026: The Industrialization of Cyberattack Campaigns

The Akamai 2026 SOTI report highlights the industrialization of cyberattacks, driven by automation and the convergence of API threats, web exploits, and DDoS campaigns. Key trends include a massive 104% surge in Layer 7 DDoS attacks powered by super botnets, increased risks from untested AI-generated code, and a 73% rise in web application attacks.

Confidence: high | Analyzed: 2026-03-18 | Category: reports

Authors: Akamai, Brent Maynard, Steve Winterfeld

Actors: Kimwolf, Aisuru

Source: Akamai

Key Takeaways

  • APIs have become the primary attack surface, with threat actors shifting from traditional web exploits to behavior-based threats.
  • Layer 7 DDoS attacks have surged by 104% over the last two years, driven by super botnets like Kimwolf and Aisuru.
  • AI-assisted 'vibe coding' is introducing misconfigurations and vulnerabilities into production environments due to a lack of testing.
  • Web attack volumes have increased by 73% between 2023 and 2025, often causing cumulative damage through degraded performance.
  • DNS misconfigurations, such as dangling CNAME records, continue to quietly facilitate underlying security incidents.

Affected Systems

  • APIs
  • Web Applications
  • DNS Infrastructure
  • SaaS Platforms

Attack Chain

Attackers are industrializing their campaigns by combining web application exploits, API abuse, and DDoS attacks into converged, automated assaults. Super botnets like Kimwolf and Aisuru are leveraged to launch crippling Layer 7 volumetric floods against target infrastructure. Additionally, threat actors exploit misconfigurations introduced by AI-assisted coding and unresolved DNS records (such as dangling CNAMEs) to compromise systems, leak data via shadow APIs, and degrade performance over time.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the article, as it is a high-level threat landscape report.

Detection Engineering Assessment

  • EDR Visibility: Low. The threats discussed (DDoS, API abuse, DNS misconfigurations) are primarily network and application-layer issues, which fall outside the primary scope of traditional endpoint detection and response tools.
  • Network Visibility: High. WAFs, API gateways, and network traffic analysis are essential for detecting Layer 7 DDoS surges, API behavioral anomalies, and web application attacks.
  • Detection Difficulty: Moderate. Volumetric DDoS is relatively easy to spot, but subtle API behavioral abuse and slow-burn attacks require baseline profiling and anomaly detection to distinguish them from legitimate traffic.

Required Log Sources

  • WAF Logs
  • API Gateway Logs
  • DNS Query Logs
  • Network Flow Logs

Hunting Hypotheses

  • Unauthenticated or anomalous API endpoints (shadow/zombie APIs) are receiving unusual traffic volumes or unexpected parameter payloads. (Telemetry: API Gateway Logs; ATT&CK Stage: Initial Access; FP Risk: Medium)
  • Dangling CNAME records are being hijacked to route traffic to attacker-controlled infrastructure. (Telemetry: DNS Logs; ATT&CK Stage: Defense Evasion; FP Risk: Low)
  • Layer 7 traffic spikes originating from distributed sources are targeting specific web applications, indicating a potential botnet-driven DDoS attack. (Telemetry: WAF Logs; ATT&CK Stage: Impact; FP Risk: Low)

Control Gaps

  • Lack of API visibility (Shadow/Zombie APIs)
  • Unverified AI-generated code (Vibe coding)
  • Unresolved DNS misconfigurations

Key Behavioral Indicators

  • Spikes in Layer 7 traffic
  • Anomalous API request patterns
  • Dangling CNAME resolutions

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Audit DNS records to identify and remove dangling CNAMEs.
  • Ensure WAF and DDoS protection services are actively monitoring Layer 3, Layer 4, and Layer 7 traffic.
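As an added illustration of the first step (example code written for this summary, not from the Akamai report), the check below walks a zone export and flags every CNAME whose target no longer resolves. The zone and the resolver answers are constructed placeholders; `live_resolve` swaps in the system resolver for a real audit.

```python
import socket
from typing import Callable, Iterable, Optional
# Constructed sample zone export as (owner, type, rdata) tuples. The names
# are placeholders for this example, not records from the Akamai report.
SAMPLE_ZONE = [
    ("www.example.com.", "CNAME", "example.com."),
    ("shop.example.com.", "CNAME", "shop-legacy.provider.example.net."),
    ("docs.example.com.", "CNAME", "old-bucket.storage.example.net."),
    ("api.example.com.", "A", "192.0.2.10"),
]

# Constructed stand-in for live DNS answers: a set of addresses when the
# target resolves, an empty set when the name exists without address
# records, and None for NXDOMAIN (the state a third party could claim).
MOCK_ANSWERS = {
    "example.com.": {"192.0.2.1"},
    "shop-legacy.provider.example.net.": None,
    "old-bucket.storage.example.net.": set(),
}
def mock_resolve(name: str) -> Optional[set]:
    return MOCK_ANSWERS.get(name)

def live_resolve(name: str) -> Optional[set]:
    """System-resolver lookup; None when it fails. getaddrinfo does not
    separate NXDOMAIN from transient errors, so confirm each hit with a
    real DNS client (dig, or a library such as dnspython) before acting."""
    try:
        infos = socket.getaddrinfo(name.rstrip("."), None)
    except socket.gaierror:
        return None
    return {info[4][0] for info in infos}

def find_dangling_cnames(zone: Iterable[tuple],
                         resolve: Callable[[str], Optional[set]]) -> list:
    """Return (owner, target, reason) for every CNAME whose target is dead."""
    findings = []
    for owner, rtype, rdata in zone:
        if rtype != "CNAME":
            continue  # only CNAMEs can dangle toward an abandoned target
        answer = resolve(rdata)
        if answer is None:
            findings.append((owner, rdata, "NXDOMAIN: target no longer exists"))
        elif not answer:
            findings.append((owner, rdata, "target has no address records"))
    return findings

if __name__ == "__main__":
    for owner, target, reason in find_dangling_cnames(SAMPLE_ZONE, mock_resolve):
        print(f"{owner} -> {target}: {reason}")
```

Pass `live_resolve` instead of `mock_resolve` to run it against a real zone export; NXDOMAIN hits are the ones to remove or re-point first, since that target can be claimed by someone else.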

Infrastructure Hardening

  • Implement a defense-in-depth API security strategy combining WAFs with dedicated API behavioral protection.
  • Establish comprehensive visibility and inventory of all APIs, including shadow and zombie APIs.

User Protection

  • N/A

Security Awareness

  • Train development teams on the risks of 'vibe coding' and mandate security testing for AI-assisted code before production deployment.
  • Foster cross-functional collaboration between developers, IT, and infosec to ensure best practices are followed for countering converged threats.

MITRE ATT&CK Mapping

  • T1498.001 - Network Denial of Service: Direct Network Flood
  • T1498.002 - Network Denial of Service: Reflection Amplification
  • T1190 - Exploit Public-Facing Application
  • T1584.005 - Compromise Infrastructure: Botnet