
Over the past few months, there has been a dramatic increase in both the number and intensity of cyberattacks on NZ and AU websites. As such, I’ve been dealing with DDoS and botnet attacks on multiple websites that I provide website maintenance plans for.
My WordPress website maintenance services do cover basic security for brute force login attacks and include a web application firewall using the ‘free’ version of Wordfence Security.
However, the scale, intensity, and severity of the rapidly increasing DDoS and botnet attacks are far beyond what “basic security” services can cover. That’s because it takes hours of work to implement an effective, custom-made plan of action to defend against these sophisticated attacks. See our Comprehensive DDoS Guide for more information. My experience has been that botnet attack activities automatically adapt as defences are applied. The types of botnets targeting your website may vary depending on the site’s attractiveness to hackers, the types of databases it stores, and whether or not it has an e-commerce facility.
As a general rule, hosting companies don’t provide DDoS or botnet attack protection and/or mitigation services.
Across the 12 NZ-related websites I’ve worked on over the past month (February/March) to counter active DDoS/botnet attacks, I’ve apparently encountered 19 different active botnets!
- RondoDox
- Androxgh0st
- The “ALFA” / Web Shell Injector
- The “POST Bomb” / Brute-Force Botnet
- Data Center Scrapers & Vulnerability Scanners
- Headless Browser “Low-Friction” Bots
- High-Velocity Data Center Botnets
- Known Automated “Crawler” Botnets
- “Privacy-Preserving” Probes
- Mirai & Flax Typhoon (The “Vendor” Probers)
- Vidar & Stealc (The Malware Droppers)
- The “Configuration Harvesters” (High Threat)
- The “Cloud-Scale Scanners” (The Giant Nets)
- The “POST Bomb” Infiltrators (Data Injectors)
- The “Path Hunters” (Directory Brute-Forcers)
- KimWolf & the Aisuru variant (The Search Flood & Timeout Culprits)
- JackSkid (The “Sniper” Scanner)
- Mossad
Most websites had more than one named active attacker, including the following:
4x IT-related Websites (NZ)
- The “Configuration Harvesters” (High Threat)
- The “Cloud-Scale Scanners” (The Giant Nets)
- The “POST Bomb” Infiltrators (Data Injectors)
- The “Path Hunters” (Directory Brute-Forcers)
2x Educational Sites (NZ)
- KimWolf & Aisuru (The Search Flood & Timeout Culprits)
- JackSkid (The “Sniper” Scanner)
- Mirai & Flax Typhoon (The “Vendor” Probers)
- Vidar & Stealc (The Malware Droppers)
1x Vehicle Performance (NZ)
- High-Velocity Data Center Botnets
- Known Automated “Crawler” Botnets
- “Privacy-Preserving” Probes
1x Motorsports (NZ/Int.)
- Aisuru
- KimWolf
- JackSkid
- Mossad
1x Air Conditioning (NZ)
- The “ALFA” / Web Shell Injector
- The “POST Bomb” / Brute-Force Botnet
- Data Center Scrapers & Vulnerability Scanners
- Headless Browser “Low-Friction” Bots
1x Flooring Contractor (NZ)
- RondoDox
- Androxgh0st
- Aisuru
Full list of known/named botnets and DDoS sources active in the NZ/AU region. (I suspect that the “names” may vary, and that Gemini isn’t always 100% certain about identification and hazards a guess. The Cloudflare event logs show the attack patterns, so “educated” guesses are possible.)
The attackers using these systems may be state actors, foreign gangs, hacktivists, financially motivated criminals or even your competitors.
The AI analysis of the botnet landscape in New Zealand reveals a sophisticated, multi-layered threat environment, one that is evolving rapidly to target modern website frameworks and the cloud infrastructure behind them at the same time. As security weaknesses emerge in NZ, criminal operators exploit them without mercy through automated botnet attacks.
In the past year, it is reported that almost 20% of NZ businesses have suffered a financial penalty due to cybercrimes, ranging from fraudulent transactions to ransomware attacks. This problem isn’t going away any time soon.
Sources: Kordia NZ Business Cyber Security Report 2025 | National Cyber Security Center | 1 in 2 large businesses successfully attacked by cybercriminals in 2024/25 | Cloudflare 2026 Threat Report
Key 2025/2026 NZ Cybercrime Citations & Trends:
Ransomware and Cyber-Enabled Fraud (2025/2026):
- It is estimated that New Zealanders are losing more than $1.6 billion annually to cybercrime, with a significant portion attributed to cyber-enabled fraud.
- Ransomware-as-a-Service (RaaS) has been commercialized, allowing less skilled actors to use ransomware to steal data and demand payment, often causing severe operational disruption to NZ businesses.
- In a 2026 report, 19% of Kiwi businesses impacted by cyber incidents reported financial extortion, and 8% paid a ransom.
Source: Kordia NZ Business Cyber Security Report 2026
New Zealand-Specific Impact
For New Zealand organizations, the financial impact is often measured by total incident cost rather than just the demand, as local businesses are frequently targeted by “mid-tier” groups.
- Small Businesses: Average financial loss per incident is approximately $56,600.
- Medium Businesses: Average financial loss per incident is $97,166.
- Large Businesses: Average financial loss per incident is $202,700.
- Recent Local Example: A 2025 attack on a major New Zealand medical patient portal involved a demand of $60,000.
Source: Australian Cyber Crisis Hits NZ: What Businesses Must Know
What Can I Do to Protect my Website?
An effective anti-botnet strategy has multiple stages. The estimated hours per stage depend on the complexity of the website: e-commerce, memberships, subscriptions and external connections to databases all complicate the protection and mitigation effort.
For a normal “small business” without WooCommerce, the “attack surface” to be protected is minimal and the time frame may be as follows:
Stage 1: DDoS & Botnet Protection
Move your website onto Cloudflare’s free plan so that you can use its “Security Rules” functionality. Start with a small set of fundamental rules: one that exempts you from every block, and others that block the most likely attack vectors. The resulting event log then shows you what activity is actually occurring.
- The first rule exists to stop you shooting yourself in the foot: friendly fire from your own security rules can lock YOU out too!
- I like to focus the second rule on attacks on structural elements such as subdirectories, and on the login, cart, checkout and xmlrpc pages.
- The third rule defends against “post bombs” and “slow burn” POST attacks designed to cripple your site’s ability to function by overloading it.
- The fourth rule lets traffic from your target market through and serves a managed challenge to every other country.
- Cloudflare also screens out some bot traffic on its own, and diverts visitors from known problematic IP addresses and sources.
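As an added illustration (this is not code from this page or from Cloudflare), the following Python mirrors the four Stage 1 rules and the way Cloudflare evaluates custom rules: top to bottom, stopping at the first terminating action, so a Skip rule placed first exempts you from everything below it. The owner IP 203.0.113.10, the country list and the path lists are assumptions chosen for illustration; the Cloudflare expression each predicate mirrors is shown in the comment beside it.

```python
"""Added example: first-match evaluation of the four Stage 1 security rules.

Each Python predicate mirrors the Cloudflare rule expression in its comment.
Addresses, countries and paths are assumptions chosen for illustration.
"""
from dataclasses import dataclass

OWNER_IPS = {"203.0.113.10"}                 # assumption: your own static IP(s)
TARGET_COUNTRIES = {"NZ", "AU"}              # assumption: the site's market
SENSITIVE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin",
                   "/cart", "/checkout", "/.env", "/.git")
PUBLIC_POST_PATHS = ("/wp-comments-post.php", "/contact")  # assumption: forms the public may POST to


@dataclass(frozen=True)
class Request:
    ip: str
    country: str
    method: str
    path: str


# Rule 1 -- Cloudflare: (ip.src in {203.0.113.10})   action: Skip remaining custom rules
def owner(r):
    return r.ip in OWNER_IPS


# Rule 2 -- Cloudflare: (http.request.uri.path contains "/wp-login.php") or ...   action: Block
def structural(r):
    return r.path.startswith(SENSITIVE_PATHS)


# Rule 3 -- Cloudflare: (http.request.method eq "POST" and not http.request.uri.path in {...})   action: Block
def post_bomb(r):
    return r.method == "POST" and not r.path.startswith(PUBLIC_POST_PATHS)


# Rule 4 -- Cloudflare: (not ip.src.country in {"NZ" "AU"})   action: Managed Challenge
def foreign(r):
    return r.country not in TARGET_COUNTRIES


# Order matters: custom rules run top to bottom and evaluation stops at the
# first terminating action (skip, block, managed_challenge).
RULES = [
    ("allow-owner", "skip", owner),
    ("block-structural", "block", structural),
    ("block-post-bomb", "block", post_bomb),
    ("challenge-foreign", "managed_challenge", foreign),
]


def evaluate(req, rules=RULES):
    """Return the outcome for one request: the first matching rule's action,
    with 'skip' reported as 'allow' (the request proceeds to the origin)."""
    for _name, action, matches in rules:
        if matches(req):
            return "allow" if action == "skip" else action
    return "allow"


def friendly_fire_demo():
    """The owner logging in with the correct order vs. with the Skip rule moved last."""
    me = Request("203.0.113.10", "NZ", "POST", "/wp-login.php")
    wrong_order = RULES[1:] + RULES[:1]
    return evaluate(me), evaluate(me, wrong_order)


if __name__ == "__main__":
    samples = [
        Request("203.0.113.10", "NZ", "POST", "/wp-login.php"),   # you
        Request("198.51.100.7", "US", "GET", "/xmlrpc.php"),       # scanner
        Request("203.0.113.44", "NZ", "POST", "/wp-login.php"),    # local brute-forcer
        Request("203.0.113.45", "NZ", "POST", "/contact"),         # legitimate form post
        Request("192.0.2.9", "DE", "GET", "/about"),               # foreign visitor
        Request("203.0.113.46", "NZ", "GET", "/about"),            # local visitor
    ]
    for s in samples:
        print(f"{s.ip:14} {s.country} {s.method:4} {s.path:24} -> {evaluate(s)}")
    print("owner, correct order / Skip rule last:", friendly_fire_demo())
```

Two practical points follow from the model. First, anyone else who must log in (a second administrator, a contractor) has to be added to the Skip rule, or rules 2 and 3 will block their login exactly as they block an attacker’s. Second, the free plan allows only a small number of custom rules, so related conditions are combined with `or` inside one rule rather than spread across several.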

The security rules generate a granular set of event logs that detail events as they occur. The logs can be downloaded and analysed by Gemini AI. Based on the analysis of “Events last 24h”, the rules can be updated immediately to counter the specific attack in progress. In practice, as one attack tactic fails, the botnet may adjust its target, and some botnets can work multiple attack vectors at once, so regular monitoring is essential for detecting and fending off the varying attacks. (approx. 4 hours work.) Here’s a link to our DIY Guide to the Cloudflare free plan’s Security Rules.
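The triage that drives those rule updates can be scripted rather than left to an AI read-through. The following is an added example, not code from this page: it reads a JSON-lines export of Cloudflare security events and answers the questions a rule update needs: which paths are still getting through, which network the traffic comes from, which IPs are running a “slow burn” at a rate too low to trip a per-minute limit, and whether a search flood is under way. The field names follow Cloudflare’s security-events export (the `firewallEventsAdaptive` dataset), so check them against your own download; the events, ASNs and the `ALREADY_BLOCKED` list are constructed assumptions.

```python
"""Added example: triage of an exported Cloudflare security-event log.

Field names follow Cloudflare's security-events export (firewallEventsAdaptive);
verify them against your own JSON export.  The events below are constructed and
the ASNs (64500, 64501) come from the range reserved for documentation.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
{"datetime":"2026-03-02T10:00:01Z","clientIP":"198.51.100.7","clientAsn":64500,"clientASNDescription":"EXAMPLE-DC","clientCountryName":"US","clientRequestHTTPMethodName":"POST","clientRequestPath":"/wp-login.php","clientRequestQuery":"","action":"block"}
{"datetime":"2026-03-02T10:00:03Z","clientIP":"198.51.100.7","clientAsn":64500,"clientASNDescription":"EXAMPLE-DC","clientCountryName":"US","clientRequestHTTPMethodName":"POST","clientRequestPath":"/xmlrpc.php","clientRequestQuery":"","action":"block"}
{"datetime":"2026-03-02T10:05:00Z","clientIP":"198.51.100.8","clientAsn":64500,"clientASNDescription":"EXAMPLE-DC","clientCountryName":"US","clientRequestHTTPMethodName":"GET","clientRequestPath":"/wp-content/plugins/example/readme.txt","clientRequestQuery":"","action":"managed_challenge"}
{"datetime":"2026-03-02T10:05:02Z","clientIP":"198.51.100.9","clientAsn":64500,"clientASNDescription":"EXAMPLE-DC","clientCountryName":"US","clientRequestHTTPMethodName":"GET","clientRequestPath":"/wp-content/plugins/example/readme.txt","clientRequestQuery":"","action":"managed_challenge"}
{"datetime":"2026-03-02T10:05:04Z","clientIP":"198.51.100.10","clientAsn":64500,"clientASNDescription":"EXAMPLE-DC","clientCountryName":"US","clientRequestHTTPMethodName":"GET","clientRequestPath":"/wp-content/plugins/example/readme.txt","clientRequestQuery":"","action":"managed_challenge"}
{"datetime":"2026-03-02T10:07:00Z","clientIP":"203.0.113.44","clientAsn":64501,"clientASNDescription":"EXAMPLE-ISP-NZ","clientCountryName":"NZ","clientRequestHTTPMethodName":"GET","clientRequestPath":"/","clientRequestQuery":"?s=zq1","action":"log"}
{"datetime":"2026-03-02T11:07:00Z","clientIP":"203.0.113.44","clientAsn":64501,"clientASNDescription":"EXAMPLE-ISP-NZ","clientCountryName":"NZ","clientRequestHTTPMethodName":"GET","clientRequestPath":"/","clientRequestQuery":"?s=zq2","action":"log"}
{"datetime":"2026-03-02T12:07:00Z","clientIP":"203.0.113.44","clientAsn":64501,"clientASNDescription":"EXAMPLE-ISP-NZ","clientCountryName":"NZ","clientRequestHTTPMethodName":"GET","clientRequestPath":"/","clientRequestQuery":"?s=zq3","action":"log"}
"""

# Paths your current rules already block (assumption: rule 2 from Stage 1).
ALREADY_BLOCKED = ("/wp-login.php", "/xmlrpc.php", "/wp-admin", "/cart", "/checkout")


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(events, hot_path_min=3, slow_burn_min=3, slow_burn_span=timedelta(hours=1)):
    """Aggregate one export into the facts that drive a rule update."""
    blocked = Counter(e["clientRequestPath"] for e in events if e["action"] == "block")
    # Paths that only got logged or challenged and are not yet covered by a block rule.
    leaked = Counter(e["clientRequestPath"] for e in events
                     if e["action"] != "block"
                     and not e["clientRequestPath"].startswith(ALREADY_BLOCKED))
    hot_unblocked = {p: n for p, n in leaked.items() if n >= hot_path_min and p != "/"}
    by_asn = Counter((e["clientAsn"], e["clientASNDescription"]) for e in events)
    # Slow burn: the same IP hitting the site at a low rate over a long window,
    # staying under any per-minute rate limit but never stopping.
    seen = defaultdict(list)
    for e in events:
        seen[e["clientIP"]].append(datetime.fromisoformat(e["datetime"].replace("Z", "+00:00")))
    slow_burn = {ip: len(t) for ip, t in seen.items()
                 if len(t) >= slow_burn_min and max(t) - min(t) >= slow_burn_span}
    # WordPress search is /?s=term; a burst of random terms is a search flood.
    search_flood = sum(1 for e in events if e["clientRequestQuery"].lstrip("?").startswith("s="))
    return {"blocked": blocked, "hot_unblocked": hot_unblocked, "by_asn": by_asn,
            "slow_burn": slow_burn, "search_flood": search_flood}


def candidate_expressions(summary, asn_min=4):
    """Turn the summary into (suggested action, Cloudflare expression) pairs to review."""
    out = []
    for path in sorted(summary["hot_unblocked"]):
        out.append(("block", f'(http.request.uri.path contains "{path}")'))
    for (asn, _desc), n in summary["by_asn"].most_common():
        if n >= asn_min:
            out.append(("block", f"(ip.src.asnum eq {asn})"))
    if summary["search_flood"]:
        out.append(("rate_limit",
                    '(http.request.uri.query contains "s=" and http.request.method eq "GET")'))
    return out


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_EVENTS))
    for key, value in s.items():
        print(f"{key}: {value}")
    for action, expr in candidate_expressions(s):
        print(f"{action:10} {expr}")
```

The output is a review list, not something to apply blindly: a block on a whole ASN also stops every legitimate service hosted there (uptime monitors, a partner’s integration), and the search-flood candidate is suggested as a rate-limiting rule because blocking `?s=` outright breaks search for real visitors.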
Stage 2: Website Security:
First, improve security on the website itself. Entry-level brute-force login plugins are not as effective as a plugin with 2FA activated, and Wordfence with a premium licence has a firewall with up-to-date defences against recently discovered vulnerabilities.
Second, improve page-load performance so that the higher-volume DDoS attacks don’t overwhelm the site. Note that any perceived slowness on your website is often the first visible sign of botnet activity. (+2 hours work)
- Ensuring all website caching opportunities for performance improvements are implemented.
- Realtime firewall rule updates on Wordfence. (premium version)
- 2-Factor Authentication: provides extended protection in case a User ID/Password combination is ‘cracked’ – that should stop full direct access by the attacker.
Stage 3: Cloudflare Cache Rules
Implement Cloudflare Cache Rules: to increase the “percentage cached” on your content delivered to visitors. The more page content Cloudflare can deliver directly to a visitor, the lower the stress on your web server. (+3 hours work)
Example: on this website, as part of fighting a month-long DDoS/botnet attack, I lifted the Percentage Cached from under 30% to almost 80% at peak times. The average is 67.85% for the past 30 days.

Ready for some DIY DDoS protection? See my Guide to free Cloudflare Security Rules for WordPress.
Stage 4: Hosting Account Security
Improve security on your hosting account and cPanel. Strong passwords are essential and 2-Factor Authentication is advisable. Then block access to any traffic that is not coming through Cloudflare: anyone trying to reach your server while bypassing Cloudflare’s security is an enemy… (+30 minutes work)
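Blocking traffic that bypasses Cloudflare means allowing only Cloudflare’s own edge addresses to reach the origin, and only then trusting the `CF-Connecting-IP` header for the visitor’s real address. The following is an added example, not code from this page or from Cloudflare. Cloudflare publishes its edge ranges at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the IPv4 list embedded below was copied from that page at the time of writing and should be regenerated from the live list rather than trusted as-is. The sample connections are constructed.

```python
"""Added example: refuse connections that bypass Cloudflare (Stage 4).

Cloudflare publishes its edge address ranges at https://www.cloudflare.com/ips-v4
and /ips-v6.  The IPv4 list below was copied from that page at the time of
writing; regenerate it from the live list rather than trusting this copy.
The sample connections are constructed.
"""
import ipaddress

CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(r) for r in CLOUDFLARE_IPV4]


def is_cloudflare_edge(ip, nets=CLOUDFLARE_NETS):
    """True if the connecting address belongs to one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def classify(peer_ip, headers):
    """Decide what the origin should do with one TCP peer.

    Only a connection from a Cloudflare edge is accepted, and only then is the
    CF-Connecting-IP header believed: a client connecting directly can set that
    header to anything, so it is ignored unless the peer itself is an edge."""
    if not is_cloudflare_edge(peer_ip):
        return ("deny", peer_ip)
    return ("allow", headers.get("CF-Connecting-IP", peer_ip))


def render_apache(ranges=CLOUDFLARE_IPV4):
    """Apache 2.4 fragment for the virtual host: allow only the edges, then
    restore the visitor's real address for logs and for Wordfence via mod_remoteip.
    The <RequireAny> block also works in .htaccess; the RemoteIP directives do not."""
    lines = ["# Only Cloudflare edges may reach this origin", "<RequireAny>"]
    lines += [f"    Require ip {r}" for r in ranges]
    lines += ["</RequireAny>", "",
              "# Log and rate-limit on the visitor's address, not the edge's",
              "RemoteIPHeader CF-Connecting-IP"]
    lines += [f"RemoteIPTrustedProxy {r}" for r in ranges]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # An edge connection: the header is trusted and the visitor's IP is recovered.
    print(classify("104.16.1.1", {"CF-Connecting-IP": "203.0.113.5"}))
    # A direct hit on the origin: denied, and the spoofed header is ignored.
    print(classify("198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"}))
    print(render_apache())
```

Two caveats. The allowlist has to be refreshed whenever Cloudflare changes its ranges, or legitimate traffic starts being refused; and an IP allowlist only covers HTTP/HTTPS, so cPanel, SSH and any other service on the host still need their own access controls. Cloudflare’s Authenticated Origin Pulls, where the edge presents a client certificate to the origin, adds a stronger check on top of the IP allowlist.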
Why does this work?
Think of Wordfence security as your last line of defence – just like the locked gates and doors, security cameras and alarms on your home. But Wordfence can potentially be overwhelmed by a mass assault by cybercriminals with the latest AI-powered attack tools.
But Cloudflare provides you with multiple defensive perimeters!
- A block at the attacker’s front door, based on the intent conveyed in the request to access your website. Trying to access forbidden directories or files and payload upload attempts are blocked instantly. The attacker never gets on the digital highway to your website.
- A block based on previous malicious activity by the IP Address being used to visit your website.
- Screening by country, where potentially bad actors can’t cross the border into NZ.
- Blocks on compromised NZ devices trying to access sensitive website directories, files or databases etc.
“The integration of Cloudflare and Wordfence creates a robust defense-in-depth architecture. Cloudflare acts as the perimeter fence, neutralizing hyper-volumetric DDoS attacks (reaching up to 31.4 Tbps as of late 2025) and generic bot traffic at the network edge. Simultaneously, Wordfence provides granular application-level security, mitigating billions of WordPress-specific credential stuffing and plugin exploit attempts that occur behind the edge proxy.”
Thoughtful implementation of Wordfence and Cloudflare provides a threefold benefit:
- Effective outer perimeter layers that significantly reduce the number of threats that can ever connect to your New Zealand website.
- At the same time, making your inner Wordfence defences against brute-force logins and plugin vulnerability attacks more effective.
- Making the website more resilient by improving content delivery through Cloudflare caching.
Citation: Wordfence vs Cloudflare
What should YOU do?
Seriously consider what will happen to your business if you lose control of your website, for example:
- The cost in higher bounce rates and lost conversions if your website is reduced to a crawl
- The financial impact if your website is off-line for days
- The damage to your brand if existing and potential customers see your website down for days
- The reputational damage if customer data, financial data or credit card information is accessed from your website
- Whether your insurance cover meets the average financial loss per incident for your business size
If the modest cost of preventive botnet measures is more appealing than the average financial loss per incident, send me a message today and ask for a quote to implement proactive measures to counter threats outlined above…






