The latest global threat intelligence report issued by NETSCOUT, a leading provider of observability, AIOps, cybersecurity and distributed denial of service (DDoS) attack protection solutions, has spotlighted Keymous+ as a significant cyber threat actor targeting nations across North African and the Middle East.

According to NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT), the group has launched 249 DDoS attacks across 15 countries and 21 different sectors, with Morocco and Sudan identified among the most affected. 

From an industry perspective, government agencies, hospitality and tourism, transportation and logistics, financial services and telecommunications organisations face the highest risk.

Bryan Hamman, NETSCOUT's regional director for Africa, notes the group's evolving tactics: "Keymous+ is leveraging DDoS-for-hire services and compromised devices, making their attacks more accessible and harder to defend against."

The threat actor employs a variety of attack vectors, including reflection and amplification attacks using protocols such as chargen, Connection-less Lightweight Directory Access Protocol (CLDAP), Domain Name System (DNS), memcached, Network Time Protocol (NTP), NetBIOS, rpcbind, Simple Network Management Protocol (SNMP), L2TP and Web Services Dynamic Discovery (WS-DD), as well as direct floods over DNS query, User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). 

Each attack conducted by Keymous+ draws on an average of more than 42,000 unique source IPs, ranging from tens of thousands to hundreds of thousands, distributed across diverse infrastructure, such as Tor exit nodes, public cloud instances, VPNs, access networks, compromised consumer and Internet of Things (IoT) devices, proxies and direct-path traffic from infected hosts. Peak observed bandwidth reached 11.8Gbps for individual attacks and 44Gbps for coordinated campaigns.

NETSCOUT’s report also highlights a public collaboration between Keymous+ and DDoS54, announced on April 12, 2025, further amplifying the threat’s scale and coordination. The group’s operations are characterised by strategic timing, often launching attacks during peak hours to maximise disruption.

“The broad, opportunistic targeting of Keymous+ suggests expanding operations, requiring organisations to prepare for sustained, high-scale attacks,” warns Hamman. “The rising frequency and sophistication of these attacks also highlight the need for enhanced cybersecurity resilience across the continent.”

NETSCOUT maps the DDoS landscape through passive, active and reactive vantage points, providing unparalleled visibility into global attack trends. NETSCOUT protects two-thirds of the routed IPv4 space, securing network edges that carried global peak traffic of over 800 Tbps in 1H2025. It monitors tens of thousands of daily DDoS attacks by tracking multiple botnets and DDoS-for-hire services that leverage millions of abused or compromised devices.