Aisuru
Aisuru is a DDoS botnet-for-hire and Mirai/TurboMirai-class IoT botnet associated with some of the largest publicly reported distributed denial-of-service attacks observed in 2025 and early 2026. It has been described as responsible for record-setting attacks including 29.7 Tbps and, together with Kimwolf, a 31.4 Tbps campaign dubbed "The Night Before Christmas." Reporting attributes Aisuru activity to hyper-volumetric Layer 4 floods, UDP carpet-bombing, and large HTTP flood activity, and notes repeated targeting of telecommunications, gaming, hosting, and financial services, with gaming and IT/services especially highlighted in some reporting.
Aisuru primarily compromises internet-connected devices including routers, digital video recorders, security cameras, Wi-Fi access points, gateways, and other IoT equipment. Multiple reports also note its use of commandeered DVRs specifically. It has been characterized as a botnet-for-hire/cybercrime-as-a-service operation that rents attack capacity to other criminals, and reporting also states that infected devices have been used for residential proxy and proxy-service activity in addition to DDoS operations.
Reporting links Aisuru closely with Kimwolf. Several sources describe Kimwolf as also known as AISURU, an Android-focused variant of Aisuru, or a botnet operated by the same group. Cloudflare and other reporting attribute late-December 2025 attacks to a combination of Aisuru and Kimwolf, and Chinese security researchers reportedly assessed that Kimwolf and Aisuru were almost certainly operated by the same cybercrime group. Related botnets disrupted alongside Aisuru include KimWolf, JackSkid, and Mossad.
By March 2026, international law enforcement actions led by the U.S. Department of Justice, with partners in the United States, Canada, and Germany, disrupted Aisuru along with KimWolf, JackSkid, and Mossad by seizing domains, virtual servers, and command-and-control infrastructure. Reporting states the botnets collectively compromised more than three million devices globally, and that Aisuru alone issued more than 200,000 attack commands. Some reporting also links a threat actor involved with the AISURU botnet to Brazil, but this attribution is described as suggestive rather than definitive.
Tradecraft
22 distinct techniques observed across reporting, grouped by tactic.
Observables
8 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Major botnet allegedly responsible for large-scale DDoS attacks.
Botnet targeting compromised streaming devices, with infected devices observed in Brazil, India, the US, and Argentina; reporting suggests an involved threat actor is likely based in Brazil.
Botnet used in large-scale DDoS attacks and operated under a cybercrime-as-a-service model, renting attack capacity to other hackers.
Botnet operation involved in large-scale DDoS activity; reporting says Aisuru primarily targets networking and adjacent gear such as home and office routers, IP cameras, Wi-Fi access points, and gateways, and was responsible for about 200,000 DDoS attacks.