Aisuru Botnet Launches Record-Breaking DDoS Attacks Against US ISPs and Enterprises
The Aisuru botnet, now recognized as the world’s largest and most disruptive DDoS botnet, has escalated its operations by leveraging a vast network of compromised Internet-of-Things (IoT) devices, particularly those hosted on major US Internet providers such as AT&T, Comcast, and Verizon. Security experts have observed that the concentration of infected devices within these US-based ISPs is complicating mitigation efforts and increasing the risk of collateral damage during attacks. In recent months, Aisuru has demonstrated its dominance over other IoT-based botnets, with its arsenal estimated at 300,000 compromised hosts globally, including consumer-grade routers, security cameras, and digital video recorders running outdated firmware or default settings. The botnet’s operators continuously scan for vulnerable devices, conscripting them into their network to launch distributed denial-of-service (DDoS) attacks of unprecedented scale.
Aisuru’s attack capabilities have grown rapidly, with a notable incident in May 2025 where KrebsOnSecurity was targeted with a 6.35 Tbps DDoS attack, then the largest ever mitigated by Google’s Project Shield. This record was quickly surpassed days later when Aisuru unleashed an 11 Tbps assault. By late September, the botnet was observed flexing its power with attacks exceeding 22 Tbps, culminating in a staggering 29.6 Tbps traffic flood on October 6, 2025. This latest demonstration, though brief and directed at a server designed to measure such events, shattered previous DDoS records and highlighted the botnet’s potential for catastrophic disruption.
The technical sophistication of these attacks is not limited to sheer bandwidth. Recent case studies reveal that Aisuru and similar botnets are employing complex, multi-vector strategies. For example, a major US technology company was recently hit by two massive network-layer DDoS attacks in a single day, with the first peaking at 1.2 Tbps and 563 million packets per second (PPS), and the second reaching nearly 1.5 Tbps and sustaining over 1 billion PPS for 20 minutes. These attacks targeted Layers 3 and 4 of the OSI model, using high PPS rates to overwhelm not just bandwidth but also the routing and switching infrastructure of the victim. The attackers utilized UDP-driven floods and, in subsequent waves, introduced TCP components to increase complexity and resource exhaustion. Amplification techniques, exploiting misconfigured services, were also employed to magnify the impact.
The globally distributed nature of the botnet, with compromised devices spanning multiple regions, has made it difficult for defenders to block malicious traffic without affecting legitimate users. The attacks have underscored the limitations of relying solely on raw network capacity for DDoS defense. Instead, effective mitigation now requires distributed defense architectures, rapid time-to-mitigation, high-quality traffic scrubbing, and resilience against both volumetric and packet-intensive floods. The evolving tactics of the Aisuru botnet demonstrate a deliberate escalation in both scale and sophistication, posing a significant threat to ISPs, enterprises, and the broader Internet infrastructure. Security teams are urged to reassess their DDoS defense strategies in light of these developments, as traditional approaches may no longer suffice against the scale and complexity of modern botnet-driven attacks.
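As an added example (not from the original article or its sources), the sketch below shows what "volumetric and packet-intensive floods" means for monitoring: each interval is judged against a bandwidth budget and a packet-rate budget separately, and the protocols driving the load are named. The router limits, thresholds and traffic samples are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed limits for a hypothetical edge router (assumptions, not from the article).
LINK_BPS = 400e9      # link capacity in bits per second
FORWARD_PPS = 150e6   # packet-forwarding budget in packets per second

@dataclass
class Interval:
    """Per-protocol byte and packet counters for one measurement window."""
    seconds: float
    udp_bytes: float
    udp_pkts: float
    tcp_bytes: float
    tcp_pkts: float

def classify(iv, alarm=0.8, vector_share=0.5):
    """Judge bandwidth and packet rate separately, then name the driving protocols."""
    protos = {"UDP": (iv.udp_bytes, iv.udp_pkts), "TCP": (iv.tcp_bytes, iv.tcp_pkts)}
    total_bytes = sum(b for b, _ in protos.values())
    total_pkts = sum(p for _, p in protos.values())
    bps_util = total_bytes * 8 / iv.seconds / LINK_BPS
    pps_util = total_pkts / iv.seconds / FORWARD_PPS
    pressure = []
    if bps_util >= alarm:
        pressure.append("volumetric")
    if pps_util >= alarm:
        pressure.append("packet-intensive")
    # A protocol counts as a vector when it alone uses half of either budget.
    vectors = [name for name, (b, p) in protos.items()
               if b * 8 / iv.seconds / LINK_BPS >= vector_share
               or p / iv.seconds / FORWARD_PPS >= vector_share]
    return {
        "bps_util": round(bps_util, 2),
        "pps_util": round(pps_util, 2),
        "avg_pkt_bytes": round(total_bytes / total_pkts),
        "pressure": pressure,
        "vectors": vectors if pressure else [],
    }

# Constructed one-second samples (not measurements from the attacks described).
SAMPLES = {
    "baseline":      Interval(1, 2e9, 2e6, 18e9, 20e6),
    "small_pkt_udp": Interval(1, 12e9, 160e6, 18e9, 20e6),
    "large_pkt_udp": Interval(1, 40e9, 30e6, 18e9, 20e6),
    "udp_plus_tcp":  Interval(1, 10e9, 100e6, 24e9, 100e6),
}

if __name__ == "__main__":
    for name, iv in SAMPLES.items():
        print(name, classify(iv))
```

In the `small_pkt_udp` sample the link sits at 60% utilization while the forwarding budget is exceeded, so an alarm keyed only to bandwidth would stay silent.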

How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Reporting links Aisuru's growth to compromised IoT infrastructure and botnet expansion
By 2025-10-09, analysis of the incident described Aisuru as having evolved beyond a DDoS botnet into a residential proxy network using infected home routers, IP cameras, and DVRs. Researchers also suggested its rapid expansion may have been fueled by a firmware server compromise and the absorption of devices from a rival botnet.
Aisuru botnet launches record 29.6 Tbps DDoS attack on US ISP networks
On 2025-10-08, the Mirai-derived Aisuru botnet generated a DDoS attack peaking at 29.6 Tbps, primarily hitting networks that support major online gaming platforms. The attack lasted only a few seconds but caused significant disruption, with much of the traffic coming from compromised IoT devices inside US ISP networks.
Sources
Aisuru’s 30 Tbps botnet traffic crashes through major US ISPs (csoonline.com)
DDoS Botnet Aisuru Blankets US ISPs in Record DDoS (krebsonsecurity.com)
Rethinking DDoS Defense: Why Scale Isn’t the Only Metric That Matters (imperva.com)


