Emergence and Impact of the Aisuru and Eleven11 IoT DDoS Botnets
Security researchers identified the rapid growth and evolution of the Aisuru and Eleven11 botnets, both part of the TurboMirai Internet of Things (IoT) botnet family. The Eleven11 botnet, discovered after analysis of high-bandwidth DDoS attacks in early 2025, was found to share command-and-control infrastructure with the previously known RapperBot, indicating a longer operational history than initially believed. NETSCOUT analysts observed that the operators of these botnets implemented innovative resiliency features, such as leveraging OpenNIC for alternative DNS resolution, and noted a significant drop in activity following law enforcement actions in mid-2025.
Concurrently, the Aisuru botnet, comprising hundreds of thousands of compromised IoT devices, demonstrated the capability to launch record-breaking DDoS attacks, with observed peaks nearing 30 terabits per second. The botnet manipulated Cloudflare’s public domain rankings by artificially inflating the popularity of its command-and-control domains, prompting Cloudflare to redact these domains from their lists and issue warnings to users. Both botnets highlight the increasing sophistication and scale of IoT-based DDoS threats, as well as the challenges faced by defenders in tracking, mitigating, and publicly reporting on such large-scale malicious infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
NETSCOUT publishes analysis of 161 days of Eleven11 activity
NETSCOUT ASERT released a report summarizing 161 days of activity tied to Eleven11, providing technical analysis and documenting the campaign's observed behavior over that period.
Cloudflare removes Aisuru botnet domains from its top domains list
Cloudflare scrubbed domains associated with the Aisuru botnet from its top domains rankings, a moderation action highlighted in reporting about the botnet's visibility on popular domain lists.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Aisuru Botnet Launches Record-Breaking DDoS Attacks Against US ISPs and Enterprises
The Aisuru botnet, now recognized as the world’s largest and most disruptive DDoS botnet, has escalated its operations by leveraging a vast network of compromised Internet-of-Things (IoT) devices, particularly those hosted on major US Internet providers such as AT&T, Comcast, and Verizon. Security experts have observed that the concentration of infected devices within these US-based ISPs is complicating mitigation efforts and increasing the risk of collateral damage during attacks. In recent months, Aisuru has demonstrated its dominance over other IoT-based botnets, with its arsenal estimated at 300,000 compromised hosts globally, including consumer-grade routers, security cameras, and digital video recorders running outdated firmware or default settings. The botnet’s operators continuously scan for vulnerable devices, conscripting them into their network to launch distributed denial-of-service (DDoS) attacks of unprecedented scale. Aisuru’s attack capabilities have grown rapidly, with a notable incident in May 2025 where KrebsOnSecurity was targeted with a 6.35 Tbps DDoS attack, then the largest ever mitigated by Google’s Project Shield. This record was quickly surpassed days later when Aisuru unleashed an 11 Tbps assault. By late September, the botnet was observed flexing its power with attacks exceeding 22 Tbps, culminating in a staggering 29.6 Tbps traffic flood on October 6, 2025. This latest demonstration, though brief and directed at a server designed to measure such events, shattered previous DDoS records and highlighted the botnet’s potential for catastrophic disruption. The technical sophistication of these attacks is not limited to sheer bandwidth. Recent case studies reveal that Aisuru and similar botnets are employing complex, multi-vector strategies. For example, a major US technology company was recently hit by two massive network-layer DDoS attacks in a single day, with the first peaking at 1.2 Tbps and 563 million packets per second (PPS), and the second reaching nearly 1.5 Tbps and sustaining over 1 billion PPS for 20 minutes. These attacks targeted Layers 3 and 4 of the OSI model, using high PPS rates to overwhelm not just bandwidth but also the routing and switching infrastructure of the victim. The attackers utilized UDP-driven floods and, in subsequent waves, introduced TCP components to increase complexity and resource exhaustion. Amplification techniques, exploiting misconfigured services, were also employed to magnify the impact. The globally distributed nature of the botnet, with compromised devices spanning multiple regions, has made it difficult for defenders to block malicious traffic without affecting legitimate users. The attacks have underscored the limitations of relying solely on raw network capacity for DDoS defense. Instead, effective mitigation now requires distributed defense architectures, rapid time-to-mitigation, high-quality traffic scrubbing, and resilience against both volumetric and packet-intensive floods. The evolving tactics of the Aisuru botnet demonstrate a deliberate escalation in both scale and sophistication, posing a significant threat to ISPs, enterprises, and the broader Internet infrastructure. Security teams are urged to reassess their DDoS defense strategies in light of these developments, as traditional approaches may no longer suffice against the scale and complexity of modern botnet-driven attacks.
Mar 21, 2026
Aisuru Botnet Drove Record-Breaking Multi-Terabit DDoS Attacks
Researchers and network defenders linked the **Aisuru** botnet to a wave of hyper-volumetric distributed denial-of-service attacks that pushed internet-scale flooding to new highs. Reports described attacks reaching **11.5 Tbps** and later **22.2 Tbps** with **10.6 billion packets per second**, with one major incident lasting about 40 seconds and being automatically mitigated by Cloudflare. Coverage from Cloudflare, The Register, Cybersecurity Dive, and QiAnXin XLab said the botnet helped fuel a broader rise in DDoS activity and turned parts of the internet into what one report characterized as a terabit-scale stress test. Government and industry tracking indicated the botnet was not an isolated spike but an active threat affecting organizations across regions, including the UK. Germany's **BSI** published an Aisuru botnet profile as defenders continued cataloging its infrastructure and behavior, while media reports said British businesses were hit by record botnet-driven barrages. Across the referenced reporting, Aisuru emerged as a large-scale botnet associated with compromised devices and capable of launching short, extremely intense floods that set new benchmarks for DDoS volume and forced providers to rely on automated mitigation at massive scale.
May 31, 2026
Aisuru Botnet Launches Record-Breaking DDoS Attacks and Expands to Residential Proxy Services
The Aisuru botnet, a Mirai-based IoT malware network, has been responsible for a series of unprecedented distributed denial-of-service (DDoS) attacks, with some exceeding 20 terabits per second and 4 gigapackets per second. These attacks have primarily targeted online gaming platforms and have caused significant disruptions for broadband providers, with infected consumer routers, CCTV/DVRs, and other vulnerable devices being leveraged to generate massive traffic floods. The botnet's operators have avoided government and military targets, focusing instead on commercial and consumer-facing services, and have demonstrated the ability to overwhelm network infrastructure, including causing router line card failures at ISPs. In addition to its DDoS capabilities, Aisuru has recently shifted towards monetizing its vast network of compromised devices by renting them out as residential proxies. This move has enabled cybercriminals to anonymize their traffic, facilitating large-scale data harvesting and content scraping operations, often tied to artificial intelligence projects. The proliferation of Aisuru-controlled proxies has made it easier for malicious actors to evade detection by routing their activities through what appear to be legitimate residential connections, further complicating mitigation efforts for ISPs and targeted organizations.
Mar 21, 2026