Aisuru/Kimwolf Botnet Sets 31.4 Tbps DDoS Record Against Cloudflare-Protected Targets
Cloudflare reported mitigating a record-breaking hyper-volumetric DDoS campaign attributed to the Aisuru/Kimwolf botnet, with a peak of 31.4 Tbps and application-layer floods exceeding 200 million HTTP requests per second. Cloudflare said the activity—named “The Night Before Christmas” due to its timing—began on December 19, 2025 and targeted both Cloudflare customers and Cloudflare’s own dashboard/infrastructure, with many victims described as telecommunications providers and IT organizations.
Reporting on Cloudflare’s findings indicates the campaign consisted of thousands of individual attacks that were typically short in duration (often 1–2 minutes), with the majority peaking in the 1–5 Tbps range and 1–5 billion packets per second. The botnet was also linked to prior record-setting activity (including a previously disclosed 29.7 Tbps peak), and Cloudflare attributed the attack sources in this campaign primarily to compromised Android TV/streaming devices; Cloudflare stated the attacks were automatically detected and mitigated without triggering internal alerts.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Cloudflare publicly discloses the record Aisuru attack
On January 29, 2026, multiple outlets reported Cloudflare's disclosure of the December Aisuru/Kimwolf campaign, including details that the botnet relied heavily on compromised Android TV and other consumer devices.
Cloudflare reports 47.1 million DDoS attacks in 2025
Cloudflare's year-end reporting said it mitigated 47.1 million DDoS attacks in 2025, a 121% increase over 2024, with continued growth in Q4 and sharp increases in terabit-scale and high packet-rate attacks.
Record 31.4 Tbps and 200M rps attack is mitigated by Cloudflare
During the December 19 campaign, Cloudflare mitigated a publicly disclosed record DDoS event peaking at 31.4 Tbps and more than 200 million HTTP requests per second, attributing it to the Aisuru/Kimwolf botnet and saying mitigation was fully automated.
Aisuru/Kimwolf launches 'The Night Before Christmas' DDoS campaign
Beginning on December 19, 2025, the Aisuru/Kimwolf botnet launched a hyper-volumetric DDoS campaign targeting Cloudflare customers, Cloudflare infrastructure, and its dashboard, with attacks delivered in short, intense bursts.
Cloudflare labels Aisuru the 'apex of botnets' in Q3 2025
In its 2025 Q3 DDoS threat reporting, cited by ZDNET, Cloudflare characterized Aisuru as the 'apex of botnets' and noted its frequent targeting of telecommunications, gaming, hosting, ISP, and financial services organizations.
Kimwolf botnet emerges and expands during 2025
Barracuda reported Kimwolf as active since 2025, portraying it as a stealthy botnet that embeds in enterprise and public-sector environments and uses dynamic communications to evade detection.
Aisuru botnet becomes active against IoT devices
Barracuda described Aisuru as active since 2024, using automated scanning and exploitation to rapidly compromise vulnerable IoT devices and build a botnet capable of large volumetric DDoS attacks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Massive 31.4 Tbps DDoS attack breaks records: How the 'apex' of botnets could be weaponizing your home devices | ZDNET
zdnet.com
Open sourceBotnet smashes DDoS traffic record, equivalent to streaming 2.2 million Netflix 4K movies at once - 31.4 Tb/s attack was large enough to take entire countries offline | Tom's Hardware
tomshardware.com
Open sourceAnother record breaking Aisuru botnet attack averted | SC Media
scworld.com
Open source31.4 Tbps DDoS Attack Via Aisuru Botnet Breaks Internet With New World Record
cybersecuritynews.com
Open sourceAisuru botnet sets new record with 31.4 Tbps DDoS attack
bleepingcomputer.com
Open sourceMalware Brief: New wave of botnets driving DDoS chaos | Barracuda Networks Blog
blog.barracuda.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AISURU/Kimwolf Botnet’s Record 31.4 Tbps Hyper-Volumetric DDoS Attack Mitigated by Cloudflare
Cloudflare reported mitigating a **record-setting hyper-volumetric DDoS attack** attributed to the **AISURU/Kimwolf** botnet that peaked at **31.4 Tbps** and lasted **35 seconds** in **November 2025**. The activity was described as part of a broader late-2025 surge in hyper-volumetric HTTP DDoS events that Cloudflare said were automatically detected and blocked, with **Q4 2025** hyper-volumetric attacks increasing **40%** quarter-over-quarter and the largest attacks growing **700%** compared to late 2024. Reporting tied AISURU/Kimwolf to DDoS-for-hire style operations and additional campaigns such as **“The Night Before Christmas”** (starting **December 19, 2025**), with Cloudflare citing campaign averages around **3 Bpps**, **4 Tbps**, and **54 Mrps**, and peaks up to **9 Bpps**, **24 Tbps**, and **205 Mrps**. The botnet’s capabilities and impact extend beyond web-layer floods: it has been associated with UDP/TCP/GRE flooding techniques and disruption of broadband providers via traffic sourced from compromised customer devices/CPE, and it has been described as enabling other illicit activity (e.g., credential stuffing, scraping, spam, phishing); separate reporting also stated the botnet has leveraged a large pool of compromised devices, including **millions of Android-based endpoints** such as off-brand Android TVs.
Mar 21, 2026
Record-Breaking 29.7 Tbps DDoS Attack Orchestrated by AISURU Botnet
Cloudflare successfully detected and mitigated the largest distributed denial-of-service (DDoS) attack on record, which peaked at 29.7 terabits per second and was attributed to the AISURU botnet. The attack, which lasted 69 seconds, utilized UDP carpet-bombing techniques targeting an average of 15,000 destination ports per second, and originated from a botnet-for-hire service leveraging between one and four million compromised routers and IoT devices worldwide. While the specific target of the attack was not disclosed, Cloudflare noted that the AISURU botnet has been responsible for a surge in hyper-volumetric DDoS attacks, particularly against telecommunications, gaming, hosting, and financial services sectors. AISURU's operations have resulted in over 2,800 attacks mitigated by Cloudflare since the start of the year, with nearly half classified as hyper-volumetric, exceeding 1 Tbps or 1 billion packets per second. The botnet's activity has not only set new records for DDoS attack volume but has also demonstrated the potential to disrupt internet service providers even when they are not the direct targets. The majority of attack sources have been traced to locations in Asia, and the overall frequency and scale of DDoS attacks have seen significant increases compared to previous quarters and years.
Mar 21, 2026
Aisuru Botnet Drove Record-Breaking Multi-Terabit DDoS Attacks
Researchers and network defenders linked the **Aisuru** botnet to a wave of hyper-volumetric distributed denial-of-service attacks that pushed internet-scale flooding to new highs. Reports described attacks reaching **11.5 Tbps** and later **22.2 Tbps** with **10.6 billion packets per second**, with one major incident lasting about 40 seconds and being automatically mitigated by Cloudflare. Coverage from Cloudflare, The Register, Cybersecurity Dive, and QiAnXin XLab said the botnet helped fuel a broader rise in DDoS activity and turned parts of the internet into what one report characterized as a terabit-scale stress test. Government and industry tracking indicated the botnet was not an isolated spike but an active threat affecting organizations across regions, including the UK. Germany's **BSI** published an Aisuru botnet profile as defenders continued cataloging its infrastructure and behavior, while media reports said British businesses were hit by record botnet-driven barrages. Across the referenced reporting, Aisuru emerged as a large-scale botnet associated with compromised devices and capable of launching short, extremely intense floods that set new benchmarks for DDoS volume and forced providers to rely on automated mitigation at massive scale.
May 31, 2026