AISURU/Kimwolf Botnet’s Record 31.4 Tbps Hyper-Volumetric DDoS Attack Mitigated by Cloudflare
Cloudflare reported mitigating a record-setting hyper-volumetric DDoS attack attributed to the AISURU/Kimwolf botnet that peaked at 31.4 Tbps and lasted 35 seconds in November 2025. The activity was described as part of a broader late-2025 surge in hyper-volumetric HTTP DDoS events that Cloudflare said were automatically detected and blocked, with Q4 2025 hyper-volumetric attacks increasing 40% quarter-over-quarter and the largest attacks growing 700% compared to late 2024.
Reporting tied AISURU/Kimwolf to DDoS-for-hire style operations and additional campaigns such as “The Night Before Christmas” (starting December 19, 2025), with Cloudflare citing campaign averages around 3 Bpps, 4 Tbps, and 54 Mrps, and peaks up to 9 Bpps, 24 Tbps, and 205 Mrps. The botnet’s capabilities and impact extend beyond web-layer floods: it has been associated with UDP/TCP/GRE flooding techniques and disruption of broadband providers via traffic sourced from compromised customer devices/CPE, and it has been described as enabling other illicit activity (e.g., credential stuffing, scraping, spam, phishing); separate reporting also stated the botnet has leveraged a large pool of compromised devices, including millions of Android-based endpoints such as off-brand Android TVs.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Cloudflare reports major 2025 DDoS surge and AISURU/Kimwolf attribution
Cloudflare disclosed that DDoS activity surged in 2025, with 47.1 million total attacks, sharp growth in network-layer attacks, and major increases in large attacks during Q4 2025. The company also linked the record November 2025 attack to AISURU/Kimwolf and described the botnet as leveraging more than 1.8 to 2 million infected Android devices, many of them off-brand Android TVs.
Google and Cloudflare disrupt IPIDEA infrastructure
Google, working with Cloudflare, disrupted infrastructure tied to the IPIDEA residential proxy network and pursued legal action against domains used to control devices and route proxy traffic. The action targeted infrastructure associated with the AISURU/Kimwolf botnet ecosystem.
Cloudflare blocks 31.4 Tbps DDoS attack in November 2025
In November 2025, Cloudflare automatically detected and mitigated a record-setting hyper-volumetric HTTP DDoS attack that peaked at 31.4 Tbps and lasted 35 seconds. The attack was attributed to the AISURU/Kimwolf botnet ecosystem.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Aisuru/Kimwolf Botnet Sets 31.4 Tbps DDoS Record Against Cloudflare-Protected Targets
Cloudflare reported mitigating a record-breaking **hyper-volumetric DDoS campaign** attributed to the **Aisuru/Kimwolf botnet**, with a peak of **31.4 Tbps** and application-layer floods exceeding **200 million HTTP requests per second**. Cloudflare said the activity—named **“The Night Before Christmas”** due to its timing—began on **December 19, 2025** and targeted both **Cloudflare customers** and **Cloudflare’s own dashboard/infrastructure**, with many victims described as telecommunications providers and IT organizations. Reporting on Cloudflare’s findings indicates the campaign consisted of **thousands of individual attacks** that were typically short in duration (often **1–2 minutes**), with the majority peaking in the **1–5 Tbps** range and **1–5 billion packets per second**. The botnet was also linked to prior record-setting activity (including a previously disclosed **29.7 Tbps** peak), and Cloudflare attributed the attack sources in this campaign primarily to **compromised Android TV/streaming devices**; Cloudflare stated the attacks were **automatically detected and mitigated** without triggering internal alerts.
Mar 21, 2026
Record-Breaking 29.7 Tbps DDoS Attack Orchestrated by AISURU Botnet
Cloudflare successfully detected and mitigated the largest distributed denial-of-service (DDoS) attack on record, which peaked at 29.7 terabits per second and was attributed to the AISURU botnet. The attack, which lasted 69 seconds, utilized UDP carpet-bombing techniques targeting an average of 15,000 destination ports per second, and originated from a botnet-for-hire service leveraging between one and four million compromised routers and IoT devices worldwide. While the specific target of the attack was not disclosed, Cloudflare noted that the AISURU botnet has been responsible for a surge in hyper-volumetric DDoS attacks, particularly against telecommunications, gaming, hosting, and financial services sectors. AISURU's operations have resulted in over 2,800 attacks mitigated by Cloudflare since the start of the year, with nearly half classified as hyper-volumetric, exceeding 1 Tbps or 1 billion packets per second. The botnet's activity has not only set new records for DDoS attack volume but has also demonstrated the potential to disrupt internet service providers even when they are not the direct targets. The majority of attack sources have been traced to locations in Asia, and the overall frequency and scale of DDoS attacks have seen significant increases compared to previous quarters and years.
Mar 21, 2026
Aisuru Botnet Drove Record-Breaking Multi-Terabit DDoS Attacks
Researchers and network defenders linked the **Aisuru** botnet to a wave of hyper-volumetric distributed denial-of-service attacks that pushed internet-scale flooding to new highs. Reports described attacks reaching **11.5 Tbps** and later **22.2 Tbps** with **10.6 billion packets per second**, with one major incident lasting about 40 seconds and being automatically mitigated by Cloudflare. Coverage from Cloudflare, The Register, Cybersecurity Dive, and QiAnXin XLab said the botnet helped fuel a broader rise in DDoS activity and turned parts of the internet into what one report characterized as a terabit-scale stress test. Government and industry tracking indicated the botnet was not an isolated spike but an active threat affecting organizations across regions, including the UK. Germany's **BSI** published an Aisuru botnet profile as defenders continued cataloging its infrastructure and behavior, while media reports said British businesses were hit by record botnet-driven barrages. Across the referenced reporting, Aisuru emerged as a large-scale botnet associated with compromised devices and capable of launching short, extremely intense floods that set new benchmarks for DDoS volume and forced providers to rely on automated mitigation at massive scale.
May 31, 2026