Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Aisuru botnet. Show all posts
Network Layer DDoS
Aisuru botnet Botnet Infrastructure Cloud Security Cyber Threat Intelligence DDOS Attack HTTP Flood Attacks Hyper Volumetric Attacks malware Network Layer DDoS

Largest Ever 31.4 Tbps DDoS Attack Attributed to Aisuru Botnet


 

A surge of traffic unprecedented to the public internet occurred in November 2025 for thirty five seconds. The acceleration was immediate and absolute, peaking at 31.4 terabits per second before dissipating nearly as quickly as it formed. As the result of the AISURU botnet, also known as Kimwolf, the event demonstrated the use of distributed infrastructure to achieve extreme bandwidth saturation over a short period of time. 

Cloudflare has released findings indicating that the incident was the largest distributed denial of service attack disclosed to date as well as contributing to an overall rise in hyper volumetric HTTP DDoS activity observed during the year 2025. In contrast to being an isolated outlier, the November spike is associated with a sustained upward trend in both the scale and operational speed of large-scale DDoS campaigns. 

Throughout the year, Cloudflare's telemetry indicated significant increases in attack frequency and intensity, culminating in a sharp increase in hypervolumetric incidents during the fourth quarter. There has been an increase in observed attack sizes by more than 700 percent since late 2024, reflecting a significant change in bandwidth resources and orchestration techniques available to contemporary botnet operators as compared to late 2024. 31.4 Tbps burst was attributed to AISURU Kimwolf infrastructure, which researchers have linked with multiple coordinated campaigns in 2025.

Automated traffic analysis and inline filtering systems helped spot and mitigate the November event, proving how relying on them is becoming more important to combat high speed volumetric floods. This botnet was also involved in the operation that began on December 19, which has been referred to as The Night Before Christmas. 

At the peak of that campaign, attack volumes were measured at approximately 3 billion packets per second, 4 Tbps of throughput, and 54 million HTTP requests per second. The peak rates were 9 billion packets a second, 24 Tbps, and 205 million requests a second, which shows simultaneous exploitation of application and network layer vectors. These year-end metrics help you understand the operational environment that inspired these campaigns. 

According to Cloudflare, DDoS activity increased by 121 percent during 2025, with defensive systems mitigating an average of 5,376 attacks per hour. The number of aggregated attacks exceeded 47.1 million, more than doubling that of the previous year. It is estimated that 34.4 million network layer attacks took place in the fourth quarter, an increase from 11.4 million in 2024. 

These attacks accounted for 78 percent of all DDoS activity. During the last quarter, DDoS incidents increased 31 percent, while year over year, they increased by 58 percent, suggesting a sustained expansion instead of episodic surges. 

A distinctive component of that growth curve was hyper volumetric attacks. In the fourth quarter alone, 1,824 such incidents were recorded, as compared to 1,304 recorded in the previous quarter and 717 during the first quarter. As a result, attack volumes increased severalfold within a single annual cycle, and not only the frequency of attacks has increased, but the amplitude has also increased notably. 

Combined, the data indicates that the threat landscape has been enhanced by compressed attack windows, increased packet rates, and unprecedented throughput levels, which reinforces concerns that record-breaking DDoS capacity is becoming an iterative benchmark rather than an exceptional event.

It was a calculated extension of the same operational doctrine in the December campaign, known as The Night Before Christmas. As of December 19, 2025, Cloudflare's infrastructure and downstream customers have been subjected to sustained hypervolumetric traffic directed by the botnet, which blends record scale Layer 4 floods with HTTP surges exceeding 200 million requests per second at the application layer. 

In September 2025, this operation exceeded the botnet's own previous benchmark of 29.7 Tbps, which marked a significant increase in bandwidth deployment and request augmentation. Upon examining the campaign, investigators determined that millions of unofficial streaming boxes were conscripted into the campaign, which generated packets and requests rarely seen at such a high rate. 

At its apex, 31.4 Tbps, the attack reached a magnitude that would have exceeded several major providers' publicly disclosed mitigation ceilings. In purely theoretical terms, Akamai Prolexic's capacity of 20 Tbps, Netscout Arbor Cloud's capacity of 15 Tbps, and Imperva's capacity of 13 Tbps would have reached bandwidth utilization levels exceeding 150 to 240 percent under equivalent load based on stated capacities. 

However, this comparison highlights the structural stress such volumes impose on conventional scrubbing architectures when comparing distributed absorption and traffic engineering strategies with real world resilience. In contrast to a single monolithic flood, telemetry from this campaign revealed a pattern of distributed, highly coordinated bursts.

Thousands of discrete attack waves exhibited consistent scaling characteristics, each exhibiting a similar pattern. Ninety-three percent of events reached peak rates between one and five Tbps, while 5.5 percent reached peak rates between five and ten Tbps. There was only a fractional 0.1 percent of events exceeding 30 Tbps, demonstrating that the headline-breaking spike was not only rare, but deliberate from a statistical perspective. 

According to packet rate analysis, 94.5 percent of attacks generated packets between one and five billion per second, while 4 percent peaked at five to ten billion, and 1.5 percent reached ten to fifteen billion packets per second. A number of attack waves were engineered as concentrated bursts rather than prolonged sieges, highlighting the tactical refinement of the operation. 

 There were 9.7 percent of attacks lasting less than 30 seconds, 27.1% lasting between 30 and 60 seconds, and 57.2% lasting 60 to 120 seconds. Only 6% exceeded the two-minute mark, suggesting a focus on high intensity volleys designed to strain defensive thresholds before adaptive mitigation can fully adjust. 

In hyper volumetric incidents, 42.5 percent of incidents were targeted against gaming organizations, while 15.3 percent were targeting IT and services organizations. This distribution indicates that it is aimed at industries with high latency sensitives and infrastructure-dependent infrastructures where even brief disruptions can have a substantial impact on operational and financial performance. 

In the wake of the December offensive, a botnet has gradually evolved into one of the most significant distributed denial of service threats observed over the past few years. Through the compromise of consumer grade devices, the Aisuru operation, which split into an Android-focused Kimwolf variant in August 2025, expanded aggressively.

According to Synthient, Kimwolf infected more than two million unofficial Android TVs, making them into a global attack grid. They built layered command and control architectures using residential proxy networks to make origin infrastructure look bad and make takedown harder. 

Botnet activity captured the attention of the public after it briefly pushed its own domain activity to the top of Cloudflare's global rankings, an outcome achieved as a consequence of artificial traffic amplification rather than organic traffic. Disruption efforts are ongoing. Black Lotus Labs, a division of Lumen Technologies, began counter-operations in early October 2025, disrupting traffic to more than 550 command and control servers connected to Kimwolf and Aisuru. 

Although the network displayed adaptive resilience, the endpoints were rapidly migrating to newly provisioned hosts, frequently using IP address space associated with Resi Rack LLC and recurring autonomous system numbers to reconstitute its control plane, and reconfiguring its control plane in a timely manner. This infrastructure rotation illustrates a trend in botnet engineering which emphasizes redundancy and rapid redeployment as part of operational design rather than as a contingency measure. 

An accelerating level of DDoS activity was evident across the entire internet as the record-setting events unfolded. There will be 47.1 million DDoS incidents in the year 2025, which represents a 121 percent increase over 2024 and a 236 percent increase over 2023. In the past year, automated mitigation systems processed approximately 5,376 attacks per hour, which included approximately 3,925 network level events and 1,451 HTTP layer floods. 

Most of the expansion has occurred at the network layer, with network layer attacks doubling from 11.4 million incidents to 34.4 million incidents year over year. In the fourth quarter alone, 8.5 million such attacks took place, reflecting 152 percent year-over-year growth and 43 percent quarter-over-quarter increase, with network layer vectors accounting for 78 percent of all DDoS activity in that quarter. 

Indicators of scale and sophistication reveal an intensifying threat model. There was a 600 percent increase in network layer attacks exceeding 100 million packets per second over the previous quarter, while those surpassing 1 Tbps increased by 65 percent. Nearly 1 percent of network layer attacks exceeded the 1 million packet per second threshold, emphasizing the increasing use of high intensity traffic bursts designed to stress routing and filtering systems. 

Most HTTP DDoS activity was caused by known botnets, accounting for 71.5 percent, anomalous HTTP attributes accounted for 18.8 percent, fake or headless browser signatures accounted for 5.8 percent, and generic flood techniques accounted for 1.8%. As indicated by the duration analysis, 78.9 percent of HTTP floods ended within ten minutes, suggesting a tactical preference for high impact, compressed attack cycles. 

It has been estimated that roughly three out of each hundred HTTP events qualified as hyper volumetric at the application layer while 69.4 percent of HTTP events remain below 50,000 requests per second, whereas 2.8% exceed 1 million requests per second. More than half of HTTP DDoS attempts were automatically neutralized without human intervention through Cloudflare's real-time botnet detection systems, reflecting an increased reliance on machine learning-driven mitigation frameworks. 

DDoS traffic observed in the fourth quarter exhibited notable changes in source distribution. Bangladesh emerged as the largest origin, replacing Indonesia, which fell to third place. In second place, Ecuador was ranked, while Argentina rose by twenty places to become the fourth largest source. Hong Kong, Ukraine, Vietnam, Taiwan, Singapore, and Peru also contributed significantly.

Analyzing data from autonomous systems indicates that adversaries disproportionately exploit cloud computing platforms and telecommunications infrastructure to gain an edge over their adversaries. In this report, Russia has lost five positions in the rankings, while the United States has lost four positions. 

There were six cloud providers collectively represented in the top ten source networks, including DigitalOcean, Microsoft, Tencent, Oracle, and Hetzner, reflecting the misuse of rapidly deployable virtual machines to generate traffic. The remaining high volume infrastructure has been mainly provided by telecommunications carriers in Asia Pacific, primarily in Vietnam, China, Malaysia, and Taiwan. 

With Cloudflare's globally distributed architecture, despite the extraordinary magnitude of the Night Before Christmas campaign, the load was contained within operational limits owing to Cloudflare's global distribution. The spike of 31.4 Tbps consumed approximately 7 percent of available bandwidth across 330 points of presence, leaving considerable residual bandwidth available for the next few months. 

In this case, the attack was detected and contained autonomously, without triggering any emergency escalation protocols. This episode highlights the gap between the capabilities of adversarial traffic generators and those of smaller providers in terms of their defensive capabilities. 

With volumetric ceilings on the rise and botnets adopting increasingly modular command frameworks, the sustainability of internet-facing services will depend on the availability of hyperscale mitigation infrastructure that can handle not only record-setting spikes in DDoS activity but also an accelerated baseline of global DDoS activity as it continues to grow. These events indicate a trajectory that has clear implications for enterprises, service providers, and infrastructure operators. 

In a world where volumetric thresholds continue to grow and botnets continue to industrialize device compromises at scale, incremental upgrades and reactive control cannot be relied upon to maintain a defensive edge. Mitigation partners must be evaluated based on their demonstrated absorption capacity, architectural distribution, maturity in automated response, and transparency in telemetry.

Edge assets, IoT ecosystems, and cloud workloads must also be hardened in order to prevent them from becoming targets and unwitting launch platforms, as they are increasingly exploited. 

In addition to indicating a structural shift in adversarial capability, the November and December campaigns serve not only as record setting anomalies. Defining resilience in this environment is less about preventing every attack and more about engineering networks that are capable of sustaining, absorbing, and recovering from traffic volumes that were once considered unimaginable.

Read more »
Record DDoS Attack
Aisuru botnet Botnet Infrastructure Cloudflare Mitigation Cyber Attacks Cyber Threats Global DDoS Trends Hyper-Volumetric DDoS IoT Botnets Network Layer Attacks Record DDoS Attack

Aisuru Botnet Drives DDoS Attack Volumes to Historic Highs


Currently, the modern internet is characterized by near-constant contention, in which defensive controls are being continuously tested against increasingly sophisticated adversaries. However, there are some instances where even experienced security teams are forced to rethink long-held assumptions about scale and resilience when an incident occurs. 


There has been an unprecedented peak of 31.4 terabits per second during a recent Distributed Denial of Service attack attributed to the Aisuru botnet, which has proven that the recent attack is firmly in that category. 

Besides marking a historical milestone, the event is revealing a sharp change in botnet orchestration, traffic amplification, and infrastructure abuse, demonstrating that threat actors are now capable of generating disruptions at levels previously thought to be theoretical. As a consequence of this attack, critical questions are raised regarding the effectiveness of current mitigation architectures and the readiness of global networks to withstand such an attack.

Aisuru-Kimwolf is at the center of this escalation, a vast array of compromised systems that has rapidly developed into the most formidable DDoS platform to date. Aisuru and its Kimwolf offshoot are estimated to have infected between one and four million hosts, consisting of a diverse array of consumer IoT devices, digital video recorders, enterprise network appliances, and virtual machines based in the cloud. 

As a result of this diversity, the botnet has been able to generate volumes of traffic which are capable of overwhelming critical infrastructure, destabilizing national connectivity, and surpassing the handling capacities of many legacy cloud-based DDoS mitigation services. As far as operational performance is concerned, Aisuru-Kimwolf has demonstrated its consistency in executing hyper-volumetric and packet-intensive campaigns at a scale previously deemed impractical. 

As documented by the botnet, the botnet is responsible for record-breaking flooding reaches 31.4 Tbps, packet rates exceeding 14.1 billion packets per second, and highly targeted DNS-based attacks, including random prefixes and so-called water torture attacks, as well as application-layer HTTP floods that exceed 200 million requests per second. 

As part of these operations, carpet bombing strategies are used across wide areas and packet headers and payload attributes are randomly randomized, a deliberate design choice meant to frustrate signature-based detection and slow automated mitigation. 

The attack usually occurs rapidly and in high intensity bursts that reach peak throughput almost instantly and subside within minutes, creating a hit-and-run attack that makes attribution and response more difficult. 

There was an increase of more than 700 percent in attack potential observed in the Aisuru-Kimwolf ecosystem between the years 2025 and 2026, demonstrating the rapid development of this ecosystem. Aisuru botnets serve as the architectural core of this ecosystem, which are responsible for this activity. 

In addition to serving as a foundational platform, Aisuru enables the development and deployment of derivative variants, including Kimwolf, which extends the botnet's reach and operational flexibility. By continuously exploiting exposed or poorly secured devices in the consumer and cloud environments, the ecosystem has created a globally distributed attack surface reflective of a larger shift in how modern botnets are designed. 

In contrast to the traditional techniques of DDoS relying solely on persistence, Aisuru-based networks emphasize scalability, rapid mobilization, and adaptive attack techniques, signalling the development of an evolving threat model that is reshaping the upper limits of large-scale DDoS attacks. 

Additionally, people have seen a clear shift from long-duration attacks to short-duration, high-intensity attacks that are designed to maximize disruptions while minimizing exposure. There has been a significant decrease in the number of attacks that persist longer than a short period of time, with only a small fraction lasting longer than that period.

There were overwhelmingly three to five billion packets per second at peak for the majority of incidents, while the overall packet rate was overwhelmingly clustered between one and five terabits per second. It reflects a deliberate operational strategy to concentrate traffic within narrowly defined, yet extremely extreme thresholds, with the goal of promoting rapid saturation over prolonged engagement. 

Although these attacks were large in scope, Cloudflare's defenses were automatically able to identify and mitigate them without initiating internal escalation procedures, highlighting the importance of real-time, autonomous mitigation systems in combating modern DDoS threats. 

Although Cloudflare's analysis indicates a notable variation in attack sourcing during the so-called "Night Before Christmas" campaign as compared to previous waves of Aisuru botnet activity originating from compromised IoT devices and consumer routers, Cloudflare's analysis shows a significant change in attack sourcing. 

As part of that wave of activity, Android-based television devices became the primary source of traffic, which highlights how botnet ecosystems continue to engulf non-traditional endpoints. In addition to expanding attack capacity, this diversity of compromised hardware complicates defensive modeling, as traffic originates from devices which blend into legitimate consumer usage patterns, increasing the complexity of defensive modeling. 

These findings correspond to broader trends documented in Cloudflare's fourth-quarter 2025 DDoS Threat Report, which documented a 121 percent increase in attack volume compared with the previous year, totaling 47.1 million incidents. 

A Cloudflare application has been able to mitigate over 5,300 DDoS attacks a day, nearly three quarters of which occurred on the network layer and the remainder targeting HTTP application services. During the final quarter, the number of DDoS attacks accelerated further, increasing by 31 percent from the previous quarter and 58 percent from the previous year, demonstrating a continuing increase in both frequency and intensity. 

A familiar pattern of industry targeting was observed during this period, but it was becoming increasingly concentrated, with telecommunications companies, IT and managed services companies, online gambling platforms and gaming companies experiencing the greatest levels of sustained pressure. Among attack originators, Bangladesh, Ecuador, and Indonesia appeared to be the most frequently cited sites, with Argentina becoming a significant source while Russia's position declined. 

Throughout the year, organizations located in China, Hong Kong, Germany, Brazil, and the United States experienced the largest amount of DDoS attacks, reflecting the persistent focus on regions with dense digital infrastructure and high-value online services. 

According to a review of attack source distribution in the fourth quarter of 2025, there have been notable changes in the geographical origins of malicious traffic, which supports the emergence of a fluid global DDoS ecosystem.

A significant increase was recorded in attack traffic by Bangladesh during the period, displace Indonesia, which had maintained the top position throughout the previous year but subsequently fell to third place. Ecuador ranked second, while Argentina climbed twenty positions to take the fourth position, regaining its first place in attack traffic. 

In addition to Hong Kong, Ukraine, Vietnam, Taiwan, Singapore, and Peru, there were other high-ranking origins, which emphasize the wide international dispersion of attack infrastructure. The relative activity of Russia declined markedly, falling several positions, while the United States also declined, reflecting shifting operational preferences rather than a decline in regional engagement. 

According to a network-level analysis, threat actors continue to favor infrastructure that is scalable, flexible and easy to deploy. A significant part of attacks observed in the past few months have been generated by cloud computing platforms, with providers such as DigitalOcean, Microsoft, Tencent, Oracle, and Hetzner dominating the higher tiers of originating networks with their offerings. 

Throughout the trend, there has been a sustained use of on-demand virtual machines to generate high-volume attack traffic on a short notice basis. In addition to cloud services, traditional telecommunications companies remained prominent players as well, especially in parts of the Asia-Pacific region, including Vietnam, China, Malaysia, and Taiwan.

Large-scale DDoS operations are heavily reliant on both modern cloud environments and legacy carrier infrastructure. The Cloudflare global mitigation infrastructure was able to absorb the unprecedented intensity of the "Night Before Christmas" campaign without compromising service quality. 

In spite of 330 points of presence and a total mitigation capacity of 449 terabits per second, only a small fraction of the total mitigation capacity was consumed, which left the majority of defensive capacity untouched during the record-setting flood of 31.4 Tbps. 

It is noteworthy that detection and mitigation were performed autonomously, without the need for internal alerts or manual intervention, thus underscoring the importance of machine-learning-driven systems for responding to attacks that unfold at a rapid pace. 

As a whole, the campaign illustrates the widening gap between hackers’ growing capability and the defensive limitations of organizations relying on smaller-scale protection services, many of which would have been theoretically overwhelmed by an attack of this magnitude if it had taken place. 

An overall examination of the Aisuru campaign indicates that a fundamental shift has taken place in the DDoS threat landscape, with attack volumes no longer constrained by traditional assumptions about bandwidth ceilings and device types.

The implications for defenders are clear: resilience cannot be treated as a static capability, but must evolve concurrently with adversaries operating at a machine-scale and speed that is increasingly prevalent. 

Due to the complexity of the threats that are becoming more prevalent in the world, organizations have been forced to reevaluate not only their mitigation capabilities, but also the architectural assumptions that lay behind their security strategies, particularly when latency, availability, and trust are essential factors. 

Hypervolumetric attacks are becoming shorter, sharper, and more automated over time. Therefore, effective defense will be dependent on global infrastructure, real-time intelligence, and automated response mechanisms that are capable of absorbing disruptions without human intervention. Accordingly, the Aisuru incident is less of an anomaly and more of a preview of the operational baseline against which modern networks must prepare.
Read more »
malware
Aisuru botnet Android Malware Black Lotus Labs command and control servers cybersecurity research DDOS Attacks Kimwolf botnet Lumen security malware

Lumen Disrupts Aisuru–Kimwolf Botnet Powering Massive DDoS Attacks

 

Lumen Technologies’ Black Lotus Labs has successfully disrupted more than 550 command-and-control (C2) servers connected to the Aisuru and Kimwolf botnets, a large-scale malicious infrastructure widely used for distributed denial-of-service (DDoS) attacks and residential proxy abuse.

Aisuru operates as a DDoS-for-hire platform and deliberately avoids targeting government and military entities. However, broadband service providers have borne the brunt of its activity, with attacks surpassing 1.5Tb/sec originating from compromised customer devices, causing severe service interruptions.

Similar to other TurboMirai-based botnets, Aisuru includes enhanced DDoS capabilities alongside multifunctional features. These allow threat actors to engage in a range of illegal operations such as credential stuffing, AI-powered web scraping, spam campaigns, phishing attacks, and proxy services.

The botnet launches assaults using UDP, TCP, and GRE flood techniques, leveraging medium-sized packets with randomized ports and flags. Traffic volumes exceeding 1Tb/sec from infected customer premises equipment (CPEs) have disrupted broadband networks, while packet floods surpassing 4 billion packets per second have led to router line card failures.

Kimwolf, a recently identified Android-based botnet closely associated with Aisuru, has compromised more than 1.8 million devices and generated over 1.7 billion DDoS commands, according to cybersecurity firm XLab.

Primarily targeting Android TV boxes, the Kimwolf botnet is built using the Android NDK and includes capabilities such as DDoS attacks, proxy forwarding, reverse shell access, and file management. To conceal its operations, it encrypts sensitive information using a simple Stack XOR method, employs DNS over TLS for communication obfuscation, and verifies C2 commands through elliptic curve digital signatures. Newer variants also use EtherHiding, leveraging blockchain-based domains to evade takedown efforts.

Kimwolf variants follow a consistent naming convention of “niggabox + v[number],” with versions v4 and v5 currently observed in the wild. Researchers who seized control of a single C2 domain recorded interactions from approximately 2.7 million IP addresses within three days, reinforcing estimates that infections exceed 1.8 million devices. The botnet’s globally distributed infrastructure, multiple C2 servers, and varied versions make precise infection counts difficult.

Although Kimwolf borrows elements from the Aisuru codebase, its operators significantly modified it to avoid detection. While traffic proxying is its primary function, the botnet is capable of executing large-scale DDoS campaigns. This was evident during a three-day window between November 19 and 22, when it issued 1.7 billion attack commands.

Lumen observed daily bot traffic to Aisuru C2 servers rise sharply from 50,000 to 200,000 connections in September 2025. Upon validating the emergence of a new botnet, the company blocked the traffic and null-routed more than 550 C2 servers.

By examining C2 infrastructure and residential proxy traffic, researchers traced links to Canadian IP addresses and shared this intelligence with law enforcement agencies.

“The Canadian IPs in question were using SSH to access 194.46.59[.]169, which resolved to proxy-sdk.14emeliaterracewestroxburyma02132[.]su. In short order, we would learn that the Aisuru backend C2 we were tracking adopted the domain name client.14emeliaterracewestroxburyma02132[.]su, a similarity that further tied these servers together” reads the report published by Lumen.

In early October, Black Lotus Labs detected infrastructure shifts signaling the rise of the Kimwolf botnet. Its growth was rapid, adding hundreds of thousands of infected devices within weeks, largely through exploitation of insecure residential proxy services. By mid-October, infections had reached approximately 800,000 devices, with the botnet actively scanning proxy networks to accelerate expansion.

Black Lotus Labs initiated disruption efforts against Kimwolf in October by swiftly null-routing its C2 servers. While operators were able to reestablish operations within hours, Lumen persistently blocked new infrastructure as it surfaced. Through continuous monitoring, collaboration with industry partners, and integration of threat indicators into its security products, Lumen worked to reduce the botnet’s operational capacity over time.

“To date, we have null-routed over 550 Aisuru/Kimwolf servers in 4 months as part of our efforts to combat this botnet, leading its operators to some distress, as noted in Xlabs’ post, showing the actors addressing Lumen with profanity in one DDoS payload” concludes the report.


Read more »
Subscribe to: Comments (Atom)