Aisuru Botnet: Record 29.69 Tbps DDoS Attacks on US ISPs

Alan V Gutnov

Director of Strategy

October 29, 2025 4 min read

TL;DR

The Aisuru botnet is behind recent record-breaking DDoS attacks, peaking at nearly 30 terabits per second. Primarily targeting gaming platforms and impacting major U.S. ISPs like AT&T and Comcast, the botnet leverages hundreds of thousands of compromised IoT devices. Evolving from the Mirai botnet, Aisuru's rapid growth and sophisticated tactics pose a significant and growing threat to internet stability and online services.

Aisuru Botnet Dominates with Record DDoS Attacks

The Aisuru botnet has emerged as a dominant force in the DDoS landscape, leveraging compromised IoT devices to launch massive attacks. Recent evidence indicates a significant concentration of infected devices within U.S. Internet providers such as AT&T, Comcast, and Verizon, complicating mitigation efforts. The botnet's attacks have reached unprecedented levels, briefly hitting nearly 30 terabits of data per second.

Scale and Impact of Aisuru Attacks

The Aisuru botnet has grown substantially since its emergence over a year ago, now utilizing an estimated 300,000 compromised hosts globally. These compromised systems primarily consist of consumer-grade routers, security cameras, digital video recorders, and other IoT devices with insecure firmware or default settings. The botnet's operators continuously scan the Internet for vulnerable devices, enslaving them for use in distributed denial-of-service (DDoS) attacks.

As the botnet's size has increased, so has its attack power. In May 2025, KrebsOnSecurity was hit with a near-record 6.35 terabits per second (Tbps) attack from Aisuru, which was the largest assault that Google's DDoS protection service Project Shield had ever mitigated. Subsequently, Aisuru shattered this record with a data blast exceeding 11 Tbps. By late September, Aisuru was publicly demonstrating DDoS capabilities exceeding 22 Tbps, and on October 6, it unleashed a massive 29.6 terabits per second attack.

Measurement of an Oct. 6 DDoS believed to have been launched through multiple botnets operated by the owners of the Aisuru botnet
Image courtesy of Krebs on Security

Gaming Platforms Targeted

Aisuru's attacks have primarily targeted ISPs serving online gaming communities like Minecraft, resulting in widespread collateral Internet disruption. Gaming platforms including Steam, Riot Games, and PlayStation Network have experienced simultaneous disruptions. Games like Counter-Strike, Dota 2, Valorant, and League of Legends have faced connectivity issues.

Steven Ferguson, principal security engineer at Global Secure Layer (GSL), reported that TCPShield, which offers DDoS protection to over 50,000 Minecraft servers, was hit with a blitz from Aisuru that flooded its network with more than 15 terabits of junk data per second. OVH, TCPShield's upstream provider, subsequently terminated their service due to the congestion caused by the attacks.

Aisuru botnet attack on TCPShield (AS64199) on Sept. 28
Image courtesy of Krebs on Security

Concentration of Infected Devices in the U.S.

Ferguson noted a shift in the botnet's composition towards infected systems at ISPs in the United States. Logs from an attack on October 8 showed that 11 of the top 20 traffic sources were U.S.-based ISPs. AT&T customers were the biggest U.S. contributors, followed by systems on Charter Communications, Comcast, T-Mobile, and Verizon. The high volume of data packets from these infected IoT hosts has begun to affect the quality of service for other customers.

Roland Dobbins, principal engineer at Netscout, emphasized that while ISPs are equipped to handle large incoming DDoS attacks, they are less prepared to manage service degradation caused by large numbers of customers using bandwidth to attack others. He noted that outbound DDoS attacks are causing significant operational problems.
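The two observations above, attributing attack traffic to source networks and an ISP spotting its own customers generating outbound floods, both come down to aggregating flow records. The script below is an added illustration of that analysis and is not code from the article, from Krebs on Security, GSL, or Netscout. The flow records, the prefix-to-ASN map and the packets-per-second threshold are all constructed placeholders; a real deployment would read NetFlow/IPFIX exports and derive the prefix map from routing data.

```python
"""Attribute DDoS traffic to source networks and flag likely outbound
participants. Added example; flow records and ASN labels are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed flow records: "ts src_ip dst_ip proto bytes packets".
# The destination is the attack target; sources are infected hosts plus one
# ordinary client (198.51.100.7) that should not be flagged.
SAMPLE_FLOWS = """\
1000 10.1.1.5      203.0.113.10 udp 60000000 60000
1000 10.1.2.9      203.0.113.10 udp 45000000 45000
1000 10.2.7.3      203.0.113.10 udp 80000000 80000
1001 10.2.7.3      203.0.113.10 udp 75000000 75000
1000 192.168.50.1  203.0.113.10 tcp  2000000  2000
1001 10.1.1.5      203.0.113.10 udp 55000000 55000
1000 198.51.100.7  203.0.113.10 udp     1500    10
"""

# Hypothetical prefix -> ASN map (private-use ASNs, constructed for the example).
PREFIX_TO_ASN = {
    "10.1.0.0/16": "AS64501 (constructed ISP A)",
    "10.2.0.0/16": "AS64502 (constructed ISP B)",
    "192.168.0.0/16": "AS64503 (constructed ISP C)",
}


@dataclass
class Flow:
    ts: int          # start of the one-second bucket the record belongs to
    src: str
    dst: str
    proto: str
    nbytes: int
    npackets: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated flow format used above."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, nbytes, npackets = line.split()
        flows.append(Flow(int(ts), src, dst, proto, int(nbytes), int(npackets)))
    return flows


def asn_for(ip: str) -> str:
    """Longest-prefix match is unnecessary here because the prefixes do not overlap."""
    addr = ip_address(ip)
    for prefix, asn in PREFIX_TO_ASN.items():
        if addr in ip_network(prefix):
            return asn
    return "unknown"


def top_source_asns(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Mitigation-provider view: rank source networks by bytes sent at the target."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[asn_for(f.src)] += f.nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def flag_outbound_sources(flows: List[Flow], pps_threshold: int = 50_000) -> Dict[str, int]:
    """ISP view: peak packets-per-second per customer host across one-second
    buckets; hosts at or above the threshold are candidates for abuse handling.
    The threshold is a placeholder and would be tuned per access-link capacity."""
    buckets: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        buckets[(f.src, f.ts)] += f.npackets
    peak: Dict[str, int] = defaultdict(int)
    for (src, _), pkts in buckets.items():
        peak[src] = max(peak[src], pkts)
    return {src: pps for src, pps in peak.items() if pps >= pps_threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for asn, total in top_source_asns(flows):
        print(f"{asn}: {total / 1e6:.1f} MB")
    print("outbound candidates:", flag_outbound_sources(flows))
```

On the constructed data, ISP A tops the byte ranking even though ISP B's single host sends the most, which is the distinction between the per-network attribution Ferguson describes and the per-customer detection an ISP needs to act on the degradation Dobbins describes.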

Aisuru's Origins and Evolution

Aisuru is built upon code leaked in 2016 by the creators of the Mirai IoT botnet. Like Aisuru, Mirai was used to launch massive DDoS attacks, including a 620 gigabit-per-second siege that sidelined KrebsOnSecurity for nearly four days in 2016. Aisuru's operators also appear to be renting out their botnet as a distributed proxy network, allowing cybercriminals to anonymize their malicious traffic.

A depiction of the outages caused by the Mirai botnet attacks against the internet infrastructure firm Dyn on October 21, 2016
Image courtesy of Krebs on Security

Rapid Spread and Vulnerabilities

Aisuru has been rumored to exploit multiple zero-day vulnerabilities in IoT devices to facilitate its rapid growth. XLab reported that one of the Aisuru botmasters compromised the firmware distribution website for Totolink, a maker of low-cost routers. This allowed them to distribute malicious scripts and expand the botnet.

A malicious script implanted into a Totolink update server in April 2025
Image courtesy of Krebs on Security

Key Figures Behind Aisuru

XLab identified three key figures operating Aisuru: "Snow," responsible for botnet development; "Tom," tasked with finding new vulnerabilities; and "Forky," responsible for botnet sales. KrebsOnSecurity interviewed Forky in May 2025, identifying him as a 21-year-old from Sao Paulo, Brazil. Forky also operates a DDoS mitigation service called Botshield.

Forky
Image courtesy of Krebs on Security

