Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure
Summary
The Aisuru botnet, a Turbo Mirai-class IoT threat, continues its campaign of record-breaking DDoS attacks, most recently with Microsoft mitigating a **5.72 Tbps** assault targeting an Australian endpoint—now the largest attack observed in the cloud. This follows prior attacks exceeding **22.2 Tbps** (Cloudflare) and **15.72 Tbps** (Microsoft Azure), all leveraging over **500,000 compromised IoT devices** (routers, cameras, DVRs) primarily hosted on U.S. ISPs like AT&T and Comcast. Aisuru’s operators—identified as cybercriminals *Snow*, *Tom*, and *Forky*—have expanded the botnet’s use beyond DDoS, renting infected devices as **residential proxies** for credential stuffing, AI scraping, and phishing. The botnet avoids targeting government or military infrastructure but focuses on **online gaming communities**, causing repeated outages for ISPs. Recent disclosures reveal Aisuru’s **preventive measures** to evade law enforcement scrutiny, while compromised devices from dismantled botnets (e.g., Eleven11/RapperBot) remain at risk of re-infection. Cloudflare and Microsoft have both redacted Aisuru-linked domains from public rankings after they displaced legitimate sites like Amazon and Google, highlighting the botnet’s manipulation of DNS query volumes.
Timeline
-
17.11.2025 19:13 2 articles · 1d ago
Microsoft Azure hit by 15.72 Tbps DDoS attack using Aisuru botnet
Microsoft Azure was hit by a **15.72 Tbps** DDoS attack in November 2025, followed by a **5.72 Tbps** attack on November 18—now the largest ever observed in Microsoft’s cloud. Both attacks targeted Australian endpoints using **UDP floods from 500,000+ source IPs** with minimal spoofing, simplifying traceback. The Aisuru botnet, powered by compromised IoT devices (routers, cameras, DVRs), leverages **Turbo Mirai** variants to exploit vulnerabilities in Realtek chips and firmware from manufacturers like T-Mobile and Zyxel. Aisuru’s operators have implemented **preventive measures** to avoid targeting government, law enforcement, or military infrastructure, focusing instead on online gaming and DDoS-for-hire services. The botnet’s infrastructure also supports **residential proxy networks**, enabling credential stuffing, AI-driven web scraping, and phishing. The botnet’s rapid growth stems from exploits like the **April 2025 Totolink firmware breach**, which infected ~100,000 devices.
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
06.11.2025 04:04 2 articles · 13d ago
Aisuru botnet manipulates Cloudflare's top domains list
Aisuru botnet domains have repeatedly appeared in Cloudflare's top domains list, displacing legitimate sites like Amazon, Apple, Google, and Microsoft. Cloudflare redacted these domains from their top domains list to address security and brand confusion concerns. The botnet's domains were using Cloudflare's DNS server 1.1.1.1, shifting from Google's 8.8.8.8. Cloudflare's domain ranking system is based on DNS query volume, not actual web visits. Cloudflare CEO Matthew Prince confirmed that the botnet was generating excessive DNS requests to influence rankings and attack Cloudflare's DNS service. Cloudflare plans to improve its ranking algorithm to better distinguish between legitimate and malicious traffic. The botnet's domains were predominantly registered in the .su top-level domain, frequently abused for cybercrime. Cloudflare removed multiple domains linked to the Aisuru botnet from its public 'Top Domains' rankings after they began overtaking legitimate sites. Cloudflare now redacts or completely hides suspected malicious domains to avoid similar incidents in the future.
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
29.10.2025 02:51 2 articles · 21d ago
Aisuru botnet spreads to 700,000 IoT systems
The Aisuru botnet has spread to at least 700,000 IoT systems, including poorly secured Internet routers and security cameras. The botnet's operators have demonstrated DDoS capabilities of nearly 30 Tbps, exceeding the mitigation capabilities of most Internet destinations. The botnet has caused significant operational impact on U.S.-based ISPs, with outbound DDoS attacks exceeding 1.5 Tbps. The botnet's operators have been actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks. The botnet's operators have been using multiple zero-day vulnerabilities in IoT devices to aid its rapid growth. The botnet's operators have been selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots. The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations. The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022. The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services. The botnet's operators have been renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic. The botnet's operators have also compromised the firmware distribution website for Totolink to expand the botnet. The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices.
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
-
10.10.2025 19:10 3 articles · 1mo ago
Aisuru botnet operators rent out botnet as proxy network
The botnet's operators have updated their malware to rent out compromised devices as residential proxies, facilitating cybercriminal activities. The botnet's operators are actively involved in the proxy network industry, enabling aggressive content scraping for AI projects. The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations. The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022. The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services. The botnet's operators have been renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic. The botnet's operators have also compromised the firmware distribution website for Totolink to expand the botnet. The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices. The botnet's operators have been actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks. The botnet's operators have been using multiple zero-day vulnerabilities in IoT devices to aid its rapid growth. The botnet's operators have been selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots.
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
-
23.09.2025 18:58 5 articles · 1mo ago
Cloudflare blocks 22.2 Tbps DDoS attack
The attack was aimed at a single IP address of an unnamed European network infrastructure company. The attack was traced to over 404,000 unique source IPs across over 14 ASNs worldwide. The attack was described as a UDP carpet bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47,000 ports. The attack was conducted using the Aisuru botnet, which has been around for more than a year. The botnet is powered by hacked IoT devices such as routers and DVRs that have been compromised through the exploitation of known and zero-day vulnerabilities. The botnet's operators have been renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic. The botnet's operators have also compromised the firmware distribution website for Totolink to expand the botnet. The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices. The botnet's operators have been actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks. The botnet's operators have been using multiple zero-day vulnerabilities in IoT devices to aid its rapid growth. The botnet's operators have been selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots. The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations. The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022. 
The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services.
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
02.09.2025 18:52 6 articles · 2mo ago
Cloudflare blocks 11.5 Tbps UDP flood DDoS attack
The attack was part of a series of hyper-volumetric DDoS attacks that have been increasing in frequency and intensity. Cloudflare's defenses have autonomously blocked hundreds of such attacks in recent weeks, with the largest reaching peaks of 5.1 Bpps, 11.5 Tbps, and now 22.2 Tbps. The attack was conducted using botnets that infected various devices with malware. Volumetric DDoS attacks can be used as a cover for more sophisticated exploits, known as 'smoke screen' attacks. The attack was actually sourced from a combination of several IoT and cloud providers, not just Google Cloud. The attack's complexity and impact on users are highlighted as critical factors, not just its magnitude. The attack occurred in mid-May right after Cloudflare's publication of its quarterly DDoS threat report. The attacks reached 6.5Tbps and delivered 4.8 billion packets per second (pps). The Aisuru botnet has been responsible for a series of increasingly massive and disruptive attacks, targeting mostly ISPs that serve online gaming communities like Minecraft. The botnet's firepower is now drawing a majority of its power from compromised IoT devices hosted on U.S. Internet providers like AT&T, Comcast, and Verizon. The botnet's operators have been renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic. The botnet's operators have also compromised the firmware distribution website for Totolink to expand the botnet. The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices. The botnet's operators have been actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks. The botnet's operators have been using multiple zero-day vulnerabilities in IoT devices to aid its rapid growth. 
The botnet's operators have been selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots. The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations. The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022. The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services.
- Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps — www.bleepingcomputer.com — 02.09.2025 18:52
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
Information Snippets
-
The attack peaked at 11.5 Tbps and was a UDP flood.
First reported: 02.09.2025 18:52 · 3 sources, 3 articles
- Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps — www.bleepingcomputer.com — 02.09.2025 18:52
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
The attack lasted approximately 35 seconds.
First reported: 02.09.2025 18:52 · 3 sources, 3 articles
- Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps — www.bleepingcomputer.com — 02.09.2025 18:52
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
The attack primarily originated from Google Cloud.
First reported: 02.09.2025 18:52 · 3 sources, 3 articles
- Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps — www.bleepingcomputer.com — 02.09.2025 18:52
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
Cloudflare has seen a significant increase in DDoS attacks, with a 198% quarter-over-quarter increase and a 358% year-over-year jump in 2024.
First reported: 02.09.2025 18:52 · 2 sources, 2 articles
- Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps — www.bleepingcomputer.com — 02.09.2025 18:52
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
-
Cloudflare mitigated 21.3 million DDoS attacks targeting its customers and 6.6 million attacks targeting its own infrastructure in 2024.
First reported: 02.09.2025 18:52 · 2 sources, 2 articles
- Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps — www.bleepingcomputer.com — 02.09.2025 18:52
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
-
The attacks included SYN flood attacks, Mirai-generated DDoS attacks, and SSDP amplification attacks.
First reported: 02.09.2025 18:52 · 1 source, 1 article
- Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps — www.bleepingcomputer.com — 02.09.2025 18:52
-
Network-layer attacks saw a 509% year-over-year increase in 2025.
First reported: 02.09.2025 18:52 · 1 source, 1 article
- Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps — www.bleepingcomputer.com — 02.09.2025 18:52
-
The attack was part of a series of hyper-volumetric DDoS attacks that have been increasing in frequency and intensity.
First reported: 03.09.2025 10:49 · 5 sources, 5 articles
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
-
Cloudflare's defenses have autonomously blocked hundreds of such attacks in recent weeks.
First reported: 03.09.2025 10:49 · 5 sources, 6 articles
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
-
The largest attacks reached peaks of 5.1 Bpps and 11.5 Tbps.
First reported: 03.09.2025 10:49 · 5 sources, 5 articles
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
-
The attack was conducted using botnets that infected various devices with malware.
First reported: 03.09.2025 10:49 · 4 sources, 4 articles
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
-
Volumetric DDoS attacks can be used as a cover for more sophisticated exploits, known as 'smoke screen' attacks.
First reported: 03.09.2025 10:49 · 1 source, 1 article
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
-
The 11.5 Tbps attack was actually sourced from a combination of several IoT and cloud providers, not just Google Cloud.
First reported: 03.09.2025 10:49 · 2 sources, 2 articles
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
The attack was mitigated by Cloudflare's robust DDoS detection and mitigation capabilities.
First reported: 03.09.2025 10:49 · 2 sources, 2 articles
- Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack — thehackernews.com — 03.09.2025 10:49
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
The attack was part of a series of hyper-volumetric DDoS attacks that have been increasing in frequency and intensity.
First reported: 03.09.2025 23:34 · 1 source, 1 article
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
Volumetric attacks are typically designed to overwhelm servers or networks, causing them to slow or shut down completely.
First reported: 03.09.2025 23:34 · 1 source, 1 article
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
The high volume of attacks makes it difficult for defenses to distinguish legitimate requests from malicious ones.
First reported: 03.09.2025 23:34 · 1 source, 1 article
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
According to researchers at Akamai, volumetric attacks account for around 75% of distributed denial-of-service (DDoS) attacks.
First reported: 03.09.2025 23:34 · 1 source, 1 article
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
The attack occurred in mid-May right after Cloudflare's publication of its quarterly DDoS threat report.
First reported: 03.09.2025 23:34 · 2 sources, 2 articles
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
-
The attacks reached 6.5 Tbps and delivered 4.8 billion packets per second (pps).
First reported: 03.09.2025 23:34 · 1 source, 1 article
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
The magnitude of the attack may not be the most important factor; the complexity of the attack and its impact on users are more critical.
First reported: 03.09.2025 23:34 · 1 source, 1 article
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
DDoS defense cannot truly be measured by dropped packets, but by user experience.
First reported: 03.09.2025 23:34 · 1 source, 1 article
- Cloudflare Holds Back the Tide on 11.5Tbps DDoS Attack — www.darkreading.com — 03.09.2025 23:34
-
Cloudflare mitigated a new record-breaking DDoS attack peaking at 22.2 Tbps and 10.6 Bpps.
First reported: 23.09.2025 18:58 · 3 sources, 4 articles
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The attack lasted 40 seconds and was volumetric in nature.
First reported: 23.09.2025 18:58 · 3 sources, 4 articles
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The volume of traffic was equivalent to streaming one million 4K videos simultaneously.
First reported: 23.09.2025 18:58 · 3 sources, 4 articles
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The packet rate of 10.6 Bpps is roughly equivalent to 1.3 web page refreshes per second from every person on the planet.
First reported: 23.09.2025 18:58 · 3 sources, 4 articles
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The large volume of packets makes it difficult for firewalls, routers, and load balancers to process the requests.
First reported: 23.09.2025 18:58 · 2 sources, 2 articles
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
-
The 11.5 Tbps DDoS attack was attributed to the AISURU botnet, which has infected over 300,000 devices worldwide.
First reported: 23.09.2025 18:58 · 4 sources, 5 articles
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
The AISURU botnet targets vulnerabilities in IP cameras, DVRs/NVRs, Realtek chips, and routers from various manufacturers.
First reported: 23.09.2025 18:58 · 4 sources, 5 articles
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack — www.bleepingcomputer.com — 23.09.2025 18:58
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
The attack was aimed at a single IP address of an unnamed European network infrastructure company.
First reported: 24.09.2025 12:24 · 2 sources, 2 articles
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The attack was traced to over 404,000 unique source IPs across over 14 ASNs worldwide.
First reported: 24.09.2025 12:24 · 2 sources, 2 articles
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The attack was described as a UDP carpet bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47,000 ports.
First reported: 24.09.2025 12:24 · 2 sources, 2 articles
- Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps — www.securityweek.com — 24.09.2025 12:24
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The Aisuru botnet has been responsible for a series of increasingly massive and disruptive attacks, targeting mostly ISPs that serve online gaming communities like Minecraft.
First reported: 10.10.2025 19:10 · 2 sources, 2 articles
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet now draws a majority of its firepower from compromised IoT devices hosted on U.S. Internet providers like AT&T, Comcast, and Verizon.
First reported: 10.10.2025 19:10 · 2 sources, 3 articles
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators are renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic.
First reported: 10.10.2025 19:10 · 3 sources, 4 articles
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
The botnet's operators have compromised the firmware distribution website for Totolink, a maker of low-cost routers and other networking gear, to expand the botnet.
First reported: 10.10.2025 19:10 · 2 sources, 3 articles
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices.
First reported: 10.10.2025 19:10 · 2 sources, 2 articles
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators are actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks.
First reported: 10.10.2025 19:10 · 2 sources, 4 articles
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators are using multiple zero-day vulnerabilities in IoT devices to aid the botnet's rapid growth.
First reported: 10.10.2025 19:10 (2 sources, 3 articles)
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators are selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots.
First reported: 10.10.2025 19:10 (3 sources, 4 articles)
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations.
First reported: 10.10.2025 19:10 (2 sources, 3 articles)
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet.
First reported: 10.10.2025 19:10 (2 sources, 2 articles)
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022.
First reported: 10.10.2025 19:10 (2 sources, 3 articles)
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators have been identified as operating a DDoS mitigation service called Botshield.
First reported: 10.10.2025 19:10 (2 sources, 3 articles)
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services.
First reported: 10.10.2025 19:10 (2 sources, 3 articles)
- DDoS Botnet Aisuru Blankets US ISPs in Record DDoS — krebsonsecurity.com — 10.10.2025 19:10
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The Aisuru botnet has spread to at least 700,000 IoT systems, including poorly secured Internet routers and security cameras.
First reported: 29.10.2025 02:51 (2 sources, 2 articles)
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Aisuru launched a 6.3 Tbps DDoS attack against KrebsOnSecurity.com in June, the largest attack Google had mitigated at the time.
First reported: 29.10.2025 02:51 (2 sources, 2 articles)
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Aisuru's operators have demonstrated DDoS capabilities of nearly 30 Tbps, exceeding the mitigation capabilities of most Internet destinations.
First reported: 29.10.2025 02:51 (2 sources, 3 articles)
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet has caused significant operational impact on U.S.-based ISPs, with outbound DDoS attacks exceeding 1.5 Tbps.
First reported: 29.10.2025 02:51 (3 sources, 4 articles)
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
Aisuru's operators recently updated their malware to rent out compromised devices as residential proxies, facilitating cybercriminal activities.
First reported: 29.10.2025 02:51 (3 sources, 3 articles)
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
The botnet's operators are actively involved in the proxy network industry, enabling aggressive content scraping for AI projects.
First reported: 29.10.2025 02:51 (2 sources, 2 articles)
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services.
First reported: 29.10.2025 02:51 (2 sources, 2 articles)
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet.
First reported: 29.10.2025 02:51 (2 sources, 2 articles)
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022.
First reported: 29.10.2025 02:51 (2 sources, 2 articles)
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations.
First reported: 29.10.2025 02:51 (2 sources, 2 articles)
- Aisuru Botnet Shifts from DDoS to Residential Proxies — krebsonsecurity.com — 29.10.2025 02:51
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Aisuru botnet domains have repeatedly appeared in Cloudflare's top domains list, displacing legitimate sites like Amazon, Apple, Google, and Microsoft.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Cloudflare redacted Aisuru domains from their top domains list to address security and brand confusion concerns.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Aisuru botnet domains mimicked major cloud providers and included personal addresses, causing privacy and trust issues.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The botnet's domains were using Cloudflare's DNS server 1.1.1.1, shifting from Google's 8.8.8.8.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Cloudflare's domain ranking system is based on DNS query volume, not actual web visits.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Cloudflare CEO Matthew Prince confirmed that the botnet was generating excessive DNS requests to influence rankings and attack Cloudflare's DNS service.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Cloudflare plans to improve its ranking algorithm to better distinguish between legitimate and malicious traffic.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Aisuru botnet domains were predominantly registered in the .su top-level domain, frequently abused for cybercrime.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
DNS queries for Aisuru domains observed by Cloudflare originated mostly from the United States, aligning with previous reports of U.S.-hosted IoT devices.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Cloudflare's top domains list is used by various systems for trust and safety determination, highlighting the impact of malicious domain inclusion.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Cloudflare's blog post from October 27 noted .su's high DNS magnitude, associated with a popular online game and significant U.S. queries.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Blocking the .su TLD may help detect Aisuru bot activity without affecting legitimate traffic.
First reported: 06.11.2025 04:04 (2 sources, 2 articles)
- Cloudflare Scrubs Aisuru Botnet from Top Domains List — krebsonsecurity.com — 06.11.2025 04:04
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Microsoft Azure was hit by a 15.72 Tbps DDoS attack using over 500,000 IP addresses.
First reported: 17.11.2025 19:13 (1 source, 1 article)
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
The attack used extremely high-rate UDP floods targeting a specific public IP address in Australia, reaching nearly 3.64 billion packets per second (bpps).
First reported: 17.11.2025 19:13 (2 sources, 2 articles)
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
The attack originated from the Aisuru botnet, a Turbo Mirai-class IoT botnet that frequently causes record-breaking DDoS attacks by exploiting compromised home routers and cameras.
First reported: 17.11.2025 19:13 (2 sources, 2 articles)
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
The botnet targets security vulnerabilities in IP cameras, DVRs/NVRs, Realtek chips, and routers from T-Mobile, Zyxel, D-Link, and Linksys.
First reported: 17.11.2025 19:13 (2 sources, 2 articles)
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
The botnet suddenly ballooned in size in April 2025 after its operators breached a TotoLink router firmware update server and infected approximately 100,000 devices.
First reported: 17.11.2025 19:13 (1 source, 1 article)
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Cloudflare removed multiple domains linked to the Aisuru botnet from its public 'Top Domains' rankings after they began overtaking legitimate sites.
First reported: 17.11.2025 19:13 (1 source, 1 article)
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Cloudflare now redacts or completely hides suspected malicious domains to avoid similar incidents in the future.
First reported: 17.11.2025 19:13 (1 source, 1 article)
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Cloudflare mitigated a record number of DDoS attacks last year, with a 198% quarter-over-quarter jump and a massive 358% year-over-year increase.
First reported: 17.11.2025 19:13 (1 source, 1 article)
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
In total, Cloudflare blocked 21.3 million DDoS attacks targeting its customers throughout 2024, as well as another 6.6 million attacks targeting its own infrastructure during an 18-day multi-vector campaign.
First reported: 17.11.2025 19:13 (1 source, 1 article)
- Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses — www.bleepingcomputer.com — 17.11.2025 19:13
-
Microsoft automatically detected and mitigated a 5.72 Tbps DDoS attack targeting a single endpoint in Australia, marking the largest attack ever observed in the cloud by Microsoft.
First reported: 18.11.2025 10:17 (1 source, 1 article)
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
The attack used minimal source IP spoofing and random source ports, simplifying traceback and enforcement by providers.
First reported: 18.11.2025 10:17 (1 source, 1 article)
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
AISURU operators have implemented measures to avoid targeting governmental, law enforcement, military, and national security properties.
First reported: 18.11.2025 10:17 (1 source, 1 article)
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
Most observed AISURU attacks are related to online gaming, according to NETSCOUT.
First reported: 18.11.2025 10:17 (1 source, 1 article)
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
The botnet’s multi-use functions include credential stuffing, AI-driven web scraping, spamming, and phishing beyond DDoS attacks.
First reported: 18.11.2025 10:17 (1 source, 1 article)
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
The Eleven11 (RapperBot) botnet launched ~3,600 DDoS attacks between February and August 2025 before its dismantling, with C2 servers using the ".libre" TLD.
First reported: 18.11.2025 10:17 (1 source, 1 article)
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
-
Compromised IoT devices from dismantled botnets like Eleven11 remain vulnerable and may be re-hijacked for future botnets.
First reported: 18.11.2025 10:17 (1 source, 1 article)
- Microsoft Mitigates Record 5.72 Tbps DDoS Attack Driven by AISURU Botnet — thehackernews.com — 18.11.2025 10:17
Similar Happenings
Increased Botnet Activity Targeting PHP Servers, IoT Devices, and Cloud Gateways
Botnets such as Mirai, Gafgyt, and Mozi are exploiting known vulnerabilities and cloud misconfigurations to target PHP servers, IoT devices, and cloud gateways. This trend is driven by the widespread use of PHP in web applications and the prevalence of cloud misconfigurations, which expand the attack surface. The attacks aim at remote code execution (RCE) and data theft. The vulnerabilities exploited include CVE-2022-47945 in ThinkPHP, CVE-2021-3129 in Laravel Ignition, and CVE-2017-9841 in PHPUnit. Additionally, insecure configurations and exposed AWS credentials are being targeted. IoT devices with outdated firmware and cloud-native environments are also at risk, with botnets being used for credential stuffing and password spraying campaigns. Xdebug debugging sessions are being exploited to gain insight into application behavior or extract sensitive data. The scanning activity often originates from cloud infrastructures like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud, illustrating how threat actors are abusing legitimate services to their advantage while obscuring their true origins.
Microsoft reports surge in AI-driven cyber threats and defenses
Microsoft's Digital Defense Report 2025 highlights a dramatic escalation in AI-driven cyber attacks. Microsoft systems analyze over 100 trillion security signals daily, indicating the growing sophistication and volume of cyber threats. Adversaries are leveraging generative AI to automate phishing, scale social engineering, and discover vulnerabilities faster than humans can patch them. Autonomous malware adapts tactics in real-time to bypass security systems, and AI tools themselves are becoming high-value targets. Microsoft's AI-powered defenses have reduced response times from hours to seconds, but defenders must remain vigilant as AI increases the speed and impact of cyber operations. Identity compromise remains a dominant attack vector, with phishing and social engineering accounting for 28% of breaches. Multi-factor authentication (MFA) prevents over 99% of unauthorized access attempts, but adoption rates are uneven. The rise of infostealers has fueled credential-based intrusions. The United States accounted for 24.8% of all observed attacks between January and June 2025, followed by the United Kingdom, Israel, and Germany. Government agencies, IT providers, and research institutions were among the most frequently targeted sectors. Ransomware remains a primary threat, with over 40% of recent cases involving hybrid cloud components.
Large-scale RDP targeting campaign detected from multi-country botnet
A large-scale botnet targeting Remote Desktop Protocol (RDP) services in the United States has been detected. The campaign, which began on October 8, 2025, originates from over 100,000 IP addresses across multiple countries. The botnet uses two primary attack methods: RD Web Access timing attacks and RDP web client login enumeration. The botnet's activity was first detected by GreyNoise, a threat monitoring platform, following an unusual traffic spike from Brazil. Subsequent activity was observed from Argentina, Iran, China, Mexico, Russia, South Africa, Ecuador, and over 100 countries in total. The campaign highlights the ongoing threat to RDP services, which are commonly used by administrators, helpdesk staff, and remote workers. Attackers often exploit vulnerabilities, perform brute-force logins, or use timing attacks to gain unauthorized access.
RondoDox botnet exploits 56 n-day vulnerabilities in global attacks
The RondoDox botnet has been actively exploiting over 50 vulnerabilities across more than 30 vendors since May 2025. The botnet uses an 'exploit shotgun' strategy to maximize infections, targeting both older and more recent vulnerabilities. The list of exploited vulnerabilities includes CVE-2023-1389, a flaw in the TP-Link Archer AX21 Wi-Fi router, and others demonstrated at Pwn2Own events. The botnet's activity poses significant risks, especially for devices that have reached end-of-life and are more likely to remain unpatched. Many users also tend to ignore firmware updates for supported hardware, increasing the risk of exploitation. The botnet targets 35 to 40 vulnerabilities found in consumer-oriented devices, which are often unmanaged and rarely updated. In late September, a 230% surge in the botnet's attacks was reported, fueled by the exploitation of weak credentials, unsanitized input, and old CVEs. The infected devices are abused for cryptocurrency mining, distributed denial-of-service (DDoS) attacks, and for hacking into enterprise networks. The botnet's impact scale is potentially quite large, though not yet fully known. To mitigate the threat, users are advised to apply the latest firmware updates, replace end-of-life equipment, segment their networks, and use strong, unique passwords.
Technology Sector Surpasses Gaming as Top DDoS Attack Target in Q1–Q2 2025
The Gcore Radar report for Q1–Q2 2025 reveals a 41% year-on-year increase in DDoS attack volume, with the technology sector now the most targeted, surpassing gaming. The largest recorded attack peaked at 2.2 Tbps, demonstrating growing scale and sophistication in DDoS campaigns. Attacks are longer, multi-layered, and increasingly target web applications and APIs. The financial services industry remains a significant target, facing heightened risks. The report highlights the rising complexity and impact of DDoS attacks, driven by accessible attack tools, vulnerable IoT devices, geopolitical tensions, and advanced attack techniques. The shift in targeted industries and the increasing use of multi-vector and application-layer attacks underscore the need for robust, proactive defenses.