CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure

First reported
Last updated
5 unique sources, 14 articles

Summary

Hide ▲

The **Aisuru botnet** and its **Android-focused sibling, Kimwolf**, now represent a **multi-botnet threat ecosystem** with **over 4 million compromised devices** (1–4M IoT for Aisuru; **>2M Android TVs/boxes** for Kimwolf). Together, they have executed **record-breaking DDoS campaigns** (e.g., Aisuru’s **29.7 Tbps** in Q3 2025; Kimwolf’s **1.7 billion attack commands** in three days) while evolving into **large-scale residential proxy networks** for cybercrime monetization. Since October 2025, **over 550 C2 nodes** tied to both botnets were **null-routed** by Black Lotus Labs, disrupting operations but revealing their resilience. Kimwolf’s infrastructure—hosted on providers like **Resi Rack LLC** (linked to a **Discord-based proxy marketplace**)—exploited **exposed ADB services** and **proxy service flaws** to hijack devices, while Aisuru’s IoT army targeted **telecom, financial services, AI firms, and automotive sectors**. Both botnets share **operators (Snow, Tom, Forky)**, **code-signing certificates**, and **EtherHiding (ENS domains)** for C2 resilience, with Kimwolf’s **96% of commands** dedicated to proxy services. Collateral damage includes **disruptions to U.S. ISPs, critical infrastructure, and global DNS services**, with **Cloudflare and Microsoft** mitigating thousands of hyper-volumetric attacks. The botnets’ **rapid tactical shifts**—from DDoS to proxy monetization—underscore their systemic risk to internet stability, now compounded by **automated router exploitation** (e.g., 832 KeeneticOS devices in Russia) and **cross-botnet collaboration**.

Timeline

  1. 17.12.2025 20:09 2 articles · 29d ago

    Kimwolf botnet emerges as Aisuru sibling, hijacks 1.8M Android devices

    The **Kimwolf botnet** was discovered in December 2025, initially hijacking **1.8 million Android TVs/set-top boxes** but now expanded to **over 2 million infected devices** by exploiting **exposed Android Debug Bridge (ADB)** services and tunneling through residential proxy networks. Operated by the **same hacker group** as Aisuru (Snow, Tom, Forky), Kimwolf shares **code, infrastructure, and a common downloader server (93.95.112[.]59)**, with **96% of commands** dedicated to **proxy services** (via **ByteConnect SDK** and **Rust modules**). Since October 2025, **over 550 Kimwolf/Aisuru C2 nodes** were **null-routed** by Black Lotus Labs, including domains like *greatfirewallisacensorshiptool.14emeliaterracewestroxburyma02132[.]su* (hosted on **Resi Rack LLC**, a Utah provider tied to a **Discord proxy marketplace**). Kimwolf’s infrastructure **scanned PYPROXY services** (October 20–November 6, 2025) to exploit a flaw enabling internal network access, fueling a **300% bot surge** (800K new devices in a week) sold via **resi[.]to**. The botnet’s **C2 domains migrated between Resi Rack IPs** (e.g., *104.171.170[.]21 → 104.171.170[.]201*) post-takedown, with traffic spiking to **176.65.149[.]19:25565**, a malware host shared with Aisuru. Kimwolf’s **EtherHiding** (ENS domains like *pawsatyou[.]eth*) and **proxy monetization** (bandwidth sold for upfront cash) reflect the group’s **shift toward Android-based infections** and **multi-botnet coordination**, escalating risks to **ISP stability, AI scraping, and critical infrastructure**. A parallel **proxy network of 832 compromised KeeneticOS routers** (Russian ISPs) was also uncovered, using **automated SSH/HTTP access**—a tactic aligning with Kimwolf’s residential proxy abuse, demonstrating the **broader ecosystem of consumer device exploitation**.

    Show sources
    Open in new tab
  2. 03.12.2025 16:01 2 articles · 1mo ago

    Aisuru botnet sets 29.7 Tbps DDoS record with expanded targets

    In Q3 2025, the Aisuru botnet launched a **29.7 Tbps DDoS attack** (the largest recorded to date) and a **14.1 Bpps assault**, both mitigated by Cloudflare. The 29.7 Tbps attack lasted **69 seconds**, used **UDP carpet-bombing** to flood **15,000+ destination ports/second**, and was part of **1,304 hyper-volumetric incidents** in Q3—a **227% QoQ increase** for >1 Tbps attacks. Cloudflare mitigated **2,867 Aisuru attacks in 2025** (45% hyper-volumetric) and **36.2 million DDoS attacks total** (40% YoY increase), with **8.3 million blocked in Q3 alone** (15% QoQ rise). The botnet now controls **1–4 million infected hosts** (up from 700,000) and has expanded targets beyond gaming to **telecom, hosting, financial services, AI companies, and automotive sectors**. Attacks originated from **Indonesia, Thailand, Bangladesh, Vietnam, and Ecuador**, with **70% of HTTP DDoS attacks** linked to known botnets. Cloudflare averaged **3,780 mitigations/hour** in Q3, noting **347% spike in AI-sector attacks** and **automotive becoming the 6th most targeted industry**. Collateral traffic continues to disrupt **uninvolved U.S. ISPs and critical infrastructure**, underscoring systemic risks to global internet stability.

    Show sources
    Open in new tab
  3. 17.11.2025 19:13 2 articles · 1mo ago

    Microsoft Azure hit by 15.72 Tbps DDoS attack using Aisuru botnet

    Microsoft Azure was hit by a **15.72 Tbps** DDoS attack in November 2025, followed by a **5.72 Tbps** attack on November 18—now the largest ever observed in Microsoft’s cloud. Both attacks targeted Australian endpoints using **UDP floods from 500,000+ source IPs** with minimal spoofing, simplifying traceback. The Aisuru botnet, powered by compromised IoT devices (routers, cameras, DVRs), leverages **Turbo Mirai** variants to exploit vulnerabilities in Realtek chips and firmware from manufacturers like T-Mobile and Zyxel. Aisuru’s operators have implemented **preventive measures** to avoid targeting government, law enforcement, or military infrastructure, focusing instead on online gaming and DDoS-for-hire services. The botnet’s infrastructure also supports **residential proxy networks**, enabling credential stuffing, AI-driven web scraping, and phishing. The botnet’s rapid growth stems from exploits like the **April 2025 Totolink firmware breach**, which infected ~100,000 devices.

    Show sources
    Open in new tab
  4. 06.11.2025 04:04 2 articles · 2mo ago

    Aisuru botnet manipulates Cloudflare's top domains list

    Aisuru botnet domains have repeatedly appeared in Cloudflare's top domains list, displacing legitimate sites like Amazon, Apple, Google, and Microsoft. Cloudflare redacted these domains from their top domains list to address security and brand confusion concerns. The botnet's domains were using Cloudflare's DNS server 1.1.1.1, shifting from Google's 8.8.8.8. Cloudflare's domain ranking system is based on DNS query volume, not actual web visits. Cloudflare CEO Matthew Prince confirmed that the botnet was generating excessive DNS requests to influence rankings and attack Cloudflare's DNS service. Cloudflare plans to improve its ranking algorithm to better distinguish between legitimate and malicious traffic. The botnet's domains were predominantly registered in the .su top-level domain, frequently abused for cybercrime. Cloudflare removed multiple domains linked to the Aisuru botnet from its public 'Top Domains' rankings after they began overtaking legitimate sites. Cloudflare now redacts or completely hides suspected malicious domains to avoid similar incidents in the future.

    Show sources
    Open in new tab
  5. 29.10.2025 02:51 2 articles · 2mo ago

    Aisuru botnet spreads to 700,000 IoT systems

    The Aisuru botnet has spread to at least 700,000 IoT systems, including poorly secured Internet routers and security cameras. The botnet's operators have demonstrated DDoS capabilities of nearly 30 Tbps, exceeding the mitigation capabilities of most Internet destinations. The botnet has caused significant operational impact on U.S.-based ISPs, with outbound DDoS attacks exceeding 1.5 Tbps. The botnet's operators have been actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks. The botnet's operators have been using multiple zero-day vulnerabilities in IoT devices to aid its rapid growth. The botnet's operators have been selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots. The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations. The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022. The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services. The botnet's operators have been renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic. The botnet's operators have also compromised the firmware distribution website for Totolink to expand the botnet. The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices.

    Show sources
    Open in new tab
  6. 10.10.2025 19:10 4 articles · 3mo ago

    Aisuru botnet operators rent out botnet as proxy network

    The botnet's operators have updated their malware to rent out compromised devices as residential proxies, facilitating cybercriminal activities. The botnet's operators are actively involved in the proxy network industry, enabling aggressive content scraping for AI projects. The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations. The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022. The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services. The botnet's operators have been renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic. The botnet's operators have also compromised the firmware distribution website for Totolink to expand the botnet. The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices. The botnet's operators have been actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks. The botnet's operators have been using multiple zero-day vulnerabilities in IoT devices to aid its rapid growth. The botnet's operators have been selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots. **New Development:** A related botnet, **Kimwolf**, has emerged with **1.8 million infected Android TVs/set-top boxes**, sharing **code, infrastructure, and operators** with Aisuru. Kimwolf primarily focuses on **proxy services (96% of commands)** and uses **EtherHiding (ENS domains)** to evade takedowns, demonstrating the group’s **expanded monetization and resilience tactics**.

    Show sources
    Open in new tab
  7. 23.09.2025 18:58 6 articles · 3mo ago

    Cloudflare blocks 22.2 Tbps DDoS attack

    The attack was aimed at a single IP address of an unnamed European network infrastructure company. The attack was traced to over 404,000 unique source IPs across over 14 ASNs worldwide. The attack was described as a UDP carpet bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47,000 ports. The attack was conducted using the Aisuru botnet, which has been around for more than a year. **Update (December 2025):** Cloudflare later mitigated a **new record-breaking 29.7 Tbps attack** from Aisuru in Q3 2025, lasting **69 seconds** and using UDP carpet-bombing to target **15,000 destination ports/second**. This attack was part of **1,304 hyper-volumetric incidents** in Q3, marking a **227% QoQ increase** in >1 Tbps attacks. The botnet’s total infected hosts are now estimated at **1–4 million devices**, up from prior reports of 700,000.

    Show sources
    Open in new tab
  8. 02.09.2025 18:52 6 articles · 4mo ago

    Cloudflare blocks 11.5 Tbps UDP flood DDoS attack

    The attack was part of a series of hyper-volumetric DDoS attacks that have been increasing in frequency and intensity. Cloudflare's defenses have autonomously blocked hundreds of such attacks in recent weeks, with the largest reaching peaks of 5.1 Bpps, 11.5 Tbps, and now 22.2 Tbps. The attack was conducted using botnets that infected various devices with malware. Volumetric DDoS attacks can be used as a cover for more sophisticated exploits, known as 'smoke screen' attacks. The attack was actually sourced from a combination of several IoT and cloud providers, not just Google Cloud. The attack's complexity and impact on users are highlighted as critical factors, not just its magnitude. The attack occurred in mid-May right after Cloudflare's publication of its quarterly DDoS threat report. The attacks reached 6.5Tbps and delivered 4.8 billion packets per second (pps). The Aisuru botnet has been responsible for a series of increasingly massive and disruptive attacks, targeting mostly ISPs that serve online gaming communities like Minecraft. The botnet's firepower is now drawing a majority of its power from compromised IoT devices hosted on U.S. Internet providers like AT&T, Comcast, and Verizon. The botnet's operators have been renting out their botnet as a distributed proxy network, allowing cybercriminal customers to anonymize their malicious traffic. The botnet's operators have also compromised the firmware distribution website for Totolink to expand the botnet. The botnet's operators received an unexpected boost when the U.S. Department of Justice charged the alleged proprietor of Rapper Bot, a competing DDoS-for-hire botnet, leading to the commandeering of vulnerable IoT devices. The botnet's operators have been actively scanning the Internet for vulnerable devices and enslaving them for use in DDoS attacks. The botnet's operators have been using multiple zero-day vulnerabilities in IoT devices to aid its rapid growth. The botnet's operators have been selling the botnet as residential proxies, which are used to reflect application layer attacks through the proxies on the bots. The botnet's operators have been identified as three cybercriminals: Snow, Tom, and Forky, each responsible for different aspects of the botnet's operations. The botnet's operators have been involved in the development and marketing of Aisuru but deny participating in attacks launched by the botnet. The botnet's operators have been actively involved in the DDoS-for-hire scene since at least 2022. The botnet's operators have been identified as operating a DDoS mitigation service called Botshield, which has successfully mitigated large DDoS attacks launched against other DDoS-for-hire services.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

GoBruteforcer Botnet Expands Attacks on Linux Servers

The GoBruteforcer botnet has expanded its attacks to target databases of cryptocurrency and blockchain projects, exploiting weak credentials and misconfigured software. Over 50,000 publicly accessible servers are vulnerable, with the botnet turning compromised machines into scanning and attack nodes. A more capable variant of the malware, written in Go, was observed in mid-2025, featuring heavier obfuscation and stronger persistence. The botnet exploits predictable usernames and weak defaults, targeting exposed services like XAMPP and WordPress admin panels. Financial motives are evident, with tools found to scan TRON balances and sweep tokens on TRON and Binance Smart Chain. On-chain analysis confirms some successful attacks, though most affected addresses held small balances. The botnet uses common operational usernames such as 'myuser' and 'appuser', and common passwords like '123321' and 'testing'. GoBruteforcer campaigns tweak the credential sets depending on the target, including cryptocurrency-themed usernames and passwords.

Open in new tab

Mirai Broadside Botnet Targets Maritime IoT with Advanced Tactics

A new Mirai botnet variant, Broadside, is exploiting a critical-severity vulnerability (CVE-2024-3721) in TBK DVR to target the maritime logistics sector. Unlike previous Mirai variants, Broadside employs a custom C2 protocol, a unique 'Magic Header' signature, and an advanced 'Judge, Jury, and Executioner' module for exclusivity. It uses Netlink kernel sockets for stealthy, event-driven process monitoring and payload polymorphism to evade static defenses. Broadside attempts to maintain exclusive control over hosts by terminating other processes and harvesting system credential files to establish a strategic foothold. The botnet extends beyond denial-of-service attacks, aiming to compromise devices within the maritime sector, which could have significant operational and security implications.

Open in new tab

ShadowRay 2.0 Campaign Hijacks Ray Clusters for Cryptomining and DDoS Attacks

A threat actor, tracked as IronErn440, is exploiting an old code execution flaw (CVE-2023-48022) in exposed Ray Clusters to convert them into a self-propagating cryptomining botnet. The campaign, dubbed ShadowRay 2.0, also involves data and credentials theft, as well as distributed denial-of-service (DDoS) attacks. The vulnerability affects over 230,000 Ray servers exposed on the internet. The attacks use AI-generated payloads to compromise vulnerable Ray infrastructure, leveraging the Ray Jobs API to deploy malware across all nodes. The payloads include a crypto-mining module that mines Monero using XMRig, while evading detection by limiting CPU usage to 60%. The attacker also ensures exclusive mining access by terminating rival mining scripts and blocking other mining pools. The campaign has two attack waves: one using GitLab for payload delivery, which ended on November 5, and another using GitHub, ongoing since November 17. The attackers have also been found to use the Sockstress tool to launch DDoS attacks, targeting port 3333 commonly used by mining pools.

Open in new tab

Hacktivist-Driven DDoS Attacks Dominate Public Sector Cyber Incidents

Distributed denial of service (DDoS) attacks, primarily driven by hacktivist groups, represented the majority of cybersecurity incidents in the public sector in 2024. Although DDoS attacks were the most frequent, data breaches and ransomware incidents caused significant disruption. The public sector, which manages large volumes of sensitive data and delivers critical services, remains a key target for cyber threats. The European Union Agency for Cybersecurity (ENISA) reported that 60% of cybersecurity incidents in the public sector were DDoS attacks, with 63% attributed to hacktivist groups. Cybercriminals and state actors were responsible for most of the remaining incidents, which included data breaches and ransomware attacks. The public sector's resilience to cyber threats is still not optimal, and ENISA warns of increased attacks in the mid- to long-term.

Open in new tab

Increased Botnet Activity Targeting PHP Servers, IoT Devices, and Cloud Gateways

Botnets such as Mirai, Gafgyt, and Mozi are exploiting known vulnerabilities and cloud misconfigurations to target PHP servers, IoT devices, and cloud gateways. This trend is driven by the widespread use of PHP in web applications and the prevalence of cloud misconfigurations, which expand the attack surface. The attacks aim at remote code execution (RCE) and data theft. The vulnerabilities exploited include CVE-2022-47945 in ThinkPHP, CVE-2021-3129 in Laravel Ignition, and CVE-2017-9841 in PHPUnit. Additionally, insecure configurations and exposed AWS credentials are being targeted. IoT devices with outdated firmware and cloud-native environments are also at risk, with botnets being used for credential stuffing and password spraying campaigns. Xdebug debugging sessions are being exploited to gain insight into application behavior or extract sensitive data. The scanning activity often originates from cloud infrastructures like Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Digital Ocean, and Akamai Cloud, illustrating how threat actors are abusing legitimate services to their advantage while obscuring their true origins.

Open in new tab