Aisuru Botnet Sets New DDoS Records in Q3 2025

Aisuru proves that rented botnets can cripple national networks in minutes, forcing a rethink of how governments and industries defend critical systems.

by Ogbonda Chivumnovu
Key Takeaways:
• Aisuru commands 1–4 million infected devices globally, creating coordinated DDoS attacks that routinely exceed 1 Tbps and 1 billion packets per second.
• In Q3 2025, Aisuru launched 1,304 hyper-volumetric attacks, including a record 29.7 Tbps UDP flood, overwhelming traditional infrastructure.
• Network-layer attacks rose 87% QoQ, driven by poorly secured consumer devices; HTTP-layer attacks fell 41% due to automated defences but still included extreme bursts.

Remember the last time your internet froze mid-scroll, a video buffered endlessly, or a webpage refused to load? Now imagine that disruption scaled up to millions of users across an entire country, from a single command executed by a hacker renting a botnet for the price of a laptop.

In the third quarter of 2025, the world faced the Aisuru botnet, a massive, highly advanced cyber threat that hijacks millions of poorly secured devices to launch hyper-volumetric Distributed Denial of Service (DDoS) attacks. Cybersecurity firms have called it the “apex of botnets” because of the record-breaking size and scale of its attacks.

Hyper-Volumetric Attacks Reach New Heights

Cloudflare estimates that Aisuru commands between one and four million infected devices globally. These devices, ranging from smart cameras to home routers, simultaneously send traffic that routinely exceeds 1 terabit per second (Tbps) and 1 billion packets per second (Bpps).

This is because the botnet aggregates traffic from millions of devices, each sending thousands of requests per second, creating a coordinated surge far beyond what standard infrastructure can handle. In Q3 alone, Aisuru launched 1,304 hyper-volumetric attacks, including a record 29.7 Tbps UDP carpet-bombing attack targeting 15,000 destination ports per second.

The attack randomized packet attributes to evade detection, yet Cloudflare’s automated mitigation was still able to stop the threat, proving both the botnet’s destructive capacity and the growing necessity for autonomous defences.
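Because the packet attributes are randomized, a detector has more to work with if it keys on the shape of the traffic instead: many sources hitting many destination ports inside one prefix within a single second. The sketch below is an added example, not Cloudflare's mitigation logic; the flow-record layout, the /24 grouping, the thresholds (scaled down for the small sample) and all addresses are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network


def build_sample_flows():
    """Constructed flow records: (second, src_ip, dst_ip, dst_port, proto, bytes)."""
    flows = []
    # Second 100: ordinary DNS lookups from 20 clients to one resolver.
    for i in range(20):
        flows.append((100, f"198.51.100.{i + 1}", "203.0.113.10", 53, "udp", 80))
    # Second 101: constructed flood, 250 sources spraying 600 ports on 32 hosts.
    for i in range(600):
        flows.append((101, f"192.0.2.{i % 250 + 1}", f"203.0.113.{i % 32 + 1}",
                      1024 + i, "udp", 1400))
    # Second 102: heavy single-port stream from one source (volume, no fan-out).
    for _ in range(1000):
        flows.append((102, "198.51.100.200", "203.0.113.10", 443, "udp", 1400))
    return flows


def detect_carpet_bombing(flows, min_ports=500, min_sources=100, prefix_len=24):
    """Flag (second, destination prefix) windows with wide UDP port fan-out."""
    windows = defaultdict(
        lambda: {"ports": set(), "srcs": set(), "dsts": set(), "bytes": 0})
    for second, src, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        # Group by destination prefix so spreading across hosts does not hide it.
        prefix = str(ip_network(f"{dst}/{prefix_len}", strict=False))
        w = windows[(second, prefix)]
        w["ports"].add(dport)
        w["srcs"].add(src)
        w["dsts"].add(dst)
        w["bytes"] += nbytes
    alerts = []
    for (second, prefix), w in sorted(windows.items()):
        # Both conditions must hold: port fan-out AND a distributed source set.
        if len(w["ports"]) >= min_ports and len(w["srcs"]) >= min_sources:
            alerts.append({"second": second, "prefix": prefix,
                           "distinct_ports": len(w["ports"]),
                           "sources": len(w["srcs"]),
                           "dst_hosts": len(w["dsts"]),
                           "bits_per_second": w["bytes"] * 8})
    return alerts


if __name__ == "__main__":
    for alert in detect_carpet_bombing(build_sample_flows()):
        print(alert)
```

Only the second-101 window is flagged; the larger single-port stream in second 102 is not, which is the point of keying on fan-out instead of raw volume.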

Network-layer attacks dominated, making up 71% of total attacks. These rose 87% quarter-over-quarter (QoQ) because botnets like Aisuru increasingly exploited vast numbers of consumer devices, which are often poorly secured. In contrast, HTTP-layer attacks fell 41% QoQ, reflecting the effectiveness of automated protections against previously known botnets and widespread adoption of security measures in web applications.

Yet these attacks still included extreme bursts, with four out of every 100 exceeding one million requests per second. Most attacks lasted under ten minutes, but recovery often stretched for hours as IT teams restored data consistency and service reliability.

Collateral Damage Extends Beyond Targets

Aisuru’s attacks didn’t always stay confined to their intended targets. Their traffic moved through American ISPs at such volume that it slowed unrelated services across entire regions. Analyst Brian Krebs documented these slowdowns, showing how hyper-volumetric attacks strain public networks even when the victim sits elsewhere.

This is the new reality: an attack on one company can degrade hospitals, emergency dispatch centres, stock exchanges, and commuter networks downstream.

Aisuru’s rental model makes the situation much worse. Portions of the botnet are hired out for a few hundred to a few thousand dollars. With that, an inexperienced actor can unleash the kind of disruption once reserved for state-sponsored groups. Cloudflare mitigated 2,867 Aisuru attacks this year alone, a sign of how available and frequently deployed this botnet has become.

Politics, Protests, and the New Geography of Outages

The surge in attacks tracked tightly with real-world tension points. Mining, Minerals & Metals companies experienced spikes during the EU–China trade summit, reflecting tensions over EV tariffs and rare-earth exports. Automotive companies jumped 62 positions in attack rankings, while generative AI firms saw HTTP DDoS traffic surge 347% month-over-month, triggered by heightened scrutiny and regulatory debate in the UK.

Social unrest also aligned with attack surges. The Maldives saw a 125-place rise during nationwide protests, France rose 65 spots amid strikes, and Belgium climbed 63 places as demonstrations intensified. The United States rose 11 spots to become the fifth most attacked country. These patterns show that DDoS attacks now function as instruments to amplify the disruption caused by geopolitical and social events.

Changing Tactics and Persistent Threats

Aisuru relied heavily on UDP floods, which rose 231% QoQ as botnets exploited insecure devices. DNS, SYN, and ICMP floods followed, while Mirai variants remained active in 2% of network attacks. HTTP-layer attacks came largely from known botnets, enabling automatic protection, but newer attacks leveraged headless browsers and unusual request patterns.

Short, high-intensity attacks magnify disruption. Attacks exceeding 100 million packets per second rose 189% QoQ, while those above 1 Tbps increased 227% QoQ. Even attacks lasting only seconds triggered multi-step recovery processes, illustrating that hyper-volumetric attacks leave lasting operational and infrastructural challenges.

Traditional on-premise mitigation appliances and reactive scrubbing centres cannot manage attacks exceeding 1 Tbps or those lasting minutes. Cloud-based, automated defences capable of real-time detection and mitigation are critical. Cloudflare’s performance demonstrates that continuous, autonomous protection is now essential, especially as botnets operate as rentable services and the collateral damage of attacks can ripple through national networks.

Conclusion

Q3 2025 confirms that manual mitigation can’t keep up with attacks that move this fast. On-premise appliances cap out below the volumes Aisuru routinely produces, and scrubbing centres take too long to activate.

Only always-on, cloud-based automated systems kept the worst attacks from causing extended national-scale outages.

Now, governments, industries from AI to automotive, and critical service operators must recognise that cyber disruption can strike as quickly as a keystroke, with national and global consequences. The Aisuru era has arrived, resetting the boundaries of what cyberwarfare can achieve.
