AISURU/Kimwolf Botnet Unleashes Record-Breaking 31.4 Tbps DDoS Attack

In November 2025, the distributed denial-of-service (DDoS) botnet ecosystem known as AISURU/Kimwolf was observed launching the largest publicly disclosed DDoS attack on record, peaking at 31.4 terabits per second (Tbps) and lasting roughly 35 seconds. This event, automatically detected and mitigated by Cloudflare’s network defense systems, underscores the rapidly evolving scale and sophistication of internet-scale attacks.


Botnet Structure and Capability

The AISURU/Kimwolf threat complex represents a hybrid botnet architecture combining traditional IoT-class infected hosts with a specialized Android device component:

  • AISURU is a large, multi-platform DDoS botnet comprising compromised IoT hardware, consumer appliances, and virtual instances.
  • Kimwolf is a variant focused on Android-based devices, particularly off-brand Android TVs, streaming boxes, tablets, and other devices with lax security settings.

Together, this ecosystem is estimated to include 1–4 million infected hosts, with recent intelligence confirming over 2 million Android devices enlisted into proxy and attack operations.

The botnet’s modular nature enables both packet-intensive and bit-intensive DDoS traffic, allowing threat actors to tailor attacks across multiple vectors. Common flood types include HTTP/S floods, UDP floods, and packet-saturation “carpet bombing” techniques that randomize packet attributes to evade legacy mitigation signatures.


Record-Setting DDoS Activity

The November 2025 attack broke all previous throughput records for publicly disclosed DDoS strikes:

  • Peak Throughput: 31.4 Tbps
  • Duration: ~35 seconds
  • Attack Type: HTTP hyper-volumetric flood
  • Mitigation: Fully neutralized by Cloudflare’s automated defenses without reported downstream outages.

This burst was one of many during a period of extreme DDoS activity in late 2025. Cloudflare’s quarterly threat reporting showed:

  • Hyper-volumetric attack growth: 40 % QoQ in Q4 2025.
  • Total DDoS attacks in 2025: ~47.1 million — more than double 2024 levels.
  • Network-layer traffic dominance: 78 % of all mitigated events in Q4 were at the network layer.

In addition to sheer volume, the attacks included sustained campaigns such as the December 19 “Night Before Christmas” sequence, which involved hyper-volumetric flows reaching 205 million requests per second and 9 billion packets per second (Bpps) at their respective peaks.


Propagation via Residential Proxy Networks

A key factor in the botnet’s growth and impact is its use of third-party residential proxy infrastructures to amplify both infection and DDoS capability:

  • Many Android devices were co-opted into the botnet through proxy-centric ecosystems operated by companies such as IPIDEA, which embedded proxy SDKs into apps and marketed the devices as residential exit nodes.
  • Legal and technical disruption by Google and partnering infrastructure providers significantly hindered many of these proxy services used for botnet command, control, and traffic pivoting.

These residential proxies serve two malicious purposes: (1) making attack sources highly distributed and difficult to filter, and (2) obscuring the geographic origin of traffic to frustrate attribution efforts.


Mitigation and Defensive Implications

The intensity and scope of AISURU/Kimwolf attacks have forced defenders to reconsider DDoS preparedness:

  • Automated, cloud-scale mitigation is no longer optional — on-premise appliances and static scrubbing centers are frequently overwhelmed by bursts exceeding multiple Tbps.
  • Multi-vector adaptive defenses that correlate packet, session, and application signals are essential to counter both volumetric saturation and layer-7 floods.
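One way a defender can separate the packet-intensive and bit-intensive traffic described above, and spot the many-destination spread characteristic of carpet bombing, is to aggregate flow records per second and apply both kinds of threshold before looking at destination spread. The Python script below is an added example, not code from Cloudflare or from the page's sources; its thresholds, the protected prefix 203.0.113.0/24 and the flow records are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical per-second thresholds for a small edge; real deployments derive
# them from observed baselines rather than fixed constants.
BPS_THRESHOLD = 10 * 10**9   # 10 Gb/s in one second -> bit-intensive flood
PPS_THRESHOLD = 2 * 10**6    # 2 Mpps in one second -> packet-intensive flood
SPREAD_THRESHOLD = 64        # flagged traffic across this many hosts -> carpet bombing
PROTECTED = ip_network("203.0.113.0/24")  # constructed protected prefix

def summarize(flows):
    """Aggregate records (second, src_ip, dst_ip, packets, bytes) per second."""
    per_sec = defaultdict(lambda: {"bps": 0, "pps": 0, "dsts": set()})
    for sec, src, dst, pkts, nbytes in flows:
        if ip_address(dst) not in PROTECTED:      # only traffic we defend
            continue
        s = per_sec[sec]
        s["bps"] += nbytes * 8
        s["pps"] += pkts
        s["dsts"].add(dst)
    return per_sec

def classify(summary):
    """Label each second; an empty list means nothing crossed a threshold."""
    verdicts = {}
    for sec, s in sorted(summary.items()):
        labels = []
        if s["bps"] >= BPS_THRESHOLD:
            labels.append("bit-intensive")
        if s["pps"] >= PPS_THRESHOLD:
            labels.append("packet-intensive")
        # Spread across many hosts only matters once the volume is abnormal.
        if labels and len(s["dsts"]) >= SPREAD_THRESHOLD:
            labels.append("carpet-bombing")
        verdicts[sec] = labels
    return verdicts

def make_sample_flows():
    """Constructed: quiet second, small-packet spread burst, large-packet spread burst, one concentrated burst."""
    flows = [(0, "198.51.100.1", "203.0.113.10", 1_000, 1_200_000)]
    for i in range(200):
        src, dst = f"198.51.100.{i % 254 + 1}", f"203.0.113.{i + 1}"
        flows.append((1, src, dst, 15_000, 15_000 * 64))     # 64-byte packets
        flows.append((2, src, dst, 5_000, 5_000 * 1_500))    # 1500-byte packets
    flows.append((3, "198.51.100.7", "203.0.113.10", 2_000_000, 2_000_000 * 1_500))
    return flows

if __name__ == "__main__":
    for sec, labels in classify(summarize(make_sample_flows())).items():
        print(sec, labels or "normal")
```

Seconds 1 and 2 show why the two thresholds must be checked independently: the same 200 sources trip the packet-rate limit with small packets and the bit-rate limit with large ones, while the single-destination burst in second 3 crosses both but is not carpet bombing.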

Telecommunications providers, cloud platforms, gaming networks, and generative AI service providers have all been high-value targets, reflecting the financial incentives behind crippling service availability or extracting ransom via disruption.


Outlook

The AISURU/Kimwolf phenomenon marks a new era in botnet-driven disruption — one in which massively parallel device fleets, often hidden within consumer hardware, can be leveraged for short but extraordinarily powerful assaults. The rapid expansion from IoT appliances to mobile and Android ecosystems highlights a broader trend: attackers are exploiting the proliferation of connected devices to build botnets that dwarf even the most notorious predecessors.