Aisuru Botnet Unleashes Record 29.6 Tbps DDoS Attack, Abusing 100,000+ US ISP Devices
The notorious Aisuru botnet continues to grow in destructive power — it now commands over 300,000 infected IoT devices, the majority of which are located within networks operated by major U.S. providers such as AT&T, Comcast, T-Mobile, and Verizon.
According to security researchers, the botnet’s heavy concentration within these networks not only complicates mitigation efforts, but also degrades connection quality for ordinary users. Its most recent display of force occurred on October 6, when a brief surge of junk traffic peaked at an unprecedented 29.6 Tbps, surpassing all previous DDoS records.
Emerging just over a year ago, Aisuru has already displaced nearly all rival IoT botnets. Its operators continue to compromise devices such as home routers, security cameras, and DVRs, exploiting firmware vulnerabilities and default security settings to seize control.
In May 2025, Aisuru launched a 6.35 Tbps assault on the KrebsOnSecurity blog — the largest ever recorded by Google’s Project Shield. Within days, its attack capacity rose to 11 Tbps, and by September, it reached 22 Tbps. The October 6 peak attack, lasting only a few seconds, appeared to be a test, targeting a server designed to measure DDoS surges.
Despite the brevity of each incident, Aisuru’s activity has severely affected thousands of gamers. According to Stephen Ferguson, an engineer at Australian provider GSL, which protects over 50,000 Minecraft servers, Aisuru unleashed more than 15 Tbps against their infrastructure on October 8. The assault overwhelmed OVH’s external ports in Miami, forcing the partner to withdraw from cooperation — leaving GSL as the sole defense provider for TCPShield.
Data from uptime trackers such as BlockGameTracker.gg shows that on September 28, numerous Minecraft hosts, including Cosmic, suffered mass outages linked to Aisuru’s attacks.
Ferguson also observed a growing reliance on U.S.-based network infrastructure. Logs from the October 8 assault reveal that 11 of the 20 largest traffic sources originated from American ISPs, led by AT&T, followed by Charter, Comcast, T-Mobile, and Verizon. Comcast alone contributed over 500 Gbps of botnet traffic, causing noticeable disruptions across interconnected services.
According to Netscout, modern DDoS defense systems are primarily designed to filter inbound traffic, yet the Aisuru case demonstrates that ISPs must now also manage outbound malicious flows generated by infected customer devices.
Charter Communications emphasized that it continuously monitors both inbound and outbound traffic, urging customers to use secure devices, install antivirus software, and keep firmware up to date. A Comcast representative confirmed that the company is managing the load effectively and has not observed service disruptions.
Aisuru is built on the malware source code of its predecessor Mirai, which was leaked in 2016. Mirai's operators once targeted Minecraft servers to sell DDoS protection and later rented out its capacity for operations like click-fraud obfuscation. Aisuru employs similar tactics: according to Netscout, its operators now market the botnet not only as a DDoS-for-hire service, but also as a proxy network, allowing cybercriminals to disguise malicious activity as legitimate residential traffic.
Of particular note is the pseudonym of one Aisuru administrator, “9gigsofram,” previously linked to Proxypipe, a DDoS protection service attacked by Mirai in 2016. That project was developed by Robert Coelho and Eric “9gigsofram” Buckingham, both of whom remain active in the cybersecurity field.
Coelho stated he has no knowledge of why current Aisuru operators revived the old alias, but described the recent attacks as “monstrous”, occurring multiple times daily across the globe. He noted that defending against such onslaughts now requires at least one million dollars per month solely for maintaining adequate network capacity.
Aisuru’s rapid expansion is also tied to its exploitation of zero-day vulnerabilities. In September, the Chinese firm XLab, which first documented Aisuru in 2024, reported that attackers had compromised the Totolink firmware distribution site, implanting malicious scripts to spread infected updates automatically. At that stage, the botnet had already amassed 300,000 active nodes.
Aisuru gained further momentum in August 2025, following the U.S. Department of Justice’s arrest of the operator behind the RapperBot network. With its rival dismantled, Aisuru swiftly absorbed the abandoned infrastructure and commandeered numerous previously hijacked IoT devices.
Like Mirai, Aisuru has its own key figures. According to XLab, the botnet is managed by three individuals: “Snow”, responsible for development; “Tom”, tasked with vulnerability discovery; and “Forky”, who oversees commercial operations. Forky also runs Botshield, a DDoS protection service, and has previously spoken with KrebsOnSecurity, claiming to be involved only in development and sales, not in actual attacks. However, his refusal to identify other operators and abrupt termination of conversations when pressed on accountability only deepen suspicions of his direct involvement in Aisuru’s devastating wave of global assaults.