Microsoft Azure Blocks Largest Cloud DDoS Attack Ever: 15.72 Tbps Onslaught by AISURU Botnet
Microsoft has reported the largest cloud-targeted DDoS attack ever recorded, detected on one of its nodes in Australia. The company’s infrastructure automatically identified and neutralized an onslaught reaching 15.72 Tbps and nearly 3.64 billion packets per second—a level of pressure never before observed in cloud environments and yet another sign of the escalating power of botnets composed of everyday consumer devices.
According to Microsoft, the attack originated from AISURU, an IoT botnet built on principles similar to the TurboMirai family. Waves of UDP packets were launched from more than 500,000 distributed addresses across multiple regions. The use of randomized ports simplified route tracing and enabled service providers to swiftly block the malicious traffic. The intended target of the attack has not been disclosed.
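The traffic profile described above (UDP, hundreds of thousands of distinct sources, randomized source ports, and source addresses usable for traceback) can be recognised from flow summaries. The following is an added example, not code from Microsoft or from the report; the flow records are constructed sample data and the thresholds are assumptions a defender would tune to their own baseline.

```python
"""Flag a distributed UDP flood from flow-summary records: many distinct
sources per target, high packet volume and near-random source ports.
Flow records below are constructed for the example, not real telemetry."""
from collections import defaultdict
import math
import random

random.seed(1)
FLOWS = []
# Constructed flood: 400 distinct sources (two /24s) hitting one target
# on random source ports, mirroring the pattern described above.
for i in range(400):
    src = f"203.0.113.{i}" if i < 250 else f"198.51.100.{i - 250}"
    FLOWS.append({"src": src, "sport": random.randint(1024, 65535),
                  "dst": "192.0.2.10", "dport": 443, "proto": "udp", "pkts": 5000})
# Constructed benign traffic: one DNS client using a fixed source port.
for _ in range(20):
    FLOWS.append({"src": "192.0.2.50", "sport": 40001, "dst": "192.0.2.11",
                  "dport": 53, "proto": "udp", "pkts": 10})

def port_entropy(ports):
    """Shannon entropy (bits) of the source-port distribution; random
    ports give a high value, a fixed port gives 0."""
    counts = defaultdict(int)
    for p in ports:
        counts[p] += 1
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def detect_udp_flood(flows, min_sources=100, min_pkts=100_000, min_entropy=6.0):
    """Aggregate UDP flows per destination and flag destinations where
    source diversity, volume and port randomness all exceed thresholds.
    Returns {dst: summary}; summary includes the busiest /24 prefixes,
    which are meaningful for upstream traceback only because the
    sources are not spoofed (the assumption this detector relies on)."""
    by_dst = defaultdict(lambda: {"srcs": set(), "sports": [], "pkts": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        b = by_dst[f["dst"]]
        b["srcs"].add(f["src"])
        b["sports"].append(f["sport"])
        b["pkts"] += f["pkts"]
    alerts = {}
    for dst, b in by_dst.items():
        ent = port_entropy(b["sports"])
        if len(b["srcs"]) >= min_sources and b["pkts"] >= min_pkts and ent >= min_entropy:
            prefixes = defaultdict(int)
            for s in b["srcs"]:
                prefixes[".".join(s.split(".")[:3]) + ".0/24"] += 1
            alerts[dst] = {"sources": len(b["srcs"]), "pkts": b["pkts"],
                           "port_entropy": round(ent, 2),
                           "top_prefixes": sorted(prefixes.items(), key=lambda kv: -kv[1])[:3]}
    return alerts
```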
Researchers at QiAnXin XLab estimate that AISURU comprises roughly 300,000 compromised devices, including home routers, surveillance cameras, and DVRs. NETSCOUT reports that the botnet’s operators limit their clientele and avoid attacks on government and law-enforcement structures. Most observed incidents have been directed at gaming services.
Propagation of such networks often comes with additional capabilities. Beyond exceptionally powerful DDoS attacks, AISURU is used for credential brute-forcing, automated content harvesting via AI algorithms, and the distribution of spam and phishing messages. The botnet even includes a residential proxy service designed to bypass network blocks.
Microsoft notes that the scale of these operations grows in lockstep with global infrastructure: increased network bandwidth and rising performance of consumer electronics continually expand the arsenal available to attackers.
Against this backdrop, NETSCOUT has described another TurboMirai-based botnet known as Eleven11, also referred to as RapperBot. Their findings indicate that between late February and August 2025, it executed thousands of attacks using compromised IoT devices controlled by threat actors.
During that same period, authorities announced arrests of individuals involved and the dismantling of portions of the infrastructure. Several command-and-control servers were registered in the libre domain zone, which relies on an alternative DNS root and has previously appeared in connection with botnets such as CatDDoS and Fodcha. Despite the shutdown of Eleven11, the compromised equipment remains susceptible to renewed exploitation.