The 30-Terabit Siege: How AI-Driven Botnets and “ZombieAgents” Shattered Cyber Records in 2025
The latest Radware Global Threat Analysis Report characterizes the year 2025 as a pivotal epoch for cyber warfare. According to the firm’s findings, adversaries have concurrently amplified the magnitude of network-layer DDoS offensives while intensifying the pressure exerted upon web applications and APIs; meanwhile, automation catalyzed by generative AI has significantly lowered the threshold for entry.
Radware documents the resurgence of gargantuan network-layer DDoS attacks, highlighted by a record-shattering 29.7 Tbps event attributed to the Aisuru botnet. The dossier also identifies the Kimwolf collective and the proliferation of the “DDoS-for-hire” market, which has rendered multi-terabit assaults accessible to even the most rudimentary actors. On average, during the latter half of 2025, a single Radware client weathered upwards of 25,351 DDoS incursions—approximately 139 daily—representing a year-over-year surge of 168.2%. Regarding network vectors, UDP floods accounted for half of the mitigated volume, with North America emerging as the primary target, absorbing 63.1% of the global onslaught.
Concurrently, there has been an escalation in “volatile” incidents. The report indicates that the majority of record-breaking assaults persisted for less than sixty seconds, effectively rendering manual response protocols obsolete. In contrast, “standard” offensives ranging between 100 and 500 Gbps typically endured for approximately ten hours, while multi-terabit events spanned roughly 35 minutes.
Radware posits that the most debilitating strikes are increasingly concentrated at the application layer. The Cloud Application Protection service recorded a 128% increase in deleterious transactions compared to 2024, with vulnerability exploitation attempts constituting the largest share at 41.8%.
A notable surge in such offensives occurred in the fourth quarter, which the authors correlate with the rapid “weaponization” of nascent CVEs, including React2Shell (CVE-2025-55182). Malicious bot activity escalated by 91.8% throughout the year, with North America serving as the epicenter for web application and API assaults, hosting 73.7% of such transactions.
A dedicated section of the report addresses the complexities of identifying AI agents. Radware notes that platforms must permit automated POST requests for “beneficial” agents, thereby providing a conduit for identity spoofing. The company advocates for more resilient methodologies involving cryptographic signatures or the validation of DNS and IP ranges, while cautioning against reliance on easily forged User-Agent strings. Within this context, scenarios involving “zero-click” data exfiltration and indirect prompt injections—such as ShadowLeak and ZombieAgent—are described, where compromise can achieve persistence through an agent’s long-term memory.
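The verification approach described above, as an added example that is not taken from the report or from Radware: a request that claims an agent identity in its User-Agent is accepted only if its source address lies in the operator's published range or passes forward-confirmed reverse DNS. The agent name, IP ranges (RFC 5737 documentation space), hostnames and DNS tables are constructed placeholders, and the helper names are hypothetical.

```python
import ipaddress
import socket

# Constructed registry: agent token -> (published CIDRs, allowed rDNS suffixes).
# All names, ranges (RFC 5737 documentation space) and domains are placeholders.
AGENTS = {"ExampleAgent": (["192.0.2.0/24"], (".agent.example.com",))}

def dns_ptr(ip):
    """Reverse lookup; returns a hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def dns_fwd(host):
    """Forward lookup; returns the set of addresses the name resolves to."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def verify_agent(user_agent, src_ip, ptr=dns_ptr, fwd=dns_fwd):
    """Return 'verified', 'spoofed' or 'unclaimed' for one request."""
    ua = user_agent.lower()
    name = next((n for n in AGENTS if n.lower() in ua), None)
    if name is None:
        return "unclaimed"          # no agent identity asserted
    cidrs, suffixes = AGENTS[name]
    ip = ipaddress.ip_address(src_ip)
    # Check 1: source address falls inside a range the operator publishes.
    if any(ip in ipaddress.ip_network(c) for c in cidrs):
        return "verified"
    # Check 2: forward-confirmed reverse DNS. The PTR name must sit under an
    # allowed suffix AND resolve back to the same address; a PTR alone is
    # controlled by whoever owns the IP block.
    host = (ptr(src_ip) or "").rstrip(".").lower()
    if host.endswith(suffixes) and ip in {ipaddress.ip_address(a) for a in fwd(host)}:
        return "verified"
    return "spoofed"                # claims the agent, fails both checks

# Constructed DNS data so the example runs offline.
PTR = {"198.51.100.7": "crawl-7.agent.example.com",
       "203.0.113.9": "crawl-9.agent.example.com"}    # forged PTR record
A = {"crawl-7.agent.example.com": {"198.51.100.7"},
     "crawl-9.agent.example.com": {"198.51.100.9"}}   # forward lookup disagrees

def check(user_agent, src_ip):
    return verify_agent(user_agent, src_ip, PTR.get, lambda h: A.get(h, set()))
```

Calling `verify_agent` without the last two arguments uses live DNS; a "spoofed" result is a candidate for blocking or for the stricter handling applied to unidentified automation.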
Against a backdrop of geopolitical upheaval, the tide of hacktivism remains relentless. Radware estimated approximately 16,000 unique DDoS claims on Telegram throughout 2025, identifying NoName057(16) as the most prolific syndicate with 4,692 proclamations. Other frequently mentioned actors include Keymous+, Hezi Rash, Mr Hamza, Anonymous VNLBN, and RipperSec, with Israel, the United States, and Ukraine emerging as the most beleaguered nations.