Aisuru Botnet Takes Over US IoT Devices, Wreaking Havoc on Gaming Servers

The world’s largest and most disruptive botnet, Aisuru, has shifted its focus from compromised Internet-of-Things (IoT) devices around the world to devices in the US, with a majority of its firepower now coming from infected devices hosted on major internet providers such as AT&T, Comcast, and Verizon. This change in strategy is making it increasingly difficult for ISPs to limit collateral damage from Aisuru’s attacks.

Aisuru, which has been steadily outcompeting other IoT-based botnets since its debut more than a year ago, recently shattered previous records with a brief traffic flood of nearly 30 trillion bits of data per second. The botnet’s attacks are causing widespread disruptions to gaming servers and ISPs, with many networks experiencing brief but repeated outages.

The Aisuru botnet is built on the bones of malicious code leaked in 2016 by the original creators of the Mirai IoT botnet. It has a similar composition to Mirai, using compromised consumer-grade routers, security cameras, digital video recorders, and other devices with insecure and outdated firmware and/or factory-default settings.

The Aisuru botmasters are continuously scanning the internet for vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic. As Aisuru’s size has grown, so have its capabilities, with recent attacks reaching up to 29.6 terabits per second.

Experts warn that the heavy concentration of infected devices at US providers is complicating efforts to limit collateral damage from Aisuru’s attacks. Steven Ferguson, principal security engineer at Global Secure Layer (GSL), an ISP in Brisbane, Australia, said: “The impact extends beyond victim networks… For instance, we have seen 500 gigabits of traffic via Comcast’s network alone.”

Roland Dobbins, principal engineer at Netscout, added that many ISPs are far less prepared to manage the service degradation caused by large numbers of customers suddenly using all available bandwidth to attack others. “The outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff,” he said.

As Aisuru continues to wreak havoc on gaming servers and ISPs, experts stress the need for effective and universal outbound DDoS attack suppression. Meanwhile, researchers suspect that Aisuru’s operators are renting out their botnet as a distributed proxy network, allowing cybercriminals anywhere in the world to anonymize their malicious traffic.

The FBI has seized Forky, one of Aisuru’s alleged operators, but it remains unclear who is behind the botnet. Experts believe that the DDoS-for-hire market will continue to be a significant threat, with cheap Chinese hardware being a key factor in its success.

Source: https://krebsonsecurity.com/2025/10/ddos-botnet-aisuru-blankets-us-isps-in-record-ddos