The AISURU botnet, also known as Kimwolf, has been identified as the source of an unprecedented distributed denial-of-service (DDoS) attack. This cyber onslaught reached a peak of 31.4 terabits per second (Tbps) and persisted for 35 seconds. The attack, which occurred in November 2025, was quickly detected and neutralized by Cloudflare, underscoring a rising trend in hyper-volumetric HTTP DDoS attacks during the fourth quarter of the year.
Attack Details and Impact
In addition to the November assault, AISURU/Kimwolf was also associated with another DDoS initiative, named ‘The Night Before Christmas’, which began on December 19, 2025. During this campaign, the average attack size was 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps), with peak figures hitting 9 Bpps, 24 Tbps, and 205 Mrps. Omer Yoachimik and Jorge Pacheco from Cloudflare reported a 121% surge in DDoS attacks in 2025, with an average of 5,376 incidents mitigated hourly, resulting in a total of 47.1 million attacks throughout the year.
Trends in DDoS Activity
Network-layer DDoS attacks saw a dramatic increase, with Cloudflare mitigating 34.4 million such attacks in 2025, up from 11.4 million in 2024. The fourth quarter of 2025 alone accounted for 78% of all DDoS attacks that year. A staggering 31% rise in DDoS incidents was noted compared to the previous quarter, and a 58% increase from 2024. Hyper-volumetric attacks, in particular, rose by 40% in Q4 2025, reaching 1,824 cases, a significant jump from 1,304 in the previous quarter.
Botnet Mechanics and Global Implications
The AISURU/Kimwolf botnet has compromised over 2 million Android devices, primarily off-brand Android TVs, by exploiting residential proxy networks like IPIDEA. In recent developments, Google has disrupted these proxy networks and initiated legal proceedings against several domains used to control compromised devices. Collaborative efforts with Cloudflare have further impacted IPIDEA’s operational capabilities. The botnet has utilized approximately 600 trojanized Android applications, along with over 3,000 Windows binaries disguised as legitimate software, to covertly transform devices into proxy nodes.
Telecommunications and service providers were the most targeted sectors, followed closely by information technology, gambling, gaming, and software industries. Countries such as China, Hong Kong, and Germany were among the most frequently attacked. Meanwhile, Bangladesh emerged as the leading source of DDoS attacks, surpassing Indonesia, with other notable sources including Ecuador, Argentina, and Vietnam.
Cloudflare emphasized the increasing sophistication and scale of DDoS threats, which now surpass previous expectations. The evolving threat landscape presents significant challenges for organizations, highlighting the need to reconsider existing defense strategies, particularly for those relying on traditional on-premise solutions or on-demand scrubbing centers.
