Microsoft said the Aisuru botnet struck its Azure network with a distributed denial-of-service attack that peaked at 15.72 terabits per second and was launched from more than 500,000 IP addresses. The attack targeted a specific public IP address in Australia and used high-rate UDP floods that reached nearly 3.64 billion packets per second.
Azure Security senior product marketing manager Sean Whalen described Aisuru as a Turbo Mirai-class IoT botnet that exploits compromised home routers and cameras, primarily in residential ISPs in the United States and other countries, and noted the attack featured minimal source spoofing and random source ports that simplified traceback and provider enforcement.
Security firms have recently linked the same botnet to other record-setting floods. Cloudflare previously reported mitigating an attack that reached 22.2 Tbps and 10.6 billion packets per second, an event that lasted about 40 seconds and was described as roughly equivalent to streaming one million 4K videos simultaneously.
One week earlier, the XLab research division of Qi’anxin attributed an 11.5 Tbps DDoS attack to the Aisuru botnet, saying it was controlling roughly 300,000 bots at that time.
Researchers say the botnet exploits vulnerabilities in IP cameras, DVRs/NVRs and Realtek chips and has targeted routers from vendors including T-Mobile, Zyxel, D-Link and Linksys. XLab analysts also reported the botnet abruptly grew in April 2025 after operators breached a TotoLink router firmware update server and infected about 100,000 devices.
Infosec journalist Brian Krebs reported that Cloudflare removed multiple domains linked to the botnet from its public Top Domains rankings after malicious query traffic began overtaking legitimate sites. Cloudflare said operators were flooding its DNS service to boost their domains’ apparent popularity, and the company now redacts or hides suspected malicious domains to protect ranking integrity.