AISURU/Kimwolf Botnet

The distributed denial-of-service (DDoS) botnet tracked as AISURU/Kimwolf has been linked to an unprecedented attack that peaked at 31.4 terabits per second (Tbps). Despite its extreme intensity, the assault was brief, lasting only 35 seconds. The incident occurred in November 2025 and now stands as the largest DDoS attack ever observed.

Rise of Hyper-Volumetric HTTP Attacks

Security researchers have identified this event as part of a broader surge in hyper-volumetric HTTP DDoS activity driven by AISURU/Kimwolf during the fourth quarter of 2025. These attacks represent a growing trend toward short-duration but extraordinarily high-throughput assaults designed to overwhelm modern internet infrastructure before traditional defenses can fully react.

'The Night Before Christmas' Campaign

AISURU/Kimwolf has also been connected to a subsequent large-scale operation known as The Night Before Christmas, which began on December 19, 2025. During this campaign, hyper-volumetric attacks averaged 3 billion packets per second (Bpps), 4 Tbps of bandwidth, and 54 million requests per second (Mrps). Peak levels reached as high as 9 Bpps, 24 Tbps, and 205 Mrps, underscoring the botnet's ability to generate sustained and extreme traffic volumes.

Explosive Growth of DDoS Activity in 2025

DDoS activity accelerated dramatically throughout 2025, increasing by 121% year over year. On average, 5,376 attacks were automatically mitigated every hour. The total annual volume more than doubled, reaching approximately 47.1 million attacks. Network-layer attacks accounted for a substantial portion of this growth, with 34.4 million mitigated in 2025 compared to 11.4 million in 2024. In the fourth quarter alone, network-layer attacks represented 78% of all DDoS incidents, reflecting a 31% increase over the previous quarter and a 58% rise compared to 2024.

Escalation in Scale and Frequency

The final quarter of 2025 saw a 40% increase in hyper-volumetric attacks compared to the prior quarter, climbing from 1,304 to 1,824 incidents. Earlier in the year, only 717 such attacks were recorded in the first quarter. Beyond sheer frequency, attack magnitude also expanded significantly, with sizes growing more than 700% compared to large-scale attacks observed in late 2024.

Botnet Expansion Through Compromised Devices

AISURU/Kimwolf is assessed to control a botnet of more than two million Android devices. The majority are compromised, off-brand Android televisions that have been covertly enrolled and routed through residential proxy networks such as IPIDEA. These proxy services have been leveraged to obscure attack origins and amplify traffic.

Disruption of Proxy Infrastructure and Legal Action

In response to these activities, experts recently disrupted the IPIDEA residential proxy network and initiated legal measures to dismantle dozens of domains used for command-and-control operations and traffic proxying. The takedown also interfered with IPIDEA's domain resolution capabilities, significantly degrading its ability to manage infected devices and commercialize its proxy services. Numerous accounts and domains were suspended after being identified as facilitating malware distribution and illicit access to residential proxy networks.

Malware Distribution and Covert Proxy Enrollment

Investigations indicate that IPIDEA enrolled devices through at least 600 trojanized Android applications embedding proxy software development kits, as well as more than 3,000 trojanized Windows binaries disguised as OneDrive synchronization tools or Windows updates. In addition, the Beijing-based operation advertised VPN and proxy applications that silently converted users' Android devices into proxy exit nodes without user awareness or consent. Operators have also been linked to at least a dozen residential proxy services that presented themselves as legitimate offerings while ultimately feeding into a centralized IPIDEA-controlled infrastructure.

Key DDoS Trends Observed in Q4 2025

Targeted sectors, affected regions, and attack origins: Telecommunications providers and carriers were the most targeted organizations, followed by information technology, gambling, gaming, and computer software sectors. The most attacked countries included China, Hong Kong, Germany, Brazil, the United States, the United Kingdom, Vietnam, Azerbaijan, India, and Singapore. Bangladesh emerged as the largest source of DDoS traffic, surpassing Indonesia, with other prominent sources including Ecuador, Argentina, Hong Kong, Ukraine, Taiwan, Singapore, and Peru.

Implications for Defensive Strategies

DDoS attacks are rapidly increasing in both sophistication and scale, far exceeding previously anticipated limits. This evolving threat landscape poses serious challenges for organizations attempting to keep pace using traditional defenses. Enterprises that continue to rely primarily on on-premises mitigation appliances or on-demand scrubbing centers may need to reassess their DDoS protection strategies to address the realities of hyper-volumetric, short-duration attacks.
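To make the point about short-duration bursts concrete, the following added example (not code from the report or any vendor) groups per-second edge telemetry into bursts and checks whether an on-demand mitigation with a given activation delay would have engaged before a burst ended. The thresholds, the activation delays and the telemetry samples are constructed assumptions; only the peak figures (31.4 Tbps, 35 s, 3 Bpps, 54 Mrps) are taken from the text above.

```python
"""Burst detector over per-second edge telemetry (bits/s, packets/s, requests/s).
Added example: the samples below are constructed, not data from the report,
and the thresholds and delays are assumptions, not figures from the page."""
from dataclasses import dataclass

TBPS, BPPS, MRPS = 1e12, 1e9, 1e6
# Assumed hyper-volumetric thresholds; exceeding any one dimension qualifies.
THRESH = {"bps": 1 * TBPS, "pps": 1 * BPPS, "rps": 10 * MRPS}

@dataclass
class Burst:
    start: int                 # first over-threshold second
    end: int                   # last over-threshold second (inclusive)
    peak_tbps: float = 0.0
    peak_bpps: float = 0.0
    peak_mrps: float = 0.0

    @property
    def duration(self) -> int:
        return self.end - self.start + 1

def find_bursts(samples):
    """Group consecutive over-threshold seconds into Burst records."""
    bursts, cur = [], None
    for t, (bps, pps, rps) in enumerate(samples):
        if bps >= THRESH["bps"] or pps >= THRESH["pps"] or rps >= THRESH["rps"]:
            cur = cur or Burst(t, t)
            cur.end = t
            cur.peak_tbps = max(cur.peak_tbps, bps / TBPS)
            cur.peak_bpps = max(cur.peak_bpps, pps / BPPS)
            cur.peak_mrps = max(cur.peak_mrps, rps / MRPS)
        elif cur:
            bursts.append(cur)
            cur = None
    if cur:
        bursts.append(cur)
    return bursts

def mitigation_engaged_in_time(burst, activation_delay_s):
    """True if an on-demand defence with the given activation delay (assumed,
    e.g. time to divert traffic to a scrubbing centre) is up before the burst ends."""
    return activation_delay_s < burst.duration

def constructed_telemetry():
    """10 s baseline, a 35 s burst peaking at 31.4 Tbps / 3 Bpps / 54 Mrps, 10 s baseline."""
    base = [(50e9, 20e6, 0.5e6)] * 10
    burst = [(31.4e12 if 10 <= i < 25 else 8e12, 3e9, 54e6) for i in range(35)]
    return base + burst + base
```

Run against `constructed_telemetry()`, the detector reports a single 35-second burst; with an assumed two-minute activation delay `mitigation_engaged_in_time` returns False, which is the failure mode of on-demand scrubbing that the paragraph above describes.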
