The world\u2019s largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T<\/strong>, Comcast<\/strong> and Verizon<\/strong>, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet\u2019s attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.<\/p>\n Since its debut more than a year ago, the Aisuru botnet has steadily outcompeted virtually all other IoT-based botnets in the wild, with recent attacks siphoning Internet bandwidth from an estimated 300,000 compromised hosts worldwide.<\/p>\n The hacked systems that get subsumed into the botnet are mostly consumer-grade routers, security cameras, digital video recorders and other devices operating with insecure and outdated firmware, and\/or factory-default settings. Aisuru\u2019s owners are continuously scanning the Internet for these vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic.<\/p>\n As Aisuru\u2019s size has mushroomed, so has its punch. In May 2025, KrebsOnSecurity was hit with a near-record 6.35 terabits per second (Tbps) attack from Aisuru,<\/a> which was then the largest assault that Google\u2019s DDoS protection service Project Shield<\/strong> had ever mitigated. Days later, Aisuru shattered that record with a data blast in excess of 11 Tbps.<\/p>\n By late September, Aisuru was publicly flexing DDoS capabilities topping 22 Tbps. Then on October 6, its operators heaved a whopping 29.6 terabits of junk data packets each second at a targeted host. Hardly anyone noticed because it appears to have been a brief test or demonstration of Aisuru\u2019s capabilities: The traffic flood lasted less only a few seconds and was pointed at an Internet server that was specifically designed to measure large-scale DDoS attacks.<\/p>\n A measurement of an Oct. 6 DDoS believed to have been launched through multiple botnets operated by the owners of the Aisuru botnet. Image: DDoS Analyzer Community on Telegram.<\/p>\n<\/div>\n Aisuru\u2019s overlords aren\u2019t just showing off. Their botnet is being blamed for a series of increasingly massive and disruptive attacks. Although recent assaults from Aisuru have targeted mostly ISPs that serve online gaming communities like Minecraft<\/strong>, those digital sieges often result in widespread collateral Internet disruption.<\/p>\n For the past several weeks, ISPs hosting some of the Internet\u2019s top gaming destinations have been hit with a relentless volley of gargantuan attacks that experts say are well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today.<\/p>\n Steven Ferguson<\/strong> is principal security engineer at Global Secure Layer<\/strong> (GSL), an ISP in Brisbane, Australia. GSL hosts TCPShield<\/strong>, which offers free or low-cost DDoS protection to more than 50,000 Minecraft servers worldwide. Ferguson told KrebsOnSecurity that on October 8, TCPShield was walloped with a blitz from Aisuru that flooded its network with more than 15 terabits of junk data per second.<\/p>\n Ferguson said that after the attack subsided, TCPShield was told by its upstream provider OVH<\/strong> that they were no longer welcome as a customer.<\/p>\n \u201cThis was causing serious congestion on their Miami external ports for several weeks, shown publicly via their weather map,\u201d he said, explaining that TCPShield is now solely protected by GSL.<\/p>\n Traces from the recent spate of crippling Aisuru attacks on gaming servers<\/a> can be still seen at the website blockgametracker.gg<\/a>, which indexes the uptime and downtime of the top Minecraft hosts. In the following example from a series of data deluges on the evening of September 28, we can see an Aisuru botnet campaign briefly knocked TCPShield offline.<\/p>\n An Aisuru botnet attack on TCPShield (AS64199) on Sept. 28\u00a0 can be seen in the giant downward spike in the middle of this uptime graphic. Image: grafana.blockgametracker.gg.<\/p>\n<\/div>\n Paging through the same uptime graphs for other network operators listed shows almost all of them suffered brief but repeated outages around the same time. Here is the same uptime tracking for Minecraft servers on the network provider Cosmic<\/strong> (AS30456), and it shows multiple large dips that correspond to game server outages caused by Aisuru.<\/p>\n Multiple DDoS attacks from Aisuru can be seen against the Minecraft host Cosmic on Sept. 28. The sharp downward spikes correspond to brief but enormous attacks from Aisuru. Image: grafana.blockgametracker.gg.<\/p>\n<\/div>\n Ferguson said he\u2019s been tracking Aisuru for about three months, and recently he noticed the botnet\u2019s composition shifted heavily toward infected systems at ISPs in the United States. Ferguson shared logs from an attack on October 8 that indexed traffic by the total volume sent through each network provider, and the logs showed that 11 of the top 20 traffic sources were U.S. based ISPs.<\/p>\n AT&T<\/strong> customers were by far the biggest U.S. contributors to that attack, followed by botted systems on Charter Communications<\/strong>, Comcast<\/strong>, T-Mobile<\/strong> and Verizon<\/strong>, Ferguson found. He said the volume of data packets per second coming from infected IoT hosts on these ISPs is often so high that it has started to affect the quality of service that ISPs are able to provide to adjacent (non-botted) customers.<\/p>\n \u201cThe impact extends beyond victim networks,\u201d Ferguson said. \u201cFor instance we have seen 500 gigabits of traffic via Comcast\u2019s network alone. This amount of egress leaving their network, especially being so US-East concentrated, will result in congestion towards other services or content trying to be reached while an attack is ongoing.\u201d<\/p>\n Roland Dobbins<\/strong> is principal engineer at Netscout<\/strong>. Dobbins said Ferguson is spot on, noting that while most ISPs have effective mitigations in place to handle large incoming DDoS attacks, many are far less prepared to manage the inevitable service degradation caused by large numbers of their customers suddenly using some or all available bandwidth to attack others.<\/p>\n \u201cThe outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff,\u201d Dobbin said.<\/span> \u201cWe\u2019re now in a situation where ISPs are routinely seeing terabit-per-second plus outbound attacks from their networks that can cause operational problems.\u201d<\/p>\n \u201cThe crying need for effective and universal outbound DDoS attack suppression is something that is really being highlighted by these recent attacks,\u201d Dobbins continued. \u201cA lot of network operators are learning that lesson now, and there\u2019s going to be a period ahead where there\u2019s some scrambling and potential disruption going on.\u201d<\/p>\n KrebsOnSecurity sought comment from the ISPs named in Ferguson\u2019s report. Charter Communications pointed to a recent blog post on protecting its network<\/a>, stating that Charter actively monitors for both inbound and outbound attacks, and that it takes proactive action wherever possible.<\/p>\n \u201cIn addition to our own extensive network security, we also aim to reduce the risk of customer connected devices contributing to attacks through our Advanced WiFi solution that includes Security Shield, and we make Security Suite available to our Internet customers,\u201d Charter wrote in an emailed response to questions. \u201cWith the ever-growing number of devices connecting to networks, we encourage customers to purchase trusted devices with secure development and manufacturing practices, use anti-virus and security tools on their connected devices, and regularly download security patches.\u201d<\/p>\n A spokesperson for Comcast responded, \u201cCurrently our network is not experiencing impacts and we are able to handle the traffic.\u201d<\/span><\/p>\n Aisuru is built on the bones of malicious code that was leaked in 2016<\/a>\u00a0by the original creators of the Mirai<\/strong> IoT botnet<\/a>. Like Aisuru, Mirai quickly outcompeted all other DDoS botnets in its heyday, and obliterated previous DDoS attack records with a 620 gigabit-per-second siege that sidelined this website for nearly four days in 2016<\/a>.<\/p>\n The Mirai botmasters likewise used their crime machine to attack mostly Minecraft servers, but with the goal of forcing Minecraft server owners to purchase a DDoS protection service that they controlled. In addition, they rented out slices of the Mirai botnet to paying customers, some of whom used it to mask the sources of other types of cybercrime, such as click fraud.<\/p>\n A depiction of the outages caused by the Mirai botnet attacks against the internet infrastructure firm Dyn on October 21, 2016. Source: Downdetector.com.<\/p>\n<\/div>\n Dobbins said Aisuru\u2019s owners also appear to be renting out their botnet as a distributed proxy network that cybercriminal customers anywhere in the world can use to anonymize their malicious traffic and make it appear to be coming from regular residential users in the U.S.<\/p>\n \u201cThe people who operate this botnet are also selling (it as) residential proxies,\u201d he said. \u201cAnd that\u2019s being used to reflect application layer attacks through the proxies on the bots as well.\u201d<\/p>\n The Aisuru botnet harkens back to its predecessor Mirai in another intriguing way. One of its owners is using the Telegram handle \u201c9gigsofram<\/strong>,\u201d which corresponds to the nickname used by the co-owner of a Minecraft server protection service called Proxypipe<\/strong> that was heavily targeted in 2016 by the original Mirai botmasters<\/a>.<\/p>\n Robert Coelho<\/strong> co-ran Proxypipe back then along with his business partner Erik \u201c9gigsofram\u201d Buckingham<\/strong>, and has spent the past nine years fine-tuning various DDoS mitigation companies that cater to Minecraft server operators and other gaming enthusiasts. Coelho said he has no idea why one of Aisuru\u2019s botmasters chose Buckingham\u2019s nickname, but added that it might say something about how long this person has been involved in the DDoS-for-hire industry.<\/p>\n \u201cThe Aisuru attacks on the gaming networks these past seven day have been absolutely huge, and you can see tons of providers going down multiple times a day,\u201d Coelho said.<\/p>\n Coelho said the 15 Tbps attack this week against TCPShield was likely only a portion of the total attack volume hurled by Aisuru at the time, because much of it would have been shoved through networks that simply couldn\u2019t process that volume of traffic all at once. Such outsized attacks, he said, are becoming increasingly difficult and expensive to mitigate.<\/p>\n \u201cIt\u2019s definitely at the point now where you need to be spending at least a million dollars a month just to have the network capacity to be able to deal with these attacks,\u201d he said.<\/p>\n Aisuru has long been rumored to use multiple zero-day vulnerabilities in IoT devices to aid its rapid growth over the past year. XLab<\/strong>, the Chinese security company that was the first to profile Aisuru\u2019s rise in 2024<\/a>, warned last month that one of the Aisuru botmasters had compromised the firmware distribution website for Totolink<\/strong>, a maker of low-cost routers and other networking gear.<\/p>\n \u201cMultiple sources indicate the group allegedly compromised a router firmware update server in April and distributed malicious scripts to expand the botnet,\u201d XLab wrote<\/a> on September 15. \u201cThe node count is currently reported to be around 300,000.\u201d<\/p>\n A malicious script implanted into a Totolink update server in April 2025. Image: XLab.<\/p>\n<\/div>\n Aisuru\u2019s operators received an unexpected boost to their crime machine in August when the U.S. Department Justice<\/strong>\u00a0charged the alleged proprietor of Rapper Bot<\/strong><\/a>, a DDoS-for-hire botnet that competed directly with Aisuru for control over the global pool of vulnerable IoT systems.<\/p>\n Once Rapper Bot was dismantled, Aisuru\u2019s curators moved quickly to commandeer vulnerable IoT devices that were suddenly set adrift by the government\u2019s takedown, Dobbins said.<\/p>\n \u201cFolks were arrested and Rapper Bot control servers were seized and that\u2019s great, but unfortunately the botnet\u2019s attack assets were then pieced out by the remaining botnets,\u201d he said. \u201cThe problem is, even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in.\u201d<\/p>\n A screenshot shared by XLabs showing the Aisuru botmasters recently celebrating a record-breaking 7.7 Tbps DDoS. The user at the top has adopted the name \u201cEthan J. Foltz\u201d in a mocking tribute to the alleged Rapper Bot operator who was arrested and charged in August 2025.<\/p>\n<\/div>\n XLab\u2019s September blog post<\/a> cited multiple unnamed sources saying Aisuru is operated by three cybercriminals: \u201cSnow,\u201d who\u2019s responsible for botnet development; \u201cTom,\u201d tasked with finding new vulnerabilities; and \u201cForky<\/strong>,\u201d responsible for botnet sales.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/29-69t.png?resize=743%2C93&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/tcpshield-aisuru.png?resize=750%2C457&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/cosmic-aisuru.png?resize=747%2C463&ssl=1\")
<\/a><\/p>\nBOTNETS R US<\/h2>\n
9 YEARS OF MIRAI<\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2016\/10\/l3outage-580x330.png?resize=733%2C417&ssl=1\")
<\/p>\nRAPID SPREAD<\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/xlab-totoscript.png?resize=706%2C190&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/xlabs-aisuru.png?resize=738%2C810&ssl=1\")
<\/p>\nBOTMASTERS AT LARGE<\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/05\/forky.png?resize=750%2C500&ssl=1\")
<\/p>\n