Microsoft Azure Defends Against 15.72 Tbps Aisuru Botnet DDoS Attack

On October 24, 2025, Microsoft Azure absorbed the largest Distributed Denial-of-Service (DDoS) attack recorded against cloud infrastructure to date. The attack peaked at 15.72 terabits per second (Tbps) and 3.64 billion packets per second (pps), and was aimed at a single endpoint located in Australia.

Microsoft reported that its Azure global protection system detected and mitigated the attack, and that customer-facing services remained operational throughout.

The Growing Aisuru Threat

The attack has been attributed to the Aisuru botnet, which security analysts at Netscout classify as a “Turbo Mirai-class” threat capable of launching multi-terabit-per-second DDoS attacks. First identified in August 2024, Aisuru has since compromised at least 700,000 Internet of Things (IoT) devices such as home routers and security cameras. Beyond the Azure incident, it has been linked to a 22.2 Tbps attack mitigated by Cloudflare in September 2025 and to a 6.3 Tbps attack in May against KrebsOnSecurity, the blog of cybersecurity journalist Brian Krebs. Attacks of this intensity were essentially unheard of until recently.

Aisuru has also hit US-based Internet Service Providers (ISPs) such as AT&T, Comcast, and Verizon hard. Attack traffic originating from compromised subscriber devices has produced outbound surges exceeding 1.5 Tbps, degrading service for many customers and, in some instances, causing physical failures in network hardware.

Interestingly, Netscout indicates that Aisuru’s operators adhere to a self-imposed code of conduct, refraining from targeting governmental, military, and law enforcement organizations. This restraint appears to be a tactical decision aimed at maintaining operational anonymity and sustaining the botnet’s criminal utility.

The Botnet’s Lucrative New Business

The cybercriminals behind Aisuru have moved beyond simply selling DDoS-for-hire services, which previously included attacks on gaming servers such as Minecraft hosts. Their malware has been extended to support a more sustainable income model: renting out compromised devices as ‘residential proxies.’ These proxies let illicit users hide their activity by routing connections through ordinary residential internet connections, which makes detection and blocking significantly harder.

This operation now fuels extensive data harvesting aimed at artificial intelligence projects and content scraping endeavors. The situation has escalated to such an extent that social media platform Reddit has initiated legal action against proxy providers, alleging their roles in facilitating mass user data scraping. The proliferation of other botnets, like BADBOX 2.0, further compounds this growing cybersecurity concern.

In many cases these devices are infected through Software Development Kits (SDKs): code bundled into applications that quietly turns users’ devices into relay points for illicit traffic, with the operators collecting transaction fees for each use of those devices.

The Aisuru incident is a stark reminder that poorly secured household IoT devices are increasingly being exploited as vectors for malicious activity, putting at risk not only internet stability but also unsuspecting users worldwide. Viewed through the MITRE ATT&CK framework, tactics such as initial access, persistence, and privilege escalation may have been essential components in enabling this attack, underlining the critical importance of robust cybersecurity measures in today’s digital landscape.
