Full Report
The distributed denial-of-service (DDoS) botnet known as AISURU/Kimwolf has been attributed to a record-setting attack that peaked at 31.4 Terabits per second (Tbps) and lasted only 35 seconds. Cloudflare, which automatically detected and mitigated the activity, said it's part of a growing number of hyper-volumetric HTTP DDoS attacks mounted by the botnet in the fourth quarter of 2025. The
Analysis Summary
# Incident Report: AISURU/Kimwolf Record 31.4 Tbps DDoS Attack
## Executive Summary
In November 2025, the AISURU/Kimwolf botnet executed a record-setting Distributed Denial-of-Service (DDoS) attack peaking at 31.4 Terabits per second (Tbps) over a 35-second duration. This incident is part of a growing trend of hyper-volumetric HTTP DDoS attacks driven by the botnet, which primarily leverages compromised, off-brand Android devices. Cloudflare automatically detected and mitigated the attack.
## Incident Details
- **Discovery Date:** During the attack in November 2025.
- **Incident Date:** November 2025 (specific date not provided).
- **Affected Organization:** Victim undisclosed, but the general target sectors included telecommunications, service providers, carriers, information technology, gambling, gaming, and computer software.
- **Sector:** Multiple victims across critical infrastructure and IT sectors.
- **Geography:** Attack originated primarily from Bangladesh, Ecuador, Indonesia, Argentina, Hong Kong, Ukraine, Taiwan, Singapore, and Peru.
## Timeline of Events
### Initial Access
- **Date/Time:** November 2025 (part of Q4 2025 activity).
- **Vector:** Infection of Android devices (smart TVs, streaming boxes) via trojanized Android apps or Windows binaries (posing as updates/software). The botnet utilizes devices turned into proxy exit nodes, often through compromised residential proxy networks like IPIDEA.
- **Details:** The infrastructure relied on residential proxy networks, allowing the botnet to scale its infection base to over 2 million devices.
### Lateral Movement
*(No lateral movement details specific to this one DDoS event were provided; the attack was executed via volumetric amplification/reflection from the established botnet.)*
### Data Exfiltration/Impact
- **Impact:** The immediate impact was a high-volume, short-duration denial of service, characterized by 31.4 Tbps volumetric traffic. While the source was linked to the botnet, the specific damage to the victim's operations is not detailed beyond the outage caused by the attack volume.
### Detection & Response
- **Detection:** Automatically detected by Cloudflare's threat monitoring systems.
- **Response Actions:** Cloudflare automatically mitigated the activity. Cloudflare, in coordination with Google, also acted against the underlying infrastructure by disrupting the IPIDEA proxy network, impacting command and control (C2) capabilities.
## Attack Methodology
- **Initial Access:** Compromise of off-brand Android devices and Windows PCs via trojanized applications embedding proxy software development kits (SDKs) or malicious binaries.
- **Persistence:** Devices were used as residential proxy exit nodes, maintaining control via centralized C2 infrastructure (previously linked to IPIDEA).
- **Privilege Escalation:** *(Not specified for this specific DDoS incident.)*
- **Defense Evasion:** The use of high-volume, short-burst attacks (35 seconds) and volumetric HTTP methods aims to overwhelm standard defenses rapidly.
- **Credential Access:** *(Not specified.)*
- **Discovery:** *(Not specified.)*
- **Lateral Movement:** *(Not specified as a primary component of this volumetric DDoS attack.)*
- **Collection:** *(Not applicable to a pure DDoS attack, but the botnet infrastructure collects access via proxying.)*
- **Exfiltration:** *(Not applicable.)*
- **Impact:** Hyper-volumetric HTTP DDoS, peaking at 31.4 Tbps, measured by volume (Tbps) and packet rate (average 3 billion packets per second, max 9 Bpps).
## Impact Assessment
- **Financial:** Undisclosed, but significant due to the record-breaking traffic volume and likely ensuing downtime for the targeted services.
- **Data Breach:** No data exfiltration confirmed in this specific DDoS report.
- **Operational:** Service disruption occurred during the 35-second peak, mitigated by sophisticated scrubbing capabilities.
- **Reputational:** Public disclosure highlights the growing sophistication and size of contemporary DDoS threats.
## Indicators of Compromise
*(No specific IPs, domains, or file hashes were provided in the context for defanging, beyond the botnet name AISURU/Kimwolf and the associated proxy infrastructure.)*
- **Network Indicators:** N/A
- **File Indicators:** N/A
- **Behavioral Indicators:** Sustained, hyper-volumetric HTTP DDoS traffic exceeding 31 Tbps.
## Response Actions
- **Containment:** Cloudflare automatically mitigated the record-setting traffic spike.
- **Eradication:** Google and Cloudflare partnered to disrupt the malicious residential proxy network (IPIDEA) used for C2 and traffic relay, taking down control domains and disrupting proxy functionality.
- **Recovery:** Service availability was restored quickly following mitigation.
## Lessons Learned
- DDoS attacks are rapidly increasing in size and sophistication, surpassing historical benchmarks (this attack peaked at 31.4 Tbps).
- Hyper-volumetric HTTP DDoS attacks are a growing trend, requiring defensive strategies capable of handling sustained high bit and packet rates (average 4 Tbps and 3 Bpps in this campaign).
- Reliance on on-premise mitigation appliances or on-demand scrubbing centers may be insufficient against modern hyper-volumetric threats operating at multi-Tbps scales.
## Recommendations
- Organizations, particularly those in Telecommunications, IT, and service provision, should re-evaluate their DDoS defense strategy to ensure reliance on always-on, highly scalable cloud-based mitigation services.
- Continue monitoring and coordinating with infrastructure providers (like Google/Cloudflare) to dismantle underlying C2 and proxy networks enabling botnet scaling.