The world's largest and most disruptive botnet, Aisuru, has been drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast, and Verizon, according to new evidence. This heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet's attacks, which shattered previous records with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.
Background and Context
Aisuru has been steadily outcompeting virtually all other IoT-based botnets in the wild since its debut more than a year ago. The botnet's owners are continuously scanning the Internet for vulnerable devices, enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic.
The hacked systems that get subsumed into the botnet are mostly consumer-grade routers, security cameras, digital video recorders, and other devices running insecure and outdated firmware and/or factory-default settings. As Aisuru's size has mushroomed, so has its punch. In May 2025, KrebsOnSecurity was hit with a near-record 6.35 terabits per second (Tbps) attack from Aisuru, which was then the largest assault that Google's DDoS protection service Project Shield had ever mitigated.
Days later, Aisuru shattered that record with a data blast in excess of 11 Tbps. By late September, Aisuru was publicly flexing DDoS capabilities topping 22 Tbps. Then on October 6, its operators heaved a whopping 29.6 terabits of junk data packets each second at a targeted host.
Why it Matters to the Industry
Aisuru's attacks often cause widespread collateral Internet disruption, and the heavy concentration of infected devices at U.S. providers makes that damage harder to contain. For the past several weeks, ISPs hosting some of the Internet's top gaming destinations have been hit with a relentless volley of gargantuan attacks that experts say are well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today.
Steven Ferguson, principal security engineer at Global Secure Layer (GSL), an ISP in Brisbane, Australia, told KrebsOnSecurity that on October 8, TCPShield was walloped with a blitz from Aisuru that flooded its network with more than 15 terabits of junk data per second. Ferguson said he's been tracking Aisuru for about three months and recently noticed the botnet's composition shifted heavily toward infected systems at ISPs in the United States.
Ferguson shared logs from an attack on October 8 that indexed traffic by the total volume sent through each network provider, and the logs showed that 11 of the top 20 traffic sources were U.S. based ISPs. AT&T customers were by far the biggest U.S. contributors to that attack, followed by botted systems on Charter Communications, Comcast, T-Mobile, and Verizon.
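The per-provider ranking that Ferguson's logs describe is a routine defender analysis: attribute each flow's source address to a network provider and sum the bytes. The following is an added example, not code from the article, GSL, or TCPShield; the prefix table and flow records are constructed sample data, and the provider names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-provider table (hypothetical ranges, not real allocations).
# In practice this would come from an IP-to-ASN database or BGP routing table.
PROVIDER_PREFIXES = {
    "10.0.0.0/16": "Provider A",
    "10.1.0.0/16": "Provider B",
    "10.2.0.0/16": "Provider C",
}
# Longest prefix first so the most specific route wins on overlap.
_NETS = sorted(((ipaddress.ip_network(p), n) for p, n in PROVIDER_PREFIXES.items()),
               key=lambda t: t[0].prefixlen, reverse=True)

# Constructed flow records, one per line: "<src_ip> <dst_ip> <bytes>".
SAMPLE_FLOWS = """\
10.0.4.7 192.0.2.10 900000
10.1.9.3 192.0.2.10 300000
10.0.8.1 192.0.2.10 600000
10.2.1.1 192.0.2.10 100000
198.51.100.5 192.0.2.10 50000
"""


def provider_for(ip: str) -> str:
    """Map a source address to its provider by longest-prefix match."""
    addr = ipaddress.ip_address(ip)
    for net, name in _NETS:
        if addr in net:
            return name
    return "unknown"


def rank_providers(flow_text: str, top_n: int = 20):
    """Return (provider, total_bytes, percent_of_total) for the top_n sources."""
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or truncated records
        src, _dst, nbytes = parts
        totals[provider_for(src)] += int(nbytes)
    grand = sum(totals.values()) or 1  # avoid division by zero on empty input
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top_n]
    return [(name, b, round(100 * b / grand, 1)) for name, b in ranked]


if __name__ == "__main__":
    for name, total, pct in rank_providers(SAMPLE_FLOWS):
        print(f"{name:12s} {total:>10d} bytes  {pct:5.1f}%")
```

On real attack data the same ranking, fed from flow exports rather than a text blob, is what tells a target which upstream providers to contact about infected customers.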
Impact on Internet Infrastructure
The volume of data packets per second coming from infected IoT hosts on these ISPs is often so high that it has started to affect the quality of service that ISPs are able to provide to adjacent (non-botted) customers. Ferguson said, "The impact extends beyond victim networks. For instance we have seen 500 gigabits of traffic via Comcast's network alone. This amount of egress leaving their network, especially being so US-East concentrated, will result in congestion towards other services or content trying to be reached while an attack is ongoing."
Roland Dobbins, principal engineer at Netscout, said that while most ISPs have effective mitigations in place to handle large incoming DDoS attacks, many are far less prepared to manage the inevitable service degradation caused by large numbers of their customers suddenly using some or all available bandwidth to attack others.
What Comes Next
The recent spate of crippling Aisuru attacks on gaming servers can be seen at the website blockgametracker.gg, which indexes the uptime and downtime of the top Minecraft hosts. In the following example from a series of data deluges on the evening of September 28, we can see that an Aisuru botnet campaign briefly knocked TCPShield offline.
A screenshot shared by XLabs showing the Aisuru botmasters recently celebrating a record-breaking 7.7 Tbps DDoS. The user at the top has adopted the name "Ethan J. Foltz" in a mocking tribute to the alleged Rapper Bot operator who was arrested and charged in August 2025.
Key Facts
- The Aisuru botnet is drawing a majority of its firepower from compromised IoT devices hosted on U.S. Internet providers like AT&T, Comcast, and Verizon.
- Aisuru has been steadily outcompeting virtually all other IoT-based botnets in the wild since its debut more than a year ago.
- The botnet's owners are continuously scanning the Internet for vulnerable devices, enslaving them for use in DDoS attacks that can overwhelm targeted servers with crippling amounts of junk traffic.
- Aisuru shattered previous records with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second on October 6.
- The volume of data packets per second coming from infected IoT hosts on these ISPs is often so high that it has started to affect the quality of service that ISPs are able to provide to adjacent (non-botted) customers.