Ethical Hacking News
The Looming Threat of TurboMirai-Driven DDoS Attacks: A Closer Look at the AISURU Botnet
A recent attack on a single endpoint in Australia highlighted the growing threat of TurboMirai-driven Distributed Denial-of-Service (DDoS) attacks. The attack, which measured 15.72 Tbps and nearly 3.64 billion packets per second, originated from the AISURU botnet, which is powered by nearly 300,000 infected devices. This type of attack can cause significant disruptions to critical infrastructure and services. Learn more about the threat posed by TurboMirai-class botnets such as AISURU.
Microsoft detected a massive DDoS attack measuring 15.72 Tbps and nearly 3.64 billion pps, the largest ever observed in the cloud. The attack was launched by the AISURU botnet, a TurboMirai-class IoT botnet with over 300,000 infected devices. The attack targeted a single public IP address from over 500,000 source IPs across various regions. Botnets like AISURU support functions beyond DDoS attacks, facilitating illicit activities such as credential stuffing and phishing. The rise of such botnets highlights the urgent need for organizations and individuals to stay vigilant against emerging threats.
Microsoft recently disclosed that it automatically detected and neutralized a massive distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia, measuring 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). The tech giant stated that this attack was the largest DDoS attack ever observed in the cloud, and it originated from a TurboMirai-class Internet of Things (IoT) botnet known as AISURU. The exact target of the attack is still unknown.
The attack involved extremely high-rate UDP floods targeting a specific public IP address, launched from over 500,000 source IPs across various regions. These sudden UDP bursts had minimal source spoofing and used random source ports, which helped simplify traceback and facilitated provider enforcement. This type of attack is particularly concerning as it can cause significant disruptions to critical infrastructure and services.
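The traffic pattern described above (high-rate UDP bursts, many unspoofed source IPs, random source ports) is detectable from one-second flow summaries. The following is an added example, not code from the article or from Microsoft: it parses constructed flow records in a CSV format assumed here, scores each destination on packets per second, distinct sources and source-port entropy, and returns the source list a defender would hand to upstream providers.

```python
import math
from collections import Counter, defaultdict
# Constructed sample flow records, not data from the article:
# "ts,proto,src_ip,src_port,dst_ip,dst_port,pkts" (one-second flow summaries).
SAMPLE_FLOWS = """\
1700000000,udp,198.51.100.10,41023,203.0.113.5,53,900
1700000000,udp,198.51.100.11,59981,203.0.113.5,53,870
1700000000,udp,198.51.100.12,1337,203.0.113.5,53,910
1700000000,udp,198.51.100.13,27015,203.0.113.5,53,880
1700000000,udp,198.51.100.14,60001,203.0.113.5,53,905
1700000000,udp,192.0.2.7,51000,203.0.113.9,123,12
1700000000,tcp,192.0.2.8,44321,203.0.113.9,443,30
"""
def parse_flows(text):
    """Parse CSV flow lines into dicts (skips blank lines)."""
    keys = ("ts", "proto", "src_ip", "src_port", "dst_ip", "dst_port", "pkts")
    rows = [dict(zip(keys, ln.split(","))) for ln in text.splitlines() if ln.strip()]
    for r in rows:
        for k in ("ts", "src_port", "dst_port", "pkts"):
            r[k] = int(r[k])
    return rows

def port_entropy(ports):
    """Shannon entropy (bits) of the source-port distribution; random ports score high."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())

def detect_udp_floods(flows, pps_threshold, min_sources, min_entropy):
    """Flag destinations whose one-second UDP traffic looks like a many-source flood.
    Returns {dst_ip: {"pps", "unique_sources", "port_entropy", "sources"}}."""
    windows = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp":
            windows[(f["ts"], f["dst_ip"])].append(f)
    alerts = {}
    for (_, dst), group in windows.items():
        pps = sum(f["pkts"] for f in group)
        sources = sorted({f["src_ip"] for f in group})
        ent = port_entropy([f["src_port"] for f in group])
        if pps >= pps_threshold and len(sources) >= min_sources and ent >= min_entropy:
            # With minimal spoofing, these sources are what upstream providers act on.
            alerts[dst] = {"pps": pps, "unique_sources": len(sources),
                           "port_entropy": ent, "sources": sources}
    return alerts

if __name__ == "__main__":
    # Thresholds here are sized for the tiny sample; tune real ones from a traffic baseline.
    for dst, info in detect_udp_floods(parse_flows(SAMPLE_FLOWS), 4000, 5, 2.0).items():
        print(dst, info)
```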
According to data from QiAnXin XLab, the AISURU botnet is powered by nearly 300,000 infected devices, most of which are routers, security cameras, and DVR systems. The AISURU botnet has been attributed to some of the biggest DDoS attacks recorded to date. In a report published last month, NETSCOUT classified the DDoS-for-hire botnet as operating with a restricted clientele.
"Operators have reportedly implemented preventive measures to avoid attacking governmental, law enforcement, military, and other national security properties," the company said. "Most observed Aisuru attacks to date appear to be related to online gaming." However, the use of botnets like AISURU for malicious purposes poses a significant threat to individual users, businesses, and organizations.
Beyond DDoS attacks exceeding 20 Tbps, botnets like AISURU are multi-purpose and facilitate other illicit activities such as credential stuffing, artificial intelligence (AI)-driven web scraping, spamming, and phishing. The AISURU botnet also incorporates a residential proxy service, allowing attackers to bypass security measures and access sensitive information.
"Attackers are scaling with the internet itself," Microsoft said. "As fiber-to-the-home speeds rise and IoT devices get more powerful, the baseline for attack size keeps climbing." This highlights the urgent need for organizations and individuals to stay vigilant against emerging threats like AISURU botnets.
The disclosure comes as NETSCOUT detailed another TurboMirai botnet called Eleven11 (aka RapperBot) that's estimated to have launched about 3,600 DDoS attacks powered by hijacked IoT devices between late February and August 2025, around the same time authorities disclosed an arrest and the dismantling of the botnet.
Some of the command-and-control (C2) servers associated with the AISURU botnet are registered under the ".libre" top-level domain (TLD), which is part of OpenNIC, an alternative DNS root that operates independently of ICANN and has been embraced by other DDoS botnets like CatDDoS and Fodcha.
"Although the botnet has likely been rendered inoperable," it said, "compromised devices remain vulnerable." It is likely a matter of time until hosts are hijacked again and conscripted as a compromised node for the next botnet. This underscores the need for organizations to continually monitor their networks and systems for signs of compromise or potential vulnerabilities.
The rise of TurboMirai-class botnets like AISURU serves as a stark reminder of the ever-evolving threat landscape in the digital age. As the Internet of Things (IoT) continues to grow, so too does the risk of attacks exploiting these devices. It is imperative that organizations and individuals take proactive steps to protect themselves against emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Looming-Threat-of-TurboMirai-Driven-DDoS-Attacks-A-Closer-Look-at-the-AISURU-Botnet-ehn.shtml
https://thehackernews.com/2025/11/microsoft-mitigates-record-572-tbps.html
Published: Tue Nov 18 04:42:51 2025 by llama3.2 3B Q4_K_M