
The distributed denial-of-service (DDoS) botnet known as AISURU/Kimwolf is believed to be responsible for the record-setting attack, which peaked at 31.4 terabits per second (Tbps) and lasted just 35 seconds.
Cloudflare, which automatically detected and mitigated this activity, said it was part of a growing volume of HTTP DDoS attacks launched by botnets in Q4 2025. The attack occurred in November 2025.
AISURU/Kimwolf is also linked to another DDoS campaign, codenamed The Night Before Christmas, that was launched on December 19, 2025. According to Cloudflare, the average size of hyper-volumetric DDoS attacks during the campaign was 3 billion packets per second (Bpps), 4 Tbps, and 54 million requests per second (Mrps), with peak rates reaching 9 Bpps, 24 Tbps, and 205 Mrps.
“DDoS attacks will jump 121% in 2025, with an average of 5,376 attacks automatically mitigated per hour,” said Cloudflare’s Omer Yoachimik and Jorge Pacheco. “In 2025, the total number of DDoS attacks will more than double to an astonishing 47.1 million.”
The web infrastructure company announced that it mitigated 34.4 million network-layer DDoS attacks in 2025, compared to 11.4 million in 2024. In Q4 2025 alone, network-layer DDoS attacks accounted for 78% of all DDoS attacks. In total, the number of DDoS attacks increased by 31% compared to the previous quarter and by 58% compared to 2024.
In the fourth quarter of 2025, mass attacks increased by 40% compared to the previous quarter, jumping from 1,304 to 1,824. A total of 717 attacks were recorded in the first quarter of 2025. In addition to the spike in the number of attacks, the size of these attacks has also grown, increasing by more than 700% compared to large-scale attacks seen in late 2024.

AISURU/Kimwolf has ensnared over 2 million Android devices, most of them compromised off-brand Android TVs, into its botnet, often by tunneling through residential proxy networks such as IPIDEA. Last month, Google began legal action to disrupt the IPIDEA proxy network and take down dozens of domains used to control devices and proxy traffic through them.
It also partnered with Cloudflare to disrupt IPIDEA’s domain resolution, impacting its ability to command and control infected devices and sell its products.
IPIDEA is assessed to have enrolled devices using at least 600 trojanized Android apps embedded with various proxy software development kits (SDKs) and over 3,000 trojanized Windows binaries masquerading as OneDriveSync or Windows Update. Additionally, the Beijing-based company promoted several VPN and proxy apps that silently turn a user’s Android device into a proxy exit node without the user’s knowledge or consent.
In addition, these operators have been found to operate at least 12 residential proxy businesses disguised as legitimate services. Behind the scenes, all these products are connected to a centralized infrastructure under the control of IPIDEA.
Other notable trends observed by Cloudflare in Q4 2025 include:
- Telecommunications, service providers and carriers emerged as the most attacked sectors, followed by information technology, gambling, gaming and computer software sectors.
- The most attacked countries were China, Hong Kong, Germany, Brazil, the United States, the United Kingdom, Vietnam, Azerbaijan, India, and Singapore.
- Bangladesh has surpassed Indonesia as the largest source of DDoS attacks. Other top sources included Ecuador, Indonesia, Argentina, Hong Kong, Ukraine, Vietnam, Taiwan, Singapore, and Peru.
“DDoS attacks are rapidly increasing in sophistication and scale beyond anything previously imagined,” Cloudflare said. “This evolving threat landscape poses a significant challenge for many organizations to keep up. Organizations that currently rely on on-premises mitigation appliances or on-demand scrubbing centers may benefit from reevaluating their defense strategies.”
