Current Cyber Threats

Aisuru/Kimwolf Botnet Sets New Record with 31.4 Tbps DDoS Attack

Summary:
In late 2025, the Aisuru botnet (also known as Kimwolf) launched a series of massive distributed denial-of-service (DDoS) attacks, culminating in a record-breaking peak of 31.4 Terabits per second (Tbps) and 200 million requests per second (rps).

The campaign, dubbed "The Night Before Christmas" by Cloudflare due to its timing around December 19, 2025, represents the largest publicly disclosed DDoS attack to date. It surpassed the botnet's previous record of 29.7 Tbps and another massive 15.72 Tbps attack earlier in the year.

The botnet generates its volume from compromised Android TV boxes, other IoT devices, and home routers. The campaign combined hyper-volumetric HTTP (Layer 7) floods with network- and transport-layer (Layer 3/4) floods. Most attacks were short but intense, with over half lasting between one and two minutes: long enough to overwhelm infrastructure, short enough to finish before any manual response could begin.

Security Officer Comments:
Despite the unprecedented scale, immediate operational impact was limited because automated mitigation absorbed the traffic; the broader implications are nonetheless significant. The primary targets were telecommunications service providers and IT organizations, and some attacks were aimed at Cloudflare's own dashboard and infrastructure.

While automated defenses held, 31.4 Tbps is enough to saturate the backbone of most regional internet service providers (ISPs); a target without edge-scale scrubbing capacity would simply have gone offline. This attack confirms a "new normal" in DDoS scale: Cloudflare reported 47.1 million DDoS incidents in 2025, a 121% increase over 2024.

Millions of low-cost, unbranded Android TV boxes are being used both as residential proxies and as attack sources for large-scale distributed denial-of-service (DDoS) attacks. As of January 2026, the Kimwolf and BadBox 2.0 botnets have infected over 2 million devices worldwide, forming a global network used for criminal activity.

In some cases, threat actors abuse the Android Debug Bridge (ADB) service, which manufacturers often ship listening on the network. On a device that does not require ADB authorization, this port (typically TCP/5555) lets anyone who can reach it open a shell, install packages, and take full control without a password. The open ADB port reflects poor manufacturer security practice, but most of these devices are compromised before they ever reach a customer's home network, through malicious firmware implants installed somewhere in the supply chain.

The affected devices are typically "off-brand" Android TV boxes sold through major e-commerce platforms (e.g., Amazon, AliExpress, Alibaba) that promise "free" or "unlimited" streaming. Some ship with malicious firmware pre-installed; others trick users into side-loading malicious Android applications during setup, which then provide the initial foothold.

Suggested Corrections:
To defend against botnets like Aisuru/Kimwolf, organizations must move beyond manually maintained firewall rules and adopt a multi-layered, automated approach:
  • Automated Cloud Mitigation: At 200 million rps, manual intervention is not viable; an attack lasting one to two minutes is over before a ticket is opened. Defense relies on "always-on" cloud-based scrubbing that absorbs and filters traffic at the edge before it reaches the origin server.
  • Hyper-Volumetric Filtering: Systems tuned to detect and block Layer 7 (HTTP) requests that look legitimate individually but arrive at rates no real client population could produce.
  • Rate Limiting and Behavioral Analysis: Strict per-client rate limits combined with machine-learning classifiers that flag bot-like behavior (e.g., anomalous request headers, repetitive request patterns, or traffic from known botnet IP ranges).
For IoT Manufacturers
Manufacturers of IoT devices need to eliminate shared default credentials, ship ADB disabled (or restricted to USB with authorization required) in production firmware, and provide regular, signed firmware updates for Android TV boxes and routers. The ADB port that threat actors are abusing is usually left open by the manufacturer, which underlines the need for secure-by-default configurations and for consumer guidance on choosing safe products.

For ISPs

Customer Alerting
  • Automated systems can flag impacted customers and send an advisory email asking them to check for, and remove, a malicious Android TV box.
  • If an ISP identifies a customer device as part of the Kimwolf botnet, it could redirect the customer's web browser to a captive portal (walled garden) explaining that a "streaming device" on their network is compromised and linking to a removal guide.
  • ISPs could send a quarterly security update listing known malicious device families (e.g., generic "X96" or "T95" boxes) and recommending certified alternatives such as Chromecast, Roku, or Onn devices.
Port Blocking
  • Kimwolf specifically targets TCP port 5555 (Android Debug Bridge). ISPs can monitor residential address blocks for unusual outbound scanning of, or inbound connections to, this port. There is rarely a legitimate reason for a residential customer to expose ADB to the public internet, but blocking the port outright at the network edge may break legitimate uses (e.g., developers debugging devices remotely) and generate complaints; quarantining individual customers on evidence of infection is the safer default.
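What that monitoring looks like in practice is a pass over flow records, looking for two signals: a customer address fanning out to many external hosts on 5555 (an infected box hunting for more victims) and a customer address answering from source port 5555 (an exposed adbd that the internet has already reached). The script below is an added example for this brief, not the source article's or any ISP's tooling; the CSV record layout, the 100.64.0.0/10 customer pool, the fan-out threshold and the sample flows are all constructed for illustration, and a real deployment would read the collector's own export format.

```python
"""Flag residential customers scanning for, or exposing, TCP/5555 (ADB)
from unidirectional NetFlow-style records.

Added example; not from the source article. Record layout, customer prefix,
threshold and sample flows are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

ADB_PORT = 5555
TCP = 6
# Assumed customer pool (CGNAT space used here as a stand-in for a real one).
RESIDENTIAL = ip_network("100.64.0.0/10")
# Distinct external hosts a single customer must touch on 5555 before we alert.
SCAN_THRESHOLD = 5

# Constructed sample flows: ts,src_ip,src_port,dst_ip,dst_port,proto,packets
SAMPLE_FLOWS = """\
1703000000,100.64.12.7,41022,203.0.113.5,5555,6,1
1703000001,100.64.12.7,41023,203.0.113.6,5555,6,1
1703000001,100.64.12.7,41024,203.0.113.7,5555,6,1
1703000002,100.64.12.7,41025,203.0.113.8,5555,6,1
1703000002,100.64.12.7,41026,203.0.113.9,5555,6,1
1703000003,100.64.12.7,41027,203.0.113.10,5555,6,1
1703000004,100.64.30.2,52000,198.51.100.20,443,6,12
1703000005,198.51.100.77,60001,100.64.55.9,5555,6,3
1703000006,100.64.55.9,5555,198.51.100.77,60001,6,8
"""


def parse_flow(line: str) -> dict:
    """Parse one CSV record into typed fields (assumed layout, see above)."""
    ts, src, sport, dst, dport, proto, pkts = line.split(",")
    return {
        "ts": int(ts), "src": ip_address(src), "sport": int(sport),
        "dst": ip_address(dst), "dport": int(dport),
        "proto": int(proto), "pkts": int(pkts),
    }


def analyze(flow_text: str, residential=RESIDENTIAL, threshold: int = SCAN_THRESHOLD):
    """Return (scanners, exposed).

    scanners: {customer_ip: distinct external targets on 5555} for customers
              at or above the fan-out threshold.
    exposed:  customer IPs that sent traffic FROM port 5555 to the internet,
              i.e. an ADB daemon answered an external peer. Inbound SYNs alone
              are just background scanning and are deliberately not counted.
    """
    targets = defaultdict(set)
    exposed = set()
    for line in flow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        # Only TCP flows that originate inside the customer pool are of interest.
        if f["proto"] != TCP or f["src"] not in residential or f["dst"] in residential:
            continue
        if f["dport"] == ADB_PORT:
            targets[f["src"]].add(f["dst"])
        if f["sport"] == ADB_PORT:
            exposed.add(f["src"])
    scanners = {str(src): len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}
    return scanners, sorted(str(ip) for ip in exposed)


if __name__ == "__main__":
    scanners, exposed = analyze(SAMPLE_FLOWS)
    for ip, n in scanners.items():
        print(f"SCANNING  {ip}: {n} external hosts probed on {ADB_PORT}")
    for ip in exposed:
        print(f"EXPOSED   {ip}: answered an external peer from port {ADB_PORT}")
```

Requiring a reply from port 5555 rather than counting inbound connection attempts matters because every residential address is hit by internet-wide scanners all day; the customer only has a problem when something on their side answers. Tune the fan-out threshold and window against your own baseline before wiring the output into the customer-alerting workflow above.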
Firewall Hardening
  • If you provide the customer's router (CPE), ensure that UPnP (Universal Plug and Play) is disabled by default. UPnP port mapping is often how these TV boxes open inbound holes in the CPE firewall, exposing ADB and other services on the box to remote attackers.
Link(s):
https://www.bleepingcomputer.com/ne...et-sets-new-record-with-314-tbps-ddos-attack/