
On October 24, 2025, Microsoft Azure's DDoS Protection platform automatically detected and mitigated a massive 15.72 terabit-per-second (Tbps) distributed denial-of-service (DDoS) attack, the largest ever recorded in the Azure ecosystem.
The high-throughput assault targeted a single public IP address hosted in Australia, flooding it with nearly 3.64 billion packets per second (pps) in a multi-vector campaign.
The attack was traced back to the AISURU botnet, an increasingly aggressive IoT botnet that has been behind a series of record-breaking DDoS events throughout 2025. Azure's global mitigation infrastructure intercepted and filtered the attack traffic in real time, preserving service availability and shielding downstream workloads from any visible impact.
The offending traffic, primarily high-rate UDP floods, originated from over 500,000 unique source IP addresses spanning multiple geographies. Source addresses were only minimally spoofed and source ports were randomized: the random ports defeat simple per-port filtering, while the lack of spoofing means the sources can actually be traced, which simplifies traceback and abuse enforcement by the hosting providers whose networks the bots sit in.
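The traffic profile described above (very high packet rate, almost entirely UDP, hundreds of thousands of distinct unspoofed sources, randomized source ports) is what a flow-based detector would key on. The following is an added example, not Microsoft's or Azure's own mitigation logic: it profiles constructed NetFlow/IPFIX-style records per destination, flags a destination whose packet rate and UDP share exceed assumed thresholds, and, because the sources are not spoofed, groups them by /24 for provider notification. The flow records, the 10-second window, and the alert thresholds are all assumptions for illustration.

```python
"""Flag a volumetric UDP flood in flow records and summarise its (unspoofed) sources.

Added example, not Azure's detection code. Flow records are constructed inline
and field names loosely follow NetFlow/IPFIX. Window size and thresholds are
assumptions to be tuned per workload.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str     # "UDP" or "TCP"
    packets: int   # packets in this record during the export window

WINDOW_SECONDS = 10          # assumed: all sample records fall in one 10 s export window
PPS_THRESHOLD = 1_000_000    # assumed per-destination alert level (tune per workload)
UDP_SHARE_THRESHOLD = 0.9    # assumed: floods here are almost entirely UDP

def synth_flows() -> List[Flow]:
    """Constructed sample: a UDP flood toward 192.0.2.10 and ordinary TCP toward 192.0.2.20."""
    flows = []
    for i in range(2000):
        # thousands of distinct, unspoofed sources; source port pseudo-randomised per flow
        src = f"198.18.{(i >> 8) & 255}.{i & 255}"
        sport = (i * 7919) % 65535 + 1          # 7919 is coprime with 65535, so ports are distinct
        flows.append(Flow(src, sport, "192.0.2.10", 443, "UDP", 50_000))
    for i in range(200):
        # baseline: a web server with a couple of hundred real TCP clients
        flows.append(Flow(f"198.18.250.{i}", 40_000 + i, "192.0.2.20", 443, "TCP", 20))
    return flows

def port_entropy(port_counts: Counter) -> float:
    """Shannon entropy (bits) of the packet-weighted source-port distribution."""
    total = sum(port_counts.values())
    return -sum(c / total * math.log2(c / total) for c in port_counts.values())

def profile_destinations(flows: List[Flow]) -> Dict[str, dict]:
    """Per-destination features over one window: pps, UDP share, unique sources, port entropy."""
    packets: Counter = Counter()
    udp_packets: Counter = Counter()
    sources = defaultdict(set)
    ports = defaultdict(Counter)
    for f in flows:
        packets[f.dst_ip] += f.packets
        sources[f.dst_ip].add(f.src_ip)
        if f.proto == "UDP":
            udp_packets[f.dst_ip] += f.packets
            ports[f.dst_ip][f.src_port] += f.packets
    profile = {}
    for dst, pk in packets.items():
        profile[dst] = {
            "pps": pk / WINDOW_SECONDS,
            "udp_share": udp_packets[dst] / pk,
            "unique_sources": len(sources[dst]),
            "src_port_entropy_bits": port_entropy(ports[dst]) if ports[dst] else 0.0,
        }
    return profile

def flagged_targets(flows: List[Flow]) -> List[str]:
    """Destinations whose window exceeds both the packet-rate and UDP-share thresholds."""
    prof = profile_destinations(flows)
    return sorted(d for d, p in prof.items()
                  if p["pps"] >= PPS_THRESHOLD and p["udp_share"] >= UDP_SHARE_THRESHOLD)

def source_prefixes(flows: List[Flow], dst_ip: str, top: int = 5) -> List[Tuple[str, int]]:
    """Group attacking sources by /24 for traceback and abuse reports.

    Only meaningful when spoofing is low, as in the Azure incident; spoofed
    sources would just point at random networks.
    """
    prefixes: Counter = Counter()
    seen = set()
    for f in flows:
        if f.dst_ip == dst_ip and f.src_ip not in seen:
            seen.add(f.src_ip)
            a, b, c, _ = f.src_ip.split(".")
            prefixes[f"{a}.{b}.{c}.0/24"] += 1
    return sorted(prefixes.items(), key=lambda kv: (-kv[1], kv[0]))[:top]

if __name__ == "__main__":
    sample = synth_flows()
    for dst, p in profile_destinations(sample).items():
        print(dst, p)
    for dst in flagged_targets(sample):
        print("ALERT", dst, "top source /24s:", source_prefixes(sample, dst))
```

Port entropy is reported as a feature rather than used as an alert condition on purpose: legitimate clients also use ephemeral (and therefore varied) source ports, so a high entropy alone does not distinguish a flood from a busy server; the packet rate and protocol mix do.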
Azure, Microsoft's cloud computing platform, is one of the largest cloud providers globally, serving enterprises, governments, and critical services worldwide.
AISURU was first identified by researchers at XLab in mid-2024. The botnet has rapidly expanded over the past year, now believed to encompass over 300,000 compromised routers, IP cameras, and embedded systems, primarily infected through exploits targeting unpatched or poorly secured consumer networking equipment. A key turning point came in April 2025, when AISURU exploited a Totolink firmware update server, hijacking traffic to distribute malware via a rogue domain, updatetoto[.]tw. This campaign alone added over 100,000 bots to its arsenal.
AISURU exhibits several advanced techniques to avoid analysis and persist on infected devices, including RC4-based encryption, anti-virtualization checks, OOM score manipulation, and system binary impersonation. The botnet's infrastructure supports not only DDoS but also proxy services and reverse shell access, allowing for a variety of monetization pathways beyond disruptive attacks.
Microsoft's report about AISURU targeting Azure comes just weeks after Cloudflare mitigated a still-unmatched 22.2 Tbps attack, which remains the largest known DDoS event to date. That incident, though unattributed at the time, bore key similarities to AISURU-linked activity. AISURU's earlier 11.5 Tbps attack, also in September, marked the first time the group was observed operating at a global scale with such intensity.
As the holiday season approaches, historically a high-risk period for DDoS attacks, Microsoft urges organizations to proactively review their exposure and ensure their cloud workloads are protected.
Home users can protect their devices from botnet takeover by keeping router firmware up to date, changing default administrative credentials, disabling WAN access and UPnP where not needed, and replacing unsupported or end-of-life equipment.