AISURU Botnet Fuels Record-Breaking 11.5 Tbps DDoS Attack With 300,000 Hijacked Routers

The newly identified AISURU botnet, leveraging an estimated 300,000 compromised routers worldwide, has been pinpointed as the force behind a record-shattering 11.5 Tbps distributed denial-of-service (DDoS) attack in September 2025.

This unprecedented assault eclipses the previous 5.8 Tbps peak seen earlier in the year and underscores a dangerous escalation in botnet scale and sophistication.

First disclosed by XLab in August 2024, AISURU reemerged in March 2025 when XLab’s Cyber Threat Insight and Analysis System (CTIA) began capturing fresh samples.

According to an anonymous insider, the group is led by three operators codenamed Snow (botnet development), Tom (vulnerability research), and Forky (botnet sales).

In April 2025, Tom orchestrated the compromise of a Totolink router firmware update server by planting a malicious script (t.sh) that redirected devices to download AISURU malware.

Within weeks, the botnet swelled past ...