Record-Breaking DDoS Attack Hits US ISPs With 30 Tbps

The Aisuru botnet has carried out one of three large-scale botnet assaults this week, targeting ISPs with a record-breaking amount of junk traffic.

Published on Oct 15, 2025
Written by Caitlin Harris

The world’s largest botnet is drawing on US-based Internet Service Providers (ISPs) to power a series of overwhelming attacks against major online gaming platforms. 

In a campaign on October 8th, the Aisuru botnet hit several online gaming platforms with 29.6 Terabits per second (Tbps) of junk DDoS traffic—and the majority of the power behind the attack came from compromised devices hosted under US ISPs including AT&T, Charter Communications, Comcast, T-Mobile, and Verizon.

The owners of the botnet scan the internet for vulnerable devices such as routers, security cameras, and other Internet of Things (IoT) devices operating with outdated firmware or default factory settings. They then hack these systems, bringing them into the botnet so that they can be used to carry out distributed denial-of-service (DDoS) attacks that overwhelm targeted websites and servers with huge amounts of traffic. 

Since it was created over a year ago, Aisuru has grown steadily. In May 2025, it targeted cyber news platform KrebsOnSecurity with an attack of 6.35 Tbps; in September, it hit cybersecurity provider Cloudflare with a then-record-breaking barrage of 22.2 Tbps. 

Aisuru has now outcompeted all other IoT-based botnets, with its most recent attacks siphoning bandwidth from approximately 300,000 compromised devices globally. 

While the botnet’s most recent attacks only targeted ISPs serving online gaming communities, these assaults often lead to widespread disruption. In the case of the targeted ISPs, for example, it could result in a reduction in service not only for customers whose devices are being used in attacks, but also for non-compromised customers whose neighbors have become attack nodes.

The Bigger Picture

As well as operational disruption, botnets expose organizations to potential network compromise and data exfiltration. Unfortunately, large-scale attacks are only becoming more prevalent, with the Aisuru attack being one of three major assaults that have taken place this week.

Threat researchers at GreyNoise reported a multi-country botnet campaign using over 100,000 IP addresses to target Remote Desktop Protocol (RDP) services in the US. 

Additionally, researchers at Trend Micro have identified a RondoDox botnet campaign exploiting 56 vulnerabilities across more than 30 vendors, including Apache and Cisco. 

“The latest RondoDox botnet campaign represents a significant evolution in automated network exploitation, demonstrating how threat actors continue to weaponize both publicly disclosed vulnerabilities and zero-day exploits discovered at security competitions like Pwn2Own,” Trend Micro said.

“Organizations that delay patching or fail to maintain comprehensive asset inventories of their network edge devices create opportunities for campaigns like RondoDox to establish persistent footholds within their infrastructure.”

To avoid compromise, the company recommended that organizations patch all listed vulnerabilities, conduct regular vulnerability assessments, segment networks to limit lateral movement, restrict internet exposure, and continuously monitor their endpoints for anomalous activity.