
The Aisuru botnet has established a new benchmark in distributed denial-of-service (DDoS) attacks, reaching 31.4 terabits per second (Tbps) in a campaign that Cloudflare detected and stopped in December 2025. The attack exceeded the botnet’s previous record of 29.7 Tbps from just three months earlier, making it the largest publicly disclosed DDoS attack to date.
Cloudflare revealed the details of the campaign, dubbed “The Night Before Christmas,” in early February 2026 as part of its fourth-quarter threat report for 2025. While the attack lasted only a few seconds, it demonstrated the rapidly expanding capabilities of modern botnets.
According to the cybersecurity company’s data, the campaign specifically targeted telecommunications providers alongside IT service firms, gambling platforms, and gaming companies, industries where even brief disruptions can create immediate and widespread consequences.
Aisuru Botnet: The “Night Before Christmas” Campaign
Cloudflare named the attack campaign “The Night Before Christmas” because it began on December 19, 2025. The operation involved a series of short but extremely intense network-layer attacks that combined hyper-volumetric HTTP floods with traditional DDoS methods. The campaign saw attacks that exceeded 200 million requests per second on the application layer while simultaneously pushing Layer 4 attacks to the record 31.4 Tbps peak.
Over half of the individual attacks during the campaign lasted between one and two minutes. Despite their brief duration, 90% of the strikes reached between 1 and 5 terabits per second, delivering 1 to 5 billion packets per second. However, Cloudflare’s autonomous defense systems detected and mitigated all 902 hyper-volumetric attacks throughout the campaign without requiring manual intervention or causing service disruptions for protected customers.
Additionally, Android TV streaming devices were compromised and became a major infection vector and source exploited by the related Kimwolf botnet infrastructure, which in turn powered parts of the Aisuru botnet’s large-scale attacks.
A Year of Escalating Attacks
The record-breaking assault occurred against a backdrop of rapidly accelerating DDoS activity, Cloudflare reports. The company’s report shows that total DDoS attacks reached 47.1 million in 2025, a 121% increase compared to 2024, when it mitigated an average of only 5,376 attacks per hour throughout the year.
Additionally, network-layer attacks more than tripled during 2025, growing from 11.4 million in 2024 to 34.4 million. The fourth quarter alone saw a 31% increase over the previous quarter and a 58% rise year-over-year. Attacks exceeding 100 million packets per second grew by 600%, while those larger than 1 terabit per second continued to rise quarter after quarter.
The size of attacks also escalated dramatically. Hyper-volumetric assaults grew by over 700% compared to the large attacks observed in late 2024, with the total number of such attacks jumping from 717 in the first quarter to 1,824 by the fourth quarter.
Telecommunications providers bore the brunt of DDoS attacks in the fourth quarter of 2025, followed by IT services, gambling, and gaming sectors. Generative AI companies also experienced a 347% monthly spike in attacks amid ongoing regulatory debates around the technology.
However, Cloudflare did not confirm whether this escalation was a result of the wide adoption of AI tools in almost every sector.
The Evolving Threat Landscape
The Aisuru botnet builds on code from the Mirai botnet, whose source code leaked in 2016 and has since formed the foundation for several major botnets. Beyond DDoS capabilities, Aisuru incorporates additional functions that allow operators to conduct credential stuffing, web scraping, spamming, and phishing campaigns.
Cloudflare’s data reveals that more than 71.5% of all HTTP-based DDoS attacks in 2025 came from known and documented botnets. This highlights the growing role of automated attack networks in modern cybercrime. The attacks typically use UDP carpet bombing techniques, targeting multiple IP addresses simultaneously rather than a single target, along with heavy randomization of packet attributes to avoid detection.
For network operators and organizations relying on on-premises mitigation systems or on-demand scrubbing centers, the challenge has shifted to consistently detecting and mitigating frequent, short-lived but extremely aggressive network-layer attacks. As botnets continue to evolve and expand, especially with the accelerating adoption of AI in everyday life, manual intervention and slow detection systems are now inadequate.
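The carpet-bombing pattern described above spreads traffic across many addresses so that no single host crosses a per-IP alarm threshold. The following added example (not from Cloudflare's report or any vendor's code) shows detection logic that aggregates UDP flow records per destination prefix over short windows; the record layout, function names, and all thresholds are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

def detect_udp_floods(flows, window=10, prefix_len=24,
                      host_bps=1e9, prefix_bps=5e9, min_hosts=32):
    """flows: iterable of (ts_seconds, dst_ip, proto, byte_count), IPv4 only.
    Thresholds are illustrative assumptions, not values from the report."""
    # Key on destination only: source address/port and other packet
    # attributes are randomized by the sender and are useless as keys.
    per_prefix = defaultdict(lambda: defaultdict(int))
    for ts, dst, proto, nbytes in flows:
        if proto != "udp":
            continue
        prefix = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        per_prefix[(int(ts // window), prefix)][dst] += nbytes

    findings = []
    for (bucket, prefix), hosts in sorted(per_prefix.items(), key=lambda kv: kv[0]):
        rates = [b * 8 / window for b in hosts.values()]  # bits/s per host
        total, peak = sum(rates), max(rates)
        if peak >= host_bps:
            kind = "single-target flood"      # a per-IP detector sees this
        elif total >= prefix_bps and len(hosts) >= min_hosts:
            kind = "carpet bombing"           # only the aggregate view sees this
        else:
            continue
        findings.append({"window_start": bucket * window, "prefix": str(prefix),
                         "kind": kind, "hosts": len(hosts),
                         "peak_host_bps": peak, "total_bps": total})
    return findings

def sample_flows():
    """Constructed records using documentation address ranges, not real traffic."""
    flows = [(3.0, f"203.0.113.{h}", "udp", 50_000_000) for h in range(1, 201)]
    flows.append((4.0, "192.0.2.10", "udp", 4_000_000_000))   # one hot host
    flows += [(5.0, f"198.51.100.{h}", "udp", 200_000) for h in range(1, 6)]
    flows.append((6.0, "203.0.113.7", "tcp", 9_000_000_000))  # ignored: not UDP
    return flows

if __name__ == "__main__":
    for finding in detect_udp_floods(sample_flows()):
        print(finding)
```

In the constructed data, each of the 200 hosts in 203.0.113.0/24 receives only 40 Mbit/s, well under the per-host threshold, yet the prefix as a whole absorbs 8 Gbit/s within a single 10-second window.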
