Microsoft Blocks Record 15.72 Tbps DDoS Attack From Expanding AISURU Botnet

Microsoft says it has seen the largest cloud DDoS attack ever recorded, a whopping 15.72 terabits per second. The attack hit a single endpoint in Australia and reached 3.64 billion packets per second. The victim hasn’t been named, but this is a reminder of how fast DDoS attacks are evolving.

The attack came from AISURU, a massive TurboMirai-class botnet of hundreds of thousands of compromised Internet of Things devices. For everyday users and businesses, this is a reminder that the devices sitting on your shelves, from routers to security cameras, can be enablers of attacks if not secured properly.

AISURU’s growing power in the botnet landscape

Microsoft noted that the attack involved sudden, extremely high-volume bursts of UDP traffic. These floods came from more than half a million source IP addresses that were distributed across different regions. Although the packets used random source ports, experts suggest the minimal spoofing made it easier to trace the traffic back to providers and enforce mitigation.
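The traits described above (bursty UDP, a very large number of source addresses, random source ports, one target endpoint) can be checked for in flow records. The following is an added example, not Microsoft's detection logic: the record layout, thresholds, addresses and function names are assumptions, and the sample flows are constructed.

```python
import math, random, statistics
from collections import Counter, defaultdict

def port_entropy(ports):
    """Shannon entropy (bits) of the source-port distribution."""
    counts = Counter(ports)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def find_udp_floods(flows, min_sources=100, min_entropy=6.0, burst_ratio=10.0):
    """flows: (second, src_ip, src_port, dst_ip, proto, packets) tuples.
    Flags destinations hit by bursty UDP from many sources on scattered ports."""
    by_dst = defaultdict(lambda: {"srcs": set(), "ports": [], "pps": Counter()})
    for sec, src, sport, dst, proto, pkts in flows:
        if proto != "udp":
            continue
        d = by_dst[dst]
        d["srcs"].add(src)
        d["ports"].append(sport)
        d["pps"][sec] += pkts
    alerts = {}
    for dst, d in by_dst.items():
        peak = max(d["pps"].values())
        baseline = statistics.median(d["pps"].values())  # median over active seconds
        entropy = port_entropy(d["ports"])
        if (len(d["srcs"]) >= min_sources and entropy >= min_entropy
                and peak >= burst_ratio * baseline):
            alerts[dst] = {"sources": len(d["srcs"]), "port_entropy": round(entropy, 2),
                           "peak_pps": peak, "baseline_pps": baseline}
    return alerts

def constructed_flows(seed=7):
    """Constructed sample: steady background traffic plus a one-second burst."""
    rng = random.Random(seed)
    flows = []
    for sec in range(20):      # 5 clients, fixed source ports, two destinations
        for i in range(5):
            for dst in ("203.0.113.10", "203.0.113.20"):
                flows.append((sec, f"198.51.100.{i}", 40000 + i, dst, "udp", 2))
    for i in range(500):       # burst at second 12, 500 sources, random source ports
        src = f"100.64.{i // 250}.{i % 250}"
        flows.append((12, src, rng.randint(1024, 65535), "203.0.113.10", "udp", 50))
    return flows

if __name__ == "__main__":
    for dst, info in find_udp_floods(constructed_flows()).items():
        print(dst, info)
```

Because the baseline is the median over the observed window, a sustained flood that fills most of the window will not trip the burst test; compare against a longer historical baseline for that case.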

Security researchers at QiAnXin XLab estimate that AISURU controls close to 300,000 infected devices, most of them consumer-grade hardware like DVR systems, IP cameras, and home networking gear. Industry leaders indicate that AISURU has been responsible for some of the biggest DDoS assaults seen in recent years, even as its operators appear selective about their targets.

According to prior analysis, the group behind AISURU avoids hitting government, military, and law enforcement systems. Instead, the majority of recorded attacks appear tied to the online gaming world, where competitive rivalries and high traffic volumes often make services tempting targets.

A broader toolkit for cybercriminal activity

This versatility reflects a broader trend across the cyber threat landscape. Many modern botnets now serve multiple purposes, giving attackers flexible ways to generate profit. And with some capable of surpassing 20 terabits per second, the threshold for what counts as a “large-scale” attack keeps climbing.

Microsoft emphasized that attackers are scaling alongside the internet itself. Faster home fiber connections and increasingly powerful IoT hardware give threat actors more raw bandwidth to work with. For companies defending cloud services, that means constantly preparing for attacks that could exceed anything seen even a year ago.

Another TurboMirai botnet resurfaces in recent findings

The disclosure of the AISURU attack came as NETSCOUT published new findings about a related TurboMirai botnet called Eleven11, also known as RapperBot. That botnet is estimated to have carried out around 3,600 DDoS attacks between February and August 2025. Around that time, authorities announced an arrest and the takedown of the botnet’s infrastructure.

Cybersecurity experts say the rise of AISURU, Eleven11, and other networks shows how much IoT security needs to improve. Without better default protections, patching, and consumer awareness, the pool of exposed devices will just keep growing.

Microsoft’s latest mitigation shows just how high the stakes are in keeping cloud infrastructure up and running. And if these trends continue, the next record-breaking attack won’t be far away.
