What is the Aisuru-Kimwolf botnet?

The Aisuru-Kimwolf botnet is a large network of malware-compromised devices capable of launching hyper-volumetric DDoS attacks.

Learning Objectives

After reading this article you will be able to:

  • Describe how botnets like Aisuru-Kimwolf function and spread
  • Understand the scale of Aisuru-Kimwolf's largest attacks
  • Explain how to detect and stop Aisuru-Kimwolf DDoS attacks with Cloudflare


What is the Aisuru-Kimwolf botnet?

The Aisuru-Kimwolf botnet is a massive collection of malware-infected devices that are used in a range of attacks, including distributed denial-of-service (DDoS) attacks. Together, Aisuru and Kimwolf comprise an estimated 1-4 million infected hosts. Aisuru-Kimwolf is capable of launching DDoS attacks that can cripple critical infrastructure, crash most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity of entire nations.

Hyper-volumetric and ultra-sophisticated attacks

Aisuru-Kimwolf has been responsible for some of the largest hyper-volumetric DDoS attacks on record, including a 31.4 Terabit-per-second (Tbps) DDoS attack, a 14.1 billion packet-per-second (Bpps) DDoS attack, sophisticated DNS-based DDoS attacks such as “Water Torture” and Random Prefix attacks, and HTTP DDoS attacks exceeding 200 million requests per second.

These bit-intensive and packet-intensive attacks usually use a carpet bombing technique along with heavy randomization of packet attributes in an attempt to avoid detection. The attacks are usually executed in a "hit and run" fashion: a fast burst of attack traffic that reaches its maximum rate almost instantly and lasts anywhere from a few seconds to a few minutes. Within a single year (2025-2026), the potential Aisuru-Kimwolf attack size grew by over 700%.

What is Aisuru?

The Aisuru botnet is a network of malware-infected computing devices ranging from consumer Internet of Things (IoT) devices and DVRs to network appliances and even cloud-hosted virtual machines (VMs). These infected devices work together to launch DDoS attacks.

Aisuru serves as the architectural foundation or "parent" botnet from which other variants have been developed. It is part of a broader malware ecosystem that targets various devices to launch hyper-volumetric DDoS attacks.

What is Kimwolf?

Kimwolf is a highly active and rapidly growing botnet that specifically targets Android devices, such as TV streaming boxes (Smart TVs), Android streamers, and Android mobile devices. Kimwolf itself comprises approximately 2 million devices globally with significant infection rates in Vietnam, Brazil, India, and Saudi Arabia.

It is used for hyper-volumetric DDoS attacks, credential stuffing, and unauthorized app installations.

The relationship between Aisuru and Kimwolf

The relationship is essentially that of a variant to a parent. Kimwolf is the "Android variant" of the Aisuru DDoS botnet. It uses the core DDoS functionality of Aisuru but is specialized to infect and operate within the Android ecosystem.

Both are part of a system that monetizes compromised devices by turning them into "residential proxies." The parties who run Aisuru and Kimwolf sell access to these infected devices' IP addresses to other users or proxy providers, allowing cyber criminals to keep their attacks anonymous. Aisuru's proxying services have been used especially for data scraping attacks.

Additionally, chunks of the botnet are monetized by many distributors as a botnet-for-hire, also known as DDoS-as-a-service. They sell these services over Discord and Telegram channels, sometimes for as little as tens of US dollars; however, their DDoS services can cost up to thousands of US dollars, depending on the size and duration of the attack they sell. The revenue helps fund further development of the botnet.

To summarize, Aisuru is the original DDoS framework, and Kimwolf is the specialized Android "arm" that has fueled the network's massive growth by exploiting the lax security of residential proxy services. The Aisuru-Kimwolf botnet is a parasitic, high-velocity DDoS ecosystem. It represents a modern shift in cybercrime where threat actors do not just target end users, but specifically exploit the residential proxy industry to achieve massive scale.

What is a botnet?

A botnet is a collection of network-connected computing devices that have been compromised by malware and are controlled by a malicious party. Many, if not most, computers in a botnet may appear to be running normally while the malware runs in the background, awaiting orders. Botnet operators want to remain undetected so that their networks remain as large as possible. Generally, the more devices there are in a botnet, the more effective the botnet is: more devices means greater volumes of traffic from a wider range of IP addresses.

Botnets mostly contain ordinary, everyday devices in homes and offices. IoT devices are particularly susceptible to becoming part of a botnet. This is because IoT devices are:

  • Rarely updated, meaning software vulnerabilities can be exploited for years
  • Not monitored or checked often for compromise (most users just plug them in and turn them on)
  • Rarely turned off
  • Often shipped with default credentials for admin access

Routers are often targets for botnet-spreading malware as well because they are constantly connected to the Internet, rarely turned off or updated, and often contain security flaws. Many, if not most, homes and businesses have routers, and many people do not know how to properly secure them.

How a botnet works

Botnet devices wait for instructions before performing malicious activity. Once they have instructions, they send packets of information — network "traffic" — to the target, which is typically some specified application, website, network, or server. With thousands of devices working together, the target can be overwhelmed.

Imagine several hundred packages from a variety of senders all arrive at an office's front desk at once, and the front desk receptionist has to sign for all of them. Visitors to the office will have to wait to receive service from the receptionist, and may not receive service at all. A botnet has a similar effect on its target, causing service to be denied to legitimate application users.

What is unique about Aisuru-Kimwolf compared to other botnets?

  • Scale: Aisuru-Kimwolf has launched massive attacks at traffic volumes never before seen, in the neighborhood of 30 Tbps and 14 Bpps. While even these DDoS attacks can be blocked by DDoS mitigation with sufficient capacity, Aisuru-Kimwolf attacks are so large that they can degrade ISP services to downstream customers regardless. Think of how heavy automobile traffic on a freeway can cause backups even on roads that lead onto or off of the freeway.
  • Location: Many of the infected devices in the Aisuru-Kimwolf botnet are in the US, making it harder for US-based service providers to sort out attack traffic from legitimate traffic. Identifying attack traffic is easier when a service is suddenly flooded with traffic from an unusual location, such as a country on the other side of the world. The US locations also make Aisuru-Kimwolf's proxying services more valuable to cyber criminals, as they can impersonate legitimate US customers in large population areas.
  • Selective targets: Aisuru-Kimwolf's operators seem to be avoiding attacks on essential services like government or military targets. This may help keep it from being a priority for disruption by law enforcement.

It is worth noting that while Aisuru-Kimwolf's attacks can be huge, the largest attacks rarely last more than a few seconds.

How does Aisuru-Kimwolf spread?

The devices Aisuru targets can be vulnerable for any of the reasons listed above — default credentials, outdated firmware that contains known vulnerabilities, and so on. The operators of the botnet scan the Internet for vulnerable devices and install their malware on whatever devices they can.

Aisuru may also use zero-day vulnerabilities in router firmware to spread rapidly. There is no defense against such vulnerabilities until the manufacturer identifies them and issues a patch.

Kimwolf exploits vulnerable Android Debug Bridge (ADB) services. Many low-cost TV boxes come "pre-infected" with proxy SDKs; Kimwolf then scans these residential proxy networks and exploits the devices within minutes as it propagates.

What tactics does the Aisuru-Kimwolf botnet use?

For DDoS attacks, Aisuru tends to use DNS, TCP, UDP, and GRE protocol attacks. UDP carpet bombing is the most common, and this was the tactic used for Aisuru's massive 31.4 Tbps attack and similarly sized attacks. In a UDP carpet bombing attack, the attack traffic targets multiple IP addresses instead of one. The traffic directed at an individual IP address may fall below the threshold for it to be identified as an attack, but the combined force of the traffic can exhaust the network's bandwidth.
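The per-IP blind spot described above, shown as an added example that is not Cloudflare's code or any product's detection logic: a small Python detector that sums traffic per destination /24, so a carpet-bombing burst that stays under the per-IP threshold on every host still trips the prefix threshold. The flow records and both thresholds are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample flow records (not real telemetry): (second, dst_ip, bytes).
# Seconds 0-9 carry baseline traffic to one host; seconds 10-12 carry a short
# "hit and run" burst spread evenly over eight hosts in the same /24.
SAMPLE_FLOWS = [(sec, "198.51.100.10", 50_000) for sec in range(10)]
for sec in (10, 11, 12):
    for host in range(1, 9):
        SAMPLE_FLOWS.append((sec, f"198.51.100.{host}", 90_000_000))  # 720 Mbps each

def bits_per_second(flows):
    """Sum bytes into bits for each (second, destination IP) pair."""
    per_ip = defaultdict(int)
    for sec, dst, nbytes in flows:
        per_ip[(sec, dst)] += nbytes * 8
    return per_ip

def per_ip_alerts(flows, per_ip_threshold_bps):
    """Classic per-destination detection: alert only when one IP exceeds the threshold."""
    return sorted((sec, dst) for (sec, dst), bits in bits_per_second(flows).items()
                  if bits >= per_ip_threshold_bps)

def carpet_bomb_alerts(flows, per_ip_threshold_bps, prefix_threshold_bps, prefix_len=24):
    """Aggregate per destination prefix so traffic spread across many hosts is still
    seen as one attack. Each alert records whether per-IP detection would have fired."""
    per_ip = bits_per_second(flows)
    per_prefix = defaultdict(lambda: {"bits": 0, "targets": [], "per_ip_hit": False})
    for (sec, dst), bits in per_ip.items():
        net = str(ip_network(f"{dst}/{prefix_len}", strict=False))
        entry = per_prefix[(sec, net)]
        entry["bits"] += bits
        entry["targets"].append(dst)
        entry["per_ip_hit"] |= bits >= per_ip_threshold_bps
    return [{"second": sec, "prefix": net, "bps": e["bits"],
             "targets": len(e["targets"]), "per_ip_would_catch": e["per_ip_hit"]}
            for (sec, net), e in sorted(per_prefix.items())
            if e["bits"] >= prefix_threshold_bps]

if __name__ == "__main__":
    print(per_ip_alerts(SAMPLE_FLOWS, 1_000_000_000))            # [] : nothing fires
    for alert in carpet_bomb_alerts(SAMPLE_FLOWS, 1_000_000_000, 2_000_000_000):
        print(alert)
```

With a 1 Gbps per-IP threshold the eight 720 Mbps streams never alert individually, while the /24 aggregate of 5.76 Gbps crosses a 2 Gbps prefix threshold in each burst second.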

Additionally, Aisuru-Kimwolf has been launching hyper-volumetric HTTP DDoS attacks, mainly targeting the gaming industry.

To learn how TCP-based attacks work, see SYN flood attacks and ACK flood attacks.

How does Aisuru-Kimwolf help cyber attackers conceal their traffic?

A proxy is a server that sits in between a network-connected computer and the rest of the network and forwards traffic on its behalf. While proxies are used for a number of legitimate purposes (including enhancing security), for cyber criminals, using a proxy is one way to conceal the true source of malicious network traffic.

Researchers have identified Aisuru as the source of large amounts of proxied malicious traffic. Aisuru sells "residential proxy" services: traffic can be made to appear to come from regular home users in the US. These services have been used in large part to conceal the true source of data scraping bots that harvest data from websites in defiance of those websites' wishes.

Aisuru-Kimwolf and Mirai

The Mirai botnet is a large and powerful DDoS botnet that was especially active in the late 2010s. Mirai's code was leaked in 2016, and it has formed the basis for several other major botnets since, including Aisuru. Both Aisuru-Kimwolf and Mirai contain large numbers of IoT devices.

Other examples of botnets include Moobot and Meris.

How to stay safe from Aisuru-Kimwolf DDoS attacks

Cloudflare mitigates DDoS attacks no matter their size. The 31.4 Tbps Aisuru-Kimwolf attack described above was automatically detected and mitigated by Cloudflare’s autonomous DDoS protection defenses. Any network, website, application, or API can use Cloudflare to block Aisuru attacks both large and small. See Cloudflare plans here.

To learn more about Aisuru, including indicators of compromise (IoC) that signify an Aisuru-based attack, see the threat brief "Aisuru botnet: Early October attacks escalate into record-setting DDoS activity."