Microsoft (Azure)

Microsoft’s Azure network was targeted by the **Aisuru botnet**, a Turbo Mirai-class IoT botnet exploiting vulnerabilities in routers, IP cameras, and Realtek chips. The attack peaked at **15.72 Tbps** (terabits per second) with **3.64 billion packets per second**, originating from over **500,000 compromised IP addresses**—primarily residential devices in the U.S. and other regions. The DDoS assault leveraged **UDP floods** with minimal spoofing, targeting a public IP in Australia. While Azure mitigated the attack, the botnet’s scale and persistence posed significant risks to service availability, network integrity, and customer trust. The same botnet was linked to prior record-breaking attacks (e.g., **22.2 Tbps** against Cloudflare in September 2025), demonstrating its evolving threat capability. The incident also revealed Aisuru’s manipulation of Cloudflare’s DNS rankings by flooding its **1.1.1.1 service** with malicious queries, distorting domain popularity metrics. Though no data breach or financial loss was confirmed, the attack’s sheer volume threatened **operational disruption**, potential **reputation damage**, and **infrastructure strain**, underscoring the escalating sophistication of IoT-based cyber threats.

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-aisuru-botnet-used-500-000-ips-in-15-tbps-azure-ddos-attack/

Microsoft cybersecurity rating report: https://www.rankiteo.com/company/microsoft

```json
{
  "id": "MIC4792247111725",
  "linkid": "microsoft",
  "type": "Cyber Attack",
  "date": "9/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
```

```json
{
  "affected_entities": [
    {
      "industry": "Technology",
      "location": "Global (Targeted IP in Australia)",
      "name": "Microsoft",
      "size": "Large Enterprise",
      "type": "Cloud Service Provider"
    },
    {
      "industry": "Technology",
      "location": "Global",
      "name": "Cloudflare",
      "size": "Large Enterprise",
      "type": "Cloud/CDN Provider"
    },
    {
      "customers_affected": "500,000+ IP Addresses (Botnet Size)",
      "industry": "Multiple (Home Networks)",
      "location": ["United States", "Other Countries (Global)"],
      "name": "End Users of Compromised IoT Devices",
      "type": "Consumers/Residential Users"
    }
  ],
  "attack_vector": [
    "UDP Flood",
    "Compromised IoT Devices (Routers, IP Cameras, DVRs/NVRs)",
    "Exploitation of Firmware Update Server (TotoLink)"
  ],
  "customer_advisories": [
    "Users of affected IoT devices advised to update firmware and change default credentials.",
    "Azure/Cloudflare customers informed of mitigated attacks and ongoing monitoring."
  ],
  "description": "Microsoft disclosed that the Aisuru botnet executed a 15.72 Tbps DDoS attack on its Azure network, originating from over 500,000 IP addresses. The attack targeted a public IP in Australia with UDP floods reaching 3.64 billion packets per second (bpps). Aisuru, a Turbo Mirai-class IoT botnet, exploits vulnerabilities in home routers and cameras, primarily in the U.S. and other countries. The botnet was also linked to a 22.2 Tbps attack on Cloudflare in September 2025 and an 11.5 Tbps attack attributed by Qi'anxin’s XLab. Aisuru’s growth surged in April 2025 after compromising a TotoLink firmware update server, infecting ~100,000 devices. Cloudflare removed Aisuru-linked domains from its 'Top Domains' rankings after they distorted DNS query volumes, undermining trust in the system.",
  "impact": {
    "brand_reputation_impact": [
      "Potential Erosion of Trust in Cloudflare’s DNS Rankings",
      "Perception of Vulnerability in IoT Devices"
    ],
    "operational_impact": [
      "Disruption of Azure Services (Targeted IP)",
      "Distortion of Cloudflare’s DNS Query Volume Rankings",
      "Mitigation Efforts by Cloudflare and Microsoft"
    ],
    "systems_affected": [
      "Microsoft Azure Network (Public IP in Australia)",
      "Cloudflare DNS Service (1.1.1.1)",
      "Legitimate Domains in Cloudflare’s Top Rankings (e.g., Amazon, Microsoft, Google)"
    ]
  },
  "initial_access_broker": {
    "entry_point": [
      "Exploited Vulnerabilities in IoT Devices",
      "Compromised TotoLink Firmware Update Server"
    ],
    "high_value_targets": [
      "Public Cloud IPs (Microsoft Azure)",
      "DNS Services (Cloudflare 1.1.1.1)",
      "Firmware Update Infrastructure"
    ]
  },
  "investigation_status": "Ongoing (Mitigation Completed; Botnet Activity Persists)",
  "lessons_learned": [
    "IoT devices remain a critical attack vector for large-scale DDoS botnets.",
    "Firmware update servers (e.g., TotoLink) are high-value targets for botnet expansion.",
    "DNS query volume rankings can be manipulated by malicious traffic, requiring proactive redaction.",
    "Collaboration between cloud providers (Microsoft, Cloudflare) is essential for mitigating record-breaking attacks."
  ],
  "motivation": [
    "Disrupting Services",
    "Distorting DNS Rankings (Cloudflare 1.1.1.1)",
    "Undermining Trust in Public Rankings",
    "Potential Financial Gain or Competitive Sabotage"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Microsoft and Cloudflare enhanced DDoS mitigation capacities (e.g., 21.3M attacks blocked in 2024).",
      "Cloudflare modified ranking algorithms to exclude/hide malicious domains.",
      "Increased industry awareness of IoT botnet risks (e.g., Mirai-class threats).",
      "Potential ISP-level collaborations to disrupt Aisuru’s C2 infrastructure."
    ],
    "root_causes": [
      "Proliferation of insecure IoT devices with default/exploitable credentials.",
      "Lack of segmentation or monitoring for firmware update servers (e.g., TotoLink).",
      "Effectiveness of UDP floods with minimal spoofing in evading traditional defenses.",
      "Abuse of DNS query volumes to manipulate public rankings."
    ]
  },
  "recommendations": [
    "Strengthen IoT device security (e.g., router/camera firmware updates, default credential changes).",
    "Monitor and secure firmware update servers to prevent supply-chain-style compromises.",
    "Implement rate-limiting and anomaly detection for UDP traffic to mitigate volumetric DDoS attacks.",
    "Enhance transparency in public rankings (e.g., Cloudflare’s Top Domains) to account for malicious traffic distortion.",
    "Expand ISP-level enforcement to disrupt botnet command-and-control (C2) infrastructure."
  ],
  "references": [
    {"source": "Microsoft Azure Security Blog"},
    {"date_accessed": "April 2025", "source": "Cloudflare 2025 Q1 DDoS Report"},
    {"source": "Qi'anxin XLab Research"},
    {"source": "Brian Krebs (Infosec Journalist)"}
  ],
  "response": {
    "communication_strategy": [
      "Public Disclosure by Microsoft and Cloudflare",
      "Media Coverage by Infosec Journalists (e.g., Brian Krebs)"
    ],
    "containment_measures": [
      "Mitigation of UDP Flood Traffic",
      "Traceback and Enforcement by ISPs",
      "Redaction/Hiding of Malicious Domains in Cloudflare Rankings"
    ],
    "enhanced_monitoring": [
      "Increased DDoS Mitigation Capabilities (Cloudflare, Microsoft)"
    ],
    "incident_response_plan_activated": true,
    "remediation_measures": [
      "Cloudflare’s Adjustment of DNS Ranking Algorithm",
      "Removal of Aisuru-Linked Domains from Public Rankings"
    ]
  },
  "stakeholder_advisories": [
    "Microsoft Azure Customers",
    "Cloudflare Customers",
    "IoT Device Manufacturers (T-Mobile, Zyxel, D-Link, Linksys, TotoLink)"
  ],
  "threat_actor": "Aisuru Botnet Operators",
  "title": "Aisuru Botnet Launches Record-Breaking 15.72 Tbps DDoS Attack on Microsoft Azure",
  "type": [
    "DDoS Attack",
    "Botnet Activity",
    "Exploitation of IoT Vulnerabilities"
  ],
  "vulnerability_exploited": [
    "Security vulnerabilities in IP cameras",
    "DVRs/NVRs",
    "Realtek chips",
    "Routers from T-Mobile, Zyxel, D-Link, Linksys",
    "TotoLink router firmware update server"
  ]
}
```