Here's the current state of the Aisuru botnet saga:

Record-breaking attacks throughout 2025: Aisuru hit KrebsOnSecurity with a 6.35 Tbps attack in May 2025, then shattered that record days later with a blast exceeding 11 Tbps. By late September, it was publicly flexing DDoS capabilities topping 22 Tbps. (Krebs on Security) Cloudflare reported attacks peaking at 29.7 Tbps and 14.1 billion packets per second in Q3 2025. (Cloudflare) Most recently, the botnet launched a 31.4 Tbps attack, with the potential attack size growing by over 700% within a single year (2025-2026). (Cloudflare)

The infrastructure damage: On October 8, 2025, nearly 29.6 Tbps of DDoS packets temporarily disrupted major online gaming platforms. The bulk of the botnet's muscle came from compromised home routers, IP cameras, and DVRs hosted under leading US ISPs like AT&T, Comcast, Verizon, T-Mobile, and Charter. (CSO Online)

When Aisuru launches attacks, the volume of outgoing traffic from infected systems on these ISPs is often so high that it disrupts or degrades Internet service for adjacent (non-botted) customers. Multiple broadband access network operators experienced significant operational impact from outbound attack traffic exceeding 1 Tbps, and high-throughput attacks resulted in chassis-based router line card failures. (Krebs on Security)

How it got so big: In April 2025, an operator known as "Tom" successfully breached a Totolink router firmware update server and set the firmware upgrade URL to download and execute a malicious script. This means any Totolink router that performed the update could be infected, rapidly increasing Aisuru's scale to surpass 100,000 devices in a short time. (Qianxin)

Who's running it: Multiple sources say Aisuru is operated by three cybercriminals: "Snow" (botnet development), "Tom" (finding vulnerabilities), and "Forky" (botnet sales). Forky is identified as a 21-year-old man from São Paulo, Brazil who has been extremely active in the DDoS-for-hire scene since at least 2022. (Krebs on Security)

The business model shift: Aisuru's operators recently updated their malware so that compromised devices can more easily be rented to residential proxy providers, allowing paying customers to route their Internet communications through someone else's device. (Krebs on Security) Chunks of the botnet are monetized by distributors as botnet-for-hire (DDoS-as-a-service) sold over Discord and Telegram channels for as low as tens of dollars up to thousands, depending on attack size and duration. (Cloudflare)

Current state: In Q3 2025 alone, Cloudflare mitigated 1,304 hyper-volumetric attacks launched by Aisuru, representing a 54% increase quarter-over-quarter. Since the start of 2025, Cloudflare has mitigated 2,867 Aisuru attacks. (Cloudflare)

The Aisuru/Kimwolf connection you mentioned earlier is that Kimwolf is essentially the "Android variant" of Aisuru, using Aisuru's core DDoS functionality but specialized to infect and operate within the Android ecosystem, comprising approximately 2 million devices globally. (Cloudflare)

It's basically become the apex predator of botnets right now.