The Aisuru/Kimwolf botnet launched the largest known DDoS attack, reaching a peak of 31.4 terabits per second (Tbps). The massive campaign, known as “The Night Before Christmas”, began on December 19, 2025, hitting Cloudflare’s infrastructure and customers with high-volume DDoS attacks. It featured record-bandwidth Layer 4 attacks and HTTP floods exceeding 200 million requests per second.
The “Night Before Christmas” attack raised the DDoS threat level significantly, exceeding the record of 29.7 Tbps set by the same Aisuru botnet in September 2025.
The campaign used hacked Android TV devices to create massive traffic, relying on millions of unofficial streaming boxes.

The 31.4 Tbps peak would exceed the capacity of most DDoS mitigation providers. Competitors like Akamai Prolexic (20 Tbps), Netscout Arbor Cloud (15 Tbps), and Imperva (13 Tbps) could experience bandwidth utilization rates of 150-240%.
Attack Distribution and Characteristics:
The attack involved many smaller strikes that showed careful planning by the botnet operators.
Analysis revealed that 90.3% of attacks peaked between 1-5 Tbps, 5.5% hit 5-10 Tbps, and only 0.1% surpassed 30 Tbps. Regarding packet rates, 94.5% generated 1-5 billion packets per second (Bpps), 4% peaked at 5-10 Bpps, and 1.5% reached 10-15 Bpps.

Attack patterns favored quick, intense bursts to overwhelm defenses before any countermeasures could be activated. Only 9.7% of attacks lasted under 30 seconds, 27.1% lasted 30-60 seconds, and the majority, 57.2%, lasted 60-120 seconds.
Only 6% of attacks lasted over two minutes, indicating that botnet operators preferred quick strikes instead of prolonged efforts.
The campaign clearly targeted critical infrastructure and high-value sectors. Gaming companies were hit hardest, facing 42.5% of the hyper-volumetric attacks, while Information Technology and Services organizations accounted for 15.3%.
Telecom companies made up 2.2% of targets, while internet service providers, gambling operations, and software firms were the other main targets.
Attacks were concentrated on key internet hubs and economic centers. The U.S. experienced 30.8% of all major network-layer attacks, making it the top target, followed by China with 7.7% and Hong Kong with 3.2%.

Attack Infrastructure Sources:
In Q4 2025, the origins of online attacks changed significantly. Bangladesh became the top source of DDoS attacks, replacing Indonesia, which fell to third place. Ecuador ranked second, and Argentina improved by 20 spots to fourth.
Significant attack sources were Hong Kong (5th), Ukraine (6th), Vietnam (7th), Taiwan (8th), Singapore (9th), and Peru (10th). Russia dropped five ranks to tenth, and the U.S. fell four spots to sixth.
Analysis of attack sources showed that threat actors mainly used cloud computing platforms and telecom networks.
Cloud providers like DigitalOcean, Microsoft, Tencent, Oracle, and Hetzner were primary sources of attacks, making up 50% of the top 10 networks and highlighting the risk of easily accessible virtual machines being used for large-scale attacks.
Traditional telecom providers in the Asia-Pacific region, especially from Vietnam, China, Malaysia, and Taiwan, were the main sources. During the “Night Before Christmas” campaign, Cloudflare showed its strength, with 449 Tbps of mitigation capacity at 330 locations.
InfoSecBulletin Cybersecurity for mankind
