TurboMirai
TurboMirai is a class of Mirai-like, DDoS-capable IoT botnet malware associated with record-breaking, multi-terabit-per-second distributed denial-of-service activity observed in 2025. Reporting cited TurboMirai as a major driver of new DDoS peaks, and describes related botnets such as Aisuru as part of this class. TurboMirai-class botnets are capable of attacks exceeding 20 Tbps and have been linked to hyper-volumetric attacks, including activity in the AISURU/Kimwolf ecosystem. Observed attack methods include UDP, TCP, GRE, and DNS query flooding, as well as HTTP application-layer DDoS; reports also note pseudo-randomization of ports and TCP flags, carpet-bombing, and both high-bandwidth and high-packet-rate floods. These botnets have been described as incorporating additional dedicated DDoS capabilities and multi-use functions beyond classic Mirai behavior, including credential stuffing, AI-based web scraping, phishing, spamming, and residential proxy services. The botnet population associated with this class is primarily composed of compromised consumer-grade routers, CCTV cameras, DVRs, customer-premises equipment, and other devices running similar OEM firmware; related ecosystem reporting also links Android botnet activity via Kimwolf, especially Android TV boxes. Aisuru, a related TurboMirai botnet, has been described as a DDoS-for-hire service that mainly targeted online gaming platforms and also caused major disruption to broadband providers through infected customer devices, while large attacks in late 2025 primarily targeted telecommunications, service providers, carriers, gaming, and generative AI services. Akamai also linked TurboMirai-driven DDoS activity to severe impacts on the financial sector, especially banking, where attacks were reported to have grown substantially in duration and volume. Netscout noted that many observed TurboMirai/Aisuru attacks were direct-path and non-spoofed, likely because the malware does not run in privileged processes and many source networks enforce source-address validation, which can aid traceback and remediation.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Impact
2 techniques
Impact
Artificial Intelligence-powered bots and hacktivists bombarded financial services with denial-of-service attacks at record volume and duration in 2025. Network and transport layer DDoS attacks on financial services lasted 738% longer, and the number of these attacks reached 2.41 billion.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A botnet associated with driving record DDoS attack volume and duration against the financial sector, including large-scale multi-terabit-per-second attacks.
Referenced as a botnet lineage/type used for comparison; the content implies Aisuru is similar to TurboMirai-style botnets with enhanced DDoS and multi-use criminal functionality.
TurboMirai is a botnet used for DDoS attacks, related to the Aisuru botnet, and is the subject of mitigation and suppression efforts.
A class of Mirai-reminiscent IoT botnet malware characterized by increased attack traffic per node and multi-use capabilities beyond DDoS (e.g., credential stuffing, scraping, phishing, spamming), sometimes including residential proxy services. Observed attacks are often direct-path and may lack spoofing, aiding traceback when SAV is present.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.