The availability of AI tools is behind a record-breaking increase in the use of DDoS botnets, according to Qrator Labs.
Cybercriminals are increasingly using AI, with a recent report from Darktrace revealing 78% of CISOs say AI-powered threats are already having a significant impact on their organizations.
Earlier this summer, NetScout warned that the use of AI assistants and chatbots was starting to 'democratize' DDoS attacks by allowing lower-level hackers and those lacking technical expertise to wage highly effective attacks.
According to Qrator, this is really starting to show, as AI tools become more readily available, enhancing the effectiveness of automated attacks.
The Qrator research reveals a shift in the location of bot networks, too. The researchers put this down to accelerated digitalization in developing regions, resulting in a surge of devices with low cybersecurity awareness and numerous vulnerabilities.
Brazil has recently overtaken Russia and the US as the largest source of application-layer (L7) DDoS attacks, now accounting for 19% of all malicious traffic observed in the third quarter of this year.
Vietnam, meanwhile, has shown the fastest growth, climbing from 15th to fourth place in just one year.
In one example this month, the company recorded an attack by a multi-million-device botnet that it has been tracking for six months. This network is made up of 5.76 million infected devices, most of which were located in Brazil, Vietnam, the US, India, and Argentina.
“The sheer number of vulnerable devices is nothing new – we’ve seen this before in previous years. What has changed in 2025 is that attackers can now find and capture them much faster and more efficiently, thanks to AI,” said Andrey Leskin, chief technology officer at Qrator Labs.
“To put it in perspective, last year, the largest DDoS botnet we recorded included around 227,000 devices. As you can see, using AI tools, attackers have increased the scale by about 25 times in just one year.”
During the third quarter, DDoS attacks most frequently targeted the fintech sector, which accounted for 26% of attacks. Ecommerce was next, at 22%, followed by media at 16%, and information and communication at 15%.
The most intensive L3-L4 DDoS attack of the quarter was aimed at the eCommerce sector, peaking at 1.15 Tbps – slightly higher than the 2024 record of 1.14 Tbps.
Meanwhile, the longest bot attack took place on 4 September, also targeting the eCommerce sector and lasting 14 hours and 33 minutes.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Critical networks face unprecedented threat as DDoS attacks are getting shorter and more intense
- Application layer DDoS attacks are skyrocketing – here's why
- How to recover from a DDoS attack – and what they can teach businesses
-
Pure Storage’s expanded partner ecosystem helps fuel Q3 growthNews The data storage vendor has announced a 16% year-over-year revenue hike in its latest earnings report, driven by continued channel and product investment
-
Partners have been ‘critical from day one’ at AWS, and the company’s agentic AI drive means they’re more important than everNews The hyperscaler is leaning on its extensive ties with channel partners and systems integrators to drive AI adoption
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
