On November 18, 2025, Microsoft disclosed the largest cloud DDoS attack ever recorded, Kenya confirmed recovery from a major government website defacement, and researchers detailed a new “EVALUSION” malware campaign. Together, these stories show just how fast the global cyber threat landscape is escalating.
- Microsoft Azure neutralized a 15.72 Tbps DDoS attack on October 24, the largest cloud DDoS ever publicly reported, powered by the Aisuru IoT botnet using more than 500,000 compromised devices. [1]
- Kenya’s government websites were defaced with extremist messages on November 17, briefly knocking multiple ministries offline before services were restored and monitoring tightened. [2]
- A new EVALUSION phishing and malware operation is abusing the “ClickFix” technique to install Amatera Stealer and NetSupport RAT, giving attackers powerful data theft and remote-control capabilities. [3]
- Collectively, the incidents highlight three converging trends: weaponized consumer IoT, vulnerable public-sector digital infrastructure, and increasingly sophisticated social-engineering campaigns.
Azure vs. a 15.72 Tbps “Data Tsunami”
Microsoft has confirmed that on October 24, 2025, its Azure cloud platform automatically detected and mitigated a multi‑vector distributed denial-of-service (DDoS) attack peaking at 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). The attack targeted a single public endpoint in Australia, but was fully absorbed by Azure’s DDoS protection systems, with no reported customer downtime. [4]
In a technical blog post, Microsoft describes the event as “the largest DDoS attack ever observed in the cloud,” emphasizing that the scale was enabled by a rapidly expanding pool of high‑bandwidth home internet connections and insecure IoT devices. [5]
Security outlets including PCMag, Tom’s Hardware, The Register, BleepingComputer, Security Affairs, Network World and The Hacker News have since echoed the “largest-ever” characterization, citing the same Microsoft figures and describing the traffic volume as roughly comparable to millions of simultaneous HD video streams. [6]
How the Aisuru Botnet Turned IoT Devices into a DDoS Superweapon
Microsoft and subsequent reports attribute the attack to Aisuru, described as a “Turbo Mirai-class” IoT botnet built from compromised:
- Home and small‑office routers
- IP cameras and DVR/NVR devices
- Other vulnerable consumer and SOHO equipment
Aisuru’s operators exploit known security flaws in devices from multiple vendors and even compromised a router firmware update server earlier this year, allowing them to mass‑infect additional hardware. [7]
Key technical details from Microsoft and independent reporting include: [8]
- Peak size: 15.72 Tbps and ~3.64 billion pps
- Source: More than 500,000 unique IP addresses across several regions
- Method: Extremely high‑rate UDP flood traffic with minimal spoofing and randomized source ports
- Target: A single Azure public IP address in Australia
- Impact: No customer workloads were taken offline, according to Microsoft
Crucially, this is not Aisuru’s first record-breaking strike. Earlier in 2025, Cloudflare linked the same botnet to a 22.2 Tbps DDoS attack – at the time, the largest on record – and to another incident that hit 11.5 Tbps while the botnet controlled around 300,000 devices. [9]
In other words, the October Azure attack is part of a pattern, not a one‑off outlier.
What Azure Did Right
In its postmortem, Microsoft says Azure’s global DDoS infrastructure automatically detected and filtered the attack, routing malicious traffic away from customer workloads and dropping it at the network edge. [10]
A few design choices helped:
- Globally distributed scrubbing capacity – multiple regions share the load
- Automated detection and mitigation, so there’s no need for manual intervention once thresholds are crossed
- Traffic characteristics (very little spoofing, random source ports) actually made traceback and provider enforcement easier, according to Microsoft. [11]
Even so, Microsoft is warning customers not to be complacent, urging organizations to:
- Ensure all internet-facing workloads are onboarded to DDoS protection
- Conduct regular attack simulations
- Validate runbooks, contacts, and escalation paths before holiday‑season traffic spikes
Kenyan Government Websites Defaced, Then Brought Back Online
While Azure was withstanding a data tsunami, Kenya faced a very different kind of incident.
On Monday, November 17, 2025, multiple Kenyan government websites – including key ministries and state agencies – were defaced with extremist, white‑supremacist messaging and rendered unavailable for several hours. [12]
According to reporting from Recorded Future News, local outlets and official statements: [13]
- A group identifying itself as “PCP@Kenya” is suspected of carrying out the attack.
- Compromised or disrupted sites reportedly included the Interior, Health, Education, Labour, Energy and Water ministries, as well as agencies like the Directorate of Criminal Investigations (DCI), the Immigration Department, Government Press, the Hustler Fund portal and the State House website.
- Some core services, such as the eCitizen portal and the National Transport and Safety Authority (NTSA) site, remained accessible, preventing a complete digital shutdown.
Kenya’s Interior Ministry and Principal Secretary Dr. Raymond Omollo said services have since been restored, with systems now under continuous monitoring and multi-agency incident response teams investigating the breach. Authorities are still assessing whether any sensitive government data was accessed as part of the intrusion. [14]
The incident follows earlier large‑scale disruption, including a 2023 attack linked to a Sudanese hacker group and a major DDoS campaign that struck the country’s eCitizen platform. Analysts say it underscores how government digitalization initiatives often outpace their underlying security investment and governance.
EVALUSION: A New ClickFix Campaign Delivering Amatera Stealer and NetSupport RAT
The third major development highlighted today by CISO Series’ “Cyber Security Headlines” is a newly documented malware campaign dubbed EVALUSION. [15]
Research from eSentire, The Hacker News and Cyber Security News shows that EVALUSION abuses the increasingly popular “ClickFix” social engineering tactic to trick users into infecting their own systems. [16]
How ClickFix Works in This Campaign
Instead of sending a traditional attachment, attackers lure victims to fake CAPTCHA or security-check pages. There, users are told they must:
- Press Win + R to open the Windows Run dialog, and
- Paste and execute a specific command to “fix” an issue or pass a verification step. [17]
Behind the scenes, that command launches a multi-stage infection chain:
- mshta.exe and PowerShell are leveraged to fetch a .NET-based downloader hosted on a public file-sharing service. [18]
- The downloader is protected with commercial obfuscation and packing tools, and pulls down a payload encrypted with RC2.
- That payload is a PureCrypter-packed DLL containing Amatera Stealer, which injects into legitimate Windows processes such as MSBuild.exe. [19]
Once active, Amatera Stealer:
- Targets browsers, crypto-wallets, messaging apps, FTP clients and email clients
- Uses WoW64 SysCalls and other tricks to evade anti‑virus and EDR products
- Exfiltrates sensitive data via encrypted channels to attacker-controlled servers [20]
In many cases, Amatera then pulls down NetSupport RAT, a remote-access tool that gives attackers hands-on-keyboard control of infected machines. If the malware determines a device is not part of a domain and doesn’t hold assets like crypto wallets, it may skip installing NetSupport, focusing effort on higher-value targets. [21]
The EVALUSION campaign appears to be active throughout November 2025, and researchers warn that the same ClickFix methodology is being reused in other phishing operations delivering a wide range of stealers and RATs.
One Day, Three Stories – One Direction of Travel
At first glance, the Azure DDoS, Kenyan government defacements, and EVALUSION ClickFix campaign look like separate events:
- One is a massive infrastructure‑level DDoS against a cloud provider
- One is a website takeover targeting a national government
- One is a targeted phishing-and-stealer campaign aimed at individual users and organizations
But taken together, they paint a clear picture of where cyber risk is headed:
- Scale is exploding. A single botnet can now push more than 15 Tbps of traffic at one endpoint, with room to grow. [22]
- Public institutions are in the crosshairs. As Kenya digitalizes services, attackers see high-impact opportunities with strong political and social signalling. [23]
- Human factors remain a critical weak point. EVALUSION doesn’t rely on a zero‑day exploit; it relies on convincing people to run a command they don’t fully understand. [24]
The through-line: attackers are combining bandwidth, automation and social-engineering at industrial scale.
What Organizations Should Do Now
1. For Cloud and Enterprise Teams: Stress-Test DDoS Readiness
Given the Azure incident, security leaders should assume that 15+ Tbps attacks will become more common, not less.
Practical steps:
- Verify DDoS coverage for all public endpoints (including test and legacy systems), not just front-door web apps.
- Work with your cloud provider or ISP to understand scrubbing capacity, SLAs and fail‑open vs. fail‑closed behaviors.
- Run tabletop exercises based on the Azure incident:
- What if a single IP or region is saturated for 30+ minutes?
- How will you communicate with customers and regulators?
- Make sure logging, metrics, and alerts for sudden spikes in UDP traffic are tuned and integrated with your SOC.
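The UDP spike alerting described above, as an added example that is not Microsoft's or Azure's tooling: it aggregates constructed per-second flow summaries and alerts when a destination's UDP packet rate jumps far above its own recent median, reporting source IP and source port diversity (the randomized-port, many-source pattern of the Aisuru flood) as supporting evidence. Flow records, thresholds and addresses are constructed for illustration.

```python
"""Baseline-relative UDP flood detector over per-second flow summaries.

Added example, not Azure's DDoS protection logic. Flow records below are
constructed: (second, proto, dst_ip, src_ip, src_port, packets).
"""
from collections import defaultdict
from statistics import median

# Constructed flows: three quiet seconds, then a many-source UDP burst.
FLOWS = [
    (0, "udp", "203.0.113.10", "198.51.100.1", 53, 800),
    (0, "tcp", "203.0.113.10", "198.51.100.2", 44321, 300),
    (1, "udp", "203.0.113.10", "198.51.100.1", 53, 900),
    (2, "udp", "203.0.113.10", "198.51.100.3", 123, 700),
    (3, "udp", "203.0.113.10", "198.51.100.4", 51111, 500_000),
    (3, "udp", "203.0.113.10", "198.51.100.5", 62222, 500_000),
    (3, "udp", "203.0.113.10", "198.51.100.6", 7777, 500_000),
    (3, "udp", "203.0.113.10", "198.51.100.7", 8888, 500_000),
]

def udp_pps_by_second(flows):
    """Aggregate UDP packets, source IPs and source ports per (second, dst)."""
    buckets = defaultdict(lambda: {"pps": 0, "src_ips": set(), "src_ports": set()})
    for sec, proto, dst, src_ip, src_port, pkts in flows:
        if proto != "udp":
            continue  # the article's attack was a pure UDP flood
        b = buckets[(sec, dst)]
        b["pps"] += pkts
        b["src_ips"].add(src_ip)
        b["src_ports"].add(src_port)
    return buckets

def detect_udp_spikes(flows, factor=20, min_pps=100_000):
    """Alert when a second's UDP pps is >= factor x the median of earlier
    seconds for the same destination and above an absolute floor (so idle
    endpoints with a tiny baseline do not alert on ordinary traffic)."""
    buckets = udp_pps_by_second(flows)
    history = defaultdict(list)  # dst -> list of earlier per-second pps
    alerts = []
    for (sec, dst) in sorted(buckets):
        b = buckets[(sec, dst)]
        baseline = median(history[dst]) if history[dst] else 0
        if b["pps"] >= min_pps and baseline and b["pps"] >= factor * baseline:
            alerts.append({"second": sec, "dst": dst, "pps": b["pps"],
                           "baseline_pps": baseline,
                           "unique_src_ips": len(b["src_ips"]),
                           "unique_src_ports": len(b["src_ports"])})
        history[dst].append(b["pps"])
    return alerts
```

In production the same logic would run over exported flow or packet-counter metrics per protected prefix, with the factor and floor tuned to each endpoint's normal UDP volume.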
2. For Governments and Critical Infrastructure: Harden the Public Face
The Kenyan incident is a warning shot for any public-sector organization that hosts high-visibility portals.
Short-term priorities:
- Conduct rapid external attack-surface mapping – catalogue every domain and subdomain, including those managed by third‑party contractors.
- Enforce strong authentication and change-control for CMS access, DNS changes and hosting accounts.
- Deploy WAFs and modern content security controls where possible, even on information-only sites.
- Establish clear incident-response playbooks for defacement:
- Takedown and containment
- Forensic image capture
- Public communications (avoiding amplifying extremist messaging)
Longer term, governments should invest in centralized security governance, shared SOC capabilities and common baselines for agencies and ministries.
3. For Everyone: Defend Against ClickFix and EVALUSION-Style Phishing
Because ClickFix relies on users entering commands manually, it can bypass many traditional attachment filters and URL defenses.
Mitigations:
- Awareness training: Teach staff that any instruction to open the Windows Run dialog and paste a command – especially from web pages or unsolicited emails – is a major red flag.
- Application control: Where feasible, restrict or monitor high‑risk binaries such as mshta.exe and PowerShell, particularly for non‑IT users.
- EDR and logging: Ensure endpoint telemetry can:
- Flag suspicious PowerShell execution chains
- Detect abuse of process injection into unusual hosts like MSBuild.exe
- Browser isolation and URL rewriting to reduce exposure from compromised sites and phishing pages.
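The two EDR checks listed above, as an added example that is not eSentire's or any EDR vendor's detection logic: it walks constructed process-creation events (Sysmon Event ID 1 style fields: pid, ppid, image, command line) and flags PowerShell with mshta.exe in its ancestry, and MSBuild.exe launched by a parent that is not a known build tool, MSBuild.exe being the host the article names for Amatera's injection. The pids, image names and command lines are constructed placeholders, and the allowlist of build-tool parents is an assumption to tune per environment.

```python
"""Process-lineage checks for the ClickFix chain described in the article.

Added example, not a vendor's detection. Events are constructed; the
command lines are placeholders, not real lure commands.
"""

EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "mshta.exe",      "cmdline": "mshta.exe https://files.example.test/page"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe -Command <placeholder>"},
    {"pid": 400, "ppid": 300, "image": "loader.exe",     "cmdline": "loader.exe"},
    {"pid": 500, "ppid": 400, "image": "MSBuild.exe",    "cmdline": "MSBuild.exe"},
    {"pid": 600, "ppid": 100, "image": "devenv.exe",     "cmdline": "devenv.exe"},
    {"pid": 700, "ppid": 600, "image": "MSBuild.exe",    "cmdline": "MSBuild.exe app.sln"},
]

# Assumed allowlist: parents from which MSBuild.exe is expected on a dev box.
BUILD_TOOL_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "cmd.exe"}

def ancestry(events, pid):
    """Return lower-cased image names from pid up to the root, child first.
    The seen-set guards against cyclic or reused pids in the event set."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def detect_clickfix_chains(events):
    """Apply both rules; return (rule, pid, 'child <- parent <- ...') tuples."""
    findings = []
    for e in events:
        chain = ancestry(events, e["pid"])
        image = chain[0]
        # Rule 1: PowerShell anywhere under mshta.exe, the chain ClickFix used here.
        if image == "powershell.exe" and "mshta.exe" in chain[1:]:
            findings.append(("powershell_from_mshta", e["pid"], " <- ".join(chain)))
        # Rule 2: MSBuild.exe whose direct parent is not a build tool.
        if image == "msbuild.exe" and (len(chain) < 2 or chain[1] not in BUILD_TOOL_PARENTS):
            findings.append(("msbuild_unexpected_parent", e["pid"], " <- ".join(chain)))
    return findings
```

The lineage string in each finding is what an analyst would want in the alert, since the parent chain (browser or explorer to mshta.exe to PowerShell) is the ClickFix fingerprint rather than any single binary.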
Security teams should also watch for indicators tied to Amatera Stealer, PureCrypter and NetSupport RAT as these tools continue to appear in varied campaigns. [25]
FAQ: Azure DDoS, Aisuru Botnet and EVALUSION
How big is a 15.72 Tbps DDoS attack?
Very big. At 15.72 Tbps, attackers are pushing more data every second than many national ISPs handled in total backbone traffic just a few years ago. It’s enough bandwidth to rival millions of simultaneous HD video streams, all focused on a single target. [26]
Did the Azure DDoS cause downtime for customers?
Microsoft says its DDoS protection successfully absorbed the attack without disrupting customer workloads, thanks to automated detection and global scrubbing capacity. Independent outlets have not reported significant Azure outages directly tied to this event. [27]
What exactly is the Aisuru botnet?
Aisuru is a large-scale IoT botnet built from hacked routers, cameras and other internet-connected devices. Researchers classify it as an evolution of Mirai‑style botnets, but operating at much higher bandwidth and sophistication. It has been linked to multiple record‑breaking DDoS attacks in 2025, including peaks of 22.2 Tbps. [28]
Are the Kenyan and Azure attacks related?
There is no public evidence that the Azure DDoS and the Kenyan government website defacements are connected. The two incidents appear to involve different techniques, targets and threat actors, but they are part of the same broader trend of increasingly aggressive cyber operations. [29]
What is the EVALUSION campaign trying to achieve?
EVALUSION is primarily focused on data theft and long-term access. Amatera Stealer aims to collect credentials, financial data and crypto assets, while NetSupport RAT gives attackers persistent remote control over infected systems. Together, they can enable account takeover, fraud, espionage and further lateral movement within organizations. [30]
As of November 18, 2025, the picture is clear: whether you run a global cloud, a national government, or a small business, massive DDoS floods, politically charged defacements and stealthy phishing campaigns are now part of the same daily threat stream. The defenders who keep up will be the ones who assume that today’s “record-breaking” attack is simply tomorrow’s new normal.
References
1. techcommunity.microsoft.com
2. therecord.media
3. thehackernews.com
4. techcommunity.microsoft.com
5. techcommunity.microsoft.com
6. startupnews.fyi
7. www.bleepingcomputer.com
8. techcommunity.microsoft.com
9. www.bleepingcomputer.com
10. techcommunity.microsoft.com
11. techcommunity.microsoft.com
12. therecord.media
13. therecord.media
14. therecord.media
15. cisoseries.com
16. thehackernews.com
17. thehackernews.com
18. thehackernews.com
19. thehackernews.com
20. thehackernews.com
21. thehackernews.com
22. techcommunity.microsoft.com
23. therecord.media
24. thehackernews.com
25. thehackernews.com
26. techcommunity.microsoft.com
27. techcommunity.microsoft.com
28. www.bleepingcomputer.com
29. techcommunity.microsoft.com
30. thehackernews.com