Massive L7 DDoS botnet expands to 5.76M devices, Qrator Labs reports

On September 1, 2025, Qrator.AntiDDoS detected and mitigated another large-scale attack carried out by the largest L7 DDoS botnet observed to date. The target was an organization in the government sector. In total, 5.76 million IP addresses were blocked during the incident.

Qrator Labs has been monitoring this botnet for several months. The first attack, recorded on March 26, targeted an organization in the online betting sector. It involved about 1.33 million IP addresses, mostly from Brazil, Argentina, Russia, Iraq, and Mexico.

A second incident followed on May 16, this time hitting an organization in the government sector, with the botnet already grown to 4.6 million devices. Most of the traffic originated from IP addresses in Brazil, the United States, Vietnam, India, and Argentina.

By September, the botnet had expanded even further. The third attack, once again aimed at the government sector, mobilized 5.76 million IP addresses. The incident unfolded in two stages: roughly 2.8 million IP addresses were engaged in the first wave, and about an hour later another 3 million were added.

The largest share of malicious traffic still came from Brazil (1.41M), Vietnam (661K), the United States (647K), India (408K), and Argentina (162K). Over the three months between incidents, the steepest growth in the number of devices participating in the botnet was observed in Vietnam (+83%) and India (+202%).

“When targeting unprotected or poorly protected resources, a DDoS botnet of this scale can generate tens of millions of requests per second, overwhelming servers within minutes. What’s more, not every DDoS protection provider is capable of withstanding such a massive attack, which means the availability of all their clients’ resources could be at risk simultaneously,” said Andrey Leskin, CTO at Qrator Labs.