Stopped abuser
Found that since 7-Nov-2019, CPU load has been over 90% – almost constantly – as well that buffered IO and, in a lesser extent, direct IO followed the same trend, but memory wasn’t involved:
Found it was caused by two accesses from the same address (188.213.49.139, given Whois likely a hacked system in Romania) constantly accessing xmlrpc.php in WordPress.
This one blocked in WASD:
if (remote-addr:188.213.49.139)
fail /*
endif
and CPU load dropped immediately.
Network 188.213.49.0/24 blocked in the router.