AISURU Botnet Fuels Record-Breaking 11.5 Tbps DDoS Attack With 300,000 Hijacked Routers


The newly identified AISURU botnet, leveraging an estimated 300,000 compromised routers worldwide, has been pinpointed as the force behind a record-shattering 11.5 Tbps distributed denial-of-service (DDoS) attack in September 2025.

This unprecedented assault eclipses the previous 5.8 Tbps peak seen earlier in the year and underscores a dangerous escalation in botnet scale and sophistication.

First disclosed by XLab in August 2024, AISURU reemerged in March 2025 when XLab’s Cyber Threat Insight and Analysis System (CTIA) began capturing fresh samples.

According to an anonymous insider, the group is led by three operators codenamed Snow (botnet development), Tom (vulnerability research), and Forky (botnet sales).

Cloudflare Mitigates 11.5 Tbps DDoS Attack.

In April 2025, Tom orchestrated the compromise of a Totolink router firmware update server by planting a malicious script (t.sh) that redirected devices to download AISURU malware.

Within weeks, the botnet swelled past 100,000 nodes, ultimately peaking at approximately 300,000 infected routers worldwide.

XLab’s CTIA offers strong visibility into AISURU’s infrastructure, encompassing sample collection, command-and-control (C2) servers, and attack telemetry.

Cross-referencing leaked screenshots of the botnet management panel—showing over 30,000 Chinese nodes among 300,000 total—and Cloudflare mitigation logs helped validate the insider’s claims and establish AISURU’s culpability in several record-breaking attacks.

Propagation and Attack Statistics

AISURU samples exploit a diverse array of vulnerabilities to propagate. While most infections spread via publicly known “N-day” flaws, the botnet continues to leverage a zero-day in Cambium Networks’ cnPilot routers first observed in June 2024.

Rose to rank 672,588 globally within one month, proving the AISURU group’s infection campaign was highly successful.


Vulnerabilities abused include CVE-2017-5259 (Cambium Networks), CVE-2023-28771 (Zyxel devices), CVE-2023-50381 (Realtek Jungle SDK), and numerous DVR and gateway flaws dating back to 2013.

This broad vulnerability canvas allows AISURU to infiltrate a wide spectrum of router and IoT devices.

Attack data reveals daily DDoS campaigns targeting hundreds of organizations across China, the United States, Germany, the United Kingdom, and Hong Kong without discernible sector bias.

DDoS attack trends.
Geographic distribution of victims.

Notably, AISURU conducted a 5.8 Tbps onslaught that Cloudflare mitigated in April and later ramped up to 11.5 Tbps in September by amplifying traffic through GRE tunnels configured on four C2 IPs (151.242.2.22–25) and hijacked devices worldwide.

Technical Insights

Analysis of AISURU’s Version 2 bot sample exposes advanced anti-analysis and evasion measures.

On startup, the malware scans process names and hardware identifiers—for example, “wireshark,” “VirtualBox,” and “QEMU”—and exits if detected to thwart dynamic inspection. It disables Linux’s OOM Killer by writing “-1000” to /proc/self/oom_score_adj, ensuring persistent execution even under memory pressure.

To resist rival botnet “kill” tactics, the binary maps shared libraries from /lib/, renames itself to libcow.so, and obfuscates its process name as common daemons like “telnetd” and “dhclient”.

Encryption routines also diverge from standard implementations. AISURU’s modified RC4 algorithm employs a fixed key (“PJbiNbbeasddDfsc”), introduces custom perturbations during initialization, and integrates a bespoke keystream generation process that blends seed-based state changes with bitwise operations.

This variant decrypts command strings and communication keys far more resiliently than vanilla RC4, as demonstrated by a taunting post-decryption message embedded in the sample.


C2 extraction retains the legacy method of decoding TXT records via XOR (abandoning previous ChaCha20 usage), splitting decrypted strings on ‘|’ and ‘,’ to enumerate subdomains.
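The TXT-record decoding step described above, written as an analyst's config-extraction helper (added example, not XLab's code or the bot's own routine). The XOR key and the hex transport encoding are assumptions; the write-up publishes neither, so substitute the values recovered from the sample under analysis.

```python
import re
import string

# Placeholder key: the write-up does not publish the XOR key, so substitute the
# one recovered from the sample you are analysing.
XOR_KEY = b"PLACEHOLDER_XOR_KEY"
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$", re.I)

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def extract_c2_hosts(txt_payload_hex: str, key: bytes = XOR_KEY) -> list[str]:
    """Decode one TXT-record payload and list the C2 subdomains it carries.
    Assumption: the record holds the XOR output hex-encoded (the write-up
    does not state the transport encoding)."""
    try:
        raw = bytes.fromhex(txt_payload_hex.strip())
    except ValueError:
        return []
    plain = xor_bytes(raw, key)
    # A wrong key or a junk record decodes to non-printable bytes: reject it early.
    if not all(chr(b) in string.printable for b in plain):
        return []
    hosts: list[str] = []
    # The bot splits the decrypted string on '|' and ',' to enumerate subdomains.
    for field in re.split(r"[|,]", plain.decode("ascii")):
        field = field.strip().lower()
        if field and HOSTNAME_RE.match(field) and field not in hosts:
            hosts.append(field)
    return hosts

def build_sample_record(hosts_string: str, key: bytes = XOR_KEY) -> str:
    """Constructed test input: encode a '|'/','-separated host list the assumed way."""
    return xor_bytes(hosts_string.encode("ascii"), key).hex()
```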

Recent builds also incorporate an optional network speed test module—leveraging Speedtest endpoints—to report node performance metrics back to C2, facilitating the recruitment of high-bandwidth proxies for future campaigns.

AISURU’s rapid growth, multi-vector propagation, and sophisticated evasion techniques position it as one of the most formidable botnets in history.

Security teams should prioritize patching known router vulnerabilities, monitor anomalous GRE tunnel establishment, and scrutinize DNS-TXT record anomalies to detect and disrupt AISURU’s operations.
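Detection logic for the host and network indicators quoted in this article (the -1000 OOM-score write, daemon-name masquerading from /lib/ and libcow.so, GRE traffic to the listed C2 addresses, and opaque DNS TXT answers), as an added example that is not part of the original report. The key=value log format, the sample events, and the sshd and GRE-peer allowlists are constructed placeholders to be adapted to a real EDR, NetFlow or DNS export.

```python
import ipaddress
import re
# Indicators taken from the write-up; the log format is constructed for this
# example, so adapt parse() to your own EDR / NetFlow / DNS export.
MASQUERADE_NAMES = {"telnetd", "dhclient"}   # daemon names the bot imitates
KNOWN_C2 = {ipaddress.ip_address(f"151.242.2.{n}") for n in range(22, 26)}
ALLOWED_GRE_PEERS = set()                    # placeholder: your legitimate tunnel endpoints
OOM_ADJ_ALLOWLIST = {"sshd"}                 # placeholder: daemons that legitimately pin -1000

def parse(line: str) -> dict:
    """Turn one 'key=value key=value ...' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list means clean)."""
    hits, kind = [], ev.get("type")
    if kind == "proc_write":
        comm, exe = ev.get("comm", ""), ev.get("exe", "")
        if (ev.get("path") == "/proc/self/oom_score_adj" and ev.get("data") == "-1000"
                and comm not in OOM_ADJ_ALLOWLIST):
            hits.append("oom_killer_disabled")
        # A genuine telnetd/dhclient never runs out of /lib/ or from a .so file.
        if comm in MASQUERADE_NAMES and (exe.startswith("/lib/") or exe.endswith("libcow.so")):
            hits.append("daemon_name_masquerade")
    elif kind == "flow" and ev.get("proto") == "47":   # IP protocol 47 = GRE
        dst = ipaddress.ip_address(ev["dst"])
        if dst in KNOWN_C2:
            hits.append("gre_to_known_aisuru_c2")
        elif not dst.is_private and dst not in ALLOWED_GRE_PEERS:
            hits.append("unexpected_gre_peer")
    elif kind == "dns" and ev.get("qtype") == "TXT":
        # Long, hex-only TXT answers look like encoded config, not SPF/DKIM text.
        if re.fullmatch(r"[0-9a-fA-F]{32,}", ev.get("answer", "")):
            hits.append("opaque_txt_record")
    return hits

def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run every rule over the log and keep only the events that fired."""
    return [(ev["id"], hits) for ev in map(parse, lines) if (hits := check_event(ev))]

# Constructed sample log: events 1, 3 and 5 mimic the behaviour described above.
SAMPLE_LOG = [
    "id=1 type=proc_write comm=dhclient exe=/lib/libcow.so path=/proc/self/oom_score_adj data=-1000",
    "id=2 type=proc_write comm=sshd exe=/usr/sbin/sshd path=/proc/self/oom_score_adj data=-1000",
    "id=3 type=flow src=192.168.1.1 dst=151.242.2.22 proto=47",
    "id=4 type=flow src=192.168.1.1 dst=192.168.1.2 proto=47",
    "id=5 type=dns qname=cfg.example.test qtype=TXT answer=" + "ab" * 24,
    "id=6 type=dns qname=example.test qtype=TXT answer=v=spf1",
]
```

Running `scan(SAMPLE_LOG)` flags events 1, 3 and 5 and leaves the legitimate sshd write, the internal GRE flow and the SPF record alone.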


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.