The AISURU botnet, first disclosed by XLab in 2024, has rapidly become one of the most dangerous forces in the DDoS landscape. In 2025 alone, it was linked to multiple record-breaking attacks, including a staggering 11.5 Tbps assault mitigated by Cloudflare. What began as a DDoS-focused botnet has now evolved into a multi-purpose criminal infrastructure, expanding into residential proxy services.
XLab's researchers explain, "Since 2025, peak bandwidth for global DDoS attacks has repeatedly broken historical records, rising from 3.12 Tbps at the start of the year to a staggering 11.5 Tbps recently. In multiple high-impact or record-breaking attack incidents, we consistently observed a botnet named AISURU operating behind the scenes."
The group behind AISURU, made up of three operators codenamed Snow, Tom, and Forky, gained notoriety by exploiting vulnerabilities in consumer networking devices. In April 2025, Tom breached a Totolink router firmware update server, hijacking update requests to distribute malware. As XLab notes, "This intrusion rapidly increased AISURU's scale, surpassing 100,000 devices in a short time."
By mid-year, the botnet had grown to nearly 300,000 active nodes, many of them home routers spread across China, the U.S., Germany, the U.K., and Hong Kong.

AISURU has cultivated a notorious reputation, partly due to its operators' brashness. The report describes them as "flamboyant, often launching highly destructive attacks on ISPs under the pretext of 'for fun.'"
They have also clashed with rival botnets such as Rapperbot, fighting over control of vulnerable devices. AISURU samples even mocked competitors with embedded taunts, including a decrypted message that read: "tHiS mOnTh At qiAnXin shitlab a NeW aisurU vErSiOn hIt oUr bOtMoN sYsTeM dOiNg tHe CHAaCha sLiDe."
AISURU has continuously updated its malware with sophisticated encryption, obfuscation, and evasion techniques. Recent versions employ:
- Modified RC4 algorithms for communication encryption.
- Anti-VM and anti-debugging checks (detecting Wireshark, VMware, VirtualBox, etc.).
- Process name spoofing to masquerade as benign Linux daemons like telnetd and dhclient.
- Out-of-Memory Killer evasion to prolong runtime.
These measures make AISURU harder to analyze and remove, ensuring its resilience across a massive device pool.
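Two of the tricks listed above, daemon-name spoofing and OOM-killer evasion, leave traces in /proc that a defender can check: a process that rewrites its argv[0] or comm still has a /proc/<pid>/exe link pointing at the real binary, and OOM exemption shows up as oom_score_adj=-1000. The scanner below is an added example, not XLab's code or anything from the botnet; the expected binary paths and the two sample processes it builds are assumptions constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Daemons the report says AISURU impersonates, and where their real binaries normally live (assumption: typical Linux layout).
EXPECTED_EXE = {"telnetd": ("/usr/sbin/telnetd", "/usr/sbin/in.telnetd"),
                "dhclient": ("/sbin/dhclient", "/usr/sbin/dhclient")}

def _read(path: Path) -> str:
    try:
        return path.read_text(errors="replace")
    except OSError:  # process exited, kernel thread, or no permission
        return ""

def scan_proc(proc_root: str = "/proc") -> list[dict]:
    """Flag processes whose displayed name or OOM setting looks like evasion."""
    findings = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        comm = _read(entry / "comm").strip()
        argv0 = _read(entry / "cmdline").split("\0")[0]  # the name `ps` shows
        claimed = os.path.basename(argv0) or comm
        try:  # rewriting argv[0] or comm does not change the exe link
            exe = os.readlink(entry / "exe")
        except OSError:
            exe = ""
        reasons = []
        if claimed in EXPECTED_EXE and exe and not exe.startswith(EXPECTED_EXE[claimed]):
            reasons.append(f"claims to be {claimed} but exe is {exe}")
        if _read(entry / "oom_score_adj").strip() == "-1000":
            reasons.append("oom_score_adj=-1000 (exempt from the OOM killer)")
        if reasons:
            findings.append({"pid": int(entry.name), "comm": comm,
                             "exe": exe, "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])

def build_fake_proc() -> str:
    """Constructed stand-in for /proc: an honest dhclient and a spoofed 'telnetd'."""
    root = tempfile.mkdtemp()
    samples = {101: ("/sbin/dhclient", "/sbin/dhclient", "0"),      # legitimate daemon
               102: ("telnetd", "/tmp/.cache/bot.elf", "-1000")}   # placeholder path
    for pid, (argv0, exe, oom) in samples.items():
        d = Path(root, str(pid))
        d.mkdir()
        (d / "comm").write_text(os.path.basename(argv0) + "\n")
        (d / "cmdline").write_text(argv0 + "\0")
        (d / "oom_score_adj").write_text(oom + "\n")
        os.symlink(exe, d / "exe")  # dangling link is fine: readlink never follows it
    return root
```

Against a live /proc the scan needs root to read other users' exe links, and oom_score_adj=-1000 is also set legitimately by some system daemons (sshd on many distributions), so treat hits as triage leads rather than verdicts.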
While AISURU's early notoriety came from massive DDoS floods, including an 11.5 Tbps event in September 2025, the botnet has since expanded into the proxy service business.
XLab highlights the shift: "Clearly, AISURU is no longer satisfied with a single DDoS business model and is branching into proxy services to monetize its large node pool."
By leveraging compromised routers with strong bandwidth, AISURU operators now offer residential proxy capabilities, a lucrative service in high demand for anonymity and bypassing geo-restrictions.
The scale and adaptability of AISURU demonstrate the growing convergence of DDoS botnets and proxy services. Not only can attackers rent AISURU for destructive traffic floods, but they can also exploit its infrastructure for stealthier operations, including fraud, credential stuffing, and cyberespionage.