AISURU is one of the most powerful and rapidly expanding botnets observed in recent years. With an estimated 300,000 compromised routers, DVRs, gateways, and IoT devices, it has played a central role in the unprecedented surge of global DDoS attack peaks in 2025, reaching up to 29.7 Tbps. AISURU’s technical sophistication, aggressive propagation methods, and continuous capability enhancements highlight the growing security risks posed by vulnerable consumer networking devices and IoT ecosystems.
Executive Summary
Since early 2025, AISURU has driven multiple record-breaking DDoS attacks, including the 29.7 Tbps incident recorded in September 2025. First emerging around 2024, the botnet has evolved into a highly advanced cybercriminal platform, combining large-scale supply-chain compromise with automated exploitation of N-day and 0-day vulnerabilities. Its architecture incorporates custom encryption, multi-layered command-and-control obfuscation, process masquerading, and anti-analysis features designed to ensure persistence and resilience.
AISURU operators exploit a broad range of vulnerabilities across various vendors, allowing the botnet to propagate globally at high speed. Once infected, devices are enrolled into an encrypted and obfuscated C2 infrastructure that supports high-volume DDoS attacks, residential proxy services, reverse shells, remote command execution, and continuous scanning for additional targets. Intelligence gathered from independent sources and XLab telemetry confirms that AISURU is well-organized, actively maintained, and steadily expanding its offensive capabilities. Its scale, adaptability, and operational maturity make AISURU one of the most significant IoT-based threats currently active worldwide.
Attack Methodology
AISURU employs a multi-phase, multi-vector attack chain designed for rapid propagation, stealthy operation, and overwhelming offensive capacity.
1. Initial Compromise
AISURU spreads through:
- Compromised router update servers
- Automated exploitation of N-day and 0-day vulnerabilities across routers, DVRs, gateways, and IoT devices
- Malicious shell scripts distributed via injected upgrade URLs
- High-frequency scanning and exploitation routines
2. Persistence & Anti-Analysis
The bot samples implement:
- VM and debugging tool detection (tcpdump, Wireshark, QEMU, VMware, etc.)
- OOM-killer evasion by modifying /proc/self/oom_score_adj
- Process masquerading (names like telnetd, udhcpc, ntpclient)
- File renaming to libcow.so to evade malware-killers used by competitor botnets
- Dynamically mapping .so libraries to appear legitimate
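The persistence traits listed above translate directly into host-side triage checks. The script below is an added example written for this article, not code from XLab or the botnet: it flags processes whose name matches one of the masqueraded utilities but whose binary lives outside the usual system directories, processes that lowered their own oom_score_adj, and processes mapping a libcow.so. The field names and the sample snapshot are constructed; collect_live() reads the same fields from a real Linux /proc.

```python
import os
from dataclasses import dataclass, field

# Names the report says the bot borrows, and where the genuine binaries normally live.
MASQUERADE_NAMES = {"telnetd", "udhcpc", "ntpclient"}
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

@dataclass
class Proc:
    pid: int
    comm: str           # /proc/<pid>/comm
    exe: str            # readlink /proc/<pid>/exe
    oom_score_adj: int  # /proc/<pid>/oom_score_adj
    maps: list = field(default_factory=list)  # file paths from /proc/<pid>/maps

def triage(p: Proc) -> list:
    """Return the AISURU-style indicators a single process exhibits (empty list = clean)."""
    hits = []
    # Masquerading: a utility name whose binary runs from /tmp, /var, or has been deleted.
    if p.comm in MASQUERADE_NAMES and not p.exe.startswith(TRUSTED_DIRS):
        hits.append("masquerade:%s@%s" % (p.comm, p.exe))
    # OOM-killer evasion: a negative adjustment asks the kernel to spare the process.
    # Some legitimate daemons do this too (e.g. via systemd), so review hits manually.
    if p.oom_score_adj < 0:
        hits.append("oom_score_adj=%d" % p.oom_score_adj)
    # Anti-competition trick described in the report: payload mapped as libcow.so.
    if any(m.endswith("libcow.so") for m in p.maps):
        hits.append("maps:libcow.so")
    return hits

def scan(procs) -> dict:
    """Map pid -> indicator list for every process with at least one hit."""
    return {p.pid: hits for p in procs if (hits := triage(p))}

def collect_live() -> list:
    """Build Proc records from a live Linux /proc (root needed to read other users' exe/maps)."""
    procs = []
    for d in filter(str.isdigit, os.listdir("/proc")):
        base = "/proc/" + d
        try:
            with open(base + "/comm") as f:
                comm = f.read().strip()
            with open(base + "/oom_score_adj") as f:
                adj = int(f.read())
            with open(base + "/maps") as f:
                maps = sorted({line.split()[-1] for line in f if "/" in line})
            procs.append(Proc(int(d), comm, os.readlink(base + "/exe"), adj, maps))
        except OSError:
            continue  # process exited or permission denied
    return procs

# Constructed snapshot for offline use (not real telemetry).
SAMPLE = [
    Proc(412, "udhcpc", "/sbin/udhcpc", 0, ["/lib/libc.so.6"]),
    Proc(1337, "telnetd", "/tmp/.x/telnetd (deleted)", -1000, ["/tmp/.x/libcow.so", "/lib/libc.so.6"]),
    Proc(2048, "ntpclient", "/var/tmp/ntpclient", 0, []),
]
```

Running `scan(collect_live())` on a suspect device gives the same dictionary for live processes; the snapshot shows the genuine udhcpc passing while the two impostors are flagged.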
3. Command-and-Control Communication
AISURU uses:
- Multi-layered C2 domain generation (subdomain splitting + obfuscated TXT records)
- Modified RC4 algorithm with custom S-box and keystream mutations
- XOR-based DNS TXT record decoding for C2 IP retrieval
- ChaCha20 (earlier versions) for initial key exchange
Message types include:
- DDoS attack commands
- Proxy service enablement
- Reverse shell
- Telnet scan reports
- Node speed benchmarking
4. Attack Execution
The botnet supports several DDoS vectors and continuously performs:
- Heartbeats to C2
- Randomized traffic tests
- Latency-based server selection for optimized throughput
AISURU nodes with higher bandwidth or better latency are flagged for more resource-intensive operations such as proxy services or high-volume DDoS bursts.
Exploited Vulnerabilities
| Vulnerability | Affected Vendor | Affected Devices / Products | CVSS/EPSS Score |
|---|---|---|---|
| AMTK-CAMERA-CMD-RCE | A-MTK | Camera | N/A |
| CVE-2013-1599 | D-Link | DCS-3411 (and other D-Link cameras) firmware | 9.8/92.11% |
| CVE-2013-3307 | Linksys | Linksys X3000 (E1000/E1200/E3200 series) | 8.3/4.58% |
| CVE-2013-5948 | T-Mobile | TM-AC1900 router | 8.5/38.49% |
| CVE-2017-5259 | Cambium Networks | cnPilot R190V (firmware) | 8.8/59.54% |
| CVE-2022-44149 | Nexxt | Nexxt router | 8.8/81.67% |
| CVE-2023-28771 | Zyxel | Zyxel ATP, USG FLEX, VPN, ZyWALL/USG firewall/VPN devices | 9.8/94.35% |
| CVE-2023-50381 | Realtek | rtl819x Jungle SDK v3.4.11 (embedded in devices) | 7.2/0.46% |
| LILIN-DVR-RCE | LILIN | DVR devices | N/A |
| CVE-2022-35733 | UNIMO | DVR UDR-JA1004 / JA1008 / JA101 (firmware) | 9.8/1.68% |
| CVE-2024-3721 | TBK | TBK DVR (e.g. DVR-4104 / DVR-4216) | 6.3/85.42% |
| CNPILOT-0DAY-RCE | Cambium Networks | cnPilot devices (unspecified firmware) | N/A |
| SANHUI-GATEWAY-DEBUG-PHP-RCE | SANHUI | Gateway Management Software | N/A |
| TVT-OEM-API-RCE | Shenzhen TVT | DVR (OEM/API) devices | N/A |
CVE-2023-28771 is an improper error message handling flaw in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35. It could allow an unauthenticated attacker to execute OS commands remotely by sending crafted packets to an affected device. This vulnerability carries a CVSS v3 score of 9.8, indicating critical severity.
Botnet Capabilities
DDoS Operations: Supports multi-vector high-volume attacks, with observed peaks at 5.8 Tbps, 11.5 Tbps, and 29.7 Tbps, leveraging ~300k nodes for extreme traffic bursts.
Proxy & Monetization Layer: Enables residential proxy services, speed-based node profiling, and uses dedicated proxy C2 relays across the US, UK, and EU.
Advanced Cryptography & Obfuscation: Utilizes custom RC4 with altered S-box, modified xxhash, XOR-decoded TXT records for C2 hiding, ChaCha20 in earlier builds, and encrypted displacement strings.
Anti-Competition Techniques: Detects and disables competitor malware (e.g., RapperBot), employs shared library mapping to evade kill-on-sight tools, and disguises processes as system utilities.
Remote Command Execution: Supports reverse shells, file download and execution, proxy relay setup, and automated telnet scanning and reporting.
Visual Flow
- Vulnerability Scan (Routers, DVRs, IoT)
- Exploit CVEs & 0-days
- Initial Infection (t.sh, firmware hijack)
- Anti-analysis, VM evasion, OOM bypass
- Persistence (Process masking, SO mapping)
- C2 Discovery (TXT + XOR)
- Encrypted C2 Communication (Modified RC4 / xxhash)
- Node Profiling (Speedtest, Latency, Load)
- DDoS Command (Up to 29.7 Tbps) / Proxy Mode (Residential) / Reverse Shell Access / Telnet Scan Reporting
Indicators of Compromise (IoCs)
Malicious Domains (C2 & Download Servers)
Proxy Relay C2 IPs
Known Malware Hashes
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
