Aisuru Rising: Inside the 22.2 Tbps DDoS Botnet

The Aisuru botnet is currently one of the most powerful DDoS botnets in existence. It is distinguished by its capacity to launch record-shattering Distributed Denial of Service (DDoS) attacks, repeatedly breaking global bandwidth records throughout 2025. Aisuru leverages a massive, globally distributed network of compromised devices, primarily home routers and cameras, to generate devastating traffic surges. Its operators are known for high-volume UDP floods, and the botnet has recently evolved to offer residential proxy services, signifying a dual monetization strategy beyond DDoS-for-hire.

Severity: High

Overview And Key Statistics

Name: Aisuru (also referred to as Airashi in some intelligence)
Classification: Turbo Mirai-class IoT botnet
Botnet Size: Over 300,000 devices infected globally, with a rapid increase observed in April 2025
Primary Goal: Launching high-bandwidth DDoS attacks and providing proxy functionality via infected nodes
Motivation: Often acts flamboyantly, launching highly destructive attacks “for fun”

Major Attack Incidents

AISURU is linked to some of the largest DDoS attacks recorded, frequently leveraging extremely high-rate UDP floods.

  1. 22.2 Tbps DDoS Attack (Record-Breaking): Cloudflare mitigated an attack that peaked at a record-breaking 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps) in September 2025. While Cloudflare did not share details about this specific attack, AISURU has been active in setting new records.
  2. 15.72 Tbps DDoS Attack on Azure: On October 24, 2025, Azure DDoS Protection neutralized a multi-vector attack measuring 15.72 Tbps and nearly 3.64 billion packets per second (Bpps), the largest DDoS attack ever observed in the cloud; it targeted a single endpoint in Australia. This attack originated from the Aisuru botnet.
  3. 11.5 Tbps DDoS Attack: Cloudflare mitigated a massive 11.5 Tbps and 5.1 Bpps attack in September 2025. XLab research attributed this attack to the Aisuru botnet.

Threat Actors And Operations

The Aisuru group is operated by three key figures who previously worked on the CatDDoS botnet:

  • Snow – Developer of the botnet and malware
  • Tom – Exploit specialist (0-Day and N-Day)
  • Forky – Handles botnet monetization and sales

The group has earned a poor reputation in the DDoS community due to their erratic behavior, including cheating people in business, targeting innocent companies, and launching highly destructive attacks on ISPs “just because it was fun”.

Initial Infection And Target Devices

The botnet achieved its rapid growth in April 2025 when the operator Tom successfully breached a Totolink router firmware update server and set the upgrade URL to download and execute a malicious script. This single intrusion allowed the botnet to surpass 100,000 devices.

Infected devices, primarily comprised of compromised home routers and cameras from residential ISPs, include:

  • Routers: Totolink, T-Mobile, Zyxel, D-Link, Linksys, Nexxt Router.
  • Cameras/DVRs/NVRs: A-MTK Camera, D-Link DCS-3411, LILIN DVR, UNIMO DVR, TBK DVR, Shenzhen TVT DVR.
  • Other: Cambium Networks cnPilot routers (exploiting a 0-day vulnerability) and devices with Realtek rtl819x chips.

Advanced Features

  • Proxy-as-a-Service: Nodes tested for speed and repurposed for residential proxy operations
  • Anti-Analysis Techniques:
    • Virtualization detection (VMware, QEMU, VirtualBox)
    • Process name cloaking (telnetd, ntpclient, etc.)
    • oom_score_adj manipulation (pinning the process to the lowest value) so the kernel's OOM killer never terminates the bot
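The two host-side tricks listed above (borrowed process names and a pinned oom_score_adj) leave traces in /proc that a defender can check. The triage script below is an added example, not code from the advisory; the expected system directories are an assumption for typical BusyBox-style firmware, and the sample process records are constructed.

```python
"""Triage for the cloaking tricks listed above: a process whose comm says
telnetd/ntpclient but whose binary lives elsewhere, or whose oom_score_adj is
pinned to -1000 so the OOM killer never reclaims it."""
import os
from dataclasses import dataclass

CLOAK_NAMES = {"telnetd", "ntpclient"}          # names the advisory lists
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")  # assumed firmware layout
PINNED_OOM = -1000                              # lowest legal value: "never kill"

@dataclass
class Proc:
    pid: int
    comm: str     # /proc/<pid>/comm, what ps shows
    exe: str      # readlink(/proc/<pid>/exe)
    oom_adj: int  # /proc/<pid>/oom_score_adj

def assess(p: Proc) -> list[str]:
    """Reasons this process looks like a cloaked bot; empty list if clean."""
    reasons = []
    if p.comm in CLOAK_NAMES and not p.exe.startswith(SYSTEM_DIRS):
        reasons.append(f"comm {p.comm!r} but exe is {p.exe!r}")
    if p.oom_adj <= PINNED_OOM:
        reasons.append(f"oom_score_adj pinned to {p.oom_adj}")
    return reasons

def collect_procs() -> list[Proc]:
    """Live processes from /proc; empty list on non-Linux hosts."""
    procs = []
    for d in (os.listdir("/proc") if os.path.isdir("/proc") else []):
        if d.isdigit():
            try:
                procs.append(Proc(int(d),
                    open(f"/proc/{d}/comm").read().strip(),
                    os.readlink(f"/proc/{d}/exe"),
                    int(open(f"/proc/{d}/oom_score_adj").read())))
            except OSError:
                pass  # process exited or permission denied
    return procs

# Constructed records: a genuine NTP client, a cloaked bot, a pinned unknown.
SAMPLE = [Proc(412, "ntpclient", "/usr/sbin/ntpclient", 0),
          Proc(911, "telnetd", "/tmp/.x/arm7", -1000),
          Proc(930, "httpd", "/tmp/h", -1000)]

def triage(procs=SAMPLE) -> dict[int, list[str]]:
    return {p.pid: r for p in procs if (r := assess(p))}

if __name__ == "__main__":
    for pid, why in triage(collect_procs() or SAMPLE).items():
        print(pid, "; ".join(why))
```

Run on the device itself it walks /proc; anywhere else it falls back to the constructed records.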

Command And Control (C2)

  • The botnet uses a modified RC4 algorithm with the static key PJbiNbbeasddDfsc to decrypt strings and communication keys.
  • The samples use encrypted DNS TXT records, decoding them with base64 + XOR (a change from earlier base64 + ChaCha20) to obtain C2 IP addresses.
  • In addition to DDoS attacks, the new samples support executing commands, a reverse shell, and proxy functionality. A network speed test feature is used to identify high-quality nodes, likely to be used for residential proxy services.
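An added illustration of the TXT-record scheme just described (not code from the advisory or the botnet): a decoder that joins the TXT character-strings, reverses base64 then XOR, and keeps only well-formed IPv4:port pairs. The XOR key and the sample record are constructed, since the advisory does not give the real key.

```python
"""Decoder for the base64 + XOR DNS TXT scheme described above. DEMO_KEY and
SAMPLE_TXT are constructed for illustration; the botnet's key is not on the page."""
import base64
import binascii
import ipaddress
import re

DEMO_KEY = b"demo-xor-key"  # constructed, not the botnet's key

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_txt(c2: str, key: bytes = DEMO_KEY) -> list[str]:
    """Build what such a TXT record would carry (used only for the sample)."""
    blob = base64.b64encode(xor_bytes(c2.encode(), key)).decode()
    # DNS TXT data is a sequence of <=255-byte character-strings; split accordingly
    return [blob[i:i + 255] for i in range(0, len(blob), 255)]

def decode_txt(strings: list[str], key: bytes = DEMO_KEY) -> list[tuple[str, int]]:
    """Reverse the encoding and return only valid IPv4:port pairs, so decoy or
    unrelated TXT records (SPF, verification tokens) yield nothing."""
    try:
        plain = xor_bytes(base64.b64decode("".join(strings), validate=True), key)
    except (ValueError, binascii.Error):
        return []
    found = []
    for m in re.finditer(rb"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", plain):
        ip, port = m.group(1).decode(), int(m.group(2))
        try:
            ipaddress.IPv4Address(ip)   # rejects octets > 255
        except ValueError:
            continue
        if 0 < port < 65536:
            found.append((ip, port))
    return found

# Constructed record: two endpoints using RFC 5737 documentation addresses.
SAMPLE_TXT = encode_txt("192.0.2.10:1337;198.51.100.7:443")

if __name__ == "__main__":
    print(decode_txt(SAMPLE_TXT))  # [('192.0.2.10', 1337), ('198.51.100.7', 443)]
```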

Recommendations

  1. Utilize high-capacity cloud-based DDoS protection services (like Cloudflare Magic Transit or Azure DDoS Protection) that can handle Terabit-scale volumetric attacks.
  2. Since Aisuru primarily uses high-rate UDP floods, implement strict rate limiting and filtering for non-essential UDP ports.
  3. Immediately patch all public-facing routers, firewalls, and network appliances (especially those known targets like Totolink, Zyxel, Cambium Networks cnPilot) to close N-day and 0-day exploitation windows.
  4. For all routers, IP cameras, DVRs, and NVRs, immediately change the default administrative credentials to strong, unique passwords.
  5. Routinely check for and apply firmware updates for all IoT devices, especially routers and cameras. Crucially, avoid automatic updates if the update server has a history of compromise (like the Totolink case).
  6. If possible, block or monitor traffic from regions known for infected Aisuru nodes (e.g., China, HK).
  7. Block the IoCs published in the VirusTotal collection below at the relevant controls (perimeter firewall, DNS filtering, endpoint protection):
    https://www.virustotal.com/gui/collection/00ad0f3ad52d65d2d2ad08537fa6bcfcee9c1cddb7e17308d70360e0f99b518d/iocs

Ampcus Cyber