The AISURU Botnet: Powering the Largest DDoS Attack in History
The newly emerged AISURU botnet has powered the largest recorded DDoS assault to date, peaking at 11.5 Tb/s. This surge shattered the spring record of 5.8 Tb/s and underscored how rapidly threats tied to the compromise of network devices are escalating. QiAnXin XLab researchers estimate the botnet comprises roughly 300,000 routers worldwide.
AISURU was first profiled by XLab in summer 2024, and in March 2025 their CTIA systems began to capture fresh malware variants. An internal source told investigators the operation is run by three operators: Snow, responsible for building the infrastructure; Tom, who hunts for vulnerabilities; and Forky, who handles the commercial side. In April 2025 Tom managed to inject a malicious script, t.sh, into a Totolink update server, triggering a mass infection that swelled the botnet to 100,000 nodes within weeks and later to some 300,000.
XLab obtained control-panel data showing, among other details, more than 30,000 infected devices in China. Correlating that telemetry with Cloudflare data confirmed AISURU's role in the record-setting attacks. To push attack throughput higher, the operators routed traffic through GRE tunnels terminating on four command hubs, which is how the botnet reached its peak of 11.5 Tb/s.
The botnet spreads by exploiting a broad catalogue of flaws in networking gear: CVE-2017-5259 in Cambium devices, CVE-2023-28771 in Zyxel equipment, CVE-2023-50381 in Realtek Jungle SDK, alongside numerous legacy vulnerabilities in DVRs and gateways. Moreover, operators continue to leverage a 0-day in Cambium cnPilot routers first observed in 2024. That arsenal has allowed them to compromise hundreds of thousands of home and enterprise routers worldwide.
According to XLab, AISURU conducts attacks daily, affecting organizations across China, the United States, Germany, the United Kingdom and Hong Kong. Targets appear random — there is no clear industry focus. The botnet produced a 5.8 Tb/s wave in spring and nearly doubled its capacity by autumn.
A technical review of AISURU's second iteration reveals substantial investment in stealth. The malware detects analysis tools such as Wireshark and virtualized environments and halts execution if they are present. To stay resident on memory-constrained routers, it disables the Linux OOM killer so that it is not the process terminated when memory runs short. The process disguises itself as libcow.so and masquerades as routine system services, for example telnetd or dhclient. Its communications employ a modified RC4 variant with a fixed key, "PJbiNbbeasddDfsc", plus additional initialization steps that complicate decryption; because the key is hard-coded, anyone who extracts it from a sample can decrypt the traffic of every bot, so the extra initialization steps are the only thing standing between an analyst and the C2 protocol.
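The process masquerading and OOM-killer tricks above leave traces on the infected host that a defender can check from /proc: a process whose name (`/proc/<pid>/comm`) claims to be telnetd or dhclient but whose `/proc/<pid>/exe` points somewhere other than a system binary directory, or into a scratch directory, or to a file that has since been unlinked, and a process that has set `/proc/<pid>/oom_score_adj` to -1000. The following is an added example written for this page, not code from XLab or from the malware; the trusted and scratch directory lists are assumptions about a typical Linux layout, the `SAMPLE` snapshot is constructed, and the `--live` flag is this script's own. Note that some legitimate daemons (sshd, udevd) also set -1000, so that signal alone is corroborating, not conclusive.

```python
from __future__ import annotations
import os
from dataclasses import dataclass

# Names the article says the AISURU process hides behind.
MASQUERADE_NAMES = {"telnetd", "dhclient", "libcow.so"}

# Where a legitimately installed daemon's binary would live. This is an
# assumption about a typical Linux/OpenWrt-style layout; tune it per firmware.
TRUSTED_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/lib/", "/lib/")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

@dataclass
class Proc:
    pid: int
    comm: str            # /proc/<pid>/comm (the name ps shows)
    exe: str             # readlink(/proc/<pid>/exe), '' if unreadable
    oom_score_adj: int   # /proc/<pid>/oom_score_adj; -1000 = never OOM-killed

def findings(p: Proc) -> list[str]:
    out = []
    if p.comm in MASQUERADE_NAMES and not p.exe.startswith(TRUSTED_BIN_DIRS):
        out.append(f"claims to be {p.comm!r} but runs from {p.exe or '<unreadable exe>'}")
    if p.exe.endswith(" (deleted)"):
        out.append("binary was unlinked after launch")
    if p.exe.startswith(SCRATCH_DIRS):
        out.append("binary lives in a world-writable scratch directory")
    if p.oom_score_adj <= -1000:
        out.append("OOM killer disabled for this process (oom_score_adj=-1000)")
    return out

def scan(procs) -> dict[int, list[str]]:
    """pid -> findings, for processes with at least one finding."""
    return {p.pid: f for p in procs if (f := findings(p))}

def read_proc(root: str = "/proc"):
    """Snapshot live processes. Run as root: /proc/<pid>/exe is otherwise unreadable."""
    for name in os.listdir(root):
        if not name.isdigit():
            continue
        base = os.path.join(root, name)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "oom_score_adj")) as f:
                adj = int(f.read().strip() or 0)
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = ""          # kernel thread, or permission denied
            yield Proc(int(name), comm, exe, adj)
        except (OSError, ValueError):
            continue              # process exited mid-scan

# Constructed sample snapshot (not from a real infected device).
SAMPLE = [
    Proc(200, "dhclient", "/usr/sbin/dhclient", 0),
    Proc(77, "sshd", "/usr/sbin/sshd", -1000),
    Proc(1234, "telnetd", "/tmp/.x/libcow.so (deleted)", -1000),
    Proc(300, "libcow.so", "/var/tmp/libcow.so", 0),
]

if __name__ == "__main__":
    import sys
    procs = read_proc() if "--live" in sys.argv else SAMPLE
    for pid, why in scan(procs).items():
        print(f"pid {pid}: " + "; ".join(why))
```

On the constructed snapshot the script reports pid 1234 with all four findings, pid 300 with two, and sshd only for the OOM adjustment; dhclient, running from /usr/sbin, is clean. On a real router compare the output against the firmware's own process list rather than trusting the names alone.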
Command-and-control remains embedded in DNS: the botnet fetches instructions from DNS TXT records, XOR-decodes them, and splits longer payloads across multiple subdomains so that each query carries one fragment. Recent builds add a Speedtest-check module so operators can select the nodes with the greatest upstream bandwidth for future assaults.
AISURU’s combination of rapid growth, multi-vector exploitation, and advanced concealment techniques makes it one of the most potent botnets on record. Researchers urge network administrators to promptly update router firmware, monitor for anomalous GRE-tunnel creation, and scrutinize unusual DNS TXT records to stem the spread of this threat.
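The two host- and network-side checks recommended above, scrutinizing DNS TXT traffic and watching for GRE tunnels, can be scripted. The following is an added example written for this page, not XLab's tooling: it flags TXT lookups whose payload is split across numbered sibling subdomains (the chunking described above) or whose data is opaque rather than the key=value syntax of SPF, DKIM and DMARC, and it lists GRE-family interfaces with a concrete remote peer from `ip -d link show` output. The DNS log format, the `c2-example.test` zone, the `IP_LINK_D` sample and the entropy threshold are all constructed assumptions.

```python
from __future__ import annotations
import math
import re
from collections import defaultdict

# Constructed sample DNS log, not real telemetry. Format (an assumption):
# "<epoch> <client> <qtype> <qname> <rdata>". The *.c2-example.test rows
# imitate a chunked TXT channel; the example.org rows are ordinary SPF/DMARC.
DNS_LOG = """\
1700000000 10.0.0.5 A   cdn.example.net 93.184.216.34
1700000001 10.0.0.9 TXT 0.p3yq.c2-example.test 7kS9xV3mL0qZp8Wn2Rd4Tj6Hb1Yc5Fg9Ks
1700000001 10.0.0.9 TXT 1.p3yq.c2-example.test mA7dQ2zX9cR4vB8nL1pK6jH3gF5sW0eT
1700000002 10.0.0.9 TXT 2.p3yq.c2-example.test Z5yU8iO1pA4sD7fG0hJ3kL6zX9cV2bN
1700000003 10.0.0.7 TXT _dmarc.example.org v=DMARC1;p=reject;rua=mailto:dmarc@example.org
1700000004 10.0.0.7 TXT example.org v=spf1 include:_spf.example.org -all
"""

# Constructed `ip -d link show` output (not from a real infected device).
# gre0 is the kernel's fallback device present whenever ip_gre is loaded and
# has no concrete peer; tun7 is a configured tunnel to a remote host.
IP_LINK_D = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0 promiscuity 0 minmtu 0 maxmtu 0
    gre remote any local any ttl inherit nopmtudisc
4: tun7@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/gre 10.0.0.9 peer 203.0.113.50 promiscuity 0 minmtu 0 maxmtu 0
    gre remote 203.0.113.50 local 10.0.0.9 ttl inherit
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking payloads score near log2(#symbols)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_dns_log(text: str):
    recs = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname, rdata = line.split(maxsplit=4)
            recs.append((int(ts), client, qtype.upper(), qname.lower().rstrip("."), rdata))
    return recs

def suspicious_txt(records, min_chunks: int = 3, entropy_threshold: float = 4.5):
    """Parent zone -> reasons. Signals: payload split across numbered sibling
    subdomains, and opaque TXT data lacking the key=value syntax of SPF/DKIM/DMARC."""
    numbered = defaultdict(set)
    reasons = defaultdict(set)
    for _, _, qtype, qname, rdata in records:
        if qtype != "TXT":
            continue
        first, _, parent = qname.partition(".")
        if first.isdigit():
            numbered[parent].add(int(first))
        if "=" not in rdata and shannon_entropy(rdata) >= entropy_threshold:
            reasons[parent].add("high-entropy TXT data without key=value syntax")
    for parent, idx in numbered.items():
        if len(idx) >= min_chunks:
            reasons[parent].add(f"{len(idx)} numbered sibling subdomains (chunked payload)")
    return dict(reasons)

def gre_tunnels(ip_link_output: str):
    """(iface, remote, local) for GRE-family links that have a concrete peer."""
    found, iface = [], None
    for line in ip_link_output.splitlines():
        head = re.match(r"^\d+:\s+([^:@\s]+)", line)
        if head:
            iface = head.group(1)
            continue
        m = re.search(r"\b(?:gre|gretap|ip6gre)\s+remote\s+(\S+)\s+local\s+(\S+)", line)
        if m and iface and m.group(1) != "any":
            found.append((iface, m.group(1), m.group(2)))
    return found

def unexpected_gre(ip_link_output: str, allow: frozenset = frozenset()):
    """Tunnels not on the operator's allowlist of known interface names."""
    return [t for t in gre_tunnels(ip_link_output) if t[0] not in allow]

if __name__ == "__main__":
    for zone, why in suspicious_txt(parse_dns_log(DNS_LOG)).items():
        print(f"TXT  {zone}: {'; '.join(sorted(why))}")
    for iface, remote, local in unexpected_gre(IP_LINK_D):
        print(f"GRE  {iface}: {local} -> {remote}")
```

Feed `unexpected_gre` the live output of `ip -d link show` (or alert on netlink RTM_NEWLINK events for `gre` link types if you want creation-time detection rather than polling), and populate `allow` with the tunnels your network legitimately runs. The entropy threshold is deliberately paired with the key=value check: DMARC and DKIM records score surprisingly high on entropy alone, so neither signal should fire by itself.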