Since early 2025, the cybersecurity community has witnessed an unprecedented surge in distributed denial-of-service (DDoS) bandwidth, culminating in a record-shattering 11.5 Tbps assault attributed to a botnet named AISURU.<\/p>\n
Emerging from XLab\u2019s continuous monitoring of global DDoS<\/a> incidents, this botnet leveraged compromised router firmware to amass approximately 300,000 active devices worldwide.<\/p>\n Researchers first detected unusual spikes of malicious traffic<\/a> targeting major infrastructure providers, prompting deeper investigation into the underlying threat.<\/p>\n XLab analysts noted striking similarities between AISURU\u2019s attack methodology and earlier campaigns, yet the scale and sophistication of this operation far surpassed previous benchmarks.<\/p>\n Propagation of AISURU began in April 2025 when threat actors exploited a vulnerability in Totolink router firmware update servers.<\/p>\n By altering the firmware URL to point to a malicious script, every device performing an automatic update became infected.<\/p>\n In a matter of weeks, the size of AISURU\u2019s network swelled to over 100,000 routers, and by September 2025, the botnet had consolidated around 300,000 nodes.<\/p>\n XLab researchers identified<\/a> the use of GRE tunneling to distribute traffic loads across multiple command-and-control (C2) servers, enabling the botnet to orchestrate a simultaneous flood of packets that overwhelmed target networks with ease.<\/p>\n The impact of the 11.5 Tbps attack was felt globally as service providers scrambled to mitigate the flood of SYN, UDP, and DNS amplification requests.<\/p>\n Affected organizations reported intermittent outages and service degradation, highlighting the potency of combining large-scale IoT compromise with advanced evasion techniques.<\/p>\n XLab analysts identified the rapid shift from traditional amplification vectors to custom-crafted packet sequences designed to bypass legacy mitigation tools, an innovation that allowed AISURU to set new world records in DDoS throughput.<\/p>\n While AISURU\u2019s distributed architecture and bandwidth capacity are staggering on their own, the malware\u2019s underlying behavior reveals a deeper level of technical refinement.<\/p>\n Its dual-version propagation engine demonstrates continuous evolution, integrating both zero-day exploits and known N-day vulnerabilities to expand its reach.<\/p>\n Equally concerning is its modular design, which facilitates swift updates to encryption, communication protocols, and attack commands without requiring a complete overhaul of the malware codebase.<\/p>\n Delving into AISURU\u2019s infection mechanism uncovers a deceptively simple yet devastating approach.<\/p>\n In April 2025, attackers breached Totolink\u2019s firmware update server, planting a shell script named Once executed, the script set up persistent execution by modifying The payload binary, renamed to Upon initialization, AISURU performs environment checks to terminate itself under virtualized or analysis environments by scanning for virtualization artifacts and debugging tools.<\/p>\n It then establishes a secure channel with C2 servers via a custom AES-XOR hybrid protocol, exchanging commands that range from DDoS instructions to residential proxy assignments.<\/p>\n One illustrative snippet of the persistence<\/a> routine follows:-<\/p>\n This mechanism underscores the threat actors\u2019 mastery over both traditional Linux administration and bespoke malware engineering<\/a>, enabling AISURU to maintain dominance in the DDoS ecosystem.<\/p>\n The post AISURU Botnet With 300,000 Hijacked Routers Behind The Recent Massive 11.5 Tbps DDoS Attack<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiswkUL3vn1-u91jX9bIP_tISZciJ213hemnEJhtjn9eEPQfjRU4jutUQXB6vS_wnQLC4-UbBkEbB0zwfUE_BPUWa_DtCfsB8su7EnoxYeWCbq64gYpSilYlNv-GVeqrMaWJBweD5PVrwvnGkvjMRe9UFi6n27747-_-thUIkM5gPD-o7JEw2yWWBKlqvM\/s16000\/Cloudflare%2520Mitigates%252011.5%2520Tbps%2520DDoS%2520Attack%2520%28Source%2520-%2520XLab%29.webp?ssl=1\")
Infection Mechanism: Firmware Update Hijacking<\/strong><\/h2>\n
t.sh<\/code> that redirected devices to download the AISURU payload.<\/p>\n\/etc\/rc.local<\/code> entries and disabling the Linux OOM Killer via \/proc\/self\/oom_score_adj<\/code>, ensuring the bot remained resident across reboots.<\/p>\nlibcow.so<\/code>, avoided detection by masquerading as a common system daemon such as telnetd<\/code> or dhclient<\/code>.<\/p>\n# Persistence setup in \/etc\/rc.local\necho \"\/usr\/lib\/libcow.so &\" >> \/etc\/rc.local\nchmod +x \/usr\/lib\/libcow.so<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiGbEb3aZtEWR_W0Us0-2fFvBgDMWo-OsS8YUwQZ6ecty7aGebf7t5F6VOekf_iNLP2c1DdutihIjK51FKTdNzaG21IMPYosOxqopuajmjUZ4CylESkZUktY9lYdeDp7mwax9gHRhcPfBrhVqg7duGzHL2kJRQQg4hmtlXSq3L8W4jQtnv4jbgCCdV0TfM\/s16000\/Malicious%2520script%2520%28Source%2520-%2520Xlab%29.webp?ssl=1\")
Free live\u00a0webinar\u00a0on new malware tactics from our analysts! Learn advanced detection techniques ->\u00a0Register for Free<\/a><\/code><\/strong><\/p>\n