In early 2025, the cybersecurity landscape was shaken by an unprecedented distributed denial-of-service (DDoS) attack, reaching a staggering 11.5 terabits per second (Tbps). This colossal assault was orchestrated by a botnet named AISURU, which had commandeered approximately 300,000 routers worldwide. The attack’s magnitude and sophistication underscored the evolving threats in the digital realm.
Emergence and Detection
The AISURU botnet came to light through XLab’s continuous monitoring of global DDoS incidents. Analysts observed unusual spikes in malicious traffic targeting major infrastructure providers, prompting a thorough investigation. While AISURU’s attack methods bore similarities to previous campaigns, its scale and complexity were unparalleled.
Propagation Mechanism
The botnet’s rapid expansion began in April 2025 when cybercriminals exploited a vulnerability in Totolink router firmware update servers. By redirecting the firmware update URL to a malicious script, every device performing an automatic update became infected. Within weeks, AISURU’s network grew to over 100,000 routers, and by September 2025, it had amassed around 300,000 compromised devices.
Technical Sophistication
AISURU’s architecture showcased advanced techniques. Researchers identified the use of Generic Routing Encapsulation (GRE) tunneling to distribute traffic loads across multiple command-and-control (C2) servers. This strategy enabled the botnet to orchestrate a simultaneous flood of packets, overwhelming target networks with unprecedented efficiency.
Impact of the 11.5 Tbps Attack
The 11.5 Tbps DDoS attack had a global impact. Service providers worldwide scrambled to mitigate the deluge of SYN, UDP, and DNS amplification requests. Affected organizations reported intermittent outages and service degradation, highlighting the potency of combining large-scale IoT compromises with advanced evasion techniques.
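The three vectors named above (SYN flood, UDP flood, DNS amplification) each leave a recognisable signature in flow records. The following Python, added here as an example and not code from the original article or from XLab, classifies a batch of flow records per destination using deliberately low thresholds so that the constructed sample trips them; the `Flow` record layout, the threshold values and the sample addresses are all assumptions of this example.

```python
"""Classify flow records into the DDoS vectors the article names.

Added example (not from the original article). The Flow layout, thresholds
and sample records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    flags: str   # TCP flag letters, e.g. "S" for a bare SYN; "" for UDP
    bytes: int


# Constructed thresholds, kept tiny so the sample below is flagged.
# A real deployment would derive them from baseline traffic per destination.
MIN_SOURCES = 3
MIN_DNS_BYTES = 2000


def classify_vectors(flows):
    """Return {dst: set of vector names} for destinations that look attacked."""
    syn_src = defaultdict(set)    # dst -> sources sending bare SYNs
    udp_src = defaultdict(set)    # dst -> sources sending generic UDP
    dns_src = defaultdict(set)    # dst -> resolvers sending port-53 replies
    dns_bytes = defaultdict(int)  # dst -> bytes of those replies
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            syn_src[f.dst].add(f.src)
        elif f.proto == "udp":
            if f.sport == 53:
                # Many large replies from many resolvers to one host that did
                # not query them is the amplification pattern (simplified check).
                dns_src[f.dst].add(f.src)
                dns_bytes[f.dst] += f.bytes
            else:
                udp_src[f.dst].add(f.src)

    result = defaultdict(set)
    for dst, sources in syn_src.items():
        if len(sources) >= MIN_SOURCES:
            result[dst].add("syn_flood")
    for dst, sources in udp_src.items():
        if len(sources) >= MIN_SOURCES:
            result[dst].add("udp_flood")
    for dst, total in dns_bytes.items():
        if total >= MIN_DNS_BYTES and len(dns_src[dst]) >= MIN_SOURCES:
            result[dst].add("dns_amplification")
    return dict(result)


# ---- constructed sample: one attacked host and one host seeing normal traffic ----
TARGET = "203.0.113.10"
SAMPLE_FLOWS = [
    Flow("198.51.100.1", TARGET, "tcp", 40001, 80, "S", 60),
    Flow("198.51.100.2", TARGET, "tcp", 40002, 80, "S", 60),
    Flow("198.51.100.3", TARGET, "tcp", 40003, 80, "S", 60),
    Flow("192.0.2.53", TARGET, "udp", 53, 3333, "", 1400),
    Flow("192.0.2.54", TARGET, "udp", 53, 3333, "", 1400),
    Flow("192.0.2.55", TARGET, "udp", 53, 3333, "", 1400),
    Flow("198.51.100.7", TARGET, "udp", 5000, 123, "", 200),   # only two UDP
    Flow("198.51.100.8", TARGET, "udp", 5000, 123, "", 200),   # sources: no flag
    Flow("198.51.100.9", "203.0.113.20", "tcp", 50000, 443, "S", 60),
    Flow("192.0.2.53", "203.0.113.20", "udp", 53, 41000, "", 120),
]

if __name__ == "__main__":
    for dst, vectors in classify_vectors(SAMPLE_FLOWS).items():
        print(dst, sorted(vectors))
```

The per-destination source counting is what separates a flood from a busy but legitimate service: a handful of hosts completing handshakes is normal, hundreds of distinct sources sending only SYNs is not. The DNS check is intentionally coarse; a production version would correlate replies against the queries the host actually sent.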
Innovative Evasion Techniques
AISURU’s operators demonstrated a rapid shift from traditional amplification vectors to custom-crafted packet sequences designed to bypass legacy mitigation tools. This innovation allowed the botnet to set new records in DDoS throughput, challenging existing defense mechanisms.
Malware Evolution and Design
Beyond its distributed architecture and bandwidth capacity, AISURU’s malware exhibited a high degree of technical refinement. Its dual-version propagation engine continuously evolved, integrating both zero-day exploits and known vulnerabilities to expand its reach. The modular design facilitated swift updates to encryption, communication protocols, and attack commands without requiring a complete overhaul of the malware codebase.
Infection Mechanism: Firmware Update Hijacking
Delving into AISURU’s infection mechanism reveals a deceptively simple yet devastating approach. In April 2025, attackers breached Totolink’s firmware update server, planting a shell script named `t.sh` that redirected devices to download the AISURU payload. Once executed, the script established persistence by modifying `/etc/rc.local` entries and shielded itself from the Linux Out-Of-Memory (OOM) killer by lowering its own score via `/proc/self/oom_score_adj`, ensuring the bot remained resident across reboots and under memory pressure.
Stealth and Persistence
The payload binary, renamed to `libcow.so`, evaded detection by masquerading as common system daemons such as `telnetd` or `dhclient`. Upon initialization, AISURU performed environment checks to terminate itself in virtualized or analysis environments by scanning for virtualization artifacts and debugging tools. It then established a secure channel with C2 servers via a custom AES-XOR hybrid protocol, exchanging commands ranging from DDoS instructions to residential proxy assignments.
Persistence Routine Example
An illustrative snippet of the persistence routine is as follows:
```sh
# Persistence setup: append a backgrounded launch of the payload to /etc/rc.local
# so it is started on every boot (the '&' must be inside the quotes to be written)
echo "/usr/lib/libcow.so &" >> /etc/rc.local
# Make the payload executable
chmod +x /usr/lib/libcow.so
```
This mechanism underscores the threat actors’ mastery over both traditional Linux administration and bespoke malware engineering, enabling AISURU to maintain dominance in the DDoS ecosystem.
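The behaviours described in the infection and stealth sections above (an `rc.local` entry launching a `.so` file from `/usr/lib`, a process whose reported name is `telnetd` or `dhclient` but whose real binary is elsewhere, and a process that has exempted itself from the OOM killer) can each be checked from the host side. The Python below is an added example, not code from the original article or from XLab; it works on text snapshots of `/etc/rc.local` and a simplified process list so that it runs offline, and the sample data, the directory heuristics and the `Proc` record layout are all constructed assumptions.

```python
"""Host-side checks for the persistence and masquerading indicators above.

Added example (not from the original article). Inputs are text snapshots,
so the script runs offline; SAMPLE_RC_LOCAL and SAMPLE_PROCS are constructed.
"""
import re
from dataclasses import dataclass

# Daemon names the article says the payload impersonates.
MASQUERADE_NAMES = {"telnetd", "dhclient"}

# Constructed heuristic: programs launched from library or scratch directories,
# or anything named like a shared object, do not belong in rc.local.
SUSPICIOUS_DIR_RE = re.compile(r"^(/usr/lib|/lib|/tmp|/dev/shm)/\S+")
SHARED_OBJECT_RE = re.compile(r"\.so(\.\d+)*$")

# Directories where a legitimately OOM-exempt daemon's binary would live.
TRUSTED_BIN_PREFIXES = ("/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/")


def suspicious_rc_local_entries(rc_local_text: str) -> list:
    """Return rc.local lines that launch a program from a suspicious directory
    or execute a '.so' file as if it were a program."""
    hits = []
    for raw in rc_local_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "exit 0":
            continue
        program = line.split()[0]  # first token is the launched path
        if SUSPICIOUS_DIR_RE.match(program) or SHARED_OBJECT_RE.search(program):
            hits.append(line)
    return hits


@dataclass
class Proc:
    pid: int
    comm: str           # name the process reports (/proc/<pid>/comm)
    exe: str            # real binary path (/proc/<pid>/exe link target)
    oom_score_adj: int  # /proc/<pid>/oom_score_adj; -1000 means never killed


def suspicious_processes(procs) -> list:
    """Flag (pid, reason) for masquerading names and OOM-exempt binaries
    running from outside the normal system directories."""
    findings = []
    for p in procs:
        binary_name = p.exe.rsplit("/", 1)[-1]
        if p.comm in MASQUERADE_NAMES and binary_name != p.comm:
            findings.append((p.pid, f"name '{p.comm}' but binary is {p.exe}"))
        if p.oom_score_adj <= -1000 and not p.exe.startswith(TRUSTED_BIN_PREFIXES):
            findings.append((p.pid, f"OOM-exempt process running from {p.exe}"))
    return findings


# ---- constructed sample data ----
SAMPLE_RC_LOCAL = """#!/bin/sh -e
/usr/sbin/sshd
/usr/lib/libcow.so &
exit 0
"""

SAMPLE_PROCS = [
    Proc(1, "init", "/sbin/init", 0),
    Proc(812, "dhclient", "/sbin/dhclient", 0),          # genuine daemon
    Proc(1337, "telnetd", "/usr/lib/libcow.so", -1000),  # masquerading payload
]

if __name__ == "__main__":
    for line in suspicious_rc_local_entries(SAMPLE_RC_LOCAL):
        print("rc.local:", line)
    for pid, reason in suspicious_processes(SAMPLE_PROCS):
        print(f"pid {pid}: {reason}")
```

On a live router or Linux host the `Proc` records would be filled from `/proc/<pid>/comm`, the `/proc/<pid>/exe` symlink and `/proc/<pid>/oom_score_adj`; comparing the reported name against the real binary is what defeats the renaming trick, since a process can choose what it is called but not where its executable lives.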
Broader Implications
The AISURU botnet’s activities highlight the critical need for robust cybersecurity measures. The exploitation of router firmware vulnerabilities for large-scale attacks emphasizes the importance of timely firmware updates, vigilant network monitoring, and the implementation of advanced threat detection systems.
Conclusion
The AISURU botnet’s 11.5 Tbps DDoS attack serves as a stark reminder of the evolving threats in the digital landscape. Its sophisticated propagation methods, technical innovations, and massive scale underscore the necessity for continuous vigilance and proactive cybersecurity strategies to safeguard global digital infrastructure.