Advisory ID: NCC-CSIRT-2025-022
Summary:
Security researchers report that the Aisuru botnet, a powerful Mirai/TurboMirai-class IoT botnet behind multiple record-scale DDoS attacks in 2025, has been retooled from covert DDoS operations into a profitable residential-proxy service model. Instead of solely launching volumetric attacks, Aisuru operators are now renting access to hundreds of thousands of compromised IoT devices as residential proxies, enabling customers (criminal and legitimate alike) to anonymize and route traffic through infected home devices. This pivot enhances the botnet’s longevity and profitability while making malicious traffic more difficult to attribute and block.
Damage/Probability: Critical/High
Product(s):
- Consumer and small-office/home (SOHO) routers and gateways
- Internet of Things (IoT) devices (IP cameras, DVRs, home gateways, routers)
- Residential broadband CPE and unmanaged devices
Version(s):
Not version-specific; affects a wide range of unpatched or poorly secured IoT firmware and consumer router firmware versions.
Platform(s):
- Home and small-office networks
- ISP access networks
- Proxy resale marketplaces that can consume residential proxy capacity
Description:
Aisuru is a Mirai-family/TurboMirai-class botnet that has previously been observed launching record-breaking DDoS attacks by enlisting large numbers of insecure IoT devices. Recent telemetry and reporting indicate the operator(s) have added modules and management infrastructure to enable proxy services on infected devices. Compromised devices are exposed as SOCKS/HTTP proxies or otherwise configured to relay arbitrary traffic for paying customers. The botnet retains high-volume DDoS capabilities but now offers a lower-visibility revenue stream, residential proxy rentals, which is attractive to a broad range of cybercriminal activities, including credential stuffing, ad fraud, web scraping, and evading geofencing or content takedowns.
Technical indicators observed across vendor telemetry include unusual outbound connections on proxy ports to customer controllers, persistent processes or scripts on consumer CPE performing proxying, rotation of proxy endpoints to avoid IP blocks, and reuse of known Mirai-style infection vectors (default/weak credentials, exposed administrative interfaces). Netscout/ASERT and other industry teams reported significant outbound DDoS traffic originating from end-customer devices earlier in 2025 and have documented the observable shift in operator behaviour toward proxy monetization.
Impacts:
- Large, persistent pools of geographically diverse residential IPs for criminals to anonymize and scale malicious campaigns (fraud, credential stuffing, ad-fraud, scraping).
- Increased difficulty for defenders and law enforcement to attribute malicious activity because traffic originates from legitimate residential IP addresses.
- Continued capability to mount massive DDoS attacks when operators choose to, while also monetizing assets via proxy rentals.
- Operational impact on ISPs and customers: bandwidth saturation, degraded service, and reputational exposure of affected subscribers.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Monitor CPE for unusual outbound connections or proxy port activity (1080, 3128, 8080).
- Detect abnormal high-volume upstream traffic and excessive concurrent sessions.
- Use threat intelligence (e.g., Netscout ASERT, X-Lab) to identify Aisuru indicators.
- Block or throttle connections to known C2 and proxy domains.
- Push firmware updates and advise customers to secure or replace vulnerable IoT devices.
- Enforce strong authentication (MFA, rate limits) and monitor for proxy-like traffic patterns.
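The first two monitoring steps above can be turned into a simple per-subscriber flow heuristic. The following is an added illustration, not code from the advisory or from any vendor tool; the flow records, subscriber addresses and thresholds are constructed.

```python
"""Heuristic review of per-subscriber flow records for proxy-like CPE behaviour.
Added example; flow records and thresholds are constructed, not vendor telemetry."""
from collections import defaultdict
from dataclasses import dataclass

PROXY_PORTS = {1080, 3128, 8080}   # proxy ports named in the advisory

@dataclass(frozen=True)
class Flow:
    subscriber_ip: str   # WAN address of the subscriber's CPE
    remote_ip: str       # external peer the CPE connected to
    remote_port: int
    start: int           # epoch seconds
    end: int
    bytes_up: int        # upstream bytes sent by the CPE

def peak_concurrency(flows):
    """Sweep-line count of the largest number of sessions open at once."""
    events = sorted([(f.start, 1) for f in flows] + [(f.end, -1) for f in flows],
                    key=lambda e: (e[0], e[1]))  # at equal times, ends before starts
    cur = peak = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak

def flag_proxy_like_cpe(flows, min_proxy_peers=3,
                        max_up_bytes=500_000_000, max_concurrent=200):
    """Return {subscriber_ip: [reasons]} for subscribers matching the indicators."""
    per_sub = defaultdict(list)
    for f in flows:
        per_sub[f.subscriber_ip].append(f)
    findings = {}
    for sub, fl in per_sub.items():
        reasons = []
        proxy_peers = {f.remote_ip for f in fl if f.remote_port in PROXY_PORTS}
        if len(proxy_peers) >= min_proxy_peers:
            reasons.append(f"outbound to proxy ports on {len(proxy_peers)} distinct hosts")
        up = sum(f.bytes_up for f in fl)
        if up > max_up_bytes:
            reasons.append(f"upstream volume {up} bytes")
        conc = peak_concurrency(fl)
        if conc > max_concurrent:
            reasons.append(f"peak of {conc} concurrent sessions")
        if reasons:
            findings[sub] = reasons
    return findings

# Constructed sample: one ordinary subscriber and one showing all three indicators.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "198.51.100.5", 443, 0, 60, 20_000),
    Flow("203.0.113.10", "198.51.100.6", 443, 10, 90, 35_000),
] + [Flow("203.0.113.20", f"198.51.100.{i}", 1080, 0, 3600, 3_000_000) for i in range(250)]

if __name__ == "__main__":
    for sub, reasons in flag_proxy_like_cpe(SAMPLE_FLOWS).items():
        print(sub, "->", "; ".join(reasons))
```

Thresholds should be tuned per access network; a single indicator is a lead for review, not proof of compromise.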
References:
- https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/
- https://www.netscout.com/blog/asert/asert-threat-summary-aisuru-and-related-turbomirai-botnet-ddos
- https://securityaffairs.com/183969/malware/aisuru-botnet-is-behind-record-20tb-sec-ddos-attacks.html
- https://www.securityweek.com/turbomirai-class-aisuru-botnet-blamed-for-20-tbps-ddos-attacks/
- https://www.csoonline.com/article/4071594/aisurus-30-tbps-botnet-traffic-crashes-through-major-us-isps.html