December 8, 2025

Aisuru Botnet Deep Dive

Protos AI Agent V2

#ThreatIntelligence #AisuruBotnet #DDoS #CyberSecurity #IoT

Date: 2025-12-06 | Classification: TLP:CLEAR

Executive Summary

⚠️ Aisuru is a large, actively maintained IoT/router botnet responsible for multiple hyper-volumetric DDoS attacks in 2025, culminating in a record 29.7 Tbps UDP carpet-bombing event that lasted ~69 seconds and was mitigated by Cloudflare. The botnet combines Mirai-derived ELF payloads with supply-chain style propagation (compromised firmware update servers), DNS-based C2 obfuscation, anti-analysis features, and a monetization layer offering residential proxy services. The breadth and scale of Aisuru present a Critical threat to ISP backbone infrastructure and high-value internet services.

Cloud vendors (Cloudflare, Microsoft) and technical investigators (XLab, SecPod) converge on high-confidence indicators: domains under ilovegaysex[.]su, a downloader domain updatetoto[.]tw, and multiple ELF samples with Mirai-like characteristics. VirusTotal and Protos threat feed enrichment corroborate these findings.

Investigation Scope

  • Objective: Deep-dive into Aisuru to answer: who/what it is, TTPs, infrastructure (C2, domains, IPs), observable IOCs, attribution, and mitigations.
  • Timeframe: Activity since early 2025, focused on the Q3-Q4 2025 surge and the 29.7 Tbps incident.
  • Sources: Cloudflare report, XLab (Qianxin), SecPod, KrebsOnSecurity, BleepingComputer, VirusTotal, Protos Threat Feed, Shodan/FOFA.

Key Findings

High Confidence

  • AISURU Overview: Large IoT/router botnet using Mirai-like ELF payloads, estimated 300k–4M devices depending on source metrics; used for hyper-volumetric DDoS (peaks 29.7 Tbps, 14.1 Bpps). (Cloudflare; XLab; SecPod) [Confidence: HIGH]
  • Supply-chain propagation: Operators abused a TOTOLINK firmware update server (updatetoto[.]tw) in April 2025 to distribute malicious scripts that rapidly expanded the botnet. (XLab) [Confidence: HIGH]
  • C2 & DNS obfuscation: Aisuru uses domains under ilovegaysex[.]su (subdomains like coerece[.]ilovegaysex[.]su, approach[.]ilovegaysex[.]su) with DNS TXT records that decode to proxy/C2 IP lists. (XLab; Protos) [Confidence: HIGH]
  • Malware characteristics: ELF ARM binaries show Mirai-family signatures (process masquerading, anti-debug checks). VirusTotal flagged multiple submitted hashes as Mirai variants. [Confidence: HIGH]

Medium Confidence

  • Proxy monetization: Aisuru supports residential proxy capabilities, with node speed profiling and proxy relay C2s in multiple countries. This indicates a hybrid monetization model (DDoS-for-hire + proxy rental). (XLab; SecPod) [Confidence: MEDIUM]
  • Proxy/relay infrastructure: Some reported relay IPs (e.g., 64[.]188[.]68[.]193) appear hosted in commercial data centers with services such as SSH open; others require further validation. [Confidence: MEDIUM]

Low Confidence

  • Attribution to named individuals (Snow, Tom, Forky) is sourced from an anonymous tip reported by XLab and should be treated cautiously. [Confidence: LOW]
  • Some long-form RU domains cited in reporting could not be matched in threat feeds and remain unverified. [Confidence: LOW]

Tactics, Techniques & Procedures (TTPs) 🔍

Tactic | Technique (ID) | Description | Confidence | Evidence
Initial Access | Exploit Public-Facing Application (T1190) | Automated exploitation of N-day and 0-day vulnerabilities in routers/DVRs and compromise via malicious firmware update servers (supply-chain style). | HIGH | XLab/SecPod reporting; supply-chain downloader domain updatetoto[.]tw; vendor CVE list.
Command & Control | Application Layer Protocol: DNS (T1071.004) / custom | Retrieval of C2/proxy IP lists from XOR-decoded DNS TXT records; custom protocol and modified RC4 for message encryption and obfuscation. | HIGH | XLab technical analysis; Protos threat feed records for ilovegaysex[.]su; DNS TXT decoding notes.
Defense Evasion | Masquerading (T1036) | Process renaming (e.g., telnetd, udhcpc), mapping shared libraries, OOM killer adjustments to survive on constrained devices. | HIGH | XLab/SecPod sample analysis; VirusTotal tags (sets-process-name).
Defense Evasion | Obfuscated/Compressed Files and Information (T1027) | Custom/modified RC4, XOR decoding of strings and TXT records, encrypted payloads and modified integrity checks to hinder analysis. | HIGH | XLab sample reverse-engineering; VirusTotal detections and behavioral tags.
Impact | Network Denial of Service (T1498) | Hyper-volumetric UDP carpet-bombing across many destination ports, multi-vector floods producing Tbps/Bpps-scale traffic in short bursts. | HIGH | Cloudflare mitigation reports (29.7 Tbps, 14.1 Bpps); public reporting (BleepingComputer, SecurityAffairs).
Other / Monetization | Proxy functionality & node profiling | Speedtest-based node profiling to select high-performance nodes for residential proxy mode; proxy relay C2s used to monetize node pools. | MEDIUM | XLab/SecPod observations of proxy commands and speed profiling; reported proxy IP list.

Infrastructure & IOCs (defanged) 🎯

High-confidence domains (block/monitor):

  • ilovegaysex[.]su (parent domain) [Confidence: HIGH]
  • coerece[.]ilovegaysex[.]su [Confidence: HIGH]
  • approach[.]ilovegaysex[.]su [Confidence: HIGH]
  • updatetoto[.]tw (firmware downloader) [Confidence: HIGH]

Sample file hashes (ELF/Mirai-like) [Confidence: HIGH]:


Reported proxy/relay IPs (defanged) [Confidence: MEDIUM]:

  • 64[.]188[.]68[.]193: observed in Shodan with SSH open; hosted by AS42831 (Ace Data Centers II) in UK [Confidence: MEDIUM]
  • 194[.]46[.]59[.]169: reported in SecPod (no Shodan hit in current query) [Confidence: LOW→MEDIUM]
  • 104[.]171[.]170[.]241: reported (no Shodan hit) [Confidence: LOW]
  • 104[.]171[.]170[.]253: reported (no Shodan hit) [Confidence: LOW]
  • 107[.]173[.]196[.]189: reported (no Shodan hit) [Confidence: LOW]
  • 78[.]108[.]178[.]100: reported (no Shodan hit) [Confidence: LOW]

Notes: Historical DNS records may have been removed or taken down; WHOIS shows registrations on 2025-04-25 with Cloudflare name servers. Passive DNS is recommended to recover historical A/NS/TXT records.

Risk Assessment 🚨

Overall Risk: Critical

  • Rationale: Aisuru has demonstrated the capability to generate terabit-scale volumetric attacks that can disrupt ISPs and cloud providers. The botnet’s scale, multi-vector capability, and monetization make it a persistent and high-impact threat. Short attack durations (seconds to minutes) increase the likelihood of severe service disruption before mitigations can be applied.

Recommendations: Actions for Defenders (prioritized)

  1. Immediate (⏱️ Priority 1): Detect & Block
    • Block or sinkhole connections to defanged IOCs at enterprise perimeter and DNS resolvers: ilovegaysex[.]su, coerece[.]ilovegaysex[.]su, approach[.]ilovegaysex[.]su, updatetoto[.]tw. Monitor for DNS TXT record queries and anomalous DNS activity. (TLP:CLEAR)
    • Implement upstream collaboration with CDNs and ISPs for BGP filtering and network-level scrubbing agreements.
  2. Short-term (24–72h): Patch & Harden
    • Immediately patch or isolate vulnerable network devices: apply vendor fixes for the CVEs listed in XLab/SecPod artifacts (prioritize CNPilot, Zyxel, Realtek-based devices, etc.).
    • Disable remote management on consumer routers where possible; enforce strong credentials and MFA for management consoles.
  3. Medium-term (1–4 weeks): Monitoring & Response
    • Enable and tune DDoS detection and rate-limiting (UDP rate caps, per-protocol thresholds). Configure automated scrubbing for hyper-volumetric patterns where available.
    • Monitor for signs of compromise: unusual outgoing UDP floods originating from internal networks, telnet scanning, unexpected reverse shells, or processes masquerading as system daemons on edge devices.
  4. Strategic (Ongoing): Resilience & Ecosystem Actions
    • Engage ISPs to coordinate takedowns and share passive DNS/telemetry. Advocate for vendor security posture improvements (secure firmware updates, code signing).
    • Enforce device supply-chain controls and network segmentation for IoT/OT devices.

Detection & Hunting Queries (recommended)

  • Network: Alert on high-rate UDP flows with many destination ports and randomized packet attributes; watch for spikes in DNS TXT queries toward uncommon TLDs (.su) and to updatetoto[.]tw.
  • Endpoint (edge appliances): Detect process names matching system utilities from non-trusted images (e.g., telnetd running from /tmp), unexpected outbound connections to defanged C2s, or presence of known ELF hashes.
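The two network signals above, turned into hunting logic as an added example (not code from the report or from Protos): it runs over constructed resolver log lines and flow records whose field layouts are assumed here, and the port-spread and packet-rate thresholds are illustrative, to be tuned to local baselines.

```python
from collections import defaultdict

# IOC domains from the report, refanged for matching against live query names.
IOC_DOMAINS = [d.replace("[.]", ".") for d in ("ilovegaysex[.]su", "updatetoto[.]tw")]
WATCHED_TLDS = {"su"}  # uncommon TLD the report singles out for TXT-query spikes

def suspicious_dns_queries(lines):
    """Assumed resolver log layout: '<ts> <client> <qtype> <qname>'.
    Returns (client, qtype, qname) for any query to an IOC domain or its
    subdomains, and for TXT queries to names under a watched TLD."""
    hits = []
    for line in lines:
        _ts, client, qtype, qname = line.split()
        qtype, qname = qtype.upper(), qname.rstrip(".").lower()
        ioc_hit = any(qname == d or qname.endswith("." + d) for d in IOC_DOMAINS)
        tld_hit = qtype == "TXT" and qname.rsplit(".", 1)[-1] in WATCHED_TLDS
        if ioc_hit or tld_hit:
            hits.append((client, qtype, qname))
    return hits

def carpet_bomb_pairs(flows, min_ports=100, min_pps=10000):
    """Assumed flow record layout: '<src> <dst> <proto> <dport> <pps>'.
    Flags (src, dst) pairs whose UDP traffic spreads over at least min_ports
    destination ports at a combined rate of at least min_pps packets/s,
    the carpet-bombing shape described in the TTP table."""
    ports, rate = defaultdict(set), defaultdict(int)
    for rec in flows:
        src, dst, proto, dport, pps = rec.split()
        if proto.upper() != "UDP":
            continue
        ports[(src, dst)].add(int(dport))
        rate[(src, dst)] += int(pps)
    return sorted(k for k in ports if len(ports[k]) >= min_ports and rate[k] >= min_pps)

# Constructed sample input (not real telemetry): one host spraying 200 UDP ports
# at a single target, one host doing ordinary DNS/HTTPS, and a mix of queries.
DNS_LOG = [
    "1733443200 10.0.0.5 A www.example.com.",
    "1733443201 10.0.0.7 TXT coerece.ilovegaysex.su.",
    "1733443202 10.0.0.7 TXT _dmarc.example.com.",
    "1733443203 10.0.0.9 TXT nodes.somerandom.su.",
    "1733443204 10.0.0.9 A updatetoto.tw.",
]
FLOWS = [f"10.0.0.7 203.0.113.10 UDP {p} 200" for p in range(1024, 1224)] + [
    "10.0.0.5 203.0.113.20 UDP 53 50",
    "10.0.0.5 203.0.113.20 TCP 443 50",
]

if __name__ == "__main__":
    print(suspicious_dns_queries(DNS_LOG))
    print(carpet_bomb_pairs(FLOWS))
```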

Investigation Gaps & Recommended Analyst Actions

  • Passive DNS history retrieval: Recover historical A and TXT records for ilovegaysex[.]su and updatetoto[.]tw to map past C2 IPs and expand IOC coverage.
  • Telemetry correlation: Search internal logs (EDR, NIDS, NetFlow) for connections to defanged IOCs, telnet scanning behavior, and outbound UDP floods to identify local infections.
  • Malware analysis: Obtain full ELF samples for static DA and YARA rule generation (note: we cannot perform sandbox execution here). Recommend sandbox analysis by your malware team.
