{
	"id": "82200ac5-df6f-4375-983e-58310e6637a3",
	"created_at": "2026-04-10T03:20:47.42238Z",
	"updated_at": "2026-04-10T03:22:18.467037Z",
	"deleted_at": null,
	"sha1_hash": "c7c2e57110f0afaff9382dae69f12739622c1811",
	"title": "Aisuru Botnet Shifts from DDoS to Residential Proxies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1190932,
	"plain_text": "Aisuru Botnet Shifts from DDoS to Residential Proxies\r\nBy Jon\r\nPublished: 2025-10-29 · Archived: 2026-04-10 03:07:11 UTC\r\nAisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this\r\nyear, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of\r\nthousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their\r\ntraffic. Experts says a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts\r\ntied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic\r\nthrough residential connections that appear to be regular Internet users.\r\nFirst identified in August 2024, Aisuru has spread to at least 700,000 IoT systems, such as poorly secured Internet\r\nrouters and security cameras. Aisuru’s overlords have used their massive botnet to clobber targets with headline-grabbing DDoS attacks, flooding targeted hosts with blasts of junk requests from all infected systems\r\nsimultaneously.\r\nIn June, Aisuru hit KrebsOnSecurity.com with a DDoS clocking at 6.3 terabits per second — the biggest attack\r\nthat Google had ever mitigated at the time. In the weeks and months that followed, Aisuru’s operators\r\ndemonstrated DDoS capabilities of nearly 30 terabits of data per second — well beyond the attack mitigation\r\ncapabilities of most Internet destinations.\r\nThese digital sieges have been particularly disruptive this year for U.S.-based Internet service providers (ISPs), in\r\npart because Aisuru recently succeeded in taking over a large number of IoT devices in the United States. 
And\r\nhttps://cyberch.com/posts/aisuru-botnet-shifts-from-ddos-to-residential-proxies/\r\nPage 1 of 11\n\nwhen Aisuru launches attacks, the volume of outgoing traffic from infected systems on these ISPs is often so high\r\nthat it can disrupt or degrade Internet service for adjacent (non-botted) customers of the ISPs.\r\n“Multiple broadband access network operators have experienced significant operational impact due to outbound\r\nDDoS attacks in excess of 1.5Tb/sec launched from Aisuru botnet nodes residing on end-customer premises,”\r\nwrote Roland Dobbins, principal engineer at Netscout, in a recent executive summary on Aisuru.\r\n“Outbound/crossbound attack traffic exceeding 1Tb/sec from compromised customer premise equipment (CPE)\r\ndevices has caused significant disruption to wireline and wireless broadband access networks. High-throughput\r\nattacks have caused chassis-based router line card failures.”\r\nThe incessant attacks from Aisuru have caught the attention of federal authorities in the United States and Europe\r\n(many of Aisuru’s victims are customers of ISPs and hosting providers based in Europe). Quite recently, some of\r\nthe world’s largest ISPs have started informally sharing block lists identifying the rapidly shifting locations of the\r\nservers that the attackers use to control the activities of the botnet.\r\nExperts say the Aisuru botmasters recently updated their malware so that compromised devices can more easily be\r\nrented to so-called “residential proxy” providers. These proxy services allow paying customers to route their\r\nInternet communications through someone else’s device, providing anonymity and the ability to appear as a\r\nregular Internet user in almost any major city worldwide.\r\nFrom a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented\r\nresidential IP address, not from the proxy service customer. 
Proxy services can be used in a legitimate manner for\r\nseveral business purposes — such as price comparisons or sales intelligence. But they are massively abused for\r\nhiding cybercrime activity (think advertising fraud, credential stuffing) because they can make it difficult to trace\r\nmalicious traffic to its original source.\r\nAnd as we’ll see in a moment, this entire shadowy industry appears to be shifting its focus toward enabling\r\naggressive content scraping activity that continuously feeds raw data into large language models (LLMs) built to\r\nsupport various AI projects.\r\n‘INSANE’ GROWTH\r\nRiley Kilmer is co-founder of spur.us, a service that tracks proxy networks. Kilmer said all of the top proxy\r\nservices have grown exponentially over the past six months — with some adding between 10 and 200 times more\r\nproxies for rent.\r\n“I just checked, and in the last 90 days we’ve seen 250 million unique residential proxy IPs,” Kilmer said. “That is\r\ninsane. That is so high of a number, it’s unheard of. 
These proxies are absolutely everywhere now.”\r\nTo put Kilmer’s comments in perspective, here was Spur’s view of the Top 10 proxy networks by approximate\r\ninstall base, circa May 2025:\r\nAUPROXIES_PROXY  66,097\r\nRAYOBYTE_PROXY    43,894\r\nOXYLABS_PROXY   43,008\r\nWEBSHARE_PROXY   39,800\r\nIPROYAL_PROXY    32,723\r\nPROXYCHEAP_PROXY    26,368\r\nIPIDEA_PROXY    26,202\r\nMYPRIVATEPROXY_PROXY  25,287\r\nHYPE_PROXY    18,185\r\nMASSIVE_PROXY    17,152\r\nToday, Spur says it is tracking an unprecedented spike in available proxies across all providers, including:\r\nLUMINATI_PROXY    11,856,421\r\nNETNUT_PROXY    10,982,458\r\nABCPROXY_PROXY    9,294,419\r\nOXYLABS_PROXY     6,754,790\r\nIPIDEA_PROXY     3,209,313\r\nEARNFM_PROXY    2,659,913\r\nNODEMAVEN_PROXY    2,627,851\r\nINFATICA_PROXY    2,335,194\r\nIPROYAL_PROXY    2,032,027\r\nYILU_PROXY    1,549,155\r\nReached for comment about the apparent rapid growth in their proxy network, Oxylabs (#4 on Spur’s list) said\r\nwhile their proxy pool did grow recently, it did so at nowhere near the rate cited by Spur.\r\n“We don’t systematically track other providers’ figures, and we’re not aware of any instances of 10× or 100×\r\ngrowth, especially when it comes to a few bigger companies that are legitimate businesses,” the company said in a\r\nwritten statement.\r\nBright Data was formerly known as Luminati Networks, the name that is currently at the top of Spur’s list of the\r\nbiggest residential proxy networks, with more than 11 million proxies. 
Bright Data likewise told KrebsOnSecurity\r\nthat Spur’s current estimates of its proxy network are dramatically overstated and inaccurate.\r\n“We did not actively initiate nor do we see any 10x or 100x expansion of our network, which leads me to believe\r\nthat someone might be presenting these IPs as Bright Data’s in some way,” said Rony Shalit, Bright Data’s chief\r\ncompliance and ethics officer. “In many cases in the past, due to us being the leading data collection proxy\r\nprovider, IPs were falsely tagged as being part of our network, or while being used by other proxy providers for\r\nmalicious activity.”\r\n“Our network is only sourced from verified IP providers and robust opt-in-only residential peers, which we work\r\nhard and in complete transparency to obtain,” Shalit continued. “Every DC, ISP or SDK partner is reviewed and\r\napproved, and every residential peer must actively opt in to be part of our network.”\r\nHK NETWORK\r\nEven Spur acknowledges that Luminati and Oxylabs are unlike most other proxy services on their top proxy\r\nproviders list, in that these providers actually adhere to “know-your-customer” policies, such as requiring video\r\ncalls with all customers, and strictly blocking customers from reselling access.\r\nBenjamin Brundage is founder of Synthient, a startup that helps companies detect proxy networks. Brundage\r\nsaid if there is increasing confusion around which proxy networks are the most worrisome, it’s because nearly all\r\nof these lesser-known proxy services have evolved into highly incestuous bandwidth resellers. 
What’s more, he\r\nsaid, some proxy providers do not appreciate being tracked and have been known to take aggressive steps to\r\nconfuse systems that scan the Internet for residential proxy nodes.\r\nBrundage said most proxy services today have created their own software development kit or SDK that other app\r\ndevelopers can bundle with their code to earn revenue. These SDKs quietly modify the user’s device so that some\r\nportion of their bandwidth can be used to forward traffic from proxy service customers.\r\n“Proxy providers have pools of constantly churning IP addresses,” he said. “These IP addresses are sourced\r\nthrough various means, such as bandwidth-sharing apps, botnets, Android SDKs, and more. These providers will\r\noften either directly approach resellers or offer a reseller program that allows users to resell bandwidth through\r\ntheir platform.”\r\nMany SDK providers say they require full consent before allowing their software to be installed on end-user\r\ndevices. Still, those opt-in agreements and consent checkboxes may be little more than a formality for\r\ncybercriminals like the Aisuru botmasters, who can earn a commission each time one of their infected devices is\r\nforced to install some SDK that enables one or more of these proxy services.\r\nDepending on its structure, a single provider may operate hundreds of different proxy pools at a time — all\r\nmaintained through other means, Brundage said.\r\n“Often, you’ll see resellers maintaining their own proxy pool in addition to an upstream provider,” he said. “It\r\nallows them to market a proxy pool to high-value clients and offer an unlimited bandwidth plan for cheap to reduce\r\ntheir own costs.”\r\nSome proxy providers appear to be directly in league with botmasters. Brundage identified one proxy provider\r\nthat was aggressively advertising cheap and plentiful bandwidth to content scraping companies. 
After scanning\r\nthat provider’s pool of available proxies, Brundage said he found a one-to-one match with IP addresses he’d\r\npreviously mapped to the Aisuru botnet.\r\nBrundage says that by almost any measurement, the world’s largest residential proxy service is IPidea, a China-based proxy network. IPidea is #5 on Spur’s Top 10, and Brundage said its brands include ABCProxy (#3),\r\nRoxlabs, LunaProxy, PIA S5 Proxy, PyProxy, 922Proxy, 360Proxy, IP2World, and Cherry Proxy. Spur’s\r\nKilmer said they also track Yilu Proxy (#10) as IPidea.\r\nBrundage said all of these providers operate under a corporate umbrella known on the cybercrime forums as “HK\r\nNetwork.”\r\n“The way it works is there’s this whole reseller ecosystem, where IPidea will be incredibly aggressive and\r\napproach all these proxy providers with the offer, ‘Hey, if you guys buy bandwidth from us, we’ll give you these\r\namazing reseller prices,’” Brundage explained. “But they’re also very aggressive in recruiting resellers for their\r\napps.”\r\nA graphic depicting the relationship between proxy providers that Synthient found are white labeling IPidea\r\nproxies. Image: Synthient.com.\r\nThose apps include a range of low-cost and “free” virtual private networking (VPN) services that indeed allow\r\nusers to enjoy a free VPN, but which also turn the user’s device into a traffic relay that can be rented to\r\ncybercriminals, or else parceled out to countless other proxy networks.\r\n“They have all this bandwidth to offload,” Brundage said of IPidea and its sister networks. 
“And they can do it\r\nthrough their own platforms, or they go get resellers to do it for them by advertising on sketchy hacker forums to\r\nreach more people.”\r\nOne of IPidea’s core brands is 922S5Proxy, which is a not-so-subtle nod to the 911S5Proxy service that was\r\nhugely popular between 2015 and 2022. In July 2022, KrebsOnSecurity published a deep dive into 911S5Proxy’s\r\norigins and apparent owners in China. Less than a week later, 911S5Proxy announced it was closing down after\r\nthe company’s servers were massively hacked.\r\nThat 2022 story named Yunhe Wang from Beijing as the apparent owner and/or manager of the 911S5 proxy\r\nservice. In May 2024, the U.S. Department of Justice arrested Mr. Wang, alleging that his network was used to\r\nsteal billions of dollars from financial institutions, credit card issuers, and federal lending programs. At the same\r\ntime, the U.S. Treasury Department announced sanctions against Wang and two other Chinese nationals for\r\noperating 911S5Proxy.\r\nThe website for 922Proxy.\r\nDATA SCRAPING FOR AI\r\nIn recent months, multiple experts who track botnet and proxy activity have shared that a great deal of content\r\nscraping which ultimately benefits AI companies is now leveraging these proxy networks to further obfuscate their\r\naggressive data-slurping activity. 
That’s because by routing it through residential IP addresses, content scraping\r\nfirms can make their traffic far trickier to filter out.\r\n“It’s really difficult to block, because there’s a risk of blocking real people,” Spur’s Kilmer said of the LLM\r\nscraping activity that is fed through individual residential IP addresses, which are often shared by multiple\r\ncustomers at once.\r\nKilmer says the AI industry has brought a veneer of legitimacy to the residential proxy business, which has heretofore\r\nmostly been associated with sketchy affiliate money-making programs, automated abuse, and unwanted Internet\r\ntraffic.\r\n“Web crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be\r\ncollected,” Kilmer said. “Everybody wanted to monetize their own data pots, and how they monetize that is\r\ndifferent across the board.”\r\nKilmer said many LLM-related scrapers rely on residential proxies in cases where the content provider has\r\nrestricted access to their platform in some way, such as forcing interaction through an app, or keeping all content\r\nbehind a login page with multi-factor authentication.\r\n“Where the cost of data is out of reach — there is some exclusivity or reason they can’t access the data — they’ll\r\nturn to residential proxies so they look like a real person accessing that data,” Kilmer said of the content scraping\r\nefforts.\r\nAggressive AI crawlers increasingly are overloading community-maintained infrastructure, causing what amounts\r\nto persistent DDoS attacks on vital public resources. 
A report earlier this year from LibreNews found some open-source projects now see as much as 97 percent of their traffic originating from AI company bots, dramatically\r\nincreasing bandwidth costs, service instability, and burdening already stretched-thin maintainers.\r\nCloudflare is now experimenting with tools that will allow content creators to charge a fee to AI crawlers to\r\nscrape their websites. The company’s “pay-per-crawl” feature is currently in a private beta, but it lets publishers\r\nset their own prices that bots must pay before scraping content.\r\nOn October 22, the social media and news network Reddit sued Oxylabs (PDF) and several other proxy\r\nproviders, alleging that their systems enabled the mass-scraping of Reddit user content even though Reddit had\r\ntaken steps to block such activity.\r\n“Recognizing that Reddit denies scrapers like them access to its site, Defendants scrape the data from Google’s\r\nsearch results instead,” the lawsuit alleges. “They do so by masking their identities, hiding their locations, and\r\ndisguising their web scrapers as regular people (among other techniques) to circumvent or bypass the security\r\nrestrictions meant to stop them.”\r\nDenas Grybauskas, chief governance and strategy officer at Oxylabs, said the company was shocked and\r\ndisappointed by the lawsuit.\r\n“Reddit has made no attempt to speak with us directly or communicate any potential concerns,” Grybauskas said\r\nin a written statement. “Oxylabs has always been and will continue to be a pioneer and an industry leader in public\r\ndata collection, and it will not hesitate to defend itself against these allegations. Oxylabs’ position is that no\r\ncompany should claim ownership of public data that does not belong to them. 
It is possible that it is just an\r\nattempt to sell the same public data at an inflated price.”\r\nAs big and powerful as Aisuru may be, it is hardly the only botnet that is contributing to the overall broad\r\navailability of residential proxies. For example, on June 5 the FBI’s Internet Crime Complaint Center warned\r\nthat an IoT malware threat dubbed BADBOX 2.0 had compromised millions of smart-TV boxes, digital\r\nprojectors, vehicle infotainment units, picture frames, and other IoT devices.\r\nIn July 2025, Google filed a lawsuit in New York federal court against the Badbox botnet’s alleged perpetrators.\r\nGoogle said the Badbox 2.0 botnet “compromised more than 10 million uncertified devices running Android’s\r\nopen-source software, which lacks Google’s security protections. Cybercriminals infected these devices with pre-installed malware and exploited them to conduct large-scale ad fraud and other digital crimes.”\r\nA FAMILIAR DOMAIN NAME\r\nBrundage said the Aisuru botmasters have their own SDK, and for some reason part of its code tells many newly-infected systems to query the domain name fuckbriankrebs[.]com. 
This may be little more than an elaborate\r\n“screw you” to this site’s author: One of the botnet’s alleged partners goes by the handle “Forky,” and was\r\nidentified in June by KrebsOnSecurity as a young man from Sao Paulo, Brazil.\r\nBrundage noted that only systems infected with Aisuru’s Android SDK will be forced to resolve the domain.\r\nInitially, there was some discussion about whether the domain might have some utility as a “kill switch” capable\r\nof disrupting the botnet’s operations, although Brundage and others interviewed for this story say that is unlikely.\r\nA tiny sample of the traffic after a DNS server was enabled on the newly registered domain fuckbriankrebs dot\r\ncom. Each unique IP address requested its own unique subdomain. Image: Seralys.\r\nFor one thing, they said, if the domain was somehow critical to the operation of the botnet, why was it still\r\nunregistered and actively for-sale? Why indeed, we asked. Happily, the domain name was deftly snatched up last\r\nweek by Philippe Caturegli, “chief hacking officer” for the security intelligence company Seralys.\r\nCaturegli enabled a passive DNS server on that domain and within a few hours received more than 700,000\r\nrequests for unique subdomains on fuckbriankrebs[.]com.\r\nBut even with that visibility into Aisuru, it is difficult to use this domain check-in feature to measure its true size,\r\nBrundage said. After all, he said, the systems that are phoning home to the domain are only a small portion of the\r\noverall botnet.\r\n“The bots are hardcoded to just spam lookups on the subdomains,” he said. 
“So anytime an infection occurs or it\r\nruns in the background, it will do one of those DNS queries.”\r\nCaturegli briefly configured all subdomains on fuckbriankrebs dot com to display this ASCII art image to visiting\r\nsystems today.\r\nThe domain fuckbriankrebs[.]com has a storied history. On its initial launch in 2009, it was used to spread\r\nmalicious software by the Cutwail spam botnet. In 2011, the domain was involved in a notable DDoS against this\r\nwebsite from a botnet powered by Russkill (a.k.a. “Dirt Jumper”).\r\nDomaintools.com finds that in 2015, fuckbriankrebs[.]com was registered to an email address attributed to David\r\n“Abdilo” Crees, a 26-year-old Australian man sentenced in May 2025 to time served for cybercrime convictions.\r\nAbdilo operated Lizard Stresser, a DDoS-for-hire service run by the Lizard Squad hacking group that was used\r\nin multiple attacks against this website between 2015 and 2016.\r\nSource: https://cyberch.com/posts/aisuru-botnet-shifts-from-ddos-to-residential-proxies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyberch.com/posts/aisuru-botnet-shifts-from-ddos-to-residential-proxies/"
	],
	"report_names": [
		"aisuru-botnet-shifts-from-ddos-to-residential-proxies"
	],
	"threat_actors": [],
	"ts_created_at": 1775791247,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7c2e57110f0afaff9382dae69f12739622c1811.pdf",
		"text": "https://archive.orkl.eu/c7c2e57110f0afaff9382dae69f12739622c1811.txt",
		"img": "https://archive.orkl.eu/c7c2e57110f0afaff9382dae69f12739622c1811.jpg"
	}
}