{
	"id": "97699fb2-6105-4e14-8d45-19505b5508ea",
	"created_at": "2026-04-06T00:22:03.156483Z",
	"updated_at": "2026-04-10T03:21:22.220715Z",
	"deleted_at": null,
	"sha1_hash": "fe4579c2aef364d4c55d4fef05b201b53a715ff4",
	"title": "Botnets never die | APNIC Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1451652,
	"plain_text": "Botnets never die | APNIC Blog\r\nPublished: 2025-03-12 · Archived: 2026-04-05 20:15:31 UTC\r\nThe post was co-authored by Daji, Alex.Turing, and Acey9.\r\nIn August 2024, we at XLab observed a premeditated large-scale DDoS attack targeting the distribution platforms\r\nof the Chinese game Black Myth: Wukong — Steam and Perfect World. The attack was strategically launched\r\nduring peak gaming hours across different time zones, lasting several hours each time, and impacted hundreds of\r\nservers across 13 global regions. The botnet used in the attack referred to itself as AISURU.\r\nAfter AISURU was exposed, it temporarily ceased activities in September 2024 but soon resurfaced for profit-driven motives, evolving into new variants, kitty in October and AIRASHI in late November 2024. The botnet\r\noperators have repeatedly left messages in the samples to interact with us. After previously claiming to have\r\nlearned to dance Macarena from XLab, they have now sent us an invitation to dance the Conga in the new\r\nvariants. The following analysis will focus on the new variants, kitty and AIRASHI. Let’s start ‘dancing’!\r\nThe current AIRASHI botnet has the following main characteristics:\r\nUses a zero-day (0day) vulnerability of cnPilot routers to spread samples.\r\nSample strings are encrypted with RC4, while the CNC communication protocol has added HMAC-SHA256 verification and uses ChaCha20 encryption.\r\nCNC domain names include keywords such as xlabresearch, xlabsecurity, and foxthreatnointel, mocking\r\nXLab and security researchers.\r\nStable T-level DDoS attack capabilities.\r\nRich IP resources for the Command and Control (CNC) end, with nearly 60 IPs resolved from domains,\r\ndistributed across different economies and service providers. This may be intended to accommodate more\r\nbot endpoints and increase the difficulty of dismantling the botnet. Figure 1 shows the Passive DNS\r\nrecords of AIRASHI CNC xlabsecurity.ru. 
It reveals that the CNC domain xlabsecurity.ru once resolved to 144 IPs distributed across 19 economies and 10 Autonomous System Numbers (ASNs).\r\nhttps://blog.apnic.net/2025/03/13/botnets-never-die/\r\nPage 1 of 14\n\nFigure 1 — xlabsecurity.ru Passive DNS records.\r\nExploitation details\r\nRelying on the capabilities of XLab’s large-scale threat awareness system, we observed that AIRASHI samples mainly spread through NDAY vulnerabilities and TELNET weak passwords, while also possessing the ability to exploit 0day vulnerabilities. Since June of last year, we have observed AIRASHI exploiting a 0day vulnerability in cnPilot routers to propagate its samples. Regarding this 0day vulnerability, we contacted the manufacturer in June of last year but received no response. To prevent its abuse, this article will withhold detailed information about the vulnerability.\r\nVulnerability\r\nAMTK Camera cmd.cgi Remote Code Execution\r\nGoogle Android ADB Debug Server – Remote Payload Execution\r\nAVTECH IP Camera / NVR / DVR Devices\r\ncve_2013_3307\r\ncve_2016_20016\r\ncve_2017_5259\r\ncve_2018_14558\r\ncve_2020_25499\r\ncve_2020_8515\r\ncve_2022_40005\r\ncve_2022_44149\r\ncve_2023_28771\r\nGargoyle Route run_commands.sh Remote Code Execution\r\nLILIN Digital Video Recorder Multiple Remote Code Execution\r\nCVE-2022-3573\r\ncnPilot 0DAY\r\nOptiLink ONT1GEW GPON 2.1.11_X101\r\nShenzhen TVT Digital Technology Co. Ltd \u0026 OEM {DVR/NVR/IPC} API RCE\r\nTable 1 — The vulnerabilities exploited by AIRASHI.\r\nDDoS capabilities and activity\r\nDDoS capabilities\r\nBotnet operators often showcase their attack capabilities through social media platforms such as Telegram, Discord, or forums, intending to attract potential customers or to intimidate competitors. 
To prove the attack capabilities of their botnets, some operators use third-party botnet attack measurement services for validation. They direct their botnets to attack servers provided by these measurement services. The measurement services then collect and analyse information such as the size of attack traffic, packet rates, geographic locations of the attack sources, ASNs, and attack methods. After receiving these statistics, the botnet operators post them on their social media platforms to demonstrate the power of their botnets.\r\nThe AIRASHI botnet uses this exact method to prove its attack capabilities. Figure 2 shows one of their attack capability demonstrations:\r\nFigure 2 — AISURU attack capabilities.\r\nThe statistics displayed on the image are as follows:\r\nCurrent attack peak: 3.11Tbps (270.52Mpps).\r\nTest user ID: 66XXXXXXXX (This ID corresponds to the Telegram channel administrator of the AIRASHI botnet).\r\nLast updated: 2025-01-13 20:20:04 UTC.\r\nAttack source: Brazil — 30.01%, Russian Federation — 24.51%, Viet Nam — 22.79%, Indonesia — 22.7%.\r\nThe operator of AIRASHI has been posting their DDoS capability test results on Telegram. From historical data, it can be observed that the attack capacity of the AIRASHI botnet remains stable at around 1-3Tbps.\r\nFigure 3 — AISURU attack capacity.\r\nDDoS activities\r\nThe attack targets of the AIRASHI botnet are spread globally across various industries, with the primary targets located in regions such as China, the United States, Poland, and Russia. There is no clear, strong targeting strategy. The botnet typically attacks several hundred targets each day.\r\nFigure 4 — Attack instruction trends.\r\nSample analysis\r\nThe AIRASHI botnet sample is frequently updated and has multiple versions. 
Some versions, in addition to supporting the main DDoS functionality and operating system command execution, also support proxy services. The following analysis focuses on kitty and AIRASHI, examining technical details of the botnet from aspects such as string decryption, C2 retrieval, communication protocols, and supported commands.\r\nPart 1: kitty-socks5\r\nThe kitty sample began spreading in early October 2024. Unlike previous AISURU samples, it features a simplified network protocol. By the end of October, it started using SOCKS5 proxies to communicate with the C2 server, encoding 250 proxies and 55 C2 addresses in the string table.\r\n0x1: Decryption of strings\r\nThere are no significant changes in the string decoding method; it still uses xor_bytes. However, the key has been modified to DEADBEEFCAFEBABE1234567890ABCDEF, and the number of entries in the string table has been reduced to 7.\r\nFigure 5 — kitty init table.\r\n0x2: How to get C2\r\nIn terms of C2 retrieval, the method of obtaining the C2 IP through HTTP was removed in early October 2024. The C2 string is still split using the | character, and as before, each domain is mapped to over 20 IP addresses. For example:\r\ndvrhelpers.su|ipcamlover.ru|xlabresearch.ru|xlabsecurity.ru\r\nHowever, after the addition of SOCKS5 at the end of October 2024, the string table was updated to include proxy entries. Both the C2 and proxy entries are now encoded as sequences of IP-PORT byte groups (four address bytes followed by two port bytes). For example, \\x7f\\x00\\x00\\x01\\x00\\x50 represents 127.0.0.1:80.\r\n0x3: Network protocol\r\nIn terms of the network protocol, it still uses a switch-case structure for handling different stages, similar to the Fodcha botnet.\r\nFigure 6 — kitty net switch.\r\nHowever, the communication process has been simplified. 
The latest sample uses a SOCKS5 proxy (with authentication) to access the C2 server.\r\nusername: jjktkegl\r\npassword: 2bd463maabw5\r\nThe original key exchange process has been removed, and the communication traffic is no longer encrypted. The startup packet is replaced with Kitty-Kitty-Kitty, and every two minutes a heartbeat packet cat is sent to the C2 server, which responds with meow!.\r\nFigure 7 — kitty’s communication protocol modification.\r\nThe command types still focus primarily on DDoS, with the addition of a reverse shell functionality. The command format hasn’t changed significantly. It still follows the cmdtype+payload structure, but the value of Cmdtype has been updated. Additionally, DDoS-related commands now include a new AttckID field.\r\nCmdtype Description\r\n0x13 reverse shell\r\n0x2c stop attack\r\n0x4b start attack\r\n0xaf exit\r\nTable 2 — Command type and description.\r\nPart 2: AIRASHI\r\nCurrently, three types of AIRASHI samples have been discovered:\r\n1. AIRASHI-DDoS: First identified in late October 2024, this sample primarily focuses on DDoS attacks but also allows arbitrary command execution and reverse shell access.\r\n2. Go-Proxisdk: First discovered in late November 2024, this is a proxy tool based on muxado written in Go.\r\n3. AIRASHI-Proxy: First identified in early December 2024, this is a heavily modified version of the AIRASHI-DDoS source code, using a private protocol to implement proxy functionality.\r\nAIRASHI shares some similarities with AISURU. If kitty is a streamlined version of AISURU, then AIRASHI seems to be an upgraded version. Since October 2024, it has been continuously updated. 
After developing the simple Go-Proxisdk, the custom protocol proxy tool AIRASHI-Proxy was developed, indicating an attempt to surprise us with entirely new features.\r\n0x1: RC4\r\nAIRASHI and AISURU share some common characteristics in string decryption. Both continue to use a 16-byte key, and the decryption algorithm employed is RC4. The first decrypted string is snow slide, and special strings are separated using the | character. The decryption method is the same for both the Proxy and DDoS versions, but the Proxy version contains significantly fewer strings.\r\nInterestingly, some unused strings in the code seem to reference our previous blog post. One of them includes a YouTube link to a conga dance track along with an invitation to dance. There’s also a message requesting XLab and foxnointel to name this variant “AIRASHI”.\r\n0 'snow slide'\r\n1 'telnetd|upnpc-static|udhcpc|/usr/bin/inetd|ntpclient|boa|lighttpd|httpd|goahead|mini_http|miniupnpd|dnsmasq|s\r\n2 '/dvrEncoder|/dvrRecorder|/dvrDecoder|/rtspd|/ptzcontrol|/dvrUpdater'\r\n3 'cve-2021-36260.ru'\r\n4 'honeybooterz.cve-2021-36260.ru'\r\n5 'stun.l.google.com:19302'\r\n6 '/proc/'\r\n7 '/proc/self/exe'\r\n8 '/proc/net/tcp'\r\n9 '/proc/mounts'\r\n10 '/cmdline'\r\n11 '/exe'\r\n12 '/status'\r\n13 '/fd/'\r\n14 'PPid:'\r\n15 '/bin/|/sbin/|/usr/|/snap/'\r\n16 'wget|curl|tftp|ftpget|reboot|chmod'\r\n17 '/bin/login'\r\n18 '/usr/bin/cat'\r\n19 'processor'\r\n20 '/proc/cpuinfo'\r\n21 '/bin/busybox echo AIRASHI \u003e /proc/sys/kernel/hostname'\r\n22 '/bin/busybox AIRASHI'\r\n23 'AIRASHI: applet not found'\r\n24 'abcdefghijklmnopqrstuvw012345678'\r\n25 'come on, shake your body xlab, do the conga'\r\n26 'i know you can't control yourself any longer'\r\n27 'https://www.youtube.com/watch?v=ODKTITUPusM'\r\n28 'dear researcher (xlab, foxnointel, ...), please refer to this malware as AIRASHI. thank you!'\r\n0x2: How to get C2\r\nAIRASHI uses three different methods to get C2:\r\n1. AIRASHI-DDoS (early development, late October 2024): The most basic method, using DNS servers to resolve the C2’s A record.\r\n2. AIRASHI-Proxy: Retrieves the C2’s TXT record from the DNS server and decodes the plaintext IP and port.\r\n3. AIRASHI-DDoS (late November 2024): Uses DNS servers to retrieve the C2’s TXT record, then base64-decodes it and decrypts the 4 bytes of the IP using ChaCha20. The port is hardcoded in the sample.\r\nFigure 8 — AIRASHI C2 TXT record.\r\nDNS_TXT_CHACHA20_KEY: 8E12DF8893A638354D851BCB46B5B7DC451C6F52066305AC641DE60C80D11850\r\nDNS_TXT_CHACHA20_NONCE: 941A247DDD53819F755FD59B\r\nIt is worth noting that on 3 December 2024, both the A and TXT records for C2 resolution existed simultaneously for AIRASHI-DDoS, and the decrypted TXT record corresponded to the A record. This may have been intended to maintain compatibility with previous versions, but it makes the encryption and encoding pointless.\r\n0x3: Network protocol\r\nAIRASHI uses a completely new network protocol that involves the HMAC-SHA256 and CHACHA20 algorithms. HMAC is used to verify the integrity of the message, while the negotiated CHACHA20_KEY is used to encrypt and decrypt the message. In the proxy version, HMAC is not used for message verification in the protocol part, but the rest of the protocol remains consistent with the DDoS version.\r\nCommunication with C2\r\nEach message is divided into two parts — a 32-byte HMAC checksum of the message and the message itself. As shown in Figure 9, the header part of the message is sent first to confirm the message type and length. 
If the message length is not zero, the Payload part is then sent.\r\nFigure 9 — AIRASHI message breakdown.\r\nThe communication process, like before, is controlled by a switch-case structure using status codes, and it is divided into four steps:\r\n1. Key negotiation — Obtain a 32-byte CHACHA20_KEY and a nonce. Subsequent messages are encrypted using CHACHA20, and the CHACHA20_KEY is also used as the key for HMAC-SHA256.\r\n2. Key confirmation — A message with type 1 is encrypted using CHACHA20 and sent. The returned message type is verified to ensure it is also type 1.\r\n3. Send startup packet — The architecture type is obtained by reading the ELF header. The structure of the startup packet is the C struct login { uint8 uk1; uint8 uk2; uint8 uk3; uint32 stunIP; uint32 botid_len; char botid[botid_len]; uint16 cpu_core_num; uint16 arch_type; }\r\n4. Check-in confirmation — The C2 returns a message with type 2. The actual traffic generated is shown in Figure 10.\r\nFigure 10 — AIRASHI network protocol.\r\nMessage type\r\nAIRASHI-DDoS supports a total of 13 message types, and the corresponding handling functions are stored in an array within the bot’s code. 
Some of the handling functions for certain message types are still incomplete, suggesting that they may still be under development.\r\nFigure 11 — AIRASHI message handler.\r\nAIRASHI DDoS supports the following 13 message types, with some reserved for future development:\r\nMSG_type Description\r\n0 Get Net Key\r\n1 Confirm Net Key\r\n2 Confirm Login\r\n3 Heartbeat\r\n4 Start Attack\r\n5 Exit\r\n6 Killer Report\r\n7 unknown\r\n8 unknown\r\n9 Disable Killer\r\n10 Enable Killer\r\n11 Exec Command\r\n12 Reverse Shell\r\nTable 3 — AIRASHI DDoS message types.\r\nOn the other hand, AIRASHI proxy supports only five message types, with the first four types being identical to those in AIRASHI DDoS.\r\nMSG_type Description\r\n0 Get Net Key\r\n1 Confirm Net Key\r\n2 Confirm Login\r\n3 Heartbeat\r\n4 Unknown\r\n5 Proxy\r\nTable 4 — AIRASHI proxy message types.\r\nDetection\r\nDue to the active exploitation of the cnPilot router 0day vulnerability, we are unable to provide further details. However, we are providing Snort rules to assist defenders in identifying exploitation attempts and potential infections in their environment.\r\nalert tcp any any -\u003e any any (msg:\"0DAY exploit #1 attempt\"; content:\"execute_script\"; content:\"sys_list\"; cont\r\nReaders are always welcome to reach us on X.\r\nWang Hao is a security researcher at XLab.\r\nAdapted from the original post on XLab.\r\nIndicators of Compromise (IOCs)\r\nC2\r\nxlabresearch.ru\r\nxlabsecurity.ru\r\nfoxthreatnointel.africa\r\nDownloader\r\n190.123.46.21 Panama|Panama|Panama AS52284|Panamaserver.com\r\n190.123.46.55 Panama|Panama|Panama AS52284|Panamaserver.com\r\n95.214.52.167 Poland|Mazowieckie|Warsaw AS201814|MEVSPACE sp. z o.o.\r\n162.220.163.14 United States|New Jersey|Secaucus AS19318|Interserver, Inc\r\nSource: https://blog.apnic.net/2025/03/13/botnets-never-die/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.apnic.net/2025/03/13/botnets-never-die/"
	],
	"report_names": [
		"botnets-never-die"
	],
	"threat_actors": [],
	"ts_created_at": 1775434923,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe4579c2aef364d4c55d4fef05b201b53a715ff4.pdf",
		"text": "https://archive.orkl.eu/fe4579c2aef364d4c55d4fef05b201b53a715ff4.txt",
		"img": "https://archive.orkl.eu/fe4579c2aef364d4c55d4fef05b201b53a715ff4.jpg"
	}
}