{
  "type": "MD5",
  "indicator": "4e8ca1efff2e4b79fb7db95d3971caaa",
  "general": {
    "sections": [
      "general",
      "analysis"
    ],
    "type": "md5",
    "type_title": "FileHash-MD5",
    "indicator": "4e8ca1efff2e4b79fb7db95d3971caaa",
    "validation": [],
    "base_indicator": {
      "id": 4066698636,
      "indicator": "4e8ca1efff2e4b79fb7db95d3971caaa",
      "type": "FileHash-MD5",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "68d5096c02da6fff718c6c50",
          "name": "The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU",
          "description": "The AISURU botnet has emerged as a formidable threat, capable of launching massive DDoS attacks reaching 11.5 Tbps. First disclosed in 2024, it expanded significantly in 2025 by compromising a router firmware update server. The botnet, with approximately 300,000 nodes, is operated by a group of three key figures. It exploits various vulnerabilities, including 0-days, to propagate and has targeted multiple industries worldwide. AISURU employs sophisticated anti-analysis techniques, encryption methods, and a custom network protocol. Beyond DDoS attacks, it has expanded into proxy services, indicating a shift towards diversified cybercriminal activities. The botnet's scale and capabilities make it a significant concern for global cybersecurity.",
          "modified": "2025-10-25T09:03:29.853000",
          "created": "2025-09-25T09:20:44.067000",
          "tags": [
            "cve-2017-5259",
            "encryption",
            "cve-2022-35733",
            "cve-2013-5948",
            "botnet",
            "vulnerabilities",
            "firmware",
            "aisuru",
            "cve-2013-1599",
            "cve-2023-28771",
            "airashi",
            "cve-2022-44149",
            "cve-2024-3721",
            "cybercrime",
            "cve-2013-3307",
            "proxy",
            "cve-2023-50381",
            "ddos",
            "router"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en"
          ],
          "public": 1,
          "adversary": "AISURU",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "AISURU",
              "display_name": "AISURU",
              "target": null
            },
            {
              "id": "AIRASHI",
              "display_name": "AIRASHI",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1587.001",
              "name": "Malware",
              "display_name": "T1587.001 - Malware"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1562.004",
              "name": "Disable or Modify System Firewall",
              "display_name": "T1562.004 - Disable or Modify System Firewall"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1588.001",
              "name": "Malware",
              "display_name": "T1588.001 - Malware"
            },
            {
              "id": "T1588.002",
              "name": "Tool",
              "display_name": "T1588.002 - Tool"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 9,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 5,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386483,
          "modified_text": "217 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "6947aab59d9ecdfe392a8878",
          "name": "Aisuru botnet: Early October attacks escalate into record-setting DDoS activity",
          "description": "The Aisuru botnet, a notably advanced Internet of Things (IoT)-based threat, has rapidly expanded to approximately 500,000 compromised devices, doubling in size within a month. The botnet employs a multifaceted infection strategy, which may include a firmware supply-chain compromise, to grow its network. By late October 2025, Aisuru had executed one of the largest and most sustained DDoS (Distributed Denial of Service) attacks on record, detected by Cloudflare. The attack involved a diverse array of devices, such as routers, DVRs, internet-connected cameras, and firewall appliances.\n\nCloudflare's analysis highlights a significant surge in hyper-volumetric DDoS attacks, primarily characterized by UDP (User Datagram Protocol) flood techniques. The DDoS attack record escalated dramatically from 4.2 Tbps in October 2024 to an unprecedented 29.7 Tbps just a year later\u2014a staggering increase of 707%.",
          "modified": "2026-01-20T08:04:26.478000",
          "created": "2025-12-21T08:07:17.529000",
          "tags": [
            "october",
            "cloudflare",
            "aisuru",
            "ddos",
            "tbps",
            "september",
            "ddos attack",
            "aisuru botnet",
            "http",
            "internet",
            "snow",
            "sha256 hash",
            "encryption key",
            "host artifact",
            "main",
            "domain",
            "initial c2",
            "rc4 key",
            "xor key",
            "c2 ips",
            "dns txt",
            "malware"
          ],
          "references": [
            "https://www.cloudflare.com/en-au/threat-intelligence/research/report/aisuru-botnet/"
          ],
          "public": 1,
          "adversary": "Aisuru",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Aisuru",
              "display_name": "Aisuru",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1498.001",
              "name": "Direct Network Flood",
              "display_name": "T1498.001 - Direct Network Flood"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1587.001",
              "name": "Malware",
              "display_name": "T1587.001 - Malware"
            }
          ],
          "industries": [
            "Telecommunications",
            "Information Technology",
            "Gaming"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 5,
            "domain": 7,
            "hostname": 21,
            "URL": 1
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "130 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d6557c3e90974f2364499f",
          "name": "IOC - The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU",
          "description": "",
          "modified": "2025-10-25T09:03:29.853000",
          "created": "2025-09-26T08:57:32.272000",
          "tags": [
            "cve-2017-5259",
            "encryption",
            "cve-2022-35733",
            "cve-2013-5948",
            "botnet",
            "vulnerabilities",
            "firmware",
            "aisuru",
            "cve-2013-1599",
            "cve-2023-28771",
            "airashi",
            "cve-2022-44149",
            "cve-2024-3721",
            "cybercrime",
            "cve-2013-3307",
            "proxy",
            "cve-2023-50381",
            "ddos",
            "router"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en"
          ],
          "public": 1,
          "adversary": "AISURU",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "AISURU",
              "display_name": "AISURU",
              "target": null
            },
            {
              "id": "AIRASHI",
              "display_name": "AIRASHI",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1587.001",
              "name": "Malware",
              "display_name": "T1587.001 - Malware"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1562.004",
              "name": "Disable or Modify System Firewall",
              "display_name": "T1562.004 - Disable or Modify System Firewall"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1588.001",
              "name": "Malware",
              "display_name": "T1588.001 - Malware"
            },
            {
              "id": "T1588.002",
              "name": "Tool",
              "display_name": "T1588.002 - Tool"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68d5096c02da6fff718c6c50",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 9,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 5,
            "domain": 2,
            "hostname": 1
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "217 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d4fd9f348de8b7b60b712c",
          "name": "The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU",
          "description": "AISURU is a massive botnet operating behind the scenes and is responsible for a record-breaking 11.5 Tbps DDoS attack, according to XLab, a leading security firm.",
          "modified": "2025-10-25T08:03:14.175000",
          "created": "2025-09-25T08:30:23.213000",
          "tags": [
            "ddos",
            "en",
            "botnet",
            "aisuru",
            "april",
            "aisuru group",
            "xlab",
            "cyber threat",
            "insight",
            "analysis system",
            "snow",
            "forky",
            "rapperbot",
            "august",
            "june",
            "flex",
            "scale mega",
            "airashi",
            "fodcha"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/"
          ],
          "public": 1,
          "adversary": "AISURU",
          "targeted_countries": [
            "China",
            "United States of America",
            "Germany",
            "United Kingdom of Great Britain and Northern Ireland",
            "Hong Kong"
          ],
          "malware_families": [
            {
              "id": "Scale Mega",
              "display_name": "Scale Mega",
              "target": null
            },
            {
              "id": "AIRASHI",
              "display_name": "AIRASHI",
              "target": null
            },
            {
              "id": "Fodcha",
              "display_name": "Fodcha",
              "target": null
            },
            {
              "id": "AISURU",
              "display_name": "AISURU",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 9,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 5,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 865,
          "modified_text": "217 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "68cb975b89dda61b245d3084",
          "name": "IOC - The Strongest Ever? Unveiling the Inside Story of the 11.5T Ultra-Large Botnet AISURU (pulse by celestre)",
          "description": "Since 2025, global DDoS attack bandwidth peaks have continuously broken historical records, soaring from 3.12 Tbps at the beginning of the year to a staggering 11.5 Tbps recently. A botnet called AISURU has been observed operating behind numerous high-impact or record-breaking attacks. The AISURU botnet was first disclosed by XLab in August 2024 and was involved in DDoS attacks targeting the distribution platform of \"Black Myth: Wukong.\" Since March of this year, XLab's large-scale threat monitoring platform has continuously captured new samples of this botnet. Multiple sources indicate that the group behind it allegedly compromised a router firmware upgrade server in April and expanded the botnet by distributing malicious scripts. The current number of nodes is reportedly 300,000. (by celestre)",
          "modified": "2025-10-18T05:05:51.583000",
          "created": "2025-09-18T05:23:39.346000",
          "tags": [
            "communications",
            "proxy relay",
            "limited",
            "ltd sample",
            "hlavni",
            "frombase64",
            "azaz09",
            "standard",
            "tohex",
            "changeipformat",
            "as206509|kcom",
            "relay",
            "relay c2"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Czechia"
          ],
          "malware_families": [
            {
              "id": "AS206509|KCOM",
              "display_name": "AS206509|KCOM",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 4,
            "domain": 1,
            "hostname": 6
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "225 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "68caae78d3593b48aef360e1",
          "name": "The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet",
          "description": "The AISURU botnet has emerged as a significant player in the landscape of distributed denial-of-service (DDoS) attacks, achieving unprecedented bandwidth with peak operations reaching 11.5 Tbps. Since its inception, the botnet has been linked to numerous high-profile attacks, notably due to a coalition of key figures known only by codenames: Snow, Tom, and Forky. These individuals reportedly joined forces in 2022, exploiting each other\u2019s weaknesses to scale their operations.",
          "modified": "2025-10-17T12:19:24.678000",
          "created": "2025-09-17T12:50:00.783000",
          "tags": [
            "en",
            "ddos",
            "botnet",
            "aisuru",
            "april",
            "aisuru group",
            "xlab",
            "cyber threat",
            "insight",
            "analysis system",
            "snow",
            "forky",
            "rapperbot",
            "august",
            "june",
            "flex",
            "scale mega",
            "airashi",
            "fodcha"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Germany",
            "United Kingdom of Great Britain and Northern Ireland",
            "Hong Kong"
          ],
          "malware_families": [
            {
              "id": "Scale Mega",
              "display_name": "Scale Mega",
              "target": null
            },
            {
              "id": "AIRASHI",
              "display_name": "AIRASHI",
              "target": null
            },
            {
              "id": "Fodcha",
              "display_name": "Fodcha",
              "target": null
            },
            {
              "id": "AISURU",
              "display_name": "AISURU",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 9,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 4,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "225 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c8ff7f04c964429d0c5bc7",
          "name": "IOC - \u53f2\u4e0a\u6700\u5f3a\uff1f\u63ed\u79d811.5T\u7ea7\u8d85\u5927\u89c4\u6a21\u50f5\u5c38\u7f51\u7edcAISURU\u7684\u5185\u5e55",
          "description": "2025\u5e74\u4ee5\u6765\uff0c\u5168\u7403DDoS\u653b\u51fb\u7684\u5e26\u5bbd\u5cf0\u503c\u4e0d\u65ad\u5237\u65b0\u5386\u53f2\u7eaa\u5f55\uff0c\u4ece\u5e74\u521d\u76843.12 Tbps\u4e00\u8def\u98d9\u5347\u81f3\u8fd1\u65e5\u60ca\u4eba\u768411.5 Tbps\u3002\u5728\u591a\u8d77\u5177\u6709\u9ad8\u5f71\u54cd\u529b\u6216\u6253\u7834\u6d41\u91cf\u7eaa\u5f55\u7684\u653b\u51fb\u4e8b\u4ef6\u4e2d\uff0c\u6211\u4eec\u5747\u76d1\u6d4b\u5230\u4e00\u4e2a\u540d\u4e3aAISURU\u7684\u50f5\u5c38\u7f51\u7edc\u5728\u5e55\u540e\u9891\u7e41\u6d3b\u52a8\u3002\nAISURU\u50f5\u5c38\u7f51\u7edc\u6700\u521d\u4e8e2024\u5e748\u6708\u7531XLab\u9996\u6b21\u62ab\u9732\uff0c\u66fe\u53c2\u4e0e\u9488\u5bf9\u300a\u9ed1\u795e\u8bdd\uff1a\u609f\u7a7a\u300b\u53d1\u884c\u5e73\u53f0\u7684DDoS\u653b\u51fb\u3002\u81ea\u4eca\u5e743\u6708\u4ee5\u6765\uff0cXLab\u5927\u7f51\u5a01\u80c1\u76d1\u6d4b\u5e73\u53f0\u6301\u7eed\u6355\u83b7\u5230\u8be5\u50f5\u5c38\u7f51\u7edc\u7684\u65b0\u6837\u672c\u3002\u591a\u65b9\u4fe1\u606f\u663e\u793a\uff0c\u5176\u80cc\u540e\u56e2\u4f19\u57284\u6708\u6d89\u5acc\u5165\u4fb5\u67d0\u54c1\u724c\u8def\u7531\u5668\u56fa\u4ef6\u5347\u7ea7\u670d\u52a1\u5668\uff0c\u901a\u8fc7\u4e0b\u53d1\u6076\u610f\u811a\u672c\u8fdb\u4e00\u6b65\u6269\u5c55\u50f5\u5c38\u7f51\u7edc\u89c4\u6a21\uff0c\u5f53\u524d\u8282\u70b9\u6570\u91cf\u636e\u79f0\u5df2\u8fbe30\u4e07\u3002",
          "modified": "2025-10-16T06:00:33.444000",
          "created": "2025-09-16T06:11:11.148000",
          "tags": [
            "communications",
            "proxy relay",
            "limited",
            "hlavni",
            "ltd sample",
            "frombase64",
            "azaz09",
            "standard",
            "tohex",
            "changeipformat",
            "as206509|kcom",
            "relay c2"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Czechia"
          ],
          "malware_families": [
            {
              "id": "AS206509|KCOM",
              "display_name": "AS206509|KCOM",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 4,
            "domain": 1,
            "hostname": 6
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "226 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c857f885d21054968a5343",
          "name": "The strongest in history? Revealing the inside story of AISURU, a super-large botnet in 11.5T",
          "description": "The AISURU botnet has emerged as a significant player in the landscape of DDoS attacks, showcasing a peak bandwidth of 11.5 Tbps in 2025, establishing a new record for such incidents. The botnet is believed to be orchestrated by a group known as the AISURU gang, comprising members codenamed Snow, Tom, and Forky, who have collaborated since 2022 on various underworld projects. Anonymous sources have provided valuable insights into the operations of this botnet, which, despite the difficulty in validating these claims, have been corroborated by advanced monitoring techniques employed by security analysts.\n\nThe AISURU gang has utilized a variety of attack vectors and malicious scripts, such as a downloader domain named http://updatetoto.tw, which significantly increased its global rank due to successful infections. One notable attack tracked involved a traffic hit of 11.5 Tbps targeting the IP address 185.211.78.117, showcasing the substantial capabilities of the botnet.",
          "modified": "2025-10-15T18:01:02.043000",
          "created": "2025-09-15T18:16:24.159000",
          "tags": [
            "ddos",
            "botnet",
            "huge",
            "cn",
            "zyxel",
            "ilovegaysex",
            "aisuru",
            "aisuru3snow",
            "tunnel aisuru",
            "ispddos",
            "340k",
            "bot303",
            "welcome",
            "ethan",
            "flex",
            "killer",
            "communications",
            "proxy relay",
            "limited",
            "hlavni",
            "ltd sample"
          ],
          "references": [
            "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1090.003",
              "name": "Multi-hop Proxy",
              "display_name": "T1090.003 - Multi-hop Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1583.006",
              "name": "Web Services",
              "display_name": "T1583.006 - Web Services"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 9,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 4,
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "227 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "681bf4a692b47e56e45b7df1",
          "name": "ACTIVIDAD MALICIOSA | Relacionada con Mirai 07-05-2024",
          "description": "Mirai fue una botnet, una red de dispositivos conectados a internet, que se utiliz\u00f3 para llevar a cabo ataques masivos y disruptivos. Su principal enfoque estaba en dispositivos de Internet de las cosas (IoT), como c\u00e1maras de seguridad y enrutadores, que a menudo ten\u00edan contrase\u00f1as d\u00e9biles o predeterminadas. Mirai escaneaba la web en busca de estos dispositivos vulnerables y los incorporaba a su red, creando as\u00ed un ej\u00e9rcito de bots. Luego, los hackers que controlaban Mirai pod\u00edan utilizar esta red para lanzar ataques de denegaci\u00f3n de servicio distribuidos (DDoS), los cuales abrumaban los servidores y causaban interrupciones en servicios en l\u00ednea, sitios web y plataformas. Este incidente resalt\u00f3 la importancia de asegurar adecuadamente los dispositivos IoT para prevenir el abuso de botnets como Mirai.",
          "modified": "2025-05-08T00:02:46.191000",
          "created": "2025-05-08T00:02:46.191000",
          "tags": [
            "ta0001",
            "ta0007",
            "ta0011",
            "command",
            "control",
            "ta0040",
            "t1010",
            "t1190",
            "exploit",
            "t1498",
            "service"
          ],
          "references": [
            "https://darfe.es/ciberwiki/index.php?title=Mirai",
            "https://www.virustotal.com/graph/embed/g11570a1d01cb42d5aa0107b31f2874f9b269cb3939db45879748f1b89b2f7ba5?theme=light"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1595",
              "name": "Active Scanning",
              "display_name": "T1595 - Active Scanning"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5248,
            "FileHash-SHA1": 5248,
            "FileHash-SHA256": 5248
          },
          "indicator_count": 15744,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 268,
          "modified_text": "388 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.cloudflare.com/en-au/threat-intelligence/research/report/aisuru-botnet/",
        "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru/",
        "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/",
        "https://www.virustotal.com/graph/embed/g11570a1d01cb42d5aa0107b31f2874f9b269cb3939db45879748f1b89b2f7ba5?theme=light",
        "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en",
        "https://darfe.es/ciberwiki/index.php?title=Mirai"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "AISURU"
          ],
          "malware_families": [
            "Airashi",
            "Aisuru"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "AISURU",
            "Aisuru"
          ],
          "malware_families": [
            "Fodcha",
            "Scale mega",
            "Mirai",
            "Airashi",
            "Aisuru",
            "As206509|kcom"
          ],
          "industries": [
            "Gaming",
            "Telecommunications",
            "Information technology"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "68d5096c02da6fff718c6c50",
      "name": "The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU",
      "description": "The AISURU botnet has emerged as a formidable threat, capable of launching massive DDoS attacks reaching 11.5 Tbps. First disclosed in 2024, it expanded significantly in 2025 by compromising a router firmware update server. The botnet, with approximately 300,000 nodes, is operated by a group of three key figures. It exploits various vulnerabilities, including 0-days, to propagate and has targeted multiple industries worldwide. AISURU employs sophisticated anti-analysis techniques, encryption methods, and a custom network protocol. Beyond DDoS attacks, it has expanded into proxy services, indicating a shift towards diversified cybercriminal activities. The botnet's scale and capabilities make it a significant concern for global cybersecurity.",
      "modified": "2025-10-25T09:03:29.853000",
      "created": "2025-09-25T09:20:44.067000",
      "tags": [
        "cve-2017-5259",
        "encryption",
        "cve-2022-35733",
        "cve-2013-5948",
        "botnet",
        "vulnerabilities",
        "firmware",
        "aisuru",
        "cve-2013-1599",
        "cve-2023-28771",
        "airashi",
        "cve-2022-44149",
        "cve-2024-3721",
        "cybercrime",
        "cve-2013-3307",
        "proxy",
        "cve-2023-50381",
        "ddos",
        "router"
      ],
      "references": [
        "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en"
      ],
      "public": 1,
      "adversary": "AISURU",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "AISURU",
          "display_name": "AISURU",
          "target": null
        },
        {
          "id": "AIRASHI",
          "display_name": "AIRASHI",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1587.001",
          "name": "Malware",
          "display_name": "T1587.001 - Malware"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1562.004",
          "name": "Disable or Modify System Firewall",
          "display_name": "T1562.004 - Disable or Modify System Firewall"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1588.001",
          "name": "Malware",
          "display_name": "T1588.001 - Malware"
        },
        {
          "id": "T1588.002",
          "name": "Tool",
          "display_name": "T1588.002 - Tool"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1213",
          "name": "Data from Information Repositories",
          "display_name": "T1213 - Data from Information Repositories"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 9,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 5,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386483,
      "modified_text": "217 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "6947aab59d9ecdfe392a8878",
      "name": "Aisuru botnet: Early October attacks escalate into record-setting DDoS activity",
      "description": "The Aisuru botnet, a notably advanced Internet of Things (IoT)-based threat, has rapidly expanded to approximately 500,000 compromised devices, doubling in size within a month. The botnet employs a multifaceted infection strategy, which may include a firmware supply-chain compromise, to grow its network. By late October 2025, Aisuru had executed one of the largest and most sustained DDoS (Distributed Denial of Service) attacks on record, detected by Cloudflare. The attack involved a diverse array of devices, such as routers, DVRs, internet-connected cameras, and firewall appliances.\n\nCloudflare's analysis highlights a significant surge in hyper-volumetric DDoS attacks, primarily characterized by UDP (User Datagram Protocol) flood techniques. The DDoS attack record escalated dramatically from 4.2 Tbps in October 2024 to an unprecedented 29.7 Tbps just a year later \u2014 a staggering increase of 707%.",
      "modified": "2026-01-20T08:04:26.478000",
      "created": "2025-12-21T08:07:17.529000",
      "tags": [
        "october",
        "cloudflare",
        "aisuru",
        "ddos",
        "tbps",
        "september",
        "ddos attack",
        "aisuru botnet",
        "http",
        "internet",
        "snow",
        "sha256 hash",
        "encryption key",
        "host artifact",
        "main",
        "domain",
        "initial c2",
        "rc4 key",
        "xor key",
        "c2 ips",
        "dns txt",
        "malware"
      ],
      "references": [
        "https://www.cloudflare.com/en-au/threat-intelligence/research/report/aisuru-botnet/"
      ],
      "public": 1,
      "adversary": "Aisuru",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Aisuru",
          "display_name": "Aisuru",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1498.001",
          "name": "Direct Network Flood",
          "display_name": "T1498.001 - Direct Network Flood"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1587.001",
          "name": "Malware",
          "display_name": "T1587.001 - Malware"
        }
      ],
      "industries": [
        "Telecommunications",
        "Information Technology",
        "Gaming"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 5,
        "domain": 7,
        "hostname": 21,
        "URL": 1
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "130 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d6557c3e90974f2364499f",
      "name": "IOC - The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU",
      "description": "",
      "modified": "2025-10-25T09:03:29.853000",
      "created": "2025-09-26T08:57:32.272000",
      "tags": [
        "cve-2017-5259",
        "encryption",
        "cve-2022-35733",
        "cve-2013-5948",
        "botnet",
        "vulnerabilities",
        "firmware",
        "aisuru",
        "cve-2013-1599",
        "cve-2023-28771",
        "airashi",
        "cve-2022-44149",
        "cve-2024-3721",
        "cybercrime",
        "cve-2013-3307",
        "proxy",
        "cve-2023-50381",
        "ddos",
        "router"
      ],
      "references": [
        "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en"
      ],
      "public": 1,
      "adversary": "AISURU",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "AISURU",
          "display_name": "AISURU",
          "target": null
        },
        {
          "id": "AIRASHI",
          "display_name": "AIRASHI",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1587.001",
          "name": "Malware",
          "display_name": "T1587.001 - Malware"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1562.004",
          "name": "Disable or Modify System Firewall",
          "display_name": "T1562.004 - Disable or Modify System Firewall"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1588.001",
          "name": "Malware",
          "display_name": "T1588.001 - Malware"
        },
        {
          "id": "T1588.002",
          "name": "Tool",
          "display_name": "T1588.002 - Tool"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1213",
          "name": "Data from Information Repositories",
          "display_name": "T1213 - Data from Information Repositories"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68d5096c02da6fff718c6c50",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 9,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 5,
        "domain": 2,
        "hostname": 1
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "217 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d4fd9f348de8b7b60b712c",
      "name": "The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU",
      "description": "AISURU is a massive botnet operating behind the scenes and is responsible for a record-breaking 11.5 Tbps DDoS attack, according to XLab, a leading security firm.",
      "modified": "2025-10-25T08:03:14.175000",
      "created": "2025-09-25T08:30:23.213000",
      "tags": [
        "ddos",
        "en",
        "botnet",
        "aisuru",
        "april",
        "aisuru group",
        "xlab",
        "cyber threat",
        "insight",
        "analysis system",
        "snow",
        "forky",
        "rapperbot",
        "august",
        "june",
        "flex",
        "scale mega",
        "airashi",
        "fodcha"
      ],
      "references": [
        "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/"
      ],
      "public": 1,
      "adversary": "AISURU",
      "targeted_countries": [
        "China",
        "United States of America",
        "Germany",
        "United Kingdom of Great Britain and Northern Ireland",
        "Hong Kong"
      ],
      "malware_families": [
        {
          "id": "Scale Mega",
          "display_name": "Scale Mega",
          "target": null
        },
        {
          "id": "AIRASHI",
          "display_name": "AIRASHI",
          "target": null
        },
        {
          "id": "Fodcha",
          "display_name": "Fodcha",
          "target": null
        },
        {
          "id": "AISURU",
          "display_name": "AISURU",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 9,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 5,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 28,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 865,
      "modified_text": "217 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "68cb975b89dda61b245d3084",
      "name": "IOC - The Strongest Ever? Unveiling the Inside Story of the 11.5T Ultra-Large Botnet AISURU (pulse by celestre)",
      "description": "Since 2025, global DDoS attack bandwidth peaks have continuously broken historical records, soaring from 3.12 Tbps at the beginning of the year to a staggering 11.5 Tbps recently. A botnet called AISURU has been observed operating behind numerous high-impact or record-breaking attacks. The AISURU botnet was first disclosed by XLab in August 2024 and was involved in DDoS attacks targeting the distribution platform of \"Black Myth: Wukong.\" Since March of this year, XLab's large-scale threat monitoring platform has continuously captured new samples of this botnet. Multiple sources indicate that the group behind it allegedly compromised a router firmware upgrade server in April and expanded the botnet by distributing malicious scripts. The current number of nodes is reportedly 300,000. (by celestre)",
      "modified": "2025-10-18T05:05:51.583000",
      "created": "2025-09-18T05:23:39.346000",
      "tags": [
        "communications",
        "proxy relay",
        "limited",
        "ltd sample",
        "hlavni",
        "frombase64",
        "azaz09",
        "standard",
        "tohex",
        "changeipformat",
        "as206509|kcom",
        "relay",
        "relay c2"
      ],
      "references": [
        "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Czechia"
      ],
      "malware_families": [
        {
          "id": "AS206509|KCOM",
          "display_name": "AS206509|KCOM",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 4,
        "domain": 1,
        "hostname": 6
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "225 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "68caae78d3593b48aef360e1",
      "name": "The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet",
      "description": "The AISURU botnet has emerged as a significant player in the landscape of distributed denial-of-service (DDoS) attacks, achieving unprecedented bandwidth with peak operations reaching 11.5 Tbps. Since its inception, the botnet has been linked to numerous high-profile attacks, notably due to a coalition of key figures known only by codenames: Snow, Tom, and Forky. These individuals reportedly joined forces in 2022, exploiting each other\u2019s weaknesses to scale their operations.",
      "modified": "2025-10-17T12:19:24.678000",
      "created": "2025-09-17T12:50:00.783000",
      "tags": [
        "en",
        "ddos",
        "botnet",
        "aisuru",
        "april",
        "aisuru group",
        "xlab",
        "cyber threat",
        "insight",
        "analysis system",
        "snow",
        "forky",
        "rapperbot",
        "august",
        "june",
        "flex",
        "scale mega",
        "airashi",
        "fodcha"
      ],
      "references": [
        "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Germany",
        "United Kingdom of Great Britain and Northern Ireland",
        "Hong Kong"
      ],
      "malware_families": [
        {
          "id": "Scale Mega",
          "display_name": "Scale Mega",
          "target": null
        },
        {
          "id": "AIRASHI",
          "display_name": "AIRASHI",
          "target": null
        },
        {
          "id": "Fodcha",
          "display_name": "Fodcha",
          "target": null
        },
        {
          "id": "AISURU",
          "display_name": "AISURU",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 9,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 4,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "225 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "68c8ff7f04c964429d0c5bc7",
      "name": "IOC - \u53f2\u4e0a\u6700\u5f3a\uff1f\u63ed\u79d811.5T\u7ea7\u8d85\u5927\u89c4\u6a21\u50f5\u5c38\u7f51\u7edcAISURU\u7684\u5185\u5e55",
      "description": "2025\u5e74\u4ee5\u6765\uff0c\u5168\u7403DDoS\u653b\u51fb\u7684\u5e26\u5bbd\u5cf0\u503c\u4e0d\u65ad\u5237\u65b0\u5386\u53f2\u7eaa\u5f55\uff0c\u4ece\u5e74\u521d\u76843.12 Tbps\u4e00\u8def\u98d9\u5347\u81f3\u8fd1\u65e5\u60ca\u4eba\u768411.5 Tbps\u3002\u5728\u591a\u8d77\u5177\u6709\u9ad8\u5f71\u54cd\u529b\u6216\u6253\u7834\u6d41\u91cf\u7eaa\u5f55\u7684\u653b\u51fb\u4e8b\u4ef6\u4e2d\uff0c\u6211\u4eec\u5747\u76d1\u6d4b\u5230\u4e00\u4e2a\u540d\u4e3aAISURU\u7684\u50f5\u5c38\u7f51\u7edc\u5728\u5e55\u540e\u9891\u7e41\u6d3b\u52a8\u3002\nAISURU\u50f5\u5c38\u7f51\u7edc\u6700\u521d\u4e8e2024\u5e748\u6708\u7531XLab\u9996\u6b21\u62ab\u9732\uff0c\u66fe\u53c2\u4e0e\u9488\u5bf9\u300a\u9ed1\u795e\u8bdd\uff1a\u609f\u7a7a\u300b\u53d1\u884c\u5e73\u53f0\u7684DDoS\u653b\u51fb\u3002\u81ea\u4eca\u5e743\u6708\u4ee5\u6765\uff0cXLab\u5927\u7f51\u5a01\u80c1\u76d1\u6d4b\u5e73\u53f0\u6301\u7eed\u6355\u83b7\u5230\u8be5\u50f5\u5c38\u7f51\u7edc\u7684\u65b0\u6837\u672c\u3002\u591a\u65b9\u4fe1\u606f\u663e\u793a\uff0c\u5176\u80cc\u540e\u56e2\u4f19\u57284\u6708\u6d89\u5acc\u5165\u4fb5\u67d0\u54c1\u724c\u8def\u7531\u5668\u56fa\u4ef6\u5347\u7ea7\u670d\u52a1\u5668\uff0c\u901a\u8fc7\u4e0b\u53d1\u6076\u610f\u811a\u672c\u8fdb\u4e00\u6b65\u6269\u5c55\u50f5\u5c38\u7f51\u7edc\u89c4\u6a21\uff0c\u5f53\u524d\u8282\u70b9\u6570\u91cf\u636e\u79f0\u5df2\u8fbe30\u4e07\u3002",
      "modified": "2025-10-16T06:00:33.444000",
      "created": "2025-09-16T06:11:11.148000",
      "tags": [
        "communications",
        "proxy relay",
        "limited",
        "hlavni",
        "ltd sample",
        "frombase64",
        "azaz09",
        "standard",
        "tohex",
        "changeipformat",
        "as206509|kcom",
        "relay c2"
      ],
      "references": [
        "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Czechia"
      ],
      "malware_families": [
        {
          "id": "AS206509|KCOM",
          "display_name": "AS206509|KCOM",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 4,
        "domain": 1,
        "hostname": 6
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "226 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "68c857f885d21054968a5343",
      "name": "The strongest in history? Revealing the inside story of AISURU, a super-large botnet in 11.5T",
      "description": "The AISURU botnet has emerged as a significant player in the landscape of DDoS attacks, showcasing a peak bandwidth of 11.5 Tbps in 2025, establishing a new record for such incidents. The botnet is believed to be orchestrated by a group known as the AISURU gang, comprising members codenamed Snow, Tom, and Forky, who have collaborated since 2022 on various underworld projects. Anonymous sources have provided valuable insights into the operations of this botnet, which, despite the difficulty in validating these claims, have been corroborated by advanced monitoring techniques employed by security analysts.\n\nThe AISURU gang has utilized a variety of attack vectors and malicious scripts, such as a downloader domain named http://updatetoto.tw, which significantly increased its global rank due to successful infections. One notable attack tracked involved a traffic hit of 11.5 Tbps targeting the IP address 185.211.78.117, showcasing the substantial capabilities of the botnet.",
      "modified": "2025-10-15T18:01:02.043000",
      "created": "2025-09-15T18:16:24.159000",
      "tags": [
        "ddos",
        "botnet",
        "huge",
        "cn",
        "zyxel",
        "ilovegaysex",
        "aisuru",
        "aisuru3snow",
        "tunnel aisuru",
        "ispddos",
        "340k",
        "bot303",
        "welcome",
        "ethan",
        "flex",
        "killer",
        "communications",
        "proxy relay",
        "limited",
        "hlavni",
        "ltd sample"
      ],
      "references": [
        "https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1090.003",
          "name": "Multi-hop Proxy",
          "display_name": "T1090.003 - Multi-hop Proxy"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1583.006",
          "name": "Web Services",
          "display_name": "T1583.006 - Web Services"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 9,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 4,
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "227 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "681bf4a692b47e56e45b7df1",
      "name": "ACTIVIDAD MALICIOSA | Relacionada con Mirai 07-05-2024",
      "description": "Mirai fue una botnet, una red de dispositivos conectados a internet, que se utiliz\u00f3 para llevar a cabo ataques masivos y disruptivos. Su principal enfoque estaba en dispositivos de Internet de las cosas (IoT), como c\u00e1maras de seguridad y enrutadores, que a menudo ten\u00edan contrase\u00f1as d\u00e9biles o predeterminadas. Mirai escaneaba la web en busca de estos dispositivos vulnerables y los incorporaba a su red, creando as\u00ed un ej\u00e9rcito de bots. Luego, los hackers que controlaban Mirai pod\u00edan utilizar esta red para lanzar ataques de denegaci\u00f3n de servicio distribuidos (DDoS), los cuales abrumaban los servidores y causaban interrupciones en servicios en l\u00ednea, sitios web y plataformas. Este incidente resalt\u00f3 la importancia de asegurar adecuadamente los dispositivos IoT para prevenir el abuso de botnets como Mirai.",
      "modified": "2025-05-08T00:02:46.191000",
      "created": "2025-05-08T00:02:46.191000",
      "tags": [
        "ta0001",
        "ta0007",
        "ta0011",
        "command",
        "control",
        "ta0040",
        "t1010",
        "t1190",
        "exploit",
        "t1498",
        "service"
      ],
      "references": [
        "https://darfe.es/ciberwiki/index.php?title=Mirai",
        "https://www.virustotal.com/graph/embed/g11570a1d01cb42d5aa0107b31f2874f9b269cb3939db45879748f1b89b2f7ba5?theme=light"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1595",
          "name": "Active Scanning",
          "display_name": "T1595 - Active Scanning"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5248,
        "FileHash-SHA1": 5248,
        "FileHash-SHA256": 5248
      },
      "indicator_count": 15744,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 268,
      "modified_text": "388 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "4e8ca1efff2e4b79fb7db95d3971caaa",
    "type": "Hash"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "4e8ca1efff2e4b79fb7db95d3971caaa",
    "found": true,
    "verdict": "malicious",
    "file_type": "elf",
    "file_size": "125572",
    "md5": "4e8ca1efff2e4b79fb7db95d3971caaa",
    "sha256": "201d872e05f45062f3b18f1cb2bca7d5fe3811e7e6d4b8616d565a011fba091d",
    "signature": "Mirai",
    "first_seen": "2025-04-17",
    "last_seen": "2025-04-18",
    "url_count": "2",
    "urls": [
      {
        "url": "http://103.188.82.240/arm7",
        "status": "offline",
        "threat": "",
        "date_added": "",
        "tags": []
      },
      {
        "url": "http://95.215.108.183/skid.armv7l",
        "status": "offline",
        "threat": "",
        "date_added": "",
        "tags": []
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780206334.5385096
}