Ethical Hacking News
The Aisuru botnet has abandoned its traditional DDoS attacks in favor of renting infected IoT devices as residential proxies for cybercriminals, raising significant concerns about data scraping and AI-powered exploitation. As these networks continue to grow in influence, it's essential that we develop effective strategies to counter their impact on our digital infrastructure.
The Aisuru botnet has abandoned traditional DDoS attacks and is now renting infected IoT devices as residential proxies for cybercriminals.
The botnet has spread to at least 700,000 IoT systems, including poorly secured internet routers and security cameras.
Aisuru launched a record-breaking DDoS attack on KrebsOnSecurity.com in June, clocking an astonishing 6.3 terabits per second.
The botnet's operators have demonstrated capabilities of nearly 30 terabits of data per second, far beyond the mitigation capabilities of most Internet destinations.
Residential proxy networks allow paying customers to route their internet communications through someone else's device, providing anonymity and avoiding detection.
The rise of residential proxy networks has significant implications for the AI industry, which relies heavily on content scraping to collect data.
Cybercriminals are using these proxy networks to overwhelm targeted hosts with junk requests from all compromised systems simultaneously.
Cloudflare is experimenting with a "pay-per-crawl" feature to deter AI crawlers and provide an additional layer of security.
Reddit has sued Oxylabs and several other proxy providers for enabling the mass-scraping of user content despite efforts to block such activity.
In a significant shift in tactics, the notorious Aisuru botnet has abandoned its traditional approach of launching massive distributed denial-of-service (DDoS) attacks and instead turned to renting hundreds of thousands of infected Internet of Things (IoT) devices as residential proxies for cybercriminals. This new strategy has left security experts scrambling to adapt to the evolving threat landscape.
First identified in August 2024, Aisuru has managed to spread to at least 700,000 IoT systems, including poorly secured internet routers and security cameras. The botnet's operators have utilized their massive network of infected devices to overwhelm targeted hosts with bursts of junk requests from all compromised systems simultaneously, leaving a trail of destruction in their wake.
In June, Aisuru launched a DDoS attack on KrebsOnSecurity.com that clocked an astonishing 6.3 terabits per second, the largest attack ever mitigated by Google at the time. This formidable assault underscored the sheer power and menace of Aisuru's capabilities. The botnet's operators have continued to push the boundaries, demonstrating DDoS capabilities of nearly 30 terabits of data per second, far beyond the mitigation capabilities of most Internet destinations.
These digital sieges have had a particularly significant impact on U.S.-based internet service providers (ISPs), as Aisuru recently took over a large number of IoT devices in the United States. The volume of outgoing traffic from infected systems on these ISPs can disrupt or degrade internet services for adjacent non-botted customers, leaving many without access to essential online resources.
In recent months, experts have observed a marked increase in the use of residential proxies by content scrapers seeking to exploit AI projects. These proxy networks allow paying customers to route their internet communications through someone else's device, providing anonymity and the ability to appear as regular Internet users in almost any major city worldwide.
Benjamin Brundage, founder of Synthient, a startup that helps companies detect proxy networks, notes that nearly all lesser-known proxy services have evolved into highly incestuous bandwidth resellers. These providers offer SDKs that other app developers can bundle with their code to earn revenue from forwarding traffic from proxy service customers.
Brundage explains that these proxy providers operate under the corporate umbrella known as "HK Network," which includes brands such as IPidea, ABCProxy, Roxlabs, LunaProxy, PIA S5 Proxy, PyProxy, 922Proxy, 360Proxy, IP2World, and Cherry Proxy. IPidea is reportedly the world's largest residential proxy service.
"The way it works is that there's this whole reseller ecosystem, where IPidea will be incredibly aggressive and approach all these proxy providers with the offer, 'Hey, if you guys buy bandwidth from us, we'll give you these amazing reseller prices,'" Brundage notes. "But they're also very aggressive in recruiting resellers for their apps."
Synthient's research has revealed a complex web of relationships between these proxy providers, with some operating their own SDKs and others relying on third-party developers to forward traffic from customers.
One notable example is 922S5Proxy, which bears a striking resemblance to the now-defunct 911S5Proxy service. 911S5Proxy was once a popular choice among cybercriminals but ultimately ceased operations after its servers were hacked. The apparent owner and manager of 911S5Proxy at the time was Yunhe Wang from Beijing.
It appears that IPidea has taken over as the prominent player in this space, with Brundage identifying it as the world's largest residential proxy service. This network is comprised of numerous sub-brands, including ABCProxy, Roxlabs, LunaProxy, PIA S5 Proxy, PyProxy, 922Proxy, 360Proxy, IP2World, and Cherry Proxy.
The rise of these residential proxy networks has significant implications for the AI industry, which relies heavily on content scraping to collect data. By leveraging these proxy networks, content scrapers can make their traffic far more difficult to filter out, thereby increasing their chances of success in this competitive field.
A recent report from LibreNews highlighted the devastating impact of AI-powered scraping on community-maintained infrastructure. The study found that as much as 97 percent of open-source projects' traffic now originates from AI company bots, dramatically increasing bandwidth costs and service instability for maintainers.
To combat this growing threat, Cloudflare has begun experimenting with a "pay-per-crawl" feature that allows content creators to charge AI crawlers to scrape their websites. This innovative approach aims to provide an additional layer of security and deter the exploitation of these networks.
Meanwhile, Reddit has sued Oxylabs and several other proxy providers, accusing them of enabling the mass-scraping of user content despite efforts to block such activity.
In a related development, Denas Grybauskas, chief governance and strategy officer at Oxylabs, expressed shock and disappointment at being sued. He stated that his company was not aware of any plans to scrape user content from Reddit.
The use of residential proxies has become an increasingly important aspect of modern cybercrime, with the Aisuru botnet's shift towards this tactic marking a significant turning point in the evolution of these threats.
As we move forward in this rapidly changing landscape, it is essential that security experts and industry leaders collaborate to develop innovative solutions to counter the rise of residential proxy networks. By working together, we can protect our digital infrastructure from the growing threat of cybercrime.
Published: Wed Oct 29 10:33:21 2025 by llama3.2 3B Q4_K_M