Aisuru
Aisuru is a Mirai-derivative IoT/Android botnet and DDoS-for-hire malware family associated with record-setting volumetric attacks and, later, with use as a residential proxy network. The reporting collected here describes Aisuru as targeting compromised home routers, surveillance cameras, and other IoT systems, with related activity also affecting Android devices and Android TV/streaming boxes. Multiple sources state that KimWolf is a variant of Aisuru, or an Android variant linked to the same malware family; KimWolf primarily infected Android devices with an exposed Android Debug Bridge (ADB), including streaming boxes, webcams, digital photo frames, and other IoT equipment. Aisuru/KimWolf infrastructure was attributed to some of the largest publicly reported DDoS attacks, including attacks cited at 29.7 Tbps, 31.4 Tbps, 15.72 Tbps, and 14.1 billion packets per second. The malware was also identified as a key tool in campaigns such as the attacks on Italian infrastructure during the Milano Cortina 2026 Winter Games, and one report linked it to a record October 2025 Azure attack targeting a single edge device in Australia. The reporting further states that Aisuru evolved beyond DDoS into proxy monetization: researchers observed it pivoting to sell proxy access, and its bot count is said to have surged through exploitation of proxy services and abuse of residential-proxy networks. Lumen data cited in the reporting recorded 2,948,616 IPs associated with Aisuru in 2025, with Aisuru Proxies ranking first by average daily bot count at 129,487; another report says Aisuru's bot count tripled in one week in September 2025 and that roughly 1.8 million bots were generated through exploitation of proxy services. The botnet is associated with a cybercrime-as-a-service model in which access to infected devices was rented to other criminals for DDoS and proxy use.
In March 2026, authorities in the United States, Germany, and Canada seized command-and-control infrastructure linked to Aisuru, along with KimWolf, JackSkid, and Mossad, as part of a multinational disruption operation. High-confidence device and infrastructure details mentioned directly in the sources include exploitation of vulnerable IoT devices, abuse of residential proxy networks, and use in large-scale DDoS campaigns against organizations, internet infrastructure, and event-related targets.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Microsoft disclosed that it automatically detected and neutralized a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia that measured 15.72 terabits per second (Tbps)... It originated from a TurboMirai-class Internet of Things (IoT) botnet known as AISURU. According to data from QiAnXin XLab, the AISURU botnet is powered by nearly 300,000 infected devices, most of which are routers, security cameras, and DVR systems.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Android set-top boxes, streaming devices, webcams, digital photo frames and other IoT equipment fell under the operators' control... The botnet owners sold access to the infected devices to other criminals under a cybercrime-as-a-service model.
Initial Access
4 techniques
Attackers gained access to these devices either by exploiting known security flaws or by logging in with default factory credentials that most users never change.
Prime targets included Android TVs and streaming devices with exposed Android Debug Bridge (ADB) services.
Late 2025 brought faster turnover... Investigators later found that its 1.8 million bots were generated through exploitation of proxy services.
Like other TurboMirai botnets, Aisuru incorporates additional dedicated DDoS attack capabilities and multi-use functions, enabling operators to carry out other illicit activities, including credential stuffing, artificial intelligence (AI)-driven web scraping, spamming, and phishing.
Persistence
2 techniques
Attackers gained access to these devices either by exploiting known security flaws or by logging in with default factory credentials that most users never change.
Privilege Escalation
1 technique
Stealth
1 technique
Discovery
1 technique
Mirai was built to scan the internet for Internet of Things (IoT) devices running on ARC processors, which operate a stripped-down version of Linux.
Lateral Movement
1 technique
Kimwolf was a variant of the Aisuru botnet and mainly infected Android devices with an exposed Android Debug Bridge (ADB).
Command and Control
5 techniques
The arrest follows a broader March 2026 court-authorized operation that disrupted several high-impact IoT DDoS botnets, including Aisuru, KimWolf, JackSkid, and Mossad, by seizing their command-and-control (C2) infrastructure.
Beyond DDoS attacks, the botnets have been used to abuse residential proxy networks, routing attack traffic through IP addresses belonging to ordinary homeowners, making the activity far harder to trace.
When the malware receives a StartProxy command from the command-and-control (C2) server, it will begin listening on an attacker-controlled TCP port and operates as a SOCKS5 proxy.
The Kimwolf botnet, an Android variant of Aisuru, spread like wildfire after its operators figured out how to abuse residential-proxy networks for local control... Kimwolf exploited a novel attack vector: residential proxy networks.
These attacks are particularly difficult to stop because they "randomize packet characteristics" to hide from security tools.
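The two device-side behaviours quoted above, an Android device with ADB exposed to the internet (Initial Access) and a bot that, on a StartProxy command, starts serving SOCKS5 on an arbitrary TCP port (Command and Control), both show up in network telemetry from the defender's side. The following is an added detection sketch, not code from Mallory or from any of the cited vendors: it takes constructed flow records (client address, IoT device address and port, first payload bytes in each direction), recognises the RFC 1928 SOCKS5 greeting/method-selection exchange, and raises an alert when an internet peer reaches ADB (TCP/5555) on a consumer device or when a consumer device answers a SOCKS5 handshake. The IoT subnet, the RFC 1918 "local" ranges, the rule names and the sample flows are all assumptions chosen for the example; the 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for internet peers.

```python
import ipaddress
from dataclasses import dataclass

# Port the Android Debug Bridge daemon listens on when network debugging is enabled.
ADB_PORT = 5555

# Constructed assumption: the subnet where the home/office IoT devices live.
IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")

# Constructed assumption: anything outside these ranges is treated as "internet".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def is_socks5_client_greeting(payload: bytes) -> bool:
    """RFC 1928 greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


def is_socks5_server_choice(payload: bytes) -> bool:
    """RFC 1928 method selection: VER=0x05 followed by the single chosen METHOD byte."""
    return len(payload) == 2 and payload[0] == 0x05


@dataclass(frozen=True)
class Flow:
    src: str             # client (initiating) address
    dst: str             # server address, i.e. the device that accepted the connection
    dport: int           # server port
    client_bytes: bytes  # first payload bytes sent by the client
    server_bytes: bytes  # first payload bytes sent back by the server


def analyze(flows: list[Flow]) -> list[dict]:
    """Return one alert dict per suspicious flow where an IoT device acted as a server."""
    alerts = []
    for f in flows:
        if ipaddress.ip_address(f.dst) not in IOT_SUBNET:
            continue  # only consumer/IoT devices accepting connections are of interest here
        if f.dport == ADB_PORT and is_external(f.src):
            alerts.append({"rule": "adb-exposed-to-internet",
                           "device": f.dst, "peer": f.src, "port": f.dport})
        # Any port counts: the bot picks the listening port from the C2 command.
        if is_socks5_client_greeting(f.client_bytes) and is_socks5_server_choice(f.server_bytes):
            alerts.append({"rule": "socks5-served-by-iot-device",
                           "device": f.dst, "peer": f.src, "port": f.dport})
    return alerts


# Constructed sample telemetry (not captured data).
SAMPLE_FLOWS = [
    # Internet peer reaching ADB on a streaming box; ADB's connect message begins with "CNXN".
    Flow("203.0.113.10", "192.168.50.23", 5555, b"CNXN", b"CNXN"),
    # Same box answering a SOCKS5 no-auth handshake on a high port.
    Flow("198.51.100.7", "192.168.50.23", 41337, b"\x05\x01\x00", b"\x05\x00"),
    # A developer laptop on the LAN using ADB over the network: not internet-exposed.
    Flow("192.168.50.5", "192.168.50.23", 5555, b"CNXN", b"CNXN"),
    # A legitimate SOCKS proxy on a non-IoT host: outside the monitored subnet.
    Flow("192.168.1.10", "10.0.0.4", 1080, b"\x05\x01\x00", b"\x05\x00"),
    # Ordinary TLS to a camera's web UI: benign.
    Flow("203.0.113.44", "192.168.50.40", 443, b"\x16\x03\x01", b"\x16\x03\x03"),
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

Only the first two sample flows produce alerts; the LAN-side ADB session and the proxy on a non-IoT host are left alone, which is the point of keying the rules on "device in the IoT subnet" plus "peer is external" rather than on port numbers alone.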
Impact
4 techniques
The infected devices were enslaved by the botnet operators. The operators then used a "cybercrime as a service" model to sell access to the infected devices to other cyber criminals.
Kimwolf, a DDoS platform that was rented out "by subscription" to other hackers... the botnet was used to carry out more than 25,000 attacks worldwide... the peak bandwidth of individual attacks reached 31.4 Tbit/s.
Cloudflare’s Q3 2025 DDoS Threat Report highlights the unprecedented impact of the Aisuru botnet, a 1–4 million-device network launching hyper-volumetric attacks regularly above 1 Tbps and 1 Bpps.
On the HTTP side, 4% of attacks surpassed 1M requests per second.
IOCs tracked for this family
45 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
151 sources tracked across advisories, community write-ups, and news.
A botnet whose proxy infrastructure was reported as being used to fuel large-scale AI data harvesting via residential/consumer-device proxies.
A DDoS botnet of which Kimwolf was a variant. Its infrastructure was linked to some of the most powerful DDoS attacks in history; it infected Android and IoT devices.
Named as one of several high-impact IoT DDoS botnets disrupted through seizure of command-and-control infrastructure.
An IoT botnet whose code family was borrowed by Kimwolf. It was part of a law-enforcement disruption targeting botnets used to launch large-scale DDoS attacks, and was used to launch over 200,000 attack commands.