New, by me: Aisuru Botnet Shifts from DDoS to Residential Proxies

Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts say a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users.

I included a section at the end mentioning that the latest Aisuru botnet code apparently tells infected systems to check in at the host fuckbriankrebs[.]com. When I heard this, I wondered what its use might be other than to just say what the domain says. But we also noticed the domain was unregistered....

Happily, the domain name was deftly snatched up last week by Philippe Caturegli, “chief hacking officer” for the security intelligence company Seralys.

Caturegli enabled a passive DNS server on that domain and within a few hours received more than 700,000 requests for unique subdomains on fuckbriankrebs[.]com.

But even with that visibility into Aisuru, it is difficult to use this domain check-in feature to measure its true size, Brundage said. After all, he said, the systems that are phoning home to the domain are only a small portion of the overall botnet.

“The bots are hardcoded to just spam lookups on the subdomains,” he said. “So anytime an infection occurs or it runs in the background, it will do one of those DNS queries.”

Read more:
https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/
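The check-in behaviour described above (bots hardcoded to spam lookups on ever-changing subdomains of one domain) leaves a recognisable trace in any resolver log: one base domain collecting a large number of distinct names, most of them seen exactly once. The script below is an added example written for this thread, not code from Brian Krebs or Seralys; it assumes dnsmasq-style `query[TYPE] name from client` log lines, uses constructed sample entries (the domain checkin-example.test and its random labels are made up), and approximates the registrable domain with the last two labels rather than the Public Suffix List.

```python
import re
from collections import defaultdict

# Constructed sample DNS resolver log lines in dnsmasq "query[TYPE] name from client"
# format. These are NOT real captured traffic; the random-label lookups under
# checkin-example.test are made up to mimic the pattern described in the post.
SAMPLE_LOG = """\
Oct 29 10:00:01 gw dnsmasq[812]: query[A] www.example.com from 192.0.2.10
Oct 29 10:00:02 gw dnsmasq[812]: query[A] mail.example.com from 192.0.2.10
Oct 29 10:00:02 gw dnsmasq[812]: query[A] zq1x8ab.checkin-example.test from 192.0.2.55
Oct 29 10:00:03 gw dnsmasq[812]: query[A] 7lk2pmn.checkin-example.test from 192.0.2.55
Oct 29 10:00:03 gw dnsmasq[812]: query[A] www.example.com from 192.0.2.11
Oct 29 10:00:04 gw dnsmasq[812]: query[A] hq9r0tz.checkin-example.test from 192.0.2.56
Oct 29 10:00:04 gw dnsmasq[812]: query[A] b3v6wcd.checkin-example.test from 192.0.2.55
Oct 29 10:00:05 gw dnsmasq[812]: query[AAAA] api.example.org from 192.0.2.12
Oct 29 10:00:05 gw dnsmasq[812]: query[A] ne44fxs.checkin-example.test from 192.0.2.56
Oct 29 10:00:06 gw dnsmasq[812]: query[A] ox2jd8u.checkin-example.test from 192.0.2.57
Oct 29 10:00:06 gw dnsmasq[812]: query[A] mail.example.com from 192.0.2.12
Oct 29 10:00:07 gw dnsmasq[812]: query[A] yt5ka1q.checkin-example.test from 192.0.2.55
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")


def parse_queries(log_text):
    """Yield (qtype, fqdn, client) tuples from dnsmasq-style query lines."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name").rstrip(".").lower(), m.group("client")


def base_domain(fqdn):
    """Naive registrable-domain guess: the last two labels. Production code should
    consult the Public Suffix List so that e.g. example.co.uk is not split wrongly."""
    labels = fqdn.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn


def subdomain_stats(log_text):
    """Aggregate per base domain: total queries, distinct names, distinct clients."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set()})
    for _qtype, fqdn, client in parse_queries(log_text):
        s = stats[base_domain(fqdn)]
        s["queries"] += 1
        s["names"].add(fqdn)
        s["clients"].add(client)
    return stats


def find_checkin_domains(log_text, min_names=5, min_unique_ratio=0.8):
    """Flag base domains where almost every query targets a never-before-seen
    subdomain: a high distinct-name count and a high unique-name/query ratio.
    Returns a list of (base_domain, distinct_names, queries, distinct_clients),
    most distinct names first."""
    findings = []
    for bd, s in subdomain_stats(log_text).items():
        n_names = len(s["names"])
        ratio = n_names / s["queries"]
        if n_names >= min_names and ratio >= min_unique_ratio:
            findings.append((bd, n_names, s["queries"], len(s["clients"])))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for bd, names, queries, clients in find_checkin_domains(SAMPLE_LOG):
        print(f"{bd}: {names} distinct names over {queries} queries from {clients} clients")
```

The thresholds are deliberately low so the toy log trips the rule; on a real resolver you would raise `min_names` well above anything CDN or mail traffic produces, and the distinct-client count tells you how many hosts on the network are phoning home rather than just how noisy one of them is.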

I guess I can write about these guys till I'm blue in the face. These proxy/botnet stories have a lot of moving parts, so I get it when another big development makes everyone yawn. But don't take my word for it: If you look at Cloudflare Radar right now, you can see an Aisuru botnet C2 domain is the most popular domain in the world, more popular than Amazon, Apple, Google and Microsoft. That's fairly remarkable I think.

Sometimes a picture is worth more than a whole bunch of words.

https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/

So I guess Cloudflare is now at least filtering out the names of the domains used as control servers for the Aisuru botnet. The botnet has been using Cloudflare's 1.1.1.1 DNS and has radically affected these top domain results. When I looked yesterday I believe I saw (but failed to screenshot) three Aisuru C2s in the top 10. h/t @profdiggity

I actually found some useful intel in re the Aisuru botnet on LinkedIn! https://www.linkedin.com/feed/update/urn:li:activity:7391258726848180224/

LOL at the "Forehead Too Large" server error response.

"Some quick wins obtained first via Shodan while pivoting on the IP address unveiled by Abuse.ch (45.156.87[.]37).

One can observe a fast increase of devices exposing port 2222 with this SSH fingerprint since April 2025, according to Shodan trends (https://lnkd.in/e_sk9_r3):

- 185[.]241[.]208[.]197 – AISURU botnet, port 9035, AS 210558 (1337 Services GmbH)
- 198[.]251[.]81[.]204 – Mirai C2, port 1337 (1337 refers to Leet or elite ;), AS 53667 (PONYNET)
- 209[.]141[.]38[.]239 – Mirai C2, port 1337, AS 210558 (1337 Services GmbH)
- 154[.]84[.]184[.]66 – AS 35916 (MULTA-ASN1)
- 194[.]46[.]59[.]169 – AISURU botnet, AS 204044 (Packet Star Networks Limited)
- 45[.]156[.]87[.]37 – AS 51396 (Pfcloud UG)
- 65[.]108[.]5[.]46 – AS 24940 (Hetzner Online GmbH)
- 136[.]175[.]8[.]50
  - Port 25565 and several others show this peculiar body response:
    'HTTP/1.1 413 “Forehead Too Large” (a funny server response!)'
    'Content-Length: 14'
    'cry krebs LOL!'
    >>> 4 more servers, including:
      - 136[.]175[.]8[.]53 (AS 210558, October 2025)
      - 136[.]175[.]8[.]51 – AS 14315 (1GSERVERS)
      - 206[.]168[.]191[.]205 1GSERVERS, LLC
- 136[.]175[.]8[.]51 AS 14315 ( 1GSERVERS )
- 176[.]65[.]132[.]17 AS 51396 ( Pfcloud UG )
  SSH-2[.]0-Go
    - 45[.]153[.]34[.]72 Mirai AS 51396 ( Pfcloud UG )
    - 202[.]71[.]14[.]20 AS 43641 ( SOLLUTIUM EU Sp z.o.o. )
      - pDNS hellopixormer[.]com

The script forces Cloudflare DNS resolution and XORs your IP address with an Easter-egg key before encoding it to base64, so network traffic will be redirected to the hardcoded IP 45.156.87[.]37 thanks to altered firewall rules."

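The quoted LinkedIn post says the script hides its hardcoded IP by XORing the dotted-quad text with a key and base64-encoding the result. From the analyst's side that obfuscation is weak because the plaintext has a known shape: a valid IPv4 address. The code below is an added example for this thread, not the script's own code or Seralys' tooling; the key (0x5A) and the TEST-NET address are constructed placeholders, since the post does not disclose the real key, and `recover_ip` simply tries every key of the requested length and keeps the first decoding that parses as an IPv4 address.

```python
import base64
import ipaddress
from itertools import product

# Constructed sample: a documentation-range IP obfuscated with a made-up single-byte
# XOR key. Neither value comes from the real script discussed in the post.
SAMPLE_KEY = 0x5A
SAMPLE_IP = "203.0.113.37"


def obfuscate_ip(ip, key):
    """Mirror the described scheme: XOR each byte of the dotted-quad text with the key,
    then base64-encode. `key` is an int (single byte) or bytes (repeating key)."""
    key_bytes = bytes([key]) if isinstance(key, int) else key
    raw = ip.encode("ascii")
    xored = bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(raw))
    return base64.b64encode(xored).decode("ascii")


def recover_ip(blob, max_key_len=1):
    """Analyst side: brute-force XOR keys of 1..max_key_len bytes over the base64-decoded
    blob and return (key, ip) for the first candidate that parses as a valid IPv4
    address, or None if no key of that length yields one."""
    data = base64.b64decode(blob)
    for klen in range(1, max_key_len + 1):
        for key in product(range(256), repeat=klen):
            plain = bytes(b ^ key[i % klen] for i, b in enumerate(data))
            try:
                ip = ipaddress.IPv4Address(plain.decode("ascii"))
            except (UnicodeDecodeError, ValueError):
                continue  # not printable ASCII, or not an IPv4 literal: wrong key
            return bytes(key), str(ip)
    return None


if __name__ == "__main__":
    blob = obfuscate_ip(SAMPLE_IP, SAMPLE_KEY)
    print("obfuscated:", blob)
    print("recovered :", recover_ip(blob))
```

Because every character of an IPv4 literal is a digit or a dot, a wrong single-byte key almost always produces at least one character outside that set, so the parse check is a strong filter; for longer keys the search grows as 256^n and a known-plaintext guess (the dots at fixed positions) would be the better lever. Once the destination is recovered, it goes on the blocklist alongside the IP already published by Abuse.ch.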

@briankrebs Lots of German ASes in that list. 1337 services runs "rdp.sh", a vps provider. the others seem to be mostly vps hosters, too.

@briankrebs I'm sure you are weeping, as the HTTP header demands
Automated Malware Analysis Report for http://202.0x47.14.20/rx1/9x.py - Generated by Joe Sandbox


@briankrebs @profdiggity oh boo so we can't pollute it either? so much for getting goatse.cx to the top. phooey

@Viss @briankrebs @profdiggity

So much for my cunning plan to get a cyberslop domain near the top 😞

https://www.hover.com/domains/results?utf8=%E2%9C%93&q=cyberslop


@Viss @briankrebs @profdiggity That site has been down for at least a year.

Apparently it's easier to find memes about it than to find the original picture. I went looking a while ago to educate one of my neighbors who, being in his 30s, was too young to know about any of those original Internet horrors - tubgirl, lemonparty, goatse, etc.

They're all gone, but their legacy carries on in artistic re-renderings.

Best we can push to the top at this point is a rick roll...

@mathaetaes @briankrebs @profdiggity yeah the way I understand that leaderboard, it doesn't matter if the site is up or down - it's just a ranking of DNS requests.

@briankrebs @profdiggity Holy shit! A .su in the wild!

@briankrebs @profdiggity That .su was the #2 TLD between .com and .net last week tells you all you need to know.

https://radar.cloudflare.com/tlds?dateStart=2025-10-26&dateEnd=2025-11-01


@jtk @briankrebs @profdiggity

What, that DNS magnitude is not always the most appropriate metric?

@dw @briankrebs @profdiggity Why do I get this feeling you've just started an outline for your next OARC talk?