The operators of the Aisuru botnet have changed its core monetization strategy, pivoting away from its original role as a Distributed Denial-of-Service (DDoS) attack platform. Security researchers have identified a significant change in the botnet's functionality and purpose, marking a strategic evolution in how it is operated.
Previously known for leveraging a network of compromised devices to launch large-scale DDoS attacks for hire, the botnet’s infrastructure and malware components have been repurposed.
Shift to a Residential Proxy Network
Analysis of the Aisuru botnet’s current activity confirms it is now operating as a residential proxy service. This service enables paying customers to route their internet traffic through the thousands of infected computers and devices under the botnet’s control. By using these compromised residential IP addresses, clients of the service can effectively mask the true origin of their web traffic.
The botnet exploits the geographic and network diversity of its infected nodes to offer a service that makes malicious activity appear to originate from legitimate residential users. This represents a move from a direct-attack model to a service-based anonymization and obfuscation model.
Technical Evidence of the Pivot
The operational shift was identified through technical analysis of updated Aisuru malware samples. Researchers observed that the modules responsible for executing DDoS attacks have been removed or deprecated in the latest versions. In their place, new components have been added that are specifically designed to manage and route network traffic, consistent with the functionality of a proxy server.
The command-and-control (C2) infrastructure has also been updated to support the new proxy service, managing the network of infected nodes as exit points for customer traffic. This allows malicious actors to use the network for activities such as credential stuffing, web scraping, and ad fraud under the guise of being ordinary internet users.