Concise Cyber

Aisuru Botnet Evolves, Shifting from DDoS Attacks to Residential Proxy Sales

The Aisuru botnet, a known threat targeting Internet of Things (IoT) devices, has undergone a significant operational transformation. Security researchers have reported that the malware, which historically focused on launching Distributed Denial-of-Service (DDoS) attacks, has been repurposed. The botnet’s operators have shifted their monetization strategy from attack-for-hire services to a new commercial offering. This evolution demonstrates a calculated pivot by cybercriminals to create more persistent and potentially lucrative revenue streams from their network of compromised devices.

A Strategic Pivot from DDoS to Proxies

The Aisuru botnet was first identified as a tool primarily used for DDoS attacks. By infecting a large number of poorly secured IoT devices, it could harness their collective bandwidth to launch powerful attacks that would overwhelm a target’s servers and infrastructure. This capability was sold as a service to other malicious actors. Recent analysis of the botnet’s command-and-control (C2) infrastructure and behavior, however, shows a clear change in its primary function. Instead of just receiving attack commands, the infected bots are now configured to function as nodes in a residential proxy network. This marks a strategic move from a disruptive, high-visibility attack model to a more covert, service-based one.

How the Illicit Proxy Service Functions

Under this new model, the Aisuru operators sell access to their network of compromised devices. Each infected IoT device, such as a home router or IP camera, serves as an exit node. Customers of this illicit service can route their internet traffic through these nodes, effectively borrowing the IP addresses of the victims’ homes and businesses. This technique allows malicious actors to conceal their true origin, making their activities appear to be from legitimate residential connections. Such services are valuable for conducting activities like ad fraud, web scraping, and credential stuffing attacks while bypassing security measures designed to block traffic from known data centers or malicious IP ranges. This shift provides the botnet operators with a steadier income compared to the sporadic nature of the DDoS-for-hire market.
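The behaviour described above leaves a footprint a defender can look for: an IoT device that normally speaks only to its vendor's cloud suddenly fans out to many unrelated destinations. The following is an added example, not code from the article or from any vendor's product. It runs a simple fan-out heuristic over constructed NetFlow-style records; the device addresses, destination ranges, baseline and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (hypothetical, for illustration only):
# (device_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # camera at .20 talks only to its vendor cloud range: normal IoT egress
    ("192.168.1.20", "203.0.113.10", 443, 15000),
    ("192.168.1.20", "203.0.113.10", 443, 14200),
    ("192.168.1.20", "203.0.113.11", 443, 13900),
    # DVR at .30 reaches many unrelated hosts across several networks: proxy-exit pattern
    ("192.168.1.30", "198.51.100.5", 443, 4000),
    ("192.168.1.30", "198.51.100.77", 80, 3500),
    ("192.168.1.30", "192.0.2.14", 443, 5200),
    ("192.168.1.30", "192.0.2.200", 443, 4100),
    ("192.168.1.30", "198.51.100.160", 443, 3900),
    ("192.168.1.30", "192.0.2.99", 8080, 2900),
    ("192.168.1.30", "203.0.113.250", 443, 6000),
]

# Assumed per-device baseline: the destination ranges each device is expected to reach.
BASELINE = {
    "192.168.1.20": [ip_network("203.0.113.0/28")],  # constructed vendor cloud range
    "192.168.1.30": [],  # no known cloud dependency modelled for the DVR
}


def summarize(flows, baseline=BASELINE):
    """Per device: distinct destinations, distinct /24s, and flows outside the baseline."""
    stats = defaultdict(lambda: {"dsts": set(), "nets": set(), "off_baseline": 0, "total": 0})
    for dev, dst, _port, _bytes in flows:
        s = stats[dev]
        s["total"] += 1
        s["dsts"].add(dst)
        # Collapse destinations to their /24 so a fan-out across networks is visible.
        s["nets"].add(str(ip_network(f"{dst}/24", strict=False)))
        if not any(ip_address(dst) in net for net in baseline.get(dev, [])):
            s["off_baseline"] += 1
    return stats


def flag_proxy_exits(flows, min_dsts=5, min_nets=3, min_off_fraction=0.8):
    """Return devices whose egress fan-out looks like relaying for third parties
    rather than the narrow, vendor-bound traffic an IoT device normally produces.
    Thresholds are assumptions and should be tuned per environment."""
    flagged = {}
    for dev, s in summarize(flows).items():
        off_fraction = s["off_baseline"] / s["total"]
        if (len(s["dsts"]) >= min_dsts
                and len(s["nets"]) >= min_nets
                and off_fraction >= min_off_fraction):
            flagged[dev] = {
                "distinct_dsts": len(s["dsts"]),
                "distinct_nets": len(s["nets"]),
                "off_baseline_fraction": round(off_fraction, 2),
            }
    return flagged


if __name__ == "__main__":
    for dev, info in flag_proxy_exits(FLOWS).items():
        print(f"possible proxy exit: {dev} {info}")
```

The heuristic deliberately keys on breadth of destinations rather than volume, because proxy relaying produces many small, unrelated connections while DDoS participation produces heavy traffic to few targets. Devices that legitimately use large CDNs will need a wider baseline, so the allowlist per device class is the part to invest in; the thresholds here are only starting points.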