Recent reports have revealed a serious network security issue: hackers exploiting a zero-day vulnerability in Cambium Networks cnPilot routers to deploy the AIRASHI variant of the AISURU botnet. This botnet is being used to conduct large-scale DDoS attacks, leveraging a variety of vulnerabilities, including those in AVTECH IP cameras and LILIN DVRs.
According to the security researchers at QiAnXin XLab, the AIRASHI botnet has been active since June 2024, with a stable attack capacity of 1-3 Tbps. The botnet primarily compromises devices in Brazil, Russia, Vietnam, and Indonesia, while targeting its attacks towards China, the United States, Poland, and Russia.
AIRASHI is an evolved version of the AISURU botnet, incorporating proxyware functionality to extend its capabilities beyond DDoS attacks. The botnet has undergone multiple updates, with the latest versions, AIRASHI-DDoS and AIRASHI-Proxy, introducing new network protocols and enhanced communication methods. AIRASHI-DDoS focuses on DDoS attacks, supporting arbitrary command execution and reverse shell access, while AIRASHI-Proxy adds proxy functionality.
This development also aligns with QiAnXin’s discovery of alphatronBot, a cross-platform backdoor targeting Chinese government and enterprises. This malware uses a decentralized P2P protocol, enlisting infected systems into a botnet and making it resilient to takedowns. The P2P network comprises over 700 nodes from 80 countries, involving devices like MikroTik routers and Hikvision cameras.
Additionally, QiAnXin has detailed a stealthy payload delivery framework called DarkCracks, which exploits compromised GLPI and WordPress sites to function as downloaders and C2 servers. This framework aims to gather sensitive information, maintain long-term access, and use compromised devices as relay nodes, effectively concealing the attacker’s footprint.
About FastNetMon
FastNetMon delivers versatile DDoS detection software for companies at any scale. With extensive experience in the telecom, mobile, and cloud computing industries, we take pride in preventing DDoS attacks and protecting our customers’ networks to the highest standard.