Aisuru Botnet Moves from DDoS Attacks to Residential Proxy Operations

The Aisuru botnet, responsible for multiple record-breaking DDoS attacks this year, has reportedly altered its operations to supply infected IoT devices for use as residential proxies. This marks a shift from high-volume, short-term attacks toward a more sustainable, revenue-generating model.

First identified in August 2024, Aisuru has by now infected at least 700,000 IoT devices, including routers and security cameras. Earlier this year, it executed DDoS attacks exceeding 6 terabits per second, with some campaigns reportedly reaching close to 30 terabits per second, overwhelming targeted networks and, in some cases, disrupting ISP services. Multiple broadband operators experienced significant operational impact due to outbound DDoS traffic exceeding 1.5 Tb/sec from infected devices.

As reported by KrebsOnSecurity, Aisuru’s operators recently updated the botnet’s malware to allow compromised devices to be rented to residential proxy providers. These services route Internet traffic through infected devices, making connections appear as though they originate from legitimate residential IP addresses. Experts note that this shift has coincided with a dramatic increase in residential proxies, which are being used for large-scale content scraping and data collection activities, including feeding AI and large language model projects.

Residential proxies are often resold through a complex ecosystem. Proxy providers operate reseller programs and software development kits (SDKs) that allow other apps and developers to turn end-user devices into traffic relays. Some proxy networks are white-labeled, creating multiple layers between the original compromised devices and the end customer. Notable providers cited in industry research include Luminati (Bright Data), Oxylabs, and IPidea, along with several of IPidea’s associated brands, which collectively manage millions of residential IPs.

The trend of repurposing IoT botnets for residential proxies is not unique to Aisuru. Other malware families, such as Badbox 2.0, have similarly infected millions of smart devices—including TVs, projectors, and vehicle infotainment systems—to enable proxy or other persistent operations. Experts say that the increasing availability of residential IPs has facilitated aggressive content scraping campaigns, which can be difficult to detect because traffic appears to originate from legitimate home users.

The operational impact of the botnet extends beyond DDoS. Even when not used to flood targets, infected devices contribute to network congestion for ISPs, potentially overloading line cards or degrading service for other customers. Analysts say that Aisuru now functions as both a proxy infrastructure provider and a latent DDoS platform, capable of returning to high-throughput attacks if needed.

While Aisuru continues to operate as a considerable IoT threat, its focus on proxy services represents a notable evolution from the headline-grabbing DDoS campaigns that defined the botnet earlier in 2025. FastNetMon is actively monitoring the situation and will continue reporting updates as new developments emerge.


About FastNetMon

FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.

For more information, visit https://fastnetmon.com
