Notably, the October 8 surge wasn’t an isolated episode. Ferguson’s earlier telemetry showed that Aisuru had already launched major assaults in mid-September, including a series of multi-terabit strikes targeting networks that serve popular online gaming communities such as Minecraft servers, Steam, and Riot Games.
The September attacks likely served as warm-up runs for the massive wave that followed weeks later.
From Mirai roots to proxy sales
Aisuru is not new. Its foundations trace back to leaked code of the Mirai IoT botnet from 2016, which held “KrebsOnSecurity,” the investigative blog run by Krebs, offline for four days. “The 2016 assault was so large that Akamai – which was providing pro-bono DDoS protection for KrebsOnSecurity at the time – asked me to leave their service because the attack was causing problems for their paying customers,” Krebs had said then.
This time, Aisuru’s operators seem to be monetizing and scaling their creation. The botnet is now believed to serve dual roles, acting as a DDoS engine while also functioning as a residential proxy network. These proxies allow cybercriminals to route attacks through “legitimate” US home devices, masking the true origin of malicious traffic. Krebs also cited security researchers who believe a compromise of router firmware distribution infrastructure, with one alleged breach at Totolink’s firmware server in April 2025, could have accelerated device enrollment into Aisuru’s ranks. The timing of the takedown of a rival botnet (Rapper Bot) in August 2025 may have also allowed Aisuru to absorb the abandoned infected devices, boosting its growth.