AIRASHI Botnet Risks for DDoS and Residential Proxies


How a record-setting IoT botnet quietly powers a massive residential proxy network and what IPQS telemetry reveals about its fraud impact.

 

At IPQS, a large part of our work involves watching proxy networks from the defender’s side. Our scoring systems, feeds, and device intelligence give us a close view of how proxy services source their traffic and how that traffic is used. While monitoring a large residential proxy provider, IPQS analysts identified patterns that align with malware activity rather than those typically associated with an opt-in proxy program. These signs suggest that this provider’s footprint is built on infected devices, not volunteers, and that the underlying engine is the same botnet family now known as AIRASHI.

Terabit-scale DDoS attacks used to be rare outliers. Over the last two years, they have become part of everyday incident response for major platforms, content delivery providers, and security teams. One of the most important drivers behind that shift is a fast-growing IoT botnet family currently known as AIRASHI. If you’re already familiar with AIRASHI’s history and want to skip straight to the residential proxy findings and fraud impact, you can jump ahead to the section on why AIRASHI matters to IPQS customers.

 

From Steam Attacks to a Rapidly Growing Botnet

AIRASHI evolved from early experiments into a powerful service for both DDoS and residential proxy traffic. In its early iterations, it was named AISURU. XLab’s researchers first saw early samples linked to the AISURU botnet in October 2023. Those initial builds were short-lived, which usually indicates active development and debugging rather than fully operational criminal campaigns.

By August 2024, AISURU’s operators had moved far beyond testing. XLab documented a coordinated DDoS campaign that targeted the Steam platform and its Chinese publishing partner during the launch window of the hit game “Black Myth: Wukong.” The operation hit 107 server IPs across 13 regions, with peak attack traffic around 1.3 Tbps generated by roughly 30,000 infected devices.

Soon after the Steam incident the botnet went quiet, then resurfaced later in 2024 under new names such as NAKOTNE and AISURA, with a burst of new exploits and infrastructure. This pattern of temporary quiet followed by stronger activity is a recurring theme for the group.

 

AISURU, NAKOTNE, AISURA, and AIRASHI: One Codebase, Many Names

Across multiple XLab reports, the same malware family appears under several labels: AISURU, NAKOTNE, AISURA, kitty, and finally AIRASHI. The naming reflects visible milestones in the codebase rather than entirely separate projects.

During 2024, samples associated with NAKOTNE and AISURA began exploiting more than a dozen router and IoT vulnerabilities, including an undisclosed cnPilot router issue from Cambium Networks. These exploits allowed the operators to pull more devices into their botnet and expand beyond the original 30,000-node network.

By late 2024, XLab identified a heavily reworked variant they called “kitty”, as well as a rebranded botnet cluster named AIRASHI. AIRASHI variants introduced more structured C2 logic, more reliable DDoS routines, and dedicated code paths for proxy functionality, all while borrowing heavily from earlier design patterns of AISURU and a botnet that came before it in 2022 named Fodcha.

From the defender’s point of view, it is most practical to treat these names as versions of the same threat actor toolset rather than unrelated botnets.

 

Technical Traits That Make AIRASHI So Dangerous

XLab’s technical analysis highlights several properties that help AIRASHI stand out among IoT botnets:

  • Aggressive exploitation strategy. Recent AISURU and AIRASHI samples exploit at least 18 known and undisclosed vulnerabilities across routers, cameras, DVRs, and other embedded devices. At one point, the operators even abused a router firmware update server to push malicious scripts to new victims.

  • Resilient C2 infrastructure. Earlier variants mapped each C2 domain to dozens of IP addresses, with later AIRASHI builds spreading a small set of domains across roughly 144 IPs. This structure makes simple IP-based blocking less effective, because blocking the handful of addresses seen so far leaves the domains resolvable to the rest.

  • Layered encryption and integrity checks. AIRASHI samples encrypt configuration strings, protect C2 communications with custom RC4 variations plus HMAC-SHA256, and use ChaCha20-based flows for additional confidentiality. This keeps commands out of reach of casual inspection and tampering, although it does not hide the volume and timing of bot-to-C2 traffic.

  • Built-in proxy logic. The malware’s message protocol includes explicit support for proxy commands, and newer builds perform bandwidth tests to earmark high-throughput nodes for proxy use.

As a result, AIRASHI functions as both a DDoS weapon and a flexible access layer for other criminal activity.

 

Record DDoS Attacks Against Gaming, CDNs, and Security Sites

AIRASHI’s growth is clear in public attack reports. GlobalSecureLayer recorded a 3.15 billion packet-per-second DDoS event against a gaming client in August 2024, with nearly 850 Gbps of traffic. XLab then tied the AISURU botnet to multi-wave attacks on Steam and its regional partners later that same month, with sustained terabit-scale throughput.

In 2025, the numbers escalated. XLab describes AISURU-linked attacks climbing into the double-digit terabit range, including an 11.5 Tbps event against a European target. Around the same period, KrebsOnSecurity reported a 6.3 Tbps assault against its own site, with Google’s Project Shield and Cloudflare engineers noting substantial overlap between that event and a roughly 6.5 Tbps attack on Cloudflare just weeks earlier. XLab’s tracing of C2 commands ties these events back to the same AISURU infrastructure that underpins AIRASHI.

When a single threat actor can repeatedly field traffic at this scale, DDoS protection can no longer be treated as a rare contingency. It becomes a routine operational requirement for gaming platforms, CDNs, and high-visibility security sites.

 

From DDoS Cannon to Residential Proxy Supply Chain

Early AISURU and AIRASHI variants were overwhelmingly focused on DDoS capacity. Over time, the operators recognized that their collection of compromised routers and IoT devices could be monetized in quieter ways.

AIRASHI’s operators now treat their DDoS fleet as a rentable resource. The same infected routers and IoT devices that once overwhelmed targets with junk traffic are packaged as residential proxy capacity, giving paying customers large-scale access to consumer IP space. Command messages include explicit instructions for proxy mode and built-in bandwidth checks, so the controller can single out the fastest bots and reserve them for high-volume proxy work.

Internal IPQS telemetry shows the same trend from a different angle. Over a recent 24-hour window, we observed about 1.28 million distinct IPs flowing through a single commercial residential proxy network. Based on how those IPs map to known AIRASHI infrastructure and related malware activity, we believe this provider’s entire footprint is built on compromised devices rather than willing participants. Because of this, AIRASHI traffic often reaches targets disguised as “regular” proxy users rather than as obvious botnet nodes.

For our customers, that shift is at least as important as the headline DDoS figures. AIRASHI is no longer only a volumetric attack tool. It also powers a residential proxy network on a scale rivaling paid providers. Compared with roughly 4.3 million IPs for PYPROXY and about 8 million IPs for Bright Data, AIRASHI places among the largest residential proxy services in the world. The key difference is that none of these devices are there by choice: every device in AIRASHI’s pool has been hijacked and resold to threat actors for credential stuffing, payment fraud, account takeover, scraping, and ad fraud.

 

Why AIRASHI Matters for IPQS Customers

From an IPQS customer’s perspective, AIRASHI brings together three patterns that are particularly challenging to defend against:

  1. Commodity access to extreme traffic volumes. DDoS-for-hire services built on AIRASHI make it trivial for relatively unsophisticated actors to order terabit-scale attacks against marketplaces, game publishers, and fintech products.

  2. High-entropy IP churn. Continuous exploitation of embedded devices and router vulnerabilities means the IP set behind AIRASHI changes quickly. Attack traffic today may come from a different mix of ASNs, countries, and ISPs than traffic yesterday.

  3. Residential proxy reuse. Once the same devices are routed through commercial residential proxy services, AIRASHI’s footprint blends into the broader proxy ecosystem. Attackers can then reuse the same infrastructure for targeted fraud and abusive automation rather than simply flooding bandwidth.

These trends directly affect the reliability of IP-based controls, chargeback rates, player experience for gaming platforms, and even the stability of critical security tools that rely on continuous uptime. The good news is that AIRASHI’s growth also generates patterns that IPQS is uniquely positioned to observe and score.

 

Detecting AIRASHI Traffic with IP Reputation

IPQS maintains a continuously refreshed proxy detection database that tracks high-risk IP addresses across proxies, VPNs, Tor, hosting providers, data centers, botnets, and residential proxies.

Because AIRASHI relies on a broad mix of embedded devices, consumer routers, and proxy exit nodes, many of its IPs already fall into categories that IPQS scores as risky. When AIRASHI participates in a DDoS incident or a wave of credential stuffing, those IPs accumulate negative history and quickly become recognizable as part of coordinated abuse.

IPQS customers can use the Proxy Detection API and related data feeds to:

  • Flag connections from IPs linked to botnets or abnormal traffic patterns

  • Identify high-risk IPs tied to previous abuse incidents

  • Filter out traffic from known data centers and open proxies so that residential proxy signals stand out more clearly

In practice, this means that even if an attacker routes requests through residential IPs that were once part of AIRASHI-led DDoS events, those sessions can still inherit elevated risk scores.
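To make that layering concrete, here is an added example (not IPQS’s own code) of a decision function over lookup results shaped like an IPQS Proxy Detection response. The field names it reads (fraud_score, proxy, vpn, tor, bot_status, recent_abuse, connection_type, abuse_velocity) are assumed to match the API’s JSON, and the sample records are constructed, not real lookups. It handles data-center and Tor exits first, so that only subscriber lines reach the residential-proxy branch, where a hijacked router shows up as a residential or mobile IP that is both relaying proxy traffic and carrying recent abuse.

```python
"""Layered IP-risk decision over IPQS-style Proxy Detection responses.

Added example, not IPQS's own code. The field names (fraud_score, proxy,
vpn, tor, bot_status, recent_abuse, connection_type, abuse_velocity) are
assumed to match the IPQS Proxy Detection API JSON; the records below are
constructed for illustration (RFC 5737 documentation addresses).
"""
from typing import Any


def is_infrastructure(rec: dict[str, Any]) -> bool:
    """Data-center exits and Tor are not subscriber lines. Decide them first so
    the residential logic below only ever sees consumer connections."""
    return rec.get("connection_type") == "Data Center" or bool(rec.get("tor"))


def assess_ip(rec: dict[str, Any], challenge_score: int = 75) -> dict[str, Any]:
    """Return a decision (block / challenge / allow) plus the reasons behind it."""
    reasons: list[str] = []
    if is_infrastructure(rec):
        reasons.append("infrastructure exit (data center or Tor)")
        if rec.get("proxy") or rec.get("vpn"):
            reasons.append("open proxy or VPN on a hosting range")
        return {"decision": "block", "residential": False, "reasons": reasons}

    residential = rec.get("connection_type") in {"Residential", "Mobile"}
    proxy = bool(rec.get("proxy"))
    score = int(rec.get("fraud_score", 0))
    # Prior abuse history is what separates a hijacked device from a subscriber
    # who merely installed a VPN app.
    abusive = (
        bool(rec.get("recent_abuse"))
        or bool(rec.get("bot_status"))
        or rec.get("abuse_velocity") in {"medium", "high"}
    )

    if proxy:
        reasons.append("subscriber line relaying proxy traffic")
    if abusive:
        reasons.append("prior abuse or bot activity recorded for this IP")
    if score >= challenge_score:
        reasons.append(f"fraud_score {score} >= {challenge_score}")

    if residential and proxy and abusive:
        decision = "block"      # residential IP acting like a botnet node
    elif proxy or score >= challenge_score:
        decision = "challenge"  # step-up verification instead of a hard block
    else:
        decision = "allow"
    return {"decision": decision, "residential": residential, "reasons": reasons}


# Constructed sample responses (not real lookups).
SAMPLE_RESPONSES: dict[str, dict[str, Any]] = {
    # Home router relaying proxy traffic with abuse history: the AIRASHI pattern.
    "198.51.100.7": {"fraud_score": 92, "proxy": True, "vpn": False, "tor": False,
                     "bot_status": True, "recent_abuse": True,
                     "connection_type": "Residential", "abuse_velocity": "high"},
    # Commercial VPN on a hosting range: filtered as infrastructure.
    "203.0.113.9": {"fraud_score": 85, "proxy": True, "vpn": True, "tor": False,
                    "bot_status": False, "recent_abuse": False,
                    "connection_type": "Data Center", "abuse_velocity": "none"},
    # Mobile line relaying proxy traffic, no abuse yet: challenge, don't block.
    "192.0.2.44": {"fraud_score": 60, "proxy": True, "vpn": False, "tor": False,
                   "bot_status": False, "recent_abuse": False,
                   "connection_type": "Mobile", "abuse_velocity": "low"},
    # Ordinary subscriber.
    "192.0.2.100": {"fraud_score": 5, "proxy": False, "vpn": False, "tor": False,
                    "bot_status": False, "recent_abuse": False,
                    "connection_type": "Residential", "abuse_velocity": "none"},
}


def assess_all(responses: dict[str, dict[str, Any]] = SAMPLE_RESPONSES) -> dict[str, str]:
    """Decision per IP, in a shape that is easy to feed into a rules engine."""
    return {ip: assess_ip(rec)["decision"] for ip, rec in responses.items()}


if __name__ == "__main__":
    for ip, rec in SAMPLE_RESPONSES.items():
        result = assess_ip(rec)
        print(f"{ip:<14} {result['decision']:<9} {'; '.join(result['reasons']) or 'clean'}")
```

The thresholds and the "challenge" tier are design choices for the example: a residential proxy without abuse history is far more likely to be a subscriber who installed a bandwidth-sharing app than a hijacked router, so step-up verification costs less than a hard block, while a residential IP that is relaying traffic and already carries abuse history gets treated like the botnet node it most likely is.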

 

Catching AIRASHI-Backed Proxies with Residential Proxy Detection

As AIRASHI invests more in proxy features, defenders need better tools to distinguish legitimate household traffic from compromised devices that have been turned into exit nodes. 

The IPQS Residential Proxy Detection Feed is designed for this exact challenge. It focuses on residential and mobile connections with abuse history and downplays noise from data centers and infrastructure IP ranges. That focus makes it easier for customers to see when a “normal” subscriber line suddenly starts relaying suspicious volumes of login attempts or checkout activity.

For organizations that already consume IPQS proxy data, adding the residential proxy feed improves coverage against:

  • Compromised routers and IoT devices rented out as residential proxies

  • Botnet nodes that pivot from DDoS campaigns into lower-volume, high-value fraud

  • Collections of residential IPs that show coordinated behavior across many merchants

Because AIRASHI is increasingly intertwined with commercial proxy networks, this level of visibility is essential for keeping risk scores meaningful.

 

Device Fingerprinting That Follows Botnets Across IPs

AIRASHI’s operators work hard to rotate IPs and exploit new devices. What they cannot easily change is the behavior of the software running on infected nodes and the traits of the devices and browsers that interact with your application.

IPQS device fingerprinting analyzes hundreds of data points from web and mobile devices to produce stable device identifiers and behavior-based risk scores. Combined with IP reputation, this lets customers:

  • Spot duplicate accounts and shared devices behind many “unique” IPs.

  • Detect emulators, headless browsers, and scripted automation.

  • Correlate login attempts and payments that originate from different IPs, but the same underlying device setup.

If a threat actor uses AIRASHI-powered residential proxies to constantly shift IPs during credential stuffing or card testing, device fingerprinting can still connect those events and highlight them to your fraud rules.
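The correlation described above, as an added example that is not IPQS’s fingerprinting code: it assumes a fingerprinting layer has already stamped each login event with a stable device identifier (a made-up `device_id` string here), and runs over constructed login records. The check groups events by device rather than by IP, then looks for a device that, inside a short window, cycled through several IPs against several accounts with a low success rate, which is what credential stuffing behind a rotating residential-proxy pool looks like once the IP is no longer the unit of analysis.

```python
"""Correlate login events by stable device identifier across rotating IPs.

Added example, not IPQS's own code. It assumes each event already carries a
device identifier from a fingerprinting layer (the `device_id` values are
made up); the events are constructed log records (RFC 5737 addresses).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed)
    ip: str
    device_id: str
    account: str
    success: bool


# Constructed events: dev-a1 cycles through proxy IPs and accounts (stuffing),
# dev-b7 is a household device seen from two IPs hours apart, dev-c3 is a
# user who mistyped a password once.
EVENTS = [
    LoginEvent(1000, "198.51.100.7", "dev-a1", "alice", False),
    LoginEvent(1010, "198.51.100.22", "dev-a1", "bob", False),
    LoginEvent(1020, "203.0.113.5", "dev-a1", "carol", False),
    LoginEvent(1030, "203.0.113.77", "dev-a1", "dave", True),
    LoginEvent(1040, "192.0.2.18", "dev-a1", "erin", False),
    LoginEvent(1000, "192.0.2.200", "dev-b7", "frank", True),
    LoginEvent(5000, "192.0.2.201", "dev-b7", "frank", True),
    LoginEvent(1500, "192.0.2.202", "dev-c3", "grace", False),
    LoginEvent(1510, "192.0.2.202", "dev-c3", "grace", True),
]


def flag_stuffing_devices(events, window_s=900, min_ips=3, min_accounts=3,
                          max_success_rate=0.5):
    """Return {device_id: stats} for devices that, within window_s seconds,
    used >= min_ips distinct IPs against >= min_accounts distinct accounts
    with a success rate <= max_success_rate. Stats describe the widest
    qualifying window for that device."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e.device_id].append(e)

    flagged = {}
    for dev, evs in by_device.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside window_s.
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            ips = {e.ip for e in window}
            accounts = {e.account for e in window}
            successes = sum(e.success for e in window)
            if (len(ips) >= min_ips and len(accounts) >= min_accounts
                    and successes / len(window) <= max_success_rate):
                stats = {"ips": len(ips), "accounts": len(accounts),
                         "attempts": len(window), "successes": successes}
                if best is None or stats["attempts"] > best["attempts"]:
                    best = stats
        if best is not None:
            flagged[dev] = best
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that saw a successful login from a flagged device: the ones
    to force a password reset on, even though each came from a fresh IP."""
    return {e.account for e in events if e.device_id in flagged and e.success}


if __name__ == "__main__":
    hits = flag_stuffing_devices(EVENTS)
    for dev, stats in hits.items():
        print(f"{dev}: {stats}")
    print("reset:", sorted(compromised_accounts(EVENTS, hits)))
```

Per-IP rate limits never fire on these events, since each IP appears once or twice; the device identifier is the only key under which the five attempts collapse into one actor, and the single successful attempt is the account takeover to act on.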

For gaming customers, the Unity Fraud Detection SDK and mobile fingerprinting SDKs extend these capabilities to native game clients. That makes it harder for operations built on AIRASHI to hide behind spoofed clients or rapidly recycled accounts.

 

Practical Steps for Staying Ahead of AIRASHI and Similar Botnets

AIRASHI is likely to keep evolving, changing names, and adding new capabilities as its operators search for more profit. While defenders cannot control that development, they can make their own environments much harder to abuse.

For IPQS customers, that starts with three concrete steps:

  1. Treat DDoS and fraud as connected problems. When a botnet moves from overwhelming bandwidth to renting out nodes as residential proxies, it is still the same underlying infrastructure. Patterns learned from one phase should inform controls in the other.

  2. Adopt layered signals, not single-point checks. Combine IP reputation, residential proxy detection, and device fingerprinting so that AIRASHI traffic has to evade multiple independent scoring mechanisms before it reaches sensitive actions such as login, registration, or payment.

  3. Feed intelligence back into your rules. As you see new pockets of abuse, send those IPs, devices, and behavior patterns into IPQS blocklists and custom rules. Over time, this turns each attempted AIRASHI campaign against your property into a source of better data for the next one.

Botnets never truly disappear. They morph, rebrand, and resurface under new names. With the right IPQS data products in place, AIRASHI’s size and flexibility become a liability for its operators rather than a permanent advantage, because every attack and proxy campaign leaves fingerprints that your defenses can learn from.

 
