The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

AIRASHI Botnet

Jan 27, 2025 11:08:56 AM / by The Hivemind

AIRASHI

Related Families: AISURU

Executive Summary

AIRASHI is a variant of the AISURU botnet that has been active since at least late 2024. It is in active development and has the capability to conduct large-scale DDoS attacks.

Key Takeaways

  • AIRASHI is a variant of the AISURU botnet that has been active since at least late 2024.
  • AIRASHI uses a 0day vulnerability affecting cnPilot routers to spread itself.
  • AIRASHI’s infrastructure uses at least 60 different IP addresses, hosted in multiple countries, which may make it more difficult to dismantle the botnet. 
  • Since AIRASHI is still under active development and has the capability to conduct large-scale DDoS attacks, PolySwarm analysts consider AIRASHI to be an emerging and evolving threat. 

What is AIRASHI?

AIRASHI is a variant of the AISURU botnet that has been active since at least late 2024. QiAnXin XLab reported on AIRASHI.

The AISURU botnet is known for a large-scale DDoS attack in August 2024 that targeted distribution platforms for the Chinese game Black Myth: Wukong, including Steam and Perfect World. The attack came in four waves timed to peak gaming hours to be as disruptive as possible. AISURU ceased activity in September 2024, and an updated, streamlined version dubbed kitty was released in October 2024. In late 2024, the threat actors behind AISURU released AIRASHI, the current AISURU variant.

AIRASHI uses a 0day vulnerability affecting cnPilot routers to spread itself. It also spreads via Nday vulnerabilities and weak Telnet passwords. Strings in the samples are RC4-encrypted, and C2 communication uses HMAC-SHA256 for message verification and ChaCha20 for encryption. The names used for C2 domains (including xlabresearch, xlabsecurity, and foxthreatnointel) appear to be an attempt to mock security researchers. AIRASHI’s infrastructure uses at least 60 different IP addresses, hosted in multiple countries, which may make it more difficult to dismantle the botnet.

AIRASHI is capable of sustained terabit-level DDoS attacks, with a tested attack capacity of 1-3 Tbps. AIRASHI, which has been observed spreading to hundreds of machines per day, does not appear to target a particular vertical, although a large number of its targets have been located in China, Poland, Russia, and the US. AIRASHI is updated often and appears to be under active development. Like AISURU, it has the capability to conduct large-scale DDoS attacks. For these reasons, PolySwarm analysts consider AIRASHI to be an emerging and evolving threat.

IOCs

PolySwarm has multiple samples of AIRASHI.


75a1199fbf8abd52bc957b07ff7574ddc98719272ad9f2f0d427178ac1c60967

ab67a6ae19b9d0fc79840894a257a2ece9110e13a027b7c19c8b3a99b88cdc49

371f9279bf5ef136fb6300eb0a26b38512a01b0b0d577954db67a823c789fa02

1576598bb6fa7163dd1d578639e6b1d0ef64ef82fbf5d2d34cfd22525187570c
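The four SHA-256 indicators above are the kind of thing a responder sweeps a host or a sample share for. The following is an added example, not PolySwarm's tooling: it copies the published hashes into a set, normalizes incoming digests (case, whitespace, format check), streams files through SHA-256 so large binaries do not have to fit in memory, and walks a directory without following symlinks. The scan root and file names are whatever the caller supplies; nothing here is taken from the botnet's own code.

```python
"""IOC hash sweep for the AIRASHI SHA-256 indicators published in the post.

Added example, not PolySwarm's own tooling. The indicator set is copied from
the post; the directory layout and file names are the caller's (assumed).
"""
import hashlib
import os
import re
from pathlib import Path

# The four SHA-256 indicators published in the post.
AIRASHI_SHA256 = frozenset({
    "75a1199fbf8abd52bc957b07ff7574ddc98719272ad9f2f0d427178ac1c60967",
    "ab67a6ae19b9d0fc79840894a257a2ece9110e13a027b7c19c8b3a99b88cdc49",
    "371f9279bf5ef136fb6300eb0a26b38512a01b0b0d577954db67a823c789fa02",
    "1576598bb6fa7163dd1d578639e6b1d0ef64ef82fbf5d2d34cfd22525187570c",
})

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256(value: str) -> str:
    """Lower-case and strip a hash string; reject anything that is not a SHA-256 hex digest.
    Feeds from tickets and reports often arrive upper-cased or with stray whitespace."""
    digest = value.strip().lower()
    if not _SHA256_RE.match(digest):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return digest


def is_ioc(digest: str, iocs: frozenset = AIRASHI_SHA256) -> bool:
    """True if the digest (case-insensitive) is one of the known indicators."""
    return normalize_sha256(digest) in iocs


def sha256_of_file(path: os.PathLike, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 in 1 MiB chunks so large samples are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: os.PathLike, iocs: frozenset = AIRASHI_SHA256) -> list:
    """Walk `root` and return (path, digest) pairs whose digest matches an indicator.

    Symlinks are neither followed nor hashed, so a planted link cannot pull the
    sweep outside `root`; unreadable files are skipped rather than aborting the run.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            try:
                digest = sha256_of_file(full)
            except OSError:
                continue
            if digest in iocs:
                hits.append((str(full), digest))
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python sweep.py /path/to/scan  (defaults to the current directory)
    for path, digest in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"AIRASHI IOC match: {path} {digest}")
```

The same `sweep()` works unchanged with a larger indicator set: replace `AIRASHI_SHA256` with the full hash list exported from the portal and the walk, normalization and symlink handling stay as they are.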


You can use the following CLI command to search for all AIRASHI samples in our portal:

$ polyswarm link list -f AIRASHI


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, DDoS, Botnet, Emerging Threat, Evolving Threat, AIRASHI
