Aisuru Botnet Shifts from DDoS to Residential Proxies (krebsonsecurity.com)

🤖 AI Summary
Aisuru — the IoT botnet behind record-shattering DDoS blasts earlier this year — has been retooled from blunt-force denial-of-service attacks into a marketplace asset: hundreds of thousands of compromised routers and cameras are now being repurposed as “residential proxies” for hire. The botnet has infected at least 700,000 consumer devices and previously produced attacks up to tens of terabits/sec (6.3 Tbps against KrebsOnSecurity, later near 30 Tbps), causing ISP outages and hardware failures. Operators updated the malware to make infected customer-premises equipment (CPE) available to proxy resellers and SDK-based bandwidth-sharing schemes; these proxies are then sold or chained through reseller ecosystems (notably groups tied to IPidea/HK Network) to content-scraping customers. Industry trackers report an unprecedented spike in available residential IPs (Spur cited hundreds of millions recently), though large commercial providers like Bright Data and Oxylabs dispute those figures. For AI/ML, the shift is consequential: cheap, rotating residential IPs let large-scale scrapers blend in with ordinary user traffic, skirting rate limits and bot-detection and enabling massive, hard-to-trace data harvesting pipelines that feed LLM training and other AI projects. The change also complicates mitigation and attribution — blocking risks collateral damage to real users — while expanding the attack surface (infected CPEs) and monetization paths for cybercriminals. ISPs and defenders are sharing blocklists and tracking proxy pools, but the mix of botnets, shady resellers, and embedded SDKs makes detection and enforcement harder, raising legal, ethical and security challenges for data sourcing in AI.