Infographic on AISURU botnet: timeline of 2025 DDoS records up to 11.5 Tbps, diagram of 300,000-node network from Totolink compromise, profiles of leaders Snow (dev), Tom (vulns), Forky (sales), social media leak screenshots, Easter egg icons, and warning

The AISURU botnet, first uncovered by XLab in August 2024 during DDoS attacks on the "Black Myth: Wukong" game platform, has fueled record-breaking global assaults peaking at 11.5 Tbps since early 2025. XLab's monitoring detected ongoing sample expansions, with the botnet now boasting around 300,000 nodes after a major April 2025 compromise of a Totolink router firmware update server, which distributed malicious scripts to infect updating devices. Some samples include ideological "Easter eggs," prompting XLab to share findings and rally the security community against this escalating threat.


An anonymous source revealed AISURU's core trio—Snow (botnet development), Tom (vulnerability research, including 0-days), and Forky (sales)—who formed the group in 2022 after collaborations like the catddos botnet. Tom's breach of the Totolink server skyrocketed infections beyond 100,000 nodes, forcing rushed C2 configurations and GRE tunneling for traffic management. Despite the group's flamboyant, "fun"-driven attacks on ISPs and erratic behavior—mocked as "mentally unstable" in samples—they've drawn widespread enmity in the DDoS underworld.


By late April 2025, rivals leaked evidence on social media, including a 340,000-node panel screenshot under a Cloudflare post about a 5.8 Tbps mitigation, tagging Totolink and Interpol to spur takedowns. Though the Totolink flaw is patched—AISURU quipped "RIP TOTOLINK 2025-2025"—the botnet persists at 300,000 nodes, testing attacks like one on journalist Brian Krebs' site before the September 12.1 Tbps record. XLab urges collaborative efforts to dismantle this powerful, ideologically tinged mega-botnet.
 