Aisuru Botnet: DDoS to Residential Proxies – Krebs on Security

October 29, 2025 Lisa Park Tech

A breakdown of the key facts from the Krebs on Security report, focusing on the botnets, actors, and technical details:

1. Botnets Involved:

* BADBOX 2.0: Compromised millions of IoT devices (smart TVs, projectors, vehicle infotainment, picture frames, etc.). It exploited devices running uncertified Android software lacking Google’s security protections. Used for ad fraud and other digital crimes.
* Aisuru: A newer botnet. It has its own software development kit (SDK) and forces infected systems to query the domain name “fuckbriankrebs[.]com”.

2. Key Actors/Groups:

* FBI’s Internet Crime Complaint Center (IC3): Issued a warning about BADBOX 2.0.
* Google: Filed a lawsuit against the alleged perpetrators of the Badbox botnet.
* Forky: An alleged partner in the Badbox botnet, identified as a young man from Sao Paulo, Brazil. Seems to have a personal vendetta against KrebsOnSecurity (Brian Krebs).
* Brian Krebs (KrebsOnSecurity): Security researcher and author of the KrebsOnSecurity blog. Targeted by the Aisuru botnet’s domain query.
* Philippe Caturegli (Seralysis): “Chief hacking officer” at Seralysis, a security intelligence company. He registered the “fuckbriankrebs[.]com” domain.
* Brundage: A security researcher who provided insights into the Aisuru botnet.

3. Technical Details & Indicators:

* Domain Name: fuckbriankrebs[.]com - Aisuru-infected systems are programmed to query this domain. It’s likely a taunt directed at Brian Krebs.
* Traffic Analysis: After registering the domain, Seralysis received over 700,000 requests for unique subdomains on “fuckbriankrebs[.]com” within hours. This indicates a large number of infected devices checking in. Each IP address requested its own unique subdomain.
* Android Exploitation: BADBOX 2.0 specifically targeted Android’s open-source software lacking Google’s security protections.
* SDK: Aisuru uses its own SDK to infect systems.
* Potential Kill Switch (Dismissed): There was initial speculation that the domain could be a kill switch, but experts believe this is unlikely.
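
As an added example (not from the original article), the check-in behaviour described above can be turned into a DNS-log check that matches the indicator domain and its subdomains on a label boundary and groups hits by client. The log format, client addresses and subdomain labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicator from the article, stored defanged and refanged only at runtime.
IOC_DEFANGED = "fuckbriankrebs[.]com"

def normalize(name: str) -> str:
    """Refang, lowercase and drop the trailing root dot of a DNS name."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()

def matches_ioc(qname: str, ioc: str = IOC_DEFANGED) -> bool:
    """True for the indicator domain or any subdomain (label-boundary match)."""
    q, d = normalize(qname), normalize(ioc)
    return q == d or q.endswith("." + d)

# Assumed log format: "<timestamp> <client-ip> <qname> <qtype>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def summarize(lines):
    """Map each client IP to the set of indicator names it queried."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        _ts, client, qname, _qtype = m.groups()
        if matches_ioc(qname):
            hits[client].add(normalize(qname))
    return dict(hits)

D = normalize(IOC_DEFANGED)
# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    f"2025-10-29T10:00:01Z 10.0.0.21 k3x9q.{D} A",
    f"2025-10-29T10:00:02Z 10.0.0.21 K3X9Q.{D}. A",      # same name: case, root dot
    f"2025-10-29T10:00:05Z 10.0.0.37 p7m2z.{D} A",
    f"2025-10-29T10:00:09Z 10.0.0.40 not{D} A",          # lookalike, no label boundary
    f"2025-10-29T10:00:11Z 10.0.0.40 {D}.example.net A", # indicator as prefix only
    "2025-10-29T10:00:12Z 10.0.0.52 www.example.org AAAA",
    "malformed line",
]

if __name__ == "__main__":
    for client, names in sorted(summarize(SAMPLE_LOG).items()):
        print(client, len(names), sorted(names))
```

A plain substring match would also flag the two lookalike names from 10.0.0.40; the label-boundary comparison is what keeps them out of the results.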

4. Timeline (approximate):

* June 5: IC3 warns about BADBOX 2.0.
* June: KrebsOnSecurity identifies “Forky” as a potential Badbox actor.
* July: Google files lawsuit against Badbox perpetrators.
* October (2025): The domain “fuckbriankrebs[.]com” is registered by Seralysis, revealing the Aisuru botnet’s check-in behaviour.

In essence, the article details two separate but related botnet threats, highlighting the ongoing challenges of IoT security and the malicious activities of cybercriminals. The “fuckbriankrebs[.]com” domain serves as a peculiar indicator of compromise for the Aisuru botnet and a clear sign of antagonism towards a security researcher.
