Threat actors have been exploiting an unspecified zero-day vulnerability in Cambium Networks' cnPilot routers to deploy a variant of the AISURU botnet malware, now dubbed AIRASHI.
According to cybersecurity firm QiAnXin XLab, the attacks have been active since June 2024, with the flaw used to infect the routers and enlist them in the botnet.
In addition to the cnPilot routers, the AIRASHI botnet has also been exploiting vulnerabilities in other network devices, including Zyxel firewalls, DrayTek and Linksys routers, as well as AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT products.
“The operator of AIRASHI has been posting their DDoS capability test results on Telegram,” said XLab. “From historical data, it’s clear that the botnet’s attack capacity remains stable, ranging between 1 and 3 Tbps.”
The AIRASHI botnet’s primary targets are China, the United States, Poland, and Russia, with compromised devices also spotted in Brazil, Vietnam, and Indonesia.
“There is no clear, strong targeting strategy. The botnet typically attacks several hundred targets each day,” the researchers wrote in the technical report.
AIRASHI is a variant of the AISURU botnet, also known as NAKOTNE, which was flagged by XLab in August 2024. Initially suspected to have suspended operations in September 2024, AISURU reemerged in October with updates and modifications as AIRASHI. The malware comes in two versions: DDoS and Proxyware.
AIRASHI-DDoS (first detected in late October 2024) is primarily focused on DDoS attacks, but it also supports arbitrary command execution and reverse shell access.
AIRASHI-Proxy (first detected in December 2024) is a more advanced variant that adds proxy functionality alongside its DDoS capabilities. This variant uses a new network protocol that combines HMAC-SHA256 (for message authentication) with the ChaCha20 stream cipher (for encryption) in its command-and-control communications. AIRASHI-Proxy has five distinct message types, in contrast with AIRASHI-DDoS’s 13.
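The report names the two primitives but this page does not describe how AIRASHI-Proxy frames its messages, so the following is an added illustration, not XLab's analysis code or the malware's own protocol. It shows the standard encrypt-then-MAC way of pairing a ChaCha20 stream cipher (implemented here in pure Python from RFC 8439 and checked against the RFC's test vector) with an HMAC-SHA256 tag, and the check an analyst or defender would expect: the tag is verified in constant time before anything is decrypted. The frame layout (one-byte message type, 12-byte nonce, ciphertext, 32-byte tag), the keys, and the sample payload are all constructed assumptions.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF

# --- ChaCha20 per RFC 8439 (pure Python, for illustration only) ---------------

def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block from a 256-bit key, 32-bit counter, 96-bit nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8I", key)
    state += [counter & MASK32]
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column, then diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))

def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)

# RFC 8439 section 2.4.2 test vector, used to confirm the cipher is right.
RFC8439_KEY = bytes(range(32))
RFC8439_NONCE = bytes.fromhex("000000000000004a00000000")
SUNSCREEN = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
             b"only one tip for the future, sunscreen would be it.")

# --- Hypothetical encrypt-then-MAC frame (assumed layout, not AIRASHI's) -------
# type(1) | nonce(12) | ciphertext | HMAC-SHA256 tag(32) over type+nonce+ciphertext
HEADER_LEN = 1 + 12
TAG_LEN = 32

def seal(enc_key, mac_key, nonce, msg_type, plaintext):
    header = bytes([msg_type]) + nonce
    ciphertext = chacha20_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag

def open_frame(enc_key, mac_key, frame):
    """Return (msg_type, plaintext), or None if the frame is short or its tag fails."""
    if len(frame) < HEADER_LEN + TAG_LEN:
        return None
    header, ciphertext, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time; verify before decrypting
        return None
    return header[0], chacha20_xor(enc_key, header[1:], ciphertext)

# Constructed demo keys, nonce and payload (not recovered from any sample).
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()
NONCE = bytes(range(12))
PAYLOAD = b"constructed sample payload"

def demo_roundtrip():
    return open_frame(ENC_KEY, MAC_KEY, seal(ENC_KEY, MAC_KEY, NONCE, 0x01, PAYLOAD))

def demo_tamper():
    frame = bytearray(seal(ENC_KEY, MAC_KEY, NONCE, 0x01, PAYLOAD))
    frame[HEADER_LEN] ^= 0x01  # flip one ciphertext bit; the tag must now fail
    return open_frame(ENC_KEY, MAC_KEY, bytes(frame))

if __name__ == "__main__":
    print(demo_roundtrip(), demo_tamper())
```

Two points the example makes that the news text does not: the tag must cover the header as well as the ciphertext, or an attacker could swap message types without detection, and the nonce is fixed here only for reproducibility; in a real protocol it must never repeat under the same key, since ChaCha20 keystream reuse lets an observer XOR two ciphertexts together.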