Hackers Exploit Zero-Day Vulnerability in cnPilot Routers to Launch AIRASHI DDoS Botnet


Threat actors are exploiting an undisclosed zero-day vulnerability in Cambium Networks cnPilot routers to deploy AIRASHI, a variant of the AISURU botnet, for conducting distributed denial-of-service (DDoS) attacks.

According to QiAnXin XLab, the vulnerability has been actively exploited since June 2024. XLab has withheld specific details of the flaw to avoid enabling further exploitation.

The botnet also leverages several known vulnerabilities, including CVE-2013-3307, CVE-2016-20016, CVE-2017-5259, CVE-2018-14558, CVE-2020-25499, CVE-2020-8515, CVE-2022-3573, CVE-2022-40005, CVE-2022-44149, CVE-2023-28771, and others affecting AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT devices.

“The AIRASHI operator has been sharing DDoS capability test results on Telegram,” XLab reported. “Historical data indicates the botnet maintains an attack capacity of 1-3 Tbps.”

Most compromised devices are located in Brazil, Russia, Vietnam, and Indonesia, with the botnet primarily targeting entities in China, the United States, Poland, and Russia.

AISURU (also known as NAKOTNE), the botnet from which AIRASHI derives, was previously linked to an August 2024 DDoS attack targeting Steam during the launch of the game Black Myth: Wukong. AIRASHI samples now include proxyware functionality, suggesting an expansion of services beyond DDoS attacks.

AISURU temporarily halted operations in September 2024, only to resurface in October with updated features (“kitty”) and again in late November as AIRASHI.

“The ‘kitty’ variant began spreading in early October 2024,” XLab noted. “It simplified the network protocol and adopted SOCKS5 proxies for C2 communication by the end of the month.”

AIRASHI exists in at least two forms:

  1. AIRASHI-DDoS: Detected in late October 2024, this variant focuses on DDoS attacks, while also supporting arbitrary command execution and reverse shell access.
  2. AIRASHI-Proxy: Detected in early December 2024, this is a modified version of AIRASHI-DDoS that incorporates proxy functionality.

Both variants utilize a new network protocol that uses HMAC-SHA256 for message authentication and ChaCha20 for encryption of C2 traffic. AIRASHI-DDoS supports 13 message types, while AIRASHI-Proxy supports five.

The findings highlight how attackers combine a single unpatched zero-day with publicly known IoT vulnerabilities, some dating back to 2013, to assemble botnets capable of executing high-impact DDoS attacks.

In parallel, QiAnXin uncovered a cross-platform backdoor, alphatronBot, targeting Chinese government entities and enterprises since early 2023. This malware uses infected Windows and Linux systems to form a botnet and communicates via the open-source peer-to-peer (P2P) chat application PeerChat.

The decentralized P2P protocol allows attackers to issue commands from any compromised node, removing the need for a central C2 server and with it the single point that a takedown or sinkhole would normally target, which increases the botnet’s resilience.

“The 700+ P2P networks managed by alphatronBot consist of infected devices from over 80 countries,” XLab said. “The nodes include MikroTik routers, Hikvision cameras, VPS servers, DLink routers, and other CPE devices.”

In 2023, XLab also revealed a payload delivery framework named DarkCracks. It uses compromised GLPI and WordPress sites as downloaders and C2 servers.

“DarkCracks primarily aims to exfiltrate sensitive data, maintain persistent access, and use infected high-performance devices as relay nodes for controlling other systems or delivering malware. This strategy effectively obfuscates the attacker’s footprint,” XLab explained.

Victims of DarkCracks include critical infrastructure systems such as school websites, public transportation platforms, and prison visitation systems.

