{
	"id": "08f4200a-5d3a-4fcb-9a25-ec880275c371",
	"created_at": "2026-04-06T01:29:04.745661Z",
	"updated_at": "2026-04-10T03:21:29.429439Z",
	"deleted_at": null,
	"sha1_hash": "1f25dd3f039ca2ee184648a116ea161f40348bd4",
	"title": "Cloudflare Scrubs Aisuru Botnet from Top Domains List",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 256595,
	"plain_text": "Cloudflare Scrubs Aisuru Botnet from Top Domains List\r\nPublished: 2025-11-06 · Archived: 2026-04-06 01:21:51 UTC\r\nFor the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare’s public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. The chief executive at Cloudflare says Aisuru’s overlords are using the botnet to boost their malicious domain rankings, while simultaneously attacking the company’s domain name system (DNS) service.\r\nThe #1 and #3 positions in this chart are Aisuru botnet controllers with their full domain names redacted. Source: radar.cloudflare.com.\r\nAisuru is a rapidly growing botnet comprising hundreds of thousands of hacked Internet of Things (IoT) devices, such as poorly secured Internet routers and security cameras. The botnet has increased in size and firepower significantly since its debut in 2024, demonstrating the ability to launch record distributed denial-of-service (DDoS) attacks nearing 30 terabits of data per second.\r\nUntil recently, Aisuru’s malicious code instructed all infected systems to use DNS servers from Google — specifically, the servers at 8.8.8.8. But in early October, Aisuru switched to invoking Cloudflare’s main DNS server — 1.1.1.1 — and over the past week domains used by Aisuru to control infected systems started populating Cloudflare’s top domain rankings.\r\nAs screenshots of Aisuru domains claiming two of the Top 10 positions ping-ponged across social media, many feared this was yet another sign that an already untamable botnet was running completely amok. One Aisuru botnet domain that sat prominently for days at #1 on the list was someone’s street address in Massachusetts followed by “.com”. Other Aisuru domains mimicked those belonging to major cloud providers.\r\nCloudflare tried to address these security, brand confusion and privacy concerns by partially redacting the malicious domains, and adding a warning at the top of its rankings:\r\n“Note that the top 100 domains and trending domains lists include domains with organic activity as well as domains with emerging malicious behavior.”\r\nCloudflare CEO Matthew Prince told KrebsOnSecurity the company’s domain ranking system is fairly simplistic, and that it merely measures the volume of DNS queries to 1.1.1.1.\r\n“The attacker is just generating a ton of requests, maybe to influence the ranking but also to attack our DNS service,” Prince said, adding that Cloudflare has heard reports of other large public DNS services seeing a similar uptick in attacks. “We’re fixing the ranking to make it smarter. And, in the meantime, redacting any sites we classify as malware.”\r\nRenee Burton, vice president of threat intel at the DNS security firm Infoblox, said many people erroneously assumed that the skewed Cloudflare domain rankings meant there were more bot-infected devices than there were regular devices querying sites like Google and Apple and Microsoft.\r\n“Cloudflare’s documentation is clear — they know that when it comes to ranking domains you have to make choices on how to normalize things,” Burton wrote on LinkedIn. “There are many aspects that are simply out of your control. Why is it hard? Because reasons. TTL values, caching, prefetching, architecture, load balancing. Things that have shared control between the domain owner and everything in between.”\r\nAlex Greenland is CEO of the anti-phishing and security firm Epi. Greenland said he understands the technical reason why Aisuru botnet domains are showing up in Cloudflare’s rankings (those rankings are based on DNS query volume, not actual web visits). But he said they’re still not meant to be there.\r\n“It’s a failure on Cloudflare’s part, and reveals a compromise of the trust and integrity of their rankings,” he said.\r\nGreenland said Cloudflare planned for its Domain Rankings to list the most popular domains as used by human users, and it was never meant to be a raw calculation of query frequency or traffic volume going through their 1.1.1.1 DNS resolver.\r\n“They spelled out how their popularity algorithm is designed to reflect real human use and exclude automated traffic (they said they’re good at this),” Greenland wrote on LinkedIn. “So something has evidently gone wrong internally. We should have two rankings: one representing trust and real human use, and another derived from raw DNS volume.”\r\nWhy might it be a good idea to wholly separate malicious domains from the list? Greenland notes that Cloudflare Domain Rankings see widespread use for trust and safety determination, by browsers, DNS resolvers, safe browsing APIs and things like TRANCO.\r\n“TRANCO is a respected open source list of the top million domains, and Cloudflare Radar is one of their five data providers,” he continued. “So there can be serious knock-on effects when a malicious domain features in Cloudflare’s top 10/100/1000/million. To many people and systems, the top 10 and 100 are naively considered safe and trusted, even though algorithmically-defined top-N lists will always be somewhat crude.”\r\nOver this past week, Cloudflare started redacting portions of the malicious Aisuru domains from its Top Domains list, leaving only their domain suffix visible. Sometime in the past 24 hours, Cloudflare appears to have begun hiding the malicious Aisuru domains entirely from the web version of that list. However, downloading a spreadsheet of the current Top 200 domains from Cloudflare Radar shows an Aisuru domain still at the very top.\r\nAccording to Cloudflare’s website, the majority of DNS queries to the top Aisuru domains — nearly 52 percent — originated from the United States. This tracks with my reporting from early October, which found Aisuru was drawing most of its firepower from IoT devices hosted on U.S. Internet providers like AT\u0026T, Comcast and Verizon.\r\nExperts tracking Aisuru say the botnet relies on well more than a hundred control servers, and that for the moment at least, most of those domains are registered in the .su top-level domain (TLD). Dot-su is the TLD assigned to the former Soviet Union (.su’s Wikipedia page says the TLD was created just 15 months before the fall of the Berlin wall).\r\nA Cloudflare blog post from October 27 found that .su had the highest “DNS magnitude” of any TLD, referring to a metric estimating the popularity of a TLD based on the number of unique networks querying Cloudflare’s 1.1.1.1 resolver. The report concluded that the top .su hostnames were associated with a popular online world-building game, and that more than half of the queries for that TLD came from the United States, Brazil and Germany [it’s worth noting that servers for the world-building game Minecraft were some of Aisuru’s most frequent targets].\r\nA simple and crude way to detect Aisuru bot activity on a network may be to set an alert on any systems attempting to contact domains ending in .su. This TLD is frequently abused for cybercrime and by cybercrime forums and services, and blocking access to it entirely is unlikely to raise any legitimate complaints.\r\nSource: https://krebsonsecurity.com/2025/11/cloudflare-scrubs-aisuru-botnet-from-top-domains-list/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2025/11/cloudflare-scrubs-aisuru-botnet-from-top-domains-list/"
	],
	"report_names": [
		"cloudflare-scrubs-aisuru-botnet-from-top-domains-list"
	],
	"threat_actors": [],
	"ts_created_at": 1775438944,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f25dd3f039ca2ee184648a116ea161f40348bd4.pdf",
		"text": "https://archive.orkl.eu/1f25dd3f039ca2ee184648a116ea161f40348bd4.txt",
		"img": "https://archive.orkl.eu/1f25dd3f039ca2ee184648a116ea161f40348bd4.jpg"
	}
}