Botnet Domains Top Global Charts
For over a week, domains associated with the powerful Aisuru IoT botnet managed to usurp tech giants like Google and Apple on Cloudflare’s public list of most-requested websites. The malicious domains, which serve as command-and-control servers for the botnet, appeared in the #1 and #3 spots, causing significant concern across the cybersecurity community.
The manipulation was achieved after the botnet’s operators switched its DNS resolver to Cloudflare’s 1.1.1.1 service. Because Cloudflare’s ranking reflects the query volume its resolver sees, directing hundreds of thousands of infected IoT devices to generate a massive volume of DNS queries artificially inflated the botnet domains’ rankings. Cloudflare CEO Matthew Prince confirmed this activity was an attempt to influence the rankings while simultaneously attacking Cloudflare’s DNS infrastructure.
Cloudflare’s Response and Industry Fallout
In response, Cloudflare began by redacting the malicious domain names from its list and later removed them from the public web view entirely. However, security experts highlighted a significant risk, because Cloudflare’s rankings are consumed by other services, such as the Tranco top domains list, for trust and safety determinations. Alex Greenland, CEO of Epi, called the incident a “failure on Cloudflare’s part,” stating that the inclusion of malicious domains compromises the integrity of systems that rely on these lists to identify safe websites.
The Aisuru botnet continues to be a major threat, capable of launching DDoS attacks nearing 30 terabits per second. A significant portion of its firepower originates from compromised devices in the United States, and it heavily utilizes the .su (former Soviet Union) top-level domain for its control servers. Security professionals suggest that monitoring or blocking traffic to the .su TLD could be a simple, effective mitigation strategy.
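As an added illustration of the monitoring suggestion above (example code, not from the original article or from Cloudflare): a small Python routine that reads constructed resolver-style query logs, flags queries for the .su TLD, and separately flags any single client repeatedly resolving one name, which is the pattern behind the ranking inflation described earlier. The log format, domain names and client addresses are constructed placeholders, not real indicators.

```python
import re
from collections import Counter, defaultdict

# Constructed sample resolver log lines (placeholder names, not real Aisuru C2):
# "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2025-11-01T10:00:01Z 198.51.100.7 www.google.com A
2025-11-01T10:00:01Z 198.51.100.7 c2-placeholder.su A
2025-11-01T10:00:02Z 198.51.100.7 c2-placeholder.su A
2025-11-01T10:00:02Z 198.51.100.7 c2-placeholder.su A
2025-11-01T10:00:03Z 198.51.100.7 c2-placeholder.su A
2025-11-01T10:00:03Z 203.0.113.9 www.apple.com A
2025-11-01T10:00:04Z 203.0.113.9 update.example.su AAAA
2025-11-01T10:00:05Z 192.0.2.44 www.google.com A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Normalise case and a trailing dot so "C2.SU." matches "c2.su".
            yield m.group(1), m.group(2), m.group(3).lower().rstrip(".")


def tld_of(qname):
    """Return the rightmost label of a query name, e.g. 'su' for 'a.b.su'."""
    return qname.rsplit(".", 1)[-1]


def flag_tld_queries(text, watched_tlds=("su",)):
    """Return {client: [qnames]} for every query whose TLD is on the watch list."""
    hits = defaultdict(list)
    for _, client, qname in parse_log(text):
        if tld_of(qname) in watched_tlds:
            hits[client].append(qname)
    return dict(hits)


def flag_repeat_queriers(text, threshold):
    """Return {(client, qname): count} for pairs seen at least `threshold` times.
    One client hammering one name is the signal behind the inflated rankings."""
    counts = Counter((client, qname) for _, client, qname in parse_log(text))
    return {pair: n for pair, n in counts.items() if n >= threshold}
```

In production the threshold would be set from a baseline of normal per-client query rates, and the TLD watch list from the organisation's own policy rather than the single entry used here.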