Cloudflare Scrubs Aisuru Botnet from Top Domains List

December 2, 2025
By ZadeNor AI Team

The Aisuru Botnet's Rise to Infamy: Cloudflare Scrubs Malicious Domains from Top Domains List

For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google, and Microsoft in Cloudflare's public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list, sparking a heated debate about the implications of this move and the potential consequences for online security.

The Aisuru Botnet: A Growing Threat

Aisuru is a rapidly growing botnet comprising hundreds of thousands of hacked Internet of Things (IoT) devices, such as poorly secured Internet routers and security cameras. The botnet has increased in size and firepower significantly since its debut in 2024, demonstrating the ability to launch record distributed denial-of-service (DDoS) attacks nearing 30 terabits of data per second.

Cloudflare's Response: Redacting Malicious Domains

Cloudflare CEO Matthew Prince told KrebsOnSecurity that the company's domain ranking system is fairly simplistic, and that it merely measures the volume of DNS queries to 1.1.1.1. Prince stated that the attacker is "just generating a ton of requests, maybe to influence the ranking but also to attack our DNS service." In response, Cloudflare has redacted Aisuru domain names from their top websites list, leaving only their domain suffix visible.

The Implications of Redacting Malicious Domains

Renee Burton, vice president of threat intel at the DNS security firm Infoblox, noted that many people erroneously assumed that the skewed Cloudflare domain rankings meant there were more bot-infected devices than there were regular devices querying sites like Google, Apple, and Microsoft. Burton stated that Cloudflare's documentation is clear – they know that when it comes to ranking domains, you have to make choices on how to normalize things.

The Failure of Cloudflare's Rankings

Alex Greenland, CEO of the anti-phishing and security firm Epi, said that he understands the technical reason why Aisuru botnet domains are showing up in Cloudflare's rankings (those rankings are based on DNS query volume, not actual web visits). However, Greenland stated that they're still not meant to be there. He said that Cloudflare planned for its Domain Rankings to list the most popular domains as used by human users, and it was never meant to be a raw calculation of query frequency or traffic volume going through their 1.1.1.1 DNS resolver.

The Importance of Separating Malicious Domains

Greenland noted that Cloudflare Domain Rankings see widespread use for trust and safety determination, by browsers, DNS resolvers, safe browsing APIs, and things like TRANCO. He stated that TRANCO is a respected open-source list of the top million domains, and Cloudflare Radar is one of their five data providers. Sometime in the past 24 hours, Cloudflare appears to have begun hiding the malicious Aisuru domains entirely from the web version of that list.

The Aisuru Botnet's Infrastructure

Experts tracking Aisuru say the botnet relies on well more than a hundred control servers, and that for the moment at least most of those domains are registered in the .su top-level domain (TLD). Dot-su is the TLD assigned to the former Soviet Union (.su's Wikipedia page says the TLD was created just 15 months before the fall of the Berlin Wall).

Detecting Aisuru Bot Activity

A simple and crude way to detect Aisuru bot activity on a network may be to set an alert on any systems attempting to contact domains ending in .su. This TLD is frequently abused for cybercrime and by cybercrime forums and services, and blocking access to it entirely is unlikely to raise any legitimate complaints.
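
The alert described above can be prototyped against resolver query logs. The following is an added example, not code from the original article or from Cloudflare; it assumes dnsmasq-style query log lines, and the hostnames, client addresses and log entries are constructed for illustration. It matches on the rightmost DNS label so that names such as su.example.com or example.support are not flagged.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style query log lines (illustrative, not real traffic).
SAMPLE_LOG = """\
Dec  2 10:00:01 dnsmasq[812]: query[A] www.google.com from 192.168.1.10
Dec  2 10:00:02 dnsmasq[812]: query[A] node1.example.su from 192.168.1.23
Dec  2 10:00:02 dnsmasq[812]: query[AAAA] NODE1.EXAMPLE.SU. from 192.168.1.23
Dec  2 10:00:03 dnsmasq[812]: query[A] su.example.com from 192.168.1.10
Dec  2 10:00:04 dnsmasq[812]: query[A] status.example.support from 192.168.1.11
Dec  2 10:00:05 dnsmasq[812]: query[TXT] beacon.example.su from 192.168.1.40
Dec  2 10:00:06 dnsmasq[812]: reply www.google.com is 203.0.113.10
"""

# Only "query[...] <name> from <client>" lines are of interest.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)
WATCHED_TLDS = {"su"}  # assumption: alert on .su only, per the article


def tld_of(name):
    """Return the rightmost label, lowercased, ignoring a trailing root dot."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] if labels and labels[-1] else ""


def find_su_lookups(log_text, watched=WATCHED_TLDS):
    """Map client IP -> sorted list of distinct watched-TLD names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies, cache hits and other log noise
        name = m.group("name")
        if tld_of(name) in watched:
            # Normalise so "NODE1.EXAMPLE.SU." and "node1.example.su" dedupe.
            hits[m.group("client")].add(name.rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_su_lookups(SAMPLE_LOG).items()):
        print(f"ALERT {client} queried .su names: {', '.join(names)}")
```

Grouping hits by client turns the raw matches into a short list of internal systems to investigate.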

Conclusion

The Aisuru botnet's rise to infamy has highlighted the importance of online security and the need for robust measures to prevent and mitigate the impact of botnets. Cloudflare's response to the situation has sparked a heated debate about the implications of redacting malicious domains from their top websites list. As the situation continues to unfold, it is essential to remain vigilant and take proactive steps to protect against the growing threat of botnets.

Forward-Looking Thoughts

The Aisuru botnet's rise to infamy serves as a reminder of the importance of staying ahead of emerging threats and adapting to the ever-evolving landscape of online security. As the situation continues to unfold, it is essential to:

  • Continuously monitor and analyze the botnet's activity and infrastructure
  • Develop and implement effective measures to prevent and mitigate the impact of botnets
  • Collaborate with industry stakeholders and experts to share knowledge and best practices
  • Stay informed about emerging threats and adapt to the changing landscape of online security

By taking a proactive and collaborative approach, we can work together to prevent and mitigate the impact of botnets and ensure a safer online environment for all.


Source: https://krebsonsecurity.com/2025/11/cloudflare-scrubs-aisuru-botnet-from-top-domains-list/

About the Author

ZadeNor AI Team is a leading expert in CYBERSECURITY, contributing to cutting-edge research and development in the field.
