Botnet Beats Big Tech: Aisuru Overtakes Google in Cloudflare’s Popularity Ranking
Cloudflare has encountered an unexpected phenomenon: in its public ranking of the most popular domains, websites associated with the Aisuru botnet suddenly surged to the top, surpassing Amazon, Apple, Google, and Microsoft for an entire week. Following this anomaly, Cloudflare began concealing the names of these malicious domains from its list, and the company’s CEO admitted that Aisuru’s operators were using the botnet not only to manipulate rankings but also to attack Cloudflare’s DNS infrastructure.
Aisuru is a rapidly expanding botnet comprising hundreds of thousands of compromised Internet of Things devices—home routers, surveillance cameras, and other poorly secured electronics. Since its emergence in 2024, it has grown significantly, demonstrating the ability to conduct DDoS attacks reaching up to 30 terabits per second. Initially, infected devices communicated with Google’s DNS servers (8.8.8.8), but in October the botnet switched to Cloudflare’s (1.1.1.1). Soon after, the domains used by Aisuru to control its infected network began appearing en masse in Cloudflare Radar’s popularity rankings.
Screenshots showing these malicious sites at the top of the chart spread rapidly across social media, sparking fears that the botnet had spun completely out of control. One domain, which held the top spot for days, resembled a residential address in Massachusetts ending in “.com,” while others mimicked the names of major cloud service providers.
To prevent confusion and safeguard users, Cloudflare began partially obscuring such domain names and added warnings about their potentially malicious nature. According to CEO Matthew Prince, the ranking algorithm relies solely on the volume of DNS requests, so the same flood of queries that pushed the botnet's domains up the chart was also a DNS-layer attack on Cloudflare's infrastructure. The company has since pledged to revise its ranking methodology and to temporarily hide all domains identified as malicious.
Analysts at Infoblox noted that many users misinterpreted the rankings, assuming that infected devices now outnumbered legitimate Cloudflare clients. In reality, the system does not account for numerous factors—such as caching and load balancing—making such distortions possible.
Alex Greenland, head of the anti-phishing firm Epi, argued that the current structure of the ranking undermines trust in Cloudflare, as it was originally meant to highlight domains popular among real users, not machine-generated traffic flows. He proposed dividing the ranking into two categories—one for human activity and another for raw DNS data—emphasizing the importance of this distinction, since Cloudflare’s lists are often used to assess website reputation in browsers, Safe Browsing APIs, and ranking systems like Tranco. The inclusion of malicious domains in the top 100, he warned, could trigger a chain reaction of misclassifications in filtering systems.
Over the past week, Cloudflare has gradually purged all traces of Aisuru from its rankings, and as of now, the botnet’s presence on Radar has nearly vanished. However, data exports still show one Aisuru domain occupying the top position. According to Cloudflare’s statistics, more than half of all DNS requests to Aisuru-related domains originate from the United States, aligning with earlier findings that most infected IoT devices are hosted by AT&T, Comcast, and Verizon.
Researchers note that the botnet is managed through hundreds of servers, most of which are registered under the .su domain zone, a relic of the former Soviet Union. Cloudflare’s data shows that .su currently holds the highest “DNS weight”—a metric reflecting the zone’s popularity based on the number of networks querying 1.1.1.1. Although part of this traffic stems from gaming services like Minecraft, the domain has long been a favored haven for cybercriminals.
The simplest way to detect Aisuru’s presence on a network is to monitor any connections to .su domains. This domain extension is frequently used for malicious services, and blocking it rarely causes issues for legitimate users.
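The following script is an added illustration, not code from Cloudflare or from the article's author. It shows two things the article describes: why a popularity ranking built on raw DNS query volume can be inflated by a small number of very chatty clients, while counting distinct client networks (a loose analogue of the "DNS weight" metric mentioned above) is far less sensitive to that; and how a defender can pull .su lookups out of a resolver log to find hosts worth investigating. The log format (timestamp, client IP, query name, query type), the sample lines, and the /24 approximation of a "network" are all constructed assumptions; real resolver logs and a Public Suffix List lookup for the registrable domain would replace them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not real Cloudflare or Aisuru data).
# Assumed format per line: "<timestamp> <client_ip> <qname> <qtype>".
# Two hosts in one /24 hammer a .su name; three other networks each make
# a few lookups for ordinary domains.
SAMPLE_LOG = """\
2025-11-01T10:00:00Z 198.51.100.7 c2-node1.example.su A
2025-11-01T10:00:05Z 198.51.100.7 c2-node1.example.su A
2025-11-01T10:00:10Z 198.51.100.7 c2-node2.example.su A
2025-11-01T10:00:15Z 198.51.100.7 c2-node2.example.su A
2025-11-01T10:00:20Z 198.51.100.9 c2-node1.example.su A
2025-11-01T10:00:25Z 198.51.100.9 c2-node1.example.su A
2025-11-01T10:00:30Z 198.51.100.9 c2-node2.example.su A
2025-11-01T10:01:00Z 203.0.113.10 www.example.com A
2025-11-01T10:01:05Z 192.0.2.5 www.example.com AAAA
2025-11-01T10:01:10Z 172.16.4.20 www.example.com A
2025-11-01T10:01:15Z 203.0.113.10 cdn.example.net A
2025-11-01T10:01:20Z 192.0.2.5 cdn.example.net A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, qname, qtype) tuples.
    Query names are normalised to lower case without a trailing dot."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, qname, qtype = m.groups()
        records.append((ts, client, qname.rstrip(".").lower(), qtype))
    return records


def registrable_domain(qname):
    """Simplification: last two labels. Production code should use the
    Public Suffix List so that names under co.uk etc. are handled."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def client_network(ip):
    """Approximate a client's 'network' by its IPv4 /24 (assumption)."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def rank_by_query_volume(records, n=3):
    """Popularity as raw query count: one noisy client can dominate."""
    counts = Counter(registrable_domain(r[2]) for r in records)
    return counts.most_common(n)


def rank_by_distinct_networks(records, n=3):
    """Popularity as number of distinct client networks asking for the
    domain: repeated queries from the same network count once."""
    nets = defaultdict(set)
    for _, client, qname, _ in records:
        nets[registrable_domain(qname)].add(client_network(client))
    return Counter({d: len(s) for d, s in nets.items()}).most_common(n)


def su_queries(records):
    """Every record whose query name is under the .su zone."""
    return [r for r in records if r[2] == "su" or r[2].endswith(".su")]


def su_clients(records):
    """Map each client IP that queried a .su name to its query count;
    these are the hosts a defender would look at first."""
    return dict(Counter(r[1] for r in su_queries(records)))


RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("by raw query volume:    ", rank_by_query_volume(RECORDS))
    print("by distinct networks:   ", rank_by_distinct_networks(RECORDS))
    print("clients querying .su:   ", su_clients(RECORDS))
```

On the sample data the volume ranking puts the .su name first with seven queries, while the distinct-network ranking drops it to last with a single network, which is the distortion the article attributes to the Radar list. For the detection side, alerting on `su_clients` is a safer first step than an outright block: the article itself notes that part of the .su traffic comes from gaming services such as Minecraft, so a block list should be checked against the hosts and names actually seen before it is enforced.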