Aisuru IoT Botnet - Cloudflare DNS Rankings Manipulated
Category:Threat Alerts / Threat Intelligence
Aisuru botnet domains overtook Amazon, Apple, Google, and Microsoft in Cloudflare's public ranking of the most frequently requested websites after the botnet's operators switched hundreds of thousands of infected IoT devices from Google's 8.8.8.8 DNS resolver to Cloudflare's 1.1.1.1 resolver. The distributed denial-of-service platform, built from compromised routers and security cameras, has demonstrated attack capacity nearing 30 terabits per second. Cloudflare CEO Matthew Prince confirmed that Aisuru's operators are using the botnet both to boost the ranking of their own domains and to attack the company's DNS service at the same time.
What's nasty: the surge in automated DNS queries pushed Aisuru command-and-control domains into Cloudflare Radar's top-ranked websites list, at times placing them above the world's largest tech companies. That polluted data feeds into downstream ecosystems such as the Tranco ranking and the safe-browsing and allowlist data used by browsers, resolvers, and security products. Researchers at Infoblox and Epi warn that because rankings like Cloudflare Radar inform trust systems, botnet-generated noise can inadvertently promote malicious domains into "trusted" sets, indirectly weakening defenses for organizations that rely on popularity-based allowlists.
Most Aisuru control servers are registered in the .su top-level domain, assigned to the Soviet Union and created just 15 months before the Soviet Union itself was dissolved. According to Cloudflare Radar, nearly 52 percent of DNS queries for the top Aisuru domains originated from the United States, with most of the botnet's firepower coming from IoT devices on U.S. Internet providers such as AT&T, Comcast, and Verizon. The botnet relies on well over a hundred control servers. The ranking manipulation works because the algorithms involved are simplistic: they treat raw query volume as a proxy for popularity, so a few hundred thousand devices querying the same names in lockstep look like organic demand.
CORTEX Protocol Intelligence Assessment
Business Impact: Aisuru shows that large-scale IoT compromise can distort widely used domain reputation feeds, indirectly weakening the defenses of organizations that trust popularity-based allowlists. At the same time, its 30 Tbps-class DDoS capability poses a direct availability threat to online services, SaaS platforms, and critical infrastructure.
Technical Context: The botnet's operators repointed infected devices to Cloudflare's 1.1.1.1 DNS resolver and flooded their C2 domains with queries, exploiting simplistic ranking algorithms that equate volume with popularity. The manipulation highlights gaps in how security and trust systems distinguish organic user behavior from automated malicious traffic at internet scale.
Strategic Intelligence Guidance
- Re-evaluate dependence on raw domain popularity lists for security decisions, ensuring that allowlists incorporate malware classification, hosting reputation, and behavioral analysis in addition to DNS volume.
- Collaborate with ISPs and device vendors to detect and remediate compromised IoT routers and cameras, using telemetry from DDoS scrubbing centers and DNS services to identify hotspots.
- Integrate volumetric and protocol-level DDoS protections in front of critical services, accounting for the potential scale of attacks launched by botnets like Aisuru.
- Track and block known Aisuru IoT botnet command-and-control domains and related infrastructure at DNS and network layers, updating indicators as new controller hosts appear.
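The following script is an added example, not code from this alert, from Cloudflare, or from Tranco. It makes concrete the point raised in the Technical Context above and in the first and last guidance items: a ranking that counts nothing but DNS query volume puts a beaconing C2 domain at the top, while a small set of extra checks (distinct querying clients, queries per client, and a curated deny list) keeps that domain out of an allowlist. The resolver log, the three domain names, and the deny list are all constructed for the example; none of them are real Aisuru indicators.

```python
"""Why raw DNS query volume is a poor trust signal.

Added example; not code from the page, Cloudflare, or Tranco. Builds a
constructed resolver log in which a hypothetical C2 domain is the most
queried name, shows that a volume-only ranking places it first, and then
applies client-diversity, per-client-rate and deny-list checks before
anything is admitted to an allowlist.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Hypothetical domains used only in this example (not real indicators).
C2_DOMAIN = "c2-example.su"
NEWS_DOMAIN = "news-example.com"
CDN_DOMAIN = "cdn-example.net"

# Constructed deny list standing in for a curated C2 indicator feed.
DENY_LIST = frozenset({C2_DOMAIN})


def constructed_log() -> List[str]:
    """Synthesise resolver log lines of the form '<ts> <client_ip> <qname>'.

    - NEWS_DOMAIN: 300 distinct clients, 1 or 2 queries each (organic use).
    - CDN_DOMAIN:  300 distinct clients, 10 queries each (short-TTL asset host).
    - C2_DOMAIN:   40 infected devices, 100 queries each (beaconing bots).
    """
    lines: List[str] = []
    ts = "2025-11-06T00:00:00"  # constant timestamp; timing is not analysed here
    for i in range(300):
        client = f"10.0.{i // 256}.{i % 256}"
        lines.extend(f"{ts} {client} {NEWS_DOMAIN}." for _ in range(1 + i % 2))
        lines.extend(f"{ts} {client} {CDN_DOMAIN}." for _ in range(10))
    for i in range(40):
        bot = f"192.0.2.{i}"
        lines.extend(f"{ts} {bot} {C2_DOMAIN}." for _ in range(100))
    return lines


def parse_line(line: str) -> Tuple[str, str, str]:
    """Split one log line; normalise the qname (strip trailing dot, lowercase)."""
    ts, client, qname = line.split()
    return ts, client, qname.rstrip(".").lower()


def aggregate(lines: Iterable[str]) -> Dict[str, Counter]:
    """Return domain -> Counter(client_ip -> number of queries)."""
    per_domain: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        _, client, qname = parse_line(line)
        per_domain[qname][client] += 1
    return per_domain


def rank_by_volume(per_domain: Dict[str, Counter]) -> List[Tuple[str, int]]:
    """The naive ranking the alert describes: total queries and nothing else."""
    totals = {d: sum(c.values()) for d, c in per_domain.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def domain_stats(per_domain: Dict[str, Counter]) -> Dict[str, dict]:
    """Per-domain behavioural features that volume alone hides."""
    stats: Dict[str, dict] = {}
    for domain, clients in per_domain.items():
        total = sum(clients.values())
        n_clients = len(clients)
        stats[domain] = {
            "total": total,
            "clients": n_clients,
            "qpc": total / n_clients,                  # queries per distinct client
            "top_share": max(clients.values()) / total,  # share from the busiest client
        }
    return stats


def build_allowlist(per_domain: Dict[str, Counter], min_clients: int = 100,
                    max_qpc: float = 20.0, deny=DENY_LIST) -> List[str]:
    """Admit a domain, in volume order, only if its queries come from many
    distinct clients at a plausible per-client rate and it is not deny-listed."""
    stats = domain_stats(per_domain)
    admitted: List[str] = []
    for domain, _total in rank_by_volume(per_domain):
        s = stats[domain]
        if domain in deny:
            continue
        if s["clients"] < min_clients or s["qpc"] > max_qpc:
            continue
        admitted.append(domain)
    return admitted


if __name__ == "__main__":
    per = aggregate(constructed_log())
    print("volume-only ranking:", rank_by_volume(per))
    for name, s in domain_stats(per).items():
        print(name, s)
    print("allowlist:", build_allowlist(per))
    # The C2 domain is rejected even with an empty deny list, on behaviour alone.
    print("allowlist, no deny list:", build_allowlist(per, deny=frozenset()))
```

The thresholds (100 distinct clients, 20 queries per client) are illustrative; a real deployment would tune them against its own resolver telemetry and add hosting reputation and malware classification as the first guidance item asks. The second `build_allowlist` call shows that the behavioural checks alone reject the beaconing domain, so the deny list is defence in depth rather than the only control.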
Data Volume: Hundreds of thousands of compromised IoT devices
Intelligence Source: Aisuru IoT Botnet - Cloudflare DNS Rankings Manipulated | Nov 6, 2025