Cloudflare Scrubs Aisuru Botnet from Top Domains List
7 comments
November 8, 2025
bradly
> We should have two rankings: one representing trust and real human use, and another derived from raw DNS volume.
Isn't identifying real humans an unsolved problem? I'm not sure efforts to hide the truth that these domains are actually the most requested domains do anyone any favors. Is there something using these rankings as an authoritative list, or are they just vanity metrics similar to the Alexa Top Site rankings of yore? If they are authoritative, then Cloudflare defining "trusted" is going to be problematic, as I would expect them to hide that logic to avoid gaming.
iamkonstantin
> Isn't identifying real humans an unsolved problem?
I'm not sure this was ever a problem to begin with. The obsession with "confirm you are human" has created a lot of "bureaucracy" on a technical level without actually protecting websites from unauthorised use. Why not actually bite the bullet and allow automations to interact with web resources instead of bothering humans to solve puzzles 10 times per day?
> Cloudflare defining "trusted"
They would love to monetise the opportunity, no doubt
nickff
> "Why not actually bite the bullet and allow automations to interact with web resources instead of bothering humans to solve puzzles 10 times per day?"
This is a great idea if you've developed your 'full-stack', but if you're interfacing with others, it often doesn't work well. For example, if you use an external payment processor, and allow bots to constantly test stolen credit card data, you will eventually get booted from the service.
chrismorgan
> Aisuru switched to invoking Cloudflare’s main DNS server — 1.1.1.1
I don’t suppose they use DNS to find their command-and-control servers? It’d be funny if Cloudflare could steal the botnet that way. (For the public good. I know that actually doing such a thing would raise serious concerns. Never know, maybe there would be a revival of interest in DNSSEC.) I remember reading a case within the last few years of finding expired domains in some malware’s list of C2 servers, and registering them in order to administer disinfectant. Sadly, IoT nonsense probably can’t be properly fixed, so they could probably reinfect it even if you disinfected it.
Vespasian
I wonder whether by now the botnets have moved on to authenticating C2 servers and using fallback methods if the malware discovers an endpoint to be "compromised".
blibble
given the anti-user behaviour of modern Windows, shouldn't microsoft.com be down as malware too?
after yesterday's reveal[1]: facebook should certainly be down as "scams"
If an automated service is pulling the top 100 domains from CF and naively trusting them, why can't it also pull the categorization information that's right there and make sure none of the categories are "Malware"??? Who would write something like that? It's absolutely believable that the top 100 domains could contain malware domains...because of the nature of botnets and malware.
That's PEBCAK.
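As an added example (not code from the thread, from Cloudflare, or from any real feed), here is how a consumer of such a list could keep the two rankings the first comment proposes, raw DNS volume and trusted, and refuse to allowlist anything carrying a malware category, as the last comment suggests. The feed layout, the domain names, the query counts and every category label other than "Malware" are constructed assumptions.

```python
import json

# Categories that disqualify a domain from the "trusted" ranking.
# "Malware" is the label discussed in the thread; the other two are
# assumed, hypothetical labels a categorization feed might carry.
DENY_CATEGORIES = frozenset({"Malware", "Command and Control", "Scams"})

# Constructed sample feed (not the real Cloudflare Radar schema): each entry
# carries its raw DNS query count plus the categories attached to it.
SAMPLE_FEED = json.dumps([
    {"domain": "google.com", "queries": 9800, "categories": ["Search Engines"]},
    {"domain": "c2-example.invalid", "queries": 9100, "categories": ["Malware"]},
    {"domain": "microsoft.com", "queries": 8700, "categories": ["Technology"]},
    {"domain": "uncategorized.example", "queries": 8200, "categories": []},
    {"domain": "facebook.com", "queries": 8000, "categories": ["Social Networks"]},
])


def raw_volume_ranking(feed_json):
    """Ranking by raw DNS volume only: what the resolver actually saw."""
    entries = json.loads(feed_json)
    return [e["domain"] for e in sorted(entries, key=lambda e: -e["queries"])]


def trusted_ranking(feed_json, deny=DENY_CATEGORIES, require_category=True):
    """Ranking a consumer may treat as an allowlist.

    Drops every entry carrying a denied category. With require_category=True,
    entries with no categorization at all are dropped too, since "not yet
    labelled" is not the same as "known good". Returns (trusted, rejected),
    where rejected maps each dropped domain to the reason it was dropped.
    """
    trusted, rejected = [], {}
    for e in sorted(json.loads(feed_json), key=lambda e: -e["queries"]):
        cats = set(e.get("categories", []))
        hit = cats & deny
        if hit:
            rejected[e["domain"]] = sorted(hit)
        elif require_category and not cats:
            rejected[e["domain"]] = ["uncategorized"]
        else:
            trusted.append(e["domain"])
    return trusted, rejected


if __name__ == "__main__":
    print("raw volume:", raw_volume_ranking(SAMPLE_FEED))
    trusted, rejected = trusted_ranking(SAMPLE_FEED)
    print("trusted:", trusted)
    print("rejected:", rejected)
```

The rejected map is what a consumer should log: a high-volume domain that was dropped for "Malware" is exactly the signal the thread says naive list consumers were missing.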