Authorities on Thursday disrupted a botnet, a malware framework and seized infrastructure that Evil Corp and other cybercrime groups used to steal data and break into various networks.

The globally coordinated effort targeted SocGholish, multi-stage malware that has compromised websites, redirected users to traffic distribution systems (TDS) and slipped malware into their networks since 2017.

“The malware establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage,” the FBI’s cyber division said in a statement. 

Cybersecurity firms, researchers and officials from the United States, Canada, Germany, the Netherlands and Europol took down 106 servers and remediated nearly 15,000 sites that were infected with the malware. Officials also disabled the botnet and notified victims.

Sites infected with SocGholish, which are primarily hosted on WordPress, were widespread and provided everyday services including restaurants and auto repair shops, according to the Dutch National Police. 

The botnet, also known as “FakeUpdates,” is linked to the Russian cybercrime group Evil Corp. It also provided initial access to other ransomware variants, including DoppelPaymer, WastedLoocker, Hades Ransomware, LockBit, RansomHub and others, according to Infoblox, which participated in the takedown. 

Proofpoint, which also participated in the disruption, described Evil Corp as one of the most prominent cybercrime groups in operation and the “grandfather” of a threat type that compromises websites and uses TDS to redirect users to malware.

Following the takedown, the FBI issued a public service announcement warning about cybercriminals using TDS to break into victim networks for ransomware or other financial scams. 

Cybercriminals redirect traffic from sites to bypass firewalls, obscure their activity, identify potential victims and send them to phishing pages to steal credentials, initiate financial scams, access networks, deliver other malware, and sell access to other cybercriminals, officials said.

The law enforcement action was part of Operation Endgame, a multinational effort targeting cybercrime since 2024, and more narrowly for the FBI part of Operation Riptide, an ongoing campaign targeting cybercriminals and the infrastructure and financial networks they use to commit fraud.

The post Authorities disrupt Evil Corp’s SocGholish botnet appeared first on CyberScoop.

Congress wants answers from the Cybersecurity and Infrastructure Security Agency about the reported public exposure of sensitive agency credential data on GitHub in an incident that the security researcher who discovered it called one of the worst leaks he’s ever seen.

Other security professionals also voiced concern Tuesday about the leak and the potential for abuse by any malicious parties who got a hold of the information.

Security firm GitGuardian said it discovered a public GitHub repository last week that exposed credentials for privileged AWS GovCloud accounts and internal CISA systems dating back to November. The repository, apparently maintained by a contractor, was named “Private-CISA.” 

Krebs on Security first reported the incident.

“My main fear … is that a state actor will get the data and might be able to do bad stuff,” GitGuardian security researcher Guillaume Valadon told CyberScoop that he thought to himself upon discovering the leak, after concluding it was real; he initially thought it looked fake.

State-based attackers who obtained the credentials “might be able to gain persistence,” Valadon said, “so for me it’s even worse than an attacker destroying everything, having someone in a governmental system — it’s really, really bad.”

A House Homeland Security Committee aide said the panel is seeking a staff-level briefing from CISA on the matter.

Mississippi Rep. Bennie Thompson, the top Democrat on the Homeland Security Committee, and Delia Ramirez, the top Democrat on the panel’s cyber subcommittee, had separately demanded a briefing Tuesday in a letter to CISA’s acting director, Nick Andersen. 

They said they wanted to learn “how this serious security lapse occurred, any potential security consequences, remediation activities, corrective actions related to the contractor personnel involved, and efforts to monitor for and prevent similar activity from occurring in the future.”

Sen. Maggie Hassan, D-N.H., also sent a letter Tuesday to Andersen, seeking a classified briefing to answer questions about which systems were exposed, what forensic work CISA did to evaluate potential damage and what corrective action it has taken.

“This reported incident raises serious questions about how such a security lapse could occur at the very agency charged with helping to prevent cyber breaches,” Hassan wrote in the missive first reported by Axios, particularly “regarding CISA’s internal policies and procedures at a time of significant cybersecurity threats against U.S. critical infrastructure.”

Both letters pointed to personnel and budget cutbacks at the agency as a potential contributor to the incident.

CISA said it was looking into what happened.

“The Cybersecurity and Infrastructure Security Agency is aware of the reported exposure and is continuing to investigate the situation,” a spokesperson said. “Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences.” 

The repository was reportedly maintained by a contractor at Nightwing. A Nightwing spokesperson referred questions to CISA.

The kind of exposure that happened for CISA “is an unfortunately painful, but common and repeated, if not relentless, way that we see organizations inadvertently leak very sensitive credentials to the wider web,” said Ben Harris, founder of WatchTowr, a company that helps organizations detect such exposures.

Harris told CyberScoop he didn’t want to speculate on what attackers who obtained the credentials might be able to do with it, but he said that it would be “terrifying” if the contractor was transferring information from work to home, as one researcher theorized.

Dave Mitchell, senior director of threat intelligence at Infoblox, told CyberScoop the incident showed the importance of teams having controls and audits in place across their repositories.

“Of all the things that keep me up at night, misconfigurations in GitHub are a recurring nightmare. It’s critical for so many organizations — all it takes is one accidental upload or misconfiguration and you’ve signed yourself up for a major incident,” he said in a written statement. “No need for a threat actor to use advanced techniques to compromise you if the keys are already sitting on the counter.”

Travis Rosiek, public sector chief technology officer at Rubrik, noted that the timing of the issue aligned with the government shutdown that only recently resolved for DHS. He said the incident showed the federal government needs to prioritize resilience.

“A persistent shortage of cybersecurity talent, combined with funding lapses, high workforce turnover, and an increasingly complex threat landscape, created the perfect storm for this scenario,” he said in a written statement to CyberScoop. “No organization is immune, and we must ensure that the federal government, which is responsible for helping protect the nation’s critical infrastructure and enhancing our cybersecurity posture, remains fully operational 24-7, 365 days a year.”

Without minimizing the severity of the incident, some researchers who have looked at the leak said there are mitigating circumstances that make elements of it defensible or, at least, understandable.

CISA acted very swiftly to remove the repository, Valadon said, once he alerted them to the leak.

And even if CISA has the right policies in place, human error still can make it difficult to entirely avoid incidents like this, Harris said.

“The reality is this happens every single day to different organizations, including cybersecurity companies,” he said, noting it would be different if it was a pattern. “This is not exclusive to CISA. I don’t really think it reflects well if we saw this every single day with CISA. … It’s not ideal that it’s even happened once, but the reality is that cybersecurity is people, process, technology.”

CISA has had other security incidents in the past, including recently. The former acting director of the agency endured criticism for uploading sensitive contract data to ChatGPT last year. In 2024 the agency notified Congress of a breach of a chemical plant security tool.

Updated 5/20/26: to include more information on a House Homeland Security Committee briefing request.

The post CISA credential leak raises alarms, and Capitol Hill demands answers appeared first on CyberScoop.

Authorities seized infrastructure powering four botnets that hijacked a combined three million devices and launched more than 300,000 DDoS attacks collectively, the Justice Department said Thursday.

The botnets — Aisuru, Kimwolf, JackSkid and Mossad — enabled operators to sell access to the infected devices for various cybercrimes. The aftermath spanned thousands of attacks, including some demanding extortion payments from victims, officials said.

The globally coordinated operation, aided by law enforcement actions targeting the botnets’ operators in Canada and Germany, disrupted the command-and-control infrastructure for all four botnets. Two of the botnets set records before the takedown, attracting widespread attention from security researchers and vendors.

The Kimwolf botnet, an Android variant of Aisuru, spread like wildfire after its operators figured out how to abuse residential-proxy networks for local control, according to Sythient. It eventually took over more than 2 million Android TV devices by January. In September, just as Kimwolf was forming, Cloudflare clocked the Aisuru botnet hitting a record-breaking 29.7 terabits-per-second DDoS attack that lasted 69 seconds.

Officials ultimately attributed roughly 200,000 DDoS attacks to Aisuru, 90,000 to JackSkid, 25,000 to Kimwolf and about 1,000 DDoS attack commands to the Mossad botnet. Yet, DDoS attacks from financially-motivated attackers are typically a distraction or misdirection.

“Oftentimes a DDoS attack is just advertising for the size of an operator’s botnet,” Zach Edwards, staff threat researcher at Infoblox, told CyberScoop. Botnet operators cash out by renting these controlled devices to cybercriminals for account abuse, password reset attacks, ad fraud schemes and residential proxy nodes, he added.

Devices infected by the four botnets include digital video recorders, web cameras, Wi-Fi routers and TV boxes. Hundreds of thousands of these devices are located in the United States, federal prosecutors said. 

Authorities did not name the people involved or formally announce any arrests. Yet, they describe the operation in nearly conclusive terms, claiming the action disrupted the botnets’ communications infrastructure — domains, virtual servers and other systems — to prevent further infection and limit or eliminate the botnets’ ability to launch future attacks.

“Cybercriminals infiltrate infrastructure beyond physical borders and Defense Criminal Investigative Service participates in international operations to help safeguard the Department’s global footprint,” Kenneth DeChellis, special agent in charge at the Defense Department’s DCIS cyber field office, said in a statement. Some of the DDoS attacks attributed to these botnets reached IP’s owned by the Department of Defense Information Network.

Botnets often compete for devices to infect and opportunities to scale. As Kimwolf spread and hit those objectives, it captured sweeping interest from researchers, authorities and vendors in a position to help stop it. 

Kimwolf was the largest DDoS botnet ever detected, according to Tom Scholl, vice president at Amazon Web Services, which assisted the operation. “The scale of this botnet is staggering,” he said in a LinkedIn post. 

“Kimwolf represented a fundamental shift in how botnets operate and scale,” Scholl added. “Unlike traditional botnets that scan the open internet for vulnerable devices, Kimwolf exploited a novel attack vector: residential proxy networks.”

Under this mechanism, any organization with vulnerable devices connected to the internet could unwittingly have those devices turned into a node for a botnet or a foothold for a targeted attack.

“This isn’t just some problem that your cousin has because he bought some cheap TV box that promised him free TV channels,” Edwards said. Infoblox previously said nearly 25% of customers had at least one endpoint device in a residential proxy service targeted by Kimwolf.

While it’s intellectually interesting whenever a botnet scales to extraordinary size, it’s also a “sad reminder that oftentimes security takes a back seat to convenience and cost,” Edwards said. 

“The botnets are growing because more and more people are buying weird internet-connected stuff,” he added. “Nothing in this world is free.”

The takedowns mark a continuation of a consistent, ongoing crackdown targeting large-scale botnets, cybercrime marketplaces, malware, infostealers and other cybercrime tools. Some of the malicious networks hampered or rendered nonoperational by disruptions and arrests during the past year include: DanaBot, Rapper Bot, Lumma Stealer, AVCheck and SocksEscort.

More than 20 companies and organizations assisted with the coordinated disruption, including law enforcement from the Netherlands and Europol. Efforts to stop botnets will continue as these malicious networks proliferate in new places and new ways. 

“We’re living in a device-compromise–DDOS-botnet-merry-go-round and while many of us wish something could slow it down, the challenges continue to grow,” Edwards said. “This is still a bad day for serious threat actors, and any day like that is something we should all celebrate.”

The post Justice Department disrupts botnet networks that hijacked 3 million devices appeared first on CyberScoop.

A new Internet-of-Things (IoT) botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks.

Kimwolf grew rapidly in the waning months of 2025 by tricking various “residential proxy” services into relaying malicious commands to devices on the local networks of those proxy endpoints. Residential proxies are sold as a way to anonymize and localize one’s Web traffic to a specific region, and the biggest of these services allow customers to route their Internet activity through devices in virtually any country or city around the globe.

The malware that turns one’s Internet connection into a proxy node is often quietly bundled with various mobile apps and games, and it typically forces the infected device to relay malicious and abusive traffic — including ad fraud, account takeover attempts, and mass content-scraping.

Kimwolf mainly targeted proxies from IPIDEA, a Chinese service that has millions of proxy endpoints for rent on any given week. The Kimwolf operators discovered they could forward malicious commands to the internal networks of IPIDEA proxy endpoints, and then programmatically scan for and infect other vulnerable devices on each endpoint’s local network.

Most of the systems compromised through Kimwolf’s local network scanning have been unofficial Android TV streaming boxes. These are typically Android Open Source Project devices — not Android TV OS devices or Play Protect certified Android devices — and they are generally marketed as a way to watch unlimited (read:pirated) video content from popular subscription streaming services for a one-time fee.

However, a great many of these TV boxes ship to consumers with residential proxy software pre-installed. What’s more, they have no real security or authentication built-in: If you can communicate directly with the TV box, you can also easily compromise it with malware.

While IPIDEA and other affected proxy providers recently have taken steps to block threats like Kimwolf from going upstream into their endpoints (reportedly with varying degrees of success), the Kimwolf malware remains on millions of infected devices.

Kimwolf’s close association with residential proxy networks and compromised Android TV boxes might suggest we’d find relatively few infections on corporate networks. However, the security firm Infoblox said a recent review of its customer traffic found nearly 25 percent of them made a query to a Kimwolf-related domain name since October 1, 2025, when the botnet first showed signs of life.

Infoblox found the affected customers are based all over the world and in a wide range of industry verticals, from education and healthcare to government and finance.

“To be clear, this suggests that nearly 25% of customers had at least one device that was an endpoint in a residential proxy service targeted by Kimwolf operators,” Infoblox explained. “Such a device, maybe a phone or a laptop, was essentially co-opted by the threat actor to probe the local network for vulnerable devices. A query means a scan was made, not that new devices were compromised. Lateral movement would fail if there were no vulnerable devices to be found or if the DNS resolution was blocked.”

Synthient, a startup that tracks proxy services and was the first to disclose on January 2 the unique methods Kimwolf uses to spread, found proxy endpoints from IPIDEA were present in alarming numbers at government and academic institutions worldwide. Synthient said it spied at least 33,000 affected Internet addresses at universities and colleges, and nearly 8,000 IPIDEA proxies within various U.S. and foreign government networks.

In a webinar on January 16, experts at the proxy tracking service Spur profiled Internet addresses associated with IPIDEA and 10 other proxy services that were thought to be vulnerable to Kimwolf’s tricks. Spur found residential proxies in nearly 300 government owned and operated networks, 318 utility companies, 166 healthcare companies or hospitals, and 141 companies in banking and finance.

“I looked at the 298 [government] owned and operated [networks], and so many of them were DoD [U.S. Department of Defense], which is kind of terrifying that DoD has IPIDEA and these other proxy services located inside of it,” Spur Co-Founder Riley Kilmer said. “I don’t know how these enterprises have these networks set up. It could be that [infected devices] are segregated on the network, that even if you had local access it doesn’t really mean much. However, it’s something to be aware of. If a device goes in, anything that device has access to the proxy would have access to.”

Kilmer said Kimwolf demonstrates how a single residential proxy infection can quickly lead to bigger problems for organizations that are harboring unsecured devices behind their firewalls, noting that proxy services present a potentially simple way for attackers to probe other devices on the local network of a targeted organization.

“If you know you have [proxy] infections that are located in a company, you can chose that [network] to come out of and then locally pivot,” Kilmer said. “If you have an idea of where to start or look, now you have a foothold in a company or an enterprise based on just that.”

This is the third story in our series on the Kimwolf botnet. Next week, we’ll shed light on the myriad China-based individuals and companies connected to the Badbox 2.0 botnet, the collective name given to a vast number of Android TV streaming box models that ship with no discernible security or authentication built-in, and with residential proxy malware pre-installed.

Further reading:

The Kimwolf Botnet is Stalking Your Local Network

Who Benefitted from the Aisuru and Kimwolf Botnets?

A Broken System Fueling Botnets (Synthient).

Direct navigation — the act of visiting a website by manually typing a domain name in a web browser — has never been riskier: A new study finds the vast majority of “parked” domains — mostly expired or dormant domain names, or common misspellings of popular websites — are now configured to redirect visitors to sites that foist scams and malware.

When Internet users try to visit expired domain names or accidentally navigate to a lookalike “typosquatting” domain, they are typically brought to a placeholder page at a domain parking company that tries to monetize the wayward traffic by displaying links to a number of third-party websites that have paid to have their links shown.

A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time — regardless of whether the visitor clicked on any links at the parked page.

But in a series of experiments over the past few months, researchers at the security firm Infoblox say they discovered the situation is now reversed, and that malicious content is by far the norm now for parked websites.

“In large scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware, as the ‘click’ was sold from the parking company to advertisers, who often resold that traffic to yet another party,” Infoblox researchers wrote in a paper published today.

Infoblox found parked websites are benign if the visitor arrives at the site using a virtual private network (VPN), or else via a non-residential Internet address. For example, Scotiabank.com customers who accidentally mistype the domain as scotaibank[.]com will see a normal parking page if they’re using a VPN, but will be redirected to a site that tries to foist scams, malware or other unwanted content if coming from a residential IP address. Again, this redirect happens just by visiting the misspelled domain with a mobile device or desktop computer that is using a residential IP address.

According to Infoblox, the person or entity that owns scotaibank[.]com has a portfolio of nearly 3,000 lookalike domains, including gmai[.]com, which demonstrably has been configured with its own mail server for accepting incoming email messages. Meaning, if you send an email to a Gmail user and accidentally omit the “l” from “gmail.com,” that missive doesn’t just disappear into the ether or produce a bounce reply: It goes straight to these scammers. The report notices this domain also has been leveraged in multiple recent business email compromise campaigns, using a lure indicating a failed payment with trojan malware attached.

Infoblox found this particular domain holder (betrayed by a common DNS server — torresdns[.]com) has set up typosquatting domains targeting dozens of top Internet destinations, including Craigslist, YouTube, Google, Wikipedia, Netflix, TripAdvisor, Yahoo, eBay, and Microsoft. A defanged list of these typosquatting domains is available here (the dots in the listed domains have been replaced with commas).

David Brunsdon, a threat researcher at Infoblox, said the parked pages send visitors through a chain of redirects, all while profiling the visitor’s system using IP geolocation, device fingerprinting, and cookies to determine where to redirect domain visitors.

“It was often a chain of redirects — one or two domains outside the parking company — before threat arrives,” Brunsdon said. “Each time in the handoff the device is profiled again and again, before being passed off to a malicious domain or else a decoy page like Amazon.com or Alibaba.com if they decide it’s not worth targeting.”

Brunsdon said domain parking services claim the search results they return on parked pages are designed to be relevant to their parked domains, but that almost none of this displayed content was related to the lookalike domain names they tested.

Infoblox said a different threat actor who owns domaincntrol[.]com — a domain that differs from GoDaddy’s name servers by a single character — has long taken advantage of typos in DNS configurations to drive users to malicious websites. In recent months, however, Infoblox discovered the malicious redirect only happens when the query for the misconfigured domain comes from a visitor who is using Cloudflare’s DNS resolvers (1.1.1.1), and that all other visitors will get a page that refuses to load.

The researchers found that even variations on well-known government domains are being targeted by malicious ad networks.

“When one of our researchers tried to report a crime to the FBI’s Internet Crime Complaint Center (IC3), they accidentally visited ic3[.]org instead of ic3[.]gov,” the report notes. “Their phone was quickly redirected to a false ‘Drive Subscription Expired’ page. They were lucky to receive a scam; based on what we’ve learnt, they could just as easily receive an information stealer or trojan malware.”

The Infoblox report emphasizes that the malicious activity they tracked is not attributed to any known party, noting that the domain parking or advertising platforms named in the study were not implicated in the malvertising they documented.

However, the report concludes that while the parking companies claim to only work with top advertisers, the traffic to these domains was frequently sold to affiliate networks, who often resold the traffic to the point where the final advertiser had no business relationship with the parking companies.

Infoblox also pointed out that recent policy changes by Google may have inadvertently increased the risk to users from direct search abuse. Brunsdon said Google Adsense previously defaulted to allowing their ads to be placed on parked pages, but that in early 2025 Google implemented a default setting that had their customers opt-out by default on presenting ads on parked domains — requiring the person running the ad to voluntarily go into their settings and turn on parking as a location.

For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare’s public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. The chief executive at Cloudflare says Aisuru’s overlords are using the botnet to boost their malicious domain rankings, while simultaneously attacking the company’s domain name system (DNS) service.

Aisuru is a rapidly growing botnet comprising hundreds of thousands of hacked Internet of Things (IoT) devices, such as poorly secured Internet routers and security cameras. The botnet has increased in size and firepower significantly since its debut in 2024, demonstrating the ability to launch record distributed denial-of-service (DDoS) attacks nearing 30 terabits of data per second.

Until recently, Aisuru’s malicious code instructed all infected systems to use DNS servers from Google — specifically, the servers at 8.8.8.8. But in early October, Aisuru switched to invoking Cloudflare’s main DNS server — 1.1.1.1 — and over the past week domains used by Aisuru to control infected systems started populating Cloudflare’s top domain rankings.

As screenshots of Aisuru domains claiming two of the Top 10 positions ping-ponged across social media, many feared this was yet another sign that an already untamable botnet was running completely amok. One Aisuru botnet domain that sat prominently for days at #1 on the list was someone’s street address in Massachusetts followed by “.com”. Other Aisuru domains mimicked those belonging to major cloud providers.

Cloudflare tried to address these security, brand confusion and privacy concerns by partially redacting the malicious domains, and adding a warning at the top of its rankings:

“Note that the top 100 domains and trending domains lists include domains with organic activity as well as domains with emerging malicious behavior.”

Cloudflare CEO Matthew Prince told KrebsOnSecurity the company’s domain ranking system is fairly simplistic, and that it merely measures the volume of DNS queries to 1.1.1.1.

“The attacker is just generating a ton of requests, maybe to influence the ranking but also to attack our DNS service,” Prince said, adding that Cloudflare has heard reports of other large public DNS services seeing similar uptick in attacks. “We’re fixing the ranking to make it smarter. And, in the meantime, redacting any sites we classify as malware.”

Renee Burton, vice president of threat intel at the DNS security firm Infoblox, said many people erroneously assumed that the skewed Cloudflare domain rankings meant there were more bot-infected devices than there were regular devices querying sites like Google and Apple and Microsoft.

“Cloudflare’s documentation is clear — they know that when it comes to ranking domains you have to make choices on how to normalize things,” Burton wrote on LinkedIn. “There are many aspects that are simply out of your control. Why is it hard? Because reasons. TTL values, caching, prefetching, architecture, load balancing. Things that have shared control between the domain owner and everything in between.”

Alex Greenland is CEO of the anti-phishing and security firm Epi. Greenland said he understands the technical reason why Aisuru botnet domains are showing up in Cloudflare’s rankings (those rankings are based on DNS query volume, not actual web visits). But he said they’re still not meant to be there.

“It’s a failure on Cloudflare’s part, and reveals a compromise of the trust and integrity of their rankings,” he said.

Greenland said Cloudflare planned for its Domain Rankings to list the most popular domains as used by human users, and it was never meant to be a raw calculation of query frequency or traffic volume going through their 1.1.1.1 DNS resolver.

“They spelled out how their popularity algorithm is designed to reflect real human use and exclude automated traffic (they said they’re good at this),” Greenland wrote on LinkedIn. “So something has evidently gone wrong internally. We should have two rankings: one representing trust and real human use, and another derived from raw DNS volume.”

Why might it be a good idea to wholly separate malicious domains from the list? Greenland notes that Cloudflare Domain Rankings see widespread use for trust and safety determination, by browsers, DNS resolvers, safe browsing APIs and things like TRANCO.

“TRANCO is a respected open source list of the top million domains, and Cloudflare Radar is one of their five data providers,” he continued. “So there can be serious knock-on effects when a malicious domain features in Cloudflare’s top 10/100/1000/million. To many people and systems, the top 10 and 100 are naively considered safe and trusted, even though algorithmically-defined top-N lists will always be somewhat crude.”

Over this past week, Cloudflare started redacting portions of the malicious Aisuru domains from its Top Domains list, leaving only their domain suffix visible. Sometime in the past 24 hours, Cloudflare appears to have begun hiding the malicious Aisuru domains entirely from the web version of that list. However, downloading a spreadsheet of the current Top 200 domains from Cloudflare Radar shows an Aisuru domain still at the very top.

According to Cloudflare’s website, the majority of DNS queries to the top Aisuru domains — nearly 52 percent — originated from the United States. This tracks with my reporting from early October, which found Aisuru was drawing most of its firepower from IoT devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon.

Experts tracking Aisuru say the botnet relies on well more than a hundred control servers, and that for the moment at least most of those domains are registered in the .su top-level domain (TLD). Dot-su is the TLD assigned to the former Soviet Union (.su’s Wikipedia page says the TLD was created just 15 months before the fall of the Berlin wall).

A Cloudflare blog post from October 27 found that .su had the highest “DNS magnitude” of any TLD, referring to a metric estimating the popularity of a TLD based on the number of unique networks querying Cloudflare’s 1.1.1.1 resolver. The report concluded that the top .su hostnames were associated with a popular online world-building game, and that more than half of the queries for that TLD came from the United States, Brazil and Germany [it’s worth noting that servers for the world-building game Minecraft were some of Aisuru’s most frequent targets].

A simple and crude way to detect Aisuru bot activity on a network may be to set an alert on any systems attempting to contact domains ending in .su. This TLD is frequently abused for cybercrime and by cybercrime forums and services, and blocking access to it entirely is unlikely to raise any legitimate complaints.