Cyber Pulse Academy

  TA0042, Resource Development

T1583.001, Acquire Infrastructure: Domains

Adversaries may acquire domains that can be used during targeting. Domain names are the human-readable names used to represent one or more IP addresses, and they can be purchased or acquired for free to serve as infrastructure for command-and-control, phishing, malware hosting, and other malicious operations.

MITRE ATT&CK • Enterprise • Sub-technique T1583.001

Key figures (as cited on this page): 11,894 malicious domains registered between December 2024 and June 2025; share of registrations found malicious, by TLD: .cc 91%, .ru 82%, .us 74%.

Simulation, Domain Acquisition & Abuse

Domain registration monitor (simulated dashboard)

Typosquatting detection
  bankofamerica.com    LEGITIMATE
  bankofameriica.com   TYPOSQUAT (doubled "i")
  linkedin.com         LEGITIMATE
  linked-in.com        LOOKALIKE (inserted hyphen)

WHOIS lookup, privacy enabled
  Domain:     bankofameriica.com
  Registrar:  REDACTED
  Registrant: PRIVACY PROTECT
  Email:      ********@proxy.net
  Created:    2025-01-15T08:22:41Z
  NS:         ns1.malware-dns.cc
Expired domain repurposing (simulated timeline)
  2019-03-12  techstartup-ai.com registered by a legitimate startup
  2024-08-01  Domain expires after the company is dissolved
  2024-08-15  Domain dropped from the registry and available for re-registration (in practice the gap is longer: a .com name passes through a 30-day redemption grace period and a 5-day pending-delete state before it drops, and drop-catching services queue up for it)
  2024-08-16  Re-registered by a threat actor; the name's existing backlinks and sender reputation help its mail and links get past reputation-based filters
DGA-generated domains (simulated algorithmic output)
  xkrqmw7f.cc  btdvn3p.xyz  jqwpoe82.ru  lzmnvck9.top  asfmxj4k.info  qwepoiru7.net
  znxbcvl3m.cc  pytqwer88.xyz  mnbvcxz12.ru  lkjhgfds6.top  poiuytrew5.cc  asdfghjkl9.xyz
Top fraudulent TLDs by malicious rate (2025)
  .cc  91%
  .ru  82%
  .us  74%
  .co  72%
  .de  65%

Why It Matters

Massive Scale of Domain Abuse

11,894 domains registered between December 2024 and June 2025 were observed communicating with malware infrastructure. Each one is a potential entry point for phishing, C2, or payload delivery.

11,894+ domains in 6 months

Certain TLDs Are Overwhelmingly Malicious

The .cc top-level domain has a staggering 91% malicious domain rate. The .ru TLD follows at 82%, meaning the vast majority of registrations on these extensions are used for fraud, malware, or phishing campaigns.

.cc: 91% | .ru: 82% malicious

Targeted Impersonation of Institutions

APT groups have registered domains imitating NATO, OSCE, major banks, venture capital firms, and enterprise platforms like LinkedIn, Office 365, and Facebook to deliver targeted attacks against employees and officials.

NATO, banks, LinkedIn impersonated

Expired Domains Exploit Established Trust

When legitimate companies let domains expire, adversaries re-register them to inherit existing backlinks, email sender reputation, and security allowlisting. This makes previously trusted domains vectors for malware delivery.

Re-registered C2 domains bypass filters

WHOIS Privacy Obscures Attribution

Private WHOIS registration is now the default at many registrars, and since ICANN's 2018 Temporary Specification (its response to GDPR) most gTLD registrars redact registrant contact data from public WHOIS and RDAP anyway. Identifying who registered a malicious domain therefore usually requires a disclosure request or legal process directed at the registrar, which slows incident response, threat intelligence, and law enforcement investigations.

WHOIS privacy blocks attribution

API-Driven DNS (e.g. AWS Route 53) Enables Infrastructure at Scale

Cloud DNS services such as AWS Route 53 expose domain registration and record management through APIs, so an adversary can script the provisioning of hundreds of domains, rotate low-TTL A records for fast-flux style resilience, and tear infrastructure down the moment a domain is flagged. The automation that makes legitimate operations scalable makes malicious ones cheap to rebuild.

Cloud infrastructure accelerates abuse

Key Terms & Concepts

Everyday Analogy
“Like buying a fake storefront sign that looks identical to a real store, tricking customers into walking into the wrong shop. The fake sign (domain) looks legitimate, the location (TLD) seems trustworthy, and the interior (website) is carefully crafted to look just like the real thing, but once inside, your wallet (credentials, data, access) is stolen.”

Definition: Acquiring domains for malicious use refers to the practice of purchasing or registering internet domain names that adversaries then weaponize for command-and-control (C2) communications, phishing campaigns, malware distribution, or social engineering operations. This is a foundational step in the Resource Development (TA0042) tactic of the MITRE ATT&CK framework.

Typosquatting
Registering domains with common misspellings of legitimate domains (e.g., “gogle.com” instead of “google.com”). Users who mistype URLs are directed to attacker-controlled sites. Also called URL hijacking or brandjacking.
Homoglyphs
Using visually similar characters from different scripts (e.g., Cyrillic “а” U+0430 vs Latin “a” U+0061) to create domains that appear identical to legitimate ones at a glance. These internationalized domain names (IDNs) exploit human visual perception rather than any flaw in DNS: on the wire the label is its ASCII punycode form (xn--...), and current browsers fall back to displaying that form for mixed-script labels, so the trick works best in email clients, chat, and documents, or when every character of the label comes from a single script.
DGA (Domain Generation Algorithm)
An algorithm that deterministically generates hundreds or thousands of domain names from a seed such as the current date, a word list, or a hash. The malware and its operator run the same algorithm, so the operator registers only a handful of the day's candidates while the implant queries them in turn. Static blocklists lag behind because the names did not exist yesterday; defenders must either reverse the algorithm (to pre-register or sinkhole its output) or detect the lookup pattern itself.
Expired Domains
Legitimate domains whose registrations have lapsed and been dropped. Adversaries monitor for expiring domains with existing inbound links, email sender reputation, or security allowlisting to repurpose them for malicious operations.
WHOIS Privacy
Services that replace registrant contact information in WHOIS/RDAP records with proxy data, hiding the true domain owner. They are legitimate for personal privacy, but adversaries rely on them (and on the post-2018 default redaction of registrant data) so that attribution requires a disclosure request to the registrar rather than a public lookup.
TLD (Top-Level Domain)
The last segment of a domain name (e.g., .com, .org, .cc, .ru). Certain ccTLDs (country-code TLDs) like .cc, .ru, and .us have disproportionately high rates of malicious registrations due to low cost and lax enforcement.

Homoglyph Character Examples

Latin character   Cyrillic lookalike   Example fake domain   Legitimate domain
a (U+0061)        а (U+0430)           pаypal.com            paypal.com
e (U+0065)        е (U+0435)           applе.com             apple.com
o (U+006F)        о (U+043E)           gооgle.com            google.com
p (U+0070)        р (U+0440)           рaypal.com            paypal.com
x (U+0078)        х (U+0445)           х.com                 x.com
c (U+0063)        с (U+0441)           сiti.com              citi.com
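As an added example (written for this page; it is not the page's own tooling), the Python below shows what a brand-monitoring check does with the table above: it reports which scripts a label mixes, folds confusable characters back to their Latin lookalikes (a small version of the skeleton() function from Unicode TS #39), and prints the punycode form that resolvers and certificates actually carry. The confusables map is a constructed subset of the Unicode confusables data, and the brand list and sample domains are assumptions.

```python
import unicodedata

# Constructed subset of Unicode confusables (Cyrillic -> Latin lookalike).
# Illustrative assumption only; the full data set is Unicode's confusables.txt.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0445": "x",
    "\u0441": "c", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}

# Assumed list of brands we want to protect.
BRANDS = ["paypal.com", "apple.com", "cisco.com", "google.com"]


def script_of(ch):
    """Approximate the script of a letter from its Unicode name, e.g.
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'; None for digits, dots, hyphens."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN UNKNOWN").split()[0]


def scripts_in_label(label):
    return {s for s in (script_of(c) for c in label) if s}


def skeleton(domain):
    """Replace confusable characters with their Latin lookalike so that two
    strings that *look* the same compare equal (a small UTS #39 skeleton())."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(c, c) for c in folded)


def to_punycode(domain):
    """The ASCII-compatible form a resolver sees (xn-- labels for IDN labels)."""
    return domain.encode("idna").decode("ascii")


def analyse(domain, brands=BRANDS):
    """Classify one domain: does any label mix scripts, and does the skeleton
    collide with a protected brand while the raw string differs from it?"""
    labels = domain.lower().split(".")
    sk = skeleton(domain)
    return {
        "domain": domain,
        "punycode": to_punycode(domain),
        "mixed_script": any(len(scripts_in_label(l)) > 1 for l in labels),
        "skeleton": sk,
        "impersonates": [b for b in brands if sk == b and domain.lower() != b],
    }


if __name__ == "__main__":
    # Constructed inputs: 'paypal.com' with a Cyrillic a (row 1 of the table
    # above) and an all-Cyrillic 'cisco.com', which no mixed-script rule catches
    # but the skeleton comparison does.
    for d in ["paypal.com", "p\u0430ypal.com", "\u0441\u0456\u0455\u0441\u043e.com"]:
        print(analyse(d))
```

The script-from-name trick is coarse (it keys on the first word of the Unicode character name) and the confusables map is tiny; production code should use the full confusables data and an IDNA 2008 library. The point it demonstrates is that a mixed-script check alone misses whole-script lookalikes, while a skeleton comparison against the brand list catches both.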

Real-World Scenario

Dmitri Volkov is a financially motivated threat actor operating from Eastern Europe. His objective: establish a phishing infrastructure capable of harvesting online banking credentials at scale. Dmitri begins by conducting open-source reconnaissance on major US financial institutions, noting their branding, email templates, and customer-facing domain structures.

Dmitri registers bankofameriica.com (note the doubled “i”) through a privacy-protected registrar, paying with cryptocurrency. He also watches domain drop feeds and picks up secure-trust-finance.net, a name that belonged to a defunct financial services firm until it dropped three weeks ago. Because the domain previously carried TLS certificates, inbound links, and a clean sending history, it retains residual reputation that helps Dmitri's phishing email get past spam filters.

Dmitri configures DNS through a bulletproof hosting provider, adding MX records for email and A records pointing to a compromised server in a jurisdiction unlikely to honour takedown requests. He deploys a pixel-perfect clone of the bank's login page behind a valid domain-validated certificate; no “lax” CA is required, since any public CA will issue a DV certificate to whoever controls the domain's DNS. Within the first 72 hours of the campaign he harvests over 2,400 credentials from victims who received spear-phishing emails that appeared, at a glance, to come from the bank.

Before, No Foothold

  • No infrastructure for credential theft
  • No domains registered under operational cover
  • No email capability for phishing delivery
  • No reputation or trust to exploit

After, Active Phishing Operation

  • 1 typosquatted domain mimicking a major bank
  • 1 expired domain with inherited sender reputation
  • Pixel-perfect phishing pages with valid SSL
  • 2,400+ credentials harvested in 72 hours
  • WHOIS privacy concealing all registrant data

Step-by-Step Guide, Domain Acquisition Lifecycle

Step 1. Identify Target Domains

Research the target organization's domain portfolio, subdomains, and brand assets. Map out potential typosquatting variations and homoglyph substitutions.

  • Enumerate all official domains and subdomains using passive DNS tools (see T1590.001 Domain Properties)
  • Generate typosquatting permutations (character omission, insertion, substitution, transposition)
  • Identify homoglyph opportunities using IDN character mapping tables
Step 2. Select Registration Strategy

Choose between typosquatting, expired domain acquisition, DGA-generated domains, or lookalike domains with alternative TLDs based on operational requirements and target environment.

  • Evaluate TLD costs and registration requirements (see T1583.002 DNS Server for the name-server side of the infrastructure)
  • Assess expired domain reputation and remaining backlink profile
  • Select registrars with lax KYC requirements and privacy protection
Step 3. Register Domains Anonymously

Complete domain registration using privacy services, cryptocurrency payments, and operational aliases to prevent attribution. Use multiple registrars to distribute the registration footprint.

  • Enable WHOIS privacy/redaction services at registration time
  • Pay with cryptocurrency to avoid financial trail linkage
  • Use different registrars for different operational domains to complicate correlation analysis
Step 4. Configure DNS Records

Set up DNS records to point domains at attacker-controlled infrastructure: A records for hosts, MX records for mail, NS records if running their own name servers, and TXT records (SPF, DKIM) so that phishing mail passes sender authentication checks. Fast-flux (low-TTL, frequently rotated A records) adds resilience; DNS can also be misused as a covert C2 channel, which is a separate concern from resilience.

  • Point A records to proxy or compromised hosting infrastructure
  • Configure MX records if email-based phishing is part of the operation
  • Use cloud DNS services like AWS Route 53 for scalability and automation
Step 5. Deploy Malicious Content

Host phishing pages, malware payloads, or C2 endpoints on the registered domains. Obtain SSL/TLS certificates to enable HTTPS and increase perceived legitimacy.

  • Deploy cloned login portals with SSL/TLS certificates (see T1596.003 Digital Certificates)
  • Configure web servers to mirror legitimate site appearance and behavior
  • Implement credential harvesting and exfiltration mechanisms
Step 6. Rotate Domains Periodically

When domains are flagged or blocklisted, rotate to pre-registered backup domains. Maintain a pipeline of fresh domains to ensure operational continuity.

  • Pre-register batches of domains before campaigns launch to ensure immediate availability
  • Monitor blocklist feeds to detect when operational domains are flagged
  • Implement DGA-based domain generation for automated rotation without manual intervention

Common Mistakes & Best Practices

Common Mistakes

Registering only a single domain per campaign, creating a single point of failure that ends operations when that domain is blocklisted or seized.
Using the same registrar and billing information across multiple malicious domains, enabling investigators to correlate seemingly unrelated operations.
Skipping WHOIS privacy protection, exposing registrant name, email, address, and phone number to open-source intelligence gathering.
Choosing typosquatting domains that are too dissimilar from the target, reducing the likelihood that victims will actually visit the malicious site.
Neglecting to obtain SSL certificates for phishing domains, causing browser security warnings that alert victims before credentials are entered.

Best Practices

From the adversary's side (the tradecraft defenders should expect):
Pre-register a pool of 10–50 domains before launching campaigns, ensuring rapid rotation capability when any single domain is detected or blocked.
Distribute registrations across multiple registrars, payment methods, and privacy services to prevent correlation and complicate attribution efforts.

From the defender's side:
Monitor your own organization's domain portfolio for newly registered typosquatting and homoglyph variants, and register defensive variants proactively.
Subscribe to domain monitoring services and certificate transparency log alerts to detect unauthorized certificates issued for your brand domains.
Implement DNS-based filtering and reputation scoring to block connections to newly registered, low-reputation, or high-risk TLD domains at the network perimeter.

Red Team vs Blue Team View

Red Team Perspective

How attackers acquire and weaponize domains

  • Domain Selection: Prioritize domains that closely resemble target brands, using character substitution, extra letters, or alternative TLDs that victims are unlikely to notice.
  • Privacy Services: Always enable WHOIS privacy at registration. Use registrars in privacy-friendly jurisdictions that do not cooperate with law enforcement requests.
  • DGA Implementation: Deploy domain generation algorithms seeded with dates or keywords to produce hundreds of potential C2 domains, only a few of which are actually activated on any given day.
  • Expired Domain Recon: Monitor domain drop lists daily using automated tools. Prioritize domains with high PageRank, existing SSL certificates, or inbound links from reputable sites.
  • Infrastructure Distribution: Use cloud providers like AWS Route53 for DNS management, leveraging API automation to rapidly provision and de-provision domains.

Blue Team Perspective

How defenders detect and neutralize domain threats

  • New Registration Monitoring: Deploy automated systems that alert on newly registered domains containing brand names, trademarks, or common typos of organizational domains.
  • Domain Reputation Services: Integrate threat intelligence feeds from providers like VirusTotal, Cisco Umbrella, and DomainTools to score and block suspicious domains in real time.
  • Typosquat Detection: Use tools like dnstwist and URLscan.io to proactively generate and monitor typosquatting variants of your organization's domains.
  • Certificate Transparency Logs: Monitor CT logs for unauthorized SSL certificates issued for your brand, which may indicate domain impersonation or infrastructure preparation.
  • DGA Detection: Deploy machine learning models and statistical analysis (e.g., entropy scoring, n-gram analysis) to identify algorithmically generated domain names in DNS query logs.

Threat Hunter's Eye

Proactive Domain Registration Monitoring

Set up automated alerts for newly registered domains matching your brand names, trademarks, executive names, or common typos. Services like DomainTools, RiskIQ (Microsoft), and brand monitoring platforms can provide real-time notifications. Respond within hours of detection to minimize the window of exploitation.

HIGH PRIORITY
domain.name contains "yourbrand" AND domain.age < 30 days

Certificate Transparency Log Analysis

Monitor CT logs for new SSL/TLS certificates issued for domains similar to your organization's. Adversaries must obtain certificates to serve HTTPS phishing pages, and CT logs provide an early indicator of domain impersonation campaigns before phishing emails are sent. Filtering on the issuer does not work: Let's Encrypt, ZeroSSL, and other public CAs issue domain-validated certificates to whoever controls a name, so the phishing certificate and your own often share an issuer. Match the subject alternative names against your brand and its typosquat permutations instead, then exclude the certificates you requested yourself.

HIGH PRIORITY
ct_log query: (certificate.san contains "yourcompany" OR certificate.san IN typosquat_permutations) AND certificate NOT IN own_certificate_inventory
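Added example, written for this page rather than taken from it (and not dnstwist's code): one Python script that covers Step 1 of the lifecycle above (generating omission, repetition, transposition, hyphenation, keyboard-neighbour and ASCII-homoglyph permutations of a brand), the new-registration hunt rule (brand match AND age under 30 days), and the CT-log rule, which here matches every SAN of a certificate against the same permutation set instead of filtering on issuer. The brand list, the organisation's own names, the registration feed, the CT entries, the keyboard-adjacency subset and the 30-day window are all constructed assumptions.

```python
from datetime import date

BRANDS = ["bankofamerica", "linkedin"]                       # assumed brands
OWN_NAMES = {"bankofamerica.com", "www.bankofamerica.com", "linkedin.com"}

# Constructed "newly registered domains" feed: (domain, registration date).
NEW_REGISTRATIONS = [
    ("bankofameriica.com", date(2025, 1, 15)),
    ("bank0famerica.com", date(2025, 1, 20)),
    ("bankofamerica-login.net", date(2025, 1, 22)),
    ("linked-in.com", date(2024, 6, 3)),      # too old for the 30-day window
    ("linkedln.com", date(2025, 1, 30)),
    ("techstartup-ai.com", date(2025, 1, 28)),
    ("example.org", date(2025, 1, 29)),
]
TODAY = date(2025, 2, 1)                        # assumed "now" for the feed

# Constructed CT log entries: issuer plus the certificate's SAN list.
CT_ENTRIES = [
    {"issuer": "Let's Encrypt", "sans": ["www.bankofamerica.com", "bankofamerica.com"]},
    {"issuer": "Let's Encrypt", "sans": ["bankofameriica.com", "www.bankofameriica.com"]},
    {"issuer": "DigiCert", "sans": ["secure-trust-finance.net"]},
]

# Constructed QWERTY adjacency subset and ASCII near-homoglyphs.
KEYBOARD = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
HOMOGLYPHS = {"m": ["rn"], "w": ["vv"], "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "d": ["cl"], "s": ["5"]}


def permutations(brand):
    """Typosquat candidates for a bare label (no TLD)."""
    out, n = set(), len(brand)
    for i, ch in enumerate(brand):
        out.add(brand[:i] + brand[i + 1:])                          # omission
        out.add(brand[:i] + ch + brand[i:])                         # repetition
        if i < n - 1:
            out.add(brand[:i] + brand[i + 1] + ch + brand[i + 2:])  # transposition
        if i > 0:
            out.add(brand[:i] + "-" + brand[i:])                    # hyphenation
        for r in KEYBOARD.get(ch, ""):
            out.add(brand[:i] + r + brand[i + 1:])                  # substitution
            out.add(brand[:i] + r + brand[i:])                      # insertion
        for r in HOMOGLYPHS.get(ch, []):
            out.add(brand[:i] + r + brand[i + 1:])                  # ASCII homoglyph
    out.discard(brand)
    return out


_PERMS = {b: permutations(b) for b in BRANDS}


def registrable_label(name):
    # Assumption: the registrable label is the second-level one. Production
    # code should consult the Public Suffix List so that brand.co.uk works.
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(name, brands=BRANDS):
    """Return (brand, 'exact' | 'typosquat' | 'lookalike') or None."""
    if name.lower() in OWN_NAMES:
        return None
    label = registrable_label(name)
    for brand in brands:
        if label == brand:
            return (brand, "exact")                  # our brand, another TLD
        if label in (_PERMS.get(brand) or permutations(brand)):
            return (brand, "typosquat")
        if brand in label:
            return (brand, "lookalike")              # brand inside a longer label
    return None


def triage_registrations(feed, today=TODAY, max_age_days=30):
    """Hunt rule: resembles a brand AND registered less than max_age_days ago."""
    hits = []
    for domain, created in feed:
        verdict, age = classify(domain), (today - created).days
        if verdict and age < max_age_days:
            hits.append((domain, verdict[0], verdict[1], age))
    return hits


def triage_ct(entries):
    """CT rule: any SAN that impersonates a brand and is not one of our names.
    The issuer is deliberately not used as a filter."""
    hits = []
    for entry in entries:
        for san in entry["sans"]:
            verdict = classify(san.lstrip("*."))
            if verdict:
                hits.append((san, entry["issuer"], verdict[1]))
    return hits


if __name__ == "__main__":
    for h in triage_registrations(NEW_REGISTRATIONS):
        print("NEWREG", h)
    for h in triage_ct(CT_ENTRIES):
        print("CT    ", h)
```

Both triage functions reuse one classifier, which is the practical point: whatever feed the names arrive in (zone-file diffs, registrar feeds, CT logs, passive DNS), the question is the same, "is this label my brand or one edit away from it, and did I register it?". The age filter trims the registration feed; the CT check keeps everything, because a certificate for a months-old lookalike is still news.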

Expired Domain Tracking

Monitor your organization's domain portfolio for expiring domains and auto-renew critical domains. Additionally, track domains of acquired companies, dissolved partners, and former subsidiaries that may be repurposed by adversaries seeking inherited trust.

MEDIUM PRIORITY
domain.portfolio.expiry < 30 days OR domain.former_partner.status = "dissolved"

DGA Detection via Entropy Analysis

Analyze DNS query logs for labels with high character entropy, unusual length, and low lexical plausibility (few vowels, long consonant runs, digits mixed into letters). Note that Shannon entropy is bounded by log2 of the label length, so an 8-character label can never exceed 3.0 bits and most of the sample DGA names above never reach the often-quoted 3.5 threshold; scale the threshold by length or combine entropy with vowel ratio and n-gram scoring. The strongest signal is behavioural: a host that resolves dozens of never-before-seen names and receives NXDOMAIN for most of them is walking through a DGA's daily candidate list.

HIGH PRIORITY
dns.query.label_score HIGH (low vowel ratio, consonant run >= 4, or entropy close to log2(length)) AND dns.rcode = NXDOMAIN AND count(distinct dns.query) per client per 10 min > N
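Added example (not from the original page): the hunt above run over a constructed resolver log. It computes Shannon entropy alongside its length ceiling, scores each registrable label with a few lexical features, and then aggregates NXDOMAIN answers per client, so that a pronounceable DGA name such as qwepoiru7.net, which no lexical rule flags, still contributes to the per-client burst. The log format, the thresholds, and the client addresses are assumptions; the DGA names are the ones listed in the simulation above.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log (not real traffic). Assumed line format:
# "<timestamp> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.1.4.22 www.google.com NOERROR
2025-06-01T10:00:02Z 10.1.4.22 login.microsoft.com NOERROR
2025-06-01T10:00:03Z 10.1.4.22 computer.example.net NXDOMAIN
2025-06-01T10:00:03Z 10.1.4.37 xkrqmw7f.cc NXDOMAIN
2025-06-01T10:00:03Z 10.1.4.37 btdvn3p.xyz NXDOMAIN
2025-06-01T10:00:04Z 10.1.4.37 jqwpoe82.ru NXDOMAIN
2025-06-01T10:00:04Z 10.1.4.37 lzmnvck9.top NXDOMAIN
2025-06-01T10:00:05Z 10.1.4.37 qwepoiru7.net NXDOMAIN
2025-06-01T10:00:05Z 10.1.4.37 znxbcvl3m.cc NOERROR
2025-06-01T10:00:06Z 10.1.4.51 d1a2b3c4.cloudfront.net NOERROR
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def shannon_entropy(s):
    """Bits per character. Bounded by log2(len(s)): an 8-character label can
    never exceed 3.0 no matter how random it is."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def registrable_label(qname):
    # Assumption: second-level label; use the Public Suffix List in production.
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lexical_features(label):
    letters = [c for c in label if c.isalpha()]
    return {
        "entropy": shannon_entropy(label),
        "entropy_ceiling": math.log2(len(label)) if label else 0.0,
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "consonant_run": max((len(m) for m in CONSONANT_RUN.findall(label)), default=0),
        "has_digit": any(c.isdigit() for c in label),
    }


def looks_generated(label):
    """Heuristic with assumed thresholds: vowel-starved labels, long consonant
    runs, or digits mixed into a low-vowel label. It deliberately misses
    pronounceable output such as 'qwepoiru7'; the NXDOMAIN aggregation in
    hunt() is what catches those."""
    if len(label) < 7:
        return False
    f = lexical_features(label)
    return (f["vowel_ratio"] < 0.2 or f["consonant_run"] >= 4
            or (f["has_digit"] and f["vowel_ratio"] < 0.3))


def parse_log(text):
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, client, qname, rcode = m.groups()
            yield {"ts": ts, "client": client, "qname": qname, "rcode": rcode}


def hunt(text, min_suspicious_nx=3, max_nx_any=8):
    """Per client: count NXDOMAIN answers and lexically suspicious names. Alert
    when at least min_suspicious_nx distinct suspicious names got NXDOMAIN, or
    when the client's NXDOMAIN volume alone exceeds max_nx_any."""
    state = defaultdict(lambda: {"nxdomain": 0, "generated": set(), "nx_names": set()})
    for rec in parse_log(text):
        s = state[rec["client"]]
        if looks_generated(registrable_label(rec["qname"])):
            s["generated"].add(rec["qname"])
        if rec["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
            s["nx_names"].add(rec["qname"])
    alerts = {}
    for client, s in state.items():
        suspicious_nx = s["generated"] & s["nx_names"]
        if len(suspicious_nx) >= min_suspicious_nx or s["nxdomain"] > max_nx_any:
            alerts[client] = {"nxdomain": s["nxdomain"],
                              "generated": sorted(s["generated"]),
                              "suspicious_nx": sorted(suspicious_nx)}
    return alerts


if __name__ == "__main__":
    for client, info in hunt(SAMPLE_LOG).items():
        print(client, info)
```

Only 10.1.4.37 is reported: five of its six lookups failed and four of those names are lexically suspicious. The single NXDOMAIN from 10.1.4.22 and the CDN hostname from 10.1.4.51 stay quiet, which is the false-positive behaviour you want before the rule goes anywhere near production DNS volumes.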

High-Risk TLD Blocking Policies

Implement DNS filtering policies that restrict or deeply inspect connections to TLDs with high malicious registration rates (.cc, .ru, .tk, .ml, .ga). While not all domains on these TLDs are malicious, the signal-to-noise ratio justifies aggressive monitoring.

MEDIUM PRIORITY
dns.query.tld IN [".cc", ".ru", ".tk", ".ml", ".ga"] AND dns.response.ip NOT IN allowed_ranges

Passive DNS Correlation

Use passive DNS databases to identify domains that share IP addresses, name servers, or registrant information with known malicious domains. This “guilt by association” approach can reveal newly registered domains before they appear on threat feeds.

MEDIUM PRIORITY
passive_dns.shared_ns WITH known_malicious_domains OR passive_dns.shared_ip WITH c2_infrastructure
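Added example (written for this page, not the page's own code) of the passive DNS pivot described above: starting from one known-bad domain, it walks shared A and NS values to find related domains, and it refuses to follow any value shared by more domains than a fan-out threshold, because a shared-hosting IP, a CDN address, or a large provider's name server links thousands of unrelated names. The records use the RFC 5737 documentation ranges and are constructed; the two phishing domains and ns1.malware-dns.cc come from the scenario and simulation above, and the fan-out threshold is an assumed tuning knob.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (domain, rrtype, value). Not real data.
PDNS = [
    ("bankofameriica.com", "A", "203.0.113.10"),
    ("bankofameriica.com", "NS", "ns1.malware-dns.cc"),
    ("secure-trust-finance.net", "A", "203.0.113.10"),
    ("secure-trust-finance.net", "NS", "ns1.malware-dns.cc"),
    ("xkrqmw7f.cc", "NS", "ns1.malware-dns.cc"),
    ("xkrqmw7f.cc", "A", "203.0.113.11"),
    ("lzmnvck9.top", "A", "203.0.113.11"),
    ("innocent-blog.org", "A", "198.51.100.5"),
    ("innocent-blog.org", "NS", "ns1.bighost.example"),
    # The phishing domain was briefly parked on a shared-hosting IP that fifty
    # unrelated tenants also use; following that IP would taint all of them.
    ("bankofameriica.com", "A", "198.51.100.5"),
] + [(f"tenant{i}.example", "A", "198.51.100.5") for i in range(50)]


def build_index(records):
    by_domain = defaultdict(set)   # domain -> {(rrtype, value)}
    by_value = defaultdict(set)    # (rrtype, value) -> {domains}
    for domain, rrtype, value in records:
        by_domain[domain].add((rrtype, value))
        by_value[(rrtype, value)].add(domain)
    return by_domain, by_value


def pivot(seeds, records, max_fanout=10, depth=2):
    """Breadth-first expansion from known-bad seeds across shared A and NS
    values. Returns {domain: (hop, linking record)}; seeds are hop 0.
    A value shared by more than max_fanout domains is treated as
    uninformative infrastructure and is not followed."""
    by_domain, by_value = build_index(records)
    found = {s: (0, None) for s in seeds}
    frontier = list(seeds)
    for hop in range(1, depth + 1):
        nxt = []
        for domain in frontier:
            for key in sorted(by_domain.get(domain, ())):
                related = by_value[key]
                if len(related) > max_fanout:
                    continue                     # shared hosting / CDN / big NS
                for other in sorted(related):
                    if other not in found:
                        found[other] = (hop, key)
                        nxt.append(other)
        frontier = nxt
    return found


if __name__ == "__main__":
    hits = pivot(["bankofameriica.com"], PDNS)
    for domain, (hop, via) in sorted(hits.items(), key=lambda kv: kv[1][0]):
        print(hop, domain, via)
```

With the default threshold the pivot reaches secure-trust-finance.net and xkrqmw7f.cc in one hop (shared IP and shared name server) and lzmnvck9.top in two, while innocent-blog.org and the fifty tenants are never touched. Raise max_fanout to a thousand and the shared-hosting IP drags all of them in, which is the "guilt by association" failure mode to guard against before blocking on the result.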

Continue Exploring

Domain Acquisition is Just the Beginning

T1583.001 covers the foundational step of acquiring domain infrastructure. Once domains are secured, adversaries move to configure DNS records, obtain email accounts, set up web services, and ultimately launch reconnaissance against their targets. Understanding the full lifecycle of infrastructure acquisition is critical for building effective defenses.

