The Domain Name System (DNS) is the internet's address book. It translates everyday web addresses into numeric IPs, allowing people to connect to applications and content. Unfortunately, DNS is also a cybercriminal's most reliable tool. Fraudsters rely on malicious domains to distribute malware, run command and control (C2) operations and trick victims with convincing domain names in phishing emails or smishing text messages.
A new analysis of 11,894 domains involved in malware communications between December 2024 and June 2025 shows how attackers are exploiting domain names at scale. The analysis, carried out by Forescout Vedere Labs researchers, found that attackers strongly prefer generic top-level domains (gTLDs), cluster at a handful of registrars and rely on disposable, often meaningless names.
Top findings:
Preference for generic domains: The vast majority of malicious activity (88%) leveraged generic top-level domains (gTLDs). Russia's .ru domain was the only country-code TLD to appear in the top 10, accounting for 4.1% of all malicious domains.
Short-lived domain lifecycles: Nearly all malicious domains (98%) were registered for just one year, and 43% were either allowed to expire or sinkholed within that period, reflecting the impact of industry and law enforcement interventions.
Brand impersonation: 10% of domains engaged in typosquatting, most often abusing the names of major technology companies (e.g., Adobe, Google, Microsoft, Proton VPN) and popular applications (e.g., nmap, TrueCrypt, WinRAR).
Sector-related keywords: 15% of domains contained industry terms: 106 referencing technology (API, APK, CDN), 54 healthcare (medical, clinic, hospital), 40 financial (bank, crypto, finance), and 13 tied to malware (botnet, CNC).
Infostealers remain the leading threat: Infostealer malware accounted for 45% of observed activity (driven primarily by Lumma and FormBook), followed by botnets (11%) and downloaders (8%).
Top-level domains, or TLDs, sit at the highest level of the DNS hierarchy. TLDs take many forms, but the most common are country-code TLDs (ccTLDs) like .uk or .us and generic TLDs (gTLDs) like .com or .net. In the analysis, 88.2% of malware-associated domains used gTLDs, with .com and .net accounting for more than half of all cases, while just 11.8% used ccTLDs. The only ccTLD in the top ten most used TLDs was .ru for Russia, representing 4.1% of all malicious domains and accounting for more than a third of all ccTLD abuse.
Generally speaking, cost and ease of registration appear to be the main factors driving cybercriminals' choice of TLD. Generic TLDs are cheaper, more familiar to victims and often come with fewer restrictions than country-specific domains.
TLDs are managed by registries, while registrars sell domain names to the public. The Forescout analysis found that malicious registrations were heavily concentrated at a small number of registrars. Of the 440 registrars in the whole dataset, the top ten accounted for 54% of malicious domains and the top 100 accounted for more than 90%.
Well-known providers such as GoDaddy, Namecheap and Tucows appear on the list alongside smaller names like Gname and Registrar.eu, all of which were used to register malicious domains. Malicious domains are, however, overwhelmingly short-lived. The vast majority were registered for one-year terms, and nearly half had expired or been sinkholed before the year was up. Sinkholing redirects a malicious domain to infrastructure controlled by defenders, cutting off the attackers' use of it. This rapid churn highlights the problem of cheap, easily disposable domains, but it also shows that takedown efforts are succeeding.
What Malicious Domains Look Like
Malicious domains can be difficult to spot, but if TLDs and registrars set the stage, the domain names themselves provide the most immediate signal of abuse. Analysts grouped the dataset into three broad categories.
The largest category, accounting for about three-quarters of the dataset, consisted of random or algorithmically generated names. These often appeared meaningless, such as “gqwhyjh[.]com” or numeric-heavy names like “06626[.]net.” Domain generation algorithms, or DGAs, help malware avoid detection by producing endless new names.
Another significant category involved brand impersonation, which accounted for around 10 percent of the dataset. Attackers frequently mimicked major technology companies such as Google, Microsoft, and Adobe, or tools like Proton VPN and WinRAR. One campaign even impersonated Zoom updates with domains hosted on legitimate platforms like pages.dev and surge.sh.
The remaining 15 percent of domains used sector-related keywords without referencing specific organisations. Many names incorporated terms tied to technology, finance or healthcare, such as "cdn," "crypto," and "clinic." These sector terms increase the likelihood that users will trust the domain enough to click.
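The three categories above can be approximated with simple lexical checks on the registrable label. The script below is an added example, not Forescout's tooling; the brand list and sector terms are the ones named in the article, the hosting suffixes are the pages.dev and surge.sh platforms it mentions, and the thresholds in looks_generated are assumptions chosen to catch names like gqwhyjh and 06626.

```python
import re

# Brand and sector lists are the ones named on the page; a real deployment would substitute
# its own protected names. Labels under these hosting platforms are treated as the chosen name.
BRANDS = ["adobe", "google", "microsoft", "protonvpn", "winrar", "zoom", "forescout"]
SECTOR_TERMS = ["api", "apk", "cdn", "medical", "clinic", "hospital",
                "bank", "crypto", "finance", "botnet", "cnc"]
HOSTING_SUFFIXES = ("pages.dev", "surge.sh")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; labels are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label the registrant chose, with defanged '[.]' undone (assumes one-label TLDs)."""
    host = domain.lower().replace("[.]", ".").strip(".")
    for suffix in HOSTING_SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1].split(".")[-1]
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label: str) -> bool:
    """Coarse DGA signal: numeric-heavy, vowel-starved or long consonant runs (gqwhyjh, 06626)."""
    letters = [c for c in label if c.isalpha()]
    digit_ratio = sum(c.isdigit() for c in label) / max(len(label), 1)
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    longest_run = max((len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", label)), default=0)
    return digit_ratio >= 0.5 or vowel_ratio < 0.25 or longest_run >= 5


def classify(domain: str) -> str:
    """Returns 'brand-impersonation', 'sector-keyword', 'random' or 'other'."""
    label = registrable_label(domain)
    token = label.replace("-", "")
    if token in BRANDS:
        return "other"  # the brand's own name, not an impersonation of it
    if any(b in token or edit_distance(token, b) <= 1 for b in BRANDS):
        return "brand-impersonation"
    if any(t in label for t in SECTOR_TERMS):
        return "sector-keyword"
    return "random" if looks_generated(label) else "other"
```

Running classify over a resolver log or a list of newly registered domains gives a first-pass bucket for each name; the random bucket in particular is a prompt to check the resolving IPs and query patterns rather than a verdict.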
Malware Types Behind the Domains
For about a quarter of the dataset, researchers were able to tie domains to specific malware families. Infostealers dominated, making up 45 percent of cases. Families such as Lumma and FormBook were particularly common.
Botnets came next, accounting for 11 percent, with Amadey and Mirai leading the group. Downloaders followed at eight percent, led by SmokeLoader and Bumblebee. The prevalence of infostealers aligns with wider cybercrime trends. Stealing credentials and session tokens has become a profitable cornerstone of the underground economy, and these types of domains provide the infrastructure needed to keep such campaigns running.
Why It Matters
Malicious domain abuse is more than a technical nuisance. By rotating backend IP addresses while keeping the same domains, attackers frustrate takedown efforts and remain resilient. Typosquatted names such as “forescoutt[.]com” can trick even cautious users into clicking.
In recent months, national security agencies have raised alarms about these techniques. In April 2025, the Cybersecurity and Infrastructure Security Agency (CISA) warned that DNS fast-flux techniques enable resilient malware and phishing infrastructure. In August, the Health-ISAC reported that dangling DNS records (names that still point to decommissioned resources) pose growing risks in the healthcare sector because attackers can hijack them. DNS abuse sits at the heart of modern malware campaigns, making it a critical target for defenders.
Mitigation: What Defenders Can Do
The research highlights several practical steps organisations can take. The first is to block malicious lookups. Organisations can deploy DNS resolvers that filter known-bad domains and use endpoint controls to cut off suspicious connections.
Second, user education remains crucial. Staff and customers who can recognise suspicious domains and report them quickly are a critical line of defence. Third, organisations can reduce impersonation risks by pre-emptively registering common typos, variants, and campaign-related domains before attackers do. Finally, defenders should work only with registrars that enforce strong abuse controls and conduct regular audits of DNS records to identify potential vulnerabilities.
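The third step above, pre-emptively registering common typos and variants, needs a list of candidates, and the same list doubles as a watchlist to match against new registrations. The script below is an added example rather than anything from the analysis; it enumerates single-edit typos of a protected name (the article's "forescoutt" is a doubled letter) and defaults to .com and .net because those were the TLDs the analysis found most abused.

```python
from itertools import product


def typo_variants(name: str) -> set:
    """Single-edit typos of a bare label: dropped, doubled and swapped letters plus hyphen splits."""
    name = name.lower()
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                               # omission:      forscout
        out.add(name[:i] + name[i] + name[i:])                         # repetition:    forescoutt
        if i + 1 < len(name):
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])   # transposition: foerscout
            out.add(name[:i + 1] + "-" + name[i + 1:])                 # hyphenation:   fore-scout
    out.discard(name)  # swapping two identical adjacent letters yields the name itself
    return out


def watchlist(name: str, tlds=("com", "net")) -> list:
    """Full domains to pre-register, or to match against a feed of new registrations."""
    return sorted(f"{v}.{tld}" for v, tld in product(typo_variants(name), tlds))


def matches_watchlist(domain: str, name: str, tlds=("com", "net")) -> bool:
    """True when an observed domain is one of the typo variants of the protected name."""
    return domain.lower().replace("[.]", ".") in set(watchlist(name, tlds))
```

Keyboard-adjacency substitutions and homoglyphs are deliberately left out here; a production list would add them and trim the result to what the registration budget allows.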
To conclude, malware operations thrive on cheap, disposable and convincing domains. From algorithmically generated names to brand impersonation, DNS remains one of the most abused parts of the internet’s infrastructure. Defenders who strengthen their DNS posture through filtering, vigilant registration, and proactive monitoring stand the best chance of cutting attackers off at their favourite entry point: the address book of the internet.