Key Findings
- Dataset: 11,894 domains observed in malware communication over a six-month period (Dec 1, 2024 – Jun 10, 2025).
- Top-level domains (TLDs):
- 88.2% of malware-associated domains used generic TLDs (gTLDs).
- 11.8% used country-code TLDs (ccTLDs).
- The only ccTLD in the top 10 most abused TLDs was .ru (for Russia), representing 4.1% of all abused domains and 35% of ccTLDs.
- Registrars:
- The top 10 registrars accounted for 54% of malicious domains, the top 100 accounted for > 90%.
- 98% of malware-used domains were registered with one-year terms.
- 43% of these expired or were sinkholed within one year.
- Domain names:
- 10% of domains impersonated known brands.
- 15% used sector-related terms, without impersonating real organizations.
- 75% appeared randomly generated by domain generation algorithms (DGAs).
- Malware types (most common):
- Infostealers (45%) – top families: Lumma, FormBook
- Botnets (11%) – top families: Amadey, Mirai
- Downloaders (8%) – top families: SmokeLoader, Bumblebee
Mitigation recommendations
- Prevent and detect communications with malicious domains:
- Train customers and employees to identify and report suspicious domains.
- Use network and endpoint controls to detect and block communications with malicious domains.
- Deploy DNS resolvers that filter known-malicious domains to prevent lookups and connections.
- Reduce risk from brand impersonation and typosquatting:
- Register common variants of your primary domain name across relevant TLDs.
- Pre-register domains for key products, services and campaigns that may be attractive to impersonate.
- Use trusted registrars with strong security controls.
- Audit DNS records regularly and monitor for external domain abuse.
The Domain Name System (DNS) is the internet’s address book. It translates human-readable names like forescout.com into numerical IP addresses that route users to content and applications.
Threat actors abuse domain names for malware distribution and command-and-control (C2) because domains are flexible and persuasive. Attackers can rotate backend IP infrastructure while keeping the same domain, frustrating law enforcement takedowns. They also entice victims with convincing names. A typosquatted domain like “forescoutt.com” is more likely to be trusted and clicked than a raw IP address.
Domain name abuse remains a pressing risk. In April 2025, CISA and partners warned that DNS-based fast-flux techniques pose a national security threat, enabling resilient C2 and phishing infrastructure. In August, Health-ISAC reported a concerning spike in dangling DNS records in the health sector. “Dangling DNS” refers to a situation where a registered name points to a decommissioned resource that can be taken over by threat actors.
This report analyzes 11,894 domains registered between December 1, 2024 and June 10, 2025 that were observed in malware communication, primarily as C2 or distribution servers. From this dataset, we highlight how threat actors favor gTLDs, abuse popular registrars, and the types of domain names most commonly abused. We translate these findings into practical risk mitigation recommendations for defenders.
Malware Abuses Generic TLDs
DNS is hierarchical. At the top sit top-level domains (TLDs) overseen by the Internet Corporation for Assigned Names and Numbers (ICANN). Of the various TLD types, two matter most for domain abuse:
- Country-code TLDs (ccTLDs): two-letter domains tied to specific countries, such as .nl (Netherlands) and .uk (United Kingdom). These are run by entities within each country called registries, such as SIDN in the Netherlands and Nominet in the UK.
- Generic TLDs (gTLDs): not country-specific and often intended to signal purpose or community. The original set included .gov, .edu, .com, .mil, .org and .net. Today there are hundreds (for example .info, .shop, and .xyz) operated by private registry operators under contract with ICANN. The list of active registry operators is available online.
In our malicious domain dataset, we observed 238 TLDs in total: 137 gTLDs and 101 ccTLDs. 88.2% of malware-associated domains used gTLDs, while 11.8% used ccTLDs, indicating a clear preference for the gTLDs. This likely reflects lower registration costs, simpler policies without country-specific requirements, and the global familiarity of TLDs such as .com and .org.
Figure 1 shows the distribution of TLDs used in malware campaigns. The top chart ranks the 10 most common TLDs overall. The two lower charts break the data out by TLD type (gTLDs vs ccTLDs). Well-known gTLDs .com and .net together account for more than half of the dataset, followed by .top at just under 5%. Notably, in July 2024 ICANN issued a notice of breach to the .top registry for DNS abuse-mitigation noncompliance, which was only remediated by June 2025 – a year after the notification.
Nine of the ten most abused TLDs are gTLDs. The only ccTLD in the overall top ten is .ru (Russia), representing 4.1% of all abused domains and 35% of ccTLDs. Among abused ccTLDs more broadly, user-perceived gTLDs, such as .cc (Cocos Islands), .in (India), and .ws (Samoa) also appear.

Figure 1 – Distribution of TLDs, ccTLDs and gTLDs abused by malware
Malware Abuse Concentrates in Small Set of Registrars, and They Are Pushing Back
In the DNS hierarchy, registries manage TLDs, while registrars sell domain names to the public for fixed terms.
Abuse is far more concentrated at the registrar layer than at the registry layer. Our dataset includes 440 registrars. The top 10 account for 54.1% of malware-associated domains, and the top 100 account for more than 90%.
Figure 2 ranks the most frequently abused registrars. This distribution does not mirror overall market share. Some of the largest providers – GoDaddy, Namecheap and Tucows – appear among the most abused, but there are also outliers, such as Gname, Registrar.eu and Onamae that rank high for abuse despite smaller overall popularity.

Figure 2 – Registrars most frequently abused by malware
When a domain name is registered, it is valid for a set period. Figure 3 shows that nearly all domains in our malware dataset were registered for one year.

Figure 3 – Distribution of domain name validity for malware
Many of those domains do not remain active for the full term. Coordinated efforts by registrars, cybersecurity companies, law enforcement, and other ecosystem partners resulted in 43% of domains in our dataset expiring or being sinkholed in less than one year. Sinkholing redirects a domain to benign infrastructure to neutralize ongoing misuse.
Malware Often Relies on Meaningless Domain Names
After TLDs, registries and registrars, the final lever in DNS abuse is the label, the domain name itself. In malware operations, domain names are typically used in two ways:
- Static, hard-coded names inside the malware sample. These may be meaningless strings or crafted to look legitimate via typosquatting or brand impersonation.
- DGA-derived names generated on the fly by a domain generation algorithm (DGA). DGAs output large numbers of names (for example, xuoiwer12398241[.]com, or dictionary mashups like carcaffejohntwo[.]com), complicating analysis, blocking, and takedown.
Classifying whether a domain “looks random” is non-trivial without reversing the malware or observing the DGA. To triage at scale, we used a lightweight Large Language Model (LLM) to help classify abused domain names, then applied human review. In the examples below, we prompted Mistral 7B v0.3 to label sample domains as RANDOM or NOT RANDOM with a confidence score. Analysts used these outputs to guide manual labeling and excluded questionable LLM rationale.
| Domain | LLM Classification | LLM Confidence | LLM Explanation |
|---|---|---|---|
| launcher.detynetwork[.]xyz | RANDOM | 0.95 | The domain is long and has a random sequence of characters, ‘launcher’ does not seem to have any meaning in relation to ‘detynetwork’. The TLD xyz is typically used for unknown or new domains. |
| wayangslot[.]net | NOT RANDOM | 0.7 | The domain consists of two common words in English (‘wayang’ and ‘slot’) which are not often found together but do exist, indicating it might be a legitimate domain name rather than a random one. |
| jasbellyfusion[.]com | RANDOM | 0.95 | The domain ‘jasbellyfusion’ consists of three unrelated words concatenated with no obvious meaning. It also contains a long sequence of characters, which is characteristic of DGA domains. |
| allactivationkey[.]com | NOT RANDOM | 0.9 | The domain name consists of words related to a product (activation key) and a generic top-level domain (.com). However, the length could be considered slightly long for a legitimate domain. |
| 075641cm.nyashvibe[.]ru | RANDOM | 0.9 | The domain contains a long random sequence of characters and unrelated words (075641cm and nyashvibe), which are common traits for DGA domains. |
| calgarymusictutor[.]ca | NOT RANDOM | 1 | The domain is short, meaningful, and related to a specific location (Calgary) and activity (music tutor). No random sequences of characters were observed. |
| hissbringer[.]click | NOT RANDOM | 0.7 | The domain name ‘hissbringer’ is short and contains words that might be unrelated at first glance, but it is a valid English phrase which makes it less likely to be a random DGA domain. However, the lack of a well-known brand or product associated with it reduces its certainty. |
| amoiz[.]com | NOT RANDOM | 0.9 | The domain is short, meaningful, and does not contain a concatenation of unrelated words. |
| www.9exrm7hq8l1gye[.]xyz | RANDOM | 0.95 | The domain contains a long random sequence of characters with no apparent meaning. |
| ogcmo[.]com | NOT RANDOM | 0.8 | The domain name is short (4 characters) and meaningful, which is a characteristic of legitimate domains. |
Using LLM hints, we manually labelled 1,418 domains (~12% of the dataset) into one or more categories:
- Typosquatting or brand impersonation: 136 domains (10%). Most frequently abused brands included large technology providers (for example, Adobe, Google, Microsoft, Proton VPN) and well-known tools and applications (for example, Nmap, TrueCrypt, WinRAR).
- Sector-referencing terms: 215 domains (15%) that used industry keywords without impersonating real organizations:
- 106 technology terms (for example, api, apk, cdn)
- 54 healthcare terms (for example, medical, clinic, hospital)
- 40 finance terms (for example, bank, finance, crypto)
- 13 malware-related terms (for example, botnet, ‘cnc’)
- DGA-like: 1,067 domains (75%) that appeared algorithmically generated, including numeric strings (for example, 06626[.]net), letter jumbles (for example, gqwhyjh[.]com), and multi-label constructs (for example, iti7iuguiugguiguuig.externalpoweringphones[.]life). We also observed pattern families such as series resembling one1[.]top, two2[.]top and so on.
The remaining 10,476 domains (~88%) of the overall dataset did not show clear lexical signals of brand impersonation or sector terms and often appeared meaningless (for example, 0server[.]com, 1-luck[.]info). Many of these could be DGA-derived or static gibberish, but we could not determine this without deeper malware analysis or network telemetry.
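The triage described above (an LLM hint followed by human review) can be cross-checked with cheap lexical rules. The script below is an added example, not Forescout's code: it refangs each name, scores every non-TLD label for digit density, consonant runs and vowel balance, checks for the brands and sector terms listed above (plus "zoom" and "forescout", taken from this report's own examples), and returns the report's categories together with the evidence. All thresholds are assumptions tuned only on the sample domains above; the single-label-suffix shortcut and the two constructed sample names are marked in the code. It disagrees with the LLM on launcher.detynetwork[.]xyz, which is exactly the kind of case that has to go to an analyst.

```python
"""Lexical triage of abused domain names into the report's categories.

Added example, not Forescout's tooling. Keyword lists are the ones the report names;
every threshold is my assumption, tuned only on the report's sample domains, and the
output is an analyst hint (as the report treats its LLM output), not a verdict.
"""
import re

BRANDS = ["adobe", "google", "microsoft", "proton", "nmap", "truecrypt",
          "winrar", "zoom", "forescout"]  # zoom/forescout added from the report's examples
SECTOR_TERMS = {
    "technology": ["api", "apk", "cdn"],
    "healthcare": ["medical", "clinic", "hospital"],
    "finance": ["bank", "finance", "crypto"],
    "malware": ["botnet", "cnc"],
}
VOWELS = set("aeiou")
MIN_LEN, DIGIT_RATIO, CONSONANT_RUN = 5, 0.5, 5        # assumed thresholds
VOWEL_RULE_LEN, VOWEL_LOW, VOWEL_HIGH = 8, 0.15, 0.6   # assumed thresholds


def refang(domain):
    """'foo[.]com' -> 'foo.com', lower-cased, without a leading 'www.' or trailing dot."""
    host = domain.strip().replace("[.]", ".").rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host


def labels(domain):
    """Non-TLD labels, e.g. ['launcher', 'detynetwork'] for launcher.detynetwork.xyz.
    Assumption: single-label public suffix (no co.uk handling)."""
    return refang(domain).split(".")[:-1]


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def features(label):
    """Lexical features of one label; hyphens ignored, digits count as non-vowels."""
    s = label.replace("-", "")
    n = max(len(s), 1)
    return {"len": len(s),
            "digit_ratio": sum(c.isdigit() for c in s) / n,
            "vowel_ratio": sum(c in VOWELS for c in s) / n,
            "consonant_run": max((len(r) for r in re.findall(r"[^aeiou]+", s)), default=0)}


def is_dga_like(label):
    f = features(label)
    if f["len"] < MIN_LEN:
        return False
    if f["digit_ratio"] >= DIGIT_RATIO or f["consonant_run"] >= CONSONANT_RUN:
        return True
    # Long label with far too few or far too many vowels (e.g. iti7iuguiugguiguuig).
    return f["len"] >= VOWEL_RULE_LEN and not VOWEL_LOW < f["vowel_ratio"] < VOWEL_HIGH


def brand_hits(label):
    """Brand embedded in the label, or one edit away from it (forscout -> forescout)."""
    return [b for b in BRANDS if b in label or (len(label) >= 6 and levenshtein(label, b) <= 1)]


def sector_hits(label):
    """Sector terms matched on tokens split at hyphens/digits; short terms need a whole-token match."""
    tokens = [t for t in re.split(r"[-0-9]+", label) if t]
    return sorted({sector for sector, terms in SECTOR_TERMS.items() for term in terms
                   for t in tokens if t == term or (len(term) >= 5 and term in t)})


def triage(domain):
    """Report categories that apply to a (defanged) domain, with the evidence behind each."""
    cats, evidence = set(), {}
    for label in labels(domain):
        brands, sectors = brand_hits(label), sector_hits(label)
        if is_dga_like(label):
            cats.add("dga_like")
            evidence.setdefault("dga_like", []).append(label)
        if brands:
            cats.add("brand_impersonation")
            evidence.setdefault("brands", []).extend(brands)
        if sectors:
            cats.add("sector_term")
            evidence.setdefault("sectors", []).extend(sectors)
    return {"host": refang(domain), "categories": sorted(cats) or ["unclassified"], "evidence": evidence}


# Sample input: domains quoted in the report plus two constructed names (the last two).
SAMPLES = ["launcher.detynetwork[.]xyz", "calgarymusictutor[.]ca", "www.9exrm7hq8l1gye[.]xyz",
           "075641cm.nyashvibe[.]ru", "gqwhyjh[.]com", "06626[.]net", "zoom016.pages[.]dev",
           "iti7iuguiugguiguuig.externalpoweringphones[.]life", "forescoutt[.]com",
           "secure-bank-login[.]top", "cdn-api-host7[.]xyz"]

if __name__ == "__main__":
    for d in SAMPLES:
        r = triage(d)
        print(f"{r['host']:<50} {','.join(r['categories']):<22} {r['evidence']}")
```

The rules are deliberately conservative on short labels (amoiz, ogcmo) because five-letter names have too little signal; anything the rules leave "unclassified" is where the LLM hint and the analyst earn their keep.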
Infostealers Remain the Top Malware Type
For just over 3,000 malicious domains (~25% of the dataset), we identified the associated malware family and type. Figure 4 shows that infostealers, botnets and downloaders are the most common categories within this classified subset, with infostealers alone accounting for just under half (45%). This trend is consistent with our 2024 Threat Roundup and subsequent analysis, which found infostealers have become a cornerstone of cybercrime.

Figure 4 – Top malware types associated with abused domains
Figure 5 highlights the most frequently observed malware families. Among infostealers, Lumma and FormBook dominate. For botnets Amadey and Mirai are most common.

Figure 5 – Top malware families associated with abused domains
Example Campaign – Malware Distribution Via Zoom Impersonation
Among the brand-impersonating domains in our dataset, we observed a cluster delivering malware while masquerading as Zoom updates. The campaign used subdomains on legitimate front-end hosting platforms:
- ous05webzoomworkspace-live-rervations-invitation-fch0k9-8q-pages[.]dev
- zoomhdens.surge[.]sh
- zoomdensla4ljk13eo6wq8s1cnot.surge[.]sh
- zoom016.pages[.]dev
These names sit beneath legitimate providers (surge.sh and pages.dev). We will cover the broader rise in abuse of such platforms in a separate publication.
The landing page for the first domain (screenshot below) loads a legitimate favicon from st1.zoom.us/zoom.ico, displays a fake address bar showing the benign URL zoom.us/workspace/update and simulates a Zoom update flow.

When a victim clicks ‘Manually Download Update Now’, a malicious file named Zoom.Workspace.Update 5.16.2.exe is downloaded from https://www.dropbox[.]com/scl/fi/h1vymfwi3lww98botkwsb/Zoom.Workspace.Update-5.16.2.exe?rlkey=92fsgff8el2fomiw2h2dmbf5c&st=scpdbutr&dl=.
Analysis indicates this installer is a maliciously packaged copy of ConnectWise ScreenConnect, a legitimate remote management tool frequently abused by attackers to obtain remote control of compromised machines.
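The mitigation section below recommends filtering at the resolver with a Response Policy Zone (RPZ), and this campaign is the caveat to build into that pipeline: the hostnames sit under surge.sh and pages.dev and the payload under www.dropbox.com, so blocking the registrable domain (the right move for an attacker-owned name such as gqwhyjh[.]com) would take down legitimate platforms. The script below is an added example, not Forescout's feed tooling. It turns a defanged IoC list into a BIND RPZ zone, blocks only the exact hostname beneath an assumed, hand-maintained list of shared-hosting apexes, routes URL IoCs on such platforms to a URL filter instead of DNS, and rejects hashes, file names and malformed entries. The zone name, SOA values and the one constructed malformed entry are assumptions.

```python
"""Build a BIND Response Policy Zone (RPZ) from a defanged IoC list.

Added example, not Forescout's feed tooling. Zone name and SOA values are assumptions;
SHARED_APEXES is the list a practitioner maintains by hand and is seeded from the
platforms abused in the Zoom campaign above.
"""
import re
from urllib.parse import urlparse

SHARED_APEXES = {"surge.sh", "pages.dev", "dropbox.com"}  # never block these apexes
HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(ioc):
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http")


def registrable(host):
    """Assumption: single-label public suffix, so the registrable domain is the last two labels."""
    return ".".join(host.split(".")[-2:])


def classify_iocs(iocs):
    """Sort IoCs into apex blocks, exact-host blocks, URL-filter-only items and rejects."""
    out = {"block": set(), "exact": set(), "url_only": [], "rejected": []}
    for raw in iocs:
        ioc = refang(raw)
        is_url = "://" in ioc
        host = (urlparse(ioc).hostname or "") if is_url else ioc.rstrip(".").lower()
        if SHA256_RE.match(host):
            out["rejected"].append((raw, "file hash, not a DNS name"))
        elif not HOST_RE.match(host):
            out["rejected"].append((raw, "not a valid hostname"))
        elif registrable(host) in SHARED_APEXES:
            # Shared platform: a resolver cannot separate one tenant's path from another's,
            # so a URL IoC goes to the proxy/URL filter and a hostname IoC is blocked exactly.
            if is_url:
                out["url_only"].append(ioc)
            else:
                out["exact"].add(host)
        else:
            out["block"].add(registrable(host))  # attacker-owned: block apex and all subdomains
    return out


def build_rpz(iocs, zone="rpz.example.local", serial=1):
    """Render the zone file. 'CNAME .' rewrites the answer to NXDOMAIN."""
    c = classify_iocs(iocs)
    lines = [f"$ORIGIN {zone}.", "$TTL 300",
             f"@ IN SOA localhost. hostmaster.{zone}. ({serial} 3600 600 86400 300)",
             "@ IN NS localhost."]
    for apex in sorted(c["block"]):
        lines += [f"{apex} CNAME .", f"*.{apex} CNAME ."]  # the wildcard does not cover the apex
    for host in sorted(c["exact"]):
        lines.append(f"{host} CNAME .")
    return "\n".join(lines) + "\n"


# Sample input: IoCs quoted in the report (defanged) plus one constructed malformed entry.
IOCS = [
    "xuoiwer12398241[.]com", "gqwhyjh[.]com", "www.9exrm7hq8l1gye[.]xyz",
    "launcher.detynetwork[.]xyz", "Ogcmo[.]com",
    "zoomhdens.surge[.]sh", "zoomdensla4ljk13eo6wq8s1cnot.surge[.]sh", "zoom016.pages[.]dev",
    "https://www.dropbox[.]com/scl/fi/h1vymfwi3lww98botkwsb/Zoom.Workspace.Update-5.16.2.exe"
    "?rlkey=92fsgff8el2fomiw2h2dmbf5c&st=scpdbutr&dl=",
    "Zoom.Workspace.Update 5.16.2.exe",
    "7ebecf59c83a66042b59298d6036178fa102bfb8356f9c717e3a26f4dc88273e",
    "0server[.].com",  # constructed: a doubled defang marker that must not become a bad record
]

if __name__ == "__main__":
    result = classify_iocs(IOCS)
    print(build_rpz(IOCS))
    print("URL filter only:", result["url_only"])
    print("rejected:", result["rejected"])
```

Load the zone in BIND with `response-policy { zone "rpz.example.local"; };` and serve it as an ordinary authoritative zone; bump the serial on every feed update. Both the apex record and the `*.apex` record are needed because an RPZ wildcard does not match the apex itself, and the `url_only` list is what goes to the proxy, since no resolver rule can block one Dropbox path without blocking all of Dropbox.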
Mitigation Recommendations
Domain name abuse is entrenched in malware distribution and will persist. Organizations should take a two-pronged approach that both blocks malicious communications and protects their own brand and namespace.
- Detect and prevent communications with malicious domains:
- Educate and enable reporting. Train customers and employees about domain name abuse and how to spot risky names (randomness/DGA-like strings, suspicious TLDs, typosquats and abusive subdomains), and to report them through a simple tracked workflow integrated with SOC tooling.
- Enforce DNS egress policy. Route all queries through enterprise resolvers; block direct use of external resolvers and unmanaged DNS over HTTPS (DoH) or DNS over TLS (DoT).
- Filter at the resolver. Use resolvers with DNS abuse filtering and support for policies such as Response Policy Zones (RPZ) or equivalent deny/allow lists (for example, Quad9 or commercial alternatives).
- Detect on network and endpoint. Use NDR/IDS and EDR to flag and block outbound DNS, SNI, and Host header requests to known-malicious or newly observed domains.
- Apply age and reputation controls. Treat newly registered domains and newly observed domains as higher risk; alert or quarantine until vetted.
- Centralize telemetry. Send DNS logs to the SIEM, enrich with WHOIS, passive DNS, and certificate transparency data to track domain age, eTLD+1 (the registrable base domain) groupings, and reuse across campaigns.
- Prevent and detect brand impersonation and typosquatting against your domain:
- Defensive registrations. Register common variants of primary domains across relevant TLDs and high-risk TLDs (e.g., .com, .net, .org). Pre-register names for key products, services and campaigns likely to be impersonated.
- Harden registrar posture. Use trusted registrars, enable REGISTRAR-LOCK and, where available, REGISTRY LOCK; require strong MFA and change-approval workflows for DNS updates and transfers.
- Audit and clean up DNS. Review records on a schedule. Eliminate dangling DNS to prevent subdomain takeovers when cloud resources are decommissioned.
- Continuously monitor lookalikes. Regularly scan for typosquats and homoglyph/IDN lookalikes. Use tools like dnstwist and DNSrazzle, zone-file monitoring, passive DNS, and certificate-transparency alerts.
- Protect email identity. Enforce SPF, DKIM, and DMARC to reduce domain misuse in phishing tied to lookalike web properties.
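For the defensive-registration and lookalike-monitoring items above, the generator below is an added example (not dnstwist, DNSrazzle or Forescout code) that produces the usual permutation classes for a primary domain: character omission, repetition (the "forescoutt.com" example from the introduction), transposition, hyphenation, ASCII homoglyphs, Cyrillic IDN homoglyphs rendered in the punycode form that zone files and certificate-transparency logs actually contain, and swaps onto the gTLDs this report found most abused. The candidate set is what you either register or diff against new registrations, zone-file changes and CT names. The homoglyph tables and TLD list are assumptions, and the observed registrations are constructed.

```python
"""Lookalike candidates for a primary domain: register them, or match new registrations
and CT-log names against them.

Added example, not dnstwist/DNSrazzle or Forescout code. Homoglyph tables, the TLD
list and the sample observations are assumptions.
"""

TLDS = ["com", "net", "org", "top", "xyz"]  # gTLDs the report found most abused
ASCII_HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
                    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}
CYRILLIC = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e", "p": "\u0440"}
TECHNIQUES = ("omission", "repetition", "transposition", "hyphenation",
              "homoglyph", "idn", "tld_swap")


def lookalikes(domain):
    """Return {technique: sorted candidates} for a registrable domain like forescout.com.
    Assumption: single-label TLD, so the name is everything before the last dot."""
    name, tld = domain.lower().rsplit(".", 1)
    out = {t: set() for t in TECHNIQUES}
    for i, ch in enumerate(name):
        out["omission"].add(name[:i] + name[i + 1:])
        out["repetition"].add(name[:i] + ch + name[i:])
        if i + 1 < len(name) and ch != name[i + 1]:
            out["transposition"].add(name[:i] + name[i + 1] + ch + name[i + 2:])
        if i > 0:
            out["hyphenation"].add(name[:i] + "-" + name[i:])
        for glyph in ASCII_HOMOGLYPHS.get(ch, []):
            out["homoglyph"].add(name[:i] + glyph + name[i + 1:])
        if ch in CYRILLIC:
            # One Latin letter swapped for its Cyrillic twin, stored in wire form (xn--...)
            # because that is what zone files and CT logs contain.
            idn = name[:i] + CYRILLIC[ch] + name[i + 1:]
            out["idn"].add(idn.encode("idna").decode("ascii"))
    out["tld_swap"] = {f"{name}.{t}" for t in TLDS if t != tld}
    return {t: sorted(c if t == "tld_swap" else {f"{x}.{tld}" for x in c})
            for t, c in out.items()}


def flag_observed(domain, observed):
    """Match observed names (zone-file diff, passive DNS, CT feed) against the candidates."""
    index = {c: t for t, cands in lookalikes(domain).items() for c in cands}
    return sorted((o, index[o.lower()]) for o in observed if o.lower() in index)


# Constructed sample of newly observed names; only the first three are lookalikes.
OBSERVED = ["forescoutt.com", "Forescout.top", "f0rescout.com", "example.org", "securescout.com"]

if __name__ == "__main__":
    for technique, cands in lookalikes("forescout.com").items():
        print(f"{technique:<14} {len(cands):>3}  e.g. {cands[:3]}")
    print(flag_observed("forescout.com", OBSERVED))
```

Registering every candidate is rarely affordable; the usual split is to register the handful that are one keystroke away on the TLDs you actually use, and to feed the full set to monitoring so that a new registration, a zone-file change or a CT certificate for any of them raises an alert.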
IoCs
Handle IoCs only in a controlled analysis environment. The full, continuously updated list is available on the Forescout Research – Vedere Labs threat feed. The items below are those explicitly mentioned in this report:
- xuoiwer12398241[.]com
- carcaffejohntwo[.]com
- launcher.detynetwork[.]xyz
- wayangslot[.]net
- jasbellyfusion[.]com
- allactivationkey[.]com
- 075641cm.nyashvibe[.]ru
- calgarymusictutor[.]ca
- hissbringer[.]click
- amoiz[.]com
- www.9exrm7hq8l1gye[.]xyz
- ogcmo[.]com
- 06626[.]net
- gqwhyjh[.]com
- iti7iuguiugguiguuig.externalpoweringphones[.]life
- 0server[.]com
- 1-luck[.]info
- ous05webzoomworkspace-live-rervations-invitation-fch0k9-8q-pages[.]dev
- zoomhdens.surge[.]sh
- zoomdensla4ljk13eo6wq8s1cnot.surge[.]sh
- zoom016.pages[.]dev
- https://www.dropbox[.]com/scl/fi/h1vymfwi3lww98botkwsb/Zoom.Workspace.Update-5.16.2.exe?rlkey=92fsgff8el2fomiw2h2dmbf5c&st=scpdbutr&dl=
- Zoom.Workspace.Update 5.16.2.exe (SHA-256: 7ebecf59c83a66042b59298d6036178fa102bfb8356f9c717e3a26f4dc88273e)