Keypoints
- Researchers analyzed 21+ million newly registered domains added between 1 Jan and 31 Mar 2024.
- Overall NRD volume declined ~32% from Q4 2023; ccTLD registrations dropped 42.7%, gTLDs dropped 28.7%.
- .shop and .store remained among the most-used gTLDs for new registrations; major registrars included Squarespace and Alibaba.
- Threat feeds identified 3.2+ million unique domains as IoCs during Q1 2024.
- Malicious domains frequently used common gTLDs (.com, .org, .net) and ccTLDs (.ru, .cn); some ccTLDs showed far more malicious existing domains than new registrations.
- Example anomaly: 24,437 .to domains were flagged as malicious in Q1 while only 714 new .to registrations occurred in the same period.
MITRE Techniques
- [T1583.001] Domains – Adversaries register and use domains to build malicious infrastructure: ‘3.2+ million unique domains flagged as IoCs in Q1 as seen in the Threat Intelligence Data Feeds.’
- [T1583] Acquire Infrastructure – Use of popular gTLDs and ccTLDs to host malicious services and blend in: ‘popular TLDs like .com, .org, and .net were among the most used. The malicious domains were also seen sporting ccTLDs, including .ru and .cn.’
- [T1566] Phishing – Registered malicious domains are commonly leveraged for social-engineering and credential-harvesting operations (inferred from domains flagged as IoCs): ‘3.2+ million unique domains flagged as IoCs in Q1 as seen in the Threat Intelligence Data Feeds.’
Indicators of Compromise
- [TLD] Malicious TLD counts – .to (24,437 flagged malicious domains), .ru and .cn frequently observed among IoCs.
- [gTLD] Popular gTLDs used by IoCs – .com, .org, .net (examples noted as among the most used for malicious domains).
- [Registrar] Hosting/registration context – Squarespace, Alibaba (identified among top registrars for NRDs and associated with high-use gTLDs).
- [Dataset counts] Scale/context – 21+ million NRDs analyzed (Q1 2024), 3.2+ million domains flagged as IoCs (Threat Intelligence Data Feeds).
Researchers processed Newly Registered Domains Data Feeds for 1 January–31 March 2024 and cross-referenced those NRDs with Threat Intelligence Data Feeds to identify domains used for malicious activity. The technical analysis quantified registration volumes (21+ million NRDs) and measured quarter-over-quarter changes, finding an overall 32% decline and a sharper drop among ccTLDs (42.7%) than among gTLDs (28.7%). Registrar and TLD distributions were computed to highlight concentrations (for example, the prevalence of .shop/.store and the appearance of Squarespace/Alibaba among the top registrars).
For IoC-focused analysis, 3.2+ million unique domains flagged in threat feeds were categorized by TLD to reveal which top-level domains hosted the most malicious domains; common gTLDs (.com, .org, .net) and ccTLDs (.ru, .cn, .to) were prominent. The report compared counts of existing malicious domains against newly registered domains per ccTLD to identify anomalies—most notably, 24,437 .to domains flagged as malicious compared with only 714 new .to registrations during Q1—suggesting heavy reuse or long-lived malicious registrations within certain ccTLDs.
These findings support combining NRD and threat-intel feeds to detect suspicious registration patterns, to prioritize monitoring of specific registrars and TLDs, and to guide defensive actions (e.g., applying contextual blocking controls to TLDs known to host malicious domains, investigating registrant concentration at particular registrars, and tracking anomalous ratios of existing malicious domains vs. new registrations to find persistent threats).
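The cross-referencing and per-TLD ratio analysis described above, as an added illustration that is not code from the report or its authors: it takes two small constructed feeds (one domain per line, not the report's data), counts domains per TLD, finds NRDs that are already flagged, and lists TLDs where flagged domains outnumber new registrations, the pattern the report observed for .to. Feed format, function names and thresholds are assumptions.

```python
"""Cross-reference a newly-registered-domain (NRD) feed with a threat-intel IoC
feed: per-TLD counts, feed overlap, and the flagged-vs-new ratio per TLD."""
from collections import Counter

# Constructed sample feeds (illustrative; not data from the report), one domain per line.
NRD_FEED = """\
example-shop.shop
cheap-deals.store
news-site.com
login-portal.to
"""
IOC_FEED = """\
evil-site.to
bad-login.to
phish-bank.to
malware-drop.ru
fake-update.cn
news-site.com
"""

def normalise(lines):
    """Lower-case, strip a trailing dot, drop blank lines and '#' comments."""
    domains = (line.strip().lower().rstrip(".") for line in lines)
    return {d for d in domains if d and not d.startswith("#")}

def tld_of(domain):
    """Last label only (plain split; no public-suffix list handling)."""
    return domain.rsplit(".", 1)[-1]

def count_by_tld(lines):
    """Number of distinct domains per TLD in a feed."""
    return Counter(tld_of(d) for d in normalise(lines))

def malicious_nrds(nrd_lines, ioc_lines):
    """Domains newly registered in the window that are already flagged as IoCs."""
    return normalise(nrd_lines) & normalise(ioc_lines)

def tld_ratios(ioc_counts, nrd_counts):
    """Flagged-domain / new-registration ratio per TLD (inf if no new registrations)."""
    return {t: n / nrd_counts[t] if nrd_counts[t] else float("inf")
            for t, n in ioc_counts.items()}

def anomalous_tlds(ioc_counts, nrd_counts, min_flagged=3, min_ratio=2.0):
    """TLDs where flagged domains outnumber new registrations by >= min_ratio,
    as with the report's .to case (24,437 flagged vs 714 new in Q1 2024)."""
    rows = [(t, ioc_counts[t], nrd_counts[t], r)
            for t, r in tld_ratios(ioc_counts, nrd_counts).items()
            if ioc_counts[t] >= min_flagged and r >= min_ratio]
    return sorted(rows, key=lambda row: (-row[3], row[0]))
```

Thresholds are deliberately conservative; on real feed volumes a TLD with a handful of flagged domains and zero registrations would otherwise rank first with an infinite ratio.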