Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains

Malicious actors stockpile large numbers of domains and automate their infrastructure setup (DNS records, certificates), leaving traces in certificate transparency (CT) logs and passive DNS (pDNS) that defenders can detect with multi-source analysis. Palo Alto Networks describes a detector that fuses certificate, pDNS and domain-name features to identify stockpiled domains earlier than traditional feeds, illustrated by campaigns such as USPS phishing and puppy scams. #StockpiledDomains #CertificateTransparencyLogs

Keypoints

  • Malicious actors stockpile large numbers of domain names in parallel, often configuring DNS and certificates via automated scripts.
  • Detection relies on combining millions of certificate and passive DNS records with domain data to train a machine learning model.
  • A Random Forest classifier with 300+ features achieves high precision and detects stockpiled domains earlier than VirusTotal by ~34 days on average.
  • The detector identifies a wide range of campaigns (scams, phishing, malware distribution, C2) including high-profile targets like banks, retailers, and software companies.
  • Campaigns include a Malicious Redirection Campaign, European Postal Phishing, USPS Phishing, and High-Yield Investment scams, each using automation signals such as certificate fields and pDNS patterns.
  • Inline detection alone is insufficient; aggregating data from certificate logs and pDNS widens coverage and gives early warning, including patient-zero detections made before the first victim is observed.
  • Palo Alto Networks integrates the detector across cloud-delivered services (DNS Security, Advanced URL Filtering) to protect customers.
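The keypoints above describe fusing certificate, passive DNS and domain-name signals to spot bulk, scripted setup. The following is an added example, not Unit 42's detector and not code from the original post: it derives a few hand-picked automation signals (an issuance burst from one issuer, many names on one host or nameserver, a random-looking label, a free TLD, a brand lure) and flags domains that trip several at once, in place of the post's Random Forest and its 300+ features. The sample records are constructed: the domains are the page's own IoCs plus one benign control, but the issuers, timestamps, nameservers and IP addresses are invented, and the thresholds are assumptions.

```python
"""Automation-signal features over constructed CT-log and pDNS records.
Added example; thresholds and sample metadata are assumptions, not the
original report's detector or data."""
from collections import defaultdict
from datetime import datetime, timezone

CT_LOG = [  # (domain, issuer CN, notBefore) -- constructed metadata
    ("delivery-usps.vip",    "R3", "2023-06-01T10:02:11Z"),
    ("delivery-usps.wiki",   "R3", "2023-06-01T10:02:13Z"),
    ("delivery-usps.ren",    "R3", "2023-06-01T10:02:15Z"),
    ("usps-redelivery.art",  "R3", "2023-06-01T10:02:18Z"),
    ("usps-redelivery.live", "R3", "2023-06-01T10:02:20Z"),
    ("whdytdof.tk",          "R3", "2023-04-09T03:41:02Z"),
    ("pbyiyyht.gq",          "R3", "2023-04-09T03:41:05Z"),
    ("rthgjwci.cf",          "R3", "2023-04-09T03:41:09Z"),
    ("cgptvfjz.ml",          "R3", "2023-04-09T03:41:12Z"),
    ("example-bakery.com",   "Sectigo", "2023-03-14T15:10:00Z"),  # benign control
]
PDNS = [  # (domain, rrtype, rdata) -- constructed records
    ("delivery-usps.vip",    "NS", "ns1.bulkhost.example"),
    ("delivery-usps.wiki",   "NS", "ns1.bulkhost.example"),
    ("delivery-usps.ren",    "NS", "ns1.bulkhost.example"),
    ("usps-redelivery.art",  "NS", "ns1.bulkhost.example"),
    ("usps-redelivery.live", "NS", "ns1.bulkhost.example"),
    ("whdytdof.tk",          "A",  "203.0.113.7"),
    ("pbyiyyht.gq",          "A",  "203.0.113.7"),
    ("rthgjwci.cf",          "A",  "203.0.113.7"),
    ("cgptvfjz.ml",          "A",  "203.0.113.7"),
    ("example-bakery.com",   "NS", "ns1.local-isp.example"),
    ("example-bakery.com",   "A",  "198.51.100.42"),
]

FREE_TLDS = {"tk", "gq", "cf", "ml", "ga"}  # Freenom free TLDs seen in the redirection IoCs
BRAND_KEYWORDS = ("usps",)                   # lure keyword from the postal campaign
BURST_WINDOW_S = 60                          # assumption: scripted issuance lands within a minute
MIN_SIGNALS = 3                              # assumption: flag when three signals co-occur


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def cert_burst_sizes(ct_log, window_s=BURST_WINDOW_S):
    """Map domain -> size of its issuance burst: a chain of certificates from the
    same issuer in which each notBefore is within window_s of the previous one."""
    by_issuer = defaultdict(list)
    for domain, issuer, not_before in ct_log:
        by_issuer[issuer].append((parse_ts(not_before), domain))
    sizes = {}
    for entries in by_issuer.values():
        entries.sort()
        chain = [entries[0][1]]
        for (prev_ts, _), (ts, domain) in zip(entries, entries[1:]):
            if (ts - prev_ts).total_seconds() <= window_s:
                chain.append(domain)
            else:
                sizes.update({d: len(chain) for d in chain})
                chain = [domain]
        sizes.update({d: len(chain) for d in chain})
    return sizes


def shared_infra_counts(pdns):
    """Map domain -> largest number of *other* domains sharing one of its A or NS
    records; bulk setups point many names at one host or one nameserver."""
    owners = defaultdict(set)
    for domain, rrtype, rdata in pdns:
        owners[(rrtype, rdata)].add(domain)
    shared = defaultdict(int)
    for doms in owners.values():
        for d in doms:
            shared[d] = max(shared[d], len(doms) - 1)
    return shared


def domain_signals(domain, burst_sizes, shared):
    sld, tld = domain.rsplit(".", 1)
    letters = [c for c in sld if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return {
        "random_label": vowel_ratio < 0.2,  # crude stand-in for a lexical/DGA model
        "free_tld": tld in FREE_TLDS,
        "brand_lure": any(k in sld for k in BRAND_KEYWORDS),
        "cert_burst": burst_sizes.get(domain, 1) >= 3,
        "shared_infra": shared.get(domain, 0) >= 3,
    }


def analyze(ct_log=CT_LOG, pdns=PDNS):
    """Return {domain: (score, signals)} for every domain seen in either source."""
    burst_sizes = cert_burst_sizes(ct_log)
    shared = shared_infra_counts(pdns)
    domains = {d for d, _, _ in ct_log} | {d for d, _, _ in pdns}
    return {d: (sum(s.values()), s)
            for d in sorted(domains)
            for s in [domain_signals(d, burst_sizes, shared)]}


def flagged(ct_log=CT_LOG, pdns=PDNS, min_signals=MIN_SIGNALS):
    return [d for d, (score, _) in analyze(ct_log, pdns).items() if score >= min_signals]


if __name__ == "__main__":
    for d, (score, sig) in analyze().items():
        print(f"{d:24} score={score} " + ",".join(k for k, v in sig.items() if v))
```

On this input the nine IoC domains each score 3 or 4 while the control scores 0; the point is that no single signal decides (the USPS names are not random-looking and sit on paid TLDs, the redirection names carry no brand), but co-occurrence of a certificate burst with shared hosting is what separates scripted stockpiling from an ordinary registration.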

MITRE Techniques

  • [T1583.001] Acquire Infrastructure – Domains – “This ongoing struggle involves criminals registering many domain names to make it harder for law enforcement to take down their botnets.”
  • [T1566.002] Phishing – Spearphishing Link – “the phishing page harvested victims’ login credentials.”
  • [T1071.001] Application Layer Protocol – Web Protocols – “In this campaign, victims are redirected to different websites before reaching a landing page…” and “redirects users to a malicious website.”

Indicators of Compromise

  • [Domain] Puppy Scam Campaign – baronessabernesemountaindogpuppies[.]com
  • [Domain] Malicious Redirection Campaign – whdytdof[.]tk, pbyiyyht[.]gq
  • [Domain] Malicious Redirection Campaign – rthgjwci[.]cf, cgptvfjz[.]ml
  • [Domain] USPS/Postal Phishing Campaign – delivery-usps[.]vip, delivery-usps[.]wiki
  • [Domain] USPS/Postal Phishing Campaign – delivery-usps[.]ren, usps-redelivery[.]art
  • [Domain] USPS/Postal Phishing Campaign – usps-redelivery[.]live
  • [Domain] High-Yield Investment Scam Campaign – erinemailbiz[.]com, makemoneygeorge[.]com
  • [Domain] High-Yield Investment Scam Campaign – natashafitts[.]com, julieyeoman[.]com
  • [Domain] High-Yield Investment Scam Campaign – checkout.mytraffic[.]biz
  • [SHA-1 Fingerprint] USPS Campaign Certificates – 18:FF:07:F3:05:A7:6A:C2:7A:38:89:C5:06:FD:D7:B8:D9:06:88:AB
  • [SHA-1 Fingerprint] USPS Campaign Certificates – 89:29:97:5E:E9:F7:14:D9:95:16:9B:B3:74:33:0C:7B:D0:8F:98:30
  • [SHA-1 Fingerprint] USPS Campaign Certificates – B6:74:45:84:0C:FF:81:05:C2:28:0F:EF:91:23:D8:A0:E8:ED:3A:2E
  • [SHA-1 Fingerprint] USPS Campaign Certificates – 6A:21:31:8B:F4:0A:04:40:FA:37:46:15:A3:CE:1F:0A:C5:0A:93:C3

Read more: https://unit42.paloaltonetworks.com/detecting-malicious-stockpiled-domains/