Working with Newly Registered Domains
We provide a Newly Registered Domains (NRDs) feed, and one of the most common questions we receive is: “How can this data be used?”
It is a valid question. By their very nature, NRDs are high-volume and unfiltered, which can make them challenging to work with at first glance. But that rawness is also what makes them powerful: they provide one of the most comprehensive snapshots of Internet activity you can get. After all, every malicious domain begins life as an NRD. For defenders who know how to work with this telemetry, that makes NRDs an invaluable early-stage signal.
With the right enrichment and filtering, what first looks like overwhelming noise can quickly turn into actionable intelligence. Organizations that invest in detection engineering or custom hunting workflows can use NRDs to spot attacker infrastructure before it’s weaponized in campaigns, often long before it ever appears in curated threat feeds.
Before we dive into how organizations can put NRDs to work, let’s take a step back. When we say “NRD feed,” what exactly does that include? And why is this raw data so valuable?
What is an NRD Feed?
A Newly Registered Domains (NRD) feed is a daily snapshot of every domain registered on a given date. It captures everything, from legitimate business sites and personal projects to the very first traces of attacker infrastructure.
Threat intelligence providers may structure NRD intelligence in different ways, but the most common fields include the domain name, the registration date, and related DNS records. These basic elements make up the raw dataset.
Malware Patrol takes it a step further. In addition to listing new domains, we resolve each one through DNS and check the resulting IP addresses against our current and historical databases of malicious infrastructure. The output is a simple indicator, presented by threat type, showing whether a domain has ever resolved to an IP tied to malicious activity. This doesn’t turn NRDs into a curated threat feed, but it does provide valuable context to help security teams prioritize where to look first.
Example NRD Feed Entry (Simplified)
{
  "DOMAIN": "zzzzbetjogos.com",
  "REGISTRATIONDATE": 20250928,
  "A_RECORD": [
    {
      "IP": "104.21.18.168",
      "HOSTINGC2": 0,
      "HOSTEDC2": 0,
      "HOSTEDDGA": 0,
      "HOSTINGMALWARE": 0,
      "HOSTEDMALWARE": 0
    }
  ],
  "AAAA_RECORD": [
    { "ADDRESS": "2606:4700:3035::6815:12a8" }
  ],
  "NS_RECORD": [
    { "HOST": "lennon.ns.cloudflare.com" },
    { "HOST": "nelly.ns.cloudflare.com" }
  ]
}
Why Should You Care About NRDs?
Attackers depend on newly registered domains as a foundation for their operations. Whether establishing fresh infrastructure for malware delivery or spinning up lookalike sites that mimic trusted brands, new domains give adversaries a clean slate. With no reputation history and no presence on blocklists, they’re the perfect launchpad for malicious activity.
Every day, threat actors register domains to:
- Launch phishing and social engineering campaigns
- Set up malware infrastructure like C2 servers and drop zones
- Impersonate legitimate brands through typosquats and lookalikes
- Avoid being caught by existing blocklists
Of course, many newly registered domains are harmless, but the critical point is that every malicious domain starts as an NRD. This makes NRDs a powerful early-warning signal. By using them, security teams can detect attacker infrastructure before it’s weaponized in campaigns and long before it shows up in curated threat feeds.
Use Cases for Newly Registered Domains Feeds
Here’s what your team can do with this data:
- Block NRDs for a fixed period (e.g., 3–7 days): Most legitimate sites aren’t operational immediately. Blocking during this window dramatically reduces exposure to phishing and malware campaigns.
- Prioritize NRDs that resolve to suspicious infrastructure: Use Malware Patrol’s malicious-IP indicator as a filter to decide which domains may warrant closer inspection.
- Monitor for brand impersonation or typosquatting: Detect lookalike domains before they appear in phishing emails.
- Detect DGA or high-entropy domains: Flag domains likely generated by Domain Generation Algorithms. A DGA domain typically looks like a random string of characters, often unpronounceable, and statistically unlikely in natural language (e.g., xj3k9u2p.biz).
- Retroactive incident analysis: Check which NRDs were queried during dwell time in an incident.
- Security research: Track TTPs of threat actors by watching domain registration patterns. Investigate bulk registrations, suspicious registrars, or ASN patterns to spot attacker infrastructure.
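As an added example (not Malware Patrol's code), the script below reads entries in the simplified feed format shown above and applies the first five use cases from this list: the fixed block window, the malicious-IP indicator filter, a lookalike check against a brand list, an entropy-based DGA heuristic, and a retroactive match of NRDs against resolver logs for a dwell-time window. The sample feed (the page's own entry plus two constructed records), the brand list, the resolver log format and the DGA thresholds are all assumptions made for illustration.

```python
import json
import math
from collections import Counter
from datetime import datetime

# Constructed sample feed in the simplified entry format shown on the page. The first
# record is the page's own example; the other two are made up here for illustration.
SAMPLE_FEED = """[
  {"DOMAIN": "zzzzbetjogos.com", "REGISTRATIONDATE": 20250928,
   "A_RECORD": [{"IP": "104.21.18.168", "HOSTINGC2": 0, "HOSTEDC2": 0, "HOSTEDDGA": 0,
                 "HOSTINGMALWARE": 0, "HOSTEDMALWARE": 0}],
   "AAAA_RECORD": [{"ADDRESS": "2606:4700:3035::6815:12a8"}],
   "NS_RECORD": [{"HOST": "lennon.ns.cloudflare.com"}, {"HOST": "nelly.ns.cloudflare.com"}]},
  {"DOMAIN": "xj3k9u2p.biz", "REGISTRATIONDATE": 20250927,
   "A_RECORD": [{"IP": "203.0.113.10", "HOSTINGC2": 1, "HOSTEDC2": 0, "HOSTEDDGA": 0,
                 "HOSTINGMALWARE": 0, "HOSTEDMALWARE": 1}]},
  {"DOMAIN": "examp1e-bank-login.com", "REGISTRATIONDATE": 20250920,
   "A_RECORD": [{"IP": "198.51.100.7", "HOSTINGC2": 0, "HOSTEDC2": 0, "HOSTEDDGA": 0,
                 "HOSTINGMALWARE": 0, "HOSTEDMALWARE": 0}]}
]"""
FEED = json.loads(SAMPLE_FEED)

# Constructed resolver log; hypothetical format "<UTC timestamp> <client IP> <query name>".
SAMPLE_DNS_LOG = """\
2025-09-29T08:12:01Z 10.0.0.15 www.example.org
2025-09-29T08:12:44Z 10.0.0.15 xj3k9u2p.biz
2025-09-29T09:01:10Z 10.0.0.23 mail.example.org
2025-09-30T11:40:09Z 10.0.0.15 cdn.examp1e-bank-login.com
"""

MALICIOUS_FLAGS = ("HOSTINGC2", "HOSTEDC2", "HOSTEDDGA", "HOSTINGMALWARE", "HOSTEDMALWARE")
PROTECTED_BRANDS = ("examplebank",)  # hypothetical list a brand-protection team would maintain
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def second_level_label(domain):
    # Naive: the label left of the TLD. Production code should consult a public-suffix list.
    return domain.lower().rstrip(".").split(".")[-2]


def domain_age_days(entry, today_yyyymmdd):
    registered = datetime.strptime(str(entry["REGISTRATIONDATE"]), "%Y%m%d")
    today = datetime.strptime(str(today_yyyymmdd), "%Y%m%d")
    return (today - registered).days


def has_malicious_ip_history(entry):
    # Any non-zero flag on any A record means the resolved IP was tied to malicious activity.
    return any(rec.get(flag, 0) for rec in entry.get("A_RECORD", []) for flag in MALICIOUS_FLAGS)


def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(label, min_entropy=3.0, max_vowel_ratio=0.25):
    # Heuristic thresholds chosen for this example: entropy alone grows with length and
    # would also flag long hyphenated brand names, so require few vowels as well.
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonated_brand(label, brands=PROTECTED_BRANDS, max_distance=1):
    # Fold common digit-for-letter substitutions and hyphens before comparing.
    normalized = label.translate(HOMOGLYPHS).replace("-", "")
    for brand in brands:
        if brand in normalized or levenshtein(normalized, brand) <= max_distance:
            return brand
    return None


def triage(feed, today_yyyymmdd, block_window_days=7):
    # Returns {domain: [reasons]} so a downstream control can block or queue for review.
    results = {}
    for entry in feed:
        domain = entry["DOMAIN"]
        label = second_level_label(domain)
        brand = impersonated_brand(label)
        checks = [
            ("within-block-window", domain_age_days(entry, today_yyyymmdd) < block_window_days),
            ("malicious-ip-history", has_malicious_ip_history(entry)),
            ("dga-like", looks_generated(label)),
            ("impersonates:" + str(brand), brand is not None),
        ]
        results[domain] = [reason for reason, hit in checks if hit]
    return results


def nrds_queried_during(feed, log_text, start_ts, end_ts):
    # Retroactive check: which NRDs (or their subdomains) were resolved inside a dwell window.
    # Timestamps are fixed-width ISO 8601 UTC, so plain string comparison orders them.
    nrd_names = {e["DOMAIN"].lower() for e in feed}
    hits = []
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        parts = qname.lower().rstrip(".").split(".")
        parents = {".".join(parts[i:]) for i in range(len(parts) - 1)}
        if start_ts <= ts <= end_ts and parents & nrd_names:
            hits.append((ts, client, qname))
    return hits
```

Calling triage(FEED, 20250930) tags the page's own example only as inside the block window, tags the constructed xj3k9u2p.biz record with the block window, the malicious-IP history and the DGA heuristic, and tags the constructed lookalike with the brand it imitates; nrds_queried_during then shows which of those names a client actually resolved during a chosen window. The vowel-ratio condition matters: by entropy alone a long hyphenated typosquat scores higher than the eight-character DGA string.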
NRDs: Raw Fuel for Custom Defenses
If you’re looking to enrich internal detection pipelines, protect your brand, or analyze emerging infrastructure at Internet scale, NRDs are where that work starts. While NRDs are not a plug-and-play threat feed, they empower organizations to hunt earlier, detect faster, and build detections tuned to their own threat models. (With our malicious-infrastructure correlations, subscribers also get a bit of extra context to help prioritize analysis!)
We understand that working with a raw NRD feed can be challenging, which is why we help our subscribers get the most out of it. Our team can customize the feed to align with your environment – at no cost – and provide guidance on setting internal parameters so you can filter, enrich, and prioritize domains in a way that fits your security goals.
And if your organization prefers not to manage this kind of data, we also offer an alternative: Emergent Threats Domains. This feed is informed in part by NRDs but is pre-filtered, enriched, and ready for immediate use in security controls.
Want to explore what your organization can do with NRDs? Let’s talk.