Emerging Threats Intelligence: A Curated Signal with Predictive Power

Insights

The Value of Emerging Threats Intelligence

Threat campaigns often evolve too quickly for traditional defenses to catch them in time. Our Emergent Threats Domains feed is built to provide early visibility into domains that are likely to be used in malicious activity. By combining multiple data sources with advanced analysis techniques, we surface high-risk domains before they are operationalized in active campaigns. This allows security teams to move from reactive defense to proactive action, reducing exposure and improving response times.

Identifying Risk Before It’s Weaponized

To identify emerging threats, we combine several raw data sources, including newly registered domains (NRDs), newly observed domains (NODs) from DNS traffic and other signals from our global collection systems. On their own, these datasets are high-volume and unfiltered, but by applying multiple layers of analysis we can identify domains that are far more likely to be weaponized in malicious campaigns.

Each domain is scored based on the following (among other) criteria:

Structural analysis: Detecting randomness, entropy, and other patterns common in algorithmically generated domains (DGAs)

Infrastructure associations: Mapping connections to infrastructure from both current and previous malicious campaigns tracked in Malware Patrol’s extensive historical database, revealing reuse of attacker resources

Brand lookalikes: Spotting domains designed to impersonate trusted brands, a common precursor to phishing and fraud

TLD reputation: Factoring in the track record of top-level domains (for example, .xyz) that frequently appear in malicious campaigns

This combination of broad input data and layered analysis transforms raw domain activity into a curated feed of high-risk signals. Even though these domains may not yet appear on VirusTotal or in traditional intelligence feeds, they often carry subtle indicators of risk.

Key Benefits for Security Teams

By highlighting suspicious domains early, the feed gives defenders a head start. With emerging threats intelligence, security teams can:

  • Block high-risk domains before they are weaponized
  • Identify suspicious infrastructure earlier in the attack chain
  • Reduce attacker dwell time by acting faster
  • Strengthen DNS-layer defenses and detection systems with predictive data

Advantages and Limitations

Like any security solution, our Emergent Threats Domains feed has strengths and trade-offs that should be considered.

Advantages:

  • Pre-filtered and enriched, reducing noise and making it ready to deploy in firewalls, SIEMs, and DNS layers
  • Compact enough to work within the limits of tools that cannot process large blocklists
  • Includes enrichment and scoring, providing immediate context for faster decisions
  • Well-suited for smaller teams or those without capacity to build enrichment pipelines internally

Limitations:

  • Filtering and scoring are determined by vendor criteria, which may not fully align with every organization’s unique threat model
  • By design, not every domain is included, only those identified as suspicious, so some activity could be missed
  • Less flexible than raw feeds, making it less suitable for organizations that prefer to create custom detection logic

Comparison: Newly Registered Domains vs Emergent Threats Domains

Both NRDs and emerging threats intelligence provide valuable visibility, but they serve different needs as outlined in the table below.

Newly Registered Domains (NRDs) Emergent Threats Domains
Broad coverage of all new domains Focused coverage of domains flagged as suspicious
High volume and unfiltered Pre-filtered, enriched, and scored
Requires custom enrichment and filtering by the user Includes enrichment such as entropy, brand lookalikes, infrastructure ties, and TLD reputation
Useful for hunting, research, and building custom detections Useful for immediate blocking and SOC operations
May overwhelm tools or teams without filtering Compact size avoids overwhelming security tools
Best for mature SOCs and research teams Best for smaller teams or those prioritizing operational efficiency

In short, NRDs give maximum visibility and flexibility, while Emergent Threats Domains provides ready-to-use intelligence that reduces noise and speeds up action.

Try Malware Patrol’s Emergent Threats Domains With a Free Trial

Whether you want the flexibility of raw NRDs or the convenience of enriched Emergent Threats Domains, we can help you choose the right approach for your environment. We also offer free evaluations so you can see the data in action and decide which feed best fits your security needs.

Get started today and take the first step toward staying ahead of tomorrow’s threats. We’d be happy to discuss options and set up a free trial. Use this link to schedule time with us.

?

How big are your threat data gaps?

See for yourself.

Free Data Evaluation
?

Newly Registered Domains: A Raw Signal with Real Value

Insights

Working with Newly Registered Domains

We provide a Newly Registered Domains (NRDs) feed, and one of the most common questions we receive is: “How can this data be used?”

It is a valid question. By their very nature, NRDs are high-volume and unfiltered, which can make them challenging to work with at first glance. But that rawness is also what makes them powerful: they provide one of the most comprehensive snapshots of Internet activity you can get. After all, every malicious domain begins life as an NRD. For defenders who know how to work with this telemetry, that makes NRDs an invaluable early-stage signal.

With the right enrichment and filtering, what first looks like overwhelming noise can quickly turn into actionable intelligence. Organizations that invest in detection engineering or custom hunting workflows can use NRDs to spot attacker infrastructure before it’s weaponized in campaigns, often long before it ever appears in curated threat feeds.

Before we dive into how organizations can put NRDs to work, let’s take a step back. When we say “NRD feed,” what exactly does that include? And why is this raw data so valuable?

What is an NRD Feed?

A Newly Registered Domains (NRD) feed is a daily snapshot of every domain registered on a given date. It captures everything, from legitimate business sites and personal projects to the very first traces of attacker infrastructure.

Threat intelligence providers may structure NRD intelligence in different ways, but the most common fields include the domain name, the registration date, and related DNS records. These basic elements make up the raw dataset.

Malware Patrol takes it a step further. In addition to listing new domains, we resolve each one through DNS and check the resulting IP addresses against our current and historical databases of malicious infrastructure. The output is a simple indicator, presented by threat type, showing whether a domain has ever resolved to an IP tied to malicious activity. This doesn’t turn NRDs into a curated threat feed, but it does provide valuable context to help security teams prioritize where to look first.

Example NRD Feed Entry (Simplified)

{
“DOMAIN”: “zzzzbetjogos.com”,
“REGISTRATIONDATE”: 20250928,
“A_RECORD”: [
{
“IP”: “104.21.18.168”,
“HOSTINGC2”: 0,
“HOSTEDC2”: 0,
“HOSTEDDGA”: 0,
“HOSTINGMALWARE”: 0,
“HOSTEDMALWARE”: 0
}
],
“AAAA_RECORD”: [
{ “ADDRESS”: “2606:4700:3035::6815:12a8” }
],
“NS_RECORD”: [
{ “HOST”: “lennon.ns.cloudflare.com” },
{ “HOST”: “nelly.ns.cloudflare.com” }
]
}

Why Should You Care About NRDs?

Attackers depend on newly registered domains as a foundation for their operations. Whether establishing fresh infrastructure for malware delivery or spinning up lookalike sites that mimic trusted brands, new domains give adversaries a clean slate. With no reputation history and no presence on blocklists, they’re the perfect launchpad for malicious activity.

Every day, threat actors register domains to:

  • Launch phishing and social engineering campaigns

  • Set up malware infrastructure like C2 servers and drop zones

  • Impersonate legitimate brands through typosquats and lookalikes

  • Avoid being caught by existing blocklists.

Of course, many newly registered domains are harmless, but the critical point is that every malicious domain starts as an NRD. This makes NRDs a powerful early-warning signal. By using them, security teams can detect attacker infrastructure before it’s weaponized in campaigns and long before it shows up in curated threat feeds.

Use Cases for Newly Registered Domains Feeds

Here’s what your team can do with this data:

  • Block NRDs for a fixed period (e.g., 3–7 days): Most legitimate sites aren’t operational immediately. Blocking during this window dramatically reduces exposure to phishing and malware campaigns.
  • Prioritize NRDs that resolve to suspicious infrastructure: Use Malware Patrol’s malicious-IP indicator as a filter to decide which domains may warrant closer inspection.
  • Monitor for brand impersonation or typo squatting: Detect lookalike domains before they appear in phishing emails.
  • Detect DGA or high-entropy domains: Flag domains likely generated by Domain Generation Algorithms. A DGA domain typically looks like a random string of characters, often unpronounceable, and statistically unlikely in natural language (e.g., xj3k9u2p.biz).
  • Retroactive incident analysis: Check which NRDs were queried during dwell time in an incident.
  • Security research: Track TTPs of threat actors by watching domain registration patterns. Investigate bulk registrations, suspicious registrars, or ASN patterns to spot attacker infrastructure.

NRDs: Raw Fuel for Custom Defenses

If you’re looking to enrich internal detection pipelines, protect your brand, or analyze emerging infrastructure at Internet scale, NRDs are where that work starts. While NRDs are not a plug-and-play threat feed, they empower organizations to hunt earlier, detect faster, and build detections tuned to their own threat models. (With our malicious-infrastructure correlations, subscribers also get a bit of extra context to help prioritize analysis!)

We understand that working with a raw NRD feed can be challenging, which is why we help our subscribers get the most out of it. Our team can customize the feed to align with your environment – at no cost – and provide guidance on setting internal parameters so you can filter, enrich, and prioritize domains in a way that fits your security goals.

And if your organization prefers not to manage this kind of data, we also offer an alternative: Emergent Threats Domains. This feed is informed in part by NRDs but is pre-filtered, enriched, and ready for immediate use in security controls.

Want to explore what your organization can do with NRDs? Let’s talk.

?

How big are your threat data gaps?

See for yourself.

Free Data Evaluation
?

Malicious Domains: A Cybersec Foundation

Insights

Malicious domains are a foundational layer of threat intelligence and provide critical visibility into where attackers operate online. You can integrate domain-based intelligence across your security stack to: enhance prevention with DNS filtering and firewall rules, improve detection via IDS/IPS systems, guide SOAR-driven response playbooks, and support retrospective threat hunting. Their versatility makes them valuable for organizations of any size because they serve as both a frontline defense and an investigative asset.

Why Domains (Not Just IPs) Matter

Blocking domains offers a more precise and effective way to deny access to malicious infrastructure compared to blocking at the IP-level. Unlike IP addresses, which are often shared across many services and tenants (e.g., cloud providers), domains tend to be unique to the threat actor’s campaign or infrastructure. Blocking a malicious IP risks affecting legitimate services; blocking a malicious domain is more targeted and typically less prone to false positives.

Where to Get Domain Blocklists

There are several sources for malicious domain blocklists:

  • Commercial Threat Intelligence Vendors – They offer curated, regularly updated feeds, often enriched with context like first-seen dates, associated malware families, or related indicators (IPs, hashes, etc.).
  • Open Source Intelligence (OSINT) – Communities such as Abuse.ch, PhishTank, and threat-sharing platforms publish free lists. While useful, they can vary in accuracy, timeliness, and depth of context.
  • Internal Sources – Your organization’s own detection systems (e.g., sandboxing, phishing reports) can be a powerful generator of high-confidence domains worth adding to local blocklists.

Of course, not all feeds are created equal. Freshness, coverage, and enrichment are key to determining how useful a feed is in real-world defensive operations.

The Importance of Freshness and Context

Threat actors continuously evolve their infrastructure. Domains can be registered and weaponized within minutes. That’s why static or infrequently updated lists are of limited use. A quality feed should not only be updated frequently, ideally hourly or daily, but also provide context: Why is this domain flagged? Is it linked to a specific malware family? Was it part of a known phishing kit? When was it first detected?

Rich metadata and context allow security teams to make informed decisions. For example, knowing a domain is associated with a known command-and-control server for a particular ransomware strain might justify more aggressive response actions than if it were merely flagged for spam.

How to Use Malicious Domain Feeds

You can integrate domain intelligence into your environment in several ways:

  • Network Controls – Feed domains into firewalls, DNS security tools, or secure web gateways to block access in real time.
  • IDS/IPS Systems – Tools like Suricata or Snort can inspect DNS traffic for requests to known bad domains and generate alerts or drop packets.
  • SIEMs and SOARs – Enrich alerts with domain context to improve triage speed and accuracy.
  • EDR and XDR – Use domain feeds to flag suspicious outbound connections from endpoints and correlate with other malicious activity.
  • Threat Hunting – Historical DNS logs or proxy logs can be cross-referenced against the feed to identify prior compromise.
Best Practices for Operational Use
  1. Use Multiple Feeds – Every source has limitations in coverage, geography, etc. Selecting feeds from multiple vendors and publicly available offers help to maximize coverage.
  2. Automate Ingestion and Updates – Integrate feeds into your tech stack with automation tools or platforms.
  3. Monitor for Overblocking – Even with domain-level granularity, verify false positives and build feedback loops to tune your blocklists.
  4. Use Enriched Feeds for Decision Making – Context reduces alert fatigue and helps prioritize incident response.

Final Thoughts

Malicious domain feeds are a tried and true foundational element of threat prevention, detection, and response. From stopping phishing attempts to flagging command-and-control activity, domain-level intelligence provides a tactical advantage in defending against today’s fast-moving threats.

Malware Patrol offers domain intelligence designed to meet the needs of security teams who require both breadth and depth. We cover a wide range of threats, from phishing and malware to emerging threats, cryptomining, DGAs, and C2 infrastructure. Our feeds are also enriched with the metadata that helps turn alerts into action. For ease of use, we format the feeds for compatibility with the most popular security tools and platforms.

Ready to add precision and power to your defenses? Contact us to learn more or to request a free trial.

?

How big are your threat data gaps?

See for yourself.

Free Data Evaluation
?

Why choose Malware Patrol over a free DNS protection service?

Insights

??

Customers and prospects have approached us recently with questions similar to this: why should we choose Malware Patrol instead of a free DNS protection service? The question is fair, especially in a market that counts with, at least, 93 different offers of free DNS, including big players like Cloudflare, Cisco and Quad9.

We want to provide the facts so you can decide for yourself. These services present themselves as something like a “DNS platform that provides end users robust security protections, high-performance, and privacy”. Although the idea of consolidating multiple threat data sources and providing a protection service is very appealing, there are many aspects to take into account before you change your DNS settings.

First of all, remember that nothing is really free in life. The saying ‘if you’re not paying for the product, you are the product’ is true more than ever. In this case, it means you are giving away data about everything you do online.

Every time you visit a web site, use a social media app, read emails, watch a movie or do pretty much anything online, your device makes DNS queries to determine the IP addresses of the various services it needs to access. Although some of these DNS service providers say they don’t log your IP address, they do log queries and a lot of data can be derived from that. The byproducts range from “passive DNS” collection to usage patterns and present a threat to privacy.

Everybody wants your DNS queries. The service providers created complex infrastructures that use anycast and servers hosted in multiple locations, but who pays for that all? Most likely the data you passively provide when using their services.

Second, what do they protect you from, really? Many of these services mention you are protected from malware and phishing, but there is no word on the threat data sources, amount of data, how it is validated, how it is aged, and so on. You are protected, but don’t know from what. Is this really the protection you need? Does it cover the most recent malicious campaigns, the ones that affect your country and language? There is no way to know.

Third, these service providers mention they white list legitimate domains. How does that work? Who says a domain is legitimate and assures it will never host a malware? The recent years proved that no website is totally immune to attacks and been tagged as legitimate is no guarantee it won’t be invaded and used to distribute malware. In fact, the more a website is considered benign, the bigger a price it becomes to hackers who want to distribute badness.

And finally, why do companies share their threat data for free with these service providers when they sell the same data for big bucks? Thinking about that, one can clearly see a conflict of interest there. These companies either don’t share the most up-to-date data or are monetizing from the information received from the service providers, also known as your DNS queries.

At Malware Patrol, we have a different approach. We have been monitoring malicious campaigns since 2005 and that is what we do as our core business. Apart from collecting data on malware and ransomware activities, we validate the data to make sure campaigns are active. We don’t age data, entries are only removed from our feeds once we know for a fact that the threat isn’t available anymore.

Our customers can use this threat data in most industry security software/platforms, including DNS servers. For DNS, we let them download zone files that are updated every hour, or automatically and in real time synchronize zones using the RPZ mechanism, providing a reliable DNS Firewall solution. This way, customers retain total control of their DNS infrastructure and their privacy. We don’t resolve queries, we provide the data your servers need to block them. And, on top of not leaking any data from your company, you can configure a “walled garden”, redirecting employees or customers to an informative and educative website under your control, every time they try to reach a blocked address.

DNS privacyTo further customize their security, we allow customers to control what they want to block. The threat data is divided into 4 different zones and each can be used separately:

1) domains hosting malware and ransomware

2) C2s domains

3) DGAs (domains generated via algorithms) used by malware and ransomware

4) cryptominers – domains that abuse visitor’s CPU to mine crypto currencies.

Through all these years, we have seen so many “legitimate domains” hacked to host badness and ones that simply allow users to freely upload malware to their accounts. For example, is ‘dropbox.com’ legitimate? Sure, it is. Does it host malware? Yes, and very often. Should a DNS service provider block ‘dropbox.com’? For us, it depends.

Our approach is to provide customers the complete information, informing them that ‘dropbox.com’ is hosting bad stuff. Then, they can make an informed decision about whether or not to white list it, based on their understanding of the threat as well as their internal policies. Customers can easily white list domains they don’t want blocked, even those hosting malware. We understand that sometimes it is not practical to block a very popular domain.

We believe in the idea of providing security through DNS. Most of the service providers out there are doing a good job, aligned to their proposed missions. But these services are better suited to regular Internet users who simply want some protection for themselves. On the other hand, small businesses, service providers and enterprises require more flexibility and transparency and are more than ever concerned about privacy. The solutions provided by Malware Patrol are better suited for these companies.

Please contact us to set up an evaluation period, during which you can test our DNS RPZ services.

Andre Correa

Founder, Malware Patrol

Andre Correa - Malware PatrolInformation Security and Threat Intelligence Professional whose qualifications include in-depth knowledge of Internet technologies, current cyber security landscape, incident response, security mechanisms and best practices. He founded the Malware Patrol project in 2005. The company is helping enterprises around the world to protect themselves from malware and ransomware attacks through some of the most comprehensive threat data feeds and block lists on the market.

?