Predicting Cyber Fraud Through Real-World Events: Insights from Domain Registration Trends

Malware Patrol recently partnered with Cisco’s SURGe Team to investigate how cybercriminals exploit newly registered domains (NRDs) for fraud during major geopolitical events. We have offered NRD data for several years and know firsthand how powerful it is for uncovering malicious activity, but the sheer volume, 200,000+ domains per day, makes it difficult to explore and manipulate in meaningful ways without the right tooling and know-how. Thankfully, the knowledgeable SURGe team and Splunk Enterprise enabled us to slice and visualize a whopping two and a half years’ worth of newly registered domains in myriad ways, surfacing patterns, trends, and supporting statistics that would have been hard to see otherwise. We’d like to express our appreciation to their team: Lauren Stemler, Ryan Fetterman, James Hodgkinson and Vandita Anand.

In short, by retroactively aligning NRD activity with a timeline of key geopolitical events, we were able to validate that this data is extremely useful for spotting threats and cybercrime infrastructure. And while our analysis looked backward, the same logic applies going forward: using current newly registered domains data in near real time can help surface burgeoning campaigns and fraud as geopolitical events unfold. We hope this research helps security teams see new ways to make use of NRD data to protect against emerging threats, or at least underscores that the intersection of geopolitics and domain registrations is an important signal they shouldn’t ignore.

The original article appears on their site.

Predicting Cyber Fraud Through Real-World Events: Insights from Domain Registration Trends

Events in the physical world influence the digital world. In the wake of major geopolitical events, attackers register new domains and infrastructure to support fraudulent activities. These domains come in many forms, for example, posing as a natural disaster relief fund to solicit donations, collecting interest in a crypto coin offering, or creating a fake auto insurance website. Large-scale newly registered domain (NRD) analysis reveals consistent patterns in this behavior, allowing us to predict attacker activity long before associated fraud becomes visible.

To demonstrate the relationship between these physical and digital events, Cisco’s SURGe Team and Malware Patrol analyzed more than 200 million historical NRD records in Splunk Enterprise. Since most cyber campaigns require supporting infrastructure, NRDs offer a useful signal of malicious intent. By examining domain registration patterns around key U.S. events from 2023 to mid 2025, specifically in cryptocurrency, natural disasters, and financial sectors, we aimed to identify trends that connect real-world disruption with spikes in suspicious digital activity. This work offers practical insights for defenders seeking to anticipate and analyze fraud tied to geopolitical developments.

Understanding the Link Between Headlines and Cyber Threats

We began our research effort by building a comprehensive list of major breaking news events from January 2023 through August 2025, then narrowed our focus to events with clear opportunities for financially motivated cybercrime, prioritizing situations where adversaries could exploit urgency or heightened interest to obtain money or sensitive information. This prioritization process led to three event categories where attackers create infrastructure in response to real-world developments: cryptocurrency, financial (non-crypto), and natural disasters.

After selecting these three categories, we expanded each into a detailed event timeline. For cryptocurrency, this included Bitcoin price milestones, regulatory shifts, and exchange-related news. For financial events, we incorporated interest rate decisions, market volatility, earnings reports, and tariff/policy announcements. For natural disasters, we tracked hurricanes, wildfires, tornado outbreaks, floods, and severe weather systems. Each event was assigned a time window to allow consistent comparison against NRD activity.

Inside the Dataset: What 213 Million New Domain Registrations Reveal

Our analysis relied on Malware Patrol’s global NRD dataset, which contains more than 213 million domain registrations for the selected period. Each record contains metadata including timestamp, Top-Level Domain (TLD), hosting information, and historical indicators that can be used towards fraud classification. To isolate patterns tied to geopolitical events, we developed custom keyword and regex-based classifiers to tag domains relevant to cryptocurrency, natural disasters, and financial markets.

[Figure: newly registered domains statistics]

Splunk Enterprise’s large-scale search and visualization capabilities allowed us to detect anomalies, compare category-level trends against global baselines, and identify moments where domain activity sharply diverged from normal behavior. NRD data does not capture all malicious infrastructure, but it can expose the earliest stages of fraud campaigns.

Detecting Event-Driven Patterns

With this dataset mapped and categorized, the next step was to determine whether meaningful patterns emerged around real-world events. To explore this idea, we combined several kinds of analysis: registration volume, fraud rate, and natural language processing techniques to infer the themes behind the data.

We generated time charts of domain registration activity within each category, and across the full timeframe, measuring activity to identify statistical anomalies using rolling sensitivity bands.

The peaks and valleys of our time charts were aligned with our documented timelines of significant events to look for co-occurrences where we can retroactively confirm significant fraud activity occurred.
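The volumetric step described above (rolling sensitivity bands over daily counts, then alignment of the flagged days with an event timeline), as an added example in Python. This is not the Splunk search used in the study; the daily counts, the filler event, the five-day window and the 3-sigma multiplier are constructed for illustration, and the study's actual window and thresholds are not published on the page.

```python
"""Rolling sensitivity bands over daily NRD counts, aligned with an event timeline (added example)."""
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed daily counts of natural-disaster-tagged NRDs, 1-21 January 2025, invented to mimic
# a ~300/day baseline (the article's category average is 313/day) with a surge starting 7 January.
DAYS = [date(2025, 1, 1) + timedelta(days=i) for i in range(21)]
COUNTS = [310, 298, 305, 322, 295, 301,            # 1-6 Jan: baseline
          640, 910, 1180, 820, 540, 410, 360,       # 7-13 Jan: surge and decay
          330, 315, 305, 298, 310, 300, 296, 305]   # 14-21 Jan: back to baseline

# Constructed event timeline: the Palisades Fire began on 7 January 2025 (public reporting);
# the second event is filler that should not match any anomaly.
EVENTS = {"Palisades Fire evacuation alerts": date(2025, 1, 7),
          "Filler: unrelated policy announcement": date(2025, 1, 15)}


def rolling_bands(counts, window=5, k=3.0):
    """Per day, (mean, upper, lower) computed from the preceding `window` days only, so a spike
    is judged against the baseline before it rather than against itself.
    The first `window` entries are None (no history yet)."""
    bands = []
    for i, _ in enumerate(counts):
        if i < window:
            bands.append(None)
            continue
        hist = counts[i - window:i]
        mu, sd = mean(hist), pstdev(hist)
        bands.append((mu, mu + k * sd, max(0.0, mu - k * sd)))
    return bands


def anomalies(days, counts, window=5, k=3.0):
    """Days whose count breaks the upper band: list of (date, count, upper_band)."""
    hits = []
    for day, count, band in zip(days, counts, rolling_bands(counts, window, k)):
        if band is not None and count > band[1]:
            hits.append((day, count, round(band[1], 1)))
    return hits


def align_with_events(hits, events, lag_days=2):
    """Co-occurrences: an anomalous day on, or within `lag_days` after, an event's date.
    Registrations follow events, so an event later than the anomaly never matches."""
    matches = []
    for day, count, _upper in hits:
        for name, event_day in events.items():
            if event_day <= day <= event_day + timedelta(days=lag_days):
                matches.append((day.isoformat(), count, name))
    return matches


if __name__ == "__main__":
    hits = anomalies(DAYS, COUNTS)
    for h in hits:
        print("anomaly", h)
    for m in align_with_events(hits, EVENTS):
        print("co-occurs", m)
    # 9 January (1180, the true peak) is NOT flagged: the 7-8 January spike has already inflated
    # the rolling baseline. A longer window or a median-based band reduces that masking effect.
```

Running the block flags 7 and 8 January against a band of roughly 333 and 775 domains and pairs both with the fire; note the masking of the 9 January peak, which is the main reason to keep the window long relative to the expected spike and to prefer a robust (median/MAD) band when the baseline is small.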

Semantic Shift: How is keyword use changing over time?

The volumetric and fraud-rate analyses showed when unusual behavior occurred within a category of interest, but not what attackers were trying to exploit. To capture language-specific changes, we conducted a semantic shift analysis, which would reflect how the language of newly registered domains within a category of interest changed over time.

We parsed each domain into meaningful tokens: removing TLDs and subdomains, splitting on punctuation and digits, segmenting fused words, and removing boilerplate stop words (extremely common words like “a,” “the,” and “is” are filtered out because they have little semantic value on their own). Token counts were aggregated monthly to form a month-by-term frequency matrix. We then converted this matrix into TF-IDF vectors so that each month was represented by its characteristic vocabulary rather than by raw frequency dominated by common terms.

To visualize how that vocabulary changed, we projected the monthly TF-IDF vectors into two dimensions using t-SNE. Plotting them chronologically produced a trajectory in which nearby points reflected similar keyword distributions, while long jumps indicated major shifts in attacker themes.

We interpreted these jumps by reviewing top-ranked terms each month and, when useful, examining cosine distances and keyword heatmaps. For example, between December 2024 and January 2025, in the natural disaster category, new terms such as “rebuild,” “wildfire,” “disaster,” “la,” and “firestorm” suddenly became dominant, with “supplies” and “emergency” rising sharply as well. This shift aligned precisely with the Palisades Fire (discussed below) and appeared clearly in the semantic trajectory even before drilling into individual domains.
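The tokenization, month-by-term TF-IDF matrix and month-to-month comparison described above, as an added example in Python (not the SURGe/Malware Patrol notebook). It measures the shift with cosine distance between consecutive months instead of the t-SNE projection, segments fused words with a small constructed lexicon (a real pipeline would use a large word list or a wordsegment library), and treats the second-level label as the registrable part of the domain because no public-suffix list is loaded. The (month, domain) pairs are constructed to mimic the December 2024 to January 2025 shift the article describes.

```python
"""Semantic-shift analysis over domain names: tokenize -> monthly TF-IDF -> cosine distance (added example)."""
import math
import re
from collections import Counter, defaultdict

# Constructed lexicon for splitting fused words such as "lafirerelief" -> la, fire, relief.
LEXICON = {"la", "fire", "wildfire", "firestorm", "relief", "donate", "rebuild", "now", "storm",
           "supplies", "emergency", "fund", "holiday", "gift", "shop", "winter", "prep", "flood",
           "insurance", "quote", "hurricane", "recovery", "watch", "the", "palisades"}
STOPWORDS = {"the", "a", "an", "and", "of", "is", "for", "to", "in", "on", "my", "your"}

# Constructed (month, domain) pairs; invented names, not from the study's dataset.
SAMPLE = [
    ("2024-12", "holidaygiftshop.com"), ("2024-12", "winter-storm-prep.net"),
    ("2024-12", "stormreliefsupplies.org"), ("2024-12", "flood-insurance-quote.info"),
    ("2024-12", "hurricane-recovery-fund.org"), ("2024-12", "the-storm-watch.site"),
    ("2025-01", "lafirerelief.org"), ("2025-01", "la-wildfire-donate.com"),
    ("2025-01", "palisadesfirestormfund.org"), ("2025-01", "rebuild-la-now.com"),
    ("2025-01", "wildfire-emergency-supplies.shop"), ("2025-01", "lafire-donate2025.net"),
]


def segment(word):
    """Split a fused word into lexicon words by dynamic programming.
    Cost = characters not covered by lexicon words, then number of pieces, so
    'palisadesfirestormfund' -> palisades|firestorm|fund (not ...|fire|storm|...) and an
    unknown run such as 'zzzzbetjogos' stays one token instead of being shredded into letters."""
    best = [None] * (len(word) + 1)
    best[0] = (0, 0, [])
    for i in range(1, len(word) + 1):
        for j in range(i):
            if best[j] is None:
                continue
            piece = word[j:i]
            unknown = 0 if piece in LEXICON else len(piece)
            cand = (best[j][0] + unknown, best[j][1] + 1, best[j][2] + [piece])
            if best[i] is None or cand[:2] < best[i][:2]:
                best[i] = cand
    return best[-1][2]


def tokenize(domain):
    """Drop TLD and subdomains, split on punctuation and digits, segment fused words, drop stop words."""
    labels = domain.lower().split(".")
    core = labels[-2] if len(labels) >= 2 else labels[0]   # assumption: no public-suffix list
    tokens = []
    for chunk in re.split(r"[^a-z]+", core):
        if chunk:
            tokens.extend(segment(chunk))
    return [t for t in tokens if t not in STOPWORDS]


def month_term_matrix(pairs):
    """Month -> Counter of tokens (the month-by-term frequency matrix)."""
    matrix = defaultdict(Counter)
    for month, domain in pairs:
        matrix[month].update(tokenize(domain))
    return matrix


def tfidf(matrix):
    """Smoothed TF-IDF: tf = count / tokens in month; idf = ln((1+N)/(1+df)) + 1."""
    n = len(matrix)
    df = Counter(term for counts in matrix.values() for term in counts)
    vectors = {}
    for month, counts in matrix.items():
        total = sum(counts.values())
        vectors[month] = {t: c / total * (math.log((1 + n) / (1 + df[t])) + 1) for t, c in counts.items()}
    return vectors


def cosine_distance(a, b):
    dot = sum(a[t] * b.get(t, 0.0) for t in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return 1.0 - dot / (na * nb) if na and nb else 1.0


def top_terms(vec, n=5):
    """Highest-weighted terms; ties broken alphabetically so output is deterministic."""
    return [t for t, _ in sorted(vec.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]


def semantic_shift(pairs, n=5):
    """For each consecutive month pair: cosine distance and the top terms that are new this month."""
    vectors = tfidf(month_term_matrix(pairs))
    months = sorted(vectors)
    shifts = []
    for prev, cur in zip(months, months[1:]):
        new_terms = [t for t in top_terms(vectors[cur], n) if t not in top_terms(vectors[prev], n)]
        shifts.append({"from": prev, "to": cur,
                       "distance": round(cosine_distance(vectors[prev], vectors[cur]), 3),
                       "new_dominant_terms": new_terms})
    return shifts


if __name__ == "__main__":
    for s in semantic_shift(SAMPLE):
        print(s)
```

On the constructed sample the December to January distance is about 0.94 and the newly dominant terms are led by "la", "donate", "fire" and "wildfire", which is the kind of jump the t-SNE trajectory makes visible; with a real month-by-term matrix, the same `distance` series is a cheap first pass before plotting.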

This natural language analysis, combined with event tagging, anomaly detection, and fraud-rate modeling, helped reveal not only when domain activity spiked in response to real-world events, but how attacker intent and focus changed in measurable ways.

Key Finding #1 Real-world crises create immediate and measurable spikes in fraudulent domain activity

Natural disaster–related domains represent the smallest subset of the study’s tagged NRDs, averaging 313 domains per day. Despite the lower volume, some important insights can be gained from this category due to its event-driven fluctuations. Natural disasters offer one of the clearest demonstrations of how quickly attackers capitalize on real-world crises.

One event that clearly illustrates this pattern is the January 2025 Palisades Fire in Los Angeles County, one of the most destructive and costly wildfires in recent U.S. history. Within hours of the first evacuation alerts, our data showed a sudden surge in newly registered domains referencing the fire, Los Angeles, relief efforts, or related humanitarian themes. As the fire intensified over the following days, malicious activity grew alongside it.

Attackers registered domains impersonating relief organizations, emergency resource hubs, and donation portals, rapidly deploying infrastructure to exploit public confusion and urgency.

[Figure: newly registered domains related to natural disasters]

Attackers also blended in more modern lures, including Solana-themed “wildfire relief” tokens and fake cryptocurrency airdrops. Several domain clusters were bulk-registered with identical landing pages designed to harvest email addresses for later phishing campaigns, an increasingly common pattern in crisis-driven fraud. For more information on the most common attack techniques being observed, please check out the Cisco Talos Year in Review Report.

The language embedded in these domains provided further evidence. Using our semantic-shift analysis, we observed a sudden rise in tokens such as “wildfire,” “firestorm,” “lafire,” “supplies,” “donate,” and “emergency”, terms that were largely absent from the dataset just one month prior. January 2025 became the clear high-water mark for natural disaster–related domain registrations in the entire two-year period, and a significant outlier compared to overall NRD activity and the baseline growth trends of other event categories.

Viewed alongside earlier case studies, the Palisades Fire reinforces a broader pattern: real-world shocks produce immediate, measurable spikes in attacker infrastructure. Unlike crypto or financial events, which often generate longer-term waves of fraud, disaster-driven domain activity is sudden and closely tied to public attention cycles. The rapid registration of look-alike donation sites, emergency-aid portals, and geographically themed domains demonstrates how quickly threat actors mobilize when people are most vulnerable. For defenders, this means disaster-driven fraud often materializes before the public fully understands the scale of the event.

Key Finding #2: Crypto events produce the highest fraud volume and the longest-lasting impact.

While natural disasters trigger short-lived bursts of attacker activity, cryptocurrency events generate more persistent waves of fraud. Across the entire dataset, crypto-related domains represented the largest event-linked category and consistently showed the highest fraud prevalence. This pattern coincided with major market and regulatory milestones. One of the most significant upticks occurred in March 2024, when Bitcoin surpassed its previous all-time high. In the days surrounding this event, our dataset recorded one of the largest domain registration spikes in the two-year period, with newly created domains referencing Bitcoin, wallets, exchanges, investment platforms, and token names far exceeding upper sensitivity thresholds.

Unlike natural-disaster spikes, crypto activity did not return to baseline. Instead, March 2024 marked the beginning of an elevated period that persisted through late 2024 and well into 2025. One of our hypotheses before starting the analysis was that the recent pro-crypto changes in the U.S. regulatory environment would create more opportunities for crypto-related fraud. Examples of these events include:

  • January 10, 2024: The SEC approved the first 11 spot Bitcoin exchange-traded products (ETFs/ETPs) in the U.S. These products give investors exposure to Bitcoin’s price movements without the need to buy, store, or manage Bitcoin themselves.
  • March 6, 2025: A U.S. executive order established a strategic bitcoin reserve; the accompanying announcement specifically named Bitcoin, Ethereum, XRP, Solana, and Cardano.
  • March 28, 2025: The U.S. FDIC rescinded its 2022 letter that required banks to notify the agency and obtain prior approval for crypto activities. FDIC-supervised institutions may now engage in permissible crypto activities without prior approval.
  • July 18, 2025: The U.S. enacted the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act. The legislation continued the trend toward regulated cryptocurrencies, including reserve requirements and marketing standards.

These developments drew millions of new and inexperienced users into the market, widening the pool of potential victims. Attackers responded by registering domains that impersonated exchanges, mimicked customer dashboards, hosted fake wallet downloads, and advertised fraudulent staking or investment opportunities.

The rise in pig-butchering operations during this period further illustrates how attackers adapted to this influx of new users. These long-con social engineering schemes rely on building trust with victims over weeks or months before steering them toward fabricated crypto-investment platforms. Crypto fraud was therefore not limited to quick-hit phishing; attackers were also playing the long game of establishing trust with their victims.

Since crypto coin scams often involve multiple domains on shared infrastructure, we used known fraud IOCs to hunt for clusters of other probable fraud activity. Building on an initial IOC list, we created flexible keyword categories that capture common memecoin-related themes, then bucketed the category count per IP to give a variety of sorting options when investigating the data.

The resulting output aggregates the suspicious categories as a distinct count per IP and can be used to review the domain names that share IP space with known fraud sites.
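The IOC pivot and category bucketing described above, as an added example in Python rather than the Splunk search used in the study (the page does not reproduce that query). The NRD records, the seed IOC list, the theme regexes and the 500-domain cluster cut-off are all constructed assumptions; the cut-off is the practitioner's guard against pivoting on a CDN edge or shared-hosting IP, where co-location says nothing about a domain.

```python
"""Pivot from known crypto-fraud IOCs to other NRDs on the same IP and rank by distinct memecoin themes (added example)."""
import re
from collections import defaultdict

# Constructed NRD records (domain, resolved IPv4): invented domains on documentation-range IPs.
NRDS = [
    ("lunarcoin-presale.xyz", "203.0.113.10"), ("claim-lunar-airdrop.top", "203.0.113.10"),
    ("lunarmoon100x.site", "203.0.113.10"), ("pepe-rocket-launch.io", "203.0.113.10"),
    ("kittycafe-bakery.com", "203.0.113.10"),
    ("dogetokenairdrop.online", "198.51.100.7"), ("bakery-supplies-wholesale.com", "198.51.100.7"),
    ("localyogastudio.org", "192.0.2.44"), ("wallet-sync-metamask-help.top", "192.0.2.44"),
]
KNOWN_FRAUD = {"lunarcoin-presale.xyz", "dogetokenairdrop.online"}   # constructed seed IOCs

# Flexible theme categories for memecoin lures; the patterns are assumptions, not the study's.
THEMES = {
    "coin_token": re.compile(r"coin|token|crypto|defi|nft"),
    "airdrop_claim": re.compile(r"airdrop|claim|giveaway"),
    "launch_presale": re.compile(r"presale|launch|mint"),
    "hype": re.compile(r"moon|pump|100x|rocket|gem"),
    "mascot": re.compile(r"doge|pepe|shib|elon|trump"),
    "wallet_support": re.compile(r"wallet|metamask|phantom|support|sync"),
}


def categorize(domain):
    """Sorted theme names whose pattern matches the domain (TLD excluded so '.top' etc. never match)."""
    label = domain.lower().rsplit(".", 1)[0]
    return sorted(name for name, rx in THEMES.items() if rx.search(label))


def pivot(nrds, known_fraud, max_cluster=500):
    """One result per IP hosting at least one seed IOC: its neighbours (non-seed domains on the
    same IP) with their themes, the distinct themes across neighbours, and unthemed neighbours
    (still worth a look). IPs with more than `max_cluster` domains are skipped as shared hosting/CDN."""
    by_ip = defaultdict(list)
    for domain, ip in nrds:
        by_ip[ip].append(domain)
    results = []
    for ip, domains in by_ip.items():
        seeds = sorted(d for d in domains if d in known_fraud)
        if not seeds or len(domains) > max_cluster:
            continue
        neighbours = {d: categorize(d) for d in domains if d not in known_fraud}
        themes = sorted({t for cats in neighbours.values() for t in cats})
        results.append({"ip": ip, "seeds": seeds, "neighbours": neighbours,
                        "categories": themes, "distinct_categories": len(themes),
                        "unthemed": sorted(d for d, cats in neighbours.items() if not cats)})
    return sorted(results, key=lambda r: (-r["distinct_categories"], r["ip"]))


if __name__ == "__main__":
    for r in pivot(NRDS, KNOWN_FRAUD):
        print(r["ip"], "seeds:", r["seeds"], "distinct themes:", r["distinct_categories"])
        for d, cats in r["neighbours"].items():
            print("   ", d, cats or "(no theme: review manually)")
```

Sorting by `distinct_categories` surfaces 203.0.113.10 first (four themes across its neighbours), while 198.51.100.7 ranks last because its only neighbour is unthemed; the distinct count is a prioritisation key, not a verdict, which is why unthemed neighbours are still listed.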

While U.S. regulation has helped legitimize cryptocurrencies in the past years, investors should consider any investment opportunities advertised in this realm with healthy skepticism and due diligence. The FBI cites increased risk of scam for companies that are not part of self-regulatory organizations like the National Futures Association or FINRA.

Key Finding #3: Economic Fears Supercharge Uncertainty & Cyber Crime

In the financial (non-crypto) category, one of the strongest domain registration surges occurred in March 2024, during a period of heavy U.S. news coverage of the rising cost of living and rising insurance costs. A clear pattern emerged in the data: insurance-related keywords began increasing in frequency as early as February and peaked in April.

From January through April 2024, U.S. national news outlets repeatedly highlighted double-digit increases in auto-insurance rates, numerous hospital and insurer contract disputes, and controversies over claims and prior-authorization denials. In addition, the Centers for Medicare & Medicaid Services (CMS) confirmed a 3.7% increase in Medicare Advantage rates for 2025. This sustained narrative produced high consumer awareness and uncertainty, the kind of environment scammers reliably exploit to deploy convincing insurance-themed phishing, refund fraud, fake coverage notifications, eligibility-verification fraud, and fake insurer-comparison websites.

In the data, we observed a shift in the domains being registered during this period. Insurance-related terms such as “insurance,” “rate,” “car,” “Medicare,” “renew,” and “health” appeared with increasing frequency. We also observed clusters using commonly abused TLDs (.xyz, .site, .online, .buzz, .bond), consistent with disposable phishing infrastructure. Numerous domains were generic or service-oriented (e.g., “insurance,” “health insurance,” “getinsurance,” “ethical insurance”), typical of phishing, scam, or fraud-oriented lures targeting people seeking coverage.

March 2024 – Volume Precedes Focused Campaigns

The data from March mirrors the rise in general financial-services domain creation during ongoing tax-season fraud, refund scams, and credit-repair themes while also demonstrating a strong overlap with the insurance-related narratives that were entering peak national coverage.

• car-insurance-47993.bond (multiple sequential variants)
• health-insurance-19289.bond (multiple sequential variants)
• insuranceconcierge.expert, insuranceconcierge.guru (bulk-pattern cluster)
• betterinsurancerate.net
• insurebestrateusa.info
• auto-insurance-deals.shop
• autoinsurancefind.today
• plansmedicare.org
• fullycoveredinsurance.com

April 2024 – A Surge in Insurance-Specific Keywords

Despite March’s higher overall volume, April produced significantly more domains containing insurance-trigger keywords:
• autoinsuranceforseniors204203.life (multiple sequential variants)
• accident-insurance-15849.bond (multiple sequential variants)
• getinsurance.pro
• governmentmedicalinsurance.com
• gov-insurance-now-8.live
• cheapautoinsurancetip.top
• cheapcarinsurancenet.top
• health-insurance-12396.bond (multiple sequential variants)
• insuranceforseniorsite.com
• medical-insurance122.online (multiple sequential variants)
• middle-agedandelderlyinsurance991.online (multiple sequential variants)
• senior-car-insurance-20352.bond (multiple sequential variants)
• americanmedicarequote.com, americanmedicarequotes.com
• medicareformedicare.site, medicare-plans-help.today
• the-car-insurance030.site (multiple sequential variants)

As a point of interest, April’s activity showed more diverse insurance subcategories (auto, medical, Medicare, homeowners, cyber, senior, contractor), suggesting that the campaigns were directly “riding” the elevated media noise from the preceding months. There were also more bulk/cluster registration patterns in April’s data, a possible indication of heightened (or peak) malicious campaign activity.

Our analysis indicates that both the March 2024 financial-domain surge and the insurance-specific increase in April can likely be explained by the compounding effect of January to March news cycles. The steady stream of headlines created fertile ground for threat actors to exploit confusion around benefits, coverage options, and plan updates.

Cross-Category Comparison: How Each Event Type Behaves in the Data

Since the scale of each category is different, for a direct side-by-side comparison we instead tracked the relative growth of each category: each line starts at 100 in the first month, so rising to 150 means +50% versus its own baseline. The tight tracking of these lines shows that every category is still driven by macro-level trends, which makes deviations from the cohort all the more notable.

As a grouped category, crypto-related domains had the highest fraud rate, 26.86%, well above the global baseline of 23.10%. The natural disaster category is much smaller in daily volume, but it produces the sharpest short-term deviations, and its trends are easier to track without detailed keywords than those of the financial categories; its fraud rate was also elevated, at 24.26%. Financial (non-crypto) events tend to create modest increases in suspicious domain activity, with a fraud rate averaging 23.69%, slightly above the global baseline. For these purposes, a domain counted as ‘fraud’ if it had ever resolved to an IP with a history of hosting malware, domain generation algorithm (DGA) domains, or command-and-control infrastructure. Because this reputation is IP-based and many domains can share a single IP, these fraud rates are likely inflated and should not be read as the true global rate of fraudulent domains.

Conclusions: Turning Event Awareness into Early Action

Attacker infrastructure frequently appears within hours or days of major real-world events, which means defenders benefit from treating external developments as operational signals. Incorporating event awareness into threat intelligence workflows begins with tracking high-impact geopolitical and economic activity and prioritizing the events most relevant to your sector or user base.

Once relevant events are identified, teams can determine which organizations or services attackers are most likely to impersonate. Converting those likely targets into keyword patterns makes NRD monitoring more effective, allowing clusters of newly registered domains to surface as early indicators of staging activity. Domains using unusual TLDs, typosquatting, or obfuscated permutations (for example, govuk-verify[.]info or unhcr-supp0rt[.]org) can then be evaluated against known threat-actor behaviors to assess whether they align with phishing kits or previously observed campaigns.

Adding contextual tags, such as the associated event, likely “spoofed entity”, or “suspected TTP”, helps SOC analysts and threat hunters pivot on related domains more effectively. Certificate metadata and sandboxing results provide additional signals to distinguish benign alerts from malicious activity. Feeding this enriched context into a SIEM or TIP allows detections to operate faster and with greater precision.

These findings highlight that NRD monitoring is a reliable early indicator of cybercrime taking shape. By pairing domain trends with current events, defenders can anticipate the kinds of lures and impersonation themes that are likely to emerge next. Building this context into threat intelligence programs helps teams detect malicious infrastructure earlier, prioritize investigations more effectively, and prepare for incoming campaigns rather than reacting after the fact. As cybercriminals align their operations with real-world disruptions, adopting event-driven threat intelligence is essential for staying ahead.

Credit to authors and collaborators: Lauren Stemler (Splunk / SURGe), Ryan Fetterman (Splunk / SURGe), James Hodgkinson (Splunk / SURGe) and Vandita Anand (Splunk / SURGe), Andre Correa (Malware Patrol), Leslie Dawn (Malware Patrol).

 

Emerging Threats Intelligence: A Curated Signal with Predictive Power

The Value of Emerging Threats Intelligence

Threat campaigns often evolve too quickly for traditional defenses to catch them in time. Our Emergent Threats Domains feed is built to provide early visibility into domains that are likely to be used in malicious activity. By combining multiple data sources with advanced analysis techniques, we surface high-risk domains before they are operationalized in active campaigns. This allows security teams to move from reactive defense to proactive action, reducing exposure and improving response times.

Identifying Risk Before It’s Weaponized

To identify emerging threats, we combine several raw data sources, including newly registered domains (NRDs), newly observed domains (NODs) from DNS traffic and other signals from our global collection systems. On their own, these datasets are high-volume and unfiltered, but by applying multiple layers of analysis we can identify domains that are far more likely to be weaponized in malicious campaigns.

Each domain is scored based on the following (among other) criteria:

Structural analysis: Detecting randomness, entropy, and other patterns common in algorithmically generated domains (DGAs)

Infrastructure associations: Mapping connections to infrastructure from both current and previous malicious campaigns tracked in Malware Patrol’s extensive historical database, revealing reuse of attacker resources

Brand lookalikes: Spotting domains designed to impersonate trusted brands, a common precursor to phishing and fraud

TLD reputation: Factoring in the track record of top-level domains (for example, .xyz) that frequently appear in malicious campaigns

This combination of broad input data and layered analysis transforms raw domain activity into a curated feed of high-risk signals. Even though these domains may not yet appear on VirusTotal or in traditional intelligence feeds, they often carry subtle indicators of risk.

Key Benefits for Security Teams

By highlighting suspicious domains early, the feed gives defenders a head start. With emerging threats intelligence, security teams can:

  • Block high-risk domains before they are weaponized
  • Identify suspicious infrastructure earlier in the attack chain
  • Reduce attacker dwell time by acting faster
  • Strengthen DNS-layer defenses and detection systems with predictive data

Advantages and Limitations

Like any security solution, our Emergent Threats Domains feed has strengths and trade-offs that should be considered.

Advantages:

  • Pre-filtered and enriched, reducing noise and making it ready to deploy in firewalls, SIEMs, and DNS layers
  • Compact enough to work within the limits of tools that cannot process large blocklists
  • Includes enrichment and scoring, providing immediate context for faster decisions
  • Well-suited for smaller teams or those without capacity to build enrichment pipelines internally

Limitations:

  • Filtering and scoring are determined by vendor criteria, which may not fully align with every organization’s unique threat model
  • By design, not every domain is included, only those identified as suspicious, so some activity could be missed
  • Less flexible than raw feeds, making it less suitable for organizations that prefer to create custom detection logic

Comparison: Newly Registered Domains vs Emergent Threats Domains

Both NRDs and emerging threats intelligence provide valuable visibility, but they serve different needs as outlined in the table below.

| Newly Registered Domains (NRDs) | Emergent Threats Domains |
| --- | --- |
| Broad coverage of all new domains | Focused coverage of domains flagged as suspicious |
| High volume and unfiltered | Pre-filtered, enriched, and scored |
| Requires custom enrichment and filtering by the user | Includes enrichment such as entropy, brand lookalikes, infrastructure ties, and TLD reputation |
| Useful for hunting, research, and building custom detections | Useful for immediate blocking and SOC operations |
| May overwhelm tools or teams without filtering | Compact size avoids overwhelming security tools |
| Best for mature SOCs and research teams | Best for smaller teams or those prioritizing operational efficiency |

In short, NRDs give maximum visibility and flexibility, while Emergent Threats Domains provides ready-to-use intelligence that reduces noise and speeds up action.

Try Malware Patrol’s Emergent Threats Domains With a Free Trial

Whether you want the flexibility of raw NRDs or the convenience of enriched Emergent Threats Domains, we can help you choose the right approach for your environment. We also offer free evaluations so you can see the data in action and decide which feed best fits your security needs.

Get started today and take the first step toward staying ahead of tomorrow’s threats. We’d be happy to discuss options and set up a free trial. Use this link to schedule time with us.

Newly Registered Domains: A Raw Signal with Real Value

Working with Newly Registered Domains

We provide a Newly Registered Domains (NRDs) feed, and one of the most common questions we receive is: “How can this data be used?”

It is a valid question. By their very nature, NRDs are high-volume and unfiltered, which can make them challenging to work with at first glance. But that rawness is also what makes them powerful: they provide one of the most comprehensive snapshots of Internet activity you can get. After all, every malicious domain begins life as an NRD. For defenders who know how to work with this telemetry, that makes NRDs an invaluable early-stage signal.

With the right enrichment and filtering, what first looks like overwhelming noise can quickly turn into actionable intelligence. Organizations that invest in detection engineering or custom hunting workflows can use NRDs to spot attacker infrastructure before it’s weaponized in campaigns, often long before it ever appears in curated threat feeds.

Before we dive into how organizations can put NRDs to work, let’s take a step back. When we say “NRD feed,” what exactly does that include? And why is this raw data so valuable?

What is an NRD Feed?

A Newly Registered Domains (NRD) feed is a daily snapshot of every domain registered on a given date. It captures everything, from legitimate business sites and personal projects to the very first traces of attacker infrastructure.

Threat intelligence providers may structure NRD intelligence in different ways, but the most common fields include the domain name, the registration date, and related DNS records. These basic elements make up the raw dataset.

Malware Patrol takes it a step further. In addition to listing new domains, we resolve each one through DNS and check the resulting IP addresses against our current and historical databases of malicious infrastructure. The output is a simple indicator, presented by threat type, showing whether a domain has ever resolved to an IP tied to malicious activity. This doesn’t turn NRDs into a curated threat feed, but it does provide valuable context to help security teams prioritize where to look first.

Example NRD Feed Entry (Simplified)

{
  "DOMAIN": "zzzzbetjogos.com",
  "REGISTRATIONDATE": 20250928,
  "A_RECORD": [
    {
      "IP": "104.21.18.168",
      "HOSTINGC2": 0,
      "HOSTEDC2": 0,
      "HOSTEDDGA": 0,
      "HOSTINGMALWARE": 0,
      "HOSTEDMALWARE": 0
    }
  ],
  "AAAA_RECORD": [
    { "ADDRESS": "2606:4700:3035::6815:12a8" }
  ],
  "NS_RECORD": [
    { "HOST": "lennon.ns.cloudflare.com" },
    { "HOST": "nelly.ns.cloudflare.com" }
  ]
}

Why Should You Care About NRDs?

Attackers depend on newly registered domains as a foundation for their operations. Whether establishing fresh infrastructure for malware delivery or spinning up lookalike sites that mimic trusted brands, new domains give adversaries a clean slate. With no reputation history and no presence on blocklists, they’re the perfect launchpad for malicious activity.

Every day, threat actors register domains to:

  • Launch phishing and social engineering campaigns

  • Set up malware infrastructure like C2 servers and drop zones

  • Impersonate legitimate brands through typosquats and lookalikes

  • Avoid being caught by existing blocklists.

Of course, many newly registered domains are harmless, and attackers also reuse aged or compromised legitimate domains that NRD data will never surface. The critical point is that every domain an attacker registers for a campaign starts as an NRD, which makes NRDs a powerful early-warning signal. By using them, security teams can detect attacker infrastructure before it is weaponized in campaigns and long before it shows up in curated threat feeds.

Use Cases for Newly Registered Domains Feeds

Here’s what your team can do with this data:

  • Block NRDs for a fixed period (e.g., 3–7 days): Most legitimate sites are not operational immediately, so blocking during this window dramatically reduces exposure to phishing and malware campaigns. Keep an exception process, since a legitimately new partner or vendor site will be blocked too.
  • Prioritize NRDs that resolve to suspicious infrastructure: Use Malware Patrol’s malicious-IP indicator as a filter to decide which domains may warrant closer inspection.
  • Monitor for brand impersonation or typo squatting: Detect lookalike domains before they appear in phishing emails.
  • Detect DGA or high-entropy domains: Flag domains likely generated by Domain Generation Algorithms. A DGA domain typically looks like a random string of characters, often unpronounceable, and statistically unlikely in natural language (e.g., xj3k9u2p.biz).
  • Retroactive incident analysis: Check which NRDs were queried during dwell time in an incident.
  • Security research: Track TTPs of threat actors by watching domain registration patterns. Investigate bulk registrations, suspicious registrars, or ASN patterns to spot attacker infrastructure.
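The triage the use cases above call for, combined with the scoring criteria listed in the Emergent Threats section (structural/DGA analysis, infrastructure associations, brand lookalikes, TLD reputation) and the obfuscated permutations mentioned in the conclusions (govuk-verify, unhcr-supp0rt), as one added example in Python. This is not Malware Patrol's scoring logic (the page lists the criteria, not weights or thresholds); it consumes records in the layout of the sample feed entry above. The brand watchlist, abused-TLD list, weights, 7-day hold and every record except zzzzbetjogos.com (the page's own sample) are assumptions for illustration.

```python
"""Score NRD feed entries: malicious-IP indicator, DGA heuristic, brand lookalike, TLD reputation, age (added example)."""
import json
import math
import re
from collections import Counter
from datetime import date, datetime

FLAG_FIELDS = ("HOSTINGC2", "HOSTEDC2", "HOSTEDDGA", "HOSTINGMALWARE", "HOSTEDMALWARE")
ABUSED_TLDS = {"xyz", "site", "online", "buzz", "bond", "top"}   # TLDs the article calls out, plus .top
BRANDS = {"paypal", "microsoft", "unhcr", "govuk", "amazon"}     # constructed watchlist
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _rec(domain, regdate, ip, **flags):
    """Feed record in the page's layout (AAAA/NS records omitted); unset flags default to 0."""
    a = {"IP": ip, **{f: flags.get(f, 0) for f in FLAG_FIELDS}}
    return {"DOMAIN": domain, "REGISTRATIONDATE": regdate, "A_RECORD": [a]}


# Constructed feed: the page's sample entry plus invented records on documentation-range IPs.
FEED_JSON = json.dumps([
    _rec("zzzzbetjogos.com", 20250928, "104.21.18.168"),
    _rec("unhcr-supp0rt.org", 20251009, "198.51.100.23", HOSTEDMALWARE=1),
    _rec("xj3k9u2p.biz", 20251008, "203.0.113.9"),
    _rec("paypa1-login.top", 20250901, "203.0.113.77"),
    _rec("quarterly-report-team.com", 20250815, "192.0.2.5"),
])


def core_label(domain):
    """Second-level label (no public-suffix list here, so 'x.co.uk' would yield 'co')."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_like(label):
    """Crude DGA heuristic: near-maximal character entropy plus many digits or few vowels.
    Real classifiers use character n-gram models; this is enough to flag 'xj3k9u2p'."""
    s = re.sub(r"[^a-z0-9]", "", label.lower())
    if len(s) < 8:
        return False
    counts = Counter(s)
    entropy = -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())
    digits = sum(ch.isdigit() for ch in s) / len(s)
    vowels = sum(ch in "aeiou" for ch in s) / len(s)
    return entropy / math.log2(len(s)) >= 0.9 and (digits >= 0.25 or vowels <= 0.2)


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(label):
    """Brand the label imitates: leet-normalised substring ('supp0rt' -> 'support', 'paypa1' -> 'paypal')
    or a hyphen-separated piece one edit away ('amazom'); None if nothing matches."""
    pieces = [re.sub(r"[^a-z]", "", p.translate(LEET)) for p in label.lower().split("-")]
    joined = "".join(pieces)
    for brand in sorted(BRANDS):
        if brand in joined or any(len(p) >= 5 and levenshtein(p, brand) == 1 for p in pieces):
            return brand
    return None


def score_entry(entry, as_of, hold_days=7):
    """Combine the signals into a score and a verdict; weights and thresholds are assumptions."""
    domain = entry["DOMAIN"]
    label, tld = core_label(domain), domain.rsplit(".", 1)[-1].lower()
    registered = datetime.strptime(str(entry["REGISTRATIONDATE"]), "%Y%m%d").date()
    age = (as_of - registered).days
    signals = {
        "malicious_ip": any(a.get(f, 0) for a in entry.get("A_RECORD", []) for f in FLAG_FIELDS),
        "lookalike": lookalike(label),
        "dga_like": dga_like(label),
        "abused_tld": tld in ABUSED_TLDS,
        "age_days": age,
    }
    score = (50 * signals["malicious_ip"] + 30 * bool(signals["lookalike"]) + 20 * signals["dga_like"]
             + 10 * signals["abused_tld"] + 10 * (age < hold_days))
    if score >= 50:
        verdict = "block"
    elif age < hold_days:
        verdict = "hold"      # the fixed-window block for brand-new domains (3-7 day use case)
    elif score >= 20:
        verdict = "review"
    else:
        verdict = "allow"
    return {"domain": domain, "score": score, "verdict": verdict, **signals}


def score_feed(feed_json, as_of):
    """Score every entry of a feed (JSON array string) as of an ISO date; highest risk first."""
    as_of = date.fromisoformat(as_of)
    return sorted((score_entry(e, as_of) for e in json.loads(feed_json)), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in score_feed(FEED_JSON, "2025-10-10"):
        print(r["verdict"].ljust(6), r["score"], r["domain"], r["lookalike"] or "")
```

As of the constructed date, unhcr-supp0rt.org is blocked (malicious-IP history plus a leet-normalised brand hit), xj3k9u2p.biz is held only because it is two days old and DGA-like, paypa1-login.top lands in review on lookalike plus TLD, and the page's zzzzbetjogos.com sample is allowed because none of the signals fire; the last case is the reminder that these indicators prioritise review, they do not prove benignity.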

NRDs: Raw Fuel for Custom Defenses

If you’re looking to enrich internal detection pipelines, protect your brand, or analyze emerging infrastructure at Internet scale, NRDs are where that work starts. While NRDs are not a plug-and-play threat feed, they empower organizations to hunt earlier, detect faster, and build detections tuned to their own threat models. (With our malicious-infrastructure correlations, subscribers also get a bit of extra context to help prioritize analysis!)

We understand that working with a raw NRD feed can be challenging, which is why we help our subscribers get the most out of it. Our team can customize the feed to align with your environment – at no cost – and provide guidance on setting internal parameters so you can filter, enrich, and prioritize domains in a way that fits your security goals.

And if your organization prefers not to manage this kind of data, we also offer an alternative: Emergent Threats Domains. This feed is informed in part by NRDs but is pre-filtered, enriched, and ready for immediate use in security controls.

Want to explore what your organization can do with NRDs? Let’s talk.


How big are your threat data gaps?

See for yourself.


Malicious Domains: A Cybersec Foundation

Malicious domains are a foundational layer of threat intelligence and provide critical visibility into where attackers operate online. You can integrate domain-based intelligence across your security stack to: enhance prevention with DNS filtering and firewall rules, improve detection via IDS/IPS systems, guide SOAR-driven response playbooks, and support retrospective threat hunting. Their versatility makes them valuable for organizations of any size because they serve as both a frontline defense and an investigative asset.

Why Domains (Not Just IPs) Matter

Blocking domains offers a more precise and effective way to deny access to malicious infrastructure compared to blocking at the IP-level. Unlike IP addresses, which are often shared across many services and tenants (e.g., cloud providers), domains tend to be unique to the threat actor’s campaign or infrastructure. Blocking a malicious IP risks affecting legitimate services; blocking a malicious domain is more targeted and typically less prone to false positives.

Where to Get Domain Blocklists

There are several sources for malicious domain blocklists:

  • Commercial Threat Intelligence Vendors – They offer curated, regularly updated feeds, often enriched with context like first-seen dates, associated malware families, or related indicators (IPs, hashes, etc.).
  • Open Source Intelligence (OSINT) – Communities such as Abuse.ch, PhishTank, and threat-sharing platforms publish free lists. While useful, they can vary in accuracy, timeliness, and depth of context.
  • Internal Sources – Your organization’s own detection systems (e.g., sandboxing, phishing reports) can be a powerful generator of high-confidence domains worth adding to local blocklists.

Of course, not all feeds are created equal. Freshness, coverage, and enrichment are key to determining how useful a feed is in real-world defensive operations.

The Importance of Freshness and Context

Threat actors continuously evolve their infrastructure. Domains can be registered and weaponized within minutes. That’s why static or infrequently updated lists are of limited use. A quality feed should not only be updated frequently, ideally hourly or daily, but also provide context: Why is this domain flagged? Is it linked to a specific malware family? Was it part of a known phishing kit? When was it first detected?

Rich metadata and context allow security teams to make informed decisions. For example, knowing a domain is associated with a known command-and-control server for a particular ransomware strain might justify more aggressive response actions than if it were merely flagged for spam.

How to Use Malicious Domain Feeds

You can integrate domain intelligence into your environment in several ways:

  • Network Controls – Feed domains into firewalls, DNS security tools, or secure web gateways to block access in real time.
  • IDS/IPS Systems – Tools like Suricata or Snort can inspect DNS traffic for requests to known bad domains and generate alerts or drop packets.
  • SIEMs and SOARs – Enrich alerts with domain context to improve triage speed and accuracy.
  • EDR and XDR – Use domain feeds to flag suspicious outbound connections from endpoints and correlate with other malicious activity.
  • Threat Hunting – Historical DNS logs or proxy logs can be cross-referenced against the feed to identify prior compromise.
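
The threat-hunting step above, as an added example that is not from the original article: constructed query-log lines (a simplified BIND-style format) are cross-referenced against a constructed blocklist, matching subdomains of a listed name but not unrelated names that merely share a suffix string.

```python
import re

# Constructed blocklist entries, not Malware Patrol data.
BLOCKLIST = {"c2-beacon.example", "malware-drop.example"}

# Constructed query-log lines; the format is a simplified BIND-style query log.
SAMPLE_DNS_LOG = """\
03-Jun-2025 10:15:01.123 client 10.1.2.3#53211: query: www.sunnyside-bakery.com IN A +
03-Jun-2025 10:15:02.456 client 10.1.2.3#53212: query: cdn.c2-beacon.example IN A +
03-Jun-2025 10:15:03.789 client 10.1.7.9#40001: query: malware-drop.example IN TXT +
03-Jun-2025 10:15:04.000 client 10.1.7.9#40002: query: notmalware-drop.example IN A +
"""

LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")

def blocklist_match(qname: str, blocklist: set):
    """Return the blocklisted name that qname equals or is a subdomain of, else None.
    Matching is label-wise, so notmalware-drop.example does not hit malware-drop.example."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match on a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def hunt(log_text: str, blocklist: set) -> list:
    """Cross-reference every logged query; return (client, qname, matched_entry) tuples."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                          # unparsable line, skip
        hit = blocklist_match(m["qname"], blocklist)
        if hit:
            hits.append((m["client"], m["qname"], hit))
    return hits

def suspect_hosts(hits: list) -> list:
    """Distinct client IPs that queried a blocklisted name, i.e. endpoints to triage first."""
    return sorted({client for client, _, _ in hits})
```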

Best Practices for Operational Use

  1. Use Multiple Feeds – Every source has limitations in coverage, geography, etc. Combining feeds from multiple vendors and publicly available offerings helps maximize coverage.
  2. Automate Ingestion and Updates – Integrate feeds into your tech stack with automation tools or platforms.
  3. Monitor for Overblocking – Even with domain-level granularity, verify false positives and build feedback loops to tune your blocklists.
  4. Use Enriched Feeds for Decision Making – Context reduces alert fatigue and helps prioritize incident response.

Final Thoughts

Malicious domain feeds are a tried and true foundational element of threat prevention, detection, and response. From stopping phishing attempts to flagging command-and-control activity, domain-level intelligence provides a tactical advantage in defending against today’s fast-moving threats.

Malware Patrol offers domain intelligence designed to meet the needs of security teams who require both breadth and depth. We cover a wide range of threats, from phishing and malware to emerging threats, cryptomining, DGAs, and C2 infrastructure. Our feeds are also enriched with the metadata that helps turn alerts into action. For ease of use, we format the feeds for compatibility with the most popular security tools and platforms.

Ready to add precision and power to your defenses? Contact us to learn more or to request a free trial.


Why choose Malware Patrol over a free DNS protection service?


Customers and prospects have approached us recently with questions similar to this: why should we choose Malware Patrol instead of a free DNS protection service? The question is fair, especially in a market with at least 93 different free DNS offerings, including big players like Cloudflare, Cisco and Quad9.

We want to provide the facts so you can decide for yourself. These services present themselves as something like a “DNS platform that provides end users robust security protections, high-performance, and privacy”. Although the idea of consolidating multiple threat data sources and providing a protection service is very appealing, there are many aspects to take into account before you change your DNS settings.

First of all, remember that nothing is really free in life. The saying ‘if you’re not paying for the product, you are the product’ is true more than ever. In this case, it means you are giving away data about everything you do online.

Every time you visit a website, use a social media app, read emails, watch a movie or do pretty much anything online, your device makes DNS queries to determine the IP addresses of the various services it needs to access. Although some of these DNS service providers say they don’t log your IP address, they do log queries, and a lot of data can be derived from that. The byproducts range from “passive DNS” collection to usage patterns, and they present a threat to privacy.

Everybody wants your DNS queries. The service providers built complex infrastructures that use anycast and servers hosted in multiple locations, but who pays for all that? Most likely the data you passively provide when using their services.

Second, what do they protect you from, really? Many of these services mention you are protected from malware and phishing, but there is no word on the threat data sources, amount of data, how it is validated, how it is aged, and so on. You are protected, but don’t know from what. Is this really the protection you need? Does it cover the most recent malicious campaigns, the ones that affect your country and language? There is no way to know.

Third, these service providers mention that they white list legitimate domains. How does that work? Who says a domain is legitimate and assures it will never host malware? Recent years have proved that no website is totally immune to attacks, and being tagged as legitimate is no guarantee it won’t be compromised and used to distribute malware. In fact, the more a website is considered benign, the bigger a prize it becomes for hackers who want to distribute badness.

And finally, why do companies share their threat data for free with these service providers when they sell the same data for big bucks? Thinking about that, one can clearly see a conflict of interest. These companies either don’t share the most up-to-date data or are monetizing the information received from the service providers, also known as your DNS queries.

At Malware Patrol, we have a different approach. We have been monitoring malicious campaigns since 2005, and that is our core business. Apart from collecting data on malware and ransomware activities, we validate the data to make sure campaigns are active. We don’t age data; entries are only removed from our feeds once we know for a fact that the threat isn’t available anymore.

Our customers can use this threat data in most industry security software and platforms, including DNS servers. For DNS, we let them download zone files that are updated every hour, or automatically synchronize zones in real time using the RPZ mechanism, providing a reliable DNS Firewall solution. This way, customers retain total control of their DNS infrastructure and their privacy. We don’t resolve queries; we provide the data your servers need to block them. And, on top of not leaking any data from your company, you can configure a “walled garden”, redirecting employees or customers to an informative and educational website under your control every time they try to reach a blocked address.
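As an added illustration (not Malware Patrol’s tooling or feed format), this Python turns a constructed domain list into an RPZ zone file: `CNAME .` makes the resolver answer NXDOMAIN, while a CNAME to a host you control implements the walled garden described above. The feed excerpt, the zone name and the landing host `blocked.corp.example.` are hypothetical.

```python
from datetime import datetime, timezone

# Constructed feed excerpt in a plain one-domain-per-line format; '#' starts a comment.
SAMPLE_FEED = """\
# constructed sample, not Malware Patrol data
Malware-Drop.example.        # hosts malware
c2-beacon.example
c2-beacon.example            # duplicate, collapsed by parse_feed
"""

def parse_feed(text: str) -> list:
    """Normalise feed lines: strip comments, whitespace, trailing dots and case; drop duplicates."""
    names = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name:
            names.add(name)
    return sorted(names)

def rpz_zone(zone: str, domains: list, target: str = ".", serial: int = None) -> str:
    """Emit RPZ zone text. target='.' answers NXDOMAIN; a hostname target such as
    'blocked.corp.example.' (hypothetical) redirects clients to a walled-garden page."""
    serial = serial or int(datetime.now(timezone.utc).strftime("%Y%m%d%H"))
    lines = ["$TTL 300",
             f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 900 604800 300",
             "@ IN NS localhost."]
    for d in domains:
        lines.append(f"{d} IN CNAME {target}")
        lines.append(f"*.{d} IN CNAME {target}")   # cover subdomains of the listed name too
    return "\n".join(lines) + "\n"

def rpz_records(zone_text: str) -> dict:
    """Map owner name -> CNAME target for the policy records in a zone (used to check output)."""
    return {l.split()[0]: l.split()[-1] for l in zone_text.splitlines() if " IN CNAME " in l}
```

Load the generated zone into your resolver’s response-policy configuration and bump the serial on every regeneration so secondaries notice the change.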

To further customize their security, we allow customers to control what they want to block. The threat data is divided into 4 different zones and each can be used separately:

1) domains hosting malware and ransomware

2) C2s domains

3) DGAs (domains generated via algorithms) used by malware and ransomware

4) cryptominers – domains that abuse visitors’ CPUs to mine cryptocurrencies.

Through all these years, we have seen so many “legitimate domains” hacked to host badness and ones that simply allow users to freely upload malware to their accounts. For example, is ‘dropbox.com’ legitimate? Sure, it is. Does it host malware? Yes, and very often. Should a DNS service provider block ‘dropbox.com’? For us, it depends.

Our approach is to provide customers the complete information, informing them that ‘dropbox.com’ is hosting bad stuff. Then, they can make an informed decision about whether or not to white list it, based on their understanding of the threat as well as their internal policies. Customers can easily white list domains they don’t want blocked, even those hosting malware. We understand that sometimes it is not practical to block a very popular domain.

We believe in the idea of providing security through DNS. Most of the service providers out there are doing a good job, aligned with their stated missions. But these services are better suited to regular Internet users who simply want some protection for themselves. On the other hand, small businesses, service providers and enterprises require more flexibility and transparency and are more concerned than ever about privacy. The solutions provided by Malware Patrol are better suited for these companies.

Please contact us to set up an evaluation period, during which you can test our DNS RPZ services.

Andre Correa

Founder, Malware Patrol

Information Security and Threat Intelligence Professional whose qualifications include in-depth knowledge of Internet technologies, the current cyber security landscape, incident response, security mechanisms and best practices. He founded the Malware Patrol project in 2005. The company helps enterprises around the world protect themselves from malware and ransomware attacks through some of the most comprehensive threat data feeds and block lists on the market.
