New Domains Drive Surge in DNS-Based Attacks, Outpacing Phishing and Malware in Early 2025

Cybercriminals are increasingly leveraging newly registered domains as key tools in DNS-based attacks, marking a shift in threat patterns observed during the first quarter of 2025. According to DNSFilter’s Q1 security report, “new domains” have overtaken phishing and malware to become the most trafficked threat category on the network, signaling an alarming rise in their use for malicious purposes.

Sharp Rise in New Domain Activity

DNSFilter observed a 140% increase in new domain activity compared to the final quarter of 2024. By early April 2025, nearly 19% of these domains were flagged as potentially malicious, though not all new domains inherently pose a threat.

This trend reflects a strategic shift: rather than a sheer increase in the number of new domains, threat actors are now using them more intensively and tactically. Blocking such domains—particularly those that have yet to be categorized—can be an effective preventive measure against emerging threats.

Why Attackers Prefer New Domains

New domains provide cybercriminals with several tactical advantages:

  • Bypass blocklists: Fresh domains are not immediately listed on security blacklists, giving attackers a window of opportunity.
  • Custom branding: Threat actors can tailor domain names to mirror trending topics or legitimate services.
  • Rapid execution: Attacks can begin minutes after domain registration, with many phishing domains taken offline within hours.

The Rise of Fast Flux Techniques

One of the most concerning developments is the increased use of fast flux DNS techniques. This approach allows attackers to:

  • Rapidly rotate IP addresses linked to a domain (single flux)
  • Rotate both IPs and DNS name servers (double flux)

These methods obscure the origin of malicious traffic and increase the resilience of attacker infrastructure, often used in command-and-control (C2) systems and malware delivery networks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that many organizations are still underprepared for fast flux tactics. Mitigation measures include employing DNS and IP blocklists, firewall rules, and non-routable DNS responses.
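Detection logic for the two flux patterns described above, as an added example that is not from DNSFilter's report or CISA's guidance: it groups passive-DNS style observations per domain and flags many IPs rotating behind a short TTL as single flux, and rotating name servers on top of that as double flux. The record format, thresholds, domain names and TEST-NET addresses are all constructed for illustration.

```python
"""Toy fast-flux classifier over constructed passive-DNS observations."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    ts: int      # observation time, seconds since epoch
    qname: str   # domain that was resolved
    rtype: str   # "A" or "NS"
    rdata: str   # resolved IP (A) or name-server host (NS)
    ttl: int     # TTL returned with the answer


def _records(domain, ips, nss, ttl, start=1_700_000_000, step=60):
    """Build constructed observations: one A record per IP, one NS per host."""
    recs = [DnsObservation(start + i * step, domain, "A", ip, ttl) for i, ip in enumerate(ips)]
    recs += [DnsObservation(start + i * step, domain, "NS", ns, ttl) for i, ns in enumerate(nss)]
    return recs


# Constructed sample data (RFC 5737 documentation ranges, made-up hostnames).
OBSERVATIONS = (
    _records("login-verify.example", [f"203.0.113.{i}" for i in range(1, 9)],
             [f"ns{i}.rotating.example" for i in range(1, 5)], ttl=30)
    + _records("promo-update.example", [f"198.51.100.{i}" for i in range(10, 17)],
               ["ns1.host.example", "ns2.host.example"], ttl=60)
    + _records("static.example", ["192.0.2.10", "192.0.2.11"],
               ["ns1.host.example", "ns2.host.example"], ttl=3600)
)


def classify_flux(observations, window=3600, min_ips=5, min_ns=3, max_ttl=300):
    """Return {domain: "double flux" | "single flux" | "stable"}.

    Within `window` seconds of a domain's first sighting, count distinct A-record
    IPs and distinct NS hosts. Fast flux depends on short TTLs so rotation takes
    effect quickly, so a TTL ceiling on the A records is part of the test.
    """
    by_domain = defaultdict(list)
    for obs in observations:
        by_domain[obs.qname].append(obs)
    verdicts = {}
    for domain, recs in by_domain.items():
        start = min(r.ts for r in recs)
        recent = [r for r in recs if r.ts - start <= window]
        ips = {r.rdata for r in recent if r.rtype == "A"}
        nss = {r.rdata for r in recent if r.rtype == "NS"}
        low_ttl = all(r.ttl <= max_ttl for r in recent if r.rtype == "A")
        if low_ttl and len(ips) >= min_ips and len(nss) >= min_ns:
            verdicts[domain] = "double flux"
        elif low_ttl and len(ips) >= min_ips:
            verdicts[domain] = "single flux"
        else:
            verdicts[domain] = "stable"
    return verdicts
```

Real deployments would tune the thresholds against a baseline, since legitimate CDNs also return many IPs with short TTLs but rarely rotate their name servers.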

Additional Q1 Observations

  • The most blocked Top-Level Domain (TLD) in Q1 was .pw, commonly misused in place of .com for malicious purposes.
  • Despite the rise of new domains, traditional threats persist. Malware and phishing attacks still made up 46% of all threats, underscoring their continued relevance.

Strategic Blocking Yields Tangible Benefits

DNSFilter recommends organizations implement category-based blocking, especially targeting new domains. This strategy can:

  • Reduce false alerts and alleviate SOC workloads
  • Lower SIEM storage requirements
  • Cut investigation time and alert fatigue
  • Result in cost savings and improved ROI

As threat actors continue to innovate, proactive DNS filtering remains a powerful line of defense. Blocking new domains—though not a silver bullet—can be a high-leverage move to reduce exposure to fast-moving threats in an evolving cybersecurity landscape.

News source: circleid. This article does not represent our position.
