Infographic illustrating Dynamic DNS abuse: icons of subdomain rentals leading to C2 servers, threat actor groups (APT28, APT29, APT10) with arrows to obfuscated networks, 70,000 domains counter, and defensive barriers like monitoring tools and domain blo

Cybersecurity experts warn of a rising threat as malicious actors exploit Dynamic DNS providers to build resilient command-and-control (C2) infrastructure. These subdomain rental services, meant for legitimate hosting, allow attackers to evade traditional security and regulations with ease. Their minimal registration hurdles and lax oversight—unlike ICANN-bound domain registrars—enable rapid deployment of malicious setups without identity checks, fostering a low-risk environment for cybercriminals.


Analysis shows threat actors abusing around 70,000 such domains, leveraging the legitimacy of parent domains to host malicious content while automating DNS management for added stealth. High-profile groups like Russia's APT28 (Fancy Bear) and APT29 have used them extensively for C2 in campaigns like QUIETEXIT. Chinese APTs, including APT10 and APT33, also integrate Dynamic DNS into operations, underscoring its global appeal for persistent threats across diverse actors.


In C2 abuse, attackers create obfuscated, redundant networks by registering subdomains across providers, using domain generation algorithms for dynamic switching and time-based rotations to ensure continuity despite blocks. This distributed, automated approach minimizes detection, operational footprint, and costs, posing major challenges for defenders in monitoring and mitigating these evolving infrastructures.
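The rotation pattern described above is also what gives defenders a detection handle: one host that resolves many distinct, short-lived subdomains under Dynamic DNS parent domains in a short window looks nothing like a home NAS pinned to a single name. The following Python script is an added example, not code from the original post or from any vendor; the parent-domain list and the DNS query log are constructed placeholder values (`.example` names), and a real deployment would load a curated provider list and feed it from resolver logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed placeholder list of Dynamic DNS parent domains (assumption).
DDNS_PARENTS = {"dyn.example", "ddns.example", "hosts.example"}

# Constructed sample resolver log: "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2024-05-01T10:00:03 10.1.1.20 update.corp.example
2024-05-01T10:00:05 10.1.1.20 a1b2c3d4.dyn.example
2024-05-01T10:05:06 10.1.1.20 9f8e7d6c.dyn.example
2024-05-01T10:10:04 10.1.1.20 x7y6z5w4.ddns.example
2024-05-01T10:15:05 10.1.1.20 q2w3e4r5.dyn.example
2024-05-01T10:20:02 10.1.1.20 z9y8x7w6.hosts.example
2024-05-01T10:21:00 10.1.1.21 mynas.dyn.example
2024-05-01T11:30:00 10.1.1.21 mynas.dyn.example
"""

def parse_log(text):
    """Yield (timestamp, client, normalized qname) for each log line."""
    for line in text.splitlines():
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")

def ddns_parent(qname):
    """Return the Dynamic DNS parent domain a name is rented under, or None."""
    labels = qname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in DDNS_PARENTS:
            return parent
    return None

def find_rotating_clients(log_text, window_minutes=30, min_distinct=3):
    """Flag clients that resolve >= min_distinct different DDNS subdomains
    within any window_minutes span; a single stable name never triggers."""
    per_client = defaultdict(list)
    for ts, client, qname in parse_log(log_text):
        if ddns_parent(qname):
            per_client[client].append((ts, qname))
    alerts = {}
    for client, events in per_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            limit = window_minutes * 60
            names = {q for t, q in events[i:] if (t - start).total_seconds() <= limit}
            if len(names) >= min_distinct:
                alerts[client] = sorted(names)  # distinct names seen in window
                break
    return alerts

if __name__ == "__main__":
    for client, names in find_rotating_clients(SAMPLE_LOG).items():
        print(f"ALERT {client}: {len(names)} rotating DDNS names: {names}")
```

Tune `window_minutes` and `min_distinct` against your own baseline; legitimate users of a single Dynamic DNS hostname stay below the threshold, while the rotation behaviour the post describes crosses it.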
 
NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.