Cybercriminals Exploit 19 New TLDs for Malicious Activities
Over the past year, 19 new top-level domains (TLDs) have been introduced, and a study conducted by Palo Alto Networks has revealed that these domains are being actively exploited for various cyberattacks. Among the identified threats are large-scale phishing campaigns, the distribution of potentially unwanted programs, torrent sites, and even projects associated with pranks and memes.
The Internet now encompasses over 1,000 generic top-level domains (gTLDs) registered in the Internet Assigned Numbers Authority (IANA) database. Each year, new domains are added to this number, creating more opportunities for malicious actors. Particularly concerning are TLDs that resemble popular file extensions, such as .zip, or specialized identifiers like .bot.
Researchers have discovered a clear correlation between the availability dates of new domains and their popularity. This indicates that various groups—both legitimate users and cybercriminals—closely monitor the launch of new TLDs to begin domain registration. While some use these domains for lawful purposes, others see them as a gateway for cyberattacks and fraud.
Notable attention has been drawn to domains such as .zip, .ing, and .bot. For instance, the .zip domain, which became available on May 10, 2023, immediately attracted cybercriminals. By May 16, there was a significant increase in traffic to .zip domains, indicating a mass registration of domains within this TLD. Similarly, the .ing domain, launched on December 5, 2023, garnered a substantial number of users and malicious actors on its very first day.
One example is a campaign involving traffic redirection to phishing sites. Within this campaign, 112 domains were registered in new TLDs, forming a closely linked phishing network. All domains redirected users to various URLs, indicating participation in a coordinated attack.
Another identified threat involves the use of .bot domains. Cybercriminals registered 92 domains with names resembling those of people, cities, or random words, and used them to redirect users to fake chat services. These services could be exploited for fraud, spam, or the collection of personal data.
Additionally, the use of .esq, .zip, and .foo domains for distributing torrent links was uncovered. This cluster of domains shows how such infrastructure evolves to adapt to blocking by security systems, continuing to distribute content through new domains.
Moreover, researchers have observed that domains resembling file extensions are increasingly being used for trolling. For instance, .zip and .mov domains were found redirecting users to the popular Rickroll meme—Rick Astley’s “Never Gonna Give You Up” video.
The study has made it clear that the emergence of new top-level domains poses a serious threat to cybersecurity. To mitigate the risks, companies must closely monitor domain registrations in new TLDs and respond swiftly to suspicious activity. Experts emphasize the importance of implementing modern protective measures to detect and prevent attacks leveraging new top-level domains.
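To make the monitoring recommendation concrete, here is an added Python example (not part of the study or this article) that flags hostnames in constructed DNS/proxy log lines whose TLD is one of those named above, and separately picks out file-name-looking tokens such as "report.zip" in free text that a mail or chat client might turn into a link. The watchlist, log line format and sample entries are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Watchlist built from the TLDs named in the study (constructed for this
# example; extend it with the new gTLDs your organisation tracks).
WATCHED_TLDS = {"zip", "mov", "ing", "bot", "esq", "foo"}
# TLDs that double as file extensions: a bare token such as "invoice.zip"
# in mail or chat may be auto-linked into a hostname by the client.
EXTENSION_LIKE_TLDS = {"zip", "mov"}
# File-name-looking tokens that mail or chat clients may turn into links.
_TOKEN_RE = re.compile(
    r"\b[\w-]+(?:\.[\w-]+)*\.(?:" + "|".join(sorted(EXTENSION_LIKE_TLDS)) + r")\b",
    re.IGNORECASE)

# Constructed DNS/proxy log lines: "<timestamp> <client> <host-or-url>".
SAMPLE_LOG = [
    "2024-01-15T10:00:01Z 10.0.0.5 www.example.com",
    "2024-01-15T10:00:02Z 10.0.0.5 https://www.example.com/files/data.zip",
    "2024-01-15T10:00:03Z 10.0.0.7 https://attachment-example.zip/download",
    "2024-01-15T10:00:04Z 10.0.0.8 chat-example.bot",
]

def classify_host(host):
    """Tag a hostname whose last label is a watched TLD, or return None."""
    host = host.lower().rstrip(".")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld not in WATCHED_TLDS:
        return None
    return "extension-like-tld" if tld in EXTENSION_LIKE_TLDS else "new-tld"

def scan_log(lines):
    """Flag entries whose hostname (not URL path) ends in a watched TLD."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        target = parts[2]
        # Parse URLs so that /files/data.zip in a path is not taken for a host.
        host = urlsplit(target).hostname if "://" in target else target
        tag = classify_host(host or "")
        if tag:
            findings.append((host, tag))
    return findings

def find_linkifiable_tokens(text):
    """Return tokens in free text that would resolve as .zip/.mov hostnames."""
    return _TOKEN_RE.findall(text)
```

A real deployment would feed this from a DNS or proxy log source and raise alerts on the "extension-like-tld" tag first, since those hosts are the ones a user is most likely to reach by accident.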