Full Report
Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.
Analysis Summary
# Tool/Technique: Abuse of Top-Level Domains (TLDs) in Phishing
## Overview
This summary details the observed abuse of specific Top-Level Domains (TLDs)—such as .li, .es, .sbs, .cfd, .ru, and .dev—by threat actors in 2025 to host phishing pages, harvest credentials, distribute malware, or act as intermediary redirectors in multi-stage attack chains. The attackers' aim is to exploit the low registration cost of some TLDs and the perceived legitimacy of others (and of the hosting platforms that use them) to slip past reputation-based and static blocklist detection.
## Technical Details
- Type: Technique (Domain Abuse/Infrastructure)
- Platform: Web/Internet Infrastructure (Affecting users across all major operating systems)
- Capabilities: Domain registration for illicit purposes; redirection services; hosting deceptive login portals.
- First Seen: Ongoing, high-frequency observation noted in 2025 data.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (When the attachment carries a link to a page on an abused domain)
- T1566.002 - Spearphishing Link (Most relevant: the abused domain hosts the linked phishing page or the redirector in front of it)
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (HTTP/HTTPS carries the redirect chain and payload delivery; note that this sub-technique is defined for command-and-control traffic, so the mapping is a loose fit for content hosting)
## Functionality
### Core Capabilities
- **Redirection:** TLDs like **.li** are heavily used as redirectors, masking the final malicious destination by acting as an innocuous middleman in multi-hop attack chains.
- **Credential Harvesting:** TLDs are used to host convincing fake login portals (e.g., Microsoft 365, banking sites) targeting users based on regional association (e.g., **.es** for Spanish-speaking users).
- **Low-Cost Infrastructure:** Cheap TLDs like **.sbs** are utilized due to their low registration barriers, enabling the rapid deployment of disposable phishing kits.
### Advanced Features
- **Trust Exploitation:** TLDs associated with trusted platforms (e.g., **.dev**, a Google-operated TLD that is HSTS-preloaded in major browsers, and tenant subdomains of developer hosting platforms such as Cloudflare's pages.dev and workers.dev) are leveraged because the page comes with a valid HTTPS certificate and a polished hosting environment at no cost, increasing perceived legitimacy. The reputation a victim sees belongs to the platform, not to the individual tenant who registered the subdomain.
- **Impersonation:** Domains are used to mimic official services like delivery scams, corporate portals, or government sites to elicit immediate action from victims.
## Indicators of Compromise
Since the report focuses on TLD usage rather than specific malware, the IOCs are pattern-level (TLD-based) rather than atomic indicators:
- File Hashes: N/A (Focus is on domain infrastructure)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
- TLDs with a high volume of malicious use observed in 2025 (example categories): **.li**, **.es**, **.sbs**, **.cfd**, **.ru**, **.dev**.
- Highest malicious ratio: **.li** (57% of observed .li domains flagged as malicious).
- Behavioral Indicators:
- Immediate browser redirection upon loading a suspicious URL.
- Traffic flow involving multiple hops before landing on the final credential harvesting or malware payload site.
## Associated Threat Actors
- Unknown Threat Actors (Generic phishing campaigns leveraging infrastructure availability)
- Groups utilizing high-volume, low-cost infrastructure (Associated with **.sbs** and **.cfd** abuse).
## Detection Methods
- **Sandbox Analysis (ANY.RUN Focus):** Tracing the full, real-time redirection paths to uncover the final malicious landing page, which static blacklists often miss.
- **Behavioral Detection:** Monitoring for immediate, silent browser redirects following initial domain contact.
- **Domain Scoring/Reputation:** Analyzing the ratio of malicious-to-benign usage for specific TLDs (e.g., identifying high-risk TLDs like **.li**).
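As an added example (not ANY.RUN's code or tooling), the following script applies the behavioral and TLD-scoring detections above to web-proxy logs: it reconstructs HTTP 30x redirect chains per client, counts only cross-host hops (so an intra-site http-to-https or old-to-new redirect is not treated as suspicious), and scores the landing domain by TLD. The log format, the hostnames, the numeric risk weights and the thresholds are assumptions for illustration; the TLDs in the table are the ones the report names, but the weights are not the report's measured ratios.

```python
"""Reconstruct redirect chains from proxy logs and score the landing TLD.

Added example, not ANY.RUN's code. The log format, risk weights and
thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Hypothetical risk weights per TLD (0..1). TLDs come from the report; the
# numbers are illustrative only.
TLD_RISK = {"li": 0.57, "sbs": 0.5, "cfd": 0.5, "es": 0.3, "ru": 0.3, "dev": 0.2}

# Constructed proxy log lines (assumed format):
# <iso timestamp> <client ip> <status> <requested url> <Location header or "-">
SAMPLE_LOG = """\
2025-03-04T10:00:00 10.0.0.5 302 http://hop1-test.li/x7 https://hop2-test.cfd/go
2025-03-04T10:00:00 10.0.0.5 302 https://hop2-test.cfd/go https://m365-login-test.sbs/auth
2025-03-04T10:00:01 10.0.0.5 200 https://m365-login-test.sbs/auth -
2025-03-04T10:05:00 10.0.0.9 200 https://news-test.es/noticias -
2025-03-04T10:06:00 10.0.0.9 301 http://news-test.es/old https://news-test.es/new
2025-03-04T10:06:00 10.0.0.9 200 https://news-test.es/new -
"""


def parse_line(line):
    ts, client, status, url, location = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "status": int(status), "url": url,
            "location": None if location == "-" else location}


def tld_of(url):
    """Last DNS label of the host. Caveat: for ccSLDs such as .co.uk this
    returns 'uk'; use the Public Suffix List if that matters."""
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()


def external_hops(chain):
    """Number of redirects that change the host (intra-site hops are ignored)."""
    hosts = [urlsplit(u).hostname for u in chain]
    return sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)


def reconstruct_chains(log_text):
    """Follow 30x Location headers per client into ordered URL lists."""
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        by_client[rec["client"]].append(rec)
    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        pending = {}  # URL we expect the client to fetch next -> chain so far
        for rec in recs:
            chain = pending.pop(rec["url"], None)
            chain = [rec["url"]] if chain is None else chain + [rec["url"]]
            if 300 <= rec["status"] < 400 and rec["location"]:
                pending[rec["location"]] = chain
            else:
                chains.append((client, chain))
        # Redirect issued but target never fetched: still worth reporting.
        chains.extend((client, chain) for chain in pending.values())
    return chains


def assess(chain, hop_threshold=2):
    """Return (score, reasons) for one chain; score is clamped to [0, 1]."""
    reasons = []
    hops = external_hops(chain)
    landing = tld_of(chain[-1])
    if hops >= hop_threshold:
        reasons.append(f"{hops} cross-host redirect hops before landing")
    if TLD_RISK.get(landing, 0.0) >= 0.5:
        reasons.append(f"lands on high-abuse TLD .{landing}")
    if hops >= 1 and tld_of(chain[0]) == "li" and landing != "li":
        reasons.append(".li domain used as redirector")
    score = min(1.0, 0.3 * hops + TLD_RISK.get(landing, 0.0))
    return round(score, 2), reasons


def find_suspicious(log_text, min_score=0.5):
    """Chains scoring at or above min_score, ready for alerting."""
    hits = []
    for client, chain in reconstruct_chains(log_text):
        score, reasons = assess(chain)
        if score >= min_score:
            hits.append({"client": client, "chain": chain,
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["client"], hit["score"], " -> ".join(hit["chain"]), hit["reasons"])
```

On the sample log only the `.li -> .cfd -> .sbs` chain is reported; the Spanish news site's own 301 is scored as a zero-hop visit to a .es page. Two limitations worth keeping in mind: client-side redirects (meta refresh, JavaScript `location` changes) never appear as 30x responses, which is why the report leans on sandbox tracing rather than proxy logs alone, and the naive last-label TLD extraction misclassifies ccSLDs unless you use the Public Suffix List.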
## Mitigation Strategies
- **Real-Time Traffic Monitoring:** Employ sandboxing technologies capable of executing and tracing multiple URL redirections to expose the entire attack chain.
- **User Education:** Increase vigilance regarding TLDs known for high abuse rates, especially when suspicious links come via email or SMS.
- **Infrastructure Monitoring:** For organizations, harden internal DNS and proxy policy against TLDs with a historically high malicious utilization rate. Block outright only TLDs with little legitimate business use (e.g., **.sbs**, **.cfd**), keep explicit allowlist exceptions for vetted partners, and treat ccTLDs with large legitimate populations (e.g., **.es**, **.ru**) with alerting or step-up inspection rather than a blanket block, since the report's ratios describe observed abuse, not every domain under the TLD.
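One way to express that DNS policy, as an added example that is not from ANY.RUN's report, is a BIND-style Response Policy Zone (RPZ). The zone below blocks the low-cost TLDs the report associates with disposable phishing kits, shows the over-broad rule a practitioner should avoid, and demonstrates how a specific allowlisted name overrides a wildcard block because the most specific match wins. The zone name, SOA values and the partner hostname are hypothetical.

```zone
$TTL 300
@                       IN SOA  localhost. hostmaster.localhost. (2025030401 3600 900 604800 300)
                        IN NS   localhost.

; Too coarse: this would also block every legitimate Spanish site the
; business talks to. Alert on .es instead of blocking it.
; es                    CNAME   .
; *.es                  CNAME   .

; Block TLDs with a high observed abuse ratio and little business need.
; "CNAME ." makes the resolver answer NXDOMAIN for the name and all subdomains.
sbs                     CNAME   .
*.sbs                   CNAME   .
cfd                     CNAME   .
*.cfd                   CNAME   .
li                      CNAME   .
*.li                    CNAME   .

; Most-specific name wins: a vetted partner under a blocked TLD still resolves.
partner-portal-test.li  CNAME   rpz-passthru.
```

In BIND 9 the zone is activated with a `response-policy { zone "<zone name>"; };` statement in named.conf; log matches before enforcing so that false positives surface first. The same TLD list can be mirrored as a proxy category rule so that hosts resolving through other paths are covered too.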
## Related Tools/Techniques
- URL Shorteners (Similar technique used for link obfuscation)
- Domain Fronting (Used for infrastructure masking)
- Phishing Kits (Often deployed on compromised or newly registered domains like **.cfd** or **.sbs**)