A new analysis from Silent Push Threat Analysts highlights the growing misuse of publicly rentable subdomain providers, also known as Dynamic DNS (DDNS) services, by cybercriminals and advanced persistent threat (APT) groups. These services, often marketed as flexible hosting solutions, have become hotbeds for command-and-control (C2) servers, phishing sites, and malware delivery infrastructure.
Silent Push explains, “Publicly rentable subdomain providers, also known as ‘Dynamic DNS providers,’ can be benign, but they are also frequently exploited by threat actors who take advantage of lower-quality, temporary hosting arrangements.”
Unlike traditional domain registrars bound by ICANN and IANA regulations, these services simply purchase a domain and sell subdomains with little to no oversight. Many also accept cryptocurrency payments and “openly advertise that they never need to share credentials or provide ‘Know Your Customer’ details.”
This anonymity makes them attractive to malicious actors, who can maintain infrastructure even when reported to abuse channels. As Silent Push notes, “Even though cybersecurity companies may be aware of a malicious subdomain, report it, and post it on numerous public systems and lists, a given subdomain could still remain active due to the lack of strong remediation options.”
Silent Push documents extensive abuse of DDNS providers across high-profile threat campaigns:
- Gamaredon has repeatedly used DDNS domains in espionage against Ukraine.
- Scattered Spider relied on a rentable domain in a January 2025 campaign.
- APT28 (Fancy Bear) and APT29 were both reported leveraging DDNS for C2 operations.
- APT33, Gallium, and APT10 have historically incorporated DDNS domains into attacks.
- Commodity malware like DarkComet has also been widely distributed using these infrastructures.
This pattern underscores how DDNS services blur the line between “legitimate” infrastructure and attacker-controlled ecosystems.
To counter this threat, Silent Push has built extensive monitoring datasets. The report states, “Silent Push has created a set of data export reports that monitor more than 70,000 domains renting subdomains to help enterprise organizations more closely monitor and alert—or block outright—the connections to these hosts, based on their risk tolerance.”
These exports combine data from:
- The Public Suffix List (PSL), which tracks some enterprise services like Blogspot and Cloudflare Pages.
- Large-scale providers such as afraid[.]org, DuckDNS, and NoIP.
- Stealth domains only discoverable via NameServer records, outside public listings.
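The three-source approach described above, as an added defender-side example that is not code from Silent Push or the report: hostnames from resolver log lines are checked against a PSL-style list, a DDNS provider list, and a set of "stealth" zones whose NS records point at a DDNS provider, then mapped to an alert-or-block action by risk tolerance. All zone names, NS records and log lines below are constructed for illustration; a real deployment would load the Public Suffix List and a vendor export instead.

```python
import re

# Constructed illustrative data; load the PSL and a real export in production.
PSL_RENTABLE = {"blogspot.com", "pages.dev"}                 # PSL-listed services
DDNS_PROVIDERS = {"duckdns.org", "no-ip.org", "afraid.org"}  # large-scale DDNS zones
NS_RECORDS = {  # apex -> NS hosts, as would be gathered from NS lookups (constructed)
    "rentme-example.net": ["ns1.afraid.org", "ns2.afraid.org"],
    "corp.example": ["ns1.corp.example"],
}
DDNS_NAMESERVER_ZONES = ("afraid.org", "duckdns.org")

def matching_suffix(host, zones):
    """Longest zone that `host` is a proper subdomain of, or None."""
    host = host.lower().rstrip(".")
    hits = [z for z in zones if host.endswith("." + z)]
    return max(hits, key=len) if hits else None

def apex_of(host):
    """Two-label apex (simplification; use the PSL for real registrable domains)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def ns_delegated_to_ddns(apex):
    """True if the apex's nameservers live under a known DDNS provider zone."""
    return any(ns.lower().endswith("." + z)
               for ns in NS_RECORDS.get(apex, []) for z in DDNS_NAMESERVER_ZONES)

def classify(host, risk_tolerance="moderate"):
    """Return (action, reason). 'low' tolerance blocks every rentable host;
    'moderate' blocks DDNS/stealth zones and only alerts on PSL-listed services."""
    if (z := matching_suffix(host, DDNS_PROVIDERS)):
        return "block", f"subdomain of DDNS provider {z}"
    if ns_delegated_to_ddns(apex_of(host)):
        return "block", f"{apex_of(host)} delegated to DDNS nameservers"
    if (z := matching_suffix(host, PSL_RENTABLE)):
        return ("block" if risk_tolerance == "low" else "alert"), f"PSL rentable suffix {z}"
    return "allow", "not under a known rentable zone"

LOG_RE = re.compile(r"client=(?P<client>\S+) query=(?P<qname>\S+)")

def scan_dns_log(lines, risk_tolerance="moderate"):
    """Return (client, qname, action, reason) for every non-allowed query."""
    findings = []
    for line in lines:
        if (m := LOG_RE.search(line)):
            action, reason = classify(m["qname"], risk_tolerance)
            if action != "allow":
                findings.append((m["client"], m["qname"], action, reason))
    return findings

SAMPLE_LOG = [  # constructed resolver log lines
    "2025-01-15T10:00:01Z client=10.0.0.5 query=updates.sample-host.duckdns.org type=A",
    "2025-01-15T10:00:02Z client=10.0.0.7 query=www.example.com type=A",
    "2025-01-15T10:00:03Z client=10.0.0.9 query=login.rentme-example.net type=A",
    "2025-01-15T10:00:04Z client=10.0.0.4 query=team.blogspot.com type=A",
]
```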