Skip to main content
Back to Security Snacks
TLDs

Auto-Registering of Domains

Published on: 
September 6, 2023

Suspicious campaigns registering thousands of domains across cheaper TLDs

We observed multiple suspicious campaigns recently auto-registering thousands of domains across cheaper TLDs such as .cfd and .bond. While their purpose is not yet apparent, and the two sets of events appear unconnected, here's what we've observed so far:

More than 10k domains in 3 days across .cfd registered through Aceville Pte. Ltd. with higher-than-average Iris risk scores fitting several pseudorandom-looking/DGA patterns. Examples:

388aqo001[.]cfd
4qwljn001[.]cfd
8hgsxe001[.]cfd

adix348002[.]cfd
adpzfsn002[.]cfd
aerx7v9002[.]cfd

91-yongjiudizhi-f19q4x8j-dpq[.]cfd
91-yongjiudizhi-q8hkazxp-sij[.]cfd

And several thousand .bond domains newly registered through Key-Systems fitting one of the following patterns:

security-jobs-#####
cyber-security-degree-#####
cyber-security-jobs-#####
homeland-security-jobs-#####
cyber-security-#####
security-surveillance-cameras-#####
home-security-#####
password-manager-#####

Related Content

SecuritySnacks
Cybersecurity Reading List - Week of 2026-06-01
Commentary followed by links to cybersecurity articles and resources that caught our interest internally.
Learn More
SecuritySnacks
SecuritySnack - Hijacking Corporate Sessions
A sophisticated AiTM phishing kit bypassing traditional MFA to steal Microsoft 365 session cookies. Get the full breakdown and IOCs.
Learn More
SecuritySnacks
Cybersecurity Reading List - Week of 2026-05-04
Systems thinking, biolistics, and the danger of mop-up science in infosec — plus this month's reading on ransomware, RPKI exploits, cPanel, and LLM pollution.
Learn More

Heading

SecuritySnacks
Research
Newsletters
Podcast Episodes
About
No items found.