Auto-Registering of Domains

Published on:

September 6, 2023

On This Page

Suspicious campaigns registering thousands of domains across cheaper TLDs

We observed multiple suspicious campaigns recently auto-registering thousands of domains across cheaper TLDs such as .cfd and .bond. While their purpose is not yet apparent, and the two sets of events appear unconnected, here's what we've observed so far:

More than 10k domains in 3 days across .cfd registered through Aceville Pte. Ltd. with higher-than-average Iris risk scores fitting several pseudorandom-looking/DGA patterns. Examples:

388aqo001[.]cfd
4qwljn001[.]cfd
8hgsxe001[.]cfd

adix348002[.]cfd
adpzfsn002[.]cfd
aerx7v9002[.]cfd

91-yongjiudizhi-f19q4x8j-dpq[.]cfd
91-yongjiudizhi-q8hkazxp-sij[.]cfd

And several thousand .bond domains newly registered through Key-Systems fitting one of the following patterns:

security-jobs-#####
cyber-security-degree-#####
cyber-security-jobs-#####
homeland-security-jobs-#####
cyber-security-#####
security-surveillance-cameras-#####
home-security-#####
password-manager-#####

Related Content

SecuritySnacks

Cybersecurity Reading List - Week of 2026-02-02

Commentary followed by links to cybersecurity articles and resources that caught our interest internally.

Learn More

SecuritySnacks

SecuritySnack: Phishing Interviews

Phishing campaign targets job seekers with fake career portals and interview invites, stealing ID.me credentials and deploying malware since August 2025.

Learn More

SecuritySnacks

Pay to Lose: Dubious Online Gambling Games

Be wary of "real money" games this New Year. This report uncovers hundreds of fake Android gambling apps using spoofed reviews, fake win declarations, and "waistcoat" shells to trick users into sideloading unregulated, predatory gambling software.

Learn More

Auto-Registering of Domains

Suspicious campaigns registering thousands of domains across cheaper TLDs

Heading