Suspicious campaigns registering thousands of domains across cheaper TLDs
We observed multiple suspicious campaigns recently auto-registering thousands of domains across cheaper TLDs such as .cfd and .bond. While their purpose is not yet apparent, and the two sets of events appear unconnected, here's what we've observed so far:
More than 10k domains in 3 days across .cfd registered through Aceville Pte. Ltd. with higher-than-average Iris risk scores fitting several pseudorandom-looking/DGA patterns. Examples:
388aqo001[.]cfd
4qwljn001[.]cfd
8hgsxe001[.]cfd
adix348002[.]cfd
adpzfsn002[.]cfd
aerx7v9002[.]cfd
91-yongjiudizhi-f19q4x8j-dpq[.]cfd
91-yongjiudizhi-q8hkazxp-sij[.]cfd
And several thousand .bond domains newly registered through Key-Systems fitting one of the following patterns:
security-jobs-#####
cyber-security-degree-#####
cyber-security-jobs-#####
homeland-security-jobs-#####
cyber-security-#####
security-surveillance-cameras-#####
home-security-#####
password-manager-#####
