Cybersecurity researchers have identified a growing trend where threat actors are increasingly exploiting Dynamic DNS providers to host malicious infrastructure, posing significant risks to enterprise organizations worldwide.
Dynamic DNS providers, also known as publicly rentable subdomain providers, have become attractive targets for malicious actors due to their accessibility and limited regulatory oversight.
These services essentially function as “mini domain registrars” without the same level of scrutiny that legitimate domain registrars face.
Unlike traditional domain registration, which requires compliance with ICANN and IANA processes, Dynamic DNS providers need only purchase a domain and establish their own routing infrastructure.
Silent Push’s latest research reveals that over 70,000 domains are currently renting subdomains through these services, many of which operate with minimal oversight and lax security controls.
The appeal for threat actors lies in several key factors. Many providers accept cryptocurrency payments and advertise anonymous registration without requiring “Know Your Customer” details.
This combination of anonymity and minimal verification creates an ideal environment for malicious actors to establish command and control infrastructure while evading detection.
Types of Subdomain Rental Services
The Dynamic DNS ecosystem encompasses various service models, each presenting different security challenges:
Limited Control Services: These providers restrict DNS A record configuration while allowing some content control. Services like Blogspot fall into this category, though methods exist to circumvent default content restrictions.
Content-Only Control: Platforms such as pages.dev allow users to freely set content while maintaining control over DNS records and IP addresses.
Full Control Services: Premium offerings like afraid.org provide complete hosting and content control, typically available through paid plans. These services present the highest risk as they offer threat actors maximum flexibility for malicious activities.
Silent Push’s threat intelligence team has developed sophisticated monitoring capabilities to track the Dynamic DNS ecosystem.
Their research methodology combines multiple data sources to provide comprehensive coverage of potential threats.
The tracking system incorporates data from the Public Suffix List, focusing on the “Private Domains” subsection that includes both enterprise services and lower-quality providers.
The team has devoted particular attention to afraid.org, which operates tens of thousands of domains renting subdomains, with some dating back approximately 25 years.
PADNS lookups for the related NS records can be performed in the Silent Push platform.
The complexity of tracking these services is illustrated by afraid.org’s “stealth” domains, which aren’t publicly listed and can only be identified through NameServer record analysis.
Silent Push’s platform has identified over 591,000 results through NameServer DNS searches for afraid.org alone.
Major Threat Actor Campaigns
High-profile threat groups have extensively leveraged Dynamic DNS services for malicious operations. APT29 was documented exclusively using Dynamic DNS domains for their QUIETEXIT command and control communications in 2022.
The Gamaredon group has been observed utilizing these services in campaigns targeting Ukrainian entities, while Scattered Spider incorporated publicly rentable domains in their January 2025 operations.
APT28 (Fancy Bear) received specific mention in a 2024 FBI report for heavy utilization of Dynamic DNS domains. The widespread adoption of these services by advanced persistent threat groups demonstrates their effectiveness in evading traditional security measures.
Additional notable cases include APT33’s use of custom and Dynamic DNS domains, the DDGroup threat actor’s heavy reliance on these services for C2 communications, and APT Group Gallium’s documented usage in 2022.
The historical precedent extends back to 2014 when Microsoft led efforts to take over No-IP Dynamic DNS domains that were heavily used in ongoing attacks.
The security implications of Dynamic DNS abuse extend beyond simple domain hosting. These services can inadvertently appear on enterprise allow lists, creating potential security gaps when employees request access to blocked content.
When threat actors control subdomains on services that don’t respond to abuse complaints, the infrastructure becomes highly attractive for command and control communications.
Unlike traditional domains where both registrars and hosting providers can be contacted for takedown requests, Dynamic DNS services often present limited remediation options.
The persistence of malicious subdomains represents a significant concern. Even when cybersecurity companies identify and report malicious activity, subdomains may remain active due to unresponsive providers or inadequate abuse handling procedures.
Mitigations
Silent Push recommends that enterprise organizations implement proactive monitoring and blocking strategies for publicly rentable domains. Their Bulk Data Exports provide comprehensive coverage of tracked domains that rent subdomains and offer Dynamic DNS services.
Organizations should establish risk-based policies for handling connections to these domains. Some enterprises may require complete blocking of all connections unless users manually request specific exclusions. Others may find that alerting mechanisms provide sufficient visibility while maintaining operational flexibility.
The key principle for defenders is recognizing that individual subdomains within these services can vary dramatically in legitimacy.
While one subdomain may serve legitimate purposes, another on the same service could host malicious infrastructure. This diversity creates unique defensive challenges that require nuanced security approaches.
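As an added example (not Silent Push's, afraid.org's or any provider's code), the Python below combines the two tracking signals described earlier, the Public Suffix List's PRIVATE DOMAINS section and NS records that point at a subdomain-rental provider, with the block-or-alert policy choice from the mitigations above. The PSL fragment, the NS data, the resolver log lines and the tier assignments are all constructed for illustration.

```python
# Added example (not Silent Push code): triage DNS-log names against PSL private suffixes and provider NS records.
PSL_TEXT = """// ===BEGIN PRIVATE DOMAINS===
// Blogger : https://www.blogger.com
blogspot.com
pages.dev
// ===END PRIVATE DOMAINS===
"""  # constructed fragment laid out like the real publicsuffix.org list file
# Constructed passive-DNS style NS data (apex -> nameservers); control tiers
# follow the article's limited / content-only / full categories.
NS_RECORDS = {"rented-example.net": ["ns1.afraid.org", "ns2.afraid.org"],
              "corp-example.com": ["ns1.corp-example.com"]}
TIER = {"blogspot.com": "limited", "pages.dev": "content", "afraid.org": "full"}
POLICY = {"limited": "alert", "content": "alert", "full": "block"}
def private_suffixes(psl_text):
    """Suffixes between the PRIVATE DOMAINS markers (wildcard and ! rules ignored)."""
    out, inside = set(), False
    for line in map(str.strip, psl_text.splitlines()):
        if line.startswith("// ===BEGIN PRIVATE"):
            inside = True
        elif line.startswith("// ===END PRIVATE"):
            inside = False
        elif inside and line and not line.startswith("//"):
            out.add(line.lower())
    return out
PRIVATE = private_suffixes(PSL_TEXT)
def rental_suffix(host):
    """Longest private suffix of which host is a strict subdomain, else None."""
    labels = host.lower().rstrip(".").split(".")
    parents = (".".join(labels[i:]) for i in range(1, len(labels)))
    return next((p for p in parents if p in PRIVATE), None)
def ns_provider(host):
    """Provider zone (a TIER key) whose nameservers serve a parent of host, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        for ns in NS_RECORDS.get(".".join(labels[i:]), []):
            for zone in TIER:
                if ns == zone or ns.endswith("." + zone):
                    return zone
    return None
def classify(host):
    """(provider, action) for one queried name; names with no known provider are allowed."""
    provider = rental_suffix(host) or ns_provider(host)
    return provider, POLICY.get(TIER.get(provider), "allow")
def triage(log_lines):
    """Constructed resolver log format '<ts> <client> <qname>' -> {qname: action}."""
    return {l.split()[-1]: classify(l.split()[-1])[1] for l in log_lines}
DNS_LOG = ["2025-05-01T10:00:01Z 10.0.0.5 news.example.com",  # constructed log lines
           "2025-05-01T10:00:02Z 10.0.0.5 myblog.blogspot.com",
           "2025-05-01T10:00:03Z 10.0.0.7 c2.rented-example.net"]
```

Which tier maps to "block" versus "alert" is the risk-based policy decision described above; the suffix list and NS data would come from the live PSL and passive DNS in practice.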
The Dynamic DNS threat landscape continues evolving as these services gain popularity among both legitimate users and threat actors. Many providers operate as shell companies or entities with documented histories of ignoring abuse reports.
Across the business sector that supports subdomain rental, malicious use currently outweighs benign use, with some enterprise offerings experiencing heavy exploitation by serious threat actors.
Silent Push’s ongoing monitoring efforts throughout 2025 will track new developments in this space, including identification of additional repositories of publicly rentable domains and emerging Dynamic DNS providers.
The cybersecurity community’s collaborative approach to identifying and tracking these services remains essential for maintaining effective defensive postures against this growing threat vector.