Threat actors are exploiting a diverse range of top-level domains (TLDs) for phishing campaigns, with the .li domain extension emerging as the most dangerous by ratio.
According to recent analysis, an unprecedented 57.22% of observed .li domains have been flagged as malicious, making it the highest-risk TLD currently in active use by cybercriminals.
ANY.RUN reports twenty TLDs that pose the greatest threats to organizations and individuals, with domains like .es, .sbs, .dev, .cfd, and .ru frequently appearing in fake login pages, document delivery scams, and credential harvesting operations.
This research underscores the evolving landscape of cyber threats and the critical need for enhanced domain monitoring across Security Operations Centers (SOCs).
.li Domain Emerges as Primary Phishing Vector
While .li domains rank first by malicious ratio, researchers note that many of these domains don’t directly host phishing payloads.
Instead, they function as sophisticated redirectors that guide victims through multi-stage attack chains toward malicious landing pages or malware downloads.
This redirection technique makes .li domains particularly insidious, as they often slip through traditional detection pipelines that focus primarily on final payload hosting.
The redirector methodology represents a significant evolution in phishing tactics, allowing threat actors to maintain operational resilience even when primary phishing sites are discovered and blocked.
By redirecting with a server-side PHP header() call, a client-side JavaScript location.replace() call, or an HTML meta refresh tag, attackers can seamlessly reroute victims while maintaining the appearance of legitimacy.
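The three redirect techniques above leave different traces in an HTTP response: a 3xx status with a Location header, a meta refresh tag in the HTML, or a JavaScript location call in the body. The following is an added example (not code from ANY.RUN or the article) that recognises all three from captured responses, follows the chain hop by hop, and reports every hop whose TLD is on a watchlist. The chain, the hostnames and the watchlist are constructed assumptions built from the TLDs the article names; the fetch function is a stand-in for a real HTTP client so the code runs offline.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumption: a watchlist assembled from the TLDs named in the article.
# The article reports malicious ratios; it does not publish a block list.
HIGH_RISK_TLDS = {"li", "es", "sbs", "dev", "cfd", "ru", "icu", "su"}

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
META_REFRESH_RE = re.compile(r"""http-equiv\s*=\s*["']?refresh""", re.IGNORECASE)
CONTENT_URL_RE = re.compile(
    r"""content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*["']?([^"'>\s]+)""", re.IGNORECASE
)
JS_CALL_RE = re.compile(r"""location\.(?:replace|assign)\s*\(\s*["']([^"']+)["']""", re.IGNORECASE)
JS_ASSIGN_RE = re.compile(r"""location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def tld_of(host):
    """Last DNS label of a hostname, lower-cased ('' if there is no dot)."""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def extract_redirect_target(status, headers, body, base_url):
    """Return (technique, absolute_next_url) for the first redirect found, else None."""
    # 1. Server-side redirect: PHP header("Location: ...") yields a 3xx + Location header.
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location:
        return "http-location", urljoin(base_url, location)
    # 2. HTML meta refresh: <meta http-equiv="refresh" content="0;url=...">
    for tag in META_TAG_RE.findall(body):
        if META_REFRESH_RE.search(tag):
            m = CONTENT_URL_RE.search(tag)
            if m:
                return "meta-refresh", urljoin(base_url, m.group(1))
    # 3. Client-side JavaScript: location.replace("..."), location.assign, or assignment.
    for pattern in (JS_CALL_RE, JS_ASSIGN_RE):
        m = pattern.search(body)
        if m:
            return "javascript", urljoin(base_url, m.group(1))
    return None


def walk_chain(fetch, start_url, max_hops=10):
    """Follow redirects using fetch(url) -> (status, headers, body); record every hop."""
    hops = [{"url": start_url, "tld": tld_of(urlsplit(start_url).hostname or ""),
             "technique": "start"}]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = extract_redirect_target(status, headers, body, url)
        if nxt is None:
            break  # final landing page reached
        technique, url = nxt
        hop = {"url": url, "tld": tld_of(urlsplit(url).hostname or ""), "technique": technique}
        if url in seen:  # redirect loop: record it and stop
            hop["loop"] = True
            hops.append(hop)
            break
        seen.add(url)
        hops.append(hop)
    return hops


def risky_hops(hops):
    """Hops on watchlisted TLDs, including intermediates a final-host-only check would miss."""
    return [h for h in hops if h["tld"] in HIGH_RISK_TLDS]


# Constructed sample chain (hostnames are invented): .li redirector -> .sbs -> .sbs -> .com landing.
SAMPLE_RESPONSES = {
    "https://redir-test.li/go": (302, {"Location": "https://cdn-step.example.sbs/doc.html"}, ""),
    "https://cdn-step.example.sbs/doc.html": (
        200, {}, '<html><head><meta http-equiv="refresh" content="0;url=/next.html"></head></html>'),
    "https://cdn-step.example.sbs/next.html": (
        200, {}, '<script>location.replace("https://docs-login.example.com/");</script>'),
    "https://docs-login.example.com/": (200, {}, "<html>final landing page</html>"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs behave like a 404."""
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    chain = walk_chain(fake_fetch, "https://redir-test.li/go")
    for hop in chain:
        print(f"{hop['technique']:14} {hop['url']}")
    print("watchlisted hops:", len(risky_hops(chain)), "final TLD:", chain[-1]["tld"])
```

Run on the constructed chain, the final landing page sits on .com, so a pipeline that only scores the final host sees nothing, while the hop list shows three watchlisted intermediates (.li, .sbs, .sbs). In production, replace fake_fetch with a sandboxed HTTP client that follows no redirects on its own, so every hop is observed rather than collapsed.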
Budget TLDs Enable Mass Phishing
The analysis reveals that budget-friendly TLDs including .sbs, .cfd, and .icu have become preferred choices for large-scale phishing operations due to their extremely low registration costs.
Domain registration for .sbs costs as little as $1.54 for the first year, while .cfd domains are available for similar prices.
These economical options enable threat actors to register hundreds or thousands of disposable domains for coordinated attacks.
Historical data from the Cybercrime Information Center shows that .sbs domains had 11,224 phishing registrations with a phishing domain score of 225.9, while .cfd domains recorded 5,558 malicious registrations.
The .icu TLD, marketed with the phrase “I see you,” has also become increasingly popular among cybercriminals, with 3,171 phishing domains identified in recent quarters.
Perhaps most concerning is the abuse of legitimate hosting platforms, particularly Cloudflare’s pages.dev and workers.dev services.
Attackers hosting on these platforms borrow Cloudflare’s trusted reputation and global infrastructure to create convincing phishing sites that appear legitimate to non-technical users.
Recent studies indicate that phishing incidents on Pages.dev increased by 198% between 2023 and 2024, rising from 460 reported cases to 1,370 incidents.
The Tycoon 2FA phishing kit has been particularly active on these platforms, implementing sophisticated evasion mechanisms including browser fingerprinting, CAPTCHA challenges, and C2 domain triangulation using TLDs from the .ru, .es, .su, .com, .net, and .org pool.
These attacks often begin with compromised Amazon Simple Email Service accounts and progress through complex redirect chains before presenting victims with credential theft pages.
Organizations must implement comprehensive TLD monitoring strategies and leverage interactive sandbox environments to analyze suspicious domains in real-time, extracting indicators of compromise (IOCs) to strengthen their defensive postures against these evolving threats.
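One concrete form of the TLD monitoring recommended above is a pass over outbound proxy logs that counts requests per TLD, tracks what share of traffic goes to watchlisted TLDs, and flags hosts on the abused hosting platforms named earlier. The following is an added example, not code from ANY.RUN or the article. The log format, the hostnames and the watchlist are constructed assumptions; the watchlist is built from the TLDs the article names and is not a list the article publishes.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: watchlist assembled from the TLDs the article names.
HIGH_RISK_TLDS = {"li", "sbs", "cfd", "icu", "es", "ru", "su"}
# Alert on the abused platform suffixes rather than on all of .dev, which also
# carries a large amount of legitimate developer traffic.
ABUSED_PLATFORM_SUFFIXES = (".pages.dev", ".workers.dev")

# Constructed sample proxy log (not real traffic): timestamp, user, URL, HTTP status.
SAMPLE_LOG = """\
2024-06-01T09:01:12Z alice https://mail.example.com/inbox 200
2024-06-01T09:02:40Z bob https://share-doc-4471.pages.dev/login 200
2024-06-01T09:03:05Z alice https://secure-verify.example.sbs/index.php 302
2024-06-01T09:03:06Z alice https://acct-review.example.cfd/auth 200
2024-06-01T09:04:19Z carol https://developer.example.dev/docs 200
2024-06-01T09:05:00Z bob https://update-check.example.li/r 302
2024-06-01T09:06:33Z dave https://intranet.example.com/home 200
"""


def parse_log(text):
    """Parse the four-field log format into records with host and TLD extracted."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole batch
        ts, user, url, status = parts
        host = (urlsplit(url).hostname or "").lower()
        records.append({
            "ts": ts, "user": user, "url": url, "host": host,
            "tld": host.rsplit(".", 1)[-1] if "." in host else "",
            "status": int(status),
        })
    return records


def requests_per_tld(records):
    """Request volume per TLD; a new TLD appearing in the top entries is itself a signal."""
    return Counter(r["tld"] for r in records)


def watchlist_share(records):
    """Fraction of requests that went to a watchlisted TLD; trend this over time."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if r["tld"] in HIGH_RISK_TLDS)
    return hits / len(records)


def findings(records):
    """Per-request findings: watchlisted TLD and/or abused hosting-platform subdomain."""
    out = []
    for r in records:
        reasons = []
        if r["tld"] in HIGH_RISK_TLDS:
            reasons.append(f"high-risk TLD .{r['tld']}")
        if r["host"].endswith(ABUSED_PLATFORM_SUFFIXES):
            reasons.append("abused hosting platform subdomain")
        if reasons:
            out.append({"ts": r["ts"], "user": r["user"], "host": r["host"], "reasons": reasons})
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("requests per TLD:", dict(requests_per_tld(recs)))
    print(f"watchlist share: {watchlist_share(recs):.2%}")
    for f in findings(recs):
        print(f["ts"], f["user"], f["host"], "; ".join(f["reasons"]))
```

On the constructed log the .sbs, .cfd and .li hosts and the pages.dev subdomain are flagged, while developer.example.dev is not, which is the point of matching the platform suffix instead of the whole .dev TLD. Hosts this pass surfaces are the ones worth submitting to an interactive sandbox for IOC extraction; the pass itself only prioritises, it does not block.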