Silent Push has identified over 70,000 domains providing subdomain rental services that threat actors increasingly exploit for malicious operations, highlighting a growing cybersecurity concern that enterprise organizations must address through enhanced monitoring and defensive strategies.
Dynamic DNS (DDNS) providers, also known as publicly rentable subdomain services, allow users to register subdomains and host content with minimal oversight compared to traditional domain registrars.
These services operate with varying levels of control, from platforms like Blogger (formerly Blogspot), which restrict IP configuration, to services like afraid[.]org, which offer complete hosting and content control under paid plans.
Exploitation by Advanced Persistent Threat Groups
Multiple sophisticated threat actors have leveraged dynamic DNS infrastructure for command and control communications and attack staging.
APT29 exclusively used dynamic DNS domains for their QUIETEXIT C2 operations in 2022, while APT28 (Fancy Bear) heavily utilized these services according to a 2024 FBI report.
The Gamaredon group and Scattered Spider have also incorporated dynamic DNS domains into recent campaigns targeting various sectors.
TA406 demonstrated the tactical advantage of these services by using AttractSoft dynamic DNS provider domains in attacks against Ukrainian entities, while APT33 combined custom domains with dynamic DNS infrastructure for operational flexibility.
The DDGroup threat actor has maintained long-term command and control (C2) communications through dynamic DNS platforms, demonstrating their reliability for sustained operations.
Chinese APT10 and APT Group Gallium have similarly adopted dynamic DNS services. In 2014, Microsoft led takedown efforts against No-IP domains due to widespread criminal abuse.
The deployment of DarkComet malware through a dynamic DNS infrastructure further demonstrates the versatility of these platforms for malware distribution.
Security Challenges and Defensive Gaps
Dynamic DNS providers present unique security challenges due to their operational characteristics.
Many services accept cryptocurrency payments and advertise anonymous registration, often without Know Your Customer (KYC) requirements, creating attractive options for threat actors seeking operational security.
Unlike traditional domain registrars subject to ICANN oversight, subdomain rental services operate with minimal regulatory constraints.
The absence of standardized abuse reporting mechanisms compounds the problem. While some providers, like afraid[.]org, maintain abuse channels, response times remain untracked publicly, allowing non-responsive services to harbor malicious infrastructure indefinitely.
This contrasts with traditional domains, where both registrars and hosting providers can be contacted for takedown requests.
Silent Push’s research reveals that tracking these services requires complex methodologies beyond the Public Suffix List, which covers only enterprise-grade providers.
The company monitors afraid[.]org’s tens of thousands of domains, including “stealth” domains discoverable only through NameServer records, alongside major providers like ChangeIP, CloudDNS, DuckDNS, and NoIP.
![Source: https://freedns[.]afraid[.]org/](https://cyberpress.org/wp-content/uploads/2025/09/image-334.png)
Enterprise organizations should implement risk-based approaches to dynamic DNS domains, ranging from complete blocking to enhanced alerting based on organizational risk tolerance.
The persistent nature of subdomain rental schemes and their growing popularity among threat actors necessitate proactive defensive measures and continuous monitoring of this evolving threat landscape.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
