The Shadow Internet: A New Report Exposes How Cybercriminals Exploit Subdomain Rental Services
Experts at Silent Push have released an in-depth study on subdomain rental services, often referred to in documentation and forums as Dynamic DNS. These platforms allow any user to acquire a third-level domain and host their own content with minimal oversight from domain owners. Such freedom inevitably attracts malicious actors: rented subdomains are frequently exploited for C2 traffic, phishing operations, and hosting malicious payloads. Silent Push reports that it is actively tracking around 70,000 domains offering subdomains for rent in real time.
The researchers describe three operational models. In the first, hosting control is absent and part of the content is pre-configured by the provider — similar to Blogspot, though templates can be partially concealed. In the second, hosting is still uncontrolled but content can be modified freely, as with pages.dev. The third model offers full DNS control and independent hosting, usually under paid plans, exemplified by afraid[.]org. In effect, these platforms act as “mini-registrars” without ICANN or IANA procedures: one simply purchases a domain, configures routing, and sets up billing. The picture is further complicated by cryptocurrency payments without KYC checks and weak abuse reporting channels, enabling malicious nodes to persist far longer than they otherwise might.
Silent Push emphasizes that monitoring such ecosystems is a non-trivial challenge. Some services appear under “Private Domains” in the Public Suffix List, which includes major providers like Blogspot and pages.dev. Yet the vast majority of “low-quality” rental hosts are absent from the PSL, which does not accept external submissions, forcing researchers to catalog them separately. A special focus is given to afraid[.]org, which manages tens of thousands of domains, some over 25 years old, with new additions each month. Beyond public domains, there are stealth variants visible only through NS records. A single NS query for afraid[.]org yielded more than 591,000 results, illustrating the immense scale of this ecosystem.
Alongside afraid[.]org, the team identifies other notable providers: ChangeIP, CloudDNS, DNSexit, DuckDNS, DuiaDNS, DynDNS, Dynu, NowDNS, YDNS, and NoIP. They also highlight AttractSoft, a smaller operator whose domains have been linked to attacks against Ukraine; Silent Push has prepared a specific fingerprint for it in private threat reports. According to the researchers, the subdomain rental market is sustained by shell companies and anonymous owners, with malicious use cases far outnumbering benign ones.
The history of abuse stretches back years, encompassing a wide spectrum of actors. Gamaredon has leveraged such domains in its campaigns; Scattered Spider exploited a rented subdomain in January 2025; TA406 made use of mygamesonline[.]org; and several APT groups have employed similar schemes in the past. As early as 2014, Microsoft was forced to intervene and seize a tranche of No-IP domains that were abused by attackers. Subdomain rental services remain attractive precisely because they allow threat infrastructure to persist online even after warnings and takedown requests.
For defenders, these services present numerous pitfalls. They sometimes appear on corporate allowlists, and employees may request access to specific resources, pressuring administrators into the risky step of exempting the entire apex domain from filtering. When providers ignore abuse complaints, their infrastructure becomes especially valuable for long-lived C2 channels. Unlike traditional domains, where registrars and hosting companies can be pressured into action, rented subdomains offer fewer points of enforcement, leaving even publicly exposed addresses active for months.
To mitigate risk, Silent Push has prepared Bulk Data Exports covering all tracked subdomain rental and Dynamic DNS providers, along with IOFA feeds for early identification of attack infrastructure. Recommendations vary — from outright blocking of connections to such domains, to deploying finely tuned alerts depending on organizational risk tolerance. The team will continue monitoring this sector throughout 2025 and urges defenders to weigh context carefully: one subdomain may be harmless, while its neighbor could be part of an active malware campaign. With the growing popularity of rental services and their weak accountability, caution remains the only prudent strategy.
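The alerting approach described above, sketched as an added example that is not code from Silent Push or from this article: DNS query names are matched on whole labels against a list of rental suffixes, and exceptions are granted per hostname rather than per apex domain. The suffix list, allowlist entry, log format and log lines are constructed assumptions; a real deployment would load the suffixes from a provider feed.

```python
# Added example: triage DNS query names against a subdomain-rental suffix list.
# RENTAL_SUFFIXES, ALLOWED_HOSTS and SAMPLE_LOG are constructed samples, not feed data.
RENTAL_SUFFIXES = {"mygamesonline.org", "pages.dev", "rental-zone.example"}
# Exceptions are granted per full hostname, never for a whole apex domain.
ALLOWED_HOSTS = {"docs-team.pages.dev"}

def normalize(name):
    """Lower-case, refang '[.]' and drop the trailing root dot."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")

def rental_suffix(host, suffixes=RENTAL_SUFFIXES):
    """Return the longest listed suffix the host sits under, else None.
    Matching is on whole labels, so 'notpages.dev' does not match 'pages.dev'."""
    labels = normalize(host).split(".")
    # Start at 1: the listed apex itself is the provider, not a rented subdomain.
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return None

def classify(host, allowed=ALLOWED_HOSTS):
    """Map a queried name to 'pass', 'allow' or 'alert'."""
    if rental_suffix(host) is None:
        return "pass"
    return "allow" if normalize(host) in allowed else "alert"

def triage(log_lines):
    """Parse 'timestamp client qname' lines; return (client, qname, suffix) alerts."""
    alerts = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        if classify(qname) == "alert":
            alerts.append((client, normalize(qname), rental_suffix(qname)))
    return alerts

SAMPLE_LOG = [  # constructed log lines
    "2025-01-01T10:00:00Z 10.0.0.5 docs-team.pages.dev.",
    "2025-01-01T10:00:02Z 10.0.0.7 login-portal.pages.dev",
    "2025-01-01T10:00:03Z 10.0.0.7 notpages.dev",
    "2025-01-01T10:00:04Z 10.0.0.9 a.b.MyGamesOnline.org",
    "2025-01-01T10:00:05Z 10.0.0.9 mygamesonline.org",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Only the two unexempted rented subdomains are reported; the approved hostname, the lookalike apex and the provider apex itself are not.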