{
	"id": "d358c617-15b6-4573-9916-a4921d5acd36",
	"created_at": "2026-04-06T00:21:04.571877Z",
	"updated_at": "2026-04-10T03:35:21.467743Z",
	"deleted_at": null,
	"sha1_hash": "a543802c8ae4259ae5192130080fa15bb2a91cdd",
	"title": "Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1893257,
	"plain_text": "Strategically Aged Domain Detection: Capture APT Attacks With\r\nDNS Traffic Trends\r\nBy Zhanhao Chen, Daiping Liu, Wanjin Li, Jielong Xu\r\nPublished: 2021-12-29 · Archived: 2026-04-05 16:47:58 UTC\r\nExecutive Summary\r\nSince the SolarWinds supply chain attack (SUNBURST trojan) was disclosed in December 2020, Palo Alto\r\nNetworks has continuously investigated the campaign to expose any characteristics that could help detect\r\ngeneric advanced persistent threats (APTs). One interesting finding is that the attackers registered the\r\ncommand and control (C2) domain years before they launched intense penetration activity through it. This\r\nbehavior is typical of APT attacks: these actors often penetrate networks broadly and then focus more\r\neffort on high-value targets, so their trojans usually stay dormant in victims' networks until the operators decide\r\non targets and exploit them actively. Attackers also gain a benefit from using strategically aged domains:\r\ndomains registered in advance sometimes take longer to detect when they begin malicious activity because\r\nthey have built a benign reputation over time. Other actors engaged in network abuse such as phishing and\r\nblack hat search engine optimization (SEO) can likewise run campaigns on aged domains to benefit from the\r\nreputation built up over their long lifetime. In addition, attackers usually register multiple domains in advance so that they\r\ncan quickly move the malicious service to a backup domain if the primary entry point is blocked.\r\nMalicious dormant domains show an abnormally sudden increase in traffic when they become involved in active\r\ncampaigns. Therefore, we launched a cloud-based detector to monitor domains' activity and identify these\r\nstrategically aged domains. It extracted about 30,000 domains every day from fine-grained passive domain name\r\nsystem (DNS) data.
These domains typically have limited traffic for months to years and then see their traffic grow more than 10.3\r\ntimes within one day. Their malicious rate is more than three times that of newly\r\nregistered domains (NRDs), and 22.27% of them are malicious, suspicious or not safe for work.\r\nDuring the SolarWinds supply chain attack, the trojan used domain generation algorithms (DGA) to exfiltrate\r\nthe identities of target machines through subdomains. To uncover similar APT attacks, we scan all hostnames of\r\nstrategically aged domains and flag those that activate with a significant number of newly emerging DGA\r\nsubdomains as potential attack domains. Each of these potential attack domains generated about 161 DGA\r\nsubdomains, which carried 43.19% of its burst traffic. As they are identified, these suspicious domains are released to\r\nPalo Alto Networks Next-Generation Firewall security subscriptions, including DNS Security. Here, we present\r\nseveral cases of network abuse captured by our system.\r\nStrategically Aged Domain Detection\r\nIt is well known that NRDs are widely leveraged for various internet abuses. At Palo Alto Networks, we monitor\r\nDNS zone files and passive DNS data to detect NRDs. We advise our customers to block these domains for 32\r\ndays after their registration. Furthermore, we developed a proactive abuse detector to expose emerging malicious\r\ndomains before a patient zero web threat appears. However, it is not enough to focus on the threats behind NRDs\r\nonly.\r\nhttps://unit42.paloaltonetworks.com/strategically-aged-domain-detection/\r\nPage 1 of 8\n\nThreat actors may register domains long before launching attack campaigns on them. There are various\r\nmotivations for this strategy. First, the longer life of aged domains can help them evade some reputation-based detectors. Second, C2 domains belonging to APTs can be inactive for years.
During the\r\ndormant period, APT trojans only send limited “heartbeat” traffic to their C2 servers. Once the attackers decide\r\nwhich targets are valuable to them and start active exploitation, the C2 domain receives significantly more\r\ntraffic. For example, the C2 domain of the SolarWinds supply chain attack, avsvmcloud[.]com, was\r\nregistered in 2018 and stayed dormant for two years before carrying a high volume of attack traffic beginning\r\nin March 2020. We observed that its passive DNS traffic increased around 165 times after the attack started.\r\nTherefore, it is essential to keep monitoring domains' activity and to dig for threats behind aged domains\r\nwith abnormal traffic increases.\r\nAt Palo Alto Networks, we have been collecting passive DNS data for more than 10 years. This dataset gives\r\nus visibility into a domain's activity based on its DNS traffic in our customers' networks as well as the global\r\nnetwork. We recently migrated our passive DNS system to a cloud platform, gaining scalable storage and\r\ncomputing resources. This enables us to generate fine-grained DNS trend data for each hostname. Based on this\r\ntrend data, we developed a detector that identifies domains with abnormally increasing traffic.\r\nOur system quantifies a domain's degree of activity by the volume of its DNS traffic within a specific time window.\r\nWe use two thresholds to divide the activity index range into three groups: dormant domains (those below the 75th\r\npercentile of our activity index), standard domains (those between the 75th and 95th percentile) and highly active\r\ndomains (the top 5%).\r\nWhen a domain starts hosting a newly launched legitimate service, its traffic usually grows gradually. By contrast,\r\nit is abnormal for a domain to stay dormant for a long time and then suddenly receive a large burst of\r\ntraffic.
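The dormant-to-highly-active jump described above, as an added example that is not code from the original post or from Palo Alto Networks: per-domain daily query counts are turned into an activity index, the 75th and 95th percentiles split it into dormant, standard and highly active, and a domain is flagged when it sits in the dormant band for a run of days and then lands in the highly active band within a short jump window. The sample counts, the choice of the raw daily count as the index, the domain-day population used for the percentiles, the 14-day minimum dormancy and the one-day jump window are all constructed assumptions; the page does not state the original system's window sizes or population.

```python
import math
from typing import Dict, List

# Constructed sample: daily DNS query counts per domain over 30 days (hypothetical data,
# not from the original post). 'aged-c2.example' idles for 29 days and bursts on day 29.
DAILY_QUERIES: Dict[str, List[int]] = {
    'aged-c2.example': [3] * 29 + [900],               # dormant, then a sudden burst
    'quiet.example':   [1] * 30,                       # dormant throughout
    'steady.example':  [50] * 30,                      # flat, standard traffic
    'growing.example': [5 * i for i in range(1, 31)],  # legitimate launch: gradual ramp
    'hot.example':     [300] * 30,                     # always highly active, never dormant
}


def percentile(values: List[int], p: float) -> float:
    # Nearest-rank percentile (p in 0..100); avoids a numpy dependency.
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered) / 100.0))
    return float(ordered[rank - 1])


def activity_thresholds(series: Dict[str, List[int]]):
    # The post splits the activity index at the 75th and 95th percentiles. Assumption here:
    # the index is the raw daily query count and the population is every domain-day.
    population = [v for daily in series.values() for v in daily]
    return percentile(population, 75), percentile(population, 95)


def classify(volume: int, p75: float, p95: float) -> str:
    if volume < p75:
        return 'dormant'
    if volume < p95:
        return 'standard'
    return 'highly_active'


def detect_strategically_aged(series, p75, p95, min_dormant_days=14, jump_days=1):
    # Flag a domain that was dormant on each of the min_dormant_days days ending
    # jump_days before day t, and is highly active on day t. A gradual ramp never
    # qualifies because it passes through the standard band first.
    hits = {}
    for domain, daily in series.items():
        states = [classify(v, p75, p95) for v in daily]
        for t in range(min_dormant_days + jump_days, len(daily)):
            if states[t] != 'highly_active':
                continue
            start = t - jump_days - min_dormant_days + 1
            end = t - jump_days + 1
            if all(s == 'dormant' for s in states[start:end]):
                baseline = sum(daily[start:end]) / (end - start)
                hits[domain] = {
                    'activation_day': t,
                    'burst_ratio': daily[t] / max(baseline, 1.0),
                }
                break  # report the first activation only
    return hits


def normalized_trend(daily, activation_day, before=5, after=3):
    # Figure 2 style view: traffic relative to the activation day, whose value becomes 1.0.
    ref = float(daily[activation_day])
    lo = max(0, activation_day - before)
    hi = min(len(daily), activation_day + after + 1)
    return [v / ref for v in daily[lo:hi]]


if __name__ == '__main__':
    p75, p95 = activity_thresholds(DAILY_QUERIES)
    print('thresholds: dormant below', p75, '; highly active from', p95)
    for domain, info in detect_strategically_aged(DAILY_QUERIES, p75, p95).items():
        print(domain, info, normalized_trend(DAILY_QUERIES[domain], info['activation_day']))
```

With these thresholds only aged-c2.example is reported: growing.example crosses into the standard band days before it could ever reach the top band, hot.example is never dormant, and the burst ratio for the flagged domain is its activation-day volume over the mean of the dormant window, which is the same quantity the post reports as a multiple of prior traffic.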
Based on this intuition, our system continuously monitors the traffic of dormant domains and flags\r\nthose that jump to highly active status within a short time as strategically aged domains.\r\nFigure 1. Number of daily strategically aged domains.\r\nFigure 2. Normalized DNS traffic of strategically aged domains.\r\nAs shown in Figure 1, our detector captured around 26,000 strategically aged domains every day in September\r\n2021. In Figure 2, we plot the average DNS traffic around the day strategically aged domains received burst\r\ntraffic. The trend data is normalized to the activation day's traffic, i.e. the normalized DNS traffic of day\r\nzero is 1. On the activation day, these domains' traffic has grown 11.3 times on average. After that, the\r\naverage daily traffic continues to rise, reaching more than six times the activation-day volume. We observed about 1.3 million\r\nDNS requests per day from our DNS Security customers' networks to these domains after they were\r\nactivated.\r\nFigure 3. Category distribution of strategically aged domains.\r\nTo evaluate the threats these strategically aged domains present, we retrieved their categorization from\r\nPalo Alto Networks URL Filtering, as well as their VirusTotal scores. We split the domains into\r\nfour groups: malicious, suspicious, not safe for work and other. The malicious group includes domains categorized as\r\nmalware, command and control, grayware or phishing, or detected by any VirusTotal vendor. The\r\nsuspicious group includes domains categorized as parked, questionable, insufficient content or high risk.\r\nNudity, adult, gambling and similar subjects are labeled as not safe for work.
Those that do not fall into any of these\r\ngroups are tagged as “other.” Of the strategically aged domains, 3.8% are malicious. This percentage is\r\nabout three times that of NRDs, which is 1.27%. Moreover, 24.8% of strategically aged\r\ndomains are malicious, suspicious or not safe for work. For comparison, only 0.07% of the Alexa Top 1,000 domains\r\nfall into these categories.\r\nDGA Subdomain Detection\r\nAfter identifying strategically aged domains, we move on to uncover ongoing attacks based on their DNS\r\ntraffic profiles. We referred to the DNS characteristics of the SolarWinds supply chain attack in order to build a\r\ndetector that can capture similar APT attacks.\r\nDNS Characteristics of the SolarWinds Supply Chain Attack\r\nDuring the SolarWinds campaign's dormant stage, the SUNBURST trojan periodically contacted its C2 domain,\r\navsvmcloud[.]com, to report status and receive commands. This heartbeat communication used static\r\nhostnames and the traffic volume was limited. However, when the C2 domain woke up from the incubation\r\nperiod, the majority of the burst DNS requests were for new subdomains. The trojan dynamically constructed these\r\nhostnames with domain generation algorithms (DGAs) to exfiltrate data. Specifically, the subdomains took\r\nthe form DGAstring.appsync-api.region.avsvmcloud[.]com. The DGA strings were encoded victim\r\nidentities, containing the infected organizations' domain names and security product status. When the attackers'\r\nDNS resolver received requests for these hostnames, it returned CNAME responses pointing to different C2\r\nservers based on the exfiltrated information. In short, the malware leveraged DGA subdomains to exfiltrate data\r\nand provided a proxy layer in front of the attack infrastructure.\r\nApplying These DNS Insights\r\nTo capture similar C2 traffic, our DGA subdomain detector scans all subdomains of strategically aged domains.
It\r\nlabels those with burst DNS requests to DGA subdomains as potential APT C2 domains. After that, we apply\r\nseveral filters to recognize legitimate services based on additional information such as WHOIS records and benign\r\nhostname patterns.\r\nFigure 4. Cumulative distribution function (CDF) of detected domains' DGA traffic rate.\r\nOn average, our DGA subdomain detector identifies two suspicious domains every day. After the activation day,\r\neach detected domain has about 2,443 newly observed subdomains, of which about 161 are DGA\r\nsubdomains. Figure 4 shows the CDF of their DGA traffic percentage after waking up. The DGA traffic rate is\r\nhigher than 36.76% for half of these domains.\r\nCase Studies\r\nAPT Spyware\r\nOur DGA subdomain detector captured the abnormal DNS traffic patterns of the Pegasus spying campaign.\r\nPegasus spyware can infect iOS and Android devices to collect credentials and track user behavior,\r\nincluding calls and geolocation history. The two detected C2 domains, permalinking[.]com and\r\nopposedarrangement[.]net, were registered in 2019 and awoke in July 2021 with a high percentage of DGA traffic.\r\nFigure 5. DNS traffic trend of Pegasus spyware C2 domains.\r\nAs shown in Figure 5, there were around 15 daily DNS requests to the campaign's domains before July 18, 2021.\r\nOn the activation day, the daily DNS traffic suddenly increased 56 times. The campaign used several DGA\r\nsubdomains, such as imgdsg4f35.permalinking[.]com and php78mp9v.opposedarrangement[.]net, to carry C2 traffic.\r\nIn general, the amount of DGA traffic increased following the overall traffic trend. However,\r\nthe percentage of DGA traffic increased significantly during the campaign.
Before July 18, DGA subdomains carried 23.22% of the traffic, compared to 42.04% afterwards.\r\nPhishing\r\nFigure 6. Cloaking script of the phishing gateway hosted on ui1io[.]cn (URLs have been obscured).\r\nBesides C2 domains, our detector also exposed a phishing campaign producing DGA DNS traffic on a\r\nstrategically aged domain. In this phishing attack, the DGA subdomains are used in a similar way to that seen in the\r\nSolarWinds supply chain attack: they provide a proxy layer in front of the actual malicious\r\nwebsites. For example, the script on one of the gateway hostnames,\r\njcxivnmqfqoiopdlvejvgucpmrfgmhwdlrkvzqyb.ui1io[.]cn (Figure 6), forwards the visitor to another phishing DGA domain,\r\ngjahqfcyr[.]cn, when a specific parameter is present in the URL. Otherwise, it redirects to the legitimate bank website. The\r\nDGA subdomain is therefore a cloaking layer that hides the actual phishing content from unwanted visitors and\r\ncrawlers. Our system observed an abnormal increase in traffic to the DGA subdomains of ui1io[.]cn\r\non Oct. 2, 2021.\r\nApart from gateway hostnames, phishing campaigns can use DGA strings to build levelsquatting hostnames,\r\nwhere the generated string separates the deceptive leading labels from the registered domain. For example, the domain\r\nmailingmarketing[.]net was created in 2020. Our system identified it as a strategically aged domain on Sept. 23,\r\n2021, at which time it had 47 new DGA subdomains such as uk.id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.fd685e42f1d69c71708ff549fea71274.mailingmarketing[.]net.\r\nThese subdomains hosted a fake virus scanning page. They are so long that victims may only notice the leading\r\nlabels, take them for a legitimate encrypted login service, and never check the registered domain at the end.
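The subdomain analysis described under Applying These DNS Insights and the levelsquatting hostname just shown, as one added example that is not code from the original post or from Palo Alto Networks: a heuristic DGA-label scorer (length, entropy, vowel share, digit share), the DGA traffic rate and burst ratio per registered domain computed from passive-DNS style records, the list of subdomains first observed on or after the activation day, and a levelsquatting report that counts brand and security words in front of an unrelated registered domain. The records, the scoring thresholds, the keyword list and the last-two-labels rule for the registrable domain are constructed assumptions; the original detector's features and its WHOIS and hostname-pattern filters are not described on the page.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed passive-DNS style records: (day, hostname, query_count). Hypothetical values
# shaped after the Pegasus case: quiet traffic on July 17, a burst on July 18 with a larger
# share going to DGA-looking subdomains. Not data from the original post.
RECORDS: List[Tuple[str, str, int]] = [
    ('2021-07-17', 'www.permalinking.com', 11),
    ('2021-07-17', 'imgdsg4f35.permalinking.com', 4),
    ('2021-07-18', 'www.permalinking.com', 480),
    ('2021-07-18', 'imgdsg4f35.permalinking.com', 250),
    ('2021-07-18', 'k9s2mlp0aw.permalinking.com', 60),   # newly observed on the burst day
    ('2021-07-18', 'cdn.opposedarrangement.net', 20),
    ('2021-07-18', 'php78mp9v.opposedarrangement.net', 110),
]
LEVELSQUAT_FQDN = ('uk.id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.'
                   'trackid.piwikb7c1867dd7ba9c57.fd685e42f1d69c71708ff549fea71274.mailingmarketing.net')
BRAND_TERMS = {'login', 'ssl', 'security', 'update', 'secure', 'account', 'verify', 'id'}


def labels(hostname: str) -> List[str]:
    return hostname.lower().rstrip('.').split('.')


def registrable_domain(hostname: str) -> str:
    # Simplification (assumption): the last two labels. Real code should consult the Public
    # Suffix List so that names under co.uk, com.cn and similar suffixes split correctly.
    return '.'.join(labels(hostname)[-2:])


def shannon_entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def is_dga_label(label: str) -> bool:
    # Heuristic, not a trained model: long labels that are high-entropy with few vowels, or
    # digit-heavy, look machine generated. Thresholds are assumptions fitted to the hostnames
    # quoted in the post and would need calibration on real traffic.
    if len(label) < 8:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in 'aeiou' for c in letters) / max(len(letters), 1)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    return (shannon_entropy(label) >= 3.0 and vowel_ratio < 0.3) or digit_ratio >= 0.3


def is_dga_host(hostname: str) -> bool:
    # Only the labels below the registrable domain are scanned.
    return any(is_dga_label(part) for part in labels(hostname)[:-2])


def daily_totals(records, domain) -> Dict[str, List[int]]:
    totals = defaultdict(lambda: [0, 0])   # day -> [all queries, queries to DGA hosts]
    for day, host, count in records:
        if registrable_domain(host) != domain:
            continue
        totals[day][0] += count
        if is_dga_host(host):
            totals[day][1] += count
    return dict(totals)


def dga_traffic_rate(records, domain, day) -> float:
    total, dga = daily_totals(records, domain).get(day, [0, 0])
    return dga / total if total else 0.0


def burst_ratio(records, domain, day, previous_day) -> float:
    totals = daily_totals(records, domain)
    return totals[day][0] / max(totals.get(previous_day, [0, 0])[0], 1)


def new_subdomains(records, domain, activation_day) -> List[str]:
    # Hostnames first seen on or after the activation day (the post counts about 2,443 per domain).
    first_seen: Dict[str, str] = {}
    for day, host, _ in sorted(records):
        if registrable_domain(host) == domain:
            first_seen.setdefault(host, day)
    return sorted(h for h, d in first_seen.items() if d >= activation_day)


def levelsquat_report(hostname: str) -> dict:
    # Deceptive leading labels (brand and security words, DGA fillers) ahead of an unrelated domain.
    subs = labels(hostname)[:-2]
    report = {
        'registrable': registrable_domain(hostname),
        'brand_terms': sum(part in BRAND_TERMS for part in subs),
        'dga_labels': sum(is_dga_label(part) for part in subs),
        'length': len(hostname),
    }
    report['suspicious'] = report['brand_terms'] >= 2 and (report['dga_labels'] >= 1 or report['length'] >= 60)
    return report


if __name__ == '__main__':
    for domain in ('permalinking.com', 'opposedarrangement.net'):
        for day in ('2021-07-17', '2021-07-18'):
            print(domain, day, 'DGA rate', round(dga_traffic_rate(RECORDS, domain, day), 4))
    print('burst', burst_ratio(RECORDS, 'permalinking.com', '2021-07-18', '2021-07-17'))
    print('new', new_subdomains(RECORDS, 'permalinking.com', '2021-07-18'))
    print(levelsquat_report(LEVELSQUAT_FQDN))
```

The DGA rate is the quantity plotted in Figure 4, computed here as DGA-host queries over all queries for the registered domain on one day; the same label scorer is reused by the levelsquatting report, which in the quoted hostname counts six brand or security words and three generated fillers in front of mailingmarketing.net.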
Mobile users are especially at risk: mobile browsers may not display the fully qualified domain name\r\n(FQDN) in the address bar and show only the truncated beginning of the string.\r\nWildcard DNS Abuse\r\nFigure 7. Randomly generated website hosted on fiorichiari[.]com.\r\nOur system also captured several cases in which gray services leverage DGA subdomains to build their\r\ninfrastructure. For example, fiorichiari[.]com has a wildcard DNS record that points all of its subdomains to the same IP address. The service operator registered\r\nthe domain on July 27, 2021. We observed burst DNS requests for its DGA subdomains starting Sept. 29, 2021.\r\nThese hostnames serve randomly generated websites that fill website templates with random strings\r\n(Figure 7). They could be used for black hat SEO: the pages link to each other to obtain a high\r\nrank from search engine crawlers without providing any valuable information.\r\nConclusion\r\nThreat actors can register domains long before using them in attack campaigns. For example, APT malware\r\ncan stay dormant for years and then suddenly activate and produce a large amount of exploitation traffic through\r\nits C2 domains. Our cloud-based passive DNS system enables us to identify domains with\r\nabnormal traffic increase patterns as strategically aged domains. These domains have a higher malicious\r\npercentage than NRDs. We also developed a detector that recognizes malicious strategically aged domains\r\nbased on their traffic distribution and subdomain characteristics.
These suspicious domains may leverage DGA\r\nto exfiltrate data through DNS traffic, provide proxy layers in front of the attack services and create\r\nlevelsquatting hostnames.\r\nAt Palo Alto Networks, our strategically aged domain and DGA subdomain detection system monitors passive\r\nDNS trend data to expose potential attacks. To protect our customers, the system releases the detection results with\r\nthe grayware category to Palo Alto Networks Next-Generation Firewall security subscriptions in real time.\r\nIndicators of Compromise\r\navsvmcloud[.]com\r\nfiorichiari[.]com\r\ngjahqfcyr[.]cn\r\nimgdsg4f35.permalinking[.]com\r\njcxivnmqfqoiopdlvejvgucpmrfgmhwdlrkvzqyb.ui1io[.]cn\r\nmailingmarketing[.]net\r\nopposedarrangement[.]net\r\npermalinking[.]com\r\nphp78mp9v.opposedarrangement[.]net\r\nui1io[.]cn\r\nuk.id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.fd685e42f1d69c71708ff549fea71274.mailingmarketing[.]net\r\nSource: https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/"
	],
	"report_names": [
		"strategically-aged-domain-detection"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a543802c8ae4259ae5192130080fa15bb2a91cdd.pdf",
		"text": "https://archive.orkl.eu/a543802c8ae4259ae5192130080fa15bb2a91cdd.txt",
		"img": "https://archive.orkl.eu/a543802c8ae4259ae5192130080fa15bb2a91cdd.jpg"
	}
}