{
	"id": "522d178b-8c62-4a41-9919-d1d1f0318823",
	"created_at": "2026-04-06T02:12:35.66703Z",
	"updated_at": "2026-04-10T13:12:32.300944Z",
	"deleted_at": null,
	"sha1_hash": "f529ed05ba5fe30c98133273e2c727417e6d5b14",
	"title": "Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1217690,
	"plain_text": "Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime\r\nBy Janos Szurdi, Rebekah Houser, Daiping Liu\r\nPublished: 2022-09-21 · Archived: 2026-04-06 01:54:34 UTC\r\nExecutive Summary\r\nCybercriminals compromise domain names to attack the owners or users of the domains directly, or use them for various\r\nnefarious endeavors, including phishing, malware distribution, and command and control (C2) operations. A special case of\r\nDNS hijacking is called domain shadowing, where attackers stealthily create malicious subdomains under compromised\r\ndomain names. Shadowed domains do not affect the normal operation of the compromised domains, making it hard for\r\nvictims to detect them. The inconspicuousness of these subdomains often allows perpetrators to take advantage of the\r\ncompromised domain’s benign reputation for a long time.\r\nCurrent threat research-based detection approaches are labor-intensive and slow as they rely on the discovery of malicious\r\ncampaigns that use shadowed domains before they can look for related domains in various data sets. To address these issues,\r\nwe designed and implemented an automated pipeline that can detect shadowed domains faster on a large scale for campaigns\r\nthat are not yet known. Our system processes terabytes of passive DNS logs every day to extract features about candidate\r\nshadowed domains. Building on these features, it uses a high-precision machine learning model to identify shadowed\r\ndomain names. 
Our model finds hundreds of shadowed domains created daily under dozens of compromised domain names.\r\nEmphasizing the difficulty of discovering shadowed domains, we found that only 200 domains were marked as malicious by\r\nvendors on VirusTotal out of 12,197 shadowed domains automatically detected by us between April 25 and June 27, 2022.\r\nAs an example, we give a detailed account of a phishing campaign leveraging 649 shadowed subdomains under 16\r\ncompromised domains such as bancobpmmavfhxcc.barwonbluff.com[.]au and carriernhoousvz.brisbanegateway[.]com. The\r\nperpetrators leveraged the benign reputation of these domains to spread fake login pages harvesting credentials. VT vendor\r\nperformance is much better for this specific campaign, marking as malicious 151 out of the 649 shadowed domains – but\r\nstill less than one quarter of all the domains.\r\nPalo Alto Networks provides protection against shadowed domains leveraging our automated classifier in multiple Palo Alto\r\nNetworks Next-Generation Firewall cloud-delivered security services, including DNS Security and Advanced URL\r\nFiltering. Additionally, customers can leverage Cortex XDR to alert on and respond to domain shadowing when used for C2\r\ncommunications.\r\nHow Domain Shadowing Works\r\nCybercriminals use domain names for various nefarious purposes, including communication with C2 servers, malware\r\ndistribution, scams and phishing. To help perpetrate these activities, crooks can either purchase domain names (malicious\r\nregistration) or compromise existing ones (DNS hijacking/compromise). Avenues for criminals to compromise a domain\r\nname include stealing the login credential of the domain owner at the registrar or DNS service provider, compromising the\r\nregistrar or DNS service provider, compromising the DNS server itself, or abusing dangling domains.\r\nDomain shadowing is a subcategory of DNS hijacking, where attackers attempt to stay unnoticed. 
First, cybercriminals\r\nstealthily insert subdomains under the compromised domain name. Second, they keep existing records to allow the normal\r\noperation of services such as websites, email servers and any other services using the compromised domain. By ensuring the\r\nundisturbed operation of existing services, the criminals make the compromise inconspicuous to the domain owners and the\r\ncleanup of malicious entries unlikely. As a result, domain shadowing provides attackers access to virtually unlimited\r\nsubdomains inheriting the compromised domain’s benign reputation.\r\nWhen attackers change the DNS records of existing domain names, they aim to target the owners or users of these domain\r\nnames. However, criminals often use shadowed domains as part of their infrastructure to support endeavors such as generic\r\nphishing campaigns or botnet operations. In the case of phishing, crooks can use shadowed domains as the initial domain in\r\na phishing email, as an intermediate node in a malicious redirection (e.g., in a malicious traffic distribution system), or as a\r\nlanding page hosting the phishing website. In the case of botnet operations, a shadowed domain can be used, for example, as\r\na proxy domain to conceal C2 communication.\r\nIn Table 1, we collect example shadowed domains used as part of a recent phishing campaign automatically discovered by\r\nour detector. The attackers compromised several domain names that have existed for many years and thus built up a good\r\nreputation. We can observe that the IP addresses of these domains (and IPs of their benign subdomains) are located in either\r\nAustralia (AU) or the United States (US). Suspiciously, all the shadowed domains have IP addresses located in Russia (RU)\r\n– a different country and autonomous system from the parent domains. Furthermore, all shadowed domains in this campaign\r\nuse an IP address from the same /24 IP subnet (the first three numbers are the same in the IP address). 
An additional\r\nindicator of malice we noticed is that all the malicious subdomains shown were activated around the same time and were\r\noperational for a relatively short period.\r\nhttps://unit42.paloaltonetworks.com/domain-shadowing/\r\nPage 1 of 5\n\nFQDN | IP Address | CC | First Seen | Last Seen | Time Active*\r\nhalont.edu[.]au | 103.152.248[.]148 | AU | 2020-11-23 | 2022-06-28 | ~ 9 years\r\ntraining.halont.edu[.]au | 103.152.248[.]148 | AU | 2020-12-08 | 2021-05-02 | ~ 7 years\r\ntraining.halont.edu[.]au** | 62.204.41[.]218 | RU | 2022-04-17 | 2022-05-06 | \u003c 1 month\r\nocwdvmjjj78krus.halont.edu[.]au | 62.204.41[.]218 | RU | 2022-04-04 | 2022-04-04 | \u003c 1 day\r\nbaqrxmgfr39mfpp.halont.edu[.]au | 62.204.41[.]218 | RU | 2022-04-01 | 2022-04-01 | \u003c 1 day\r\nbarwonbluff.com[.]au | 27.131.74[.]5 | AU | 2018-12-13 | 2022-06-28 | ~ 19 years\r\nbancobpmmavfhxcc.barwonbluff.com[.]au | 62.204.41[.]247 | RU | 2022-03-07 | 2022-06-06 | ~ 3 months\r\ntomsvprfudhd.barwonbluff.com[.]au | 62.204.41[.]77 | RU | 2022-03-07 | 2022-03-07 | \u003c 1 day\r\nbrisbanegateway[.]com | 101.0.112[.]230 | AU | 2015-04-23 | 2022-06-24 | ~ 12 years\r\ncarriernhoousvz.brisbanegateway[.]com | 62.204.41[.]218 | RU | 2022-03-07 | 2022-03-08 | ~ 2 days\r\nvembanadhouse[.]com | 162.215.253[.]110 | US | 2019-09-04 | 2022-06-28 | ~ 17 years\r\nwiguhllnz43wxvq.vembanadhouse[.]com | 62.204.41[.]218 | RU | 2022-03-25 | 2022-03-25 | \u003c 1 day\r\nTable 1. Example of compromised domains and their shadowed subdomains. *Time active column is based on the time first\r\nseen in pDNS, Whois, or archive.org. **It seems that the subdomain training.halont.edu[.]au was deactivated, and later the\r\nattacker accidentally hijacked it via DNS wildcarding. 
FQDN stands for Fully Qualified Domain Name and CC stands for\r\nthe country-code of the IP address.\r\nHow to Detect Domain Shadowing\r\nTo address issues with threat hunting-based approaches to detect shadowed domains – such as lack of coverage, delay in\r\ndetection and the need for human labor – we designed a detection pipeline leveraging passive DNS traffic logs (pDNS)\r\nbased on work by Liu et al. Building on observations similar to the ones discussed in Table 1, we extracted over 300 features\r\nthat could signal potential shadowed domains. Using these features, we trained a machine learning classifier that is the core\r\nof our detection pipeline.\r\nDesign Approach for the Machine Learning Classifier\r\nWe can arrange the features into three groups – those specific to the candidate shadowed domain itself, those related to the\r\ncandidate shadowed domain’s root domain and those related to the IP addresses of the candidate shadowed domain.\r\nThe first group is specific to the candidate shadowed domain itself. Examples of these FQDN-level features include:\r\nDeviation of the IP address from the root domain’s IP (and its country/autonomous system).\r\nDifference in the first seen date compared to the root domain’s first seen date.\r\nWhether the subdomain is popular.\r\nThe second feature group describes the candidate shadowed domain's root domain. 
Examples are:\r\nThe ratio of popular to all subdomains of the root.\r\nThe average IP deviation of subdomains.\r\nThe average number of days subdomains are active.\r\nThe third group of features is about the IP addresses of the candidate shadowed domain, for example:\r\nThe apex domain to FQDN ratio on the IP.\r\nThe average IP country deviation of subdomains using that IP.\r\nAs we generate over 300 features – where many of them are highly correlated – we perform feature selection in order to use\r\nonly the features that will contribute most to the machine learning classifier’s performance. We use the Chi-squared test to\r\nfind the best features individually and mutual Pearson correlation to decrease the weight of highly correlated features.\r\nWe can select classifiers with different performance and complexity tradeoffs depending on the desired use case. Using a\r\nrandom forest classifier, we can achieve 99.99% accuracy, 99.92% precision and 99.87% recall using only the 64 best\r\nfeatures and allowing each of 200 trees in the random forest to use at most eight features and to have a maximum depth of\r\nfour. A simpler classifier – using only the top 32 features where each tree can only use at most four features and have a depth\r\nof two – can achieve 99.78% accuracy, 99.87% precision and 92.58% recall.\r\nDuring a two-month period, our classifier found 12,197 shadowed domains averaging a couple hundred detections every\r\nday. Looking at these domains in VirusTotal, we find that only 200 were marked as malicious by at least one vendor. We\r\nconclude from these results that domain shadowing is an active threat to the enterprise, and it is hard to detect without\r\nleveraging automated machine learning algorithms that can analyze large amounts of DNS logs.\r\nA Phishing Campaign Using Shadowed Domains\r\nNext, we dive deeper into the phishing campaign we used as an example in Table 1. 
Clustering – based on IP address and\r\nroot domains – the results from our detector, we found 649 shadowed domains created under 16 compromised domain\r\nnames for this campaign. Figure 1 is a screenshot of barwonbluff.com[.]au, one of the compromised domains. Even though\r\nit seems to operate normally, attackers have created many subdomains under it that they can use in phishing links such as\r\nhxxps[:]//snaitechbumxzzwt.barwonbluff[.]com.au/bumxzzwt/xxx.yyy@target.it.\r\nFigure 1. Screenshot of barwonbluff.com[.]au – an originally benign domain.\r\nWhen users click on the above phishing URL, they are redirected to a landing page, as shown in Figure 2. The phishing page\r\non login.elitepackagingblog[.]com wants to steal Microsoft user credentials. To avoid falling for similar phishing attacks, users need to check the domain name\r\nof the website they are visiting and the lock icon next to the URL bar before entering their credentials.\r\nFigure 2. Screenshot of the phishing landing page on elitepackagingblog[.]com, where victims are redirected\r\nfrom the snaitechbumxzzwt.barwonbluff[.]com.au shadowed domain. Source: Joe Sandbox.\r\nFigure 3 is a screenshot of halont.edu[.]au after the website owners found out that their domain name was compromised. Unfortunately, we observed many shadowed\r\ndomains created under this domain name before the owners realized it was hacked. These cases further emphasize the\r\nnecessity to automatically detect these domains because it is hard for domain owners to discover that they are compromised.\r\nFigure 3. Screenshot of halont.edu[.]au, an originally benign domain that is being rebuilt after compromise.\r\nConclusion\r\nCybercriminals use shadowed domains for various illicit ventures, including phishing and botnet operations. 
We observe that\r\nit is challenging to detect shadowed domains as vendors on VirusTotal cover less than 2% of these domains. As traditional\r\napproaches based on threat research are too slow and fail to uncover the majority of shadowed domains, we turn to an\r\nautomated detection system based on pDNS data. Our high-precision machine learning-based detector processes terabytes of\r\nDNS logs and discovers hundreds of shadowed domains daily. Palo Alto Networks offers multiple security subscriptions –\r\nincluding DNS Security and Advanced URL Filtering – that leverage our detector to protect against shadowed domains.\r\nAdditionally, customers can leverage Cortex XDR to alert on and respond to domain shadowing when used for command\r\nand control communications.\r\nAcknowledgements\r\nWe want to thank Wei Wang and Erica Naone for their invaluable input on this blog post.\r\nIndicators of Compromise\r\nSource: https://unit42.paloaltonetworks.com/domain-shadowing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/domain-shadowing/"
	],
	"report_names": [
		"domain-shadowing"
	],
	"threat_actors": [],
	"ts_created_at": 1775441555,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f529ed05ba5fe30c98133273e2c727417e6d5b14.pdf",
		"text": "https://archive.orkl.eu/f529ed05ba5fe30c98133273e2c727417e6d5b14.txt",
		"img": "https://archive.orkl.eu/f529ed05ba5fe30c98133273e2c727417e6d5b14.jpg"
	}
}