
Threat actors utilize phishing domains across various top-level domains (TLDs) to target organizations and individuals. Recent analyses highlight the following malicious TLDs:
- .es, .sbs, .dev, .cfd, .ru – Commonly used in fake logins, document scams, and credential harvesting.
- .li – Ranked #1 by malicious ratio (57% of observed domains flagged), often used as a redirector to malicious payloads.
- Budget TLDs (.sbs, .cfd, .icu) – Cheap and disposable, enabling mass registration by attackers.
- .dev – Frequently abused via temporary hosting platforms (e.g., pages[.]dev, workers[.]dev) for deceptive phishing sites.
Key Analysis Sessions:
- .es phishing analysis
- .sbs phishing analysis
- .cfd phishing analysis
- .li redirector analysis
- .dev abuse analysis
You Should Know:
Detecting Phishing Domains with Linux/Windows Commands
1. WHOIS Lookup – Identify domain registration details:
whois example.com
2. Dig for DNS Records – Check suspicious domains:
dig A example.com +short
3. Curl for HTTP Headers – Follow and record the full redirect chain (each hop's status line and Location header):
curl -sIL "http://example.com"
4. Python Script to Extract IOCs – Fetch a suspect page and list its link targets (candidate redirectors):
import requests
from bs4 import BeautifulSoup

url = "http://malicious.li"  # placeholder from the post; run this from an isolated analysis host
# Do not auto-follow redirects: the first hop's Location header is itself an indicator
response = requests.get(url, timeout=10, allow_redirects=False)
response.raise_for_status()
soup = BeautifulSoup(response.text, 'html.parser')
# Every anchor target on the page; off-site links are candidate redirects to the payload
links = [a['href'] for a in soup.find_all('a', href=True)]
print("Status:", response.status_code, "Location:", response.headers.get("Location"))
print("Link targets:", links)
5. Windows PowerShell – Check that the TLS port is reachable (this verifies TCP connectivity on 443, not the certificate itself):
Test-NetConnection -ComputerName example.com -Port 443
ANY.RUN Sandbox Commands
- Detonate URLs safely:
curl -X POST "https://api.any.run/v1/analysis" -H "Authorization: Bearer API_KEY" -d '{"url":"http://malicious.cfd"}'
What Undercode Say:
Phishing domains exploit low-cost TLDs and trusted platforms (.dev) to evade detection. SOC teams must:
- Monitor DNS logs for .li, .sbs, and .cfd domains.
- Automate IOC extraction using tools like theHarvester:
theHarvester -d example.com -b all
- Deploy YARA rules to detect phishing page patterns.
Expected Output:
Domain: malicious.li Status: Redirects to payload.com IOCs: [IP: 192.168.1.1, SHA256: abc123...]
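As an added example (not code from the original post or from ANY.RUN), the DNS-log monitoring recommended above, applied to constructed dnsmasq-style query lines: it flags queries for the high-risk TLDs listed in this post and, at lower confidence, names hosted on the abused .dev platforms (pages.dev, workers.dev), then counts hits per client. The log format and the client/domain names are assumptions.

```python
# Added example: triage DNS query logs for the high-risk TLDs and abused .dev
# hosting platforms named in the post. Sample lines below are constructed.
import re
from collections import Counter

HIGH_RISK_TLDS = {"li", "sbs", "cfd", "icu", "es", "ru"}
# Free .dev hosting platforms reported as abused; a weaker signal than a raw risky TLD
ABUSED_DEV_HOSTS = {"pages.dev", "workers.dev"}

LOG_RE = re.compile(r"query\[(?P<type>\w+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

SAMPLE_LOG = """\
Jun 10 09:12:01 dnsmasq[811]: query[A] login-secure.example.li from 10.0.0.15
Jun 10 09:12:02 dnsmasq[811]: query[A] www.wikipedia.org from 10.0.0.15
Jun 10 09:12:07 dnsmasq[811]: query[A] invoice-view.example.sbs from 10.0.0.22
Jun 10 09:12:09 dnsmasq[811]: query[AAAA] docs-share.example.pages.dev from 10.0.0.22
Jun 10 09:12:11 dnsmasq[811]: query[A] internal.corp.example.com from 10.0.0.30
"""

def classify(name: str):
    """Return (severity, reason) for a queried FQDN, or None if it is not flagged."""
    labels = name.rstrip(".").lower().split(".")
    tld = labels[-1]
    if tld in HIGH_RISK_TLDS:
        return ("high", f"high-risk TLD .{tld}")
    suffix = ".".join(labels[-2:])
    # Only a customer subdomain (more than two labels) is suspicious, not the platform apex
    if suffix in ABUSED_DEV_HOSTS and len(labels) > 2:
        return ("medium", f"temporary hosting platform {suffix}")
    return None

def triage(log_text: str):
    """Parse query lines, flag risky names, and count flagged queries per client."""
    alerts, per_client = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = classify(m["name"])
        if verdict:
            alerts.append((m["client"], m["name"], *verdict))
            per_client[m["client"]] += 1
    return alerts, per_client

if __name__ == "__main__":
    alerts, per_client = triage(SAMPLE_LOG)
    for client, name, sev, reason in alerts:
        print(f"[{sev.upper()}] {client} -> {name} ({reason})")
    print("Flagged queries per client:", dict(per_client))
```

A client with several flagged queries in a short window (10.0.0.22 above) is the one to pull the curl/WHOIS checks from the previous section on first.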
Prediction:
Phishing campaigns will increasingly abuse decentralized hosting (e.g., Cloudflare Workers) and .zip TLDs for credibility.
Expected Output:
Trend: .zip domains rising in phishing (2024-2025). Mitigation: Block high-risk TLDs at firewall level.
Reported By: Any Run – Hackers Feeds