The Challenge of Short-Lived Domains in Malware Research
Published on March 11, 2025

Short-lived domains are a major headache for malware researchers. Cybercriminals use a variety of tactics to make these domains difficult to track and analyze. Techniques like altering or deleting NS delegation records and leveraging Fast-Flux DNS allow attackers to stay one step ahead of detection systems. Registrars that permit short-term domain registrations, lasting only a few days, further facilitate these schemes. Compounding the issue, GDPR regulations have redacted WHOIS information, making it even harder to trace domain ownership and hold bad actors accountable.
One particularly deceptive evasion technique involves pre-analyzing domains on platforms like VirusTotal. Attackers keep their domains “clean” during the scan phase to achieve a zero-detection score. When individuals check these links — often embedded in suspicious emails — they see “all green” results, creating a false sense of security. Once trust is established, cybercriminals activate their malicious campaigns, whether through phishing, malware distribution, or other harmful activities.
It’s no surprise, then, that large-scale analysis of NS records frequently reveals a significant proportion of “parked” domains with obscured ownership. Many such domains are dormant, used only for short bursts of activity before being abandoned to avoid detection.
Planisys’ Analysis of Malicious Domains
In a recent review conducted by Planisys (www.planisys.net), over 1 million domains identified as malicious or suspicious were analyzed. Many of these domains lacked delegation entirely, while others were parked with registrars known for leniency.
The pattern is clear: domains are registered with low-cost registrars, analyzed on VirusTotal to appear harmless, then weaponized for malicious activities like phishing campaigns, spam, or malicious ads. Within days, these domains are deactivated, leaving researchers scrambling to connect the dots.
Below, we share a ranking of NS records gathered from a subset of several thousand domains. This analysis includes domains that either lacked NS records or were previously flagged as Indicators of Compromise (IOCs). Many continue to be flagged as Suspicious, Spam, Malware, or Phishing on platforms like VirusTotal.
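The kind of aggregation behind an NS-record ranking, as an added example (this is not Planisys' tooling): given per-domain NS answers, it normalizes nameserver hostnames, ranks them and their providers by how many domains point at them, and separates out domains that returned no delegation at all. The input is a constructed, hypothetical sample of lookup results so the script runs offline; the real DNS lookup step that would fill it is assumed and left out, and the "provider" key (last two labels of the NS host) is a heuristic assumption rather than a public-suffix-aware parse.

```python
"""Rank NS records across a set of domains and count domains lacking delegation.

Added example, not Planisys' own code. SAMPLE_LOOKUPS is a constructed sample
standing in for real per-domain NS lookups (e.g. from dnspython), which are
assumed to have been run beforehand so that this script works offline.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: domain -> NS hostnames as returned by a lookup, or None
# when the lookup returned no delegation (NXDOMAIN / no NS records), the
# situation the text describes for many IOC-flagged domains.
SAMPLE_LOOKUPS: Dict[str, Optional[List[str]]] = {
    "example-a.test": ["ns1.cheapdns.example.", "ns2.cheapdns.example."],
    "example-b.test": ["NS1.CheapDNS.example.", "ns2.cheapdns.example."],  # mixed case
    "example-c.test": None,                       # no delegation at all
    "example-d.test": ["ns1.parking.example."],
    "example-e.test": [],                         # empty answer section
    "example-f.test": ["ns1.parking.example.", "ns2.parking.example."],
}


def normalize_ns(name: str) -> str:
    """Lower-case and strip the trailing dot so spellings of one NS host collapse."""
    return name.strip().lower().rstrip(".")


def ns_provider(ns_host: str) -> str:
    """Heuristic provider key: the last two labels of the NS hostname (assumption,
    not a public-suffix-aware parse; good enough to group ns1/ns2 of one operator)."""
    labels = normalize_ns(ns_host).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def analyze(lookups: Dict[str, Optional[List[str]]]):
    """Return (ranked NS hosts, ranked providers, sorted domains lacking delegation).

    Each domain contributes at most one count per distinct NS host and per
    provider, so a domain listing two hosts of one operator counts that
    operator once.
    """
    host_counter: Counter = Counter()
    provider_counter: Counter = Counter()
    missing: List[str] = []
    for domain, answer in lookups.items():
        if not answer:                      # None or empty list: no delegation
            missing.append(domain)
            continue
        hosts = {normalize_ns(h) for h in answer}
        host_counter.update(hosts)
        provider_counter.update({ns_provider(h) for h in hosts})
    return host_counter.most_common(), provider_counter.most_common(), sorted(missing)


def provider_table(lookups: Dict[str, Optional[List[str]]]) -> List[Tuple[str, int, float]]:
    """Ranking rows (provider, domain count, percent of delegated domains)."""
    _, providers, missing = analyze(lookups)
    delegated = len(lookups) - len(missing)
    if delegated == 0:
        return []
    return [(p, n, round(100.0 * n / delegated, 1)) for p, n in providers]


if __name__ == "__main__":
    hosts, providers, missing = analyze(SAMPLE_LOOKUPS)
    print(f"{len(missing)} of {len(SAMPLE_LOOKUPS)} domains have no delegation: {missing}")
    print("NS hosts by number of domains:")
    for host, n in hosts:
        print(f"  {n:4d}  {host}")
    print("Providers by share of delegated domains:")
    for provider, n, pct in provider_table(SAMPLE_LOOKUPS):
        print(f"  {n:4d}  {pct:5.1f}%  {provider}")
```

Feeding it a real dataset only means replacing SAMPLE_LOOKUPS with the output of an actual NS lookup per domain; keeping the lookup separate from the aggregation also lets the same ranking be re-run on cached answers, which matters when the domains in question disappear within days.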
This article provides valuable insights into the evolving tactics used by cybercriminals and highlights the importance of advanced tools and methodologies to counter these threats. The accompanying image helps contextualize the findings, showcasing the most frequently observed NS records in the dataset.