Cybersecurity researchers are warning that threat actors are increasingly abusing Dynamic DNS (DDNS) providers to create robust and evasive command-and-control (C2) infrastructure.
Once regarded as convenient hosting services, these platforms have become a favored tool for attackers.
Dynamic DNS providers “are effectively operating as mini-registrars with none of the oversight or accountability of legitimate domain registrars,” researchers at Silent Push explained.
What is happening?
The exploitation of DDNS services highlights a troubling shift in attacker tactics.
Unlike traditional domain registrars, which are bound by ICANN and IANA rules, DDNS providers impose few verification requirements and often let users claim subdomains anonymously. An adversary can therefore stand up infrastructure in minutes under a parent domain with a long, clean history, with no registrant record pointing back to them, and that infrastructure is hard to attribute or take down.
Silent Push threat analysts found that more than 70,000 domains currently offer subdomain rental services, representing a vast attack surface for enterprises.
These platforms have been linked to state-sponsored groups, including APT28, APT29, APT10, and APT33, as well as financially motivated actors such as Scattered Spider.
How the abuse works
The appeal of DDNS services lies in their ease of use, low cost, and weak enforcement mechanisms.
Attackers rent subdomains under established parent domains and inherit the parent's reputation: the host looks like one more tenant of a long-lived, widely used domain. Because the provider runs the authoritative nameservers and manages the records, the attacker never has to register a domain or operate DNS infrastructure of their own, which removes another point at which their identity or hosting could be exposed.
Technical analysis shows threat actors registering multiple subdomains across several providers and rotating among them, in some cases driven by domain generation algorithms (DGAs). Many also pre-register dozens of subdomains and bring them online on a timed schedule for redundancy and resilience.
Even if defenders block or take down one hostname, others are already in place to continue C2 communications.
For example, APT29 exclusively used DDNS domains for its QUIETEXIT operations, while APT28 leveraged these platforms in other campaigns. The abuse is not limited to espionage groups: the DarkComet remote access trojan has been widely deployed with DDNS-based C2 infrastructure.
Command and control at scale
The use of DDNS providers for C2 channels poses one of the most pressing challenges for defenders. By spreading infrastructure across multiple providers and regions, attackers build a web of hostnames that domain blocklists handle poorly: the parent domain is legitimate and shared by thousands of tenants, so blocking it causes collateral damage, while blocking individual subdomains lags behind the attacker's rotation.
Silent Push’s research highlights this issue with the example of afraid[.]org, a DDNS provider with over 591,000 associated domains, many of which are utilized in malicious campaigns. Similar abuse has been documented across providers such as DuckDNS, No-IP, ChangeIP, and DynDNS, highlighting the pervasiveness of the issue.
Mitigation strategies to consider
While the regulatory environment allows DDNS providers to operate with little oversight, organizations are not powerless. Security teams should adopt the following strategies to mitigate risk.
- Monitor connections to DDNS domains: Log and alert on DNS resolutions and outbound connections to known DDNS parent domains, and watch for a single host contacting many distinct subdomains under one parent, which is the rotation pattern described above.
- Apply blocking where possible: High-risk organizations may choose to block entire providers outright, while others can apply selective blocking based on risk tolerance.
- Leverage threat intelligence feeds: Some security tools offer bulk data exports of DDNS domains, which can be integrated into SIEM and SOAR platforms.
- Implement file and network integrity monitoring: Detect persistence artifacts (scheduled tasks, services, startup entries, modified binaries) whose payloads beacon to DDNS hostnames, rather than relying on network blocks alone.
- Consider broader security hygiene: Enforce least privilege access, network segmentation, and multi-factor authentication to contain potential compromises.
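The monitoring recommendation above, and the subdomain rotation and DGA behaviour described under "How the abuse works", can be turned into a first-pass detection over DNS query logs. The following is an added example written for this page; it is not Silent Push tooling and not code from any provider. The DDNS parent-domain list, the log format and the log lines are all constructed for the example, and the DGA heuristic (length, character entropy, vowel ratio) is a simple assumption that will produce false positives on real traffic and should be tuned against your own baseline.

```python
"""Flag DNS query log lines that resolve names under known DDNS parent
domains, then surface two patterns worth escalating: one client contacting
many distinct subdomains under one parent (rotation / pre-registered pool)
and DGA-looking labels directly under the parent.

Added example for this article; the parent list, log format and sample log
are constructed, not taken from any provider or threat-intel feed.
"""
import math
import re
from collections import Counter, defaultdict

# Assumed seed list of DDNS parent domains. In practice load this from a
# threat-intelligence export; this set is illustrative only.
DDNS_PARENTS = {"duckdns.org", "ddns.net", "hopto.org", "no-ip.org", "dyndns.org"}

# Constructed log format: "<timestamp> <client-ip> <qtype> <qname>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)\s+(\S+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.lower().rstrip(".")}


def ddns_parent(qname):
    """Longest DDNS parent that qname sits strictly under, else None.
    A query for the parent itself is not a rented subdomain."""
    labels = qname.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DDNS_PARENTS:
            return candidate
    return None


def shannon_entropy(s):
    """Character entropy in bits; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_dga_like(label, min_len=10, min_entropy=3.5, max_vowel_ratio=0.25):
    """Heuristic (assumption, not a published detector): long, high-entropy,
    vowel-poor labels. Tune thresholds against your own traffic."""
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) < max_vowel_ratio)


def analyze(lines, rotation_threshold=5):
    """Return all DDNS contacts plus per-(client, parent) findings."""
    subs_seen = defaultdict(set)   # (client, parent) -> distinct subdomains
    dga_seen = defaultdict(set)    # (client, parent) -> DGA-like subdomains
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parent = ddns_parent(rec["qname"])
        if parent is None:
            continue
        sub = rec["qname"][: -(len(parent) + 1)]
        key = (rec["client"], parent)
        subs_seen[key].add(sub)
        events.append((rec["ts"], rec["client"], rec["qname"]))
        rented = sub.split(".")[-1]   # label directly under the parent
        if is_dga_like(rented):
            dga_seen[key].add(sub)
    findings = []
    for (client, parent), subs in sorted(subs_seen.items()):
        dga = dga_seen.get((client, parent), set())
        reasons = []
        if len(subs) >= rotation_threshold:
            reasons.append(f"{len(subs)} distinct subdomains under {parent}")
        if dga:
            reasons.append(f"{len(dga)} DGA-like labels")
        findings.append({"client": client, "parent": parent,
                         "distinct_subdomains": len(subs), "dga_like": len(dga),
                         "severity": "high" if reasons else "info",
                         "reasons": reasons})
    return {"ddns_events": events, "findings": findings}


# Constructed sample: a benign DDNS user (10.0.0.9) and a host rotating
# through five random-looking names under one parent (10.0.0.23).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 10.0.0.5 A www.example.com
2024-03-01T08:01:00Z 10.0.0.9 A homecam.duckdns.org
2024-03-01T08:05:00Z 10.0.0.23 A xk9v2qpl7mzt.ddns.net
2024-03-01T08:10:00Z 10.0.0.23 A r4tq8wmzbxkj.ddns.net
2024-03-01T08:15:00Z 10.0.0.23 A zp7mvq2nxkdt.ddns.net
2024-03-01T08:20:00Z 10.0.0.23 A b9wkxtqz4mnp.ddns.net
2024-03-01T08:25:00Z 10.0.0.23 A n2xqmtkz8vpw.ddns.net
2024-03-01T08:30:00Z 10.0.0.23 A ddns.net
not a log line
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines())["findings"]:
        print(f["severity"], f["client"], f["parent"], "; ".join(f["reasons"]))
```

Every DDNS contact is recorded (the "info" findings are the log-and-alert baseline); only the client that cycles through several DGA-looking names under one parent is raised to "high", which is the rotation pattern the article describes. The query for the bare parent domain is ignored on purpose, since it is not a rented subdomain, and the benign single-name user under duckdns.org is not escalated.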
What this means for organizations
The growing abuse of DDNS providers highlights a broader trend in attacker innovation: leveraging legitimate services for illegitimate ends. Much like cloud platforms and content delivery networks have been weaponized in the past, DDNS services now represent another layer of “living off the land” tactics.
As supply chain risks and advanced persistent threats evolve, the persistence and adaptability afforded by DDNS services will likely remain attractive to attackers. Without stronger regulation or consistent enforcement from providers, enterprises must assume these services will continue to feature prominently in malicious campaigns.
The abuse of Dynamic DNS providers underscores the adaptability of cybercriminals and state-sponsored groups. By exploiting regulatory gaps and weak enforcement, attackers are building resilient infrastructure that frustrates traditional defenses.
Given how attackers exploit Dynamic DNS to persist, the next step for defenders is ensuring a strong incident response plan is in place to contain and recover from such threats.