1.5 Million Malicious Domains Flooded by Attackers via Concentrated Registrars and Cloudflare Hosting
What Happened – Researchers identified roughly 1.5 million malicious domains registered between January and May 2026, most of them created by threat actors and put to use within weeks of registration. The activity is heavily concentrated in a handful of registrars, in the .com, .top, .cc and .xyz TLDs, and on Cloudflare‑hosted IP addresses.
Why It Matters for TPRM –
- Large‑scale domain abuse can be leveraged for phishing, malware delivery, and credential harvesting against your vendors and customers.
- Concentration at a few registrars and hosting providers creates a single‑point‑of‑failure risk; compromised or lax registrars can expose many downstream partners.
- Early detection windows are narrow (median 2 months, many within 1 day), limiting remediation time for third‑party services.
Who Is Affected – Technology SaaS providers, cloud hosting services (especially those using shared reverse‑proxy networks like Cloudflare), domain registrars, and any downstream organizations that trust URLs from these domains.
Recommended Actions –
- Review contracts and security controls with domain registrars and hosting providers used by your vendors.
- Implement real‑time URL reputation filtering and automated takedown monitoring.
- Require vendors to maintain anti‑abuse policies and rapid response SLAs for malicious domain takedowns.
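The reputation filtering recommended above can be bootstrapped from the concentration signals the report cites (registration recency, the .com/.top/.cc/.xyz TLDs, shared reverse‑proxy hosting, and registrar concentration). The triage script below is an added example, not code from the report or from Help Net Security; the 30‑day age threshold, the record layout and the sample feed are assumptions constructed for illustration.

```python
from datetime import date

# Indicators taken from the advisory: TLDs and hosting provider where abuse clustered.
ABUSED_TLDS = {"com", "top", "cc", "xyz"}
SHARED_PROXY_PROVIDERS = {"cloudflare"}
NEW_DOMAIN_DAYS = 30  # assumed cutoff for "newly registered"; tune to your own feed

# Constructed sample of registration records (hypothetical domains and registrars).
SAMPLE_RECORDS = [
    {"domain": "example-verify.top", "created": date(2026, 4, 20),
     "registrar": "registrar-a", "hosting": "cloudflare"},
    {"domain": "example-shop.xyz", "created": date(2026, 1, 15),
     "registrar": "registrar-a", "hosting": "hoster-b"},
    {"domain": "example.org", "created": date(2020, 6, 1),
     "registrar": "registrar-c", "hosting": "cloudflare"},
    {"domain": "example-pay.cc", "created": date(2026, 4, 30),
     "registrar": "registrar-a", "hosting": "hoster-b"},
]


def risk_score(record: dict, today: date) -> int:
    """Score 0-3: one point each for a newly registered domain, an abused TLD,
    and hosting behind a shared reverse-proxy network."""
    score = 0
    if (today - record["created"]).days <= NEW_DOMAIN_DAYS:
        score += 1
    tld = record["domain"].rsplit(".", 1)[-1].lower()
    if tld in ABUSED_TLDS:
        score += 1
    if record["hosting"].lower() in SHARED_PROXY_PROVIDERS:
        score += 1
    return score


def registrar_concentration(records: list) -> dict:
    """Share of the feed held by each registrar; a high share flags the
    single-point-of-failure risk described in the advisory."""
    counts: dict = {}
    for r in records:
        counts[r["registrar"]] = counts.get(r["registrar"], 0) + 1
    return {name: n / len(records) for name, n in counts.items()}


def triage(records: list, today: date, threshold: int = 2) -> list:
    """Domains whose score meets the threshold, in feed order, for blocking or review."""
    return [r["domain"] for r in records if risk_score(r, today) >= threshold]


if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, date(2026, 5, 1)))
    print(registrar_concentration(SAMPLE_RECORDS))
```

On the constructed feed, two domains reach the review threshold and one registrar holds three quarters of the registrations.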
Technical Notes – Attackers exploit the low‑cost, high‑volume registration process and shared hosting infrastructure. No specific CVE; the vector is bulk domain registration and rapid DNS propagation via third‑party registrars and Cloudflare’s reverse‑proxy network. Source: Help Net Security