
Risky Bulletin Newsletter

June 03, 2026

Risky Bulletin: A tenth of all new domains last year were malicious

Written by

Catalin Cimpanu

News Editor

This newsletter is brought to you by Truffle Security, the makers of Trufflehog. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.

One in every ten new domains registered in 2025 was linked to malicious activity and eventually added to one or more cybersecurity blocklists.

A total of 84,961,989 domains were created last year and 8,496,811 were later added to a blocklist, according to an Interisle report published on Monday.

Researchers believe the actual number of malicious domains may be double that, at around 16.8 million, with new domains expected to be blacklisted once they are deployed in operations in the wild later on.

This is explained by a threat actor practice called "domain aging," where cybercrime groups purchase new domains and leave them unused for months or even years to avoid having them easily blacklisted due to the tendency of security tools to zap traffic to newly registered domains.

Most of the malicious domains purchased last year were bought in bulk from a handful of (known) shady registrars.

Five registrars alone accounted for half the blocklisted domains last year. If we expand this to eight registrars, these companies accounted for 92% of all blocklisted domains, showing just how much abuse is concentrated in a few hotspots of badness.

Three other registrars had more than 80% of all their 2025 domains added to a blocklist by the end of the year, which makes you wonder why they even exist in the first place besides selling domains to scammers and malware crews.

Continuing a trend spotted in previous years by many other security firms, Interisle says most of the malicious domains were registered under the new class of gTLDs, or generic top-level domains. This is the class of custom TLDs that was added a decade ago to extend the standard .com, .net, and .org TLDs that were available at the time.

Roughly two-thirds of all new malicious domains last year were registered through one of these custom gTLDs, such as .top, .bond, .vip, .xyz, .shop, and many others.
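As an added illustration (not code from the Interisle report or this newsletter), the Python below scores domains so that a "domain aging" campaign is not missed by a pure newly-registered-domain check: alongside registration age it looks at when a domain first appeared in your own DNS or proxy telemetry, and it weights the TLD and registrar concentration the report describes. The registrar names, sample records, weights and thresholds are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# TLDs the page names as abuse hotspots; registrar names are placeholders.
HIGH_ABUSE_TLDS = {"top", "bond", "vip", "xyz", "shop"}
HIGH_ABUSE_REGISTRARS = {"example-registrar-a", "example-registrar-b"}

NRD_MAX_AGE_DAYS = 30       # classic newly-registered-domain window (assumed)
AGED_MIN_AGE_DAYS = 180     # old enough to have escaped NRD blocking (assumed)
RECENT_ACTIVITY_DAYS = 7    # "only just appeared in our telemetry" (assumed)

@dataclass
class DomainRecord:
    name: str
    registrar: str
    registered: date            # RDAP/WHOIS creation date
    first_seen: Optional[date]  # first DNS/proxy sighting in our telemetry, None if never

def nrd_only_flag(rec: DomainRecord, today: date) -> bool:
    """The simple check many tools apply: anything registered recently is risky."""
    return (today - rec.registered).days <= NRD_MAX_AGE_DAYS

def score_domain(rec: DomainRecord, today: date) -> tuple[int, list[str]]:
    """Weighted score that still catches a parked domain the moment it goes live."""
    age = (today - rec.registered).days
    score, reasons = 0, []
    if age <= NRD_MAX_AGE_DAYS:
        score += 3
        reasons.append("newly registered")
    elif age >= AGED_MIN_AGE_DAYS and (
        rec.first_seen is None or (today - rec.first_seen).days <= RECENT_ACTIVITY_DAYS
    ):
        score += 3  # domain aging: bought months ago, activated only now
        reasons.append("aged domain newly active")
    if rec.name.rsplit(".", 1)[-1].lower() in HIGH_ABUSE_TLDS:
        score += 1
        reasons.append("high-abuse TLD")
    if rec.registrar in HIGH_ABUSE_REGISTRARS:
        score += 2
        reasons.append("high-abuse registrar")
    return score, reasons

def review(records, today: date, threshold: int = 4) -> dict:
    """Side-by-side: what an NRD-only check flags versus the combined score."""
    out = {}
    for rec in records:
        score, reasons = score_domain(rec, today)
        out[rec.name] = {"nrd_only": nrd_only_flag(rec, today), "score": score,
                         "flag": score >= threshold, "reasons": reasons}
    return out

TODAY = date(2026, 6, 3)  # this newsletter's date
SAMPLES = [  # constructed records, not from the Interisle report
    DomainRecord("fresh-login-portal.top", "example-registrar-a", date(2026, 5, 30), date(2026, 6, 2)),
    DomainRecord("aged-invoice-host.shop", "example-registrar-b", date(2025, 3, 1), date(2026, 6, 1)),
    DomainRecord("established-vendor.com", "example-registrar-c", date(2015, 8, 10), date(2016, 1, 4)),
]

if __name__ == "__main__":
    for name, verdict in review(SAMPLES, TODAY).items():
        print(name, verdict)
```

The aged sample passes the NRD-only check untouched but is still flagged because it was registered 15 months ago and only started resolving this week.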

Risky Business Podcasts

In this edition of Between Two Nerds, Tom Uren and The Grugq talk about the ways in which intelligence agencies are like cults.


Breaches, hacks, and security incidents

Major breach impacts ~100 Dutch hotels: Hackers appear to have stolen customer data from at least 100 Dutch hotels. The data has been used over the past weeks for fraud and phishing campaigns. Some hotels in Belgium and Ireland have also reported attacks against their customers. Dutch hospitality experts are still investigating the breach but they believe a shared hotel software provider might be the source of the stolen hotel data. [Tim Vissers LinkedIn post // NOS]

Dashlane brute-force attack: Users of the Dashlane password manager service have been locked out of their accounts following a brute-force attack. The account lockouts were the result of Dashlane's security systems engaging and stopping the attack. The company re-enabled the accounts a day after the attack but around 20 users had their encrypted password vaults stolen in the attack. [Dashlane]

DPRK finishes Kelp laundering: North Korean hackers have finished laundering all the funds stolen from the Kelp DAO cryptocurrency platform. Hackers have laundered $220 million in a record six weeks. Kelp only managed to freeze $71 million from the $293 million stolen in mid-April. The chances to recover the funds are now estimated to be near zero. [CoinTelegraph]

Hack exposes GTA V cheaters: Hackers have breached and leaked data from a GTA V cheating service. The details of 64,000 users of the Menu Atlas cheat provider were posted on GitHub last month. Leaked data included details such as usernames, emails, and IP addresses. [HIBP // TechCrunch]

Breach at the UN World Food Programme: Hackers have stolen the personal information of 600,000 Palestinians who registered for food and cash assistance through the UN World Food Programme. The breach took place on May 14 and the UN agency notified affected individuals last week. The agency said the hacked portal was only used in Palestine. [The New Humanitarian // WFP Telegram post]

Hackers hijack Instagram accounts with Meta's own AI: Hackers are hijacking high-profile Instagram accounts by abusing Meta's own AI support assistant. A pro-Iranian hacktivist group took credit for some of the hijacks in a Telegram post over the weekend. The exploit involved asking Meta's AI assistant to change the account's email address. The attacker needed to use a VPN with an IP address close to the target's normal location but no other verification was needed. Some of the victims include the accounts of the Obama White House team, metal band Korn, and Space Force officials. [KrebsOnSecurity]

In other news, a large number of security experts were among the thousands laid off by #Meta last month.


— Joseph Menn (@joemenn.bsky.social) June 1, 2026 at 9:13 PM

General tech and privacy

Nvidia CPUs to power Windows PCs: Nvidia has released a CPU named the RTX Spark. The new processor will power several Windows-based PCs and laptops set to release this fall. This will include devices from Asus, Dell, HP, Lenovo, Microsoft, MSI, Acer, and Gigabyte. [ArsTechnica]

Rust bans LLM-generated code: The Rust programming language will ban contributors from submitting AI-generated code. Rust developers will be allowed to use AI for assistance but not to write the actual code. The move comes after the Zig programming language and several Linux distros also banned the use of AI to submit code contributions. [Socket Security // Rust policies]

Anthropic expands Mythos access: AI company Anthropic is expanding access to its top-tier cybersecurity model Mythos. Around 150 new organizations were granted access to the model this week, up from the original 50. The orgs are based in 15 countries. One of the first to be identified was ENISA, the EU's cybersecurity agency. [Anthropic // Bloomberg]

Government, politics, and policy

Russia uncovers spyware plot: Russia's FSB intelligence service claims it uncovered a foreign operation to install spyware on the phones of senior officials. Retired FSB officials hinted at US and UK involvement in comments to local media. A criminal case has also been opened. [FSB // TASS]

The FSB says it found a Western spyware op targeting Russian officials and a Kaspersky exec is going around giving interviews about malware infecting iPhones via an "invisible" iMessage Hmmm... hmmm... www.rbc.ru/rbcfreenews/...

— Catalin Cimpanu (@campuscodi.risky.biz) June 2, 2026 at 10:30 PM

EU ditches Google Search: The European Parliament will switch to Qwant as the default search engine on all EU in-house government devices. Qwant will replace Google Search on Thursday, June 4. Officials cited privacy concerns over how Google handles search data. This is the latest in a string of moves EU countries have made to detach themselves from American tech over the past year. [Politico Europe]

Midterms domains pop up: More than 4,000 domains related to the US elections have been registered this year, ahead of the Midterm election cycle later this fall. [Check Point // CyberScoop]

Trump signs AI cybersecurity EO: The Trump administration has signed an executive order that introduces security and safety requirements for AI models. The executive order is a scaled-back version of the one Donald Trump wanted to sign last month. The EO asks some of the larger AI companies to voluntarily submit new models for a government review for possible harms up to 30 days before release. The abandoned version of the EO called for an audit 90 days before release, which the AI industry pushed against. [White House // Politico // CybersecurityDive]

Breaking: President Trump has signed his AI security executive order: www.whitehouse.gov/presidential... It's virtually the same as the draft he scrapped earlier, except the voluntary government review of AI models would be up to 30 days before release, not up to 90.


— Eric Geller (@ericjgeller.com) June 2, 2026 at 7:28 PM

Sponsor section

In this Risky Business sponsor interview, Casey Ellis chats with Truffle Security’s founder and CEO Dylan Ayrey about the recent CISA secrets leak. Days after Brian Krebs ran the story, plenty of the exposed credentials were still live, including an admin-level GitHub app key with full rights over CISA’s org.

Arrests, cybercrime, and threat intel

Spain arrests government doxxer: Spanish police have arrested an individual who published the personal data of multiple government workers. The suspect allegedly doxxed employees of Spain's police, national security council, the country's cybersecurity agency, prosecutors, and other government employees. They posted details like names, phone numbers, home addresses, and emails. They were arrested on Saturday in the province of Granada. [Spain's National Police]

Johnny Depp hacker arrested in Hungary: Hungarian police have arrested a Jordanian national for stealing Johnny Depp's credit card information. The suspect allegedly used the card for more than 300 transactions worth nearly $700,000. A US bank noticed the suspicious transactions and notified authorities last year. [Daily Mail]

BEC scammers charged: US prosecutors have charged two New Jersey men for their involvement with a major BEC scheme. Jason McNeill and Ryan Telesford are accused of laundering proceeds from a $7.7 million property transaction that was hijacked by hackers. The incident took place in December and the two allegedly facilitated the movement and concealment of the stolen funds. [BCPO]

Red Hat npm packages compromised: More than 30 Red Hat cloud-related npm packages have been compromised in a new supply chain attack on Monday. The malicious packages shipped with malware that stole CI/CD secrets and cloud access tokens. They also included a worm component to spread itself to a victim's own packages. [Aikido Security // JFrog // SafeDep // Semgrep // Snyk // Socket Security // Step Security // Wiz]

Spike in NetScaler attacks: Security firm Fortinet has reported a spike in attacks targeting Citrix NetScaler ADC and Gateway appliances. The attacks are targeting a bug that can leak the devices' memory (CVE-2026-3055). The bug had come under active exploitation days after it was patched back in March. [Fortinet]

AI coding tools used for EDR evasion: Security firm Sophos has spotted a Russian-speaking malware dev using an AI coding IDE to test and develop EDR-bypass tools. [Sophos]

Cryptomus rebrands: The Cryptomus cryptocurrency exchange has rebranded after receiving a record fine from the Canadian government. The platform now goes by the name of Heleket. The company was fined by the Canadian government CAD$177 million last year for failing to follow anti-money laundering regulations. A Brian Krebs investigation found that Cryptomus acted as a "payment processor for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services." [The IJF // KrebsOnSecurity] [h/t Alex Rudolph]

US tells orgs to review ATG controls: Multiple US government agencies have told organizations to review the security controls on automatic tank gauge (ATG) systems. Orgs have been told to take systems off the internet, use hardened passwords, patch products, and deploy monitoring solutions. The joint alert comes after Iranian hackers gained access and defaced ATG systems across the US last month. [CISA]

Handala is recruiting for physical attacks: An Iranian hacktivist group has launched a campaign to recruit individuals for physical attacks, espionage, sabotage, and assassinations. According to Recorded Future, the Handala group is behind four new online personas that recruit people for attacks in Israel and the US. The group has promised rewards of up to $500,000 for attacks on selected individuals. Previous reporting has linked the Handala group to Iran's MOIS intelligence agency. [Recorded Future]

Malware technical reports

New FlutterShell backdoor: A malvertising campaign targeting Apple users is spreading a new macOS backdoor named FlutterShell. Google has taken down the malicious ads spreading the backdoor after an abuse report. Researchers linked the operation to the same e-crime group behind the JSCoreRunner malware last year. [Palo Alto Networks]

Sponsor section

In this edition of the Snake Oilers podcast, Truffle Security founder Dylan Ayrey joins Risky Business to talk through the latest bells and whistles in Trufflehog, a security tool that searches for exposed secrets and validates them. The Truffle team has done a lot of work on the remediation part of their product over the last few years, and Dylan tells us all about it!

APTs, cyber-espionage, and info-ops

AI is turbocharging Iran's cyber ops: Iran is using Western AI services to help with phishing campaigns, malware development, and military research. Iranian cyber units have also used AI to scan the internet for vulnerabilities and disinformation campaigns. They have abused ChatGPT, Gemini, and other western AI, but they are also building their own models. Work on these national models started in March at the Sharif University of Technology. According to analysts, AI has helped Iran turbocharge its cyber operations since the onset of the US-Israeli war. [The Financial Times // Implicator.ai] [h/t Ghara67]

Iran's digital repression: The Miaan Group has published a report on the cyber campaigns that targeted Iranian protesters over the past year, as well as some campaigns targeting dissidents who fled the country. [The Miaan Group]

WorkTitans takedown disrupted Iranian APT ops: The takedown of a bulletproof hosting provider in the Netherlands last month has disrupted the operations of at least three Iranian APTs. Groups like Agrius, MuddyWater, and Nimbus Manticore had used servers rented from WorkTitans. Dutch authorities seized WorkTitans servers on May 22 for hosting server infrastructure for Russian hackers and disinformation operations. [Check Point]

Gamaredon's malware arsenal: Sekoia has published the first report in a three-part series on the malware arsenal of Russian APT group Gamaredon. The first report covers GammaPhish and GammaWorm. [Sekoia]

New mysterious APT targets Russia: A new unidentified APT group has been targeting Russian politicians, hydrotechnic universities, energy and financial companies for the past two years. [Kaspersky]

HazyBeacon (CL-STA-1020) profile: A suspected APT group named HazyBeacon is abusing AWS Lambda infrastructure as a C2 channel and proxy relays for attacks against Southeast Asian government networks. [Qualys]

Vulnerabilities, security research, and bug bounty

Security updates: Android, Apache Solr, Apple, Ivanti, HP.

Microsoft will report misbehaving security researchers to law enforcement: In a blog post last week, Microsoft's security team hinted it may take legal action against a security researcher who has been releasing Windows zero-day exploits. The post got a lot of backlash, so much so that Microsoft had to make a second post on Twitter on Monday. While the company says it has "no intention" to pursue legal actions against security researchers, it did say it will report them to law enforcement when they break the law, hinting that Nightmare Eclipse might have done something shady. [MSRC tweet // Last week's blog post]

Microsoft has known who NightmareEclipse is for months

It’s a much longer story than people know

Unfortunately for this young man, I don’t think that this pursuit is going to work out well for him, which I’ve advised him many times

They’re going to frame it as extortion

I…

— IRIS C2 (@C2IRIS) May 30, 2026

Another researcher drops a Microsoft zero-day: In the meantime, another security researcher has dropped a zero-day in Microsoft products without any prior disclosure. Ammar Askar published on Monday a one-click exploit that can steal GitHub tokens via the Visual Studio Code editor. Askar says previous Microsoft bug reports were played down and fixed without any rewards or credit. [Ammar Askar // GitHub PoC]

Google patches Android zero-day: Google has patched a zero-day in the Android mobile operating system. Tracked as CVE-2025-48595, the zero-day can let attackers elevate privileges on a compromised device. Google said the bug was spotted in limited, targeted attacks. It was one of 124 Android bugs patched this month. [Android June 2026 security updates]

New Oracle WebLogic bug exploited: CISA says a 2024 bug in Oracle WebLogic middleware is now being exploited in the wild. [CISA // CVE-2024-21182]

Windows Netlogon RCE exploited in the wild: Hackers are exploiting a major vulnerability in the Windows Netlogon authentication service. The vulnerability allows attackers to run malicious code on Windows Servers that work as domain controllers. The bug was patched in Microsoft's May security updates. The first attacks were reported last week by Belgium's cybersecurity agency. [CCB // CVE-2026-41089]

UniFi detection tool: Security firm BishopFox has released a write-up and detection tool for CVE-2026-22557, an unauth path traversal bug in Ubiquiti UniFi-based devices.

HP VoIP phone bugs: HP has released firmware patches for its VVX series of VoIP phones to fix a major security issue. The bug can allow remote attackers to run malicious code on the phones without needing to authenticate. Only devices where the Interactive Connectivity Establishment feature is enabled can be exploited. [Rapid7 // CVE-2026-0826]

NIST found guilty for NVD backlog: A US government audit has found NIST guilty for the vulnerability backlog at the NVD database. The Department of Commerce Inspector General says NIST lacked "strategic planning and decisive action" in dealing with an increasing number of unprocessed vulnerabilities submitted to NVD systems. The office estimated that an investment of only $800,000 would have covered the cost of the backlog. The audit was ordered in May of last year. Since then, NIST has given up on the NVD database and plans to only enrich a small number of important bugs. [Department of Commerce OIG]

Infosec industry

Threat/trend reports: Interisle and the Ural Center for Security Systems have recently published reports and summaries covering various threats and infosec industry trends.

Acquisition news: OT security giant Dragos has acquired Phosphorus, a platform for managing IoT technologies. [Dragos]

HIBP milestone: The Have I Been Pwned service has now indexed data from more than 1,000 breaches in what's a sad milestone for the internet. [Troy Hunt]

MITRE donates Caldera to ASF: Cybersecurity company MITRE has transferred ownership of the Caldera platform to the Apache Software Foundation. MITRE developed and open-sourced the platform in the 2010s to allow cybersecurity teams to emulate adversaries, run red-team exercises, and automate incident response. [MITRE press release // Apache Caldera // MITRE Caldera]

New tool—Coreutils for Windows: Microsoft has open-sourced a port of the GNU Coreutils for Windows.

New tool—Pyro Caml: Security firm Semgrep has open-sourced Pyro Caml, a continuous profiler for OCaml code.

fwd:cloudsec NA 2026: Live streams from the fwd:cloudsec 2026 North America security conference, which took place this week, are available on YouTube.

BSides Prague 2026 videos: Talks from the BSides Prague 2026 security conference, which took place in April, are available on YouTube.

Risky Business podcasts

In this episode of Risky Business Features, James Wilson takes a detailed look at the evolution and tactical prowess of the TeamPCP hacking group.
