Phishing attackers have been exploiting various Top-Level Domains (TLDs) to conduct their malicious activities, with TLDs like .li, .es, and .dev being commonly abused. These domains are used to host phishing pages, fake login portals, and malware redirects, making it challenging for users to detect these threats.
Recent data from ANY.RUN has identified the top 20 TLDs that are frequently utilized in phishing campaigns. These domains play a crucial role in fake delivery scams, credential harvesting, and multi-stage redirect chains, highlighting the significance of domain names in cyber attacks.
One of the most abused TLDs identified by ANY.RUN in 2025 is .li, where a significant number of domains were flagged as malicious. Although .li domains may not directly host phishing content, they often serve as redirectors that lead users to fraudulent sites, such as fake login pages and malware downloads, evading traditional detection methods.
The deceptive nature of .li domains lies in their ability to quietly redirect users to malicious sites without raising suspicion. Because the .li domain itself often hosts nothing harmful, URL reputation checks on the first hop can miss the threat, which is why ANY.RUN emphasizes tracing the full redirect chain and analyzing the landing page in real time.
Aside from .li, several other TLDs are frequently exploited by cybercriminals in phishing campaigns. For example, the .es domain is commonly used in credential phishing and fake delivery scams, preying on users by mimicking legitimate services and inducing them to disclose sensitive information.
Another TLD, .sbs, known for its affordability, is favored by attackers for hosting phishing pages aimed at stealing login details or financial data. Similarly, the .cfd domain often appears in phishing kits posing as legitimate platforms to deceive users into divulging corporate credentials.
Well-established TLDs like .ru and .dev are also misused by attackers to lend credibility to their malicious activities. While .ru is used to target users in or near Russia, .dev domains, commonly associated with Google services, are exploited to impersonate reputable SaaS platforms, making it harder for users to differentiate between genuine and fake sites.
Interactive sandboxes like ANY.RUN play a crucial role in combating phishing threats by allowing security teams to analyze suspicious URLs, monitor redirections, and extract indicators of compromise automatically. By leveraging behavior-based verdicts and real-time analysis, organizations can quickly identify and mitigate phishing attacks before they cause significant harm.
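As an added defender-side example (not ANY.RUN's code or a description of its engine), the script below reconstructs redirect chains from constructed proxy log lines, records the TLDs each chain traverses, and flags chains that hop across TLDs while touching one of the TLDs named above; the log format, the watchlist set, the example hostnames and the flagging rule are all assumptions made for this illustration.

```python
from urllib.parse import urlparse

# TLDs the article names as frequently abused (a watchlist is this example's assumption).
WATCHLIST_TLDS = {"li", "es", "sbs", "cfd", "ru", "dev"}

# Constructed proxy log: "<client> <status> <requested-url> <Location-header-or-dash>"
SAMPLE_LOG = """\
10.0.0.5 302 http://track.example.li/go?id=7 https://login-portal.example.sbs/auth
10.0.0.5 200 https://login-portal.example.sbs/auth -
10.0.0.9 302 https://news.example.com/a https://news.example.com/b
10.0.0.9 200 https://news.example.com/b -
10.0.0.12 302 http://short.example.li/x https://docs.example.dev/signin
10.0.0.12 302 https://docs.example.dev/signin https://cdn.example.cfd/dl
10.0.0.12 200 https://cdn.example.cfd/dl -
"""

def tld_of(url):
    """Last DNS label of the host (no public-suffix list, so .co.uk yields 'uk')."""
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""

def build_chains(text):
    """Stitch each client's requests into redirect chains: a 3xx Location that
    matches the client's next requested URL extends the current chain."""
    by_client = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1].isdigit():        # skip malformed lines
            client, status, url, loc = parts
            by_client.setdefault(client, []).append((int(status), url, loc))
    chains = []
    for hops in by_client.values():
        expected, current = None, None
        for status, url, loc in hops:
            if current is None or url != expected:        # not a continuation: new chain
                current = []
                chains.append(current)
            current.append(url)
            expected = loc if 300 <= status < 400 and loc != "-" else None
    return chains

def analyze(text):
    """One finding per chain: TLDs traversed, landing URL (the IoC worth extracting)
    and a suspicious flag when the chain crosses TLDs and touches a watch-listed one."""
    findings = []
    for chain in build_chains(text):
        tlds = [tld_of(u) for u in chain]
        hits = sorted(set(tlds) & WATCHLIST_TLDS)
        findings.append({"chain": chain, "tlds": tlds, "landing": chain[-1],
                         "watchlisted": hits, "suspicious": len(set(tlds)) > 1 and bool(hits)})
    return findings
```

Run against real proxy logs, the landing URLs of suspicious chains are the values to submit for sandbox analysis, while same-TLD redirects such as the news.example.com pair stay unflagged.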
In conclusion, the abuse of TLDs in phishing attacks underscores the evolving tactics employed by cybercriminals to deceive users and compromise sensitive information. As the cybersecurity landscape continues to evolve, organizations must remain vigilant and adopt advanced detection mechanisms to combat these sophisticated threats effectively.