Rising cyber threats fuel surge in malicious domain activity in Q2
DNSFilter has released its latest quarterly security report, highlighting the ongoing use of new domains and certain island nation domains in malicious online activity.
The report, which analysed threat traffic between April and June 2025, identifies a continued trend of bad actors leveraging fresh domains, as well as an increased use of country code Top Level Domains (ccTLDs) from smaller island nations in attempts to evade detection.
Increase in malicious activity
According to the report, DNSFilter processed billions more DNS queries in the second quarter of 2025 than in the previous quarter. June marked the highest volume of DNS traffic for the period. Almost 4% of this traffic was blocked, the highest proportion recorded by the company to date. While not all blocked queries were confirmed as malicious, the data suggests users are increasingly using DNS filtering to prevent access to both potential cyber threats and content considered time-wasting or inappropriate.
The analysis found that malware and phishing attempts continue to rise. Malware was the second most trafficked threat category on the network, indicating a persistent and growing threat environment.
Role of new domains in threat campaigns
Newly registered domains remain a significant challenge for security professionals. The report found that nearly 40% of requests associated with malicious activity targeted new domains. While this figure shows a slight decrease from the previous quarter, the use of such domains remains the main tactic for threat actors, who seek to exploit the period before these sites are identified and added to block lists.
The report stated, "When domains are new, they've not yet had time to appear on block lists, which gives bad actors time for exploitation."
Phishing trends
After a temporary reduction in activity, phishing and deception accounted for 31.6% of malicious traffic observed on DNSFilter's network in the quarter. This translated to over 750 million queries, attributed in part to more sophisticated Phishing-as-a-Service offerings, including Tycoon 2FA. These tools and techniques provide attackers with the means to bypass security controls and target victims with convincing fraudulent schemes.
Island nations' domains under scrutiny
A notable trend identified in the report is the increased use of domains linked to island nations by threat actors. Of the five ccTLDs most likely to be associated with malicious activity, four belonged to small island territories. Domains associated with the Faroe Islands (.fo) topped the list, with 27% of traffic from these domains deemed malicious. Also prominent were domains from Grenada, Mayotte, and Wallis and Futuna.
The report noted that "Threat actors adopt new TLDs for use in their campaigns and often choose TLDs and registries that are cheaper or even free in some cases, allowing them to quickly move on from domains and register new ones without cost concerns."
Response from DNSFilter
Ken Carnesi, CEO and Co-founder at DNSFilter, said: "Bad actors are agile, and the volume and variation of threats we saw in Q2 underscore that defenders must move as quickly and flexibly as attackers. Blocking new domains, which continue to drive threat traffic, remains a key defensive approach that can mitigate risk from emerging domains that bad actors are trying to weaponize quickly. We're seeing a structural shift in how modern attacks are launched and sustained and defenders must take notice."