
Bulletin: DNS Abuse Campaign Exploiting "Subdomain Cloaking"

Rowena Schoo

As a follow up to our recent blog on the concentration of malicious phishing, we are publishing this blog to raise awareness of a recently observed (and ongoing) campaign which involves a specific type of malicious registration.


Summary


In August 2025 NetBeacon MAP observed over two thousand domains following a similar pattern and appearing to be part of a coordinated campaign targeting UK citizens by impersonating the UK government. 

The campaign impersonates an official UK government website and seeks to collect sensitive details, including credit/debit card numbers, from individuals who are eligible for a government subsidy to assist with payment for heating bills during winter, known as the "Winter Fuel Payment". The government payment is given to individuals who are UK residents, over 65 years of age, and earn below an income threshold. It’s typically automatically paid to eligible citizens in November or December. The official government website (gov.uk) has information on this scheme located at: https://www.gov.uk/winter-fuel-payment.

In August 2025, NetBeacon MAP identified 2,227 unique domain names that appear to be part of a coordinated phishing campaign. The registrations are primarily concentrated in two registrar credentials: 90% (1994) in Aceville Pte. Ltd. (IANA ID 3858) and 10% (230) Dominet (HK) Limited (IANA ID 3775). 

These domains are split across multiple TLDs, with the majority (45%, 998) in .cfd operated by Shortdot SA and .qpon (34%, 761) operated by DOTQPON LLC. The remainder (21%, 468) are spread among 33 different TLDs, as shown in the table below.

[Table image: distribution of the 2,227 campaign domains across TLDs; not preserved in this text]

Attack Technique: Subdomain Cloaking

This campaign is characterized by a specific abuse technique that uses subdomains to confuse the target. We call this technique Subdomain Cloaking. The technique, which is not new, typically uses one or more subdomains to create the impression of a legitimate domain name. The subdomain(s) are combined with keywords and/or random letters in the main (second-level) domain label, followed by any Top Level Domain (TLD). Elements of the expected domain name are placed at the left-hand end of the whole string, towards the left of the user's field of view.

An example of this attack is: gov.uk-[keyword][random letters].[TLD].

This Winter Fuel campaign uses a selection of keywords: "winter", "fuel", "notification", "subsidy", "announcement", and "dwp", the latter referring to the UK Government Department for Work and Pensions. Examples of domains used in this particular attack are included below. In this case the pattern also uses a page path to further confuse users. The pattern is as follows:

[subdomain].[domain].[TLD][Page path]

[gov].[uk-winter+letters].[qpon][/uk]

[Image: example domains used in the Winter Fuel campaign; not preserved in this text]

Under examination, the full URLs can be differentiated from the actual UK government URL (https://www.gov.uk/winter-fuel-payment). However, when users access domains on mobile devices, the full domain is not consistently displayed and (in this example) the most convincing section of the domain (gov.uk) is the part that remains prominent. Many users may not immediately recognise the importance of where "gov.uk" sits in the string, or that text after a "/" is a page path rather than a TLD.

Campaign Status

This campaign may still be ongoing, though the volume of domains identified in October and November was substantially lower. We share evidenced abuse reports with registries, registrars, and web hosts through NetBeacon Reporter, our centralized abuse reporting conduit. Below is an example of the content located on one of these domains.  

[Image: content served on one of the campaign domains; not preserved in this text]
A note on Subdomain Service Abuse

Subdomain Cloaking should not be confused with Subdomain Service Abuse. Subdomain Service Abuse occurs when there is a legitimate domain name that provides subdomains to users, and one of those users registers a subdomain and uses it maliciously. In such a circumstance, the registry and registrar should work with the legitimate domain registrant to tackle the abuse rather than suspend the domain name, as this could cause significant collateral damage to other legitimate subdomain users. Suspending the domain could easily suspend thousands or millions of crucial and legitimate subdomains underpinning use of the internet and connected systems. Subdomain Cloaking, by contrast, occurs when the domain registrant is acting maliciously but is further obscuring their activities by using subdomains to make the second-level domain appear to be exploited or compromised, rather than part of a malicious campaign.

An Attack Trend

This trend is concerning because if a registry or registrar receives one subdomain report in isolation, it will very likely not be clear that the entire second-level domain name is maliciously registered. We are writing this blog to raise awareness of this technique and to encourage registrars and registries to investigate patterns like this, even if they only receive one report. In addition, it has become clear to us that these types of malicious registrations are sometimes reported without all the necessary information; most commonly the subdomain is missing, or the URL is incomplete. This makes measurement, evidence collection and disruption of harm even more challenging. We know many of these domains went unreported because of a lack of evidence due to missing subdomains.

This technique is similar to what we have seen previously with the US-focused toll road scams which utilized Subdomain Cloaking to obscure their malicious intent. It nestled the real domain name "driveezmd.com" into a larger subdomain driveezmd.com-[keyword/randomwords].[TLD]. 

Related Winter Fuel Campaign in .UK

There appears to have been a similar Winter Fuel campaign attempted in the .uk TLD. Since August 2025 Nominet UK, which operates the .uk registry, has suspended nearly 100 domains that were registered to take advantage of those seeking the Winter Fuel Payment. Nominet was able to identify these domains at the point of registration using its proprietary machine learning tool, Domain Watch. These were then reviewed and suspended by Nominet's analysts as abusive registrations. The keywords in the domain names were very similar, but in this case the TLD impersonation was at the domain level.

Examples of suspended domains include:

winter-subsidy-gov[.]uk
apply-subsidy-gov[.]uk
fuel-subsidy-gov[.]uk
winter-apply-gov[.]uk
subsidies-payment-gov[.]uk

Why It Matters

Subdomain Cloaking represents an important trend in domain-based phishing abuse.

These are intentionally registered to deceive both users and analysts. When viewed in isolation, a single subdomain may seem benign, but at scale, the pattern reveals coordinated abuse.

As the domain registration industry becomes more proactive with respect to this type of campaign, we can anticipate that attackers will quickly shift between TLDs and/or registrars. Registrars and registries should be aware of this trend and look out for "TLD-" combinations, for example: com-, uk-, gov-, de-, ca-, org-, pl-, etc., or -uk, -com, -gov, etc.

Importance of Complete Reports

Researchers, law enforcement, security professionals, and threat feeds should pay particular attention to making sure reports of malicious domains include the full URL, including subdomains and page path. Otherwise, situations that involve Subdomain Cloaking could be overlooked in analysis. A complete URL helps NetBeacon Reporter pass on actionable evidence to industry, and means NetBeacon MAP can accurately measure mitigation.
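Putting the pattern described under "Attack Technique: Subdomain Cloaking" and the "TLD-"/"-TLD" watch list above into a small checker, as an added example that is not NetBeacon's own tooling: it splits a reported URL into subdomain, second-level label, TLD and path, flags the tell-tale signs, and shows why a report that omits the subdomain loses the most telling evidence. The keyword and TLD-token lists are constructed from the examples in this bulletin, and the code assumes single-label TLDs (no Public Suffix List handling).

```python
import re
from urllib.parse import urlsplit

# "TLD-" prefixes / "-TLD" suffixes to watch for inside the second-level label
# (list constructed from the examples given in the bulletin).
TLD_TOKENS = ("com", "uk", "gov", "de", "ca", "org", "pl", "net")
# Keywords observed in the Winter Fuel campaign.
KEYWORDS = ("winter", "fuel", "notification", "subsidy", "announcement", "dwp")


def analyse_url(url):
    """Split a reported URL into DNS levels and flag Subdomain Cloaking signs.
    Assumes a single-label TLD; real code would use the Public Suffix List."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    labels = (parts.hostname or "").rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    subs, sld, tld = labels[:-2], labels[-2], labels[-1]
    result = {
        "registrable": f"{sld}.{tld}",  # the name a registrar/registry can act on
        "subdomain": ".".join(subs),
        "path": parts.path,
        "findings": [],
    }
    # 1) second-level label starting with "TLD-" or ending with "-TLD"
    m = re.match(r"^([a-z]+)-", sld)
    if m and m.group(1) in TLD_TOKENS:
        result["findings"].append(f"second-level label starts with '{m.group(1)}-'")
    m = re.search(r"-([a-z]+)$", sld)
    if m and m.group(1) in TLD_TOKENS:
        result["findings"].append(f"second-level label ends with '-{m.group(1)}'")
    # 2) subdomain(s) plus the part of the SLD before its first hyphen spell a
    #    legitimate-looking name ("gov" + "uk-winterabcd" -> "gov.uk"). This is
    #    only visible when the report includes the subdomain.
    if subs and "-" in sld:
        result["mimics"] = ".".join(subs + [sld.split("-", 1)[0]])
        result["findings"].append(f"'{result['mimics']}' imitates a legitimate domain")
    # 3) campaign keywords inside the registrable label
    hits = [k for k in KEYWORDS if k in sld]
    if hits:
        result["findings"].append("campaign keywords: " + ", ".join(hits))
    return result


if __name__ == "__main__":
    # Constructed sample reports: complete, subdomain dropped, .uk-style, genuine
    for u in ("https://gov.uk-winterabcd.qpon/uk", "uk-winterabcd.qpon/uk",
              "winter-subsidy-gov.uk", "https://www.gov.uk/winter-fuel-payment"):
        print(u, "->", analyse_url(u))
```

Note that the genuine https://www.gov.uk/winter-fuel-payment produces no findings, while the same cloaked name reported without its "gov" subdomain loses the "imitates a legitimate domain" finding entirely.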


1 Analysis of previous months found a similar pattern in July 2025 with a smaller number of domains (1,337). These were primarily concentrated in two registrar credentials, Aceville Pte. Ltd. (IANA ID 3858), 76%, and Dominet (HK) Limited (IANA ID 3775), and two TLDs: .cfd (43%) and .icu (31%). Previous months indicated only a smaller number (less than 100 domains) of potential matching patterns.

2 Domain names are read by computers from right to left: the Top Level Domain (TLD) is on the right-hand side, and to its left, after a dot ".", is the Domain Name, referred to as the 'second level'. In some cases there will be another label to the left of a further dot "." – this is called a subdomain, or a third-level registration. In general, the structure of a domain name is as follows: subdomain.domain.TLD or thirdlevel.secondlevel.toplevel.

3 The letters and numbers included after the slash "/" are not part of the domain structure; they indicate a page path, which helps browsers navigate the website the domain name points to.

4 Virginia Department of Transportation; EZPass Virginia Service Center, “Active Smishing Scam,” https://www.ezpassva.com/news-resources/news/2025/active-smishing-scam.html ; Federal Bureau of Investigation, “Smishing Scam Regarding Debt for Road Toll Services,” 12 April 2024, https://www.ic3.gov/PSA/2024/PSA240412.