OSINT - RDGAs: The Next Chapter in Domain Generation Algorithms
AI Analysis
Technical Summary
The threat titled "OSINT - RDGAs: The Next Chapter in Domain Generation Algorithms" is an open-source intelligence (OSINT) record pointing to research on the evolution and use of registered domain generation algorithms (RDGAs). Domain Generation Algorithms (DGAs) are techniques used by malware to algorithmically generate a large number of domain names that can serve as rendezvous points for command and control (C2) servers. RDGAs are an evolution of this technique: as the Infoblox text quoted in this record describes, the threat actor uses an algorithm to register many domain names at one time rather than having malware compute candidate domains at run time, which makes the resulting domains considerably harder to detect and block with traditional security controls. This record focuses on gathering intelligence and analyzing network data to understand these RDGA patterns, rather than reporting an active exploit or vulnerability. The information is sourced from CIRCL, a reputable cybersecurity research organization, and is categorized under OSINT with a perpetual lifetime and moderate certainty (50%). No specific affected software versions or patches are identified, and there are no known exploits in the wild. The threat level is rated as low, indicating limited immediate risk. The record emphasizes skills in network data analysis, suggesting that defenders and analysts can leverage network telemetry to detect and mitigate RDGA-based threats. Overall, it provides valuable insight into emerging DGA techniques that threat actors could leverage in the future, but it does not currently represent an active or critical security vulnerability.
Potential Impact
For European organizations, the direct impact of this OSINT campaign is currently low, as it does not describe an active exploit or vulnerability but rather an intelligence gathering and analysis effort. However, the evolution of RDGAs poses a latent risk: more advanced DGAs can enable malware to better evade detection by dynamically generating domains that are harder to predict and block. This can complicate network defense strategies, potentially leading to increased difficulty in identifying and disrupting malware C2 communications. European organizations with significant internet-facing infrastructure, especially those in sectors like finance, critical infrastructure, and telecommunications, could face challenges in maintaining effective domain-based threat detection. The campaign's focus on network data analysis skills highlights the importance of advanced monitoring and threat hunting capabilities to preemptively identify RDGA activity. While no immediate compromise or data loss is indicated, the sophistication of RDGAs could eventually impact confidentiality and availability if leveraged by threat actors in targeted attacks.
Mitigation Recommendations
Given the nature of this threat as an OSINT campaign rather than an active exploit, mitigation focuses on preparedness and detection:
1. Enhance Network Telemetry: Deploy and tune DNS monitoring tools to detect anomalous domain generation patterns indicative of RDGAs.
2. Threat Intelligence Integration: Incorporate emerging RDGA indicators and behavioral patterns into threat intelligence platforms to improve detection capabilities.
3. Advanced Analytics and Machine Learning: Utilize machine learning models trained to identify algorithmically generated domains, adapting to new RDGA variants.
4. Incident Response Readiness: Develop playbooks for investigating suspected RDGA activity, including domain sinkholing and traffic analysis.
5. Collaboration and Information Sharing: Engage with European cybersecurity communities and CERTs to share findings and detection strategies related to RDGAs.
6. User Awareness: While user interaction is not required for RDGA exploitation, educating staff on phishing and malware risks remains important as DGAs often support malware campaigns.
These measures go beyond generic advice by emphasizing proactive network analysis, intelligence sharing, and advanced detection tailored to evolving RDGA techniques.
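One way to operationalize recommendation 1 against the families in this record's IoC table, as an added example that is not part of the original record or of CIRCL's or Infoblox's tooling: the Python below parses constructed DNS query log lines, collapses digit runs so bulk-registered keyword-number domains (the Revolver Rabbit .bond shape) cluster under one template, and separately flags long high-entropy labels with digits mixed into letters (the traditional-DGA shape of the SocGholish .top entries). The log format, the thresholds and the single-label public-suffix assumption are mine.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log ("<timestamp> <client> <qname>"); not from the page. The names
# reuse two families from this record's IoC table, mixed with benign traffic.
SAMPLE_LOG = """\
2024-07-24T10:00:01Z 10.0.0.5 welding-machines-10120.bond
2024-07-24T10:00:02Z 10.0.0.5 welding-machines-35450.bond
2024-07-24T10:00:03Z 10.0.0.7 welding-machines-56397.bond
2024-07-24T10:00:04Z 10.0.0.7 ai-courses-12139.bond
2024-07-24T10:00:05Z 10.0.0.9 ai-courses-13069.bond
2024-07-24T10:00:06Z 10.0.0.9 ai-courses-14729.bond
2024-07-24T10:00:07Z 10.0.0.5 6rnd9mitqt1rz82.top
2024-07-24T10:00:08Z 10.0.0.5 7r7suw52ls00i20.top
2024-07-24T10:00:09Z 10.0.0.7 www.example.com
2024-07-24T10:00:10Z 10.0.0.7 mail.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def registered_label(qname):
    """(second-level label, tld); assumes a single-label public suffix (use a PSL for co.uk etc.)."""
    parts = qname.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else None

def template(label):
    """Collapse digit runs: welding-machines-10120 and welding-machines-35450 share one template."""
    return re.sub(r"\d+", "#", label)

def entropy(text):
    """Shannon entropy of a string in bits per character."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(label):
    """Traditional-DGA-style label (e.g. 6rnd9mitqt1rz82): long, high entropy, digits inside a word."""
    bare = label.replace("-", "")
    digit_mix = re.search(r"[a-z]\d|\d[a-z]", label) is not None
    return len(bare) >= 12 and entropy(bare) >= 3.0 and digit_mix

def analyse(log_text, min_cluster=3):
    """Return (templates seen with >= min_cluster distinct domains, random-looking domains)."""
    clusters = defaultdict(set)
    random_like = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reg = registered_label(m.group(3))
        if reg is None:
            continue
        label, tld = reg
        domain = f"{label}.{tld}"
        # Many distinct domains sharing one template is the RDGA signal: the actor
        # registered them in bulk (the defining trait in the quoted Infoblox text).
        clusters[f"{template(label)}.{tld}"].add(domain)
        if looks_random(label):
            random_like.add(domain)
    rdga = {t: sorted(d) for t, d in clusters.items() if len(d) >= min_cluster}
    return rdga, sorted(random_like)
```

Tune `min_cluster` and the entropy threshold against your own resolver baseline; dictionary-word RDGA families such as the VexTrio Viper entries have no digits and need a separate wordlist-based check.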
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Threat Level: 3
- Analysis: 2
- Uuid: 636cabbd-4bde-4fb2-bc6b-6b2c05fafcd5
- Original Timestamp: 1721827141 (Unix epoch seconds, 2024-07-24 UTC)
Indicators of Compromise
Domain
Value | Description
---|---
6rnd9mitqt1rz82.top | SocGholish/TA569 affiliate traditional DGA domains
7r7suw52ls00i20.top | SocGholish/TA569 affiliate traditional DGA domains
9w9ohb5vky5p3dz.top | SocGholish/TA569 affiliate traditional DGA domains
bjbntaxmh09r09e.top | SocGholish/TA569 affiliate traditional DGA domains
qcj4pirltkpqrcu.top | SocGholish/TA569 affiliate traditional DGA domains
h87e1mbm0u5f85.xyz | Weight loss pill scam RDGA domains
n8j1nau3os4otr.xyz | Weight loss pill scam RDGA domains
xnnxr1jquyupjc.xyz | Weight loss pill scam RDGA domains
xqajkr8fbrdryp0.xyz | Weight loss pill scam RDGA domains
xryqcgcb2upb28k.xyz | Weight loss pill scam RDGA domains
arriveplanetsnow.buzz | VexTrio Viper RDGA domains
coatthinkverb.buzz | VexTrio Viper RDGA domains
debtgenepub.live | VexTrio Viper RDGA domains
poemtrainsurprise.top | VexTrio Viper RDGA domains
quarterneighbourforward.xyz | VexTrio Viper RDGA domains
castrocountyjail.org | Regional jail RDGA domains
killeencityjail.org | Regional jail RDGA domains
lasalleparishjail.org | Regional jail RDGA domains
miamidadecountyjail.org | Regional jail RDGA domains
northcentralregionaljail.org | Regional jail RDGA domains
arenadiploma.com | Russian diploma scam RDGA domains
area-diploman24.com | Russian diploma scam RDGA domains
area-diplomans24.com | Russian diploma scam RDGA domains
area-diploms24.com | Russian diploma scam RDGA domains
area-diplomy24.com | Russian diploma scam RDGA domains
areas-diplom.com | Russian diploma scam RDGA domains
areas-diplom24.com | Russian diploma scam RDGA domains
areas-diplomy24.com | Russian diploma scam RDGA domains
arena-diplomsy24.com | Russian diploma scam RDGA domains
arena-diplomy24.com | Russian diploma scam RDGA domains
chopprousite.ru | Hancitor C2 RDGA domains
patiennerrhe.com | Hancitor C2 RDGA domains
thougolograrly.ru | Hancitor C2 RDGA domains
dintretonid.com | Hancitor C2 RDGA domains
dintretrewor.com | Hancitor C2 RDGA domains
dintrolletone.com | Hancitor C2 RDGA domains
dintromparsup.com | Hancitor C2 RDGA domains
direnrolpar.ru | Hancitor C2 RDGA domains
hadhecrecled.com | Hancitor C2 RDGA domains
hadrecrolof.ru | Hancitor C2 RDGA domains
hadsparmirat.com | Hancitor C2 RDGA domains
hanparolhar.com | Hancitor C2 RDGA domains
rofromandfor.ru | Hancitor C2 RDGA domains
rowrorofrat.com | Hancitor C2 RDGA domains
assisted-living-11607.bond | Revolver Rabbit RDGA domains
online-jobs-42681.bond | Revolver Rabbit RDGA domains
perfumes-76753.bond | Revolver Rabbit RDGA domains
security-surveillance-cameras-42345.bond | Revolver Rabbit RDGA domains
yoga-classes-35904.bond | Revolver Rabbit RDGA domains
ai-courses-12139.bond | Revolver Rabbit RDGA domains
ai-courses-13069.bond | Revolver Rabbit RDGA domains
ai-courses-14729.bond | Revolver Rabbit RDGA domains
ai-courses-16651.bond | Revolver Rabbit RDGA domains
ai-courses-17621.bond | Revolver Rabbit RDGA domains
app-software-development-training-52686.bond | Revolver Rabbit RDGA domains
app-software-development-training-54449.bond | Revolver Rabbit RDGA domains
app-software-development-training-55554.bond | Revolver Rabbit RDGA domains
app-software-development-training-57549.bond | Revolver Rabbit RDGA domains
ai-courses-2024-pe.bond | Revolver Rabbit RDGA domains
ai-courses-2024-pk.bond | Revolver Rabbit RDGA domains
ai-courses-2024sa.bond | Revolver Rabbit RDGA domains
ai-courses2023-in.bond | Revolver Rabbit RDGA domains
ai-courses2023in.bond | Revolver Rabbit RDGA domains
ai-courses2024in.bond | Revolver Rabbit RDGA domains
app-software-development-italy.bond | Revolver Rabbit RDGA domains
app-software-development-training-usa.bond | Revolver Rabbit RDGA domains
online-degrees-16099.bond | Revolver Rabbit RDGA domains
portable-air-conditioner-12322.bond | Revolver Rabbit RDGA domains
river-cruises-13890.bond | Revolver Rabbit RDGA domains
roofing-services-10175.bond | Revolver Rabbit RDGA domains
travel-insurance-43494.bond | Revolver Rabbit RDGA domains
usa-online-degree-29o.bond | Revolver Rabbit RDGA domains
bra-portable-air-conditioner-9o.bond | Revolver Rabbit RDGA domains
uk-river-cruises-8n.bond | Revolver Rabbit RDGA domains
rsa-roofing-services-8n.bond | Revolver Rabbit RDGA domains
col-travel-insurance-3n.bond | Revolver Rabbit RDGA domains
welding-machines-10120.bond | Revolver Rabbit RDGA domains
welding-machines-35450.bond | Revolver Rabbit RDGA domains
welding-machines-56397.bond | Revolver Rabbit RDGA domains
welding-machines-76813.bond | Revolver Rabbit RDGA domains
welding-machines-99146.bond | Revolver Rabbit RDGA domains
tires-book-robust.bond | Revolver Rabbit RDGA domains used as C2 / decoy domains for XLoader malware
laser-skin-treatment-19799.bond | Revolver Rabbit RDGA domains used as C2 / decoy domains for XLoader malware
pool-repair-35063.bond | Revolver Rabbit RDGA domains used as C2 / decoy domains for XLoader malware
apartments-for-rent-72254.bond | Revolver Rabbit RDGA domains used as C2 / decoy domains for XLoader malware
hemophilia-treatment-41433.bond | Revolver Rabbit RDGA domains used as C2 / decoy domains for XLoader malware
Link
Value | Description
---|---
https://blogs.infoblox.com/threat-intelligence/rdgas-the-next-chapter-in-domain-generation-algorithms/ | —
Text
- This trailblazing report explores a burgeoning technique that threat actors are using to covertly transform the DNS threat landscape with millions of new domains. You'll learn how traditional malware-based domain generation algorithms (DGAs) have evolved into registered DGAs (RDGAs) that can be used for malware, phishing, spam, scams, gambling, traffic distribution systems (TDS), virtual private networks (VPNs), and more. We'll unveil a new RDGA threat actor named Revolver Rabbit who's associated with XLoader malware. We'll also reveal how the notorious Hancitor malware used an RDGA to generate its C2 domains for years while most of the security industry remained oblivious to their methods. This blog discusses some of the highlights from our full research paper, which is available here.
  For nearly two decades, threat actors have used domain generation algorithms (DGAs) to distribute malware. In recent years, threat actors have been employing a technique we call registered domain generation algorithms (RDGAs), in which the actor uses an algorithm to register many domain names at one time. RDGAs are considerably harder to detect and defend against than traditional DGAs, and despite their prevalence on the internet, they have been woefully underreported by the security community. We originally described RDGAs in October 2023 and have published on the topic multiple times since then.
- Blog
Threat ID: 682c7adbe3e6de8ceb777e45
Added to database: 5/20/2025, 12:51:39 PM
Last enriched: 6/19/2025, 2:17:53 PM
Last updated: 8/11/2025, 2:30:33 AM