In its latest threat analysis, Palo Alto Networks' Unit 42 observed that domain shadowing, a fraudulent phishing technique, is becoming prevalent. Hackers are now focusing on utilizing domain shadowing for stealthier attacks, which in simple terms is a subset of DNS hijacking.

Diving into details

  • In this hijacking technique, attackers create their own malicious sub-domains under compromised domains to perform malicious activities.
  • The fake sub-domains are utilized to build malicious pages on the cybercriminals' servers.
  • The hijacked domains are used by attackers to evade security checks and conduct operations like C2 server communication, malware distribution, phishing, and fraud.

Shadow domains are difficult for the victims to detect because they do not interfere with the regular operations of the hacked domains.

Domain Shadowing is gaining prominence

Palo Alto Networks threat researchers discovered 12,197 fake domains between April and June, as a result of the domain shadowing.
  • Out of the total number of fake domains, only 200 were flagged by VirusTotal as dangerous.
  • Several VirusTotal detections (151) were connected to a single phishing campaign using 649 shadowed domains on 16 compromised websites network.

According to Unit 42, it is challenging to identify bogus domains without the aid of automated machine learning algorithms that can examine a significant volume of DNS logs. As a result, threat actors are becoming more familiar with the technique.


Hackers use shadowed domains to carry out phishing and botnet operations, and detecting them continues to be a challenge. Hence, enterprises are advised to adopt next-gen security solutions with advanced solutions, such as using connected threat intel platforms, to stay one step ahead of the attackers.
Cyware Publisher