← Back to context

Comment by 0points

18 hours ago

> https://github.com/Quad9DNS/quad9-domains-top500/blob/main/t...

{"position": 5, "domain_name": "kxulsrwcq.com", "date": "2025-07-10"}

What the

https://www.ipaddress.com/website/kxulsrwcq.com/

> Safety/Trust: Unknown

33 comments

0points

Reply
Matheus28  18 hours ago

Probably some sort of command and control for a botnet.

They calculate a random domain name based on the timestamp (so it’s constantly changing every X days in case it gets seized), and have some validation to make sure commands are signed (to prevent someone name squatting to control their botnet).

  • threeducks  18 hours ago

    Wow, that's smart. I was wondering whether there is a way for the bots to generate "unpredictable" domains such that security researchers could not predict them efficiently (even with source code), but the botnet controller can.

    Time-lock puzzles come close, but but it requires that the bots have computing power comparable to the security researchers.

    • orlp  17 hours ago

      > Wow, that's smart. I was wondering whether there is a way for the bots to generate "unpredictable" domains such that security researchers could not predict them efficiently (even with source code), but the botnet controller can.

      There is a fairly simple method which achieves the same advantage for a botnet controller.

      1. Use a hash of the current day to derive, for that day, an infinite stream of domain names. This could be something as simple as `to_human_readable_domain(sha256(daily_hash + i))`.

      2. A botnet slave attempts to access servers in a diagonal order over (days, domains), starting at the first domain for today and working backwards in days and forwards in domains. An image best describes what I mean by this: https://i.imgur.com/lcEbHwz.png

      3. So long as one of those domains is controlled by the botnet operator (which can be verified using a signed response from the server), they can control the botnet.

      This means that the botnet operator only needs to purchase one domain every couple of days to keep controlling their botnet, while someone trying to stop them will have to buy thousands and thousands every day.

      And when you successfully purchase a domain you can publish the new domain to any connected slaves, so this scheme is only necessary for recruitment into the network, not continued control.

      7 replies →

    • sim7c00  17 hours ago

      there are tools pretty good at detecting DGAs these days, but not often implemented.

      the best thing to do afaik is use services normal user shave access to, and communicate via those. its hard to tell for anyone who's extracting the data from the third party so the server is hidden. (e.g bot posts images to twitter, and server scrapes the images from twitter, this is also already old news but easier and more likely to sail through that next gen firewall -_-)

      i'd say having ur 'own' servers and domains is maybe even a bit dated ( though sadly still very effective!)

      2 replies →

    • bobmcnamara  16 hours ago

      Use a hash chain!

      Each time you resolve, the resulting IP can be part of the hash for predicting a future hostname.

0points  18 hours ago

More:

{"position": 26, "domain_name": "cmidphnvq.com", "date": "2025-07-10"}

{"position": 28, "domain_name": "xmqkychtb.com", "date": "2025-07-10"}

{"position": 37, "domain_name": "ezdrtpvsa.com", "date": "2025-07-10"}

{"position": 38, "domain_name": "wvdbozpfc.com", "date": "2025-07-10"}

{"position": 46, "domain_name": "bldrdoc.gov", "date": "2025-07-10"}

{"position": 52, "domain_name": "gadf99632rm.xyz", "date": "2025-07-10"}

miyuru  18 hours ago

google the domains and you will find subdomains that point to cachefly.

    hiwd.kxulsrwcq.com is pointing to vdd.cachefly.net

I am not sure, but my guess is they might be used by some kind of a streaming service.

  • danudey  18 hours ago

    Most likely something like an ad service to prevent their content being caught by domain blocklists. That would be similar to how a lot of websites started using randomized strings for attributes like id and class so that users couldn't block page elements based on CSS selectors.