
Traffic to a destination TLD commonly associated with malware

ID: bad_tld
Data type: DNS, HTTP
Severity: Informational
MITRE ATT&CK: TA0001:T1189

Description

AlphaSOC detected network traffic to a destination under a top-level domain (TLD) commonly associated with malware, phishing, or command and control (C2) communications.

Impact

Traffic to suspicious TLDs may indicate a successful malware infection or ongoing compromise attempts. Threat actors often leverage uncommon or newly introduced TLDs to host malicious infrastructure because these domains are typically cheaper and less scrutinized.

Severity

Severity        Condition
Informational   Traffic to a destination TLD commonly associated with malware

Investigation and Remediation

Inspect the domain that was flagged as a suspicious TLD and examine the associated traffic. If malware is confirmed, isolate the infected system, perform a malware scan, and block the domain at the network level.

Known False Positives

  • Traffic to a legitimate but less common TLD used by small countries or specific industries
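To illustrate the kind of check this alert encodes and the allowlisting needed for the false-positive case above, here is an added Python example; it is not AlphaSOC's own logic, and the TLD watchlist, the domain allowlist and the DNS log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed placeholder watchlist, not AlphaSOC's list and not a claim about any registry.
# In practice this is sourced from threat intelligence and reviewed regularly.
SUSPICIOUS_TLDS = {"zip", "top", "xyz"}

# Domains known to be legitimate despite their TLD (covers the "legitimate but
# less common TLD" false positive); constructed for the example.
ALLOWED_DOMAINS = {"partner.example.xyz"}

# Constructed log format: "<timestamp> <source-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")


@dataclass
class Alert:
    ts: str
    src: str
    qname: str
    tld: str


def tld_of(qname: str) -> str:
    """Return the lower-cased last label of a name, or '' for single-label names."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] if len(labels) > 1 else ""


def scan(lines):
    """Return one Alert per query whose TLD is on the watchlist and not allowlisted."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip malformed lines rather than failing the whole scan
            continue
        qname = m["qname"].rstrip(".").lower()
        tld = tld_of(qname)
        if tld in SUSPICIOUS_TLDS and qname not in ALLOWED_DOMAINS:
            alerts.append(Alert(m["ts"], m["src"], qname, tld))
    return alerts


def by_source(alerts):
    """Group flagged domains per source host to support triage of each system."""
    out = {}
    for a in alerts:
        out.setdefault(a.src, set()).add(a.qname)
    return out


# Constructed sample DNS log lines.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 query update.example.com.",
    "2024-05-01T10:00:02Z 10.0.0.5 query cdn-login.example.zip.",
    "2024-05-01T10:00:03Z 10.0.0.7 query partner.example.xyz.",
    "2024-05-01T10:00:04Z 10.0.0.9 query localhost",
    "malformed line",
    "2024-05-01T10:00:05Z 10.0.0.9 query tracker.example.TOP",
]
```

Running `by_source(scan(SAMPLE_LOG))` yields the flagged domains for hosts 10.0.0.5 and 10.0.0.9; the allowlisted partner domain and the single-label name produce no alert.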