This Google Threat Intelligence search query is designed to identify newly registered domains that VirusTotal has tagged as the output of a domain generation algorithm (DGA), that carry multiple positive detections, and that were registered through a registrar frequently abused by threat actors.
entity:domain p:5+ tag:dga registrar:"NICENIC INTERNATIONAL GROUP CO., LIMITED" creation_date:5d+
Query Breakdown: The query combines entity filters, behavioral tags, reputation data, and creation metadata to precisely define the target domains.

Summary of Intent: The overall goal of this search is to identify fresh DGA infrastructure before it becomes widely known, by combining behavioral tags with creation metadata and reputation.
The search looks for:
- Entity Type: Records must be domains (entity:domain).
- Behavioral Flag: The domain must be flagged as DGA (tag:dga).
- High Confidence: It requires at least 5 engines to have flagged the domain (p:5+), which filters out single-vendor false positives; it does not by itself prove the domain is malicious, only that several vendors agree.
- Suspicious Registration: It restricts results to a registrar with a track record of abuse (registrar:"NICENIC INTERNATIONAL GROUP CO., LIMITED"); the value is quoted because it contains spaces and punctuation.
- Recency: It keeps only domains whose WHOIS creation date falls within the last 5 days (creation_date:5d+). The trailing + selects dates newer than the cut-off, so this means "registered in the last 5 days", not "at least 5 days old"; the 5d- form would select the older population instead. This is what surfaces freshly deployed infrastructure.
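To make the modifier semantics concrete, here is an added Python example (not code from the original post or from Google/VirusTotal) that parses the query above into its modifiers, applies the same logic locally to a handful of constructed domain records shaped like VirusTotal v3 domain objects, and builds, without sending, the request for the v3 Intelligence search endpoint. The record layout (type, id, attributes.last_analysis_stats.malicious, attributes.tags, attributes.registrar, attributes.creation_date as a Unix timestamp) follows the public v3 domain object; the comparison rules (p:N+ means N or more positives, creation_date:Nd+ means newer than N days ago, registrar is a case-insensitive substring match) are stated assumptions about GTI behaviour, and the sample domains, counts and fixed clock are constructed for the example. The second search call flips 5d+ to 5d- to show that the two windows are disjoint.

```python
"""Parse a GTI/VirusTotal Intelligence domain query and apply its modifiers locally."""
import re
import shlex
import time
from urllib.parse import urlencode

# The query from the page.
QUERY = ('entity:domain p:5+ tag:dga '
         'registrar:"NICENIC INTERNATIONAL GROUP CO., LIMITED" creation_date:5d+')

SEARCH_ENDPOINT = "https://www.virustotal.com/api/v3/intelligence/search"
DAY = 86400
NUM_MOD = re.compile(r"^(\d+)([+-]?)$")    # p:5+  -> five or more positives (assumed semantics)
REL_DATE = re.compile(r"^(\d+)d([+-])$")   # creation_date:5d+ -> newer than 5 days ago (assumed)


def parse_query(query):
    """Split the query into {modifier: raw value}; shlex keeps the quoted registrar whole."""
    mods = {}
    for token in shlex.split(query):
        key, sep, value = token.partition(":")
        if not sep:
            raise ValueError(f"bare term without a modifier: {token!r}")
        mods[key] = value
    return mods


def build_request(query):
    """Return the URL and auth header for the v3 Intelligence search; nothing is sent here."""
    return f"{SEARCH_ENDPOINT}?{urlencode({'query': query})}", {"x-apikey": "<YOUR_API_KEY>"}


def _count_ok(raw, actual):
    m = NUM_MOD.match(raw)
    if not m:
        raise ValueError(f"unsupported count value {raw!r}")
    n, sign = int(m.group(1)), m.group(2)
    if sign == "+":
        return actual >= n
    if sign == "-":
        return actual <= n
    return actual == n


def _date_ok(raw, created, now):
    m = REL_DATE.match(raw)
    if not m:
        raise ValueError(f"unsupported date value {raw!r} (only Nd+/Nd- handled here)")
    boundary = now - int(m.group(1)) * DAY
    # '+' keeps creation dates newer than the boundary (the last N days), '-' keeps older ones.
    return created >= boundary if m.group(2) == "+" else created <= boundary


def matches(record, mods, now=None):
    """Apply every parsed modifier to one record shaped like a VT v3 domain object."""
    now = time.time() if now is None else now
    a = record["attributes"]
    checks = {
        "entity": lambda v: record["type"] == v,
        "p": lambda v: _count_ok(v, a["last_analysis_stats"]["malicious"]),
        "tag": lambda v: v in a.get("tags", []),
        "registrar": lambda v: v.lower() in a.get("registrar", "").lower(),
        "creation_date": lambda v: _date_ok(v, a["creation_date"], now),
    }
    for key, value in mods.items():
        if key not in checks:
            raise ValueError(f"unsupported modifier {key!r}")
        if not checks[key](value):
            return False
    return True


def search_local(records, query, now=None):
    """Return the ids of the records the query would select, in input order."""
    mods = parse_query(query)
    return [r["id"] for r in records if matches(r, mods, now)]


# Constructed sample data: a fixed clock and six hypothetical domains.
NOW = 1_700_000_000
NICENIC = "NICENIC INTERNATIONAL GROUP CO., LIMITED"


def domain(name, malicious, tags, registrar, age_days):
    return {"type": "domain", "id": name, "attributes": {
        "last_analysis_stats": {"malicious": malicious, "suspicious": 0, "harmless": 60},
        "tags": tags, "registrar": registrar, "creation_date": NOW - age_days * DAY}}


SAMPLE = [
    domain("xk3j9qw2lp.example", 7, ["dga"], NICENIC, 2),        # fresh, tagged, detected: hit
    domain("p0z8vq1m.example", 5, ["dga"], NICENIC, 4),          # exactly 5 positives: still a hit
    domain("r7t2nd.example", 3, ["dga"], NICENIC, 1),            # too few positives
    domain("shop-login.example", 9, [], NICENIC, 1),             # not tagged dga
    domain("a1b2c3d4e5.example", 8, ["dga"], "Example Registrar, LLC", 1),  # other registrar
    domain("old-dga.example", 12, ["dga"], NICENIC, 40),         # registered 40 days ago
]

if __name__ == "__main__":
    print(search_local(SAMPLE, QUERY, NOW))
    print(search_local(SAMPLE, QUERY.replace("5d+", "5d-"), NOW))
    print(build_request(QUERY)[0])
```

Running it selects xk3j9qw2lp.example and p0z8vq1m.example for the page's query, while the 5d- variant selects only old-dga.example; the two filters never overlap, which is the check to run if a hunt over "fresh" infrastructure unexpectedly returns long-lived domains.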
Author’s Note & Citation: The above infographics were provided by the VirusTotal team, with NotebookLM used for the summary graphic. Additional analysis and details of this search query were written by the amazing