March 12, 2026 | Written by: Yaëlle Harel | DNS Security
Tags: DGA, DNS, DNS Security, DNS Threat Intelligence, Data exfiltration, Enterprise Network Security, Threat Intelligence, Threat Investigation, Threat Report
Cybercrime has entered a new phase of industrialized preparation, where attacks are no longer isolated events, but rather carefully orchestrated cycles of staging and rapid execution. As outlined in the 2026 DNS Threat Intelligence report “The Era of Staged Attacks: How 2025 DNS Threat Intelligence Shapes 2026”, modern threats rely on pre-positioning large volumes of domain infrastructure that remain dormant for extended periods. What often appears as a sudden outbreak, whether malware, phishing, or infostealer activity, is typically the final step of a much longer process. By leveraging 2025 DNS Threat Intelligence, organizations gain early visibility into these preparation phases through signals exposed directly in DNS traffic, long before attacks fully activate.
The 2025 DNS Threat Intelligence findings show that staged attacks are no longer isolated tactics but part of a broader industrialized operating model. Adversaries have moved away from single, visible attack launches toward large-scale preparation strategies. Rather than relying on on-demand execution, attackers assemble extensive domain infrastructure in advance, leave most of it inactive for long periods, and activate only a limited subset at carefully chosen moments to evade traditional, reactive defenses.
DNS analytics confirm how pervasive and structured this approach has become. Malicious activity is distributed across multiple threat categories rather than concentrated in a single technique. Phishing represents 30% of matched malicious DNS traffic, followed by suspicious domains (23%), which indicate activity not yet fully confirmed as malicious. Malware-related domains account for 11% of detections in DNS data, reflecting infrastructure used to host or distribute malicious software. Newly Registered Domains (11%) and Newly Observed Domains (8%) together form a significant portion of activity, particularly during the early stages of phishing campaigns, underscoring the continuous creation of fresh infrastructure.
Although DGA-related activity represents a smaller overall share, it remains consistently present throughout the year. This persistence reflects controlled infrastructure generation rather than high-volume execution. Large numbers of algorithmically generated domains are prepared in advance, while only a small subset is ever activated.
Across phishing, malware, and DGA-driven operations, DNS analysis throughout 2025 reveals a consistent operational pattern: infrastructure is built early, held dormant, and activated selectively. Centralized backend systems and short-lived communication windows allow campaigns to scale rapidly while limiting exposure.
Together, these patterns demonstrate that staging is not an isolated tactic but the dominant attack model observed throughout the year, reinforcing DNS as a critical layer for understanding how modern cyber threats are structured and coordinated.
Domain Generation Algorithms (DGA) have evolved into a core component of modern attack preparation. By algorithmically generating vast numbers of potential domains, attackers create large command-and-control reserves that can be selectively activated and rapidly rotated.
The majority of these domains are never used. Instead, they form dormant pools that provide resilience and operational flexibility.
In 2025, high volumes of algorithmically generated domain queries were observed every month in DNS data, with infected devices steadily increasing over time before stabilizing at higher levels, as shown on the graph below.
Most of these domains never become operational. Rather than indicating failed campaigns, this pattern reflects deliberate preparation, where infrastructure is generated in advance and held in reserve until needed.
When activation occurs, it appears as sharp, isolated spikes of command-and-control activity rather than sustained communication, as shown in the graph below.
Domains are opened briefly for coordination, then quickly rotated or abandoned. This tightly controlled activation minimizes detection exposure while preserving operational flexibility.
The BaitHook (EIP-443) campaign illustrates how this activation model operates at scale. During 2025, BaitHook generated approximately 580,000 potential command-and-control domains. However, only a small fraction were ever activated. The overwhelming majority remained dormant, reinforcing how DGA infrastructure is designed primarily for preparation and selective use rather than continuous operation.
As shown in the graph below, BaitHook-infected devices generating DGA queries increased steadily throughout 2025 before stabilizing at higher levels.
The BaitHook patterns highlight a broader shift: DGAs are no longer simply an evasion technique. They are a core preparation mechanism that allows attackers to build infrastructure at scale, hold it dormant, and activate only what is needed. This further reinforces the role of DNS security in detecting attack preparation early.
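The dormant-pool behaviour described above has a recognisable shape in resolver logs: an infected host walks through many long, high-entropy names, nearly all of which return NXDOMAIN because they were never registered, and only the activated subset resolves. The following is an added example (not EfficientIP's code and not taken from the report) that profiles clients this way over a constructed log sample; the log format, the entropy and length thresholds, and the NXDOMAIN ratio are all assumptions chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log lines (not real telemetry):
# "<timestamp> <client> <qname> <rcode>". Client 10.0.0.5 models an infected
# host cycling through a DGA pool; 10.0.0.7 models ordinary browsing.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 10.0.0.5 xk3q9vmz2p1a.com NXDOMAIN
2025-06-01T10:00:02Z 10.0.0.5 q8wzmt4lpx9c.net NXDOMAIN
2025-06-01T10:00:03Z 10.0.0.5 zl0v7hqk3ytb.org NXDOMAIN
2025-06-01T10:00:04Z 10.0.0.5 hvp2c8jxq6rn.com NXDOMAIN
2025-06-01T10:00:05Z 10.0.0.5 m9tkx4wq7zcb.info NOERROR
2025-06-01T10:00:06Z 10.0.0.7 www.example.com NOERROR
2025-06-01T10:00:07Z 10.0.0.7 mail.example.org NOERROR
2025-06-01T10:00:08Z 10.0.0.7 cdn.example.net NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's character distribution (0.0 for empty)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label left of the TLD. Naive: assumes a single-label public suffix, so
    names under multi-label suffixes (co.uk style) need a public-suffix list."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(qname: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Heuristic: long, high-entropy registrable label. The thresholds are
    assumed values for this example, not tuned production settings."""
    label = registrable_label(qname.lower())
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_log(log_text: str):
    """Yield (timestamp, client, qname, rcode) tuples from the sample format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            yield ts, client, qname.lower(), rcode


def profile_dga_clients(log_text: str, min_dga_queries: int = 3, min_nx_ratio: float = 0.5) -> dict:
    """Per client: count DGA-like lookups, how many hit NXDOMAIN (the dormant,
    never-registered part of the pool) and which ones resolved (the activated
    subset worth investigating first). A client is flagged when most of its
    DGA-like lookups fail, the signature of a host walking a reserve pool."""
    stats = defaultdict(lambda: {"dga_queries": 0, "nxdomain": 0, "resolved": []})
    for _ts, client, qname, rcode in parse_log(log_text):
        if not is_dga_like(qname):
            continue
        entry = stats[client]
        entry["dga_queries"] += 1
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        else:
            entry["resolved"].append(qname)
    return {
        client: entry
        for client, entry in stats.items()
        if entry["dga_queries"] >= min_dga_queries
        and entry["nxdomain"] / entry["dga_queries"] >= min_nx_ratio
    }


if __name__ == "__main__":
    for client, entry in profile_dga_clients(SAMPLE_LOG).items():
        print(client, entry)
```

The resolved list is the useful output for an analyst: of the five algorithmic names the sample host looked up, only one resolved, and that is the domain to pivot on, while the NXDOMAIN count is what identifies the host itself as infected.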
Malware-related DNS activity in 2025 persisted throughout the year, with a clear escalation toward the end of the year, as shown in the graph below.
Modern malware campaigns increasingly separate staging from execution. In 2025, several infostealer operations demonstrated long periods of dormant domain activity followed by tightly coordinated activation windows.
Campaigns such as EconoMimics and variants related to ViperSoftX illustrated this model clearly. As shown in the graph above, DNS telemetry reveals several distinct operational peaks during the year.
These peaks indicate periods when malware infrastructure becomes actively used, following quieter phases where activity remains comparatively low. This delay reflects deliberate staging rather than slow execution.
Some of these malware families leveraged DNS TXT record lookups to deliver small, encoded PowerShell fragments that executed entirely in memory.
Because the payloads were fileless, traditional endpoint defenses had limited visibility. DNS behavior became the primary signal of malicious activity.
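Because the only artefact of such a fileless delivery is the TXT traffic itself, the resolver log is where it can be detected. The following is an added example (not EfficientIP's code and not from the report) that flags a client pulling several base64-shaped TXT answers from rotating subdomains of one parent domain. The record layout, the length threshold, the chunk count and the sample data are constructed assumptions; the encoded answers are base64 of harmless filler text, not a real payload.

```python
import base64
import binascii
from collections import defaultdict

# Three constructed TXT answers: base64 of harmless filler text, standing in for
# the encoded fragments described above. Not a real payload.
CHUNKS = [
    base64.b64encode(
        b"constructed sample chunk %d: filler text only, nothing executable here, "
        b"padded to a realistic record length" % i
    ).decode()
    for i in (1, 2, 3)
]

# Constructed TXT-answer records (not real telemetry): (timestamp, client, qname, rdata).
# 10.0.0.9 models a host fetching chunks under rotating subdomains of one parent;
# 10.0.0.7 models ordinary mail-related TXT lookups.
SAMPLE_RECORDS = [
    ("2025-09-02T08:00:00Z", "10.0.0.9", "s1.stage-constructed.test", CHUNKS[0]),
    ("2025-09-02T08:00:01Z", "10.0.0.9", "s2.stage-constructed.test", CHUNKS[1]),
    ("2025-09-02T08:00:02Z", "10.0.0.9", "s3.stage-constructed.test", CHUNKS[2]),
    ("2025-09-02T08:00:03Z", "10.0.0.7", "example.com", "v=spf1 include:_spf.example.com -all"),
    ("2025-09-02T08:00:04Z", "10.0.0.7", "_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
]


def looks_encoded(rdata: str, min_len: int = 64) -> bool:
    """True for long TXT data that is strictly valid base64. SPF, DMARC and
    verification strings fail because of spaces, '=' and ';' in the middle.
    Legitimate records that are pure base64 can still pass, which is why the
    caller also requires several such answers under one parent before alerting."""
    value = rdata.strip().strip('"')
    if len(value) < min_len:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def parent_domain(qname: str) -> str:
    """Last two labels of the name. Naive: assumes a single-label public suffix."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def txt_payload_alerts(records, min_chunks: int = 3) -> dict:
    """Return {(client, parent_domain): [qnames]} for clients that fetched at least
    min_chunks encoded TXT answers from subdomains of one parent, the chunked
    delivery pattern described above."""
    chunks = defaultdict(list)
    for _ts, client, qname, rdata in records:
        if looks_encoded(rdata):
            chunks[(client, parent_domain(qname))].append(qname.lower())
    return {key: names for key, names in chunks.items() if len(names) >= min_chunks}


if __name__ == "__main__":
    for (client, parent), names in txt_payload_alerts(SAMPLE_RECORDS).items():
        print(f"{client} fetched {len(names)} encoded TXT answers under {parent}: {names}")
```

Keying the alert on the (client, parent domain) pair rather than on single answers keeps the check quiet for hosts that legitimately read one base64-valued record, while a host collecting a sequence of chunks under one parent stands out regardless of which subdomain names are rotated in.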
Malware-related DNS activity also showed strong structural concentration. A minority of infected devices generated a disproportionately large share of DNS queries, and rotating domains repeatedly resolved to the same backend infrastructure. These characteristics were consistently observed across multiple infostealer families, reinforcing the role of DNS as the most reliable indicator of staged malware activity.
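Both structural signals in the paragraph above, a few clients producing most of the queries and rotating names collapsing onto one backend address, can be measured directly from query records. The following is an added example (not EfficientIP's code and not from the report) that computes the query share of the busiest clients and pivots rotating domains onto the resolved address they share. The record layout, the "top 20%" cut-off, the minimum of three names per address and the sample data are constructed assumptions.

```python
import math
from collections import Counter, defaultdict


def build_sample_records():
    """Constructed query records (not real telemetry): (client, qname, resolved_ip).
    One host (10.0.0.21) repeatedly queries five rotating names that all resolve
    to one backend address; nine other hosts make a handful of ordinary lookups."""
    records = []
    for i in range(1, 6):
        for _ in range(10):
            records.append(("10.0.0.21", f"rot{i}.constructed-sample.test", "203.0.113.10"))
    for host in range(22, 31):
        for _ in range(5):
            records.append((f"10.0.0.{host}", "www.example.com", "198.51.100.7"))
    return records


SAMPLE_RECORDS = build_sample_records()


def top_talkers(records, top_fraction: float = 0.2):
    """The busiest top_fraction of clients as (client, query_count), descending."""
    per_client = Counter(client for client, _, _ in records)
    n_top = max(1, math.ceil(len(per_client) * top_fraction))
    return per_client.most_common(n_top)


def query_share(records, top_fraction: float = 0.2) -> float:
    """Share of all queries generated by the busiest top_fraction of clients.
    A value far above top_fraction is the concentration described above."""
    top_total = sum(count for _, count in top_talkers(records, top_fraction))
    return top_total / len(records)


def backend_pivot(records, min_domains: int = 3):
    """Group distinct query names by the address they resolved to and return the
    addresses serving at least min_domains names: rotating domains that share
    one backend. Sorted for deterministic output."""
    by_ip = defaultdict(set)
    for _client, qname, ip in records:
        by_ip[ip].add(qname.lower())
    return sorted(
        (ip, sorted(names)) for ip, names in by_ip.items() if len(names) >= min_domains
    )


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE_RECORDS))
    print(f"share of queries from top 20% of clients: {query_share(SAMPLE_RECORDS):.2f}")
    for ip, names in backend_pivot(SAMPLE_RECORDS):
        print(f"{ip} serves {len(names)} names: {names}")
```

In the constructed sample the top two of ten clients account for roughly 58% of queries, and the pivot collapses five rotating names onto one address, which is the investigation unit worth blocking or watching rather than any single domain.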
While phishing is often the most visible element of a cyberattack, it represents the activation phase of staged infrastructure rather than the full story. In 2025, phishing accounted for approximately 30% of all malicious domains, a proportion that remained stable throughout the year, establishing phishing as a structural and persistent component of the threat landscape.
Phishing activity typically combines a continuous operational presence with opportunity-driven campaigns, as attackers time their strikes to align with revenue cycles and consumer behavior.
As illustrated in the graph below, several notable peaks align with identifiable campaigns, including Bet365-themed phishing during major sports events early in the year, Netflix impersonation campaigns in the spring, Telegram impersonation spikes in late summer, and increased eBay and Amazon impersonation during the year-end shopping season.
DNS analytics show that phishing domains often become operational shortly after first appearing in DNS traffic, indicating rapid activation of infrastructure that was prepared in advance. What appears as a sudden phishing spike is often only the visible surface of earlier staging activity.
Newly observed domains play a central role in attack staging. DNS analytics consistently show increases in new domain activity preceding both malware and phishing campaigns. These domains often appear quietly, generate limited traffic, and remain dormant before being activated briefly.
The graph below visually reinforces these trends using normalized, log-scale values, enabling a direct comparison between phishing activity and newly observed domain (NOD) volumes across months.
While phishing appears as distinct, time-bound spikes, NOD activity is more sustained and consistently precedes those peaks. This gap highlights the preparation phase of staged attacks, where infrastructure is created and positioned well before campaigns become visible.
This pattern was visible in sector-focused campaigns such as those targeting bet365, where spikes in newly observed domains preceded coordinated phishing activity, as seen in the graph below. Rather than appearing spontaneously, these campaigns were supported by infrastructure that had been prepared in advance and activated at precisely timed moments.
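The lead time between a domain's first appearance in DNS traffic and its first phishing verdict is the measurable form of the staging gap discussed above. The following is an added example (not EfficientIP's code and not from the report) that keeps a first-seen ledger, tags lookups as "newly observed", computes that lead time per domain, and builds the per-day NOD-versus-phishing series the graphs compare. The record layout, the seven-day window used to define "newly observed" and the sample data are constructed assumptions; the domain names are placeholders, not real phishing infrastructure.

```python
from collections import defaultdict
from datetime import date

# Constructed sample (not real telemetry): (ISO date, queried domain, verdict the
# threat feed gave that day: "phishing" or "unknown"). The two *.test names model
# staged domains that appear quietly days before they are flagged.
SAMPLE_RECORDS = [
    ("2024-11-15", "www.example.com", "unknown"),
    ("2025-02-01", "login-brand-constructed.test", "unknown"),
    ("2025-02-03", "secure-account-constructed.test", "unknown"),
    ("2025-02-04", "login-brand-constructed.test", "unknown"),
    ("2025-02-05", "secure-account-constructed.test", "phishing"),
    ("2025-02-09", "login-brand-constructed.test", "phishing"),
    ("2025-02-10", "www.example.com", "unknown"),
    ("2025-02-10", "login-brand-constructed.test", "phishing"),
]


def first_seen(records) -> dict:
    """Ledger of the earliest date each domain was observed in traffic."""
    ledger = {}
    for day_str, domain, _verdict in records:
        day = date.fromisoformat(day_str)
        if domain not in ledger or day < ledger[domain]:
            ledger[domain] = day
    return ledger


def is_newly_observed(domain: str, as_of: date, ledger: dict, window_days: int = 7) -> bool:
    """True when the domain was first seen within window_days before as_of.
    The window is an assumed definition of "newly observed" for this example."""
    first = ledger.get(domain)
    return first is not None and 0 <= (as_of - first).days <= window_days


def staging_lead_times(records) -> dict:
    """Days between a domain's first observation and its first phishing verdict,
    for every domain that was eventually flagged. Large values mean the
    infrastructure sat dormant before activation."""
    ledger = first_seen(records)
    first_phish = {}
    for day_str, domain, verdict in records:
        if verdict == "phishing":
            day = date.fromisoformat(day_str)
            if domain not in first_phish or day < first_phish[domain]:
                first_phish[domain] = day
    return {domain: (first_phish[domain] - ledger[domain]).days for domain in first_phish}


def daily_series(records):
    """Per day: (date, newly observed domains first seen that day, phishing hits),
    the two series the graphs above compare. Every day present in the input is
    listed so gaps between staging and activation are visible as zeros."""
    ledger = first_seen(records)
    nod, phish, counted = defaultdict(int), defaultdict(int), set()
    for day_str, domain, verdict in records:
        day = date.fromisoformat(day_str)
        if ledger[domain] == day and (day, domain) not in counted:
            counted.add((day, domain))
            nod[day] += 1
        if verdict == "phishing":
            phish[day] += 1
    days = sorted({date.fromisoformat(d) for d, _, _ in records})
    return [(day.isoformat(), nod[day], phish[day]) for day in days]


if __name__ == "__main__":
    print("lead times (days):", staging_lead_times(SAMPLE_RECORDS))
    for day, nod_count, phish_count in daily_series(SAMPLE_RECORDS):
        print(day, "NOD:", nod_count, "phishing:", phish_count)
```

The series shows the ordering the report describes: the newly observed entries land on 1 and 3 February, the phishing verdicts follow from 5 February onward, and the lead times of eight and two days are the window in which blocking a newly observed domain would have pre-empted the campaign.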
Tracking newly observed domains allows defenders to identify emerging infrastructure before it is weaponized.
In an environment where attackers rely on fresh, short-lived assets to evade reputation-based controls, this early visibility provides a meaningful advantage.
DNS Threat Intelligence connects these early signals to downstream activity, revealing how preparation phases translate into active campaigns.
Across DGA, malware, and phishing activity, DNS consistently exposes signals that other security layers miss. Infrastructure preparation, activation timing, reuse, and teardown all leave traces in DNS traffic.
When analyzed at scale, these signals reveal the full lifecycle of modern attacks, from planning and staging to execution and abandonment.
Unlike endpoint or network controls that focus on exploitation, DNS Threat Intelligence surfaces attacker behavior at its earliest stages. This is what makes DNS security uniquely valuable in the era of staged attacks. It provides visibility into intent and preparation, not just impact.
The scale and speed of modern attacks make manual analysis impossible. 2025 DNS Threat Intelligence became essential for identifying large-scale staged attacks and uncovering preparation activity hidden in DNS traffic.
EfficientIP’s DNS Threat Intelligence platform plays a critical role, enabling security teams to see how malicious infrastructure is generated, staged, activated, and reused over time.
The platform is built on a hybrid architecture that combines real-time DNS inspection at the network edge with large-scale cloud intelligence, correlating DNS anomalies with client and domain behavioral patterns and with infrastructure analysis of the broader technical ecosystem surrounding a domain.
Processing more than 150 billion DNS transactions and analyzing over 500,000 newly observed domains daily, it provides both immediate detection and long-term context to identify coordinated, staged campaigns at scale.
A unified detection pipeline integrates multiple AI models. Patented Tuple Clustering identifies DGA malware, Natural Language Processing (NLP) detects phishing and brand impersonation, computer vision flags deceptive sites, and behavioral analytics uncover tunneling and dormant infrastructure.
To improve detection accuracy and investigative depth, DNS signals are enriched with contextual data such as domain age, hosting providers, ASN ownership, SSL certificate metadata, device identity, and Newly Observed Domain intelligence. The platform analyzes approximately 500,000 new domains daily, many unseen in other threat intelligence feeds, enabling earlier identification of emerging phishing, DGA, and malware infrastructure.
To operationalize this intelligence, the platform aggregates its findings into a continuously updated DNS threat intelligence feed called DNS Threat Pulse (DTP), which delivers structured domain intelligence ready for enforcement by granular DNS filtering policies.
Together, these capabilities move DNS Threat Intelligence from passive visibility to active defense.
Instead of responding once campaigns are underway, organizations gain the ability to anticipate attacks during the preparation phase, when disrupting infrastructure has the greatest impact.
2025 DNS Threat Intelligence points to a clear shift in how attacks will unfold in 2026. As adversaries increasingly stage infrastructure well in advance and activate it selectively, preparation has become the defining phase of modern attacks.
DNS Threat Intelligence offers the earliest visibility into this preparation, enabling organizations to anticipate how threats will evolve and reduce exposure before campaigns activate. Reading the full report provides deeper insight into these trends and helps organizations stay prepared for 2026.