Home / News

Researchers Uncover Massive Underground Link-Shortening Service Used by Malicious Actors

The interaction between a shortened URL, DNS, and the URL shortening service, leading to the redirection of users to harmful content. Source: Infoblox

New research indicates that the .US top-level domain contains numerous domains linked to a malicious link-shortening service dubbed ‘Prolific Puma’ promoting malware and phishing. Infoblox has been monitoring this three-year-old service, which uses short domains hosted on uncooperative providers to disguise harmful landing pages.

Within a month, the actor has registered thousands of domains, predominantly on the U.S. top-level domain (usTLD), aiding in the dispersal of phishing, scams, and malware.

Six months ago, Infoblox detected Prolific Puma’s activities after observing a domain generation algorithm used for the malicious URL shortening service. However, they could trace the short links but not always the final landing page.

Inconsistencies in the short links suggest that several cybercriminals might be using Prolific Puma’s service, with text messages being a primary delivery method.

Prolific Puma has registered about 75,000 unique domain names since April 2022, with a significant spike in short domain names earlier in the year. The majority of recent domain registrations have been on the usTLD.

Despite policy restrictions, nearly 2,000 domains linked to Prolific Puma activity have been privately registered on the usTLD.

Typically, these domains are alphanumeric, varying in length, with the most common being three to four characters. To avoid detection, Prolific Puma “ages” its domains before activating them.

Over the past three years, the primary hosting service used was NameSilo, a domain registrar favored by cybercriminals. Domains, once activated, are transferred to bulletproof hosting providers.

While Prolific Puma seems to only provide the short link service, there’s no confirmation on whether they control the landing pages.

Despite not advertising on underground markets, Prolific Puma’s massive and dynamic operations, spread across various registrars, allow it to remain largely undetected.

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign