New research indicates that the .US top-level domain contains numerous domains linked to a malicious link-shortening service dubbed ‘Prolific Puma’ promoting malware and phishing. Infoblox has been monitoring this three-year-old service, which uses short domains hosted on uncooperative providers to disguise harmful landing pages.
In the past month alone, the actor has registered thousands of domains, predominantly in the U.S. top-level domain (usTLD), that feed the distribution of phishing, scams, and malware.
Infoblox first detected Prolific Puma six months ago after observing a domain generation algorithm behind the malicious URL-shortening service. Infoblox could see the short links themselves, but could not always follow them through to the final landing page.
Variation in how the short links are constructed and distributed suggests that several different cybercriminals are customers of Prolific Puma's service, with text messages (SMS) as a primary delivery channel.
Prolific Puma has registered about 75,000 unique domain names since April 2022, with a significant spike in short domain names earlier this year. The majority of recent registrations have been in the usTLD.
Although usTLD policy does not permit private (proxy) registration, nearly 2,000 domains linked to Prolific Puma activity have been registered privately there.
Typically the second-level labels are alphanumeric and vary in length, with three- and four-character names the most common. To avoid detection, Prolific Puma "ages" its domains: it registers them, leaves them dormant for a period, and only then puts them into use, which defeats filters that key on newly registered domains.
Over the past three years the primary registrar used was NameSilo, a registrar favored by cybercriminals. Once activated, the domains are moved to bulletproof hosting providers.
Prolific Puma appears to provide only the link-shortening service; whether it also controls the landing pages is unconfirmed.
Despite not advertising on underground markets, Prolific Puma's large and constantly changing footprint, spread across multiple registrars, has let it remain largely undetected.
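The registration pattern described above (short alphanumeric labels, mostly on .us, aged before activation, predominantly through NameSilo) lends itself to a simple hunting heuristic over registration and passive-DNS data. The following is an added example written for this page, not Infoblox's detection logic or any tool of theirs: the scoring weights, the 30-day aging threshold, the record format and the sample feed are all assumptions, and the domain names in the feed are constructed for illustration, not real Prolific Puma infrastructure. Domains that are registered but not yet active are kept on a separate watchlist, since the aging signal cannot fire until they activate.

```python
"""Hypothetical triage heuristic for short-link domains in the usTLD (added example)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed thresholds for this illustration only, not Infoblox's values.
MIN_AGING_DAYS = 30                            # dormant gap that counts as "aged"
SHORT_LABEL = re.compile(r"^[a-z0-9]{2,6}$")  # bare alphanumeric second-level label
SCORE_THRESHOLD = 5

# Constructed sample feed: domain,registered,first_active,registrar ('-' = never seen active).
SAMPLE_FEED = [
    "ab3k.us,2023-02-10,2023-08-01,NameSilo",
    "q7z.us,2023-03-15,2023-09-20,NameSilo",
    "example-shop.us,2022-01-05,2022-01-06,OtherRegistrar",
    "x9.us,2023-06-01,2023-06-02,NameSilo",
    "n4pw.com,2023-01-01,2023-07-01,NameSilo",
    "r2m.us,2023-10-01,-,NameSilo",
]


@dataclass
class DomainRecord:
    name: str
    registered: date
    first_active: Optional[date]  # None = registered but never seen serving content
    registrar: str


def parse_record(line: str) -> DomainRecord:
    """Parse one 'domain,registered,first_active,registrar' line (assumed format)."""
    name, reg, act, registrar = (f.strip() for f in line.split(","))
    return DomainRecord(
        name=name.lower(),
        registered=date.fromisoformat(reg),
        first_active=None if act == "-" else date.fromisoformat(act),
        registrar=registrar,
    )


def score_domain(rec: DomainRecord) -> Tuple[int, List[str]]:
    """Score a record against the Prolific Puma-style pattern; return (score, reasons)."""
    score, reasons = 0, []
    label, _, tld = rec.name.rpartition(".")
    if tld == "us":                                 # predominantly usTLD
        score += 2
        reasons.append("usTLD")
    if SHORT_LABEL.match(label):                    # short alphanumeric label
        score += 1
        reasons.append("short alphanumeric label")
        if len(label) in (3, 4):                    # most common lengths
            score += 1
            reasons.append("3-4 character label")
    if rec.first_active is not None:                # aged before activation
        gap = (rec.first_active - rec.registered).days
        if gap >= MIN_AGING_DAYS:
            score += 1
            reasons.append(f"aged {gap} days before activation")
    if rec.registrar.lower() == "namesilo":         # registrar favored by the actor
        score += 1
        reasons.append("registered via NameSilo")
    return score, reasons


def triage(lines: List[str], threshold: int = SCORE_THRESHOLD) -> Tuple[List[str], List[str]]:
    """Return (flagged_active_domains, dormant_watchlist) for a feed of record lines."""
    flagged, dormant = [], []
    for line in lines:
        rec = parse_record(line)
        score, _ = score_domain(rec)
        if rec.first_active is None:
            # The aging point cannot be earned yet, so lower the bar by one and watch it.
            if score >= threshold - 1:
                dormant.append(rec.name)
        elif score >= threshold:
            flagged.append(rec.name)
    return flagged, dormant


if __name__ == "__main__":
    active, watch = triage(SAMPLE_FEED)
    print("flagged:", active)       # constructed feed: ['ab3k.us', 'q7z.us']
    print("watchlist:", watch)      # constructed feed: ['r2m.us']
    for line in SAMPLE_FEED:
        rec = parse_record(line)
        print(rec.name, *score_domain(rec))
```

The weights favor the usTLD signal because the article describes it as the actor's current concentration; the short-label and NameSilo signals alone are far too broad to act on, which is why x9.us and n4pw.com in the constructed feed fall below the threshold. In practice the watchlist is the useful output: a short .us registration that has sat idle for weeks is exactly what the aging tactic looks like from the outside, and it can be blocked before it ever serves a landing page.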