The Blueprint of Bad Actors: Mapping Infrastructure To Beat the Attack Cycle

Published on: 
Jun 22, 2026

What You’ll Learn

Adversaries leave a blueprint in DNS long before they launch their campaigns. In this post, we’ll use Formula 1 as a case study to show how to map composite objects and identify threats up to 6 months before they hit blocklists.

Using Composite Objects to Beat the Attack Cycle

Zooming out to see the big picture of the attack cycle and focusing on the composite objects that stand out can be a great way to beat it. Still, the cyber attack cycle is so vast and complex that it can be overwhelming to decide where to start. Add the feeling, if you’re in the SOC or conducting incident response, that you have to be right and vigilant across your entire attack surface, and keeping up with threats can feel downright disheartening.

Attending hacker conferences is an incredible way to connect with others in the same boat, workshop different approaches, and remind yourself that you’re not alone. The topics discussed may cause dread over threats you weren’t even thinking about, but in most cases you’ll leave these conferences inspired and with a better sense of community. 

Last October, our team at DomainTools attended and presented two talks at BSides NoVA. My colleague, Ian Campbell, presented on DNS and domain intelligence in investigative journalism, and I presented on Formula 1 racing becoming a hotbed for cyber activity. In both cases our talks drew on DNS as the foundation for investigating online infrastructure, which serves as an example of focusing on composite objects to beat the attack cycle.

DNS: The Critical First Step in Every Attack

My talk began with an overview of the history of incidents relating to Formula 1. While the outlined examples cover the popular motorsport, the incidents discussed (data leaks, ransomware, phishing, email compromise) are applicable across any industry with an online footprint that’s in the crosshairs of a financially motivated actor. 

  • 2021 Williams App Hack: The Williams F1 car launch is disrupted after attackers access the back end of an app meant to show off its new vehicle 
  • 2023 Ferrari Breach: Ferrari discloses a ransomware attack that exposed customer information 
  • 2024 FIA Breach: FIA, the governing body of F1, discloses a data breach resulting from a phishing attack that compromised several FIA email accounts 
  • 2025 MathWorks ransomware attack: Matlab/Simulink developer and parent company MathWorks disclosed a ransomware attack in May 2025 that disrupted "some" systems, including online applications and internal resources. Early detection could have mitigated the impact of this event.

Proactive intelligence is essential to protecting against these threats, and if you want to find them, or those behind them, before it’s too late, DNS is essential. From the perspective of events and logs, DNS will consist of IPs and domains, but once you get into a forensic motion of looking into a domain and start profiling threat actors, there are other record types that can be of interest as well. DNS is often the first signal of traffic to attacker-controlled infrastructure and lets investigators analyze that infrastructure as composite objects that can be mapped for better understanding.

Early Warning Signals: Analyzing the F1 Movie and Race-Themed Lures

At the time of the BSides NoVA presentation, there had been over one thousand suspicious looking domains or subdomains observed over a 4-month period. What was most common amongst them were ties to the F1 movie, upcoming races, and, of course, the cars themselves. 

Pictured above are active domains associated with the F1 movie, which came out last year; none of them had been added to a blocklist at the time of the presentation. It isn’t until 6 months of history that we see a domain show up on a blocklist.

New domains are often leveraged by bad actors for spam, malware distribution, or botnet activity within the first minutes of creation. Newly Observed Domains (NOD) provides real-time, actionable insights based on the newness of a domain. Leveraging more than 2 TB of daily real-time passive DNS data, NOD discovers newly configured domains when they are first used. This is a great contrast to the typical 17 hours after registration using other discovery methods such as TLD Zone File Access or WHOIS.

Beating the Attack Cycle: Quantifying Proximity to Known Maliciousness

The DomainTools Risk Score predicts how likely a domain is to be malicious. The score comes from two distinct algorithms: Proximity to Known Maliciousness examines how closely connected a domain is to other known-bad domains, while Threat Profile leverages machine learning to model how closely the domain resembles others used for spam, phishing or malware. The stronger signal from the two algorithms becomes the overall Risk Score and can often alert you to malicious domains before they have the chance to be weaponized. Access to this score is critical to seeing attacks earlier.

The visualization panel from DomainTools Iris Investigate ties together the 500 domains (blue dots in the image below), 459 registrants (orange dots), and 50 IP addresses (pink dots) officially associated with Formula 1. All of Formula 1’s internet infrastructure is tied to the registrant organization (green dot in the middle) “Formula One Asset Management Limited”.

See the Whole Picture with our Visualization Panel

With so many spoof domains in existence, there are still several suspicious domains that use “formula1” and almost look official. Some interesting strings we discovered through our passive DNS insights included formula1admin.paypal.co[.]at, formula1[.]biz, and formulaoneportugal[.]com.

Analyzing the legitimate domains can be a great way to build out common characteristics of actual licensed F1 domains. A good rule of thumb is to stay away from domains that spell out “one,” as the official racing organization seems to always use the number 1 in the links they build, though even those could be used for malicious purposes if not tied to “Formula One Asset Management Limited” or if an actor is able to grab the domain while it’s inactive. 

The domain pictured above has no affiliation with “Formula One Asset Management Limited” but has all the characteristics and a convincing landing page of an affiliated domain. There was a clear attempt to sell fake tickets to a race in São Paulo that was upcoming at the time. By the time a blocklist picks this up, actors are usually able to hit their victims, cover their tracks, and move on to the next campaign.

While we identified some legitimate domains that seemed to once belong to F1, some of them have been sitting expired for over 7 years. The domain pictured below was a former legitimate domain that was grabbed by a user unaffiliated with F1 who turned the link into a lure for Facebook login information.

Real-time information about domains that are reactivated on the Internet after a period of inactivity can prepare security teams to apply rules to firewalls and mail servers that block inbound and outbound connections until more information is available. Newly Active Domains (NAD) is a real-time data feed of domains that have become active again after a period of inactivity; it leverages our Passive DNS sensor array and cross-references that data with our industry-leading historical DNS database.

Beyond the Single Domain: Uncovering Hidden Connections with Passive DNS

Utilizing the Predictive Risk Score and Iris Investigate Platform from DomainTools can be a great way to find and discern the intent behind unknown domains. DNSDB can show how these threats evolve over time by building on these discoveries and revealing initial connections between domains, IPs, subdomains, and other Internet infrastructure.

Using regular expression (regex) and passive DNS searching in DNSDB Scout, I created a query for terms of interest to get a deeper understanding of data related to the findings from Iris Investigate. This search focused on Formula 1 but looked for subdomains specific to Brazil, São Paulo, Mercedes, McLaren, Ferrari, and the F1 movie.

Even when focusing only on A records, I’m left with over 5,000 results. Filtering the results reveals several Formula 1 subdomains associated with PayPal. Passive DNS informs on connections between domains, subdomains, and other infrastructure but won't judge whether the domain has malicious intent. paypal[.]co[.]at is a legitimate domain for accessing PayPal in Austria, but the addition of formula1 dot mail and the terms that follow is where the malicious activity becomes evident. Domains related to streaming the movie and the event itself are revealed, all tied to a hypothesized goal of extracting money from victims.

When pivoting off the RRdata for one subdomain of interest spoofing Mercedes Benz (not only a huge player in Formula 1 but a company vocal about their cybersecurity investments and partnership with CrowdStrike) and attempting to capitalize on their brand, we can see that in just one month of initially being seen, this subdomain has changed its IP address four times. Using Iris Investigate, you might see the first IP and think nothing of it because there’s nothing there anymore. But where are they now and what else is there?

Using DNSDB to pivot off the entire range reveals 5,000 domains and brings us a lot closer to finding the blueprint of bad actors, which helps defenders see the whole picture. Last-mile efforts following this discovery include focusing on the young domains that may pose immediate threats and might not be picked up by traditional blocklists and threat intel feeds.

At the time of the presentation, setting a passive DNS query for the last 6 hours, as shown above, reduced the 5,000 domains and subdomains to 500. The next step is creating automated detection by turning relevant terms from the discovery below into query-ready strings and regex. These strings can also be leveraged in a SOAR using the DNSDB API and paired with Real-Time Threat Feeds focused on Newly Observed Domains (NOD) for continuous monitoring and automated response, including:

  • Malware Obstruction: Blocking outbound connections to newly minted and used domains
  • Phishing Protection: Leveraging NOD Response Policy Zones on DNS servers to block traffic to domains 48 hours or younger for periods of time
  • Spam Filtering: Filtering email from domains less than an hour old
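The term-of-interest regex search and the "last 6 hours" first-seen filter described above, as an added example that is not DomainTools code or DNSDB output: the records, the apex allow-list, and the `.example` hostnames are constructed for illustration, and the lookback window is the 6-hour value from the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Terms of interest from the investigation, joined into one case-insensitive regex
# (the list is from the post; the regex construction is this example's own).
TERMS = ["formula1", "formulaone", "brazil", "saopaulo",
         "mercedes", "mclaren", "ferrari", "f1movie"]
TERM_RE = re.compile("(" + "|".join(re.escape(t) for t in TERMS) + ")", re.IGNORECASE)

# Constructed sample of passive DNS A-record observations (shape only loosely
# resembles a passive DNS result; IPs are documentation ranges).
NOW = datetime(2025, 10, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"rrname": "tickets.formula1.com.", "rdata": "203.0.113.10", "time_first": NOW - timedelta(days=400)},
    {"rrname": "formula1admin.paypal.co.at.", "rdata": "198.51.100.7", "time_first": NOW - timedelta(hours=2)},
    {"rrname": "saopaulo-grandprix-tickets.biz.", "rdata": "198.51.100.8", "time_first": NOW - timedelta(hours=5)},
    {"rrname": "mercedes-f1-login.example.", "rdata": "198.51.100.9", "time_first": NOW - timedelta(days=20)},
    {"rrname": "weather.example.", "rdata": "198.51.100.20", "time_first": NOW - timedelta(hours=1)},
]

def matches_terms(rrname):
    """True if the hostname contains any term of interest."""
    return TERM_RE.search(rrname.rstrip(".")) is not None

def is_official(rrname, official_apexes):
    """True if the hostname is an official apex or a subdomain of one (label-aware, no substring tricks)."""
    host = rrname.rstrip(".").lower()
    return any(host == a or host.endswith("." + a) for a in official_apexes)

def first_seen_within(record, hours, now=NOW):
    """True if the record was first observed inside the lookback window."""
    return record["time_first"] >= now - timedelta(hours=hours)

def triage(records, official_apexes, hours=6, now=NOW):
    """Young, term-matching hostnames that do not sit under an official apex: candidates for review."""
    hits = []
    for r in records:
        if not matches_terms(r["rrname"]) or is_official(r["rrname"], official_apexes):
            continue
        if first_seen_within(r, hours, now):
            hits.append(r["rrname"].rstrip("."))
    return hits

if __name__ == "__main__":
    for h in triage(SAMPLE_RECORDS, ["formula1.com"]):
        print("review:", h)
```

Widening `hours` reproduces the larger result set the post describes before the 6-hour cut; the apex allow-list stands in for the registrant check against “Formula One Asset Management Limited”.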

Outmaneuver the Adversary: Using the DNS Blueprint to Win the Race

While these examples are from the world of motorsport, the blueprint - using spoofed domains for phishing and credential harvesting - is identical to the one used to target your industry every day. The DNS blueprint is most useful because it alerts to trouble before any damage occurs. A single day makes all the difference; consider the impact of finding a threat 60 days earlier, as shown with the MathWorks ransomware example. Following the DNS blueprint can turn the adversary's early actions into early-warning signals for the SOC.

Stop Chasing IOCs. Start Mapping the Blueprint.

DNS is the first signal of an attack, revealing the adversary's blueprint before it is weaponized. Don’t wait for traditional blocklists: download our Pivoting Methodology Guide to learn how to analyze network infrastructure as composite objects and outmaneuver the adversary with predictive science.

Identify Attack Infrastructure. Before the Attack