Underground URL Shortening Service Used by Cybercriminals Discovered


The group tracked as Prolific Puma has been providing a URL shortening service to other cybercriminals for at least the past four years. In the last year and a half alone, the operators have registered as many as 75,000 unique domain names, most of them through the NameSilo registrar's API.

Analysts from Infoblox, a company specializing in DNS threats, report that Prolific Puma generates domain names with an RDGA (Registered Domain Generation Algorithm) and uses these domains to offer link-shortening services to other malicious actors. Unlike a classic malware DGA, where only a handful of the algorithmically generated names are ever registered, every RDGA name is actually registered by the actor, which gives the operation a steady supply of throwaway domains. Because the shortened links point at short-lived domains with no prior bad reputation, they are harder to block, which helps the customers evade detection when distributing phishing, scam, and malware campaigns.

Hackers often use link shorteners for phishing attacks, making Prolific Puma a key player in the cybercriminal supply chain. Researchers estimate that from April 2022 to the present, attackers have registered between 35,000 and 75,000 unique domain names—up to 800 domains per day.

Abuse of NameSilo Registrar

Infoblox notes that a distinctive feature of this group's activity is its abuse of the US-based domain registrar and hosting provider NameSilo. NameSilo suits Prolific Puma's purposes because its API makes bulk registration easy; the registrar is frequently abused by other cybercriminals for the same reason.

Although the group's domains are spread across 13 different top-level domains, since May 2023 it has registered thousands of domains under the US country-code TLD (.us), repeatedly using a registrant email address that references the song "OCT 33" by Black Pumas: blackpumaoct33@ukr[.]net.

Domain Aging and Hosting Tactics

The group deliberately "ages" newly registered domains by parking them for several weeks before use. During this period the domains receive only a few DNS queries, enough to give them a history so that they no longer look freshly registered to reputation systems when they go live. Once a domain is ready, the group points it at a "bulletproof" hosting provider, paying in Bitcoin for a VPS with a dedicated IP address.

"Typically, Prolific Puma domains look like alphanumeric, pseudo-random addresses of variable length (usually 3 or 4 characters), but we have also observed SLD labels up to 7 characters long," the researchers write.
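The observables described above (short pseudo-random second-level labels, heavy use of .us, the NameSilo registrar, the recurring registrant address, and domains that are still inside their aging window) can be turned into a simple hunting script. The following is an added example written for this article, not code from Infoblox or from the article's author. It assumes a constructed DNS query log in the form "timestamp client qname qtype" and a WHOIS record represented as a dict with keys registrar, registrant_email and created (those key names, the 60-day aging cutoff and the "contains a letter and a digit" approximation of pseudo-randomness are this example's own assumptions).

```python
"""Hunting heuristics for Prolific Puma style shortener domains (added example).

Encodes observables from the Infoblox report as checks that can be run over
DNS query logs and registration (WHOIS/RDAP) data:
  1. SLD label shape: alphanumeric, pseudo-random, 3-7 characters
  2. registrar NameSilo and the registrant e-mail blackpumaoct33@ukr[.]net
  3. domain registered recently, i.e. still inside the "aging" window
"""
import re
from datetime import date

# Assumption: "pseudo-random" is approximated as "contains both a letter and a
# digit". The length bounds (3-7 characters) come from the report.
SLD_SHAPE = re.compile(r"^(?=.*[0-9])(?=.*[a-z])[a-z0-9]{3,7}$")

# Only .us is named in the report as heavily used; extend as needed.
WATCHED_TLDS = frozenset({"us"})

# Registrant e-mail reported for the .us registrations.
KNOWN_REGISTRANT_EMAILS = frozenset({"blackpumaoct33@ukr.net"})

# Assumption: "several weeks" of aging is modelled as a 60-day window.
AGING_WINDOW_DAYS = 60


def split_registrable(fqdn):
    """Return (sld, tld) from a query name, or None if it cannot be split.

    Naive split on the last two labels; it does not apply public-suffix rules,
    so names under multi-label suffixes such as .co.uk are mis-split.
    """
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def looks_like_puma_sld(fqdn, watched_tlds=WATCHED_TLDS):
    """True when the registrable name has the reported shape in a watched TLD."""
    parts = split_registrable(fqdn)
    if parts is None:
        return False
    sld, tld = parts
    return tld in watched_tlds and SLD_SHAPE.match(sld) is not None


def hunt_dns_log(lines, watched_tlds=WATCHED_TLDS):
    """Scan log lines of the form '<timestamp> <client-ip> <qname> <qtype>'
    (an assumed, constructed format) and return (qname, client) pairs whose
    qname matches the shape. Malformed lines are skipped.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client, qname, _qtype = fields
        if looks_like_puma_sld(qname, watched_tlds):
            hits.append((qname.lower().rstrip("."), client))
    return hits


def score_registration(fqdn, whois, today):
    """Combine the name-shape check with registration data.

    `whois` is a dict with optional keys 'registrar', 'registrant_email' and
    'created' (a datetime.date); the key names are this example's own.
    Returns the list of triggered indicators, empty when nothing matched.
    """
    reasons = []
    if looks_like_puma_sld(fqdn):
        reasons.append("sld_shape")
    if whois.get("registrar", "").lower().startswith("namesilo"):
        reasons.append("registrar_namesilo")
    if whois.get("registrant_email", "").lower() in KNOWN_REGISTRANT_EMAILS:
        reasons.append("registrant_email_known")
    created = whois.get("created")
    if created is not None and 0 <= (today - created).days <= AGING_WINDOW_DAYS:
        reasons.append("registered_within_aging_window")
    return reasons


# Constructed sample data; not taken from any real log or WHOIS response.
SAMPLE_LOG = [
    "2023-11-03T10:12:01Z 10.0.0.5 a1b2.us A",
    "2023-11-03T10:12:05Z 10.0.0.5 www.example.com A",
    "2023-11-03T10:12:09Z 10.0.0.7 x9k2p7q.us AAAA",
    "2023-11-03T10:12:11Z 10.0.0.7 mail.us A",
    "2023-11-03T10:12:15Z 10.0.0.9 abcdefgh1.us A",
    "this line is malformed",
]
SAMPLE_WHOIS = {
    "registrar": "NameSilo, LLC",
    "registrant_email": "BlackPumaOct33@ukr.net",
    "created": date(2023, 9, 20),
}
SAMPLE_TODAY = date(2023, 11, 3)

if __name__ == "__main__":
    for qname, client in hunt_dns_log(SAMPLE_LOG):
        reasons = score_registration(qname, SAMPLE_WHOIS, SAMPLE_TODAY)
        print(f"{client} queried {qname}: {reasons}")
```

The name-shape check on its own will produce false positives (plenty of legitimate short .us names contain a digit), so it is best used as a pivot: take the hits, pull registration data for them, and treat a NameSilo registration under a few weeks old, or the known registrant address, as the confirming signals.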

Service Promotion and Attack Methods

Researchers emphasize that Prolific Puma does not advertise its URL shortening service on hacker forums. The channels used to deliver the malicious links vary (social networks and advertising among them), but the researchers believe text messages (SMS) are the main distribution channel.

Attribution and Attack Examples

Nothing is currently known about the origin or attribution of Prolific Puma. However, available data shows that many cybercriminals use the group’s services to redirect victims to phishing and scam sites, or even to other shortened links created by similar services.

For example, in one phishing attack documented by Infoblox, victims who clicked a shortened link were taken to a landing page that prompted them to enter personal information and make a payment, and that ultimately installed a malicious browser plugin on their system.
