Threat Intelligence (Compromised Domain List) via ZoneFiles
One of the main challenges for threat hunters is actively and proactively monitoring malicious domains. To be honest, tracking domains, especially newly registered ones, is both costly and time-consuming. But what about collecting lists of compromised domains (CDLs)?
I’ve found a great platform that helps track the latest compromised and malicious domain lists: zonefiles.io. Unfortunately, zonefiles.io is scheduled to shut down on August 15, 2025. However, the good news is that they haven't removed any details or free data, which is still available to use.
This data can help us monitor subdomains or related infrastructure of compromised domains and uncover additional clues. You can visit the site at zonefiles.io. To search for malware-related entries, press Ctrl+F in your browser and type "malware"; it will highlight all relevant instances by default.
In addition, you can find the compromised domain list at the following link:
🔗 https://zonefiles.io/compromised-domain-list/
Below is a screenshot of the page from the URL I’ve shared for your reference:
You have two options for downloading the compromised domain lists. One includes domains that were compromised in the past, and the other shows domains that are currently compromised. As you can see from the previous screenshot, the latest update was made today; it’s not from days or weeks ago, which shows the data is kept up to date.
I'm going to download the currently active list and check its contents. After that, we might be able to upload it to VirusTotal or web defacement trackers for further analysis.
As you can see from the screenshot below, we’ve successfully downloaded the latest update of the compromised domains list:
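One way to put the downloaded list to work is to match it against your own DNS query logs, so that subdomains of listed domains are caught as well. This is an added example, not code from the original post or from zonefiles.io; the one-domain-per-line list format, the log layout, and every sample value are assumptions constructed for illustration.

```python
import io

# Constructed sample list. Assumption: one domain per line, optionally followed
# by comma-separated columns; the post does not show the file's actual format.
SAMPLE_CDL = """\
Example-Shop.test
blog.example-news.test.
compromised.example,2025-01-01
"""

# Constructed DNS query log lines: "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2025-01-02T10:00:01Z 10.0.0.5 cdn.example-shop.test
2025-01-02T10:00:03Z 10.0.0.7 img.blog.example-news.test.
2025-01-02T10:00:04Z 10.0.0.9 notexample-shop.test
2025-01-02T10:00:05Z 10.0.0.9 COMPROMISED.example
"""

def normalize(name):
    """Lowercase and drop whitespace and the trailing root dot."""
    return name.strip().rstrip(".").lower()

def load_cdl(fh):
    """Return the set of listed domains, skipping blank and comment lines."""
    rows = (line.strip() for line in fh)
    return {normalize(r.split(",")[0]) for r in rows if r and not r.startswith("#")}

def match_listed(hostname, domains):
    """Return the listed domain equal to hostname or a parent of it, else None."""
    labels = normalize(hostname).split(".")
    # Match on label boundaries: "notexample-shop.test" must not hit "example-shop.test".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def scan_dns_log(fh, domains):
    """Return (timestamp, client, queried name, listed domain) for each hit."""
    hits = []
    for line in fh:
        parts = line.split()
        if len(parts) == 3 and (listed := match_listed(parts[2], domains)):
            hits.append((parts[0], parts[1], parts[2], listed))
    return hits

if __name__ == "__main__":
    for hit in scan_dns_log(io.StringIO(SAMPLE_DNS_LOG), load_cdl(io.StringIO(SAMPLE_CDL))):
        print(*hit)
```

To run it on real data, pass open file handles for the downloaded list and your resolver log instead of the embedded samples, and adjust the field split to your log format.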