Investigator Use
Hunting New Registered Domains is an open-source Python tool available on GitHub that automates the monitoring and analysis of newly registered domains for suspicious patterns, brand abuse, typosquatting, and phishing infrastructure. It retrieves daily newly registered domain feeds and applies detection rules to flag domains matching configured threat patterns.
For OSINT investigators and threat intelligence analysts, newly registered domain monitoring is a proactive intelligence capability — identifying malicious domains before they are weaponized, or immediately after deployment, provides a tactical advantage over reactive detection. Many phishing campaigns, brand impersonation attacks, and credential harvesting operations use domains registered within days of attack launch.
The tool's pattern matching capabilities allow investigators to monitor for: domains containing a target brand name or common misspellings (typosquatting), domains using lookalike characters in international alphabets (homograph attacks), domains following naming patterns consistent with known threat actor infrastructure, and domains registered in combinations suggesting fraudulent intent (company-name-login.com, company-name-verify.com patterns).
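The pattern categories above can be expressed as a small rule set. The following is an added example, not code from the tool or its repository; the brand `examplebank`, the confusable-character table, the rule names, and the sample feed are all constructed for illustration.

```python
# Added example: rule-based triage of a newly registered domain (NRD) feed.
# BRAND, CONFUSABLES, rule names and SAMPLE_FEED are constructed assumptions.
BRAND = "examplebank"
KEYWORDS = ("login", "verify")  # the company-name-login / -verify patterns
# Cyrillic letters that render like Latin a, e, o, p, c
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441", "aeopc")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand=BRAND):
    """Return the rule names a domain triggers (empty list = not flagged)."""
    name = domain.lower().rstrip(".").rsplit(".", 1)[0]  # drop TLD (single-label TLD assumed)
    try:
        name = name.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # already Unicode or undecodable: keep the raw form
    skeleton = name.translate(CONFUSABLES)  # fold lookalikes to Latin
    tokens = [t for t in skeleton.replace(".", "-").split("-") if t]
    hits = []
    if brand in name:
        hits.append("brand")
    elif brand in skeleton:  # only matches after folding lookalikes
        hits.append("homograph")
    elif any(edit_distance(t, brand) == 1 for t in tokens):
        hits.append("typosquat")
    if hits and any(k in skeleton for k in KEYWORDS):
        hits.append("keyword-combo")
    return hits

def triage(feed):
    return {d: hits for d in feed if (hits := classify(d))}

SAMPLE_FEED = [  # constructed entries, not real registrations
    "examplebank-login.com",
    "examplbank-verify.net",
    "ex\u0430mplebank.com".encode("idna").decode("ascii"),  # Cyrillic 'a' in punycode form
    "gardening-tips.net",
]

if __name__ == "__main__":
    for domain, hits in triage(SAMPLE_FEED).items():
        print(domain, hits)
```

Feeds list homograph domains in their `xn--` form, so decoding before comparison is what lets the lookalike rule fire; an edit distance of 1 is a deliberately tight threshold chosen here to keep false positives low on short brand names.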
Daily monitoring of newly registered domains relevant to a protected brand allows brand protection teams to proactively identify and take down impersonating domains before victims reach them. For financial institutions, law firms, and other high-phishing-risk organizations, this proactive monitoring significantly reduces the harm from phishing campaigns.
The tool outputs discovered suspicious domains with registration timestamps, registrar data, and name servers, allowing investigators to prioritize domains for immediate investigation and potential takedown action.
Integration with threat intelligence platforms and security tooling is supported through its configurable output formats, enabling new domain alerts to automatically populate watchlists and detection rules.
Installation requires Python 3 and a source for newly registered domain feeds (several free sources are supported). Configure pattern rules based on protected brands and known threat actor naming conventions. Run daily against fresh domain registration feeds for continuous monitoring coverage.
Document all configuration rules, detection logic, and flagged domains with registration dates for case records.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
ARIN
Domain OSINT
ARIN is a nonprofit, member-based organization that administers IP addresses & ASNs in support of the operation and growth of the Internet.
Central Ops
Domain OSINT
Free online network tools, including traceroute, nslookup, dig, whois, ping, and our own Domain Dossier and Email Dossier. Works with IPv6.
Cert Graph Crawler
Domain OSINT
An open source intelligence tool to crawl the graph of certificate Alternate Names.
DNS History
Domain OSINT
DNS History archives historical DNS records, letting investigators track IP changes, hosting migrations, and infrastructure pivots over time.
DNS Twister
Domain OSINT
DNS Twister generates and monitors domain permutations for typosquatting detection, brand protection, and phishing infrastructure discovery.
DomainTools
Domain OSINT
DomainTools provides WHOIS lookup, IP history, domain ownership records, and reverse WHOIS for domain and infrastructure investigation.