{"id":"https://openalex.org/W7126157822","doi":"https://doi.org/10.1109/raid67961.2025.00041","title":"From Concealment to Exposure: Understanding the Lifecycle and Infrastructure of APT Domains","display_name":"From Concealment to Exposure: Understanding the Lifecycle and Infrastructure of APT Domains","publication_year":2025,"publication_date":"2025-10-19","ids":{"openalex":"https://openalex.org/W7126157822","doi":"https://doi.org/10.1109/raid67961.2025.00041"},"language":null,"primary_location":{"id":"doi:10.1109/raid67961.2025.00041","is_oa":false,"landing_page_url":"https://doi.org/10.1109/raid67961.2025.00041","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5018746218","display_name":"Athanasios Avgetidis","orcid":"https://orcid.org/0000-0001-7717-5368"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Athanasios Avgetidis","raw_affiliation_strings":["Georgia Institute of Technology"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5050993271","display_name":"Aaron Faulkenberry","orcid":null},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Aaron Faulkenberry","raw_affiliation_strings":["Georgia Institute of Technology"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5115729153","display_name":"Vinny Adjibi","orcid":null},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Vinny Adjibi","raw_affiliation_strings":["Georgia Institute of Technology"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040368820","display_name":"Tillson Galloway","orcid":null},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Tillson Galloway","raw_affiliation_strings":["Georgia Institute of Technology"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5031597177","display_name":"Panagiotis Kintis","orcid":"https://orcid.org/0000-0002-5617-7417"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Panagiotis Kintis","raw_affiliation_strings":["Georgia Institute of Technology"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5124370222","display_name":"Omar Alrawi","orcid":null},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Omar Alrawi","raw_affiliation_strings":["Georgia Institute of Technology"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5087894470","display_name":"Zane Ma","orcid":"https://orcid.org/0000-0003-4501-066X"},"institutions":[{"id":"https://openalex.org/I131249849","display_name":"Oregon State University","ror":"https://ror.org/00ysfqy60","country_code":"US","type":"education","lineage":["https://openalex.org/I131249849"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Zane Ma","raw_affiliation_strings":["Oregon State University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Oregon State University","institution_ids":["https://openalex.org/I131249849"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5069862528","display_name":"Fabian Monrose","orcid":"https://orcid.org/0000-0002-9805-2217"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Fabian Monrose","raw_affiliation_strings":["Georgia Institute of Technology"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5023057383","display_name":"Angelos D. Keromytis","orcid":"https://orcid.org/0000-0003-3815-5932"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Angelos D. Keromytis","raw_affiliation_strings":["Georgia Institute of Technology"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5071832270","display_name":"Roberto Perdisci","orcid":"https://orcid.org/0000-0002-7339-0041"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Roberto Perdisci","raw_affiliation_strings":["University of Georgia"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Georgia","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5067105657","display_name":"Manos Antonakakis","orcid":"https://orcid.org/0000-0003-1578-8307"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Manos Antonakakis","raw_affiliation_strings":["Georgia Institute of Technology"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology","institution_ids":["https://openalex.org/I130701444"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":11,"corresponding_author_ids":["https://openalex.org/A5018746218"],"corresponding_institution_ids":["https://openalex.org/I130701444"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.69917314,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"488","last_page":"505"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.4973999857902527,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.4973999857902527,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.25459998846054077,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12519","display_name":"Cybercrime and Law Enforcement Studies","score":0.050700001418590546,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/order","display_name":"Order (exchange)","score":0.5422000288963318},{"id":"https://openalex.org/keywords/domain","display_name":"Domain (mathematical analysis)","score":0.4950000047683716},{"id":"https://openalex.org/keywords/critical-infrastructure","display_name":"Critical infrastructure","score":0.4456000030040741},{"id":"https://openalex.org/keywords/point","display_name":"Point (geometry)","score":0.41269999742507935},{"id":"https://openalex.org/keywords/public-domain","display_name":"Public domain","score":0.3799000084400177},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.32739999890327454},{"id":"https://openalex.org/keywords/data-breach","display_name":"Data breach","score":0.32089999318122864},{"id":"https://openalex.org/keywords/measure","display_name":"Measure (data warehouse)","score":0.29190000891685486}],"concepts":[{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5827999711036682},{"id":"https://openalex.org/C182306322","wikidata":"https://www.wikidata.org/wiki/Q1779371","display_name":"Order (exchange)","level":2,"score":0.5422000288963318},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5397999882698059},{"id":"https://openalex.org/C36503486","wikidata":"https://www.wikidata.org/wiki/Q11235244","display_name":"Domain (mathematical analysis)","level":2,"score":0.4950000047683716},{"id":"https://openalex.org/C29852176","wikidata":"https://www.wikidata.org/wiki/Q373338","display_name":"Critical infrastructure","level":2,"score":0.4456000030040741},{"id":"https://openalex.org/C28719098","wikidata":"https://www.wikidata.org/wiki/Q44946","display_name":"Point (geometry)","level":2,"score":0.41269999742507935},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.39250001311302185},{"id":"https://openalex.org/C512654426","wikidata":"https://www.wikidata.org/wiki/Q19652","display_name":"Public domain","level":2,"score":0.3799000084400177},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.32739999890327454},{"id":"https://openalex.org/C165609540","wikidata":"https://www.wikidata.org/wiki/Q1172486","display_name":"Data breach","level":2,"score":0.32089999318122864},{"id":"https://openalex.org/C2780009758","wikidata":"https://www.wikidata.org/wiki/Q6804172","display_name":"Measure (data warehouse)","level":2,"score":0.29190000891685486},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.2912999987602234},{"id":"https://openalex.org/C2776330005","wikidata":"https://www.wikidata.org/wiki/Q7257917","display_name":"Public infrastructure","level":2,"score":0.28299999237060547},{"id":"https://openalex.org/C3018725008","wikidata":"https://www.wikidata.org/wiki/Q4071928","display_name":"Cyber threats","level":2,"score":0.28209999203681946},{"id":"https://openalex.org/C105002631","wikidata":"https://www.wikidata.org/wiki/Q4833645","display_name":"Subject-matter expert","level":3,"score":0.28189998865127563},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.2770000100135803},{"id":"https://openalex.org/C2779439359","wikidata":"https://www.wikidata.org/wiki/Q317088","display_name":"Commodity","level":2,"score":0.2750999927520752},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.27399998903274536},{"id":"https://openalex.org/C18762648","wikidata":"https://www.wikidata.org/wiki/Q42213","display_name":"Work (physics)","level":2,"score":0.2712000012397766},{"id":"https://openalex.org/C75684735","wikidata":"https://www.wikidata.org/wiki/Q858810","display_name":"Big data","level":2,"score":0.2669999897480011},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.2662999927997589},{"id":"https://openalex.org/C143299363","wikidata":"https://www.wikidata.org/wiki/Q900584","display_name":"Attribution","level":2,"score":0.25110000371932983}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/raid67961.2025.00041","is_oa":false,"landing_page_url":"https://doi.org/10.1109/raid67961.2025.00041","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Industry, innovation and infrastructure","id":"https://metadata.un.org/sdg/9","score":0.6381591558456421}],"awards":[],"funders":[{"id":"https://openalex.org/F4320332180","display_name":"Defense Advanced Research Projects Agency","ror":"https://ror.org/02caytj08"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":36,"referenced_works":["https://openalex.org/W1919179112","https://openalex.org/W1976658129","https://openalex.org/W2092681734","https://openalex.org/W2164373098","https://openalex.org/W2295598076","https://openalex.org/W2510523362","https://openalex.org/W2518248186","https://openalex.org/W2620741116","https://openalex.org/W2621121979","https://openalex.org/W2760313715","https://openalex.org/W2770572064","https://openalex.org/W2902942389","https://openalex.org/W2930110112","https://openalex.org/W2946898425","https://openalex.org/W2953684237","https://openalex.org/W2962703433","https://openalex.org/W2963883458","https://openalex.org/W2986944522","https://openalex.org/W2998038410","https://openalex.org/W3008443984","https://openalex.org/W3085485950","https://openalex.org/W3094043420","https://openalex.org/W3157552928","https://openalex.org/W3185502221","https://openalex.org/W4225697716","https://openalex.org/W4280511617","https://openalex.org/W4311165740","https://openalex.org/W4311165867","https://openalex.org/W4385412492","https://openalex.org/W4389279191","https://openalex.org/W4402263680","https://openalex.org/W4402264131","https://openalex.org/W4402265033","https://openalex.org/W4402957848","https://openalex.org/W4404575173","https://openalex.org/W4407792200"],"related_works":[],"abstract_inverted_index":{"Advanced":[0],"Persistent":[1],"Threats":[2],"(APTs)":[3],"are":[4,10,180,231,295],"sophisticated":[5],"and":[6,22,83,98,103,135,202,218,288,304],"long-lived":[7],"attacks":[8,236],"that":[9,81,110,121,146,152,179,200,230,272],"often":[11],"backed":[12],"by":[13,51,60],"nationstates.":[14],"Despite":[15],"the":[16,53,64,108,117,176,183,193],"security":[17,203],"community\u2019s":[18],"efforts":[19],"to":[20,26,94,158,189,206,213,234,239,247,252,283],"design":[21],"deploy":[23,278],"specialized":[24],"systems":[25],"combat":[27],"them,":[28],"APTs":[29],"have":[30,147,253,260],"remained":[31],"prevalent":[32],"while":[33],"persisting":[34],"undetected":[35],"for":[36,243],"significantly":[37],"more":[38,101,216,232,291],"time":[39,194],"than":[40,107],"commodity":[41],"cyber":[42],"threats.":[43],"In":[44],"this":[45,49,72],"paper,":[46],"we":[47,74,124,269],"measure":[48],"difference":[50],"conducting":[52],"first":[54,196],"longitudinal":[55],"analysis":[56],"of":[57,66,88,143,175,182,195,256,264],"APT":[58,89,127,153,177,235,266,273,279],"infrastructure":[59,105,119,145,185,281],"shedding":[61],"light":[62],"on":[63,164],"lifecycle":[65,97],"their":[67,96,141,156,159,190,284],"domain":[68,90,160],"names.":[69],"To":[70],"enable":[71],"study,":[73],"build":[75],"Atropos,":[76],"a":[77,100,130,133,215,262],"novel":[78,138],"measurement":[79],"methodology":[80],"automatically":[82],"accurately":[84],"labels":[85],"DNS":[86,209],"records":[87],"names,":[91],"enabling":[92],"us":[93],"understand":[95],"gain":[99],"comprehensive":[102,118,217],"contextualized":[104],"picture":[106,220],"one":[109],"is":[111,169],"shared":[112],"in":[113,211,250],"public":[114,197],"reports.":[115],"Using":[116],"view":[120],"Atropos":[122],"provides,":[123],"study":[125],"405":[126],"actors":[128,154,274],"over":[129],"period":[131],"spanning":[132],"decade":[134],"unveil":[136],"several":[137],"findings":[139,294],"regarding":[140],"utilization":[142],"network":[144,223,241,280],"practical":[148],"implications.":[149],"We":[150],"find":[151],"provision":[155],"IPs":[157,178],"names":[161],"317":[162],"days":[163],"average":[165],"before":[166],"an":[167,265],"attack":[168,184,286],"publicly":[170],"reported.":[171],"Furthermore,":[172],"$73.6":[173],"\\%$":[174],"part":[181],"no":[186],"longer":[187],"point":[188],"domains":[191],"at":[192,244],"disclosure,":[198],"highlighting":[199],"researchers":[201],"practitioners":[204],"need":[205,238],"consider":[207],"historic":[208],"data":[210],"order":[212,251],"get":[214],"accurate":[219],"when":[221],"training":[222],"detection,":[224],"investigation,":[225],"or":[226],"attribution":[227,305],"systems.":[228],"Organizations":[229],"sensitive":[233],"will":[237],"retain":[240],"logs":[242],"least":[245],"19":[246],"25":[248],"months":[249],"higher":[254],"probabilities":[255],"discovering":[257],"whether":[258],"they":[259,298],"been":[261],"target":[263],"attack.":[267],"Finally,":[268],"provide":[270],"evidence":[271],"re-use":[275],"hosting":[276],"providers,":[277],"close":[282],"intended":[285],"targets,":[287],"increasingly":[289],"utilize":[290],"cloud-fronting.":[292],"These":[293],"important":[296],"because":[297],"can":[299],"guide":[300],"future":[301],"threat":[302],"detection":[303],"works.":[306]},"counts_by_year":[],"updated_date":"2026-05-03T08:25:01.440150","created_date":"2026-02-01T00:00:00"}