MITRE ATT&CK® Technique

T1637.001: Domain Generation Algorithms

Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.[1]

DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.

Domain: Mobile · ID: T1637.001 · Type: Sub-technique · Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Domain Generation Algorithms matter because they let mobile malware avoid relying on one fixed command-and-control or distribution domain. Instead of blocking a single hostname, defenders may face large numbers of procedurally generated domains that a compromised Android or iOS device can try over time. For leaders, this is a mobile resilience and visibility issue: if DNS and mobile network activity are not observable, takedown, blocking, and incident scoping become much harder.

Executive priority

Prioritize this where mobile devices access sensitive business systems, financial workflows, or regulated data. The decision point is whether the organization can see and control mobile DNS/network behavior well enough to detect unusual generated-domain patterns, support incident response, and provide audit evidence that mobile command-and-control risk is managed. This technique is especially relevant to Android based on related malware relationships, but the ATT&CK technique platform also includes iOS.

Technical view

Validate coverage for Android and iOS mobile network activity associated with the parent technique, Dynamic Resolution (T1637). Because the mirrored object carries no official detection text, detection engineering should lean on the related detection strategy DET0669 (Detection of Domain Generation Algorithms) and on local telemetry: repeated lookups to many low-reputation or algorithmically patterned domains, high rates of failed (NXDOMAIN) resolutions, bursts of newly observed domains, and app network behavior inconsistent with expected use. Relationship context shows use by Rotexy, Mandrake, SharkBot, and FluBot, all Android software entries, so Android monitoring and mobile malware triage should be a near-term validation focus, without excluding iOS from platform coverage review.

Likely telemetry

  • Mobile DNS query and response logs, including NXDOMAIN or failed resolution patterns
  • Mobile device network connection metadata for outbound domains, IPs, ports, and timing
  • Mobile threat defense, EDR, or device management events that identify suspicious app network behavior
  • Secure web gateway, DNS security, resolver, or carrier/VPN logs for managed mobile traffic
  • Application inventory and installation source evidence for mobile apps that may communicate with generated domains

Detection direction

  • Confirm whether managed Android and iOS traffic actually traverses monitored DNS or network controls; unmanaged cellular paths are a common blind spot.
  • Tune analytics for DGA-like behavior rather than single-domain indicators: high domain churn, unusual lexical features, repeated failed resolutions, and short-lived or newly seen domains.
  • Use relationship context from Rotexy, Mandrake, SharkBot, and FluBot to inform mobile malware triage and threat-intel enrichment without assuming those families are present.
  • Account for false positives from legitimate apps that use content delivery, telemetry, randomized hostnames, or anti-abuse infrastructure.
  • Where DET0669 content is available in the local ATT&CK data set, compare it against current SOC detections and mobile telemetry sources.
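The analytics listed above (domain churn, lexical features, repeated failed resolutions) and the procedural generation described in the technique summary, as one added worked example in Python. This is not Glexia's or MITRE's code and not the algorithm of Rotexy, Mandrake, SharkBot or FluBot: seeded_dga() is a generic date-seeded illustration used only to produce the constructed lookups, and the detector scores constructed resolver log lines per device. The log format, device names, seed and thresholds are assumptions made for the example.

```python
"""Toy detection of DGA-like lookups over constructed mobile DNS logs.

Added example, not Glexia's or MITRE's code. seeded_dga() is a generic
illustration of procedural generation, not any named family's algorithm.
Log format, device names, seed and thresholds are assumptions.
"""
import hashlib
import math
from collections import defaultdict
from datetime import date

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = (".com", ".net", ".org", ".info")

# Assumed thresholds: starting points to tune against local telemetry.
MIN_DISTINCT = 20        # distinct registrable domains per device per window
MIN_NX_RATIO = 0.5       # share of lookups answered NXDOMAIN
MIN_MEAN_ENTROPY = 3.0   # mean Shannon entropy (bits/char) of registrable labels


def seeded_dga(seed: str, day: date, count: int) -> list:
    """Illustrative date-seeded DGA: client and operator derive the same list
    from a shared seed plus the date; the operator registers one domain, the
    client tries them in order until one resolves."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        n = int(digest[:20], 16)  # 80 bits covers 14 letters (26**14 < 2**66)
        label = ""
        for _ in range(14):
            label += ALPHABET[n % 26]
            n //= 26
        domains.append(label + TLDS[i % len(TLDS)])
    return domains


def parse_line(line: str) -> dict:
    """Parse the constructed 'key=value' log format used by SAMPLE_LOG."""
    fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
    return {"device": fields["device"],
            "qname": fields["qname"].lower().rstrip("."),
            "rcode": fields["rcode"]}


def registrable_domain(qname: str) -> str:
    """label.tld of the query name. Simplification: ignores multi-part public
    suffixes such as co.uk; use a public-suffix list in production."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def shannon_entropy(text: str) -> float:
    """Bits per character; random letter strings score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def score_device(records: list) -> dict:
    """Per-device features for one window: churn, failure rate, lexical
    randomness. Counting registrable domains rather than FQDNs stops a CDN
    that hands out random hostnames under one apex from inflating churn."""
    domains = {registrable_domain(r["qname"]) for r in records}
    labels = {d.split(".")[0] for d in domains}
    nxdomain = sum(1 for r in records if r["rcode"] == "NXDOMAIN")
    features = {
        "lookups": len(records),
        "distinct": len(domains),
        "nx_ratio": nxdomain / len(records),
        "mean_entropy": sum(shannon_entropy(l) for l in labels) / len(labels),
    }
    features["flagged"] = (features["distinct"] >= MIN_DISTINCT
                           and features["nx_ratio"] >= MIN_NX_RATIO
                           and features["mean_entropy"] >= MIN_MEAN_ENTROPY)
    return features


def analyze(lines: list) -> dict:
    """Group log lines by device and score each device."""
    by_device = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_device[rec["device"]].append(rec)
    return {dev: score_device(recs) for dev, recs in by_device.items()}


def _line(device: str, qname: str, rcode: str, seq: int) -> str:
    """Constructed resolver log line: timestamp, device, qname, rcode."""
    return (f"2026-03-02T08:{seq // 60:02d}:{seq % 60:02d}Z "
            f"device={device} qname={qname} rcode={rcode}")


# Constructed sample: an infected device walking its generated list (only the
# last entry is registered), an ordinary device with one typo, and a device
# behind a CDN that uses randomised hostnames (a common false-positive source).
DGA_DOMAINS = seeded_dga("example-seed", date(2026, 3, 2), 30)
SAMPLE_LOG = (
    [_line("android-17", d, "NXDOMAIN", i) for i, d in enumerate(DGA_DOMAINS[:-1])]
    + [_line("android-17", DGA_DOMAINS[-1], "NOERROR", 29)]
    + [_line("android-17", "api.example.com", "NOERROR", 30 + i) for i in range(2)]
    + [_line("ios-04", "api.example.com", "NOERROR", i) for i in range(5)]
    + [_line("ios-04", "www.example.org", "NOERROR", 5 + i) for i in range(3)]
    + [_line("ios-04", "mail.example.com", "NOERROR", 8 + i) for i in range(2)]
    + [_line("ios-04", "exmaple.com", "NXDOMAIN", 10)]
    + [_line("android-22", hashlib.sha256(str(i).encode()).hexdigest()[:12]
             + ".cdn.example.net", "NOERROR", i) for i in range(10)]
)

if __name__ == "__main__":
    for device, feats in analyze(SAMPLE_LOG).items():
        print(device, feats)
```

Only android-17 trips all three conditions; ios-04 fails on churn and failure rate, and android-22 collapses to a single registrable domain despite ten random hostnames, which is the point of scoring at the registrable-domain level. The thresholds are deliberately conjunctive so that no single feature (a burst of NXDOMAINs from a typo-prone user, or a high-entropy brand name) flags a device on its own.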

Mitigation priorities

  • First, establish visibility: require managed mobile DNS/network telemetry for devices that access business resources.
  • Next, enforce mobile device management or equivalent controls for application inventory, app source governance, and device compliance before access to sensitive systems.
  • Apply DNS and network security controls that can block or sinkhole suspicious generated-domain activity when confidence is sufficient.
  • Integrate mobile alerts into incident response playbooks so suspicious DGA behavior triggers device isolation, app review, credential risk assessment, and scoping of related DNS activity.
  • Use findings as compliance evidence for mobile threat monitoring, command-and-control prevention, and incident readiness where those controls are in scope.

Analyst notes and limits

This is a mobile ATT&CK sub-technique of Dynamic Resolution. The official object states that DGAs may be used for command-and-control communication or malicious application distribution and that they make blocking, tracking, or takeover harder because malware may check thousands of domains. The most concrete relationship evidence is Android software usage by Rotexy, Mandrake, SharkBot, and FluBot, plus a related detection strategy named Detection of Domain Generation Algorithms.

ATT&CK does not provide official detection text, tactics, or mitigation text for this object in the supplied fields. Specific analytics, thresholds, and response actions must be validated against local mobile management, DNS, resolver, VPN, carrier, and network telemetry. The supplied relationships support Android examples, while the technique platform field supports Android and iOS; no claim is made that any named malware is currently active in the reader’s environment.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows

Domain | ID    | Name                         | Relationship / procedure
Mobile | T1637 | Dynamic Resolution           | This object is a sub-technique of Dynamic Resolution.
Mobile | T1520 | Domain Generation Algorithms | T1520 was revoked and is replaced by this object (T1637.001).
Associated objects

Groups, software, and campaigns

S1067: FluBot (Malware, Mobile; platform: Android)

FluBot is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.[1][2] An international law enforcement operation of 11 countries eventually disrupted the spread of FluBot.[3]

S1055: SharkBot (Malware, Mobile; platform: Android)

SharkBot is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.[1]

S0411: Rotexy (Malware, Mobile; platform: Android)

Rotexy is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.[1]

S0485: Mandrake (Malware, Mobile; platform: Android)

Mandrake is a sophisticated Android espionage platform that has been active in the wild since at least 2016. Mandrake is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.

Mandrake has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created: (blank in mirrored snapshot)
Modified: (blank in mirrored snapshot)
Raw hash: 424dad63184682b5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | 424dad631846…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] securelist rotexy 2018: T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  2. [2] Data Driven Security DGA: Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.
  3. [3] mitre-attack T1637.001: the MITRE-hosted entry for this object on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.