Parked Domains Become Weapons with Direct Search Advertising
ID: 3720df5e-ef2b-5455-9c4c-46e0e1e901ea
STIX ID: report--3720df5e-ef2b-5455-9c4c-46e0e1e901ea
Feed Name: Infoblox Threat Intel Blog
### Executive Summary

This report analyzes how parked and typosquat domains abused via "direct search" (zero-click) parking are routinely funneled through traffic distribution systems (TDS) to deliver scams, scareware, and malware (observed families include Tedy and Babar). It details three distinct domain-portfolio actors: a torresdns portfolio with roughly 3,000 lookalike domains and active email-address collection; a double fast-flux operator, including ic3.org, with rapid name-server and IP rotation; and domaincntrol.com, which abuses a GoDaddy typosquat and selectively targets users of Cloudflare's 1.1.1.1 resolver. It explains the profiling and redirection TTPs (browser fingerprinting, TDS chains, captcha gates, push-subscription lures) and lists indicators (domains, an IP address, and SHA256 hashes) observed in active campaigns.
