Yeah, it depends on what you mean.

In many cases malware and phishing is hosted off other compromised sites. They build a list of Wordpress sites with vulnerabilities and host their files onto them. So for example “legitimate-medical-site.net.com” is a real site, so they’ll Chuck malicious files in there somewhere like “legitimate-medical-site. net. com/qwertasdf/invoice.pdf”.

If the site gets blocked or shutdown it’s no loss to them.

Another technique, especially phishing wise, they will have a semi-plausible domain name (e.g. youbank-security-server .con). But they will register heaps of these. There are tonnes of top level domains that do next to no checking again, these things cost a few bucks so having it taken down is not a problem.

The combination of burner sites and domains mean they have a window of opportunity to run their attacks and scams before other protections kick in.