Marauder or Scanning your DNSDB for Fun and Profit

Passive DNS (DNSDB) is nowadays a fundamental investigative tool that helps security researchers, malware analysts, and incident responders correlate numerous indicators to identify attacks and track malicious activity on the internet. It is built by consolidating authoritative DNS traffic into a persistent, indexed historical database. In this talk, we present "Marauder", a novel threat detection system applied to our DNSDB as well as to the live stream of authoritative DNS traffic. The system allows rapid, parallel scanning of suspicious hotspots in the IP space and discovers new malicious domains and IPs. We will describe various attack domains detected by this system, such as trojan CnCs, exploit kit domains, botnets, etc.
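The two steps the abstract describes, consolidating authoritative observations into a passive DNS index and then pivoting from known-bad indicators to IP-space hotspots to surface new domains, as an added Python example (not Marauder's code or the talk's own material); the observations, the known-bad seed list and the /24 grouping threshold are constructed assumptions:

```python
import ipaddress
from collections import defaultdict

# Constructed sample of authoritative DNS observations: (unix_ts, rrname, rrtype, rdata).
OBSERVATIONS = [
    (1700000000, "evil-cnc.example", "A", "203.0.113.10"),
    (1700003600, "evil-cnc.example", "A", "203.0.113.10"),
    (1700007200, "kit-landing.example", "A", "203.0.113.22"),
    (1700010800, "unknown-one.example", "A", "203.0.113.40"),
    (1700014400, "unknown-two.example", "A", "203.0.113.41"),
    (1700018000, "benign-site.example", "A", "198.51.100.5"),
    (1700021600, "other-bad.example", "A", "192.0.2.7"),
    (1700025200, "evil-cnc.example", "NS", "ns1.evil-cnc.example"),
]
# Constructed seed list of domains an analyst has already confirmed malicious.
KNOWN_BAD = {"evil-cnc.example", "kit-landing.example", "other-bad.example"}


def build_dnsdb(observations):
    """Consolidate raw observations into an index keyed by (rrname, rrtype, rdata)."""
    db = {}
    for ts, rrname, rrtype, rdata in observations:
        key = (rrname.lower().rstrip("."), rrtype, rdata)
        rec = db.setdefault(key, {"first_seen": ts, "last_seen": ts, "count": 0})
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["count"] += 1
    return db


def prefix_of(ip, bits=24):
    """Network prefix an address falls in, e.g. 203.0.113.10 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def find_hotspots(db, known_bad, min_bad=2, bits=24):
    """Prefixes hosting at least min_bad distinct known-malicious domains."""
    by_prefix = defaultdict(set)
    for rrname, rrtype, rdata in db:
        if rrtype == "A" and rrname in known_bad:
            by_prefix[prefix_of(rdata, bits)].add(rrname)
    return {p: names for p, names in by_prefix.items() if len(names) >= min_bad}


def discover_candidates(db, hotspots, known_bad, bits=24):
    """Not-yet-flagged domains whose A records land in a hotspot prefix."""
    found = defaultdict(set)
    for rrname, rrtype, rdata in db:
        if rrtype == "A" and rrname not in known_bad:
            p = prefix_of(rdata, bits)
            if p in hotspots:
                found[p].add(rrname)
    return {p: sorted(names) for p, names in found.items()}
```

The candidates are leads for review, not verdicts: a shared /24 is weak evidence on its own, and the first_seen/last_seen window is what lets an analyst check whether a candidate overlapped in time with the confirmed-bad neighbours.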

Presented by