Home / Industry

Analyzing Recently Discovered Windows 11-Themed Assets

The release of a new application or operating system (OS) is typically greeted by enthusiasm, diverse opinions, and potential threats. Windows 11’s case is no different as we identified various assets that could be misused on the Internet. This post provides an overview of those found assets—domains and subdomains—as well as some data enrichment, including the identification of likely dangerous properties.

Windows 11-Related Newly Registered Domains

We looked at newly registered domain data feeds from 26 May to 26 June 2021 to see how many have the strings “windows11,” “windows-11,” “win11,” and “win-11” in them. Our rationale is that while some of these can have nonmalicious purposes, such as the launch of related products and services by various companies, others may have been registered for nefarious reasons, such as phishing.

For our analysis, we exclusively used the newly registered domains with the “.com” extension. From these, we obtained a sample containing 125 domain names, even though including other major TLDs in the analysis would have significantly increased our sample size.

The strings of those 125 domains were broken down into:

  • 56% “windows11” domains
  • 41% “win11” domains
  • 2% “windows-11” domains
  • 1% “win-11” domains
Chart 1: Number of .com domains by string

Five of the 125 domains were dubbed “malicious” when queried on our threat intelligence platform. Of these five flagged properties, examples that could easily figure into phishing campaigns are windows11activator[.]com and windows11appstore[.]com.

Windows11activator[.]com could, for instance, be used to lure in users in search of ways to get around activating their OSs without paying for licenses. Windows11appstore[.]com, meanwhile, could be used to trick users into giving out personally identifiable information (PII) or shelling out money to pay for apps for their new OS.

Windows 11-Related Subdomains

We used a subdomain finder to look for subdomains containing the strings “windows11,” “windows-11,” “win11,” and “win-11” that were added to the subdomain database since 26 May 2021.

A sampled total of 23 subdomains were found broken down by string into:

  • 35% “windows11” subdomains
  • 9% “windows-11” subdomains
  • 52% “win11” subdomains
  • 4% “win-11” subdomains
Chart 2: Number of Windows 11-related subdomains by string

Deep Dive into the Domains

Combining the NRDs with the domains of the resulting subdomain searches gave us a list of 137 unique domains. None of them appeared to be owned by Microsoft based on the result of our bulk WHOIS lookup. They were also registered in 12 countries broken down into:

1% each were registered in Bangladesh, Canada, France, Hong Kong, Pakistan, and Yemen

  • 8% were registered in China
  • 37% were registered in Iceland
  • 4% were registered in India
  • 2% were registered in Japan
  • 3% were registered in Russia
  • 18% were registered in the U.S.
  • 23% did not indicate their registrant countries
Chart 3: Number of Windows 11-related domains by registrant country

Querying the domains on a DNS database provided us with a list of 92 unique IP addresses. Eleven of these were tagged “malicious” when run through a threat database.

Running them through a bulk IP geolocation tool revealed that a vast majority of them (75%) were geolocated in the U.S. They were scattered across 11 countries, namely, Australia, China, France, Germany, Hong Kong, Japan, the Netherlands, Singapore, Taiwan, the U.S., and Vietnam.

Chart 4: IP address distribution by country

A comparison of the domain registrant and IP geolocation countries shows huge disparities. Only four countries—China, France, Hong Kong, Japan, and the U.S.—appeared in both charts.

To find more potential threat artifacts, the 11 malicious IP addresses were queried through a passive DNS database. Two important notes should, however, be kept in mind. First, the results of every passive DNS query are limited to 300 domains per IP address. And second, all duplicates were removed from the resulting list. That said, a total of 1,037 unique domains were collected. Since they resolved to a malicious IP address at least once, some of them could be dangerous to access as well. Examples include:

  • 0047ol[.]top
  • 00504[.]cc
  • 01101110011001010111100001110100[.]xyz
  • 01q[.]xyz
  • 02g[.]xyz

A few weeks away from the Windows 11 release, many domains containing related strings started being registered, some of which have already been flagged as suspicious or malicious. Other related subdomains have also started appearing to the DNS and may require closer attention.

If you wish to get a copy of the domains and subdomains we obtained for this Windows 11 study to enhance your security monitoring, don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global