
Sinkholing May Not Spell the End for Malware Hosts and Botnets

Sinkholing has long been employed as an effective cybersecurity measure to curb the spread of dangerous malware. Remember the WannaCry ransomware outbreak of May 2017? Its spread was halted when a researcher registered the kill-switch domain the worm checked before encrypting and pointed it at a sinkhole.

More recently, Microsoft obtained a court order to seize domains used by Strontium (also tracked as APT28), a Russian state-sponsored threat actor that has been targeting Ukrainian institutions, and redirected them to a sinkhole.

While the tactic undoubtedly works, the sinkholed domains themselves are rarely studied, so trends in the infrastructure behind ongoing threats may go unnoticed. We hope to change that with this analysis conducted by WhoisXML API threat researcher Dancho Danchev, which gives cybersecurity teams more insight into sinkholed domains. That knowledge can point them to further web properties that may also need to be taken offline.

Our in-depth analysis revealed:

  • More than 13,000 malware and botnet domains sinkholed, identified through the contact email addresses of known sinkhole operators
  • A huge majority of the sinkholed domains appear to have been created using domain generation algorithms (DGAs)
  • Most of the sinkholed domains used the .com top-level domain (TLD)
  • In a 5% sample, the sinkholed domains had been registered for an average of roughly five years and eight months at the time of analysis

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated the pertinent data and made it available to anyone interested. You may download Danchev’s report and related threat research materials here.

Analysis and Findings

We began our investigation by obtaining 24 email addresses that are known to appear as registrant or contact addresses in the WHOIS records of domains sinkholed during ongoing malware and botnet operations.

Sinkholed Domains

Using these email addresses as reverse WHOIS search terms led to the discovery of 13,265 domains. Examples include:

  • lztorsixnikxicahclbrasqu[.]org
  • azslrhksyldb[.]org
  • bqkrtxgkmriwsiwcngtivpx[.]info
  • fkbpvfnbhfwedagussg[.]com
  • honeybot[.]us
  • quicklygood[.]gdn
  • gramblr[.]ca
  • empire-js[.]us
  • eitherplunge[.]gdn
  • ee0[.]us

The domain distribution per email address (partially redacted for privacy) is shown in the report's chart.

Based on the contact email addresses, sinkholing is practiced by nonprofit organizations such as the Shadowserver Foundation and the Spamhaus Project, security vendors such as Secureworks, Kaspersky, and Check Point Software, and government agencies such as the Federal Bureau of Investigation (FBI).

A huge majority of the domains in our sample, however, were sinkholed by addresses that appear to belong to independent security researchers rather than to organizations.

Domains by Type

Looking more closely at the sinkholed domains, we found that a huge majority appear to be DGA-generated: their second-level labels consist of seemingly random alphanumeric strings rather than dictionary words. The report's chart shows their volume distribution.

Four types of domains were detected—DGA-created, composed of generic terms, brand-related domains, and those containing persons’ names. The table below shows examples of each type.

Table: example domains of each type (DGA-created domains; domains comprising generic term combinations; domains containing individuals' names; brand-related domains). The example entries are not reproduced here.

Because a number of the sinkholed domains reference well-known brands, users of those brands' devices or services should be especially wary of links embedded in emails from unknown senders, since lookalike domains of this kind are commonly used in phishing lures.

Domains by TLD

It is difficult to block every suspicious domain at the resolver or gateway, but monitoring for domains that fall under the four categories above narrows the task, especially when they use the TLDs the threat actors favored, such as .com, .net, and .xyz. In all, the sinkholed domains were spread across 27 TLDs.
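The type classification above (random-looking labels versus word-based ones) and the TLD-based monitoring this section recommends can be reduced to a small, reproducible check. The following script is an added example, not code from the article or from WhoisXML API: it scores second-level labels with three heuristics (hex-only labels, long consonant runs, low vowel ratio), tallies TLDs overall and among the names it flags, and runs the same check over DNS query-log lines. The thresholds, the hypothetical log format, and the input domains (taken from the article's own examples) are assumptions; calibrate the thresholds on a labelled set before using them to block anything.

```python
"""Heuristic triage of sinkhole-candidate domains: DGA-likeness and TLD tallies.
Added example (not the article's code). Thresholds are assumptions."""
import math
import re
from collections import Counter

VOWELS = set("aeiouy")  # y counted as a vowel so "quickly" is not a consonant run
# Labels such as 00e43dd307d4: ten or more hex chars mixing digits and letters.
HEX_LABEL = re.compile(r"^(?=.*\d)(?=.*[a-f])[0-9a-f]{10,}$")

# Constructed sample: the domains quoted in the article, de-fanging removed.
SAMPLE_DOMAINS = [
    "lztorsixnikxicahclbrasqu.org", "azslrhksyldb.org",
    "bqkrtxgkmriwsiwcngtivpx.info", "fkbpvfnbhfwedagussg.com",
    "00e43dd307d4.com", "honeybot.us", "quicklygood.gdn", "gramblr.ca",
    "empire-js.us", "eitherplunge.gdn", "ee0.us", "2gambling.us",
]

# Constructed DNS query log in a hypothetical "timestamp client qname" format.
SAMPLE_LOG = [
    "2023-05-01T10:00:01Z 10.0.0.5 fkbpvfnbhfwedagussg.com",
    "2023-05-01T10:00:02Z 10.0.0.5 www.example.com",
    "2023-05-01T10:00:03Z 10.0.0.7 00e43dd307d4.com",
    "2023-05-01T10:00:04Z 10.0.0.9 quicklygood.gdn",
]


def sld_and_tld(domain):
    """Split a name into its second-level label and TLD (no public-suffix lookup)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2], parts[-1]


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def features(label):
    alnum = "".join(c for c in label if c.isalnum())
    letters = [c for c in alnum if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return {
        "length": len(alnum),
        "entropy": round(shannon_entropy(alnum), 2),  # reported, not used in the rule
        "vowel_ratio": round(vowel_ratio, 2),
        "consonant_run": longest_consonant_run(alnum),
        "hex_like": HEX_LABEL.match(alnum) is not None,
    }


def looks_dga(label):
    """True when the label reads as machine-generated rather than word-based."""
    f = features(label)
    return (f["hex_like"]
            or f["consonant_run"] >= 5
            or (f["length"] >= 8 and f["vowel_ratio"] < 0.2))


def triage(domains):
    """Classify each domain; tally TLDs overall and among DGA-flagged names."""
    verdicts, all_tlds, dga_tlds = {}, Counter(), Counter()
    for d in domains:
        label, tld = sld_and_tld(d)
        all_tlds[tld] += 1
        if looks_dga(label):
            verdicts[d] = "dga"
            dga_tlds[tld] += 1
        else:
            verdicts[d] = "wordlike"
    return verdicts, all_tlds, dga_tlds


def flag_query_log(lines):
    """Return (client, qname, tld) for log lines whose queried name looks DGA-generated."""
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        label, tld = sld_and_tld(qname)
        if looks_dga(label):
            hits.append((client, qname, tld))
    return hits


if __name__ == "__main__":
    verdicts, all_tlds, dga_tlds = triage(SAMPLE_DOMAINS)
    for d, v in verdicts.items():
        print(f"{v:9s} {d:32s} {features(sld_and_tld(d)[0])}")
    print("TLDs (all):", dict(all_tlds), "TLDs (DGA):", dict(dga_tlds))
    print("Flagged queries:", flag_query_log(SAMPLE_LOG))
```

On the article's examples the rule flags the five random-looking labels and leaves the word-based ones (including the brand-like gramblr and the short ee0) unflagged. Word-based lookalikes, brand names, and personal names cannot be separated by string statistics alone; sorting the unflagged remainder into the article's other three categories requires word and brand lists, which this example does not include.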

Domains by Age

Finally, we looked at a 5% sample of the sinkholed domains and found that they had been registered for an average of 2,078 days, or five years and eight months, at the time of analysis. Note that this age is measured from the WHOIS creation date and therefore includes any period during which the domain has been held by the sinkhole operator, so it does not directly measure how long the malware infrastructure was active before takedown. The youngest domains were 495 days, or one year and five months, old. Examples include:

  • 00e43dd307d4[.]com
  • 02576d2be122[.]com
  • 07b77b06b3d4[.]com
  • 08763cfb0f47[.]com
  • 0f9f3cb6e5d4[.]com
  • 0fb4f4af4222[.]com
  • 1298b712ac47[.]com
  • 14870912fd47[.]com
  • 15989f77bf47[.]com
  • 17e617039847[.]com
  • 180a4b35d547[.]com

The oldest domain—2gambling[.]us—was 4,042 days or 11 years and one month old.

What Our Findings Mean for Cybersecurity Professionals

Given the results of our study, companies should be wary of suspicious domains that fall under the four categories described above, especially when they use the TLDs the actors behind the ongoing campaigns appear to favor. Domain age can serve as an additional signal, although on its own it is a weak one, since the ages measured here include time spent under sinkhole control; it is most useful in combination with the naming and TLD indicators.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider
