
Dissecting 1M+ Malicious Domains Under the DNS Lens

Threat actors continue to abuse the DNS by weaponizing domain names. On 13 April 2023, through our recently launched Threat Intelligence Data Feeds (TIDF), we identified more than 1 million suspicious and malicious domains that figured in phishing, malware distribution, spam, and other cyber attacks, such as brute-force and distributed denial-of-service (DDoS) attacks.

WhoisXML API researchers reviewed those suspicious and malicious domains and probed them using our WHOIS, IP, and DNS intelligence to provide additional value to threat and adversary contextualization, investigation, prediction, and disruption efforts. Our study revealed the following:

  • A total of 46% of the malicious domains were classified as command-and-control (C&C) servers, while 18.7% were involved in phishing attacks.
  • .com was the most common TLD used, followed by .net, .org, .biz, .info, and .xyz.
  • The U.S. was the top registrant and IP geolocation country.
  • About 3% of the malicious domains targeted some of the most-impersonated brands.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Malicious Domains by Threat Type

The chart below shows the distribution of malicious domains by threat type.

Nearly half of the malicious domains studied were flagged as C&C servers and about 18% figured in phishing campaigns. Interestingly, a screenshot analysis of a sample of these domains still showed live login and signup pages.

About 13% were involved in malware distribution. While such a campaign can be launched in several ways, app downloads like the one shown below could be another tactic.

A few domains (0.6%) meanwhile were linked to suspicious activities, such as hosts possibly involved in sending large volumes of queries. An example is paypaypay[.]org whose screenshot is shown below.

On the other hand, a little over a dozen domains were classified as spammers, while around 21% were indicators of compromise (IoCs) involved in generic malicious campaigns.

TLD Usage of the Malicious Domains

The malicious domains were distributed among more than 700 TLDs, with .com accounting for the majority (45.5%). There’s a nonnegligible gap between .com and the rest of the top TLDs—.net with 13.6%, .org with 12.1%, .biz with 6.5%, .info with 4.4%, .xyz with 2.8%, .top with 2.4%, .site with 0.8%, .tickets with 0.7%, and .blackfriday with 0.7%.

The chart below shows the top 20 TLDs used by the malicious domains.

Zooming in on the Most-Impersonated Brands

The malicious domains were also analyzed based on Cloudflare’s list of the most-impersonated brands. We sought to determine the percentage of malicious domains on the specific data feed that seemingly attempted to imitate the companies. That is detailed in the table below.

| Company Name | Percentage of Domains Found | Company Name | Percentage of Domains Found |
| --- | --- | --- | --- |
| Facebook | 8.1% | eBay, Inc. | 1.2% |
| Amazon | 7.6% | ING Group | 0.9% |
| Apple | 5.7% | Internal Revenue Service | 0.8% |
| WhatsApp (Meta) | 5.6% | Coinbase Global, Inc. | 0.7% |
| Office365 (Microsoft) | 4.8% | HSBC Holdings plc | 0.5% |
| The Bank of America Corporation | 4.4% | Caixa Econômica Federal | 0.4% |
| Deutscher Paketdienst | 3.8% | American Express Company | 0.3% |
| PayPal | 3.7% | National Police Agency Japan | 0.3% |
| Microsoft | 3.2% | LinkedIn (Microsoft) | 0.2% |
| United States Postal Service | 2.7% | FedEx | 0.2% |
| Allegro | 2.4% | Banco Bradesco S.A. | 0.2% |
| Adobe | 2.3% | Chase Bank | 0.1% |
| Steam | 2.3% | Bank Millennium SA | 0.1% |
| Instagram (Meta) | 1.9% | Swisscom AG | 0.1% |
| Netflix Inc | 1.6% | East Japan Railway Company | 0.1% |
| Sumitomo Mitsui Banking Corporation | 1.5% | Swiss Post | 0.1% |
| Orange S.A. | 1.4% | KDDI | 0.1% |
| Wells Fargo & Company | 1.4% | Alphabet | 0.1% |
| JCB Co., Ltd. | 1.3% | Verizon | 0.1% |

Overall, about 3% of the data feed were possible cybersquatting domains targeting these most-impersonated brands.
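
The TLD breakdown and brand-impersonation check discussed above can be approximated on any domain feed with a short triage script. This is an added example, not WhoisXML API's code or method: the brand subset, look-alike folding rules, allowlist, and sample feed are assumptions constructed for illustration.

```python
from collections import Counter

# Subset of the brands in the table above; the matching rules are assumptions.
BRANDS = ["facebook", "amazon", "apple", "whatsapp", "paypal", "microsoft", "netflix"]
# Hypothetical allowlist of brand-owned domains that must never be flagged.
OFFICIAL = {"facebook.com", "amazon.com", "apple.com", "paypal.com", "microsoft.com"}
# Fold common look-alike characters and drop hyphens before matching (not exhaustive).
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def refang(indicator):
    """Turn a defanged indicator (paypaypay[.]org, hxxp://...) into a bare hostname."""
    host = indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    return host.split("://", 1)[-1].split("/", 1)[0].rstrip(".")

def tld_of(host):
    """Last label only; multi-label suffixes such as co.uk need a public-suffix list."""
    return host.rsplit(".", 1)[-1]

def brand_hits(host, official=OFFICIAL):
    """Brands named in the folded labels of a host that the brand does not own."""
    if any(host == d or host.endswith("." + d) for d in official):
        return []
    folded = host.rsplit(".", 1)[0].translate(FOLD).replace(".", "")
    # Substring matching over-flags (e.g. "pineapple" hits "apple"): treat hits as leads.
    return [b for b in BRANDS if b in folded]

def triage(feed, official=OFFICIAL):
    """Return (TLD share in percent, {host: matched brands}) for a list of indicators."""
    hosts = [refang(i) for i in feed if i.strip()]
    counts = Counter(tld_of(h) for h in hosts)
    share = {t: round(100 * n / len(hosts), 1) for t, n in counts.most_common()}
    flagged = {h: hits for h in hosts if (hits := brand_hits(h, official))}
    return share, flagged

# Constructed sample feed; only paypaypay[.]org appears in the article itself.
FEED = [
    "hxxps://secure-paypa1-login[.]com/signin",
    "amaz0n-refund[.]net",
    "faceb00k.verify-account[.]xyz",
    "paypaypay[.]org",
    "www.paypal.com",          # brand-owned host, included to exercise the allowlist
    "cdn-static-files[.]biz",
]

if __name__ == "__main__":
    share, flagged = triage(FEED)
    print(share)
    print(flagged)
```

Brand hits from this kind of matching are candidates for review rather than verdicts; WHOIS and hosting context is what separates a cybersquatting domain from a coincidental string match.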

Administering Organizations

Next, we sought to determine the organizations with administrative control over the malicious domains. To do that, we used Bulk WHOIS Lookup to retrieve the WHOIS information of a sample of the malicious indicators, comprising 16,382 domains. Bulk IP Lookup was also used to obtain their IP geolocation details.

Among the top registrars were GoDaddy (16.4%), Namecheap (8.1%), Hostinger (6.6%), Mark Monitor (6.3%), REGRU-RU (4.9%), PDR Ltd. (3.9%), NOM-IQ (3.1%), Amazon (1.7%), RU-CENTER-RU (1.5%), and REG.RU, LLC (1.4%). The rest of the malicious domains were divided among 376 other registrars.

Some of the registrars in the top 10 were also the top ISPs. For instance, Amazon led the list with 22.7% of the resolving domains. Hostinger was also in the top 10 ISPs, accounting for 2.3% of the resolutions. The other ISPs on the list were Cloudflare (15.8%), Google (6.2%), Akamai (2.5%), Servers.com (1.8%), Fastly (1.8%), 24 Shells (1.6%), Trellian Pty. Limited (1.3%), and Microsoft (1.3%).

Top Locations of the Malicious Domains

WHOIS and IP geolocation details obtained from the previous analysis helped us determine the top locations of the sample malicious domains.

The U.S. consistently ranked first in both areas, accounting for 72.4% of the IP resolutions and 56.4% of the domain registrations. Iceland was the second top registrant country, with 8.8%, mostly for domains with redacted WHOIS records. It was followed by Cyprus with 8.1%, China with 2.7%, and the U.K. with 2.4%. The rest of the top 10 are found in the list below.

For IP geolocation, Canada came in second with 4.3%, followed by Germany with 3.5%, the Netherlands with 3.3%, and China with 2.7%. The chart below shows the rest of the top IP geolocation countries.

The insights gleaned from this study were based on suspicious and malicious domains detected on 13 April 2023. Given the dynamic threat landscape, these may change daily. This reality further highlights the need for constant DNS monitoring and analysis for proactive threat detection, prevention, mitigation, and disruption.

Interested in accessing our Threat Intelligence Data Feeds? Request a demo now or download file samples.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
