
New Year, Old Threats: What Does the DNS Reveal About 2025?

2025 is barely a few weeks old, but we have already heard reports of advanced phishing attacks leveraging generative artificial intelligence (AI). It is alarming but not exactly surprising. As expected, threat actors are using more sophisticated and modern attack techniques, and they will likely continue to rely on domain names as phishing vehicles.

With that in mind, the WhoisXML API researchers sought to find out what domain threats the new year holds by studying 1,000 suspicious domains that contained the text string "2025" and were recently added to the First Watch Malicious Domains Data Feed.

Our in-depth DNS investigation led to the discovery of:

  • 401 email-connected domains, one of which turned out to be malicious
  • 877 IP addresses, 311 of which turned out to be malicious
  • 4,808 IP-connected domains, one of which turned out to be malicious
  • 10,000 string-connected subdomains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know about the 2025 Domains

We began our investigation into the 2025-themed domain threats by looking into a sample of 1,000 suspicious domains containing the string 2025.

After querying them on Bulk WHOIS Lookup, we found that only 880 had current WHOIS records. Here are some of our specific findings.

  • The domains were administered by 95 different registrars led by GoDaddy, which accounted for 327 domains. The other leading registrars were Dynadot with 79 domains; Namecheap with 43; eNom with 37; IONOS with 28; Squarespace Domains with 27; Porkbun with 26; Wild West Domains with 24; Alibaba Cloud Computing with 17; and Wix with 16. A total of 256 domains were distributed among 85 other registrars, while 120 domains did not have current registrar information.
  • They were created between 2006 and 2024, although more than half (553 domains, to be exact) were created in 2024.

  • They were registered in 47 different countries, with the U.S. accounting for 520 domains. The rest of the top 10 registrant countries followed far behind, including China with 34 domains, Iceland with 25, Germany with 23, the U.K. with 17, Japan with 15, Spain with 12, Italy with 11, Russia with 10, and the Netherlands with 10. A total of 89 domains were registered in 37 other countries, while 234 did not have current registrant country data.

We then queried the 1,000 2025 domains on Screenshot API and found that 711 hosted or redirected to parked pages or live content. Many of the live domains hosted similar-looking content selling concert or game tickets. A few examples are shown below.

We also queried the domains on DNS Chronicle API and found that 937 had between 1 and 218 historical IP resolutions each. The domains had a total of 22,315 recorded events from 4 October 2019 to 2 January 2025. Five examples are listed below.

DOMAIN                          START DATE         LAST DATE          NUMBER OF IP RESOLUTIONS
ainiaiwo2025[.]com              4 October 2019     9 November 2024    40
gagatour2025[.]com              6 November 2022    30 August 2024     54
vegaskickoffclassic2025[.]com   13 December 2023   21 December 2024   42
www222025[.]com                 29 December 2023   1 January 2025     11
theelection2025[.]com           3 March 2024       9 November 2024    16

Uncovering 2025 Domain Connections

Having scrutinized the sample of 1,000 2025 domains with the help of domain and DNS intelligence, we dug deeper to look for potentially connected artifacts.

Our earlier bulk WHOIS lookup yielded 88 email addresses after duplicates were filtered out, six of which turned out to be public addresses. A Reverse WHOIS API query for the six public email addresses revealed that three could belong to domainers, since each had been used to register more than 300 domains.

As a result, we were left with three high-confidence public email addresses that appeared in the WHOIS records of 401 email-connected domains after duplicates and the original domains from First Watch Malicious Domains Data Feed were removed.

We then queried the 1,000 2025 domains on DNS Lookup API and found that they currently resolved to 877 unique IP addresses. A Threat Intelligence API query for the 877 IP addresses revealed that 311 had already been associated with various malicious activities.
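The email and IP pivots described above follow a fixed set of rules: keep only public (non-redacted) registrant emails, drop any email that registers more than 300 domains as a likely domainer, collect the remaining emails' other domains, and remove duplicates and the seed domains; then resolve the seed domains, check the resulting IPs against threat intelligence, and gather the other domains those IPs host. The script below is an added illustration of that workflow and is not code from the original post or from WhoisXML API. The WHOIS, reverse-WHOIS, DNS and threat-intelligence data are small constructed dictionaries standing in for the API responses; the redaction markers and the 300-domain threshold are the only assumptions beyond what the post states.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample data standing in for the API responses (not from the post).
SEED_DOMAINS: List[str] = [
    "gala2025.example", "tickets2025.example", "fest2025.example", "tour2025.example",
]

# Bulk WHOIS result: domain -> registrant email (None = no current record).
WHOIS_EMAIL: Dict[str, Optional[str]] = {
    "gala2025.example": "promo@mail.example",
    "tickets2025.example": "promo@mail.example",
    "fest2025.example": "REDACTED FOR PRIVACY",
    "tour2025.example": "bulk@domainer.example",
}

# Reverse WHOIS index: email -> every domain registered with it.
# The domainer email is given 351 constructed domains to exceed the threshold.
REVERSE_WHOIS: Dict[str, List[str]] = {
    "promo@mail.example": [
        "gala2025.example", "tickets2025.example", "gala2026.example", "vipseats.example",
    ],
    "bulk@domainer.example": [f"parked{i}.example" for i in range(350)] + ["tour2025.example"],
}

# DNS lookup (A records) and reverse-IP index, using documentation address ranges.
DNS_A: Dict[str, List[str]] = {
    "gala2025.example": ["203.0.113.10"],
    "tickets2025.example": ["203.0.113.10", "198.51.100.7"],
    "fest2025.example": ["198.51.100.7"],
    "tour2025.example": ["192.0.2.44"],
}
REVERSE_IP: Dict[str, List[str]] = {
    "203.0.113.10": ["gala2025.example", "tickets2025.example", "shop-deals.example"],
    "198.51.100.7": ["tickets2025.example", "fest2025.example", "cheapseats.example"],
    "192.0.2.44": ["tour2025.example"],
}
MALICIOUS_IPS: Set[str] = {"198.51.100.7"}  # constructed threat-intel verdicts

# Assumed markers of a redacted / proxy-protected WHOIS email address.
REDACTED_MARKERS = ("redacted", "privacy", "proxy", "whoisguard")
DOMAINER_THRESHOLD = 300  # the post treats >300 registrations per email as a domainer


def is_public_email(email: Optional[str]) -> bool:
    """A usable pivot email: present, looks like an address, not a privacy placeholder."""
    if not email or "@" not in email:
        return False
    return not any(marker in email.lower() for marker in REDACTED_MARKERS)


def select_pivot_emails(seed: Iterable[str], whois: Dict[str, Optional[str]],
                        reverse_whois: Dict[str, List[str]],
                        threshold: int = DOMAINER_THRESHOLD) -> Set[str]:
    """Public emails from the seed domains, minus those that look like domainers."""
    public = {whois[d] for d in seed if is_public_email(whois.get(d))}
    return {e for e in public if len(reverse_whois.get(e, [])) <= threshold}


def email_connected_domains(seed: Iterable[str], pivots: Iterable[str],
                            reverse_whois: Dict[str, List[str]]) -> Set[str]:
    """All domains sharing a pivot email, deduplicated and with the seed domains removed."""
    connected: Set[str] = set()
    for email in pivots:
        connected.update(reverse_whois.get(email, []))
    return connected - set(seed)


def ip_pivot(seed: Iterable[str], dns_a: Dict[str, List[str]],
             reverse_ip: Dict[str, List[str]],
             malicious_ips: Set[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Returns (resolved IPs, IPs flagged by threat intel, IP-connected domains minus seed)."""
    seed_set = set(seed)
    ips: Set[str] = set()
    for domain in seed_set:
        ips.update(dns_a.get(domain, []))
    flagged = ips & malicious_ips
    ip_connected: Set[str] = set()
    for ip in ips:
        ip_connected.update(reverse_ip.get(ip, []))
    return ips, flagged, ip_connected - seed_set


if __name__ == "__main__":
    pivots = select_pivot_emails(SEED_DOMAINS, WHOIS_EMAIL, REVERSE_WHOIS)
    print("pivot emails:", sorted(pivots))
    print("email-connected domains:", sorted(email_connected_domains(SEED_DOMAINS, pivots, REVERSE_WHOIS)))
    ips, flagged, ip_domains = ip_pivot(SEED_DOMAINS, DNS_A, REVERSE_IP, MALICIOUS_IPS)
    print("IPs:", sorted(ips), "flagged:", sorted(flagged), "IP-connected:", sorted(ip_domains))
```

The domainer filter matters for precision: an email that registers hundreds of unrelated domains links the seed to a great deal of noise, so it is excluded before the reverse-WHOIS expansion rather than after. The same applies to shared hosting IPs in the IP pivot, which is why the post reports IP-connected domains separately from the malicious-IP count.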

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
