2025 is barely a few weeks old, but we’ve already heard reports of advanced phishing attacks leveraging generative artificial intelligence (AI). It’s scary but not exactly surprising. Threat actors are expectedly using more sophisticated and modern attack techniques and will likely continue to rely on domain names as phishing vehicles.
With that in mind, the WhoisXML API researchers sought to find out what domain threats the new year literally holds by studying 1,000 suspicious domains that contained the text string 2025 and were recently added to First Watch Malicious Domains Data Feed.
Our in-depth DNS investigation led to the discovery of:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our investigation into the 2025-themed domain threats by looking into a sample of 1,000 suspicious domains containing the string 2025.
After querying them on Bulk WHOIS Lookup, we found that only 880 had current WHOIS records. Here are some of our specific findings.
They were created between 2006 and 2024, although more than half (553 domains, to be exact) were created in 2024.
They were registered in 47 different countries, with the U.S. accounting for 520 domains. The rest of the top 10 registrant countries followed far behind, including China with 34 domains, Iceland with 25, Germany with 23, the U.K. with 17, Japan with 15, Spain with 12, Italy with 11, Russia with 10, and the Netherlands with 10. A total of 89 domains were registered in 37 other countries, while 234 did not have current registrant country data.
We then queried the 1,000 2025 domains on Screenshot API and found that 711 hosted or redirected to parked pages or live content. Many of the live domains hosted similar-looking content that sold concert or game tickets. We provided a few examples below.
We also queried the domains on DNS Chronicle API and found that 937 had 1–218 historical IP resolutions per domain. The domains had a total of 22,315 recorded events from 4 October 2019 to 2 January 2025. Take a look at five examples below.
| DOMAIN | START DATE | LAST DATE | NUMBER OF IP RESOLUTIONS |
|---|---|---|---|
| ainiaiwo2025[.]com | 4 October 2019 | 9 November 2024 | 40 |
| gagatour2025[.]com | 6 November 2022 | 30 August 2024 | 54 |
| vegaskickoffclassic2025[.]com | 13 December 2023 | 21 December 2024 | 42 |
| www222025[.]com | 29 December 2023 | 1 January 2025 | 11 |
| theelection2025[.]com | 3 March 2024 | 9 November 2024 | 16 |
Having scrutinized the sample of 1,000 2025 domains aided by domain and DNS intelligence, we dove deeper to look for potentially connected artifacts.
Our bulk WHOIS lookup earlier provided 88 email addresses after duplicates were filtered out, six of which turned out to be public addresses. A Reverse WHOIS API query for the six public email addresses revealed that three could be owned by a domainer as they were used to register more than 300 domains each.
As a result, we were left with three high-confidence public email addresses that appeared in the WHOIS records of 401 email-connected domains after duplicates and the original domains from First Watch Malicious Domains Data Feed were removed.
We then queried the 1,000 2025 domains on DNS Lookup API and found that they currently resolved to 877 unique IP addresses. A Threat Intelligence API query for the 877 IP addresses revealed that 311 have already figured in various malicious activities.
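The expansion steps above (summarizing DNS history per domain, filtering WHOIS e-mail addresses down to high-confidence pivots by dropping privacy-proxy and domainer addresses, expanding to e-mail-connected domains minus the seeds, and flagging resolutions that overlap a threat list) can be reproduced offline on any record set. The block below is an added illustration written for this post, not WhoisXML API code; every record in it is constructed sample data under hypothetical `.example` names, and the reverse-WHOIS index, privacy-proxy list and threat list stand in for the API responses the post used. The 300-domain domainer cutoff is the one stated in the text.

```python
"""Added illustration of the pivoting method described in the post.
All records here are constructed; none are the post's artifacts."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

DOMAINER_THRESHOLD = 300  # post: addresses on more than 300 domains were treated as domainers


@dataclass
class WhoisRecord:
    domain: str
    created: int               # creation year
    country: Optional[str]     # registrant country, None when missing/redacted
    email: Optional[str]       # registrant e-mail, None when missing/redacted


# Constructed seed records (hypothetical domains containing the string 2025)
SEED_WHOIS = [
    WhoisRecord("tour2025-tickets.example", 2024, "US", "ops@proxy.example"),
    WhoisRecord("kickoff2025.example", 2024, "US", "seller1@mail.example"),
    WhoisRecord("vote2025.example", 2023, "CN", "seller1@mail.example"),
    WhoisRecord("expo2025.example", 2024, None, None),
    WhoisRecord("cheap2025.example", 2022, "DE", "bulk@registrar.example"),
]

# Constructed reverse-WHOIS index: e-mail -> every domain registered with it
REVERSE_WHOIS = {
    "seller1@mail.example": {"kickoff2025.example", "vote2025.example",
                             "fanzone.example", "gate-tix.example"},
    "bulk@registrar.example": {f"lot{i}.example" for i in range(450)},  # domainer-like volume
}

PRIVACY_PROXY = {"ops@proxy.example"}  # constructed stand-in for WHOIS privacy addresses

# Constructed passive-DNS events: (domain, ISO date, IP)
DNS_EVENTS = [
    ("kickoff2025.example", "2023-12-13", "192.0.2.10"),
    ("kickoff2025.example", "2024-06-01", "192.0.2.11"),
    ("kickoff2025.example", "2024-12-21", "192.0.2.10"),
    ("vote2025.example", "2024-03-03", "198.51.100.7"),
]

THREAT_IPS = {"192.0.2.10"}  # constructed threat list


def defang(domain: str) -> str:
    """Render a domain the way the post does (example[.]com) so it is not clickable."""
    return domain.replace(".", "[.]")


def whois_stats(records):
    """Creation-year and registrant-country counts; missing countries tallied separately."""
    years = Counter(r.created for r in records)
    countries = Counter(r.country for r in records if r.country)
    missing_country = sum(1 for r in records if r.country is None)
    return years, countries, missing_country


def dns_history_summary(events):
    """Per domain: first seen, last seen, number of resolution events (the table's columns)."""
    out = {}
    for domain, date, _ip in events:
        first, last, n = out.get(domain, (date, date, 0))
        out[domain] = (min(first, date), max(last, date), n + 1)
    return out


def pivot_emails(records, reverse_whois, privacy_proxy, threshold=DOMAINER_THRESHOLD):
    """Return (high-confidence e-mails, connected domains) following the post's filters:
    drop privacy-proxy addresses, drop addresses on more than `threshold` domains,
    then collect their other domains minus the seeds."""
    seeds = {r.domain for r in records}
    emails = {r.email for r in records if r.email} - privacy_proxy
    keep = {e for e in emails if len(reverse_whois.get(e, ())) <= threshold}
    connected = set()
    for e in keep:
        connected |= reverse_whois.get(e, set())
    return keep, connected - seeds


def flag_resolutions(events, threat_ips):
    """Map each domain to the subset of its observed IPs found on the threat list."""
    seen = {}
    for domain, _date, ip in events:
        seen.setdefault(domain, set()).add(ip)
    return {d: ips & threat_ips for d, ips in seen.items() if ips & threat_ips}


if __name__ == "__main__":
    print(whois_stats(SEED_WHOIS))
    for d, (first, last, n) in dns_history_summary(DNS_EVENTS).items():
        print(defang(d), first, last, n)
    print(pivot_emails(SEED_WHOIS, REVERSE_WHOIS, PRIVACY_PROXY))
    print({defang(d): ips for d, ips in flag_resolutions(DNS_EVENTS, THREAT_IPS).items()})
```

The domainer threshold is the main judgment call in this pipeline: an address behind hundreds of domains pivots to noise rather than to a campaign, so it is excluded before expansion, and the seeds are subtracted afterwards so the connected set only contains newly discovered domains.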
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.