
Top 10 Malware of Q4 2025: A DNS Deep Dive

The Center for Internet Security (CIS) named the top 10 malware of Q4 2025 on 29 January 2026. They also identified network IoCs for seven of the top 10 malware—SocGholish, CoinMiner, Agent Tesla, Calendaromatic, ZPHP, VenomRAT, and ACR Stealer. Take a look at more details about the top 10 malware below.

| Rank | Malware | Description | Number of Original IoCs | Number of IoCs Analyzed |
|---|---|---|---|---|
| 1 | SocGholish | JS downloader distributed via malicious or compromised sites as fake browser updates | 22 (12 domains; 10 subdomains) | 17 (7 domains; 10 subdomains) |
| 2 | CoinMiner | Crypto miner that typically uses WMI to spread across networks | 4 (4 domains) | 4 (4 domains) |
| 3 | Agent Tesla | RAT that targets Windows OSs, sold on cybercriminal forums | 9 (5 domains; 4 subdomains) | 8 (4 domains; 4 subdomains) |
| 6 | Calendaromatic | Backdoor that masquerades as a legitimate calendar download, spread via malvertisements and SEO poisoning | 5 (5 domains) | 5 (5 domains) |
| 7 | ZPHP | JS downloader distributed via malicious or compromised sites as fake browser updates | 8 (8 domains) | 5 (5 domains) |
| 8 | VenomRAT | Open-source RAT often dropped by other malware or spread via malspam | 6 (6 domains) | 2 (2 domains) |
| 9 | ACR Stealer | Infostealer written in C++, often used by the SideCopy threat group | 7 (7 domains) | 5 (5 domains) |

Note that we excluded from further analysis those domains originally identified as IoCs that turned out to be owned by legitimate entities, a check aided by the WhoisXML API MCP Server. That left us with 46 of the IoCs originally identified by the CIS: we excluded 15 domains in all, leaving 32 domains and 14 subdomains for our in-depth investigation.

Our deep dive into the 46 IoCs for seven of the top 10 malware of Q4 2025 led to these discoveries:

  • 145 unique client IP addresses communicated with eight domains classified as IoCs
  • Seven domains named as IoCs were deemed likely to have been registered with malicious intent from the get-go
  • 359 email-connected domains, 25 of which were confirmed malicious
  • 29 IP addresses, 19 of which were confirmed malicious
  • 283 IP-connected domains, one of which was confirmed malicious
  • 692 string-connected domains, one of which was confirmed malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Validating the Subdomain IoCs

We gathered more information on the 14 subdomains identified as IoCs using Jake AI.

We learned that 11 of them were unresponsive during the subdomain checks, even though some could be part of the infrastructure of legitimate companies. Two subdomains had private registration details; one of these sat under a well-established domain, while the other was under a recently registered one. Most interesting, however, was the last subdomain we analyzed, akilay[.]kingx[.]info, which was confirmed malicious.

Jake AI result confirming the malicious nature of the subdomain akilay[.]kingx[.]info

New DNS-Related Insights for the Domain IoCs Uncovered

We then moved on toward gathering more information about the 32 domains identified as IoCs.

Sample network traffic data from the IASC revealed that 145 unique client IP addresses under seven distinct ASNs communicated with eight of the domains tagged as IoCs via 501 DNS queries between 1 and 30 January 2026.
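The traffic figures above come from matching DNS query records against the IoC domains. The script below is an added example of that matching step, not code from the original post or from WhoisXML API's tooling: it refangs IoC domains written the way the post writes them (for example kingx[.]info), checks each queried name for an exact or subdomain match on a label boundary (so notkingx.info does not match kingx.info), and summarizes unique client IPs, query counts, and the first and last query time per IoC. The log lines, client IPs (documentation ranges), and log format are constructed for illustration.

```python
"""Match DNS query logs against defanged IoC domains (added example).

Not part of the original post or of WhoisXML API's tooling. The log
format (timestamp, client IP, qname, qtype) and the client IPs are
constructed; the IoC domains are taken from the post.
"""
from collections import defaultdict
from datetime import datetime

# IoC domains as written (defanged) in the post.
DEFANGED_IOCS = [
    "kingx[.]info",
    "akilay[.]kingx[.]info",
    "paquetesparaorlando[.]com",
    "obsidianmidnight[.]top",
]

# Constructed DNS query log lines: timestamp, client IP, qname, qtype.
SAMPLE_LOG = """\
2026-01-03T10:15:02Z 192.0.2.10 www.example.com A
2026-01-03T10:15:09Z 192.0.2.10 akilay.kingx.info A
2026-01-07T08:01:44Z 192.0.2.25 cdn.kingx.info A
2026-01-12T22:40:13Z 198.51.100.7 paquetesparaorlando.com A
2026-01-12T22:40:13Z 198.51.100.7 paquetesparaorlando.com AAAA
2026-01-20T14:05:51Z 198.51.100.9 notkingx.info A
2026-01-28T19:30:00Z 192.0.2.10 KINGX.INFO. A
"""


def refang(domain: str) -> str:
    """Turn a defanged name such as kingx[.]info into kingx.info,
    lowercased and without a trailing dot."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


def matches_ioc(qname: str, ioc: str) -> bool:
    """True if qname equals the IoC or is a subdomain of it.
    The leading dot keeps notkingx.info from matching kingx.info."""
    q = qname.strip().lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname, qtype


def match_dns_log(log_text: str, defanged_iocs):
    """Return {ioc: {"clients": set, "queries": int, "first": dt, "last": dt}}.

    A query for a subdomain IoC also counts toward its parent IoC, so
    akilay.kingx.info is attributed to both akilay.kingx.info and kingx.info.
    """
    iocs = [refang(d) for d in defanged_iocs]
    hits = defaultdict(lambda: {"clients": set(), "queries": 0, "first": None, "last": None})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, qname, _ = parse_line(raw)
        for ioc in iocs:
            if matches_ioc(qname, ioc):
                h = hits[ioc]
                h["clients"].add(client)
                h["queries"] += 1
                if h["first"] is None or ts < h["first"]:
                    h["first"] = ts
                if h["last"] is None or ts > h["last"]:
                    h["last"] = ts
    return dict(hits)


def summarize(hits):
    """Flatten the hit map into sortable rows: (ioc, unique clients, queries, first, last)."""
    rows = [
        (ioc, len(h["clients"]), h["queries"], h["first"].date().isoformat(), h["last"].date().isoformat())
        for ioc, h in hits.items()
    ]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for row in summarize(match_dns_log(SAMPLE_LOG, DEFANGED_IOCS)):
        print("%-28s clients=%d queries=%d first=%s last=%s" % row)
```

Feeding real resolver logs through this is a matter of replacing parse_line with a parser for the log format in use; the matching and summary logic do not change. Counting unique clients per IoC, rather than raw queries, is what separates one infected host retrying a lookup from a population of affected machines.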

The results of our First Watch Malicious Domains Data Feed queries also revealed that seven domains classified as IoCs were deemed likely to turn malicious 20 to 517 days before they were reported as such on 29 January 2026. Three examples follow.

| Malware | Domain IoC | First Watch Date | Number of Days Before the Report Date |
|---|---|---|---|
| Agent Tesla | kingx[.]info | 08/30/24 | 517 |
| Calendaromatic | ovementxview[.]com | 09/13/25 | 138 |
| CoinMiner | umnsrx[.]net | 09/24/25 | 127 |

Next, we queried the 32 domains named as IoCs on WHOIS API and discovered that:

  • They were created between 10 March 2008 (selcukpeker[.]com related to ZPHP) and 9 January 2026 (obsidianmidnight[.]top connected to ZPHP).
  • While one domain did not have a registrar on record, the remaining 31 were administered by 15 different registrars.
  • While two domains did not have registrant countries on record, the remaining 30 were registered in nine different countries.

After that, we queried the 32 domains categorized as IoCs on DNS Chronicle API and learned that 31 had a total of 3,550 historical domain-to-IP resolutions over time. We listed the domain that recorded the first resolution for each malware below.

| Malware | Domain IoC | First Resolution Date | Last Resolution Date |
|---|---|---|---|
| SocGholish | paquetesparaorlando[.]com | 02/06/17 | 01/29/26 |
| CoinMiner | karbowanec[.]com | 02/06/17 | 10/28/25 |
| Agent Tesla | gcsho[.]com | 02/05/17 | 01/27/26 |
| Calendaromatic | krestinaful[.]com | 12/09/21 | 01/24/26 |
| ZPHP | ijels[.]com | 02/06/17 | 01/26/26 |
| VenomRAT | theriygrt[.]com | 08/02/25 | 11/03/25 |
| ACR Stealer | apposx[.]com | 02/05/17 | 06/21/25 |

New Artifacts Related to 7 of the Top 10 Malware Discovered

We began our hunt for new connected artifacts by querying the 32 domains identified as IoCs on WHOIS History API and discovered that 18 had 43 unique email addresses in their historical WHOIS records. Further scrutiny showed that 16 of them were public email addresses.

Historical Reverse WHOIS API queries for the 16 public email addresses led to the discovery of 359 unique email-connected domains after those already tagged as IoCs were filtered out.

When queried on Threat Intelligence API, we learned that 25 email-connected domains have already been weaponized for various attacks. Here are five examples.

| Email-Connected Domain | Associated Threat | Date First Seen | Date Last Seen |
|---|---|---|---|
| 1sou[.]top | Malware distribution | 06/11/25 | 01/30/26 |
| as5yo[.]top | Malware distribution | 08/26/25 | 01/30/26 |
| chinapark[.]top | Malware distribution | 06/11/25 | 01/30/26 |
| downloadfreak[.]top | Malware distribution | 06/11/25 | 01/30/26 |
| haidao10[.]top | Malware distribution | 04/27/25 | 01/30/26 |

A closer look at the malicious email-connected domains revealed several similarities. For instance, 14 were classified as malicious on the same date (11 June 2025) in relation to malware distribution, suggesting their likely usage in the same campaign.

Next, we queried the 32 domains named as IoCs on DNS Lookup API and found out that 24 resolved to 29 unique IP addresses.

The results of our Threat Intelligence API queries for the 29 IP addresses showed that 19 have already figured in various malicious campaigns.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider