Silent Night, Deadly Sites: How Christmas Cyber Threats Lurk in the DNS

An analysis of 22,923 domains containing the string "christmas" found widespread potentially malicious infrastructure: 3,229 unique IP addresses were observed, 2,529 of which were flagged as weaponized. The dataset shows strong registrar and registrant-country concentration, a large share of 2024 registrations, and extensive WHOIS and DNS linkages, consistent with a seasonal surge in risky holiday-themed domains. Source data: the WhoisXML API First Watch Malicious Domains Data Feed.

Keypoints

  • 22,923 “christmas” domains were collected and analyzed from the First Watch Malicious Domains Data Feed.
  • 3,229 unique IP addresses were observed for these domains; 2,529 IPs were classified as malicious/weaponized.
  • 1,331 email-connected domains were identified after reverse WHOIS correlation of public addresses.
  • 21,035 IP-connected domains were found, with 96 domains explicitly marked as malicious.
  • Approximately 84% of the domains were newly created in 2024, indicating a recent spike in holiday-themed registrations.
  • Domains were registered across 65 countries, led by Iceland (11,499 domains) and the United States (4,333 domains).
  • 17,188 domains had historical IP resolutions, totaling 168,578 DNS events from Oct 2019 to Nov 2024.
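The key points above describe a pivoting workflow: seed with string-connected domains, then expand by public registrant email (reverse WHOIS) and by shared historical IP resolution, and finally profile creation dates. The following is an added example of that workflow on a small constructed dataset; it is not code from the article or from WhoisXML API, and every domain, email, IP and date in it is made up for illustration. The privacy-proxy email domain and the skipping of redacted records are assumptions about how such a pivot is normally filtered, not something the article states.

```python
"""Domain-pivoting steps on a constructed dataset (added example).

Steps mirrored: string-connected seeds -> public-email pivot -> IP pivot,
plus the share of a domain set created in a given year.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    domain: str
    registrant_email: str   # "" when WHOIS is redacted
    created: str            # ISO date from WHOIS
    resolved_ips: tuple     # historical A-record values

# Constructed sample records; nothing here refers to real infrastructure.
RECORDS = [
    Record("holidaychristmasdeals.example", "owner@mail.example", "2024-11-02", ("203.0.113.10",)),
    Record("xmas-gifts.example", "owner@mail.example", "2024-10-20", ("203.0.113.11",)),
    Record("shop.example", "contact@redacted.invalid", "2019-03-01", ("203.0.113.10", "198.51.100.7")),
    Record("freechristmasmusic.example", "", "2024-11-15", ("198.51.100.7",)),
    Record("unrelated.example", "other@mail.example", "2021-06-30", ("192.0.2.5",)),
]

# Assumed list of privacy/proxy email domains; addresses there are not
# "public" and are excluded from the reverse-WHOIS pivot.
PRIVACY_DOMAINS = {"redacted.invalid"}


def string_connected(records, needle="christmas"):
    """Seed set: domain names containing the search string (case-insensitive)."""
    return {r.domain for r in records if needle in r.domain.lower()}


def public_emails(records, seeds):
    """Registrant emails of seed domains usable for reverse WHOIS:
    present in the record and not behind a privacy proxy."""
    emails = set()
    for r in records:
        if r.domain in seeds and r.registrant_email:
            if r.registrant_email.split("@")[-1] not in PRIVACY_DOMAINS:
                emails.add(r.registrant_email)
    return emails


def email_connected(records, seeds):
    """Reverse-WHOIS pivot: non-seed domains sharing a public email with a seed."""
    emails = public_emails(records, seeds)
    return {r.domain for r in records
            if r.registrant_email in emails and r.domain not in seeds}


def ip_connected(records, seeds):
    """Reverse-IP pivot: non-seed domains that resolved to an IP a seed used."""
    seed_ips = set()
    for r in records:
        if r.domain in seeds:
            seed_ips.update(r.resolved_ips)
    return {r.domain for r in records
            if r.domain not in seeds and seed_ips.intersection(r.resolved_ips)}


def share_created_in_year(records, domains, year):
    """Fraction of the given domains whose WHOIS creation date falls in `year`."""
    subset = [r for r in records if r.domain in domains]
    if not subset:
        return 0.0
    return sum(r.created.startswith(f"{year}-") for r in subset) / len(subset)


if __name__ == "__main__":
    seeds = string_connected(RECORDS)
    print("string-connected:", sorted(seeds))
    print("email-connected:", sorted(email_connected(RECORDS, seeds)))
    print("ip-connected:", sorted(ip_connected(RECORDS, seeds)))
    print("share of seeds created in 2024:", share_created_in_year(RECORDS, seeds, 2024))
```

Note that the IP pivot will happily pull in shared-hosting neighbours (here a 2019 shop sharing an address with a seed), which is why the article reports IP-connected domains separately from the much smaller count it marks malicious; the pivot widens the net, it does not by itself establish maliciousness.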

MITRE Techniques

  • [T1071] Application Layer Protocol (Command and Control) – Malicious domains used to maintain communications with compromised systems ('Utilizes multiple command and control domains to maintain communication with compromised systems.')
  • [T1566] Phishing – Holiday-themed domains and email-connected properties used to send fraudulent messages that harvest information ('Involves sending fraudulent emails to trick recipients into revealing personal information.')
  • [T1003] OS Credential Dumping – A post-compromise technique the article associates with this infrastructure: compromised assets may be leveraged to extract account credentials from systems ('Extracts account login and password information from compromised systems.'); the DNS and WHOIS data itself does not evidence this step.

Indicators of Compromise

  • [domain] sample malicious/at-risk domains – 12daysofchristmas[.]info, artificialchristmastreesale[.]co[.]uk, and further examples such as nashvillechristmasbus[.]com and yourfunny[.]christmas (note the .christmas TLD)
  • [IP addresses] dataset counts and context – 3,229 unique IPs observed for the dataset (2,529 flagged as weaponized); no individual IPs are listed in the article
  • [email addresses] WHOIS-derived emails – 629 unique emails found in WHOIS records (73 of them public, i.e. not behind a privacy proxy) used to discover 1,331 email-connected domains
  • [subdomains] string-connected subdomains – 1,436 string-connected subdomains identified (counts only; names not listed)

Read more: https://circleid.com/posts/silent-night-deadly-sites-how-christmas-cyber-threats-lurk-in-the-dns