Global Domain Activity Trends Seen in Q3 2025

WhoisXML API’s Global Domain Activity Report: Q3 2025 analyzed 25.7+ million newly registered domains (NRDs) and found a 1.2% quarter-over-quarter decrease. It also identified 3.2+ million domains tagged as indicators of compromise (IoCs) and drew on extensive MX/NS resolution data. The report highlights dominant TLDs and registrars (.com, .cn, GoDaddy, Namecheap) and unusual ccTLD activity such as the .cc volume-to-population incongruence.

Key points

  • Q3 2025 saw 25.7+ million newly registered domains (NRDs), a 1.2% decrease from Q2 2025.
  • gTLD registrations rose by 1.9% while ccTLD registrations fell by 13.3% in Q3 2025.
  • .com remained the most popular gTLD for both NRDs and malicious domains; .cn led ccTLD registrations.
  • GoDaddy was the top NRD registrar with 14.0% market share, followed by Namecheap at 9.4% and GMO Internet Group at 7.9%.
  • The .cc ccTLD showed a pronounced NRD volume-to-population incongruence with 366,698 NRDs despite a population of 593 (NRD per capita ~812.6).
  • 3.2+ million domains were tagged as IoCs in Q3 2025; .com accounted for 17.5% of IoC volume and other gTLDs like .org, .net, and .biz also featured prominently.
  • The dataset included 2.1+ billion MX and 4.2+ billion NS resolutions over the past 365 days used to identify top FQDNs and providers.

MITRE Techniques

  • [T1583] Acquire Infrastructure – Threat actors registered large volumes of domains (NRDs) including 3.2+ million IoCs to support malicious infrastructure: “…3.2+ million domains tagged as indicators of compromise (IoCs) in Q3 2025…”
  • [T1566] Phishing – Use of popular gTLDs like .com for IoCs suggests phishing and fraud campaigns leveraging familiar domains: “…threat actors continued to favor using .com domains over others, with the gTLD accounting for 17.5% of the total IoC volume.”
  • [T1071] Application Layer Protocol – High volumes of MX and NS resolutions indicate malicious use of mail and DNS infrastructure for campaigns: “…2.1+ billion mail exchange (MX) server and 4.2+ billion name server (NS) resolutions…based on our passive DNS database…”

Indicators of Compromise

  • [Domain] confirmed malicious domains – examples include many .com domains (17.5% of IoCs) and .ru/.cn ccTLDs; report notes 3.2+ million IoC domains.
  • [Registrar] registrar context for NRDs – examples: GoDaddy (14.0% of NRDs), Namecheap (9.4%).
  • [TLD] TLD distribution context – examples: .com, .cn, .cc (366,698 NRDs for .cc) and other gTLDs like .xyz, .top, .shop.
  • [DNS Records] resolution volumes used for analysis – MX servers and NS resolutions: 2.1+ billion MX and 4.2+ billion NS resolutions across 365 days.


Read more: https://circleid.com/posts/global-domain-activity-trends-seen-in-q3-2025