DNS Investigation: Is xDedic Truly Done for After Its Takedown?

Researchers expanded an initial list of 19 xDedic indicators by using WHOIS, DNS, reverse-WHOIS, reverse-IP, screenshot lookups, and domain discovery to uncover 150 related artifacts, including 15 email-connected, 126 IP-connected, and nine string-connected domains. Two of the discovered domains—omerta[.]cc and vsoloviev[.]ru—were flagged as malicious, while xdedic[.]io remains in DNS and may be part of the marketplace infrastructure. #xDedic #omerta_cc #vsoloviev_ru #xdedic_io

Keypoints

  • Expanded the original 19 xDedic IoCs (3 domains, 16 IPs) to 150 potentially connected artifacts: 15 email-, 126 IP-, and nine string-connected domains.
  • Bulk WHOIS showed only xdedic[.]biz retained current registrar data (PSI-USA, Inc.; created 12 Sep 2014; registrant country: Canada).
  • Bulk IP geolocation placed the 16 IP IoCs across 11 countries and 13 ISPs, with Cloudflare hosting four of them.
  • Reverse WHOIS using a public registrant email revealed 15 email-connected domains; omerta[.]cc was associated with malware.
  • Reverse IP lookups on the 16 IP IoCs returned 126 unique hosted domains; three IPs appeared dedicated (186[.]2[.]163[.]126, 87[.]236[.]215[.]18, 91[.]220[.]101[.]43) and vsoloviev[.]ru was linked to generic threats.
  • Domains & Subdomains Discovery for the string “xdedic” found nine domains; xdedic[.]io was created in 2016 and archived content suggests it was part of the marketplace era.

MITRE Techniques

  • [T1583.001] Domain Registration – Discovery and analysis of newly created and legacy domains that may form part of infrastructure: ‘A majority of them were created after the cybercriminal marketplace’s takedown.’
  • [T1590.002] Query DNS – Use of DNS and reverse IP lookups to map domain-to-IP and IP-to-domain relationships: ‘we performed DNS lookups for the three domain IoCs, which did not turn up IP addresses… Reverse IP lookups for the 16 IP addresses named as IoCs showed… they hosted 126 IP-connected domains.’
  • [T1589] Gather Victim Identity Information (WHOIS) – Bulk and historical WHOIS queries to extract registrar, creation date, registrant country, and email addresses: ‘we subjected the three domains identified as IoCs to a bulk WHOIS lookup that revealed that only one of the domain IoCs—xdedic[.]biz—had current WHOIS data.’
  • [T1598] Search Open Technical Databases – Reverse WHOIS and Threat Intelligence API queries to link email addresses and domains and to check threat associations: ‘Reverse WHOIS Search uncovered 15 domains with the email address in their historical WHOIS records… one email-connected domain—omerta[.]cc—according to Threat Intelligence API was associated with a malware attack.’
  • [T1587] Search Open Websites / Archives – Use of screenshot lookup and archival services (Wayback Machine) to verify current accessibility and historic content of domains: ‘Screenshot API queries for the 126 IP-connected domains also revealed that 117 remained accessible to date’ and ‘a Wayback Machine archived screenshot for xdedic[.]io showed … it has been taken down by the authorities.’

Indicators of Compromise

  • [Domain IoC] original domain evidence – xdedic[.]biz (WHOIS current record: PSI-USA, Inc.; created 12 Sep 2014; registrant country: Canada)
  • [Email-connected domain] discovered via historical WHOIS – omerta[.]cc (associated with malware), and 14 more email-connected domains
  • [IP address] identified as potentially dedicated – 186[.]2[.]163[.]126, 87[.]236[.]215[.]18, 91[.]220[.]101[.]43 (the three of the 16 IP IoCs that appeared dedicated)
  • [IP-connected domain] discovered by reverse IP lookup – vsoloviev[.]ru (flagged for generic threats) and other hosted domains (total 126 IP-connected domains)
  • [String-connected domain] discovered via domain string search – xdedic[.]io (created 16 Jun 2016; archived content suggests marketplace linkage), and eight other xdedic.* domains

Researchers began with three domain and 16 IP IoCs attributed to xDedic and performed a sequence of technical mappings: bulk WHOIS to extract registrar and creation metadata (only xdedic[.]biz retained current WHOIS), bulk IP geolocation to determine country and ISP distribution, and historical WHOIS/Reverse WHOIS to recover registrant emails, which yielded 15 email-connected domains. They then ran Reverse IP lookups on the 16 IP IoCs, which collectively hosted 126 unique domains; three of the IPs (186[.]2[.]163[.]126, 87[.]236[.]215[.]18, 91[.]220[.]101[.]43) appeared dedicated. The results were enriched via Threat Intelligence API, which flagged omerta[.]cc for a malware association and vsoloviev[.]ru for generic threats.

Complementary methods included DNS lookups (which for the three original domain IoCs returned no current A records), Screenshot API and archival checks to assess live accessibility (117 of 126 IP-connected domains remained accessible via screenshots; some domains showed errors or parked pages), and Domains & Subdomains Discovery for the “xdedic” string, which surfaced nine related domains. WHOIS timelines for those string-connected domains indicated most were registered after the takedown, though xdedic[.]io (created in 2016) matched the marketplace’s active period and had archived pages consistent with takedown activity.

The combined process expanded the IoC dataset to 150 artifacts (15 email-, 126 IP-, nine string-connected domains), highlighted two domains with flagged malicious associations (omerta[.]cc and vsoloviev[.]ru), and identified candidate infrastructure (three dedicated IPs and xdedic[.]io) that may warrant further investigation or mitigation. These steps illustrate a systematic OSINT and DNS-centric workflow for broadening infrastructure-related IoCs and prioritizing follow-up actions.
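The pivot-expansion workflow described above (seed IoCs, then email-, IP- and string-connected pivots with a dedicated-IP heuristic), as an added example that is not code from the original article. The lookup tables are constructed sample data standing in for WHOIS, reverse-IP and domain-discovery API results, and the `dedicated_max` threshold is an assumption, not the article's criterion.

```python
"""Added example: a small offline model of the IoC pivot-expansion workflow.
Lookup tables are constructed sample data (RFC 5737 test addresses, .test/.example names)."""

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'xdedic[.]biz' back into 'xdedic.biz'."""
    return ioc.replace("[.]", ".")

def defang(ioc: str) -> str:
    """Defang an indicator for safe sharing in reports ('1.2.3.4' -> '1[.]2[.]3[.]4')."""
    return ioc.replace(".", "[.]")

# Constructed sample data (hypothetical).
HISTORICAL_WHOIS = {            # domain -> registrant email from historical WHOIS
    "seed-market.test": "registrant@mail.test",
    "shop.example": "registrant@mail.test",
    "forum.example": "registrant@mail.test",
    "unrelated.example": "someone-else@mail.test",
}
REVERSE_IP = {                  # IP -> domains observed hosted on it
    "203.0.113.10": ["panel.example"],                                    # one domain: likely dedicated
    "203.0.113.20": ["a.example", "b.example", "c.example", "d.example"],  # shared hosting
}
DISCOVERED = ["seed-market.test", "seed-market-new.example", "a.example", "unrelated.example"]

def expand(seed_domains, seed_ips, keyword, dedicated_max=1):
    """Expand seed IoCs into email-, IP- and string-connected domains.
    dedicated_max (assumption): most hosted domains an IP may have to count as dedicated."""
    seeds = {refang(d) for d in seed_domains}
    # Reverse WHOIS pivot: other domains sharing a registrant email with a seed domain
    emails = {HISTORICAL_WHOIS[d] for d in seeds if d in HISTORICAL_WHOIS}
    email_connected = {d for d, e in HISTORICAL_WHOIS.items() if e in emails} - seeds
    # Reverse IP pivot: domains hosted on the seed IPs, plus the dedicated-IP heuristic
    ip_connected, dedicated = set(), []
    for ip in (refang(i) for i in seed_ips):
        hosted = REVERSE_IP.get(ip, [])
        ip_connected.update(hosted)
        if 0 < len(hosted) <= dedicated_max:
            dedicated.append(ip)
    # Domains & Subdomains Discovery pivot: names containing the search string
    string_connected = {d for d in DISCOVERED if keyword in d} - seeds
    result = {
        "email_connected": sorted(email_connected),
        "ip_connected": sorted(ip_connected - seeds),
        "string_connected": sorted(string_connected),
        "dedicated_ips": [defang(ip) for ip in dedicated],
    }
    result["total_artifacts"] = sum(len(result[k]) for k in ("email_connected", "ip_connected", "string_connected"))
    return result

if __name__ == "__main__":
    print(expand(["seed-market[.]test"], ["203[.]0[.]113[.]10", "203[.]0[.]113[.]20"], "seed-market"))
```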

Read more: https://circleid.com/posts/20240304-dns-investigation-is-xdedic-truly-done-for-after-its-takedown