Threat Research

Global Domain Activity Trends Seen in Q2 2025

CircleID
Global Domain Activity Trends Seen in Q2 2025

The Q2 2025 Global Domain Activity Report analyzed 26.0+ million newly registered domains, noting an 11.0% increase from Q1 2025 and identifying 3.9+ million domains tagged as indicators of compromise. Key findings include .com dominating both NRDs and IoC volumes, .cc showing extreme NRD-per-capita incongruence, and GoDaddy, Namecheap, and Dynadot topping registrar market share. #GoDaddy #CocosKeelingIslands

Keypoints

  • Q2 2025 saw 26.0+ million newly registered domains (NRDs), an 11.0% increase from Q1 2025.
  • gTLD registrations rose 15.3% while ccTLD registrations declined 2.7% compared with the previous quarter.
  • .com remained the most popular gTLD for both NRDs and IoCs; .top, .xyz, and .shop trailed other gTLDs.
  • .cc ccTLD showed a large NRD-per-capita anomaly with 262,468 NRDs despite a 593 resident population.
  • 3.9+ million domains were tagged as IoCs in Q2 2025; .com accounted for 21.7% of IoC volume, with .org, .net, .biz, .bazar, .info, .pro and ccTLDs .ru, .cn, .io also in the top lists.
  • GoDaddy led NRD registrars with 13.5% share, followed by Namecheap (9.6%) and Dynadot (4.9%).
  • Passive DNS data included 1.9+ billion MX and 3.8+ billion NS resolutions over the past 365 days supporting threat intelligence and DNS activity insights.

MITRE Techniques

  • [T1071 ] Application Layer Protocol – Use of popular TLDs like .com to host malicious domains and blend with legitimate traffic (“threat actors continued to favor using .com domains over others”).
  • [T1583 ] Acquire Infrastructure – Registration of large volumes of newly registered domains and use of specific registrars for malicious infrastructure (“26.0+ million domains registered… GoDaddy held on to the top NRD registrar spot”).
  • [T1526 ] Domain Generation Algorithms – Abnormal NRD volume-to-population incongruence indicating mass registrations possibly for ephemeral or automated domain use (“.cc accounted for 262,468 NRDs despite having only 593 residents”).

Indicators of Compromise

  • [Domain ] Malicious domains tagged as IoCs in Q2 2025 – example: .com (21.7% of IoC volume), other top gTLDs include .org, .net, and .bazar.
  • [ccTLD ] Country-code TLDs appearing in IoCs – example: .ru, .cn, .io.
  • [Registrar ] High-volume registrars used for NRDs – example: GoDaddy (13.5% share), Namecheap (9.6% share).
  • [Passive DNS ] DNS resolutions supporting IoC mapping – example: 1.9+ billion MX resolutions, 3.8+ billion NS resolutions over the past 365 days.

Read more: https://circleid.com/posts/global-domain-activity-trends-seen-in-q2-2025