CIS published the top 10 malware of Q3 2025 and identified 31 domain IoCs for five malware; after filtering with WhoisXML MCP Server, 26 domains were analyzed in depth, revealing historical resolutions, registration patterns, and associated artifacts. The investigation found early warnings for some domains, a likely typosquatter, thousands of email-connected domains (56 weaponized), and multiple IP- and string-linked artifacts. #SocGholish #Gh0stRAT
Keypoints
- CIS named the top 10 malware for Q3 2025 and flagged 31 domain IoCs for five of those families; after removing legitimate domains, 26 domains were analyzed.
- Three malware from Q2 (SocGholish, Agent Tesla, ZPHP) reappeared in Q3; SocGholish stayed at rank 1 and Agent Tesla at rank 3, while ZPHP fell to rank 5.
- Two domains were flagged as likely-to-be-malicious at registration 150–598 days before being labeled IoCs (Gh0stxmcxmr[.]com and hemeraldpinesolutions[.]com).
- One domain (trendings[.]top) appears to be part of a bulk registration with look-alikes (trendingg[.]shop, trendingon[.]store), consistent with typosquatting activity.
- WHOIS and Domain Info analysis showed the 26 domains were created between 2012 and 2025, distributed across 13 registrars (PDR, MarkMonitor, Tucows, etc.), and registered in six countries (16 in the U.S.).
- DNS Chronicle returned 2,564 historical domain-to-IP resolutions for 25 domains; ebuilderssource[.]com recorded the oldest resolution (02/05/2017).
- WHOIS History and Reverse WHOIS linkage produced 45 unique email addresses (17 public) and 5,266 email-connected domains, of which 56 were already observed conducting malicious activity (examples: dashboard-aave[.]us, help-opensea[.]us).
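The keypoints above describe three pivots that can be reproduced on any set of defanged domain IoCs with WHOIS creation data: the lead time between registration and IoC publication (the "early warning" for Gh0stxmcxmr[.]com and hemeraldpinesolutions[.]com), string-linked look-alikes, and same-day bulk registrations such as trendings[.]top and its variants. The Python below is an added example, not code from the article or from WhoisXML; the records, dates, registrar names and the IoC publication date are constructed and assumed for illustration only, and the prefix-matching rule is a simple stand-in for the string-connected pivot the article relies on.

```python
"""Illustrative WHOIS pivoting helpers (added example, not the article's or
WhoisXML's code). Every record below is constructed sample data."""
from datetime import date, datetime
from itertools import combinations

# Constructed sample records modelled on the fields the article discusses
# (creation date, registrar, flagged-at-registration). Dates and registrar
# names are ASSUMED for illustration, not values taken from the article.
SAMPLE_RECORDS = [
    {"domain": "Gh0stxmcxmr[.]com", "created": "2024-03-01",
     "registrar": "Registrar A", "flagged_at_registration": True},
    {"domain": "hemeraldpinesolutions[.]com", "created": "2025-04-15",
     "registrar": "Registrar B", "flagged_at_registration": True},
    {"domain": "trendings[.]top", "created": "2025-03-02",
     "registrar": "Registrar C", "flagged_at_registration": False},
    {"domain": "trendingg[.]shop", "created": "2025-03-02",
     "registrar": "Registrar C", "flagged_at_registration": False},
    {"domain": "trendingon[.]store", "created": "2025-03-02",
     "registrar": "Registrar C", "flagged_at_registration": False},
    {"domain": "ebuilderssource[.]com", "created": "2012-05-14",
     "registrar": "Registrar D", "flagged_at_registration": False},
]
# Assumed date on which the domains were published as IoCs.
IOC_LABEL_DATE = date(2025, 10, 1)


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' into a real hostname."""
    return domain.replace("[.]", ".").strip().lower()


def sld(domain: str) -> str:
    """Second-level label, the part an operator typically varies in look-alikes."""
    return refang(domain).split(".")[0]


def lead_time_days(created: str, labeled: date) -> int:
    """Days between a domain's WHOIS creation date and its IoC publication date."""
    return (labeled - datetime.strptime(created, "%Y-%m-%d").date()).days


def early_warnings(records, labeled: date):
    """Domains flagged as likely malicious at registration, mapped to the lead
    time a defender would have had before the IoC was published."""
    return {refang(r["domain"]): lead_time_days(r["created"], labeled)
            for r in records if r["flagged_at_registration"]}


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading substring of two labels."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def string_linked_groups(domains, min_len: int = 6):
    """Group domains whose second-level labels share a prefix of at least
    min_len characters (a simple stand-in for string-connected pivoting)."""
    parent = {d: d for d in domains}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(domains, 2):
        if common_prefix_len(sld(a), sld(b)) >= min_len:
            parent[find(a)] = find(b)
    groups = {}
    for d in domains:
        groups.setdefault(find(d), []).append(refang(d))
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def bulk_registration_clusters(records, min_len: int = 6):
    """Look-alike domains created on the same day through the same registrar,
    the pattern described for trendings[.]top and its two variants."""
    by_key = {}
    for r in records:
        by_key.setdefault((r["created"], r["registrar"]), []).append(r["domain"])
    clusters = []
    for (created, registrar), domains in sorted(by_key.items()):
        for group in string_linked_groups(domains, min_len):
            clusters.append({"created": created, "registrar": registrar,
                             "domains": group})
    return clusters


if __name__ == "__main__":
    for d, days in early_warnings(SAMPLE_RECORDS, IOC_LABEL_DATE).items():
        print(f"{d}: flagged {days} days before IoC publication")
    for c in bulk_registration_clusters(SAMPLE_RECORDS):
        print(f"{c['created']} via {c['registrar']}: {', '.join(c['domains'])}")
```

Feeding real WHOIS records into `early_warnings` gives the lead-time figure the article reports as a range, while `bulk_registration_clusters` surfaces same-day, same-registrar look-alike sets that are worth blocking together rather than one domain at a time.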
MITRE Techniques
- [T1566] Phishing: Malware and associated infrastructure were used to support phishing campaigns, with multiple email-connected domains observed performing phishing. ("Phishing")
- [T1583.001] Domain Registration: Adversaries registered and bulk-registered domains (including look-alikes) to acquire infrastructure and enable typosquatting and malicious distribution. ("was bulk-registered with two look-alikes: trendingg[.]shop and trendingon[.]store")
Indicators of Compromise
- [Domain] domains identified as IoCs for analyzed malware: ebuilderssource[.]com, Gh0stxmcxmr[.]com, and 24 other domains (26 total analyzed)
- [Email-connected domain] domains discovered via Reverse WHOIS and Threat Intelligence (5,266 total): dashboard-aave[.]us, help-opensea[.]us, and 5,264 other email-connected domains
- [IP address] observed IP artifacts: 11 IP addresses were identified in association with artifacts (7 found malicious); no specific IP addresses were listed in the article
- [IP-connected domain] domains with historical domain-to-IP resolutions (104 total): Gh0stvip5944[.]com, warpdrive[.]top, and 102 other IP-connected domains
- [String-connected domain] domains linked by shared strings (606 total): examples include f3322[.]org, lzh[.]fr, and 604 other string-connected domains (one of these was found malicious)
- [WHOIS email addresses] historical WHOIS email artifacts: 45 unique email addresses collected (17 public); specific email addresses were not enumerated in the article
Read more: https://circleid.com/posts/mining-for-dns-maxims-top-10-malware-of-q3-2025