WhoisXML API Blog

Cyber attribution — the process of identifying the person or group behind a cyber attack or other activity — is, perhaps, one of the most interesting tasks in cybersecurity. It feels like detective work. You find clues and use them to identify the murderer, but in the case of cybersecurity, a) it’s not always the gardener, and b) you’re looking for cyber threat actors rather than murderers.

At the same time, cyber attribution is very challenging — those clues are often needles in large haystacks, and attributing something to a specific threat group is often quite difficult and time-consuming. Not to mention that the majority of analysts’ time is usually spent on threat containment. 

And yet, cyber attribution has to be done. 

WhoisXML API analyzed 8.8+ million domains registered between 1 and 31 January 2026 that appeared in Newly Registered Domains to identify the most popular registrars, TLD extensions, and other global domain registration trends. This number dropped by 14.0% from 10.2+ million NRDs last month.

We also determined the top TLD extensions used by 2.2+ million domains registered with malicious intent from the First Watch Malicious Domains Data Feed in January 2026.

Next, we studied the top TLD extensions of 1.0+ million confirmed malicious domains from the Threat Intelligence Data Feeds this month, which dropped by 2.3% from 1.1+ million in December.

Finally, we summed up our findings and provided links to the threat reports produced using DNS and domain intelligence sources during the period.

Executive Summary

This report inaugurates To Cache A Predator, a threat research series from the WXA Internet Abuse Signal Collective (WXA IASC) that correlates open and closed source data – including global telemetry, enrichment datasets, and honeypot observations – to track attacker infrastructure and tactics across global networks. This first episode consolidates our current findings on CVE-2025-55182 (“React2Shell”).

Across WXA IASC NetFlow-derived telemetry, U.S. exposure enrichment, and Niihama honeypot data, React2Shell-associated activity shows a coherent campaign defined by:

If you’ve heard about preemptive security before, it’s probably because Gartner has warned tech product leaders against ignoring or delaying the implementation of preemptive security capabilities in their cybersecurity solutions. 

According to Gartner, failing to invest in preemptive security puts product leaders at risk — they could face career-ending cyberattacks and lose market share within two to four years.
All of that sounds very bleak. But what exactly is this preemptive security thing — and what does it mean for both cybersecurity solutions companies and their end users?

Authors:
Ching Chiao, Head of APAC & Corporate Development, Whois API, Inc.
Ed Gibbs, Field CTO, WHOIS API Inc.

The Newest Member of Your Team Is a Bot—and They Have the Keys to the Vault

For two decades, cybersecurity has been a game of containment—building higher walls around processes and tighter boxes around applications. But the sudden, viral rise of “Agentic AI” has effectively signaled a demolition of those boundaries. Whether it is senior engineers buying Mac Minis for the sole purpose of hosting an instance of Moltbot (formerly known as Clawdbot) or enterprises deploying autonomous agents to manage SOC workflows, the paradigm has shifted. We are no longer just using AI; we are hiring digital employees and handing them the keys to our identity kingdom without so much as a background check. By granting these agents “delegated authority” to act on our behalf, we have created a massive, unsecured territory: we are calling it AI Agent Surface Management (ASM-AI) .

Introducing New gTLD Intelligence Services (NGIS): The intelligence layer for New gTLD applicants, brand protection professionals, and the ICANN community.

Author:
Ching Chiao, Head of APAC & Corporate Development, Whois API, Inc.

As the ICANN community prepares for the next New gTLD application window, set to open in April 2026, one thing is already clear. This round will be far more data-driven than the last.

In 2012, many New gTLD decisions were shaped by marketing narratives, forward-looking projections, and limited historical evidence. Since then, the domain name ecosystem has matured. Registries, governments, brand owners, and evaluators now have access to years of operational, DNS, and abuse data that did not exist during the first round.

For the 2026 program, critical steps such as string selection, public comment periods, formal objections, and GAC advice will increasingly rely on objective, defensible evidence rather than subjective interpretation. Stakeholders are expected to justify positions with data.

This shift reflects a broader expectation across the community. Different stages of the application process raise different questions, from early feasibility and risk assessment to later scrutiny around confusion and public interest.

That shift is what led us to build New gTLD Intelligence Services (NGIS).

WhoisXML API analyzed 10.2+ million domains registered between 1 and 31 December 2025 to identify the most popular registrars, TLD extensions, and other global domain registration trends. This number rose by 16.9% from 8.7+ million NRDs last month.

We also determined the top TLD extensions used by 27.3+ billion domains from our DNS database’s A record full file dated 4 December 2025, indicating a 14.6% drop from November’s 31.9+ billion domains.

Next, we studied the top TLDs of 1.1+ million domains, up by 5.0% from 1.0+ million in November, detected as IoCs this month.

Finally, we summed up our findings and provided links to the threat reports produced using DNS and domain intelligence sources during the period.