December 2025: Domain Activity Highlights

WhoisXML API analyzed 10.2+ million domains registered between 1 and 31 December 2025 to identify the most popular registrars, TLD extensions, and other global domain registration trends. This number rose by 16.9% from 8.7+ million NRDs last month.

We also determined the top TLD extensions used by 27.3+ billion domains from our DNS database’s A record full file dated 4 December 2025, indicating a 14.6% drop from November’s 31.9+ billion domains.

Next, we studied the top TLDs of 1.1+ million domains, up by 5.0% from 1.0+ million in November, detected as IoCs this month.

Finally, we summed up our findings and provided links to the threat reports produced using DNS and domain intelligence sources during the period.

You can download an extended sample of the data obtained from this analysis from our website.

Zooming in on the December 2025 NRDs

TLD Distribution

Out of the 10.2+ million domains registered in December 2025, 84.9%, down from 85.8% last month, used gTLD extensions. The remaining 15.1%, up from 14.2%, meanwhile, used ccTLD extensions.

The .com TLD remained the most popular extension used by 38.5% of the total number of NRDs, indicating an increase from 33.5% in November. The other most used TLDs on the top 5 followed with a significant gap as in the previous month. The remaining four topnotchers were all gTLDs as well. They were .xyz with a 12.7% share, .bond with 6.0%, .top with 4.3%, and .info with 3.9%. Note, too, that last month’s top 5 stayed the same this month.

We then analyzed the December TLDs further to identify the most popular gTLDs and ccTLDs among the new domain registrations.

Out of 651 gTLDs, .com remained the most used, accounting for a 38.5% share, down from 39.0% in November. The rest of the top 5 lagged far behind. In fact, the four other gTLDs only clocked in a 26.8% share in total. The four remaining gTLDs were .xyz with a 12.7% share, .bond with 6.0%, .top with 4.3%, and .info with 3.9%. As with the top TLDs, this month’s top 5 gTLDs remained the same as last month’s.

Meanwhile, .cn continued to top the list of 217 ccTLD extensions with a 15.6% share, slightly higher than November’s 15.5%. The .ru ccTLD placed second with a 9.8% share, followed by .cc with 8.3%, .uk with 8.1%, and .br with 6.4%. Fifth-ranking .in fell off the list, replaced by .br.

Registrar Distribution

The GMO Internet Group continued to reign supreme among the 2,582 registrars this month with a 12.9% share, down from 14.6% in November. The rest of the topnotchers were GoDaddy with an 11.2% share, Namecheap with 8.7%, Dynadot with 4.9%, and NameSilo with 4.1%. Last month’s fifth placer Spaceship was ousted by NameSilo.

A Closer Look at the December 2025 DNS Records

Top TLDs of the A Record Domains

Next, we analyzed 27.3+ billion domains from our DNS database’s A record full file dated 4 December 2025. Note that the file includes DNS resolutions from the past 365 days. We found out that 43.2%, up from 41.8% last month, used the .com gTLD. The rest of the top 5 comprised two other gTLDs (i.e., .net with an 8.7% share and .org with 7.4%) and two ccTLDs (i.e., .ru with a 3.8% share and .de with 2.5%). Note, too, that this month’s top 5 was the same as last month’s, including in terms of place.

Cybersecurity through the DNS Lens

Top TLDs of the December 2025 Domain IoCs

We analyzed 1.1+ million domains tagged as IoCs for various threats detected in December, up from 1.0+ million last month. Our analysis revealed that .com remained the most popular TLD with an 18.6% share, up from 17.0% in November. The remaining top TLDs were all gTLDs as well, namely, .org with a 15.1% share, .net with 14.3%, .biz with 9.9%, and .bazar with 6.9%.

Threat Reports

Take a quick look at the threat reports we published in December 2025.

• DNS Spotlight: New MITRE ATT&CK Group Entrants as of October 2025: The MITRE ATT&CK October 2025 Updates page listed nine new groups under three categories—Enterprise, Mobile, and ICS. We analyzed 144 IoCs comprising 108 domains, 31 IP addresses, and five email addresses after filtering out legitimate domains from sources MITRE listed for each group.

• Predicting ValleyRAT: Early Detection with First Watch: We analyzed 40 domains listed as ValleyRAT IoCs on the ThreatFox open IoC database as of November 2025. We decided to look for more associated domains using our predictive threat intelligence solution, the First Watch Malicious Domains Data Feed.

• Thumbing through the DNS Traces of TamperedChef: Massive malvertising campaign TamperedChef leveraged apps users commonly installed on their computers. The Acronis TRU identified 58 IoCs comprising URLs and subdomains. We extracted 58 unique domains from them and weeded out those that were legitimate. We were left with 46 domains for further analysis.

• Mining for DNS Maxims: Top 10 Malware of Q3 2025: The Center for Internet Security named the top 10 malware of Q3 2025 and identified 31 domains as IoCs for five of them. After weeding out legitimate domains from their list with the help of the WhoisXML API MCP Server, we were left with 26 domains for our study focusing on the IoCs for SocGholish, Agent Tesla, ZPHP, Gh0st, and Lumma Stealer.

• Illuminating ShadyPanda DNS Infrastructure Facts: ShadyPanda’s seven-year-long campaign affected the browsers of 4.3 million Chrome and Edge users to date. Koi Security identified seven IoCs comprising four domains and three subdomains. After extracting unique domains from the subdomains, we accumulated six domains and three subdomains for further analysis.

You can find more reports created in the past months here.

Feel free to contact us for more information about the products and capabilities used to analyze domain registration events or support other use cases.