The WhoisXML API research team analyzed more than 8.2 million domains registered between 1 and 31 October 2024 to identify the most popular registrars, top-level domain (TLD) extensions, and other global domain registration trends.

We also determined the top TLD extensions used by the more than 57.4 billion domains from our DNS database’s A record full file released in the same month.

Next, we studied the top TLDs of more than 1.0 million domains detected as indicators of compromise (IoCs) in October.

Finally, we summed up our findings and provided links to the threat reports produced using DNS, IP, and domain intelligence sources during the period.

You can download an extended sample of the data obtained from this analysis from our website.

Zooming in on the October 2024 NRDs

TLD Distribution

Around three quarters of the 8.2 million domains registered in October 2024, 75.8% to be exact, used generic TLD (gTLD) extensions, while 24.2% used country-code TLD (ccTLD) extensions.

The .com TLD remained the most popular extension used by 37.2% of the total number of newly registered domains (NRDs), up from 36.4% in September. The other most used TLDs on the top 5 followed with a significant gap as in the previous month. They were all gTLDs this time around, namely, .shop with a 3.9% share, .top with 3.2%, .bond with 3.0%, and .xyz with 2.9%.

We then analyzed the October TLDs further to identify the most popular gTLDs and ccTLDs among the new domain registrations.

Out of 645 gTLDs, .com remained the most used, accounting for a 49.1% share, slightly down from 49.3% in September. The rest of the top 5 lagged far behind. In fact, .shop only had a 5.1% share, .top had 4.2%, .bond had 3.9%, and .xyz had 3.9%. Note that the top 5 gTLDs were the same ones that comprised the top 5 TLDs.

Meanwhile, .cn remained the top ccTLD out of 249 extensions with an 8.5% share, marking a big drop from 15.7% in September. The other commonly used ccTLDs were .de with an 8.4% share, .uk with 7.1%, .ru with 7.0%, and .pt with 5.6%.

Registrar Distribution

GoDaddy continued to reign supreme among the registrars with a 14.6% share, even if it went down from 15.4% in September. Namecheap came in second place with a 12.1% share, up from 10.6% last month. Hostinger Operations with a 4.2% share; Dynadot with 4.0%; and Tucows Domains with 3.9% rounded out the top 5.

WHOIS Data Redaction

A majority of the NRDs, 55.4% to be exact, down from 57.5% in September, had redacted WHOIS records. The remaining 44.6% of the NRDs, up from 42.5% in September, meanwhile, had public WHOIS records.

A Closer Look at the October 2024 DNS Records

Top TLDs of the A Record Domains

Next, we analyzed more than 57.4 billion domains from our DNS database’s A record full file dated 3 October 2024, which included DNS resolutions from the past 365 days. We found that 48.7% used the .com TLD, down from 50.7% in September. The rest of the top 5 comprised two other gTLDs (i.e., .net with a 10.2% share and .org with 3.6%) and two ccTLDs (i.e., .de and .ru with a 2.4% share each).

Cybersecurity through the DNS Lens

Top TLDs of the October 2024 Domain IoCs

As usual, we analyzed more than 1.0 million domains tagged as IoCs for various threats detected in October. Our analysis revealed that .com remained the most popular TLD with a 17.1% share, slightly lower than 17.2% in September. The remaining top TLDs were all gTLDs as well, namely, .org with a 15.4% share, .net with 14.6%, .biz with 10.1%, and .bazar with 7.4%.

Threat Reports

Below are the threat reports we published in October 2024.

• Examining the DNS Underbelly of the Voldemort Campaign: The WhoisXML API research team dove deeper into the so-called “malware that must not be named” or the Voldemort campaign by expanding a list of 19 IoCs. Our analysis uncovered 872 potentially connected artifacts.

• Investigating the Proliferation of Deepfake Scams: Deepfakes can pose a serious threat, as evidenced by a multinational company that was tricked into handing out US$25 million to a scammer who pretended to be their company’s CFO. We sought to find out how many potentially related artifacts the threat has.

• A DNS Investigation of the 32 Doppelganger Websites the U.S. Government Seized: The U.S. government seized several websites believed to be part of the Doppelganger campaign. We uncovered several potentially connected web properties that could also be spreading fake news.

• New RomCom Variant Spotted: A Comparative and Expansion Analysis of IoCs: The creators of known ransomware RomCom released a new variant dubbed “Snipbot,” which our team investigated. We uncovered 169 potentially connected artifacts in the process.

• A DNS Investigation into Mamba 2FA, the Latest AitM Phishing Player: Fellow security researchers published 58 IoCs for the new adversary-in-the-middle (AitM) phishing player Mamba 2FA. We expanded their IoC list and found 418 connected artifacts.

You can find more reports created in the past months here.

Feel free to contact us for more information about the products and capabilities used to analyze domain registration events or support other use cases.