September 2025: Domain Activity Highlights
WhoisXML API analyzed 8.7+ million domains registered between 1 and 30 September 2025 to identify the most popular registrars, top-level domain (TLD) extensions, and other global domain registration trends.
We also determined the top TLD extensions used by 42.1+ billion domains from our DNS database’s A record full file dated 4 September 2025.
Next, we studied the top TLDs of 1.0+ million domains detected as indicators of compromise (IoCs) this month.
Finally, we summed up our findings and provided links to the threat reports produced using DNS and domain intelligence sources during the period.
You can download an extended sample of the data obtained from this analysis from our website.
Zooming in on the September 2025 NRDs
TLD Distribution
Of the 8.7+ million domains registered in September 2025, a majority of 82.9% (down from 83.4% last month) used generic TLD (gTLD) extensions, while the remaining 17.1% (up from 16.6%) used country-code TLD (ccTLD) extensions.

The .com TLD remained the most popular extension, used by 35.7% of the total number of newly registered domains (NRDs), down from 45.9% in August. As in the previous month, the rest of the top 5 followed with a significant gap. Three of the remaining four were gTLDs, namely, .xyz with a 10.2% share, .top with 5.2%, and .shop with 3.9%. The last was the ccTLD .cn with a 2.9% share.

We then analyzed the September TLDs further to identify the most popular gTLDs and ccTLDs among the new domain registrations.
Out of 627 gTLDs, .com remained the most used, accounting for a 43.1% share, down from 45.9% in August. The rest of the top 5 lagged far behind. In fact, the four other gTLDs only clocked in a 26.2% share in total. The four remaining gTLDs were .xyz with a 12.3% share, .top with 6.3%, .shop with 4.7%, and .org with 2.9%.

Meanwhile, .cn continued to top the list of 212 ccTLD extensions with a 16.6% share, up from 13.5% in August. The .ru ccTLD followed with a 9.3% share, up from 9.2% last month. Then came .cc with an 8.4% share, .uk with 8.3%, and .in with 5.1%.

Registrar Distribution
GoDaddy continued to reign supreme among the 2,586 registrars with a 13.0% share, down from 14.0% in August. Namecheap took the second spot with a 10.1% share, down from 10.4% last month. The rest of the top 5 were GMO Internet Group with a 9.8% share, Spaceship with 6.8%, and Dynadot with 5.0%.

WHOIS Data Redaction
Just like in August, fewer NRDs had redacted WHOIS records in September: 47.3%, down from 49.3%. Meanwhile, 52.7%, up from 50.7% last month, had unredacted WHOIS records.

A Closer Look at the September 2025 DNS Records
Top TLDs of the A Record Domains
Next, we analyzed 42.1+ billion domains from our DNS database’s A record full file dated 4 September 2025, which included DNS resolutions from the past 365 days. We found that 42.0% used the .com gTLD, down from 43.0% in August. The rest of the top 5 comprised two other gTLDs (i.e., .net with a 9.5% share and .org with 7.3%) and two ccTLDs (i.e., .de with a 4.1% share and .ru with 3.6%).

Cybersecurity through the DNS Lens
Top TLDs of the September 2025 Domain IoCs
We analyzed 1.0+ million domains tagged as IoCs for various threats detected in September. Our analysis revealed that .com remained the most popular TLD with a 16.7% share, down from 18.0% in August. The remaining top TLDs were all gTLDs as well, namely, .org with a 15.2% share, .net with 14.3%, .biz with 10.1%, and .bazar with 7.2%.

Threat Reports
Below are the threat reports we published in September 2025.
- Into the Deep DNS Sea with the JSCEAL Campaign: The JSCEAL campaign targeted crypto app users using malicious ads that tricked victims into installing fake crypto trading apps. The apps, of course, concealed variants of JSCEAL. A total of 94 domains were identified as IoCs. We learned that one of the domain IoCs was recorded with two look-alikes in the Typosquatting Data Feed and more.
- A Deep Dive into the GreedyBear Attack: The GreedyBear crypto theft campaign actors have already amassed more than US$1 million. They used 150 weaponized Firefox extensions, close to 500 malicious executables, and dozens of phishing sites. A total of 18 domains were identified as IoCs, which WhoisXML API dove deeper into. Find out what we learned.
- Cross-Examining the CAPTCHAgeddon Brought on by ClickFix: The actors behind the ClickFix stealer, an evolved version of fake browser updates, used fake CAPTCHA pages that enabled it to evade detection and beat popular anti-bot solutions. As a result, it exfiltrated victims’ account credentials and other data from their computers. We analyzed 172 IoCs comprising 156 domains and 16 IP addresses and uncovered 5,064 new artifacts and other pertinent insights.
- Deep Dive: 3 Lazarus RATs Caught in Our DNS Trap: We further analyzed the three remote access Trojans (RATs) that a Lazarus subgroup linked to AppleJeus, Citrine Sleet, UNC47363, and Gleaming Pisces used in a recent attack. Starting from 19 domains and two IP addresses tagged as IoCs, we discovered that one client IP address communicated with one domain IoC, two unique potential victim IP addresses communicated with two unique IP IoCs, and one domain IoC was dubbed likely to turn malicious 189 days before being tagged as such. We also unearthed new artifacts.
You can find more reports created in the past months here.
Feel free to contact us for more information about the products and capabilities used to analyze domain registration events or support other use cases.