WhoisXML API Blog

February 2026: Domain Activity Highlights

WhoisXML API analyzed 8.7+ million domains registered between 1 and 28 February 2026 that appeared in Newly Registered Domains to identify the most popular registrars, TLD extensions, and other global domain registration trends. This number dropped by 0.5% from 8.8+ million NRDs last month.

We also determined the top TLD extensions used by 2.3+ million domains registered with malicious intent from the First Watch Malicious Domains Data Feed in February 2026. This number increased by 5.4% from the previous month.

Finally, we summed up our findings and provided links to the threat reports produced using DNS and domain intelligence sources during the period.

8 Domain Risks and How to Manage Them

What could possibly go wrong when managing a domain? Buy it once, don’t forget to renew later — and that’s it, right? Well, those who do it for a living know that it’s more than just a set-it-and-forget-it task — there are plenty of other domain risks.

Why it matters (and why admins keep waking up at night wondering whether they did something wrong with domain configurations) is that the price of making a mistake is very high when it comes to domain management. A single mistake can take down your website, affect email deliverability, or damage customer trust.

This post breaks down some of the biggest risks associated with domains, illustrates them with real-life examples, and provides a remediation/mitigation/prevention plan.

Cybersecurity Attribution: Why Is It Important and How Does Internet Intelligence Help?

Cyber attribution — the process of identifying the person or group behind a cyber attack or other activity — is, perhaps, one of the most interesting tasks in cybersecurity. It feels like detective work. You find clues and use them to identify the murderer, but in the case of cybersecurity, a) it’s not always the gardener, and b) you’re looking for cyber threat actors rather than murderers.

At the same time, cyber attribution is very challenging — those clues are often needles in large haystacks, and attributing something to a specific threat group is often quite difficult and time-consuming. Not to mention that the majority of analysts’ time is usually spent on threat containment. 

And yet, cyber attribution has to be done. 

January 2026: Domain Activity Highlights

WhoisXML API analyzed 8.8+ million domains registered between 1 and 31 January 2026 that appeared in Newly Registered Domains to identify the most popular registrars, TLD extensions, and other global domain registration trends. This number dropped by 14.0% from 10.2+ million NRDs last month.

We also determined the top TLD extensions used by 2.2+ million domains registered with malicious intent from the First Watch Malicious Domains Data Feed in January 2026.

Next, we studied the top TLD extensions of 1.0+ million confirmed malicious domains from the Threat Intelligence Data Feeds this month, which dropped by 2.3% from 1.1+ million in December.

Finally, we summed up our findings and provided links to the threat reports produced using DNS and domain intelligence sources during the period.

To Cache A Predator: ILOVEPOOP Toolkit Discovery, Global Traffic & Honeypot Observations Exploiting React2Shell (CVE-2025-55182)

Executive Summary

This report inaugurates To Cache A Predator, a threat research series from the WXA Internet Abuse Signal Collective (WXA IASC) that correlates open and closed source data – including global telemetry, enrichment datasets, and honeypot observations – to track attacker infrastructure and tactics across global networks. This first episode consolidates our current findings on CVE-2025-55182 (“React2Shell”).

Across WXA IASC NetFlow-derived telemetry, U.S. exposure enrichment, and Niihama honeypot data, React2Shell-associated activity shows a coherent campaign defined by:

Proactive vs. Predictive vs. Preemptive Security

If you’ve heard about preemptive security before, it’s probably because Gartner has warned tech product leaders against ignoring or delaying the implementation of preemptive security capabilities in their cybersecurity solutions. 

According to Gartner, failing to invest in preemptive security puts product leaders at risk — they could face career-ending cyberattacks and lose market share within two to four years.

All of that sounds very bleak. But what exactly is this preemptive security thing — and what does it mean for both cybersecurity solutions companies and their end users?

The Rise of AI Agent Surface Management (ASM-AI)

Authors:
Ching Chiao, Head of APAC & Corporate Development, Whois API, Inc.
Ed Gibbs, Field CTO, WHOIS API Inc.

The Newest Member of Your Team Is a Bot—and They Have the Keys to the Vault

For two decades, cybersecurity has been a game of containment—building higher walls around processes and tighter boxes around applications. But the sudden, viral rise of “Agentic AI” has effectively signaled a demolition of those boundaries. Whether it is senior engineers buying Mac Minis for the sole purpose of hosting an instance of Moltbot (formerly known as Clawdbot) or enterprises deploying autonomous agents to manage SOC workflows, the paradigm has shifted. We are no longer just using AI; we are hiring digital employees and handing them the keys to our identity kingdom without so much as a background check. By granting these agents “delegated authority” to act on our behalf, we have created a massive, unsecured territory: we are calling it AI Agent Surface Management (ASM-AI).
