Dangerous Domains in the NDSW/NDSX Malware Campaign | WhoisXML API

Threat Reports

Both Aged and New Domains Play a Role in the NDSW/NDSX Malware Campaign

The threat actors behind the NDSW/NDSX malware campaign1 used both newly registered and aged domains, likely to get the best of both worlds. But the digital breadcrumbs they left behind could help investigators get a step closer to catching them.

Our in-depth analysis revealed:

  • Unredacted registrant email addresses from the historical WHOIS records of the domains identified as threat indicators of compromise (IoCs)
  • More than 200 domains that used the same registrant email addresses as the aged domain IoCs
  • An additional IP address that the domain IoCs resolved to
  • More than 100 domains that shared the domain IoCs’ IP addresses, one of which is deemed malicious
  • Some domains that shared common strings with the IoCs (“sync + adv.,” “static + visit,” and “ads + profit + network”)

Download a sample of the threat research materials now or contact us to access the complete set of research materials.


  • [1] https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html
Try our WhoisXML API for free
Get started