Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.
WhoisXML API analyzed 8.9+ million domains registered between 1 and 31 March 2026 that appeared in Newly Registered Domains to identify the most popular registrars, TLD extensions, and other global domain registration trends. This number rose by 1.7% from 8.7+ million NRDs last month.
We also determined the top TLD extensions used by 2.1+ million domains registered with malicious intent from the First Watch Malicious Domains Data Feed in March 2026. This number decreased by 11.6% from the previous month.
Next, we studied the top TLD extensions of 1.1+ million confirmed malicious domains from the Threat Intelligence Data Feeds this month, which rose by 4.8% from 1.0+ million in February.
Finally, we summed up our findings and provided links to the threat reports produced using DNS and domain intelligence sources during the period.
Zooming in on the March 2026 NRDs
TLD Distribution
Out of the 8.9+ million domains registered in March 2026, 80.2%, down from 82.0% last month, used gTLD extensions. The remaining 19.8%, up from 18.0%, meanwhile, used ccTLD extensions.
In March 2026, the .cn and .lol TLDs ousted two of last month’s top 5 NRD TLDs—.info and .xyz. This shift may reflect a combination of factors. For .cn, the increase likely reflects ongoing structural demand within China’s domain ecosystem, including regulatory factors and a preference for locally trusted domains, rather than a single identifiable short-term driver.
For .lol, meanwhile, the increase may reflect short-term factors like registrar activity or bulk registrations. The extension’s association with gaming, specifically League of Legends (often shortened to “LoL”), and the First Stand event in Brazil held on 16–22 March 2026 could also have contributed to periodic interest.
Here is a MoM comparison with ranking changes for the top 5 TLD extensions of the March 2026 NRDs.
| MARCH 2026 TOP TLD | MARCH 2026 TLD VOLUME | FEBRUARY 2026 TLD VOLUME | RANKING CHANGE FROM FEBRUARY TO MARCH 2026 |
| .com | 3,792,947 | 3,210,862 | → (Unchanged) |
| .shop | 381,377 | 283,267 | ↑ from 5 to 2 |
| .top | 277,990 | 343,734 | ↓ from 2 to 3 |
| .cn | 247,839 | 164,311 | ↑ from 9 to 4 |
| .lol | 237,975 | 65,197 | ↑ from 24 to 5 |
Overall, the top 5 NRD TLD volume rose by 11.0% from 4.4+ million in February to 4.9+ million in March 2026.
We then analyzed the March 2026 TLDs further to identify the most popular gTLDs and ccTLDs among the new domain registrations.
The .lol and .org extensions joined the March gTLD topnotchers, taking .info and .xyz’s places.
We already posited a possible reason for the rise in the .lol NRD volume above. In .org’s case, a likely factor for its slight increase in ranking from last month may be registrations ahead of a scheduled wholesale price increase effective 1 June 2026.
Meanwhile, .cn remained the most utilized ccTLD in this month’s ranking. However, the .cc ccTLD evicted .in from the top 5. This increase likely reflects short-term factors like registrar activity or bulk registrations. At the same time, .cc has seen sustained use as a flexible branding alternative, which may have contributed to its continued presence among higher-volume TLDs.
Here is a MoM comparison with ranking changes for the top 5 ccTLD extensions of the March 2026 NRDs.
| MARCH 2026 TOP ccTLD | MARCH 2026 ccTLD VOLUME | FEBRUARY 2026 ccTLD VOLUME | RANKING CHANGE FROM FEBRUARY TO MARCH 2026 |
| .cn | 247,839 | 164,311 | → (Unchanged) |
| .uk | 162,629 | 157,831 | → (Unchanged) |
| .ru | 158,680 | 153,937 | → (Unchanged) |
| .br | 119,605 | 106,128 | ↑ from 5 to 4 |
| .cc | 116,604 | 87,754 | ↑ from 7 to 5 |
Overall, the top 5 NRD ccTLD volume rose by 16.8% from 689,775 in February to 805,357 in March 2026.
Registrar Distribution
This month’s top registrar 5 list had two new entrants. GMO Internet Group and Spaceship took the spots of Hostinger Operations and NameSilo, respectively.
Here is a MoM comparison with ranking changes for the top 5 NRD registrars.
| MARCH 2026 TOP REGISTRAR | MARCH 2026 REGISTRAR VOLUME | FEBRUARY 2026 REGISTRAR VOLUME | RANKING CHANGE FROM FEBRUARY TO MARCH 2026 |
| GoDaddy | 1,145,314 | 1,041,998 | → (Unchanged) |
| Namecheap | 918,436 | 876,171 | → (Unchanged) |
| GMO Internet Group | 481,112 | 343,115 | ↑ from 6 to 3 |
| Dynadot | 437,457 | 409,451 | → (Unchanged) |
| Spaceship | 402,343 | 336,126 | ↑ from 7 to 5 |
Overall, the top 5 NRD registrar volume rose by 7.5% from 3.1+ million in February to 3.3+ million in March 2026.
A Closer Look at the Domains Registered with Malicious Intent in March 2026
TLD Distribution
Next up, we sought to take a closer look at the domains deemed to have been registered with malicious intent from the get-go in March 2026. We determined that 2.1+ million domains in all appeared on the First Watch Malicious Domains Data Feed, down by 11.6% from 2.3+ million last month.
Overall, 23.5% of the March 2026 NRDs were registered with malicious intent. In addition, two one ccTLD and gTLD each—.cn and .lol—entered the top 5, taking the place of .info and .xyz.
The surge in .lol domain registrations for malicious usage in March 2026 could have been driven by the broader trend of attackers leveraging cheap, niche, or not .com TLDs for rapid phishing, malware delivery, and typosquatting campaigns.
The reasons could be similar for .xyz, which remains popular for high-volume, low-cost registrations, allowing threat actors to generate large numbers of disposable domains for phishing and malware campaigns. The increase may also align with heightened threat activity observed in early March 2026, including campaigns linked to escalating geopolitical tensions involving Iran, as well as newly disclosed exploit frameworks like Coruna that relied on related domain-based infrastructure.
Here is a MoM comparison with ranking changes for the top 5 TLDs of the domains registered with malicious intent.
| MARCH 2026 TOP FIRST WATCH TLD | MARCH 2026 FIRST WATCH TLD VOLUME | FEBRUARY 2026 FIRST WATCH TLD VOLUME | RANKING CHANGE FROM FEBRUARY TO MARCH 2026 |
| .com | 761,404 | 561,902 | → (Unchanged) |
| .top | 204,140 | 214,170 | → (Unchanged) |
| .lol | 192,435 | 46,277 | ↑ from 10 to 3 |
| .cn | 138,063 | 74,642 | ↑ from 7 to 4 |
| .xyz | 132,085 | 185,281 | ↓ from 4 to 5 |
Overall, the top 5 First Watch TLD volume rose by 11.9% from 1.2+ million in February to 1.4+ million in March 2026.
How Many NRDs Were Registered with Malicious Intent?
We also sought to find out how many of the domains registered in March 2026 were registered with malicious intent. Our findings showed that 27.3% of the NRDs under the top 5 TLDs were deemed likely to turn malicious as soon as they were registered.
Cybersecurity through the DNS Lens
TLD Distribution
The top 5 TLDs of the confirmed malicious domains found in March 2026 were the same as those identified in February.
Here is a MoM comparison with ranking changes for the top 5 TLDs of the domains registered with malicious intent.
| MARCH 2026 TOP DOMAIN IoC TLD | MARCH 2026 DOMAIN IoC TLD VOLUME | FEBRUARY 2026 DOMAIN IoC TLD VOLUME | RANKING CHANGE FROM FEBRUARY TO MARCH 2026 |
| .com | 192,787 | 170,526 | → (Unchanged) |
| .org | 168,891 | 157,077 | → (Unchanged) |
| .net | 160,284 | 147,198 | → (Unchanged) |
| .biz | 111,781 | 102,293 | → (Unchanged) |
| .bazar | 78,618 | 78,441 | → (Unchanged) |
Overall, the number of confirmed malicious domains sporting the top 5 TLDs increased by 8.7% from 655,535 in February to 712,361 this month.
Threat Reports
Take a quick look at the threat reports we published in March 2026 below.
- What Remains of Black Basta Now That Alleged Gang Leader Joined the Most Wanted List?: Alleged Black Basta ransomware leader Oleg Evgenievich Nefedov became part of the EU Most Wanted and INTERPOL Red Notice lists. We analyzed 18 network IoCs related to a recent Black Basta campaign and uncovered additional infrastructure components and connections.
- Probing the DNS Depths of PeckBirdy: PeckBirdy, a JavaScript-based C&C framework designed to operate across multiple environments, was linked to campaigns involving modular backdoors HOLODONUT and MKDOOR, Cobalt Strike payloads, stolen code-signing certificates, and the exploitation of CVE-2020-16040. We analyzed 56 network IoCs using our homegrown tools to investigate the threat and uncovered pertinent findings.
- A Close Look under the DNS Hood of CoolClient: A HoneyMyte (also known as “Mustang Panda” or “Bronze President”) campaign used an updated version of the CoolClient backdoor with additional capabilities, including browser credential stealing, reconnaissance, and data exfiltration. We analyzed six network IoCs associated with the attack and unearthed critical findings.
- A Look Back at 11 of the Red Report 2026 Featured Threats: Several state-sponsored and financially motivated threat actors leveraged widely used MITRE ATT&CK techniques identified in Picus Security’s Red Report 2026 to compromise target environments. We analyzed 147 network IoCs linked to STATICPLUGIN, SadBridge Loader, XLoader, Operation BarrelFire, ClickFix, APT36, Chihuahua Stealer, Earth Ammit, PlushDaemon, and Earth Alux. Aided by our homegrown tools, we investigated the threats and uncovered interesting discoveries.
- DNS Deep Dive: LummaStealer + CastleLoader = Larger Threat: LummaStealer continued to operate despite a major law-enforcement disruption in 2025. One of the latest campaigns used CastleLoader as its main delivery mechanism. We analyzed 211 network IoCs, which led to noteworthy findings.
You can find more reports created in the past months here.
Feel free to contact us for more information about the products and capabilities used to analyze domain registration events or support other use cases.