Last week ThreatSTOP published a security analysis report regarding registration of malicious domains used for the Neutrino EK infrastructure.

In the report we mentioned that our analysis found that domains belonging to two ccTLDs, .top and .xyz, were found to host different parts of the I/S.

Shortly after publication of the report we were approached by the team from .xyz and they requested more info and specifically the list of domains that were associated with them.  Once we provided the domains, they were either detected as suspended by the time we published our report (93%) or were suspended imminently after the information was provided.

It is important to note that the good work that is done by the .xyz ccTLD team is helping to secure the internet and they are doing whatever they can to prevent abuse of their registry.

No response has been recorded to date from the .top ccTLD.