Silent Push performs a comprehensive WHOIS Search to extract, enrich, and correlate registrar-based ownership data for domains observed globally. This process aids SOC teams and security analysts in infrastructure mapping, threat actor attribution, and campaign tracking.
What we collect
Registrant Name & Email: Enables identification of individual or organizational ownership.
Registrar Information: Tracks registration through known registrars, especially those commonly used in abuse.
Domain Creation, Update, and Expiry Dates: Vital for identifying domain age, renewal behaviors, and suspicious time-based patterns.
WHOIS Server: Useful for source tracing and validation.
Nameservers: Allows detection of shared infrastructure and DNS hosting patterns.
Organization & Address Info: Additional signals for corporate vs. individual ownership.
Use WHOIS Search
To investigate domain ownership and registration patterns:
From the Silent Push homepage, select WHOIS Data > WHOIS Search.
Build Your Query:
In Field Name, type or select a WHOIS field (e.g., name, email, created).
Choose an Operator (equals, !=, contains, >, <, etc.).
Enter the Value.
Optionally add multiple conditions, combined with AND as in the query examples further down this page.
Click Search.
Results table
| Result Type | Description |
|---|---|
| scan_date | Date/time of the WHOIS scan. |
| domain | Queried domain name. |
| created | Original domain registration date/time. |
| expires | Expiry date unless renewed. |
| name | Registered owner name. |
| organization | Associated organization. |
| registrar | Registrar name. |
| zipcode | Owner's zip/postal code. |
| state | Owner's registered state. |
| updated | Last modification of WHOIS details. |
| nshash | Hash of the nameserver value. |
| nameserver | Nameserver used to link to the hosting IP. |
| email | Registered email address. |
| country | Registered country. |
| address | Street address. |
| city | Registered city. |
Manage results
| Feature | Function |
|---|---|
| Select All | Bulk-select results. |
| Copy | Copy selected/visible records. |
| Export | Export current or selected data. |
| Filter | Customize visible columns. |
| Basic Raw Data | Download results in JSON format. |
| Compare | Compare any two records. |
| Save | Save search for reuse. |
Hunting example – Lumma Stealer
Use WHOIS pivots to trace threat actor patterns. For example, investigate a suspicious domain such as elephancouped[.]fun:
PADNS tab: Identifies ASN = 13335 (Cloudflare)
WHOIS tab: reveals registrant: Klim Puzharskiy
Search Klim Puzharskiy via WHOIS Search → 51 linked domains.
Common traits: .fun TLD, same registrar (PDR), same registration time.
Advanced query example
To investigate using the Advanced Search function:
From the left navigation menu, select Web Data > Web Search > WHOIS Scan.
Select the Advanced Search tab.
Common attributes for precise fingerprinting include the .fun TLD, the same registrar (PDR), the same registration time, nameserver information, and the use of wildcards.
```
datasource = "whois" AND created > "2025-02-21 09:36:40" AND registrar = "PDR Ltd. d/b/a PublicDomainRegistry.com" AND nameserver = "*.ns.cloudflare.com" AND domain = "*.fun"
```
Additional pivots
Email field: Search for domains linked to `*@inbox.eu`.
Name pattern regex: Use `name ~= "^[A-Z][a-z]+ [A-Z][a-z]+$"` to identify domains with similar registrant name patterns.
Advanced query with multiple attributes
```
datasource = "whois" AND created > "2025-02-21 09:36:40" AND registrar = "PDR Ltd. d/b/a PublicDomainRegistry.com" AND nameserver = "*.ns.cloudflare.com" AND domain = "*.fun" AND email = "*@inbox.eu" AND name ~= "^[A-Z][a-z]+ [A-Z][a-z]+$"
```
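To make the semantics of the advanced query above (and the shorter one in the previous section) concrete, the following added example evaluates the same conditions offline against a handful of constructed WHOIS rows shaped like the JSON that Basic Raw Data exports. It is illustration code written for this page, not Silent Push's own query engine or API: the operator behaviour (wildcard `*` in equals, `~=` as a regex match, `>`/`<` as timestamp comparison) and the sample records are assumptions, and the `datasource = "whois"` clause is implicit because every sample row is already a WHOIS record. Beyond the page's single query, it also reports which attributes the matched cluster shares, which is the "common traits" step of the hunting example.

```python
import re
from datetime import datetime

# Constructed sample rows (field names from the results table; every value is invented).
SAMPLE_RECORDS = [
    {"domain": "sample-one.fun", "created": "2025-02-21 10:02:11",
     "registrar": "PDR Ltd. d/b/a PublicDomainRegistry.com",
     "nameserver": "ada.ns.cloudflare.com", "email": "first@inbox.eu", "name": "Petr Novak"},
    {"domain": "sample-two.fun", "created": "2025-02-21 10:05:49",
     "registrar": "PDR Ltd. d/b/a PublicDomainRegistry.com",
     "nameserver": "bob.ns.cloudflare.com", "email": "second@inbox.eu", "name": "Ivan Petrov"},
    {"domain": "legit-shop.com", "created": "2019-06-01 00:00:00",     # unrelated registrar/TLD
     "registrar": "Some Other Registrar", "nameserver": "ns1.hosting.example",
     "email": "admin@legit-shop.com", "name": "Legit Shop LLC"},
    {"domain": "sample-three.fun", "created": "2025-01-15 08:00:00",   # registered before the cutoff
     "registrar": "PDR Ltd. d/b/a PublicDomainRegistry.com",
     "nameserver": "ada.ns.cloudflare.com", "email": "third@inbox.eu", "name": "Petr Novak"},
    {"domain": "sample-four.fun", "created": "2025-03-01 12:00:00",    # name fails the regex
     "registrar": "PDR Ltd. d/b/a PublicDomainRegistry.com",
     "nameserver": "ada.ns.cloudflare.com", "email": "fourth@inbox.eu", "name": "inbox user"},
]

# The page's multi-attribute pivot as (field, operator, value) conditions, all AND-ed.
LUMMA_PIVOT = [
    ("created", ">", "2025-02-21 09:36:40"),
    ("registrar", "=", "PDR Ltd. d/b/a PublicDomainRegistry.com"),
    ("nameserver", "=", "*.ns.cloudflare.com"),
    ("domain", "=", "*.fun"),
    ("email", "=", "*@inbox.eu"),
    ("name", "~=", r"^[A-Z][a-z]+ [A-Z][a-z]+$"),
]


def wildcard_match(value, pattern):
    """Assumed equals-with-wildcards: '*' matches any run of characters, rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def parse_ts(text):
    """Timestamps on the page use 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def evaluate(record, field, op, value):
    """Apply one condition to one record; unknown fields compare as empty strings."""
    actual = record.get(field, "")
    if op == "=":
        return wildcard_match(actual, value)
    if op == "!=":
        return not wildcard_match(actual, value)
    if op == "contains":
        return value in actual
    if op in (">", "<"):
        left, right = parse_ts(actual), parse_ts(value)
        return left > right if op == ">" else left < right
    if op == "~=":
        return re.search(value, actual) is not None
    raise ValueError(f"unsupported operator: {op}")


def run_query(records, conditions):
    """Return the records satisfying every condition (AND semantics)."""
    return [r for r in records if all(evaluate(r, f, o, v) for f, o, v in conditions)]


def matching_domains(records, conditions):
    return sorted(r["domain"] for r in run_query(records, conditions))


def shared_traits(records):
    """Attributes identical across the whole cluster, the 'common traits' of the hunt."""
    enriched = [dict(r, tld=r["domain"].rsplit(".", 1)[-1]) for r in records]
    traits = {}
    for field in ("registrar", "tld", "nameserver", "email"):
        values = {r.get(field, "") for r in enriched}
        if len(values) == 1:
            traits[field] = values.pop()
    return traits


if __name__ == "__main__":
    hits = run_query(SAMPLE_RECORDS, LUMMA_PIVOT)
    print("matched:", [r["domain"] for r in hits])
    print("shared traits:", shared_traits(hits))
```

Only the two rows registered after the cutoff, at PDR, on Cloudflare nameservers, under `.fun`, with an `inbox.eu` address and a "Firstname Lastname" registrant survive; the shared-trait summary then shows registrar and TLD as the cluster-wide constants while nameserver and email vary, which is exactly the kind of signal that justifies widening or tightening a pivot.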
Benefits
Silent Push’s WHOIS-based pivots enable users to:
Trace threat actor infrastructure despite DNS/hosting obfuscation.
Identify campaign clusters using registrar, time, email, and other metadata.
Enhance threat attribution when DNS or SSL data is insufficient.