Unfortunately, as of 16 April 2019, I’m still seeing traffic on this domain.

Here are some others I’m seeing:
Did NordVPN provide an explanation as to why this was happening?
No. They just said it would be fixed in the latest update. I have the latest update and am still seeing events from devices with the updated user-agent string.
I do not, in the slightest, believe what Nord are saying.
We too noticed these random domains. This is not a method you would use to see if an API call is working. This is what a botnet infected host does when it’s looking for a C&C server.
100% agreed. It is not expected behavior.
I have now 234 rules in LittleSnitch from URLs trying to be accessed from NordVPN.
This is getting very strange.
I tested a few of them, and for these, they were all registered on 2019-04-24 to NameCheap.inc