captive.g.aaplimg.com makes many outbound connections

On my MacBook, captive.g.aaplimg.com is making about one connection per 15 seconds. When I saw this in my Pi-hole logs I was suspicious of a rootkit. It appears to be the ExpressVPN daemon (expressvpnd) connecting with Apple to, ostensibly, verify internet connectivity and/or the time. The image below shows the tcpdump output revealing expressvpnd connecting with captive.g.aaplimg.com (underlined). If you are experiencing odd or frequent outbound requests, run tcpdump as shown below.

Issue command: sudo tcpdump

The key point is that connections to a given domain (in this case an Apple domain: captive.g.aaplimg.com) are not necessarily nefarious. This situation underscores that many legitimate app developers enlist stable domains for basic housekeeping functions (timekeeping, connectivity checks, etc.).
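Added example (not part of the original post): a short Python script that measures how regularly each client looks up each domain in a Pi-hole log, which is how a 15-second pattern like the one described above stands out before reaching for tcpdump. The dnsmasq-style line format, the assumed year, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Pi-hole (dnsmasq) query line, format assumed:
# "Mar 14 09:00:15 dnsmasq[1234]: query[A] example.org from 192.168.1.23"
QUERY_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")

def periodic_lookups(lines, year=2024, min_count=4, max_jitter=2.0):
    """Return {(client, domain): median gap in seconds} for steadily repeated lookups."""
    seen = defaultdict(set)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # replies, forwards and other non-query lines
        ts, domain, client = m.groups()
        # The log carries no year, so an assumed one is prepended before parsing
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        # A and AAAA queries sent in the same second collapse into one lookup
        seen[(client, domain.lower())].add(when)
    steady = {}
    for key, times in seen.items():
        ordered = sorted(times)
        if len(ordered) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        mid = median(gaps)
        # Steady means every gap lies within max_jitter seconds of the median
        if all(abs(g - mid) <= max_jitter for g in gaps):
            steady[key] = mid
    return steady

# Constructed sample log lines (not taken from the post)
SAMPLE = """\
Mar 14 09:00:00 dnsmasq[1234]: query[A] captive.g.aaplimg.com from 192.168.1.23
Mar 14 09:00:00 dnsmasq[1234]: query[AAAA] captive.g.aaplimg.com from 192.168.1.23
Mar 14 09:00:00 dnsmasq[1234]: reply captive.g.aaplimg.com is 192.0.2.10
Mar 14 09:00:05 dnsmasq[1234]: query[A] example.org from 192.168.1.23
Mar 14 09:00:15 dnsmasq[1234]: query[A] captive.g.aaplimg.com from 192.168.1.23
Mar 14 09:00:30 dnsmasq[1234]: query[A] captive.g.aaplimg.com from 192.168.1.23
Mar 14 09:00:40 dnsmasq[1234]: query[A] example.org from 192.168.1.23
Mar 14 09:00:46 dnsmasq[1234]: query[A] captive.g.aaplimg.com from 192.168.1.23
Mar 14 09:01:00 dnsmasq[1234]: query[A] captive.g.aaplimg.com from 192.168.1.23
Mar 14 09:03:10 dnsmasq[1234]: query[A] example.org from 192.168.1.23
Mar 14 09:03:12 dnsmasq[1234]: query[A] example.org from 192.168.1.23
"""
if __name__ == "__main__":
    print(periodic_lookups(SAMPLE.splitlines()))
```

A steady interval only shows that something on the client polls on a timer; attributing it to a process still takes a packet capture or a per-process socket listing on the machine itself.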

Lastly, I love ExpressVPN. If you read this post and are in need of a VPN service, ExpressVPN is the way to go. {ExpressVPN, if you read this I love your service, feel free to credit my account with additional months!}