Threat actors are abusing the .arpa TLD and delegated IPv6 address space to create reverse DNS FQDNs that resolve via A records, hosting hidden phishing content that bypasses reputation-based security controls. The campaigns combine this novel .arpa abuse with TDS-based redirects, hijacked dangling CNAMEs, and domain shadowing to deliver and rotate short-lived phishing links that impersonate legitimate brands. #ip6arpa #Cloudflare
Keypoints
- Actors abused delegated IPv6 address space and control of corresponding ip6.arpa zones to create reverse DNS FQDNs that resolve to A records, hosting phishing content via reputable DNS providers.
- Phishing emails use a single embedded image with a hidden hyperlink that points to an ip6.arpa reverse DNS string; clicks fingerprint the victim and redirect through a traffic distribution system (TDS) to the final phishing page.
- Threat actors leveraged free IPv6 tunnels to obtain /64 ranges and used providers such as Cloudflare and Hurricane Electric (and others) to configure name servers and A records for reverse DNS names.
- Campaigns also reused long-standing toolkit techniques: hijacking dangling CNAMEs and domain shadowing to abuse high-profile legitimate domains and subdomains in phishing links.
- Links in the emails have a short lifetime (usually days), perform multiple redirection and filtering checks (device type, residential IP), and often resolve through edge networks that hide the true hosting origin.
- Indicators include ip6.arpa reverse FQDNs with DGA-like subdomains, several malicious phishing domains, TDS domains, and examples of hijacked CNAME parent domains (e.g., publicnoticessites[.]com, hobsonsms[.]com, hyfnrsx1[.]com).
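The keypoints above turn on one piece of DNS mechanics: a holder of an IPv6 prefix is delegated the matching ip6.arpa zone, so they can publish any record type there, including A records, and prepend arbitrary labels. The following Python is an added example written for this page, not code from the original report or any vendor. It derives the ip6.arpa zone from a prefix with the standard library's `ipaddress` module, recovers the delegated prefix and any prepended (DGA-like) labels from a reverse name found in a link, scans an HTML email body for image-only hyperlinks, and flags ip6.arpa names that carry forward (A/AAAA) answers. The sample email body and the resolver answer set are constructed; the prefix 2001:470:36:edd::/64 is what the reverse name listed in the indicators section decodes to, and the `x7q2k` label is an invented stand-in for a randomly generated subdomain.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Single hex digit: the shape of every label in a well-formed ip6.arpa name.
HEX_NIBBLE = re.compile(r"^[0-9a-f]$")

# <a href="..."><img ...> : an image that is the sole visible content of a link.
IMG_LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>\s*<img\b', re.I | re.S)


def ip6_arpa_name(prefix: str) -> str:
    """Return the ip6.arpa zone delegated to the holder of an IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for a clean delegation")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex chars
    kept = nibbles[: net.prefixlen // 4]
    return ".".join(reversed(kept)) + ".ip6.arpa"


def prefix_from_arpa(name: str):
    """Inverse mapping: (delegated prefix, prepended non-nibble labels), or None."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        return None
    body = labels[:-2]
    nib = []
    # Walk from the label next to ip6.arpa (most significant nibble) leftwards and stop
    # at the first label that is not a single hex digit. Everything left of it is a
    # prepended label that a genuine reverse name would never carry.
    # Limitation: a prepended label that happens to be one hex character is absorbed.
    while body and HEX_NIBBLE.match(body[-1]):
        nib.append(body.pop())
    if not nib or len(nib) > 32:
        return None
    hexstr = "".join(nib)
    prefixlen = 4 * len(nib)
    padded = (hexstr + "0" * 32)[:32]
    addr = ipaddress.IPv6Address(int(padded, 16))
    return ipaddress.IPv6Network((addr, prefixlen)), body


def classify_link(url: str) -> dict:
    """Describe a link target: reverse name or not, delegated prefix, prepended labels."""
    host = urlparse(url).hostname or ""
    parsed = prefix_from_arpa(host)
    if parsed is None:
        return {"host": host, "ip6_arpa": False}
    net, extra = parsed
    return {
        "host": host,
        "ip6_arpa": True,
        "delegated_prefix": str(net),
        "prepended_labels": extra,
        # A reverse name as an HTTP link target is itself the anomaly to alert on.
        "suspicious": True,
    }


def scan_email_html(html: str) -> list:
    """Find image-only hyperlinks in an HTML email body and classify their targets."""
    return [classify_link(u) for u in IMG_LINK.findall(html)]


def reverse_names_with_forward_records(answers: dict) -> list:
    """Flag ip6.arpa names carrying A/AAAA answers; reverse zones normally hold PTR/NS."""
    return sorted(
        name for name, rrsets in answers.items()
        if name.lower().rstrip(".").endswith(".ip6.arpa")
        and (rrsets.get("A") or rrsets.get("AAAA"))
    )


# Constructed sample data (not from the original page): one lure email body and a
# hypothetical resolver answer set for the hosts it references.
SAMPLE_EMAIL = """
<html><body>
<a href="http://x7q2k.d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa/claim"><img src="cid:prize"></a>
<p>Unsubscribe: <a href="https://mail.example.net/unsub">here</a></p>
</body></html>
"""

SAMPLE_ANSWERS = {
    "x7q2k.d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa.": {"A": ["198.51.100.23"]},
    "d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa.": {"NS": ["ns.example-dns.invalid."]},
    "mail.example.net.": {"A": ["203.0.113.5"]},
}

if __name__ == "__main__":
    for hit in scan_email_html(SAMPLE_EMAIL):
        print(hit)
    print(reverse_names_with_forward_records(SAMPLE_ANSWERS))
```

The two checks complement each other at different control points: `scan_email_html` works on the message before a click and needs no DNS lookups, while `reverse_names_with_forward_records` is meant to run over passive DNS or resolver logs, where an ip6.arpa name answering with an A record stands out regardless of which provider hosts the zone.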
MITRE Techniques
- [T1566] Phishing: Use of spear- or mass-phishing emails with embedded lure images that hide malicious links to deliver credential/financial scams ("The spam emails in the phishing campaigns we analyzed impersonate major brands and promise a free prize.").
- [T1583] Acquire Infrastructure: Obtaining IPv6 address space, control of delegated ip6.arpa zones, and configuring DNS records to host malicious content ("The threat actor acquires some IPv6 address space, for which they are delegated control of the corresponding .arpa subdomain.").
- [T1583.001] Domain Names (Acquire Infrastructure sub-technique): Creating and using reverse DNS FQDNs under ip6.arpa (including random subdomains) as unique, trusted-looking landing links to evade domain-based defenses ("To make their reverse DNS domains harder to detect and block, they prepend the domain with a randomly generated subdomain to make each FQDN unique.").
- [T1598] Phishing via Redirects / Traffic Distribution (TDS): Use of traffic distribution systems and multi-stage redirects that fingerprint and filter victims before delivering the phishing landing page ("Once victims click on the lure image, they are redirected to one of several TDSs... It initially takes them to a page that analyzes their traffic.").
- [T1586] Compromise/Abuse of Third-Party Services (dangling CNAMEs / subdomain hijacking): Hijacking expired/abandoned CNAMEs and creating shadow subdomains under compromised credentials to host or redirect to phishing content ("We found over 100 instances where the threat actor used hijacked CNAMEs of well-known government agencies, universities, telecommunication companies, media organizations, and retailers.").
Indicators of Compromise
- [Reverse DNS IPv6 FQDN] IPv6 reverse DNS domains used as malicious links: d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2[.]ip6[.]arpa (and several similar DGA-like ip6.arpa FQDNs).
- [Phishing domains] Final malicious landing domains observed in campaigns: actinismoleil[.]sbs, cablecomparison[.]shop (and other short-lived phishing domains such as cheapperfume[.]shop, drumsticks[.]store).
- [TDS domains] Traffic distribution / redirect infrastructure: dulcetoj[.]com, golandof[.]com (also politeche[.]com, toindom[.]com, takt wo variants observed across campaigns).
- [Hijacked CNAME / Parent domains] Legitimate domains whose subdomains were hijacked or used as CNAMEs: publicnoticessites[.]com, hobsonsms[.]com (and hyfnrsx1[.]com as another abused parent domain).