Cybersecurity researchers at Infoblox Threat Intel have uncovered a highly sophisticated phishing campaign<\/a> that exploits the foundational plumbing of the internet to bypass enterprise security controls. <\/p>\n In a novel evasion tactic, threat actors are weaponizing the\u00a0 This approach actively circumvents traditional domain reputation checks, presenting a unique and emerging challenge for network defense systems.<\/p>\n Unlike conventional consumer-facing TLDs such as\u00a0 Its primary function is reverse DNS mapping<\/a>, which translates IP addresses back into domain names. It was fundamentally never designed to host public-facing websites or web content.<\/p>\n However, attackers have discovered critical blind spots in the DNS record management systems of certain providers. <\/p>\n By leveraging free IPv6 tunnel services, threat actors gain administrative control over specific IPv6 address blocks. <\/p>\n Instead of creating the expected reverse DNS pointer (PTR) records, they generate standard\u00a0 According to Infoblox<\/a>, the attack sequence typically begins with malspam emails impersonating major consumer brands. <\/p>\n These emails contain a single hyperlinked image that promises a free prize or falsely claims a subscription has been interrupted. When a victim clicks the image, they are redirected through a complex Traffic Distribution System (TDS). <\/p>\n The TDS fingerprints the user\u2019s traffic, specifically targeting mobile devices operating on residential IP addresses before finally delivering the malicious payload.<\/p>\n Alongside the\u00a0 By registering the expired domains that these abandoned CNAMEs still point to, attackers seamlessly hijack the digital reputation of highly trusted entities to mask their malicious traffic<\/a>.<\/a>\u200b<\/p>\n Dr. Ren\u00e9e Burton, VP of Infoblox Threat Intel, noted that weaponizing the\u00a0 Because reverse DNS domains possess an implicitly clean reputation and lack traditional registration data, standard security tools that rely on URL structure and blocklists fail to detect them. <\/p>\n Organizations must begin treating core DNS infrastructure as a potential attack surface and deploy specialized filtering to monitor unusual record additions in the\u00a0 Organizations must begin treating core DNS infrastructure as a potential attack surface and deploy specialized filtering to monitor unusual record additions in the\u00a0 Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Phishing Schemes Abuse .arpa TLD and IPv6 Tunnels to Evade Detection<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n.arpa<\/code>\u00a0top-level domain (TLD) and utilizing IPv6 tunnels to host malicious phishing content. <\/p>\n![\"An](\"https:\/\/i0.wp.com\/cyberpress.org\/wp-content\/uploads\/2026\/02\/image-90.png?ssl=1\")
.com<\/code>\u00a0or\u00a0.net<\/code>, the\u00a0.arpa<\/code>\u00a0domain is exclusively reserved for internal internet infrastructure. <\/p>\nA<\/code>\u00a0records for these\u00a0.arpa<\/code>\u00a0subdomains. This creates fully qualified domain names disguised as core infrastructure addresses, which security tools inherently trust and rarely scrutinize.<\/p>\nThe Attack Chain and Hijacked CNAMEs<\/strong><\/h2>\n
![\"\u00a0The](\"https:\/\/i0.wp.com\/cyberpress.org\/wp-content\/uploads\/2026\/02\/image-91.png?ssl=1\")
.arpa<\/code>\u00a0abuse, this campaign heavily relies on dangling CNAME hijacking. Threat actors have compromised abandoned subdomains belonging to reputable governments, media organizations, and universities. <\/p>\n.arpa<\/code>\u00a0namespace effectively turns the core of the internet into a phishing delivery mechanism. <\/p>\n.arpa<\/code>\u00a0namespace.<\/p>\nIndicators of Compromise (IOCs)<\/strong><\/h2>\n
\n\n
\n \nIndicator<\/th>\n Description<\/th>\n<\/tr>\n<\/thead>\n \n <10 random letters>.5.2.1.6.3.0.0.0.7.4.0.1.0.0.2[.]ip6[.]arpa<\/code><\/td>\nIPv6 reverse DNS domain with DGA subdomain<\/td>\n<\/tr>\n \n <10 random letters>.1.9.5.0.9.1.0.0.0.7.4.0.1.0.0.2[.]ip6[.]arpa<\/code><\/td>\nIPv6 reverse DNS domain with DGA subdomain<\/td>\n<\/tr>\n \n <10 random letters>.8.1.9.5.0.9.1.0.0.0.7.4.0.1.0.0.2[.]ip6[.]arpa<\/code><\/td>\nIPv6 reverse DNS domain with DGA subdomain<\/td>\n<\/tr>\n \n <10 random letters>.9.a.d.0.6.3.0.0.0.7.4.0.1.0.0.2[.]ip6[.]arpa<\/code><\/td>\nIPv6 reverse DNS domain with DGA subdomain<\/td>\n<\/tr>\n \n <10 random letters>.d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2[.]ip6[.]arpa<\/code><\/td>\nIPv6 reverse DNS domain with DGA subdomain<\/td>\n<\/tr>\n \n actinismoleil[.]sbs<\/code><\/td>\nMalicious phishing domain<\/td>\n<\/tr>\n \n cablecomparison[.]shop<\/code><\/td>\nMalicious phishing domain<\/td>\n<\/tr>\n \n cheapperfume[.]shop<\/code><\/td>\nMalicious phishing domain<\/td>\n<\/tr>\n \n drumsticks[.]store<\/code><\/td>\nMalicious phishing domain<\/td>\n<\/tr>\n \n fightingckmelic[.]makeup<\/code><\/td>\nMalicious phishing domain<\/td>\n<\/tr>\n \n dulcetoj[.]com<\/code><\/td>\nTDS domain<\/td>\n<\/tr>\n \n golandof[.]com<\/code><\/td>\nTDS domain<\/td>\n<\/tr>\n \n politeche[.]com<\/code><\/td>\nTDS domain<\/td>\n<\/tr>\n \n taktwo[.]com<\/code><\/td>\nTDS domain<\/td>\n<\/tr>\n \n toindom[.]com<\/code><\/td>\nTDS domain<\/td>\n<\/tr>\n \n publicnoticessites[.]com<\/code><\/td>\nDomain with a subdomain acting as a hijacked CNAME<\/td>\n<\/tr>\n \n hobsonsms[.]com<\/code><\/td>\nDomain with a subdomain serving as a hijacked CNAME<\/td>\n<\/tr>\n \n hyfnrsx1[.]com<\/code><\/td>\nDomain with a subdomain acting as a hijacked CNAME<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n .arpa<\/code>\u00a0namespace.<\/p>\n