APT28 hackers deploy customized variant of Covenant open-source tool

The Russian state-sponsored APT28 threat group is using a custom variant of the open-source Covenant post-exploitation framework for long-term espionage operations.

Also tracked as Fancy Bear, Forest Blizzard, Strontium, and Sednit, the APT28 hacker group is known for developing high-end implants and breaching notable entities, such as the German Parliament, multiple French organizations, government networks in Poland, and European NATO member countries.

Researchers at cybersecurity company ESET noticed that since April 2024, the Russian group has been using two implants, named BeardShell and Covenant, in its attacks.

“This dual-implant approach enabled long-term surveillance of Ukrainian military personnel,” ESET notes in a report today.

The two pieces of malware have been used recently to target central executive bodies of Ukraine in attacks that exploited the CVE-2026-21509 vulnerability in Microsoft Office via malicious DOC files.

The researchers uncovered these malware families after discovering SlimAgent, an implant deployed on a Ukrainian government system that is capable of keystroke capture, clipboard collection, and screenshot capture.

BeardShell is a modern implant that leverages the legitimate cloud storage service Icedrive for command-and-control (C2) communication. It can execute PowerShell commands in a .NET runtime environment and was used together with SlimAgent, according to a report from CERT-UA in June 2025.

ESET found that BeardShell also uses a unique obfuscation technique previously seen in Xtunnel, a network-pivoting tool that APT28 used in the 2010s.

In the recent attacks, the Russian threat group paired BeardShell with a heavily modified version of the open-source Covenant .NET post-exploitation framework.

The changes they introduced include deterministic implant identifiers tied to host characteristics, modified execution flow to evade behavioral detection, and new cloud-based communication protocols.

Since July 2025, the threat actor has used the Filen cloud provider with Covenant. Previously, the attacker used Koofr and pCloud services.

Covenant dashboard
Source: ESET

ESET says Covenant is used as the primary implant, and BeardShell serves as the fallback tool.

“Since 2023, Sednit developers have made a number of modifications and experiments with Covenant to establish it as their primary espionage implant, keeping BeardShell mainly as a fallback in case Covenant encounters operational issues, such as the takedown of its cloud-based infrastructure.” – ESET

ESET believes that APT28’s advanced malware development team returned to activity in 2024, giving the threat group new long-term espionage capabilities. The technical similarities with 2010-era malware indicate continuity in the threat group’s development team.

Source: BleepingComputer — Read original article

Fake Claude Code install guides push infostealers in InstallFix attacks

Threat actors are employing a new variation of the ClickFix social engineering technique, called InstallFix, to trick users into running malicious commands under the pretext of installing legitimate command-line interface (CLI) tools.

The technique exploits the now-common developer practice of downloading and executing scripts through ‘curl-to-bash’ commands from online sources without first inspecting what they fetch.

Researchers at Push Security, a browser threat detection and response company, found that attackers use the new InstallFix technique with cloned pages for popular CLI tools that serve malicious install commands.

Since the current security model “boils down to ‘trust the domain’,” and more non-technical users are now working with tools previously reserved for developers, InstallFix may become a larger threat, the researchers say.

In a report today, Push Security highlights a cloned installation page for Claude Code, Anthropic’s CLI coding assistant, that features the same layout, branding, and documentation sidebar as the legitimate source.

The difference is in the installation instructions for macOS and Windows (PowerShell and Command Prompt), which deliver malware from an attacker-controlled endpoint.

Comparison between the legitimate (top) and malicious page (bottom)
Source: Push Security

The researchers say that apart from the installation instructions, all links on the fake page redirect to the legitimate Anthropic site.

“So a victim that lands on the page and follows the fake instructions could continue normally without realizing anything had gone wrong,” Push Security notes in the report.

The attackers promote these pages through malvertising campaigns on Google Ads, causing malicious ads to appear in search results for queries such as “Claude Code install” and “Claude Code CLI.”

BleepingComputer could confirm that the malicious websites are still being promoted through Google-sponsored search results. When looking for the query “install claude code,” the first result was a Squarespace URL (claude-code-cmd.squarespace[.]com) pointing to a perfect clone of the official Claude Code documentation.

Sponsored Google search pushing fake Claude install sites
Source: BleepingComputer

Amatera infections

Based on Push Security’s analysis, the payload delivered through these InstallFix attacks is the Amatera Stealer, a piece of malware designed to steal sensitive data (cryptocurrency wallets, credentials) from compromised systems.

The malicious InstallFix commands for macOS contain base64-encoded instructions for downloading and executing a binary from a domain controlled by the attacker. In one case, BleepingComputer found that the threat actor used the domain wriconsult[.]com, which is currently down.

For Windows users, the malicious command uses the legitimate utility ‘mshta.exe’ to retrieve the malware and spawns additional processes, such as ‘conhost.exe’, to support execution of the final payload, the Amatera information stealer.

Cloned Claude install guide with malicious commands
Source: BleepingComputer

Amatera is a fairly new malware family, believed to be based on ACR Stealer, that is sold to cybercriminals as a subscription service (malware-as-a-service, MaaS).

The malware was recently observed distributed in separate ClickFix attacks that abused Windows App-V scripts for payload delivery. It can steal passwords, cookies, and session tokens stored in web browsers and collect system information while evading detection by security tools.

Push Security reports that the attacks are particularly evasive, in part because the malicious sites are hosted on legitimate platforms such as Cloudflare Pages, Squarespace, and Tencent EdgeOne.

The researchers also published a video showing how the InstallFix attack works, from the search query to copying a malicious command.

In a campaign last week, threat actors used the InstallFix technique with fake OpenClaw installers hosted in GitHub repositories that were promoted by Bing’s AI-enhanced search results.

Users looking for Claude Code must ensure they get installation instructions from official websites, block or skip all promoted Google Search results, and bookmark software download portals for tools they need to re-download frequently.

The researchers provide indicators of compromise that include the domains for serving the cloned guides, for hosting the malicious payloads, and the InstallFix commands.

Source: BleepingComputer — Read original article

Microsoft to enable Windows hotpatch security updates by default

Microsoft will turn on hotpatch security updates by default for all eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API, beginning with the May 2026 Windows security update.

The updates will be delivered through Windows Autopatch, the company’s enterprise service that automatically keeps Windows and Microsoft 365 software up to date.

Under the previous update model, IT administrators typically allowed 3 to 5 days for users to restart their devices before forcing compliance (a window that left their organizations exposed to attacks).

However, with this change, Microsoft estimates that the time to reach 90% patch compliance will be halved.

“Starting with the May 2026 Windows security update, Windows Autopatch is enabling hotpatch security updates by default because they are the quickest way to get secure. This change in default behavior will impact all eligible Microsoft Intune devices. Additional IT controls are coming in April,” Microsoft said.

“You can disable hotpatch updates at the tenant level and enable them for specific devices and vice versa. When you’re ready for hotpatch updates by default, just toggle ‘When available, apply without restarting the device (hotpatch)’ back to Allow,” it added.

Windows Autopatch management toggle (Microsoft)

Admins can check device readiness using the Hotpatch quality updates report in Intune to confirm whether devices have installed the April 2026 baseline update and meet the prerequisites to receive hotpatch updates in May.

Organizations that are not ready will be able to opt out at the tenant level using controls in Microsoft Intune (which will go live on April 1, 2026) by going through the following steps:

  1. Open Microsoft Intune.
  2. Navigate to Tenant administration > Windows Autopatch > Tenant management.
  3. Select the Tenant settings tab.
  4. Toggle the “When available, apply updates without restarting the device (hotpatch)” setting to either Allow or Block.

Because April is a hotpatch baseline month, admins have until May 11, 2026, before any hotpatch updates are deployed, providing them with enough time to review and adjust.

Windows Autopatch was first announced in April 2022 and reached general availability for customers with Windows Enterprise E3 and E5 licenses in July 2022.

Microsoft says that Windows Autopatch is now running on more than 10 million production devices, applying security fixes the moment they are installed, eliminating the need for a system restart.

Source: BleepingComputer — Read original article

Zero-Day Attacks on Enterprise Software Reach Record High, Google Warns

The number of zero-day vulnerabilities uncovered in enterprise software and appliances reached an all-time high last year, according to analysis by Google Threat Intelligence Group (GTIG).

In the report, released on March 5, GTIG said it tracked 90 zero-day vulnerabilities that were actively exploited by attackers during 2025. Google defines a zero-day as “a vulnerability that was maliciously exploited in the wild before a patch was made publicly available.”

This is higher than the 78 zero-days tracked during 2024 but lower than the record high of 100 zero-days tracked in 2023.

Google has also warned that the way attackers use zero-days is changing and that enterprise technology is now the primary target for exploitation. Of the zero-days identified during 2025, 43 (48%) targeted enterprise software and appliances, up from 36 (46%) in 2024.

GTIG said that the increase “underscores the shift toward enterprise infrastructure as a structural change in the threat landscape, reflecting the value of tools that enable privilege escalation, high-level access and broad scale of impact.”

Attackers Target Security and Networking Appliances

Of the zero-days that targeted enterprise products, almost half (21) affected security and networking solutions. These are attractive targets because exploiting a zero-day in them typically yields code execution on privileged infrastructure components and, through them, unauthorized access to the wider network.

In addition, security and networking appliances, including routers, switches and security appliances, often sit at the edge of the network, where defenders can overlook them. Attackers know this, which is why they target edge devices as they increasingly look to exploit zero-days in enterprise products.

“High-profile exploitation of enterprise tools and virtualization technologies demonstrates that attackers are deeply embedding themselves in critical business infrastructure,” said GTIG.

Source: Google Threat Intelligence Group

While targeting of enterprise applications is on the rise, for now, end users remain the most common target for zero-day exploitation, although the gap is closing. In 2025, 52% (47) of the tracked zero-days were used to exploit end-user platforms and products.

Of these, operating systems were the most targeted end-user product accounting for 24 (27%) of the tracked zero-days. The operating system most targeted by zero-days was Microsoft Windows.

Browser-Based Zero-Days Reach ‘Historic’ Low

The report pointed out that mobile operating systems saw a “notable” increase in targeting during 2025, with a total of 15 zero-days in 2025 compared to the nine identified in 2024.

Meanwhile, the number of browser-based zero-day vulnerabilities tracked during the period dropped to eight (9%), in what Google described as a “historical low.”

While one reason for this is that browsers are better secured than they were previously, GTIG also suggested that attackers’ operational security has improved, which has made their activity more difficult to track and may have reduced the volume of observed exploitation in this space.

The report also noted that during 2025, nine zero-days were linked to attacks by financially motivated threat groups, including two ransomware operations. This figure is nearly double the five zero-days attributed to financially motivated threat actors in 2024.

The report concluded that as nation-state-backed hacking operations (particularly those operating out of China), cybercriminal groups and others continue to use zero-day vulnerabilities, defenders should be prepared for when, not if, they are targeted.

“System architectures should be designed and built with ingrained security awareness, enabling inherent segmentation and least privilege access. Comprehensive defensive measures as well as response efforts require a real-time inventory of all assets to be audited and maintained,” said Google.

“While not preventative, continuous monitoring and anomaly detection, within both systems and networks, paired with refined and actionable alerting capabilities is a real-time way to detect and act against threats as they occur,” the company added.

Source: Infosecurity Magazine — Read original article

Chinese state hackers target telcos with new malware toolkit

A China-linked advanced persistent threat actor tracked as UAT-9244 has been targeting telecommunication service providers in South America since 2024, compromising Windows, Linux, and network-edge devices.

According to Cisco Talos researchers, the adversary is closely associated with the FamousSparrow and Tropic Trooper hacker groups, but is tracked as a separate activity cluster.

The assessment is made with high confidence and is based on overlaps in tooling, tactics, techniques, and procedures (TTPs), and victimology with attacks attributed to those threat actors.

The researchers note that while UAT-9244 shares the same target profile as Salt Typhoon, they could not establish a solid connection between the two activity clusters.

New malware targeting telco networks

The researchers found that the campaign used three previously undocumented malware families: TernDoor, a Windows backdoor; PeerTime, a Linux backdoor that uses BitTorrent; and BruteEntry, a brute-force scanner that builds proxy infrastructure (ORBs).

TernDoor is deployed through DLL side-loading, using the legitimate executable wsprint.exe to load malicious code from BugSplatRc64.dll, which decrypts and executes the final payload in memory (injected into msiexec.exe).

The malware contains an embedded Windows driver, WSPrint.sys, which is used to terminate, suspend, and resume processes.

Persistence is achieved via scheduled tasks and Windows Registry modifications, which are also used to hide the scheduled task.

Additionally, TernDoor can execute commands via remote shell, run arbitrary processes, read/write files, collect system information, and self-uninstall.

PeerTime is an ELF Linux backdoor that targets multiple architectures (ARM, AARCH, PPC, MIPS), suggesting it was designed to compromise a broad range of embedded systems and network devices used in telecom environments.

PeerTime installation flow
Source: Cisco Talos

Cisco Talos documented two versions of PeerTime: one variant is written in C/C++ and the other in Rust. The researchers also noticed Simplified Chinese debug strings in the instrumentor binary, an indicator of its origin.

Its payload is decrypted and loaded in memory, and its process is renamed to appear legitimate.

PeerTime, an ELF-based peer-to-peer (P2P) backdoor, uses the BitTorrent protocol for command-and-control (C2) communications, downloads and executes payloads from peers, and uses BusyBox to write the files on the host.

Finally, there’s BruteEntry, which consists of a Go-based instrumentor binary and a brute-forcing component. Its role is to turn compromised devices into scanning nodes, known as Operational Relay Boxes (ORBs).

BruteEntry infection chain
Source: Cisco Talos

The attacker uses the machines running BruteEntry to scan for new targets and brute-force access to SSH, Postgres, and Tomcat. Login attempt results are sent back to the C2 with task status and notes.

In a technical report today, Cisco Talos researchers provide details on the capabilities of the three pieces of malware, how they are deployed, and how they achieve persistence.

Cisco Talos researchers have listed indicators of compromise (IoCs) associated with the observed UAT-9244 activity, which defenders can use to detect and block these attacks early.

Source: BleepingComputer — Read original article

Massive GitHub malware operation spreads BoryptGrab stealer

Trend Micro found BoryptGrab stealer spreading through 100+ GitHub repositories, stealing browser data, crypto wallets, system information, and user files.

Trend Micro uncovered a campaign distributing the BoryptGrab information stealer through more than 100 GitHub repositories.

BoryptGrab is designed to collect browser and cryptocurrency wallet data, system details, and common files. Some variants also deploy a PyInstaller backdoor called TunnesshClient, which creates a reverse SSH tunnel to communicate with attackers.

The malware is distributed via ZIP archives posing as software tools and game cheats, linked to over 100 GitHub repositories.

“By tracing the infection chain, we were able to observe several ZIP archive files in the wild (all with similar naming conventions) that masquerade as common software tools (including gaming cheat hacks),” reads the report published by Trend Micro. “As the ‘github-io’ patterns in some ZIP file names suggest, searching for the software tool patterns leads to over a hundred public Github repositories delivering malware.”

Evidence such as Russian-language comments and infrastructure suggests the threat actors may have a Russian origin.

Attackers spread the malware through public GitHub repositories that pose as free software tools, game cheats, or utilities.

They stuff README files with SEO keywords so search engines rank the malicious repositories near legitimate results. One example mimics a Voicemod Pro download page and links to a GitHub-hosted site that looks like a normal project directory.

The page contains Russian comments and redirects visitors through a chain of encoded URLs until it reaches a fake download page that generates a ZIP archive containing the malware. Many repositories reuse the same logic and sometimes send tracking data to the attackers.

The downloaded ZIP files launch the infection through several methods. In one route, an executable side-loads a malicious libcurl.dll that decrypts a hidden launcher payload.

The launcher downloads the BoryptGrab information stealer and may also retrieve other payloads, including Vidar variants, a PyInstaller backdoor called TunnesshClient, and a Golang downloader named HeaconLoad. The launcher uses build names such as Shrek, Leon, or CryptoByte to request specific payloads and sets scheduled tasks to keep the malware running.

“Some launcher payload variants contain build names (with some differing from each other). The launcher payload passes the build name as the ‘-b’ argument when executing the BoryptGrab stealer it downloads,” the report continues.

Another infection path uses a VBS downloader that hides commands inside integer arrays. The script decodes PowerShell commands, downloads a launcher from a remote server, and can even add Microsoft Defender exclusions to avoid detection. That launcher then retrieves the BoryptGrab stealer and other tools from the attacker’s infrastructure.

In some variants, a .NET loader or embedded scripts trigger the same process, while others include the HeaconLoad downloader directly. HeaconLoad maintains persistence with registry entries and scheduled tasks, sends system information to a command-and-control server, and downloads additional bundles when available.

Several payloads rely on obfuscation techniques such as XOR-encrypted strings, dynamic API resolution, and code injection. Russian-language comments and log messages appear throughout the infrastructure and malware samples, suggesting the operators likely have a Russian background.

BoryptGrab is a C/C++ information stealer designed to collect large amounts of sensitive data from infected systems. The malware accepts optional command-line arguments such as --output-path to define where stolen data will be stored and --build-name to tag collected information. If attackers do not provide a build name, the malware uses a default value or relies on hardcoded identifiers such as CryptoByte, Shrek, Sonic, or Yaropolk, which help operators track infections.

Before collecting data, BoryptGrab performs anti-analysis checks.

“BoryptGrab detects whether it is executed in a virtual machine environment by querying registry entries and checking VM-related files. As part of its anti-analysis check, BoryptGrab also compares the names of running processes against a predefined list. It also attempts to execute with elevated privilege,” continues the report. “When the ‘--output-path’/‘-o’ argument is not given, BoryptGrab formats a default output path name using the current time, public IP address, and country code. Later, a directory with this output path name is created to stage collected data.”

It searches for signs of virtual machines, scans running processes against a predefined list, and attempts to gain elevated privileges. If no output path is specified, it creates a directory using the current time, public IP address, and country code to store stolen data.

The stealer targets data from many browsers, including Chrome, Edge, Firefox, Opera, Brave, Vivaldi, and Yandex. It uses techniques from public GitHub tools designed to bypass Chrome’s App-Bound Encryption and decrypt stored browser credentials. The malware loads an encrypted internal payload that extracts saved passwords and records installed applications.

BoryptGrab also downloads a helper tool to assist with Chromium-based browser extraction. Beyond browser data, it steals information from numerous desktop cryptocurrency wallets such as Exodus, Electrum, Ledger Live, Atomic, Binance, Wasabi, and Trezor. It captures screenshots, gathers system details, and includes a “file grabber” module that collects files with specific extensions from common directories. The malware also extracts Telegram files, browser passwords, and in newer variants, Discord tokens.

After gathering the data, BoryptGrab compresses and uploads the archive to the attacker’s server. Some variants also download TunnesshClient, a PyInstaller backdoor that establishes a reverse SSH tunnel, allowing attackers to run commands, move files, and use the infected system as a proxy.

“The BoryptGrab campaign illustrates an evolving threat ecosystem targeting users through deceptive software downloads and fake GitHub repositories,” concludes the report.

Source: SecurityAffairs — Read original article

Microsoft: Hackers abusing AI at every stage of cyberattacks

Microsoft says threat actors are increasingly using artificial intelligence in their operations to accelerate attacks, scale malicious activity, and lower technical barriers across all aspects of a cyberattack.

According to a new Microsoft Threat Intelligence report, attackers are using generative AI tools for a wide range of tasks, including reconnaissance, phishing, infrastructure development, malware creation, and post-compromise activity.

In many cases, AI is used to draft phishing emails, translate content, summarize stolen data, debug malware, and assist with scripting or infrastructure configuration.

“Microsoft Threat Intelligence has observed that most malicious use of AI today centers on using language models for producing text, code, or media. Threat actors use generative AI to draft phishing lures, translate content, summarize stolen data, generate or debug malware, and scaffold scripts or infrastructure,” warns Microsoft.

“For these uses, AI functions as a force multiplier that reduces technical friction and accelerates execution, while human operators retain control over objectives, targeting, and deployment decisions.”

Threat actor use of AI across the cyberattack lifecycle
Source: Microsoft

AI used to power cyberattacks

Microsoft has observed multiple threat groups incorporating AI into their cyberattacks, including North Korean actors tracked as Jasper Sleet (Storm-0287) and Coral Sleet (Storm-1877), who use the technology as part of remote IT worker schemes.

In these operations, AI tools help generate realistic identities, resumes, and communications to gain employment at Western companies and maintain access once hired.

Jasper Sleet leverages generative AI platforms to streamline the development of fraudulent digital personas. For example, Jasper Sleet actors have prompted AI platforms to generate culturally appropriate name lists and email address formats to match specific identity profiles. Threat actors might use the following types of prompts in this scenario:

Example prompt 1: “Create a list of 100 Greek names.”

Example prompt 2: “Create a list of email address formats using the name Jane Doe.”

Jasper Sleet also uses generative AI to review job postings for software development and IT-related roles on professional platforms, prompting the tools to extract and summarize required skills. These outputs are then used to tailor fake identities to specific roles.

The report also describes how AI is being used to assist with malware development and infrastructure creation, with threat actors using AI coding tools to generate and refine malicious code, troubleshoot errors, or port malware components to different programming languages.

Some malware experiments show signs of AI-enabled malware that dynamically generates scripts or modifies its behavior at runtime.

Microsoft also observed Coral Sleet using AI to quickly generate fake company sites, provision infrastructure, and test and troubleshoot their deployments.

When AI safeguards attempt to prevent the use of AI in these tasks, Microsoft says threat actors are using jailbreaking techniques to trick LLMs into generating malicious code or content.

In addition to generative AI use, Microsoft researchers have begun to see threat actors experiment with agentic AI to perform tasks autonomously and adapt to results.

However, Microsoft says AI is currently used primarily for decision-making rather than for autonomous attacks.

Because many IT worker campaigns rely on the abuse of legitimate access, Microsoft advises organizations to treat these schemes and similar activity as insider risks.

Furthermore, as these AI-powered attacks mirror conventional cyberattacks, defenders should focus on detecting abnormal credential use, hardening identity systems against phishing, and securing AI systems that may become targets in future attacks.

Microsoft is not alone in seeing threat actors increasingly using artificial intelligence to power attacks and lower barriers to entry.

Google recently reported that threat actors are abusing Gemini AI across all stages of cyberattacks, mirroring what Amazon observed in the campaign described below.

Amazon and the Cyber and Ramen security blog also recently reported on a threat actor using multiple generative AI services as part of a campaign that breached more than 600 FortiGate firewalls.

Source: BleepingComputer — Read original article

Iran-linked hackers target IP cameras across Israel and Gulf states for military intelligence

Researchers observed Iran-linked actors targeting IP cameras across Israel and Gulf countries, likely to support military intelligence and battle damage assessment.

According to the report, cyber operations are increasingly used to support military activity and battle damage assessment (BDA). During the Israel-Iran tensions, researchers from Check Point Software Technologies observed a surge in attacks targeting IP cameras across Israel and Gulf countries, including the UAE, Qatar, Bahrain, and Kuwait, as well as Lebanon and Cyprus. The activity, attributed to Iran-linked actors, relied on VPN and VPS infrastructure to scan devices, mainly Hikvision and Dahua Technology cameras, for known vulnerabilities.

“During the ongoing conflict, we identified intensified targeting of IP cameras from two manufacturers starting on February 28, originating from infrastructure we attribute to Iranian threat actors.

The targeting extends across Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus – countries that have also experienced significant missile activity linked to Iran. On March 1st, we additionally observed camera-targeting activity focused on specific areas in Lebanon.”

“We also observed earlier, more targeted activity against cameras in Israel and Qatar on January 14–15. These dates surround Iran’s temporary closure of its airspace, reportedly amid expectations of a potential U.S. strike.”

Researchers believe the goal was reconnaissance and real-time monitoring to support intelligence gathering and potential military targeting.

Threat actors targeted the following vulnerabilities in Hikvision and Dahua devices:

CVE              Vulnerability
CVE-2017-7921    An improper authentication vulnerability in Hikvision IP camera firmware
CVE-2021-36260   A command injection vulnerability in the Hikvision web server component
CVE-2023-6895    An OS command injection vulnerability in Hikvision Intercom Broadcasting System
CVE-2025-34067   An unauthenticated remote code execution vulnerability in Hikvision Integrated Security Management Platform
CVE-2021-33044   An authentication bypass vulnerability in multiple Dahua products

The researchers note that both Chinese manufacturers have patched all of the above issues.

Researchers analyzed exploitation attempts for CVE-2021-33044 and CVE-2017-7921 linked to infrastructure attributed to Iran.

In October 2021, experts warned that proof-of-concept (PoC) exploit code was available for two authentication-bypass vulnerabilities in Dahua cameras, tracked as CVE-2021-33044 and CVE-2021-33045. A remote attacker can exploit both vulnerabilities by sending specially crafted data packets to the vulnerable cameras.

Since early 2026, scanning activity targeting IP cameras has surged across Israel and several Middle East countries, often aligning with geopolitical tensions such as protests in Iran, U.S. military visits to Israel, and fears of potential strikes.

Similar patterns appeared during the June 2025 Israel-Iran conflict, when compromised cameras were likely used for reconnaissance and battle damage assessment, including a case involving a camera near Israel’s Weizmann Institute before a missile strike.

“One of the best-known cases occurred when Iran struck Israel’s Weizmann Institute of Science with a ballistic missile and had reportedly taken control of a street camera facing the building just prior to the hit,” concludes the report.

Defenders should reduce risks by removing public internet access to cameras and placing them behind VPN or zero-trust gateways. Organizations should change default passwords, enforce strong unique credentials, and keep device firmware updated. Cameras should run on isolated network segments with restricted outbound traffic. Security teams should also monitor for repeated login failures, suspicious remote access, and unusual outbound connections.

This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2017-7921 (CVSS score of 9.8), the improper authentication vulnerability affecting multiple Hikvision products, to its Known Exploited Vulnerabilities (KEV) catalog.

Source: SecurityAffairs

Hackers abuse .arpa DNS and IPv6 to evade phishing defenses

Threat actors are abusing the special-use “.arpa” domain and IPv6 reverse DNS in phishing campaigns that more easily evade domain reputation checks and email security gateways.

The .arpa domain is a special top-level domain reserved for internet infrastructure rather than normal websites. It is used for reverse DNS lookups, which allow systems to map an IP address back to a hostname.

IPv4 reverse lookups use the in-addr.arpa domain, while IPv6 uses ip6.arpa. In these lookups, the resolver queries a name derived from the IP address, written in reverse order and appended to one of these domains.

For example, www.google.com has the IP addresses 192.178.50.36 (IPv4) and 2607:f8b0:4008:802::2004 (IPv6). Querying Google’s IP of 192.178.50.36 via the dig tool resolves to an in-addr.arpa hostname and ultimately a regular hostname:

; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> -x 192.178.50.36
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59754
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;36.50.178.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
36.50.178.192.in-addr.arpa. 1386 IN     PTR     lcmiaa-aa-in-f4.1e100.net.

;; Query time: 7 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Mar 06 13:57:31 EST 2026
;; MSG SIZE  rcvd: 94

Querying Google’s IPv6 address of 2607:f8b0:4008:802::2004 in the same way shows the address rewritten as an ip6.arpa name, which then resolves to regular hostnames via PTR records, as shown below.

; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> -x 2607:f8b0:4008:802::2004
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31116
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.8.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
4.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.8.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. 78544 IN PTR tzmiaa-af-in-x04.1e100.net.
4.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.2.0.8.0.8.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa. 78544 IN PTR mia07s48-in-x04.1e100.net.

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Mar 06 13:58:43 EST 2026
;; MSG SIZE  rcvd: 171

Phishing campaign abuses .arpa domains

A phishing campaign observed by Infoblox uses the ip6.arpa reverse DNS TLD, which normally maps IPv6 addresses back to hostnames using PTR records.

However, attackers found that if they reserve their own IPv6 address space, they can abuse the reverse DNS zone for the IP range by configuring additional DNS records for phishing sites.

In normal DNS functionality, reverse DNS domains are used for PTR records, which allow systems to determine the hostname associated with a queried IP address.

However, attackers discovered that once they gained control over the DNS zone for an IPv6 range, some DNS management platforms allowed them to configure other record types that can be abused for phishing attacks.

“We have seen threat actors abuse Hurricane Electric and Cloudflare to create these records—both of which have good reputations that actors leverage—and we confirmed that some other DNS providers also allow these configurations,” explains Infoblox.

“Our tests were not exhaustive, but we notified the providers where we discovered a gap. Figure 2 depicts the process the threat actor used to create the domain used in the phishing emails.”

To set up the infrastructure, the attackers first obtained a block of IPv6 addresses via IPv6 tunneling services.

Infoblox’s overview of how the .arpa TLD is abused in phishing emails
Source: Infoblox

After gaining control of the address space, the attackers then generate reverse DNS hostnames from the IPv6 address range using randomly generated subdomains that are difficult to detect or block.

Instead of configuring PTR records as expected, the attackers create A records that point those reverse DNS domains to infrastructure hosting phishing sites.

The phishing emails in this campaign use lures that promise a prize, a survey reward, or an account notification. The lures are embedded in the emails as images linked to a reverse IPv6 DNS record, such as “d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa,” rather than a regular hostname, so the target doesn’t see a strange arpa hostname.
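As an added example (not code from Infoblox or BleepingComputer), a defender-side check built on the reverse-DNS mechanics described above: decode a full or partial ip6.arpa / in-addr.arpa name back to the prefix it covers, and flag email HTML whose links or images use such a name as their host, since a reverse DNS name is something resolvers query for PTR records and should never appear as a web link host. The sample email body is constructed; the .arpa name in it is the one quoted above.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Reverse DNS names are only ever queried for PTR records; one used as a link host is the anomaly.
ARPA_SUFFIX = re.compile(r"\.(ip6|in-addr)\.arpa\.?$", re.IGNORECASE)

def arpa_to_network(name: str):
    """Decode a full or partial reverse DNS name back to the prefix it covers
    (16 nibbles under ip6.arpa is a /64, the size a tunnel broker hands out)."""
    labels = name.rstrip(".").lower().split(".")
    parts = labels[:-2][::-1]  # drop the suffix, restore address order
    if labels[-2:] == ["ip6", "arpa"]:
        if len(parts) > 32 or not all(re.fullmatch(r"[0-9a-f]", p) for p in parts):
            raise ValueError(f"malformed ip6.arpa name: {name}")
        hexstr = "".join(parts).ljust(32, "0")
        addr = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.IPv6Network(f"{addr}/{4 * len(parts)}")
    if labels[-2:] == ["in-addr", "arpa"]:
        if len(parts) > 4 or not all(p.isdigit() and int(p) < 256 for p in parts):
            raise ValueError(f"malformed in-addr.arpa name: {name}")
        addr = ".".join(parts + ["0"] * (4 - len(parts)))
        return ipaddress.IPv4Network(f"{addr}/{8 * len(parts)}")
    raise ValueError(f"not a reverse DNS name: {name}")

class _LinkHosts(HTMLParser):
    """Collect the host of every href/src attribute in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            host = urlparse(value).hostname if key in ("href", "src") and value else None
            if host:
                self.hosts.append(host)

def arpa_links(html: str) -> dict:
    """Map each .arpa link host in an email body to the prefix it decodes to."""
    parser = _LinkHosts()
    parser.feed(html)
    return {h: str(arpa_to_network(h)) for h in parser.hosts if ARPA_SUFFIX.search(h)}

# Constructed sample modelled on the campaign: link and image both point at a
# partial ip6.arpa name (the one quoted in the article) instead of a hostname.
SAMPLE_EMAIL = """<p>You have a reward waiting!</p>
<a href="http://d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa/claim">
<img src="http://d.d.e.0.6.3.0.0.0.7.4.0.1.0.0.2.ip6.arpa/lure.png"></a>
<a href="https://www.example.com/unsubscribe">Unsubscribe</a>"""
```

The quoted name decodes to 2001:470:36:edd::/64; 2001:470::/32 is Hurricane Electric's tunnel-broker allocation, consistent with the IPv6 tunneling services the article describes.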

Phishing email lures
Source: Infoblox

When a victim clicks the phishing email image, the device resolves the .arpa hostname through its DNS provider, which in turn queries the attacker-controlled name servers for the reverse DNS zone.

HTML showing image and link using .arpa hostnames
Source: Infoblox

In some cases, the authoritative name servers were hosted by Cloudflare, and the reverse DNS domains resolved to Cloudflare IP addresses, hiding the location of the backend phishing infrastructure.

After clicking the image, victims are redirected through a traffic distribution system (TDS) that determines whether they are a valid target, commonly based on device type, IP address, web referers, and other criteria. If the visitor passes validation, they are redirected to a phishing site. Otherwise, they are sent to a legitimate website.

Infoblox says the phishing links are short-lived, only active for a few days. After the links expire, they redirect users to domain errors or other legitimate sites.

The researchers believe this is done to make it harder for security researchers to analyze and investigate the phishing campaign.

Furthermore, as the ‘.arpa’ domain is reserved for internet infrastructure, it does not include data normally found in registered domains, such as WHOIS info, domain age, or contact information. This makes it harder for email gateways and security tools to detect malicious domains.

The researchers also observed the phishing campaign using other techniques, such as hijacking dangling CNAME records and subdomain shadowing, allowing the attackers to push phishing content through subdomains linked to legitimate organizations.

“We found over 100 instances where the threat actor used hijacked CNAMEs of well-known government agencies, universities, telecommunication companies, media organizations, and retailers,” explained Infoblox.

By weaponizing trusted reverse DNS features used by security tools, attackers can generate phishing URLs that bypass traditional detection methods.

As always, the best way to avoid phishing attacks like these is to avoid clicking on unexpected links in emails and instead visit services directly through their official websites.


Source: BleepingComputer