According to Infoblox, a threat actor has been abusing the internet infrastructure TLD .arpa to host phishing content on domains that should not resolve to IP addresses at all. The campaign exploits DNS record management controls: the attacker obtains IPv6 address space, is delegated control of the corresponding .arpa subdomain, and then adds A records for reverse DNS names so that they serve phishing content.
The activity uses Cloudflare and Hurricane Electric as part of the DNS chain, with some domains shadowed by prepending randomly generated subdomains to create unique FQDNs. The phishing pages impersonate major brands and hide the actual domain behind a reverse DNS string and redirects, making detection harder.
Infoblox notes that hijacked CNAME records of education, government, media, retail and telecom entities were abused, and that reverse DNS domains were resolved to two IPs belonging to Cloudflare’s edge network. The campaign has been observed since September 2025, with some domains used in more than 100 email runs per day.
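A defender-side check that follows from the technique described above, added here as an example and not code from Infoblox: a reverse DNS name under ip6.arpa or in-addr.arpa should only carry PTR (and NS/SOA) data, so any A, AAAA or CNAME record under those zones is the signal, and any labels prepended in front of the nibble or octet run are the shadow subdomains. The passive-DNS records and hostnames are constructed for illustration, not indicators from the report.

```python
"""Flag forward-type records (A/AAAA/CNAME) published under reverse-DNS
zones (ip6.arpa / in-addr.arpa), where only PTR, NS and SOA data belong."""

HEX = set("0123456789abcdef")
FORWARD_TYPES = {"A", "AAAA", "CNAME"}

# Constructed sample of passive-DNS-style (name, rtype, rdata) tuples; these are
# illustrative values, not indicators from the Infoblox report.
REV6 = "1" + ".0" * 11 + ".8.b.d.0.ip6.arpa"  # 16 nibbles, i.e. a /64 reverse name
SAMPLE_RECORDS = [
    (REV6, "PTR", "host.example.net."),
    ("x7q2k." + REV6, "A", "192.0.2.10"),            # shadowed name with an A record
    ("4.3.2.1.in-addr.arpa", "PTR", "mail.example.org."),
    ("login-portal.4.3.2.1.in-addr.arpa", "CNAME", "edge.example-cdn.test."),
    ("www.example.com", "A", "198.51.100.5"),          # ordinary forward name
]


def split_arpa(name):
    """Return (zone, shadow_labels, reverse_labels), or None if not a reverse name.
    Reverse labels are the trailing run of hex nibbles (ip6.arpa, at most 32) or
    decimal octets (in-addr.arpa, at most 4); anything in front of that run is a
    label somebody prepended, i.e. a shadow subdomain."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        zone, body, max_rev = "ip6.arpa", labels[:-2], 32
        is_rev = lambda l: len(l) == 1 and l in HEX
    elif labels[-2:] == ["in-addr", "arpa"]:
        zone, body, max_rev = "in-addr.arpa", labels[:-2], 4
        is_rev = lambda l: l.isdigit() and int(l) <= 255
    else:
        return None
    i = len(body)
    while i > 0 and len(body) - i < max_rev and is_rev(body[i - 1]):
        i -= 1
    return zone, body[:i], body[i:]


def classify(name, rtype):
    """A forward-type record under a reverse zone is the finding: a reverse name
    should never resolve to a web server address."""
    parsed = split_arpa(name)
    if parsed is None or rtype.upper() not in FORWARD_TYPES:
        return None
    zone, shadow, rev = parsed
    return {"name": name, "zone": zone, "rtype": rtype.upper(),
            "shadow_labels": shadow, "reverse_depth": len(rev)}


def find_suspicious(records):
    return [f for f in (classify(n, t) for n, t, _ in records) if f]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_RECORDS):
        print(finding)
```

The same check can be run over proxy or mail-gateway URL logs by feeding each URL's hostname to `classify` together with the type of the record it actually resolved to.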