Unprecedented Abuse of .arpa Infrastructure TLD Uncovered in Sophisticated Phishing Campaign

Threat actors abuse the .arpa infrastructure TLD and DNS record controls at Cloudflare to host stealthy phishing sites, evading traditional domain filters.

By: AXL Media

Published: Mar 10, 2026, 7:17 AM EDT

Source: The information in this article was sourced from SecurityWeek


Exploiting the Backbone: The Weaponization of .arpa

In a significant departure from typical phishing tactics, a new campaign has been identified abusing the .arpa top-level domain (TLD). Unlike general-purpose TLDs such as .com or .org, .arpa is an infrastructure domain reserved for technical functions, chiefly reverse DNS: the in-addr.arpa and ip6.arpa zones map IPv4 and IPv6 addresses back to hostnames. Infoblox reports that threat actors are now using ordinary DNS record management controls to host live web content under these names. Because .arpa is part of the internet's core plumbing and is assumed to be benign, many security filters have no rule for it at all, so malicious links slip past perimeter defenses that would have caught a lookalike domain under a commercial TLD.

Mechanism of Attack: IPv6 Reverse Delegation and A-Record Abuse

The attack relies on how reverse DNS is delegated for IPv6 address space. Whoever holds an IPv6 block is delegated the matching zone under ip6.arpa so that they can publish PTR records for the addresses in that block. Instead of (or in addition to) legitimate PTR records, the attackers publish standard A records for names in that zone. Nothing in DNS itself forbids this: a reverse zone is an ordinary zone, and any record type can be placed in it, so a name that should only ever answer reverse-lookup (PTR) queries ends up resolving to a phishing web server. According to the researchers, DNS hosting providers such as Cloudflare and Hurricane Electric accepted these records without objection, giving the attackers a reliable, high-reputation platform for their lures. Any check has to happen at the DNS host or in the URL filter; a resolver will happily return the A record.

Stealth Through Obfuscation and Cloudflare Edge Integration

To extend the life of the campaign, the threat actor layers several forms of obfuscation. Randomly generated labels are prepended to the .arpa names, producing a unique fully qualified domain name (FQDN) for every phishing email; because the attackers control the whole delegated zone, any label under it resolves, and static blocklists built from individual FQDNs cannot keep pace. The identified FQDNs also resolve to IP addresses on Cloudflare's edge network, meaning the sites sit behind Cloudflare's reverse proxy: the A records point at Cloudflare, the origin server's real address is hidden, and reputation-based tools see traffic to a trusted global CDN. The practical countermeasure is simple, since legitimate web traffic to hostnames under .arpa is essentially nonexistent: alert on or block any HTTP(S) URL whose hostname ends in .arpa, regardless of what it resolves to.
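The two mechanisms described above, the zone a block holder is delegated and the randomly labelled .arpa hostnames in the lures, can both be worked through in code. The following is an added example, not code from Infoblox, SecurityWeek, or the campaign itself: it derives the ip6.arpa (or in-addr.arpa) zone for a given block, then scans a list of URLs, flags any whose hostname is under .arpa, and decodes the nibble or octet labels back into the delegated block while separating out the attacker-chosen labels in front of them. The sample URLs are constructed for the example and use the documentation ranges 2001:db8::/32 and 203.0.113.0/24; the in-addr.arpa handling generalizes beyond the IPv6-only campaign the report describes.

```python
"""Added example: reverse-zone derivation and .arpa phishing URL triage."""
import ipaddress
import re
from urllib.parse import urlparse

HEX_LABEL = re.compile(r"^[0-9a-f]$")                      # one ip6.arpa nibble
OCTET_LABEL = re.compile(r"^(25[0-5]|2[0-4]\d|1?\d?\d)$")  # one in-addr.arpa octet

# Constructed sample lure URLs (not real campaign data); documentation ranges only.
SAMPLE_URLS = [
    "https://k3j9x2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/login",
    "https://x7q2.8.b.d.0.1.0.0.2.ip6.arpa/verify",
    "https://n4w.10.113.0.203.in-addr.arpa/reset",
    "https://portal.example.com/login",
]


def zone_for_block(cidr):
    """Reverse zone delegated to the holder of a block, e.g.
    2001:db8::/32 -> 8.b.d.0.1.0.0.2.ip6.arpa. Reverse delegations fall on
    nibble boundaries for IPv6 and octet boundaries for IPv4."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 6:
        if net.prefixlen % 4:
            raise ValueError("ip6.arpa delegations fall on nibble boundaries")
        nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
        return ".".join(reversed(nibbles)) + ".ip6.arpa"
    if net.prefixlen % 8:
        raise ValueError("in-addr.arpa delegations fall on octet boundaries")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def decode_arpa_host(host):
    """Split an .arpa hostname into (zone_type, delegated_network, extra_labels).
    Labels adjacent to ip6.arpa / in-addr.arpa that are valid nibbles / octets
    are decoded back into the address prefix; whatever sits in front of them is
    attacker-chosen (the random per-email labels). Returns None for non-.arpa."""
    labels = host.lower().rstrip(".").split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        body, nibbles = labels[:-2], []
        while body and len(nibbles) < 32 and HEX_LABEL.match(body[-1]):
            nibbles.append(body.pop())  # popping from the ip6.arpa end yields address order
        if not nibbles:
            return ("ip6.arpa", None, body)
        addr = ipaddress.IPv6Address(int("".join(nibbles).ljust(32, "0"), 16))
        return ("ip6.arpa", ipaddress.IPv6Network((addr, 4 * len(nibbles))), body)
    if labels[-2:] == ["in-addr", "arpa"]:
        body, octets = labels[:-2], []
        while body and len(octets) < 4 and OCTET_LABEL.match(body[-1]):
            octets.append(body.pop())
        if not octets:
            return ("in-addr.arpa", None, body)
        addr = ipaddress.IPv4Address(".".join(octets + ["0"] * (4 - len(octets))))
        return ("in-addr.arpa", ipaddress.IPv4Network((addr, 8 * len(octets))), body)
    if labels[-1] == "arpa":
        return ("arpa", None, labels[:-1])
    return None


def flag_arpa_urls(urls):
    """One finding per URL whose hostname is under .arpa. Legitimate web links
    do not point there, so every hit is worth a look; the decoded block tells
    the analyst which reverse delegation the attacker controls."""
    findings = []
    for url in urls:
        host = urlparse(url).hostname
        decoded = decode_arpa_host(host) if host else None
        if decoded is None:
            continue
        zone_type, net, extra = decoded
        findings.append({
            "url": url,
            "zone_type": zone_type,
            "delegated_block": str(net) if net else None,
            "attacker_labels": extra,
        })
    return findings


if __name__ == "__main__":
    print(zone_for_block("2001:db8::/32"))
    for finding in flag_arpa_urls(SAMPLE_URLS):
        print(finding)
```

Run as a script, the example prints the zone for the documentation block and three findings: the first URL decodes to the single host 2001:db8::1/128 with the random label k3j9x2 in front of it, the second to the whole 2001:db8::/32 delegation, and the third to 203.0.113.10/32 under in-addr.arpa; the example.com URL is not flagged. In a mail gateway or proxy the `flag_arpa_urls` check can run on extracted URLs before any resolution happens, which sidesteps the Cloudflare-edge reputation problem entirely.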
