Ip6.arpa reverse-DNS phishing campaign using IPv6 tunneling
Campaign
Summary
A phishing campaign is abusing ip6.arpa reverse DNS and IPv6 tunneling to slip past domain reputation checks and email security gateways, making malicious links harder to block. Attackers are turning reverse-DNS infrastructure into phishing hosting by creating attacker-controlled records for IPv6 ranges. The messages use lures such as prize and account notification prompts, with the links hidden behind embedded images. The short-lived links and trusted DNS infrastructure make the operation more difficult to investigate and disrupt.
Related Happenings
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Europol-led takedown of Tycoon 2FA
Law Enforcement
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Europol** and partner agencies **dismantled Tycoon 2FA**, a **phishing-as-a-service** toolkit used for **AitM credential harvesting**, removing a major cybercrime platform and d...
Latest development: 17.04.2026 22:05
Following the Europol-led Tycoon 2FA takedown, phishers worldwide moved to rival PhaaS providers such as Mamba 2FA, EvilProxy, and Sneaky 2FA, while device code phishing accelerated and some actors reused Tycoon-era PDFs, source-code quirks, and techniques in EvilTokens-style account takeover campaigns.
RedAlert SMS phishing espionage campaign
Campaign
First: 03.03.2026 18:15
Last: 03.03.2026 18:15
Sources 1
About this happening:
A **RedAlert** mobile espionage campaign is using **SMS phishing** and a trojanized emergency app to target **civilians** during the **ongoing Israel-Iran conflict**. The operatio...
Jinkusu-Starkiller ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 03.03.2026 13:10
Last: 03.03.2026 13:10
Sources 1
About this happening:
**Jinkusu** is marketing **Starkiller** as a phishing-as-a-service platform that proxies live login pages to **bypass MFA** and capture session tokens. The service lets customers...
Timeline
08.03.2026 16:12 · 2 articles
ip6.arpa reverse-DNS phishing campaign
Initial Disclosure: Threat actors abuse ip6.arpa reverse DNS and IPv6 address space to host phishing infrastructure, obtaining IPv6 ranges through tunneling services, creating attacker-controlled A records instead of the expected PTR records, and hiding backend locations behind trusted DNS infrastructure such as Cloudflare and Hurricane Electric. The lures use prize, survey reward, or account notification imagery, and the links are short-lived to hinder analysis and detection.
- Hackers abuse .arpa DNS and ipv6 to evade phishing defenses — www.bleepingcomputer.com — 08.03.2026 16:12
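As an added example (not code from the article or from the campaign it describes), a small Python triage helper for mail defenders: it flags links whose hostname sits under ip6.arpa or in-addr.arpa, decodes the reverse name back to the IPv6 or IPv4 block it encodes so the hosting range can be reported, and notes when the link is hidden behind an image as the lures above are. The sample HTML and the documentation prefix 2001:db8:: are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lure, not a real campaign message: the reward link wraps an image
# and its hostname is the ip6.arpa reverse name of the documentation address 2001:db8::1.
SAMPLE_HTML = (
    '<p>Congratulations, claim your reward:</p>'
    '<a href="http://1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2'
    '.ip6.arpa/claim"><img src="cid:prize.png"></a>'
    '<a href="http://survey.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/">survey</a>'
    '<a href="https://example.com/unsubscribe">Unsubscribe</a>'
)
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)


def arpa_network(host):
    """Recover the address block an ip6.arpa / in-addr.arpa hostname encodes.
    Nibbles (octets for IPv4) are read from the .arpa end, so extra labels in front,
    e.g. survey.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa, still yield the delegated /48."""
    labels = host.lower().rstrip(".").split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        v6, pat, width = True, r"[0-9a-f]", 32
    elif labels[-2:] == ["in-addr", "arpa"]:
        v6, pat, width = False, r"25[0-5]|2[0-4]\d|1?\d?\d", 4
    else:
        return None  # not a reverse-DNS name at all
    parts = []
    for lab in reversed(labels[:-2]):  # label nearest .arpa is the most significant
        if len(parts) == width or not re.fullmatch(pat, lab):
            break
        parts.append(lab)
    if not parts:
        return None
    if v6:
        addr = ipaddress.IPv6Address(int("".join(parts).ljust(32, "0"), 16))
        return ipaddress.IPv6Network((addr, 4 * len(parts)))
    addr = ".".join(parts + ["0"] * (4 - len(parts)))
    return ipaddress.IPv4Network((addr, 8 * len(parts)))


def flag_reverse_dns_links(html):
    """Flag links hosted under reverse-DNS names (never legitimate web hosts in mail)."""
    hits = []
    for url, inner in LINK_RE.findall(html):
        host = urlparse(url).hostname or ""
        if (net := arpa_network(host)) is not None:
            image_only = re.fullmatch(r"\s*(<img\b[^>]*>\s*)+", inner) is not None
            hits.append({"url": url, "host": host, "block": str(net), "image_only": image_only})
    return hits
```

The decoded block is what to pivot on: a /48 or /64 handed out by a tunnel broker identifies the attacker's allocation even when the individual links are rotated.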