Threat actors weaponizing .ZIP domains to trick victims

Target Industry

Indiscriminate, opportunistic targeting.

Overview

A phishing technique known as “file archiver in the browser” uses a ‘.ZIP’ domain to emulate file archiver software inside the web browser. Because .ZIP is a registrable top-level domain, a string that looks like an archive filename (a hostname ending in .zip) can also be a valid website address. A threat actor registers such a domain and uses HTML and CSS to build a landing page that imitates a genuine file archiver programme such as WinRAR. A victim who visits the domain expecting to open an archive is instead presented with a convincing web page under the threat actor’s control, which makes the subsequent social engineering (for example, prompting the victim to “extract” or open a file) far more credible.

Impact

  • Data Breach: A successful phishing attempt using a fake browser-based archive tool can lead to a data breach that exposes sensitive customer data, proprietary information and corporate secrets.
  • Financial Loss: Phishing attacks may cause financial losses through fraud, unauthorised transactions, lost business opportunities and the legal costs of data breach clean-up.
  • Operational Disruption: A successful phishing attack can halt business operations by compromising systems, networks and infrastructure. Downtime, reduced productivity and disruption of essential services can in turn harm customer satisfaction.
  • Reputation Damage: A phishing attack can damage a company’s reputation: customers may lose trust, stakeholders may question its security procedures, and competitors may exploit the situation to gain an edge.
  • Regulatory and Legal Repercussions: Phishing attacks frequently involve the theft of financial and personal information, which can carry regulatory and legal consequences.

Vulnerability Detection

Detecting a phishing page that imitates a file archiver in the browser requires both technical controls and user awareness. The following techniques can help identify such pages and the ‘.ZIP’ domains that host them:

  • Web Filtering: Web filtering (proxy, DNS or secure web gateway policies) can block access to known malicious websites and URLs associated with this technique, and can flag or block browsing to domains under the ‘.ZIP’ top-level domain where there is no business need for it.
  • Reputation Services: The reputation of websites or files can be evaluated using reputation services built into browsers, security products or web services.
  • Browser Add-Ons: Browser add-ons and extensions can improve security by scanning websites for potential risks. These extensions may use known indicators or behaviour analysis to identify and block dangerous pages and file downloads, including zip archives.
  • User Awareness: Educate users about safe browsing practices, including that an address ending in .zip may be a website rather than a file, and warn them about the risks of downloading and opening zip archives from untrusted sources.

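As an added example (not code from the original bulletin or from any vendor), the following Python script shows the web-filtering and log-review check described above. It parses URLs out of constructed proxy log lines and flags only those whose hostname sits under the ‘.ZIP’ top-level domain, so an ordinary download path such as /downloads/report.zip on a normal host is not flagged. It parses the URL properly rather than matching “.zip” as a substring, because the hostname is what matters and a ‘.zip’ string in the path or in the user-info portion before an ‘@’ does not make the host a .zip domain. The log format, hostnames and IP addresses are assumptions made for illustration.

```python
"""Flag URLs whose host is under the .zip TLD in web proxy logs.

Added example, not part of the original bulletin. The log lines and their
format ("<timestamp> <client> <method> <url> <status>") are constructed for
illustration and are an assumption, not a specific product's format.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# TLDs that look like file extensions. The bulletin covers .zip; other
# file-extension-like TLDs could be added here if policy requires.
FILE_LIKE_TLDS = {"zip"}

# Constructed sample lines (assumed format). Hosts use reserved example names.
SAMPLE_LOG = """\
2023-05-22T09:14:03Z 10.0.0.12 GET https://www.example.com/downloads/report.zip 200
2023-05-22T09:15:41Z 10.0.0.12 GET https://setup.zip/ 200
2023-05-22T09:16:10Z 10.0.0.17 GET https://Invoice-2023.ZIP/open 200
2023-05-22T09:17:55Z 10.0.0.17 GET https://www.example.com@update.zip/ 200
2023-05-22T09:19:30Z 10.0.0.23 GET https://files.example.org/archive/v1.zip 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if there is none.

    urlsplit().hostname drops the user-info ("user@") and port parts of the
    authority and lowercases the result, so "https://www.example.com@update.zip/"
    correctly resolves to the host "update.zip", not "www.example.com".
    """
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def tld_of(host: str) -> str:
    """Return the last DNS label of a hostname (its top-level domain)."""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def is_file_like_domain(url: str) -> bool:
    """True when the URL's host (not its path) is under a file-like TLD."""
    host = host_of(url)
    return bool(host) and tld_of(host) in FILE_LIKE_TLDS


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose URL host is a file-like domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        url = m["url"]
        if is_file_like_domain(url):
            hits.append({"client": m["client"], "host": host_of(url), "url": url})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} visited .zip domain {hit['host']}: {hit['url']}")
```

Running the script prints the three constructed visits to setup.zip, invoice-2023.zip and update.zip; the two downloads of .zip files from ordinary hosts are left alone. The same `is_file_like_domain` check can be used to generate a block list for a proxy or to enrich SIEM alerts with the offending client address.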
Containment, Mitigations & Remediations

  • End User Training: Employees should be trained to recognise the markers of phishing emails and websites and to refrain from opening files from unverified sources.
  • Endpoint Protection: Endpoint security tools such as antivirus and anti-malware software should be used to scan files, including the contents of zip archives, and to block malicious files before they can execute on endpoints.
  • Software Updates: Keep all software up to date with the latest security patches, including operating systems, applications, browsers and archive tools.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Phishing attacks now use more sophisticated social engineering tactics and more convincingly designed emails, websites and login pages to lure their targets. In addition, threat actors are increasingly focusing their efforts on particular people or organisations, a practice known as spear phishing or whaling. Personalising the messages makes them appear more trustworthy and increases the likelihood that the attack succeeds.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

T1566 – Phishing

T1566.003 – Phishing: Spearphishing via Service

Further Information

Don’t Click That ZIP File! Phishers Weaponizing .ZIP Domains to Trick Victims
