Abusing .arpa: The TLD That Isn’t Supposed to Host Anything
ID: debcf79f-9382-53d7-b8ac-3e3dd908166c
STIX ID: report--debcf79f-9382-53d7-b8ac-3e3dd908166c
Feed Name: Infoblox Blog
This intelligence report describes phishing campaigns that weaponize IPv6 reverse DNS (ip6.arpa) by creating A records for reverse FQDNs. The campaigns combine this technique with hijacked CNAMEs, subdomain shadowing, and traffic distribution systems (TDS) to evade detection and host malicious landing pages. The report includes campaign timelines, example HTML and lures, provider abuse (Cloudflare, Hurricane Electric), short-lived indicators, and a table of observed domains and TDS hosts.
