ZIP domains phishing

Clever ‘File Archiver In The Browser’ phishing trick uses ZIP domains

@ndma 29 May 2023


A new 'File Archivers in the Browser' phishing kit abuses ZIP domains by displaying fake WinRAR or Windows File Explorer windows in the browser to convince users to launch malicious files.

Earlier this month, Google began offering the ability to register ZIP TLD domains, such as, for hosting websites or email addresses. Since the TLD's release, there has been quite a bit of debate over whether they are a mistake and could pose a cybersecurity risk to users.

While some experts believe the fears are overblown, the main concern is that some sites will automatically turn a string that ends with '.zip,' like, into a clickable link that could be used for malware delivery or phishing attacks.

For example, if you send someone instructions on downloading a file called, Twitter will automatically turn into a link, making people think they should click on it to download the file.

Security researcher mr.d0x has developed a clever phishing toolkit that lets you create fake in-browser WinRar instances and File Explorer Windows that are displayed on ZIP domains to trick users into thinking they are opened .zip file.

In a demonstration shared with BleepingComputer, the toolkit can be used to embed a fake WinRar window directly in the browser when a .zip domain is opened, making it look like the user opened a ZIP archive and is now seeing the files within it.

While it looks nice when displayed in the browser, it shines as a popup window, as you can remove the address bar and scrollbar, leaving what appears to be a WinRar window displayed on the screen, as shown below.

While the toolkit still displays the browser address bar, it is still likely to trick some users into thinking this is a legitimate WinRar archive. Furthermore, creative CSS and HTML could likely be used to refine the toolkit further.

mr.d0x also created another variant that displays a fake in-browser Windows File Explorer pretending to open a ZIP file. This template is more of a work in progress, so has some items missing.

Top Used Phishing TLDs in 2022

According to research done by the Cybercrime Information Center, the top 10 TLDs are:

  • .com

  • .cn

  • .tk

  • .ml

  • .xyz

  • .buzz

  • .shop

  • .cf

  • .net

  • .ga

Google has released eight new top-level domains (TLDs). These TLDs have various purposes, including potential commercial value for law firms, usefulness for academics, and a potential security concern due to two TLDs being based on file extensions.

The eight new TLDs are:

  • .dad

  • .phd

  • .prof

  • .esq

  • .foo

  • .zip

  • .mov

  • .nexus


Last updated