A (6:02)
New InstallFix social engineering tricks target coding novices, criminals abuse the ancient ARPA top-level domain in clever phishing attacks, ZombieZip helps get malware past modern security tools, Iranian and Russian teams ramp up cyber retaliation, and Israel responds with a humorous video. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started. A new cyber attack campaign dubbed InstallFix is exploiting the popularity of AI coding assistants like Anthropic's Claude Code to deliver malware to unsuspecting users. This campaign, reported by Dark Reading, combines malvertising with social engineering to target developers and organizations that use AI tools. Researchers at Push Security recently uncovered fake installation pages for Claude Code spreading through Google sponsored ads. These cloned pages mimic the official site for Anthropic's coding assistant, making them almost indistinguishable from the real thing. Users searching for terms like "Claude Code" or "Claude Code install" are being lured into clicking on these malicious links that appear above legitimate search results. Once on the fake site, users are instructed to copy and paste install commands into their system terminals. However, these commands deploy the Amatera Stealer malware instead of installing legitimate software. The malware is designed to steal sensitive developer credentials, potentially granting attackers access to enterprise development environments. The InstallFix campaign builds on the ClickFix social engineering technique, which uses fake error messages or CAPTCHA bot challenges to trick users into executing malicious commands. This variation is particularly dangerous because it targets users who are already comfortable working with command line interfaces and accustomed to pasting commands directly into terminals, an insecure practice that unfortunately has become common in the tech world. According to Push Security, attackers are specifically targeting Claude Code.
Due to its rapid adoption across multiple industries, the tool has become a go-to assistant for developers and organizations, making it a high-value target. The campaign also takes advantage of Google sponsored ads, which bypass traditional email security measures like phishing filters. These malicious ads appear at the top of search results, fooling users into clicking links that seem legitimate, and here is your regular reminder that Google and others are not required to know who the purchasers putting out these ads are. Additionally, the attackers are hosting the fake install pages on domains from trusted providers like Cloudflare Pages, Tencent EdgeOne and Squarespace. This makes malicious sites appear even more credible and harder to detect. The attack is a wake-up call for organizations, and especially for developers, to revisit some core security practices. Push Security warns that this is a "fast-moving situation", with malicious domains being created quickly and taken down; it's cat and mouse out there. While indicators of compromise can help, the short lifespan of these domains means the best defense is user caution and robust security practices. As cybercriminals continue to adapt their tactics to exploit AI adoption and rising interest in tools like Claude Code, organizations must stay vigilant in order to protect both their developers and their enterprise environments. For more details on this campaign, check out darkreading.com. A new phishing campaign is leveraging the special-use .arpa domain and IPv6 reverse DNS to bypass traditional phishing defenses. This creative abuse of Internet infrastructure highlights a growing trend of attackers exploiting trusted systems for malicious purposes. The ARPA domain, typically reserved for core Internet infrastructure and tied to the original history of the Internet and ARPANET, is meant to support reverse DNS lookups, a process that maps IP addresses back to host names.
IPv4 reverse lookups use the in-addr.arpa domain, while IPv6 lookups rely on ip6.arpa. However, cybercriminals have discovered a way to weaponize this system for phishing attacks. In these malicious campaigns, attackers first acquire their own block of IPv6 addresses through tunneling services. By gaining control of the DNS zone for this address space, they can manipulate the reverse DNS zone to create additional DNS records, such as A records that point to phishing sites. For example, a phishing email may include a link disguised as a legitimate image or message, but the underlying URL directs victims to a malicious reverse DNS domain. Because these domains are tied to the .arpa TLD, they lack traditional domain registration data such as WHOIS information or domain age. This makes them much harder for email security gateways and other detection tools to flag as suspicious. When a user clicks on the link, their device resolves the attacker-controlled reverse DNS name servers, which then redirect them to a phishing site via a traffic distribution system. This traffic distribution system filters users based on factors like device type, IP address and web referrers to ensure that only valid targets are directed to the phishing site. Non-targets are sent to legitimate websites, further complicating automated analysis by security researchers. The phishing emails observed with this campaign use common lures such as fake surveys, prize offers or account notifications. These tactics aim to trick users into clicking on links that lead to attacker-controlled domains. Researchers at Infoblox discovered that attackers are abusing trusted DNS providers like Hurricane Electric and Cloudflare to host their malicious reverse DNS records. In some cases, phishing links even resolve to a Cloudflare IP address, effectively hiding the true location of the attacker's backend infrastructure.
In addition to ARPA abuse, the campaign also employs other advanced phishing techniques, such as hijacking dangling CNAME records and using subdomain shadowing. These methods allow attackers to serve phishing content through subdomains associated with legitimate organizations, further boosting their credibility. The campaign exemplifies how threat actors are increasingly exploiting trusted Internet infrastructure to evade detection. The ARPA domain, being a key component of the Internet's backbone, was never designed for this kind of web traffic, and its special status makes it an attractive tool for attackers looking to bypass traditional security measures. As phishing tactics grow more sophisticated, staying vigilant and adopting layered security measures involving both technical security controls and user education are critical. This story is a great reminder that often, when vendors say they stop 99.9% of phishing, what they actually mean is they stop 99.9% of the phishing they detect. And hackers, they're always looking for clever ways, whether it's old school, bleeding edge, or a combination of the two approaches. In this case, a new malware delivery technique dubbed ZombieZip is helping cybercriminals evade detection by antivirus and endpoint detection and response tools. The method, first reported by BleepingComputer, manipulates ZIP file headers to conceal malicious payloads, exploiting how security tools process compressed files. The ZombieZip technique tricks security solutions into believing that the compressed data within the ZIP file is uncompressed. Normally, security tools scan the contents of ZIP files to detect potential threats. However, by manipulating the ZIP header, specifically the method field, attackers confuse these tools into treating compressed data as uncompressed. For example, when the method field is set to "stored", a flag indicating uncompressed data, security tools scan the file as though it contains raw uncompressed bytes.
The problem arises because the data is actually compressed using the Deflate algorithm, and the tools fail to identify malicious payloads that can be hidden inside. Standard extraction utilities like WinRAR and 7-Zip detect errors on corrupted data when attempting to decompress these files, but a purpose-built loader created by threat actors can ignore these manipulated headers and correctly extract the payload. This loader allows attackers to recover the malicious content hidden within the ZIP file. The ZombieZip technique was devised by Chris Aziz, a security researcher at Bombadil Systems, and demonstrated in a proof of concept published on GitHub. During testing, the technique bypassed 50 out of 51 antivirus engines on VirusTotal, highlighting a significant gap in some of the current security defenses. The CERT Coordination Center has assigned CVE-2026-0866 to the issue and issued a bulletin warning about the risks posed by malformed archive files. They noted that this vulnerability is reminiscent of CVE-2004-0935, a similar flaw disclosed over 20 years ago. The agency recommends that security tool vendors validate compression method fields against the actual data, implement mechanisms to detect inconsistencies in archive structures, and adopt more aggressive archive inspection modes. A surge in cyber retaliation has followed recent military strikes by the United States and Israel against Iran, with hacktivist groups launching a wave of disruptive cyber operations. According to new analysis from Intel 471, these campaigns involve distributed denial of service, or DDoS, attacks, data breach claims and website defacements targeting governments, defense contractors and critical infrastructure. The report highlighted how ideological and state-aligned groups have mobilized to amplify propaganda, signal support and retaliate against perceived adversaries.
From February 27 to March 6, Israel was by far the most impacted region, followed by Kuwait, Jordan, Bahrain, Qatar and the UAE. The top targeted sectors included national government, aerospace and defense, and technology. Pro-Iranian groups such as Hendelah Haq, We Are UST and Unit 313 claimed responsibility for attacks on oil and gas organizations, research institutes and military systems across Israel, Jordan, Saudi Arabia and Bahrain. Other groups like the Cyber Islamic Resistance targeted Israeli communications providers, while the Iraqi FAD team and North African Chemos launched DDoS attacks on Israeli control systems and telecommunications companies. Additionally, pro-Russian groups such as NoName057(16) and Z-Pentest Alliance declared solidarity with Iran, targeting Israeli entities under the OpIsrael banner. These groups claim to have disrupted military systems, telecommunications providers and private companies, and included alleged breaches of Israel's Iron Dome infrastructure. That's the key missile defense system that Israel relies on to defend against rocket attacks. While the volume of attacks is significant, experts suggest the actual damage has been limited. Much of the claimed activity is likely exaggerated to create psychological impact and attract media attention. According to Intel 471, these attacks are often more symbolic than materially disruptive, with many focusing on DDoS and AI-driven misinformation campaigns. Looking ahead, Intel 471 expects that pro-Iranian and pro-Russian hacktivist activity will continue and will remain focused on DDoS attacks, breach claims and disinformation campaigns targeting government systems, banking, oil and gas, and telecommunications. While the intensity of attacks may decline over time, state-aligned adversaries and devoted hacktivist groups are likely to persist.
The Israeli National Cyber Directorate on Tuesday put out an unprecedented video of counter-psychological warfare targeting Iranian hackers, who have been in overdrive trying to spread digital chaos against Israel since the current war started. I watched the video and honestly, it's kind of hilarious. You can catch it with English subtitles at the Jerusalem Post. The link will be in the show notes or below our YouTube video. Honestly, if we could move from real warfare and bombing to just mean-girl-vibe videos like this on YouTube, I can get behind that. That's Cybersecurity Today for Wednesday, March 11, 2026. Thanks for listening and thanks for your continued support. Thanks for leaving reviews, ratings and sharing the show with others. We'd love to reach even more people this year and we continue to need your help. Have a great rest of your week. Jim Love will be back on the news desk on Friday.