FortiGuard Labs Discovers .ZIP Domains Fueling Phishing Attacks

According to Fortinet Labs, third parties have already purchased top-level domains (TLD) such as and, which could potentially be a breach of the Anticybersquatting Consumer Protection Act (ACPA).

A TLD like Businesscentral.ZIP was found to automatically download a malicious executable titled file.exe whenever a user visited the domain.

Phishing attacks have irked the cybersecurity fraternity for more than a decade due to the clever masquerading tactics threat actors use to make these attacks successful. In its FortiGuard Labs Global Threat Landscape Report 2022 released on July 17, 2023, the company found phishing the primary attack method to acquire initial access in a network breach.

.ZIP domain and Phishing Attacks

Threat actors are constantly improving this vector as FortiGuard Labs’ researchers Jonas Walker and Fred Gutierrez have discovered that .ZIP domain is the latest addition to threat actors’ phishing weaponry.

As per the report FortiGurad shared with, TLDs (top-level domains) represent a domain name’s final segment, such as .COM, .ORG, or .NET, etc. These names have a critical role in the web structure for being the highest level of domain names in the DNS hierarchy.

Over time, hundreds of new TLDs have appeared, called generic TLDs or gTLDs, which offer customized addresses for organizations and users that resonate with their brand, such as,, or These generic TLDs have opened new doors for threat actors to exploit, and the recent availability of .ZIP domains for public purchasing has extended its exploitation scope considerably.

The emergence of gTLDs has already made detecting phishing attacks difficult. Now, adding a commonly used file extension for compressed files, the .ZIP domain, will make it more complex by creating confusion, particularly among non-techno-savvy users. It will serve as an effective tool for phishers as the domain will add authenticity to a fraudulent site.

An unsuspecting user would consider it a file extension and download it without hesitation. One such attempt was detected recently when several users reported about the chatgptzip file registered on 20th May and offering a download link promising the latest chatbot version. However, the ZIP archive contained this message:

Then another file registered on 15th May, titled assignmentzip, was found that redirected visitors to a downloadable ZIP archive containing clean files. In another case, researchers found voorbeeldzip registered on 20th May, which in English means example.

FortiGuard Labs Discovers .ZIP Domains Fueling Phishing Attacks
(Fortinet Labs)

Researchers noted that these files didn’t collect any information yet, but malicious websites are created to exploit the popularity of .ZIP extension. Such as, the 42zip domain, registered on 15th May, automatically downloaded a zip file and launched the classic Zip Bomb attack.

The domains excelpatchzip and outlook365updatezip are also examples of malicious TLDs. The domain businesscentralzip automatically downloaded a malicious executable titled file.exe. Some other malicious domains include:

  • joomlazip
  • msnbczip
  • nozominetworkszip
FortiGuard Labs Discovers .ZIP Domains Fueling Phishing Attacks
The two .ZIP domains aimed at the login credentials of Gmail and Outlook users (Fortinet Labs)

To stay safe, FortiGuard Labs urges users to bloc .ZIP domains at the firewall level as a blanket strategy and use web filters and browser extensions to assess the authenticity of a website and double-check URLs before clicking, particularly when shared by an unsolicited source. Lastly, always update antivirus programs, operating systems, and web browsers to patch the latest security flaws.

Related Posts