- How Exotic TLDs Created A Phishing Paradise
- Real-World Exploitation: What Actually Happened
- The Scattered Spider Connection: Phishing Evolution
- Why .ZIP and .APP Are Particularly Dangerous
- The Current Phishing Landscape: Exotic TLDs Dominating
- What You Can Do Right Now
- Conclusion: Exotic TLDs Are Here To Stay
You receive an email with a link that looks like this:
https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
Your brain processes this as a legitimate GitHub repository download link for Kubernetes. You click it. You get what you expect—a software download for a trusted open-source project.
Now look at this slightly different link:
https://github.com/kubernetes/kubernetes/archive/refs/tags/@v1.27.1.zip
This looks almost identical. Your brain processes it the same way. But this URL is malicious. The actual domain is “1.zip”—a phishing attacker purchased a .zip domain and used URL manipulation to disguise it as a GitHub link. When you click, you land on a fake GitHub login page and enter your credentials.
The attacker now has your GitHub account. They can access your repositories, steal credentials, deploy malware, or pivot into your company’s infrastructure.
This is the .ZIP and .APP domain scam. And according to Interisle Consulting’s Phishing Landscape 2025 report, exotic top-level domains have become a phishing epidemic. Over 1.5 million unique phishing domains were reported in 2025—38% more than 2024. Of these, nearly 9 out of 10 in new gTLDs (generic top-level domains like .ZIP, .APP, .MOV) were maliciously registered.
How Exotic TLDs Created A Phishing Paradise
To understand this vulnerability, we need to understand how domain names and top-level domains evolved.
The Traditional TLD System
For decades, top-level domains were limited: .COM, .NET, .ORG, .EDU, .GOV, and country-code TLDs (.US, .UK, .DE). These were familiar. Users knew what they looked like. Phishers had limited territory to operate in.
Google became suspicious when someone tried to register “google.xyz” or “google.shop”—obvious phishing attempts using suspicious TLDs. Security filters flagged suspicious TLDs (especially .XYZ, .SHOP, .INFO, .TOP) as higher risk.
The New gTLD Expansion
In 2013, ICANN approved hundreds of new gTLDs: .TECH, .CLOUD, .DIGITAL, .FINANCE, .SECURITY, and most notably for our story: .ZIP, .MOV, and .APP.
These seemed reasonable. Why not have .APP domains for applications? .ZIP for file hosting? They aligned with common file extensions and industry terminology.
Google thought this way too. In May 2023, Google released eight new gTLDs including .ZIP and .MOV to the public. The company saw no problem with it.
Security researchers raised the alarm immediately. Within hours, they had worked out the vulnerability.
The URL Parsing Vulnerability
Here’s the technical problem: URLs have a specific format:
protocol://[username:password@]domain:port/path
The part before the “@” symbol is optional username and password. The part after is the actual domain.
So this URL:
https://github.com/kubernetes@malicious.zip
Could be interpreted as:
- “Log into @malicious.zip using credentials github.com/kubernetes”
Most modern browsers removed this interpretation for security reasons—they ignore text before the “@” symbol and just go to the domain after it.
But the damage was already done. Users see the full URL and their brains parse it incorrectly. The eye catches “github.com” and skips past “@malicious.zip”. The domain you actually visit is “malicious.zip”, but your brain thinks you clicked a GitHub link.
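As an added example (not code from the article or from any vendor it cites), here is a small Python check that does what the browser does: it takes the host from the parsed authority, so userinfo only counts when the “@” sits before the first path slash, and it separately flags any “@” in the raw link text and any of the high-abuse TLDs the article names, which is the rule the organizational email-filtering advice later recommends. The three URLs are constructed samples.

```python
from urllib.parse import urlsplit

# TLDs the article calls out as high-abuse; extend as needed.
RISKY_TLDS = {"zip", "mov", "app", "top", "bond", "xyz", "shop", "xin"}


def analyze_link(url: str) -> dict:
    """Report where a link really leads, plus the warning signs a filter should raise."""
    parts = urlsplit(url)
    # urlsplit ends the authority at the first "/", exactly as browsers do, so
    # `hostname` is the host the browser will connect to, not the text the eye reads.
    host = (parts.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return {
        "host": host,
        # True only when "@" is inside the authority, i.e. userinfo was really used
        "userinfo_used": parts.username is not None,
        # The article's email-gateway rule: any "@" in the link text is suspicious
        "at_in_link": "@" in url,
        "risky_tld": tld in RISKY_TLDS,
    }


def verdict(url: str):
    """Return (real host, list of triggered flags) for a link."""
    info = analyze_link(url)
    flags = [k for k in ("userinfo_used", "at_in_link", "risky_tld") if info[k]]
    return info["host"], flags


if __name__ == "__main__":
    # Constructed samples: the article's legitimate link, then two "@" variants.
    for link in (
        "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip",
        "https://github.com@malicious.zip/login",      # "@" inside the authority
        "https://github.com/kubernetes@malicious.zip",  # "@" after the first slash
    ):
        print(verdict(link), "<-", link)
```

The third sample is the caveat: with the “@” after the first slash the browser still connects to github.com, which is why a gateway rule should flag the “@” in the raw link rather than rely on parsing alone.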
According to ESED’s security analysis, this vulnerability is so fundamental that blocking .ZIP entirely might be the only solution—a radical but perhaps necessary response.
Real-World Exploitation: What Actually Happened
This wasn’t theoretical. Within days of .ZIP becoming public, attackers registered malicious domains and began phishing.
The Immediate Abuse
According to Digitec’s reporting from May 2023, over 1,200 .ZIP domains were registered in the first days. Many contained phishing content:
- microsoft-office.zip – Fake Microsoft login page trying to steal passwords
- officeupdate.zip – More Microsoft phishing
- Numerous other domains mimicking legitimate services
Security vendors started blocking these domains, triggering a cat-and-mouse game. Attackers registered new malicious .ZIP domains faster than security tools could add them to blocklists.
The Broader TLD Abuse
According to Interisle’s 2025 analysis, .ZIP and .MOV domains aren’t alone in abuse. The most exploited new gTLDs in 2025 were:
- .TOP – 122,597 phishing domains
- .BOND – 524% increase in phishing (most abused relative to size)
- .XYZ – 110,045 phishing domains
- .SHOP – 105,448 phishing domains
- .XIN – 10,810.2 phishing score (25-365x higher than .COM)
What’s striking: 77% of all phishing domains registered in 2025 were maliciously registered (intentionally for phishing). In new gTLDs, that rate jumped to 88-96%.
The Scattered Spider Connection: Phishing Evolution
Advanced phishing actors quickly adapted to exotic domain abuse.
The Scattered Spider Campaign
According to Push Security’s analysis of Scattered Spider TTPs in 2025, the group evolved their phishing strategy:
- Rapid domain rotation: register a domain, use it for 2-3 hours, then abandon it. By the time security vendors identify and block it, it is already deactivated.
- Keyword-stuffed domains: use domains containing “okta”, “sso”, “help”, “hr”, “corp”, “my”, “internal”, or “vpn”, keywords that make phishing pages look legitimate.
- Subdomains on rentable platforms: register on publicly rentable subdomain services such as “it.com”, which limits WHOIS information and looks more legitimate than an obvious phishing TLD.
The attack flow: the victim receives an email linking to a short-lived .ZIP or .TOP domain, clicks through to a perfect replica of a login page, and enters credentials. The attacker captures them and initiates the account compromise.
The entire attack lifecycle—registration, phishing campaign, domain takedown—happens in hours. Security tools can’t keep up with this velocity.
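As an added example (not Push Security's or the article's code), a small Python detector that runs over constructed proxy-log lines and alerts when a visited host combines the SSO/IT keywords listed above with one of the high-abuse TLDs the article names. The log format, usernames and hostnames are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Keywords Push Security observed in Scattered Spider domains (from the article).
SSO_KEYWORDS = {"okta", "sso", "help", "hr", "corp", "my", "internal", "vpn"}
# High-abuse TLDs named in the article.
RISKY_TLDS = {"zip", "mov", "app", "top", "bond", "xyz", "shop", "xin"}

# Constructed proxy log, not real traffic: "<epoch> <user> <url>" per line.
SAMPLE_LOG = """\
1715000000 alice https://intranet.example.com/hr/benefits
1715000100 bob https://corp-sso-help.top/login
1715000200 carol https://my-okta-vpn.zip/auth
1715000300 dave https://github.com/kubernetes/kubernetes
1715000400 erin https://corp-sso-help.top/login
"""


def score_host(host: str) -> list:
    """Return the signals a hostname triggers: risky TLD and/or keyword stuffing."""
    tokens = [t for t in re.split(r"[.-]", host.lower()) if t]
    signals = []
    if tokens and tokens[-1] in RISKY_TLDS:
        signals.append("risky_tld")
    hits = sorted(set(tokens) & SSO_KEYWORDS)  # whole-label matches only, so "my" != "myth"
    if hits:
        signals.append("keywords:" + ",".join(hits))
    return signals


def scan_log(text: str) -> list:
    """Alert on lines whose host shows both signals; returns (user, host, signals) tuples."""
    alerts = []
    for line in text.splitlines():
        _ts, user, url = line.split(" ", 2)
        host = urlsplit(url).hostname or ""
        signals = score_host(host)
        # Requiring both signals keeps legitimate intranet hosts and plain
        # software downloads out of the alert queue.
        if "risky_tld" in signals and len(signals) == 2:
            alerts.append((user, host, signals))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```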
Why .ZIP and .APP Are Particularly Dangerous
All exotic TLDs are risky. .ZIP and .APP are especially dangerous for specific reasons.
File Extension Confusion
.ZIP is a file extension everyone knows. Compressed archives. Downloads.
When you see a URL ending in “.zip”, your brain thinks “this is a file download.” That automatic mental categorization can overcome skepticism. Your brain processes it as legitimate before conscious analysis kicks in.
Similarly, .APP triggers thoughts of “legitimate application download.”
These domains trigger automatic trust patterns.
Visual Similarity to Legitimate Content
A URL like “github.com.zip” or “microsoft-updates.app” looks almost identical to “github.com” or “microsoft-updates.com”. The visual difference is subtle.
Most users won’t scrutinize the difference. They see “github” or “microsoft” in the domain and assume legitimacy.
Evasion of Legacy Security Tools
Email security tools from 2010-2015 look for suspicious TLDs like .XYZ or .SHOP. But .ZIP seems legitimate enough that older tools might not flag it as risky.
Newer security tools are catching up. But the cat-and-mouse game continues.
The Current Phishing Landscape: Exotic TLDs Dominating
The scale of exotic domain abuse is staggering.
Volume Explosion
According to Interisle’s analysis:
- 38% increase in unique phishing domains year-over-year (to 1.5 million+)
- Nearly 9 of 10 phishing domains in new gTLDs maliciously registered
- 37 different TLDs appeared in the top 20 for phishing abuse over a 5-year period
- 24 of those 37 were new gTLDs
TLDs with Highest Phishing Scores
According to Cybercrime Information Center’s Q1 2025 analysis:
- .XIN – 10,810.2 (mostly from “Unpaid Toll Scam” campaigns)
- .TOP – 5,543.1
- .BOND – 4,891.7
- .XYZ – 3,287.3
- .SHOP – 2,991.8
These scores are 25-365 times higher than .COM’s score of 29.6.
What You Can Do Right Now
Personal Defense
- Scrutinize URLs before clicking: Hover over links (don’t click). Read the actual domain carefully, not just the text.
- Be suspicious of unusual TLDs: If a domain ends in .ZIP, .APP, .TOP, .BOND, .XYZ, .SHOP—evaluate extremely carefully. Legitimate vendors rarely use these TLDs.
- Type known URLs directly: Don’t click email links to Gmail, GitHub, Microsoft, or other accounts. Type the URL directly into your browser.
- Enable security extensions: Browser extensions like uBlock Origin, Bitwarden, or 1Password provide phishing detection.
- Use hardware security keys: If your important accounts support it, hardware security keys (YubiKey) prevent phishing even if you enter credentials on a fake site.
Organizational Defense
- Block suspicious TLDs at the gateway: If you have gateway network controls, consider blocking access to .ZIP, .MOV, .APP, .TOP, .BOND, .XYZ, and other high-abuse TLDs. It’s extreme but may be justified.
- Email filtering enhancements: Configure email security to flag links containing “@” symbols (URL parsing attacks). Flag emails linking to suspicious TLDs.
- Security awareness training: Specifically teach staff about exotic domain phishing. Show examples of .ZIP and .TOP domains.
- MFA enforcement: Implement multi-factor authentication everywhere. Even if credentials are stolen, a phishing page can’t get past MFA on the real site.
- DMARC/SPF/DKIM configuration: Properly configure email authentication to prevent domain spoofing.
Broader Solutions
Some security experts advocate for blocking all .ZIP, .MOV, .APP domains at registry level. ICANN has resisted this, arguing that legitimate uses exist and blocking entire TLDs is excessive.
But according to security researchers cited in ESED’s analysis: “Given the low real-world usage of .ZIP domains, it may be best to block access to them until it is clear whether they are useful.”
The alternative is accepting ongoing phishing epidemics from exotic TLDs.
Conclusion: Exotic TLDs Are Here To Stay
The .ZIP and .APP domain vulnerabilities revealed something uncomfortable: expanding the domain namespace creates attack surface.
ICANN released hundreds of new gTLDs with good intentions: competition, choice, diversity. What actually happened: phishers exploited legitimate-looking TLDs to deceive users at unprecedented scale.
The phishing landscape of 2025 is dominated by exotic domains. Until behavioral defenses (user skepticism, browser detection, security tools) catch up, organizations should assume constant exotic domain phishing attempts.
Stay skeptical of unusual TLDs. When in doubt, type the URL directly rather than clicking email links. And if you’re an organization leader, seriously consider blocking high-abuse TLDs at your network gateway.
The exotic domain phishing epidemic isn’t slowing down. It’s accelerating.
