Unpacking the Risks: Understanding the Dangers of .zip Domain Phishing & .mov Malware TLDs


New top-level domains (TLDs) like .zip and .mov have brought new cybersecurity challenges in the labyrinthine world of cyberspace. These file extensions, which look harmless, can hide dangerous scams. Bolster’s researchers investigated how these new TLDs are used in .zip domain phishing and .mov malware scams, and what they mean for online security.

Case Study

Example 1: Phishing Attack with .zip Domain

Researchers at Bolster conducted a deep-dive investigation and observed multiple phishing websites and scam pages using the “ .ZIP” TLD. One example is hxxps://passport2[.]zip, which camouflages its true intent and indicates a malicious nature. The researchers found that when trying to access this domain, it automatically starts downloading a zip file. Inside the zip file, we found an Id.exe file.

.zip Domain Phishing Attack
Malicious file getting downloaded on the system automatically.
Exe file inside the zip file

In early 2023, a significant phishing campaign targeted small businesses worldwide. Cybercriminals registered the domain invoice2023.zip, creating a site resembling a well-known invoicing service. They then sent out mass emails with the subject line “Urgent: Overdue Invoice #12345,” urging recipients to click the link to view the invoice. The .zip domain led many to believe they were downloading a compressed file. However, the link redirected them to a fake login page, where entering their credentials resulted in stolen information.






File Hash


File Type

.zip file



Example 2: Malware Distribution via .mov Domain

Another example Bolster Researchers observed is hxxps://secure-share.instagram[.]net.content-delivery.20230406[.]mov, with a serving IP of 5[.]9[.]81[.]174.

Scam Page

In another case, the domain holidayvideos.mov was used to lure social media users. Posts and emails promised exciting holiday videos, attracting clicks out of curiosity. Instead of displaying video content, the site prompted users to download a media player update. This “update” was malware designed to steal personal information and monitor keystrokes. The campaign affected thousands of users, highlighting the potential danger of these new TLDs.


How Scammers Exploit .zip and .mov TLDs

Scammers leverage these TLDs by creating domains that mimic familiar file formats, increasing the likelihood of users clicking on them.

Here’s a detailed look at their approach:

1. Domain Registration: Scammers register domains that resemble legitimate filenames, such as payrollrecords.zip or concert.mov. The familiarity of these file extensions can mislead users into thinking they are interacting with genuine files rather than websites.

2. Email Phishing Campaigns: They craft emails with links to these domains, often using urgent or enticing language to prompt users to click. These emails might appear to come from reputable sources, adding a layer of deception.

3. Website Setup: The domains lead to phishing sites that harvest user credentials or pages that prompt malware downloads. These sites are often crafted to look like legitimate services, enhancing their credibility.

4. Execution: Once users interact with these sites, scammers can steal data, install malware, or both. This stolen information can be used for various malicious purposes, including identity theft and financial fraud.

Broader Implications and Impact

Impact on Users and Organizations

Financial Loss: Victims of these scams can suffer significant financial losses, either directly through theft or indirectly through ransomware. For businesses, this can mean the loss of sensitive company data and financial resources.

Data Breaches: Stolen credentials can lead to larger data breaches, affecting the individual and the organizations they work for. These breaches can expose personal and confidential information.

Reputation Damage: Organizations can suffer reputational damage if their customers or employees fall victim to these scams. Trust is crucial to any business relationship; losing it can have long-term consequences.

Increased Cybersecurity Costs: Due to these threats, organizations may need to invest more in cybersecurity measures and incident response. This includes upgrading their security infrastructure and training employees to recognize potential threats.

Technical and Psychological Aspects

Technical Aspects

DNS Exploitation: Scammers exploit the Domain Name System (DNS) by registering deceptive TLDs. Due to their familiar extensions, these domains can be easily mistaken for legitimate files.

Website Cloning: They create websites that closely mimic legitimate sites to trick users. This often involves copying the design and branding of well-known services.

Malware Engineering: Advanced malware can bypass traditional security measures and remain undetected for extended periods. This malware can perform various malicious activities, including data theft and system sabotage.

Psychological Aspects

Social Engineering: Scammers use psychological manipulation, creating a sense of urgency or curiosity to prompt user action. For example, an email might warn that an account will be suspended unless immediate action is taken.

Trust Exploitation: These TLDs exploit users’ trust in familiar file formats and extensions. Many users are accustomed to downloading and opening .zip files or watching .mov files, making these TLDs particularly effective.

Fear and Greed: Tactics often play on users’ fears (e.g., missing out on important updates) or greed (e.g., winning a prize). This can lead to hasty decision-making without considering the risks.

Mitigation Strategies

For Individuals

1. Awareness and Education: Stay informed about common scams and phishing tactics. Understanding the potential risks can help you avoid falling victim to them.

2. Email Vigilance: Be cautious with unsolicited emails, especially those asking for personal information or prompting downloads. Always verify the sender’s authenticity before clicking on any links.

3. Use of Security Tools: If you encounter suspicious or new TLD websites, scan them with the CheckPhish scan tool to verify their legitimacy. Additionally, you can use a sandboxed environment to download the files and check their behaviour. Use open community tools like VirusTotal or MalwareBazaar to understand the nature of the downloaded file.

For Organizations

1. Employee Training: Regularly train employees to recognize and avoid phishing attempts. This includes simulating phishing attacks to test their awareness and response.

2. Email Filtering: Implement robust filtering systems to detect and block phishing emails. These systems can identify suspicious content and prevent it from reaching employees.

3. Incident Response: Develop and maintain a clear plan for phishing and malware incidents. This plan should outline the steps to take when a threat is detected, minimizing its impact.

Future Trends and Predictions

Evolution of Tactics

More Sophisticated Phishing: Phishing tactics will become more sophisticated as awareness grows. They will employ AI and machine learning to create more convincing scams. These advanced techniques can tailor attacks to individual users, increasing their effectiveness.

Expanded Use of New TLDs: Scammers will continue to exploit new TLDs as they become available, requiring ongoing vigilance and adaptation. Keeping up with these trends is crucial for staying protected.

Cross-Platform Scams: Increased integration of scams across multiple platforms (e.g., social media, email, and messaging apps) will make it harder to identify and avoid threats. Coordinated attacks can use different channels to reach and deceive users.

Technological Countermeasures

AI and Machine Learning: Improved AI-driven security solutions will be developed to detect and prevent scams more effectively. These systems can analyze patterns and behaviours to identify potential threats in real time.

Enhanced Authentication: Wider adopting multi-factor authentication (MFA) will protect against credential theft. MFA adds an extra layer of security, making it more difficult for scammers to access accounts even if they obtain login credentials.

Regulatory Measures: To prevent misuse, there is potential for increased regulation and oversight of TLD registrations. Regulatory bodies might implement stricter verification processes for registering certain types of domains.


In the digital realm, .zip and .mov TLDs present opportunities and risks. Cybercriminals exploit these domains for phishing and malware, posing threats to individuals and organizations. Vigilance, awareness, and proactive security measures are crucial defences. By staying informed and collaborating, we can counter cyber threats and foster a safer online ecosystem.