Clever ‘File Archiver In The Browser’ phishing trick uses ZIP domains


A new ‘File Archivers in the Browser’ phishing kit abuses ZIP domains by displaying fake WinRAR or Windows File Explorer windows in the browser to convince users to launch malicious files.

Earlier this month, Google began offering the ability to register ZIP TLD domains, such as, for hosting websites or email addresses.

Since the TLD’s release, there has been quite a bit of debate over whether they are a mistake and could pose a cybersecurity risk to users.

While some experts believe the fears are overblown, the main concern is that some sites will automatically turn a string that ends with ‘.zip,’ like, into a clickable link that could be used for malware delivery or phishing attacks.

For example, if you send someone instructions on downloading a file called, Twitter will automatically turn into a link, making people think they should click on it to download the file.

Twitter DM automatically turns into a link
Source: BleepingComputer

When you click on that link, your browser will attempt to open the site, which could redirect you to another site, show an HTML page, or prompt you to download a file.

However, as with any malware delivery or phishing campaign, the attacker must first convince a user to open a file, which can be challenging.

A file archiver in the browser

Security researcher mr.d0x has developed a clever phishing toolkit that lets you create fake in-browser WinRAR instances and File Explorer windows, displayed on ZIP domains, to trick users into thinking they have opened a .zip file.

“With this phishing attack, you simulate a file archiver software (e.g. WinRAR) in the browser and use a .zip domain to make it appear more legitimate,” explains a new blog post by the researcher.

In a demonstration shared with BleepingComputer, the toolkit can be used to embed a fake WinRar window directly in the browser when a .zip domain is opened, making it look like the user opened a ZIP archive and is now seeing the files within it.

While it looks nice when displayed in the browser, it shines as a popup window, as you can remove the address bar and scrollbar, leaving what appears to be a WinRar window displayed on the screen, as shown below.

Fake in-browser WinRar screen pretending to open a ZIP archive
Source: BleepingComputer

To make the fake WinRAR window even more convincing, the researcher implemented a fake Scan button that, when clicked, reports that the files were scanned and no threats were detected.

Fake file scanner
Source: BleepingComputer

While the toolkit still displays the browser address bar, it is likely to trick some users into thinking this is a legitimate WinRAR archive. Furthermore, creative CSS and HTML could likely be used to refine the toolkit further.

mr.d0x also created another variant that displays a fake in-browser Windows File Explorer pretending to open a ZIP file. This template is more of a work in progress, so some items are missing.

Fake Windows File Explorer shown in the browser
Source: BleepingComputer

Abusing the phishing toolkit

mr.d0x explains that this phishing toolkit can be used for both credential theft and malware delivery.

For example, if a user double-clicks on a PDF in the fake WinRar window, it could redirect the visitor to another page asking for their login credentials to properly view the file.

The toolkit can also be used to deliver malware by displaying a PDF file that downloads a similarly named .exe instead when clicked. For example, the fake archive window could show a document.pdf file, but when clicked, the browser downloads document.pdf.exe.

As Windows does not show file extensions by default, the user will just see a PDF file in their downloads folder and potentially double-click on it, not realizing it’s an executable.

Of particular interest is how Windows searches for files and, when not found, attempts to open the searched-for string in a browser. If that string is a legitimate domain, then the website will be opened; otherwise, it will show search results from Bing.

If someone registers a .zip domain that matches a common file name, and a user then searches for that file name in Windows, the operating system will automatically open the site in the browser.

If that site hosted the ‘File Archivers in the Browser’ phishing kit, it could trick a user into thinking WinRar displayed an actual ZIP archive.
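The two tricks described above, the double-extension download (document.pdf.exe shown as document.pdf) and a .zip domain that reads like an archive file name, can both be checked for on the defender's side. The following is an added example, not code from mr.d0x's toolkit or from BleepingComputer; the extension lists and the "bare file name" heuristic are assumptions, and the sample file names and URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: a defender's starting list of Windows-executable extensions
# and of extensions that look like harmless documents. Not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "msi", "js", "vbs", "hta", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def disguised_download(filename: str) -> bool:
    """True when an executable hides behind a document-looking extension,
    e.g. 'document.pdf.exe', which Explorer renders as 'document.pdf'."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS


def explorer_display_name(filename: str) -> str:
    """Name shown when 'Hide extensions for known file types' is enabled:
    only the last extension is dropped, so the inner one stays visible."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def filename_like_zip_host(url: str) -> bool:
    """Heuristic: the host is a .zip domain made of a single label that
    reads like a bare archive name, the kind of string chat apps auto-link
    and Windows search hands to the browser."""
    host = (urlsplit(url).hostname or "").lower()
    if not host.endswith(".zip"):
        return False
    label = host[: -len(".zip")]
    return re.fullmatch(r"[a-z0-9_-]+", label) is not None


def triage(downloads, urls):
    """Return (suspicious_files, suspicious_urls) for review."""
    files = [f for f in downloads if disguised_download(f)]
    links = [u for u in urls if filename_like_zip_host(u)]
    return files, links


# Constructed sample input, not real telemetry.
SAMPLE_DOWNLOADS = ["document.pdf.exe", "report.docx", "setup.exe", "photo.jpg.scr"]
SAMPLE_URLS = ["https://financialstatement.zip/", "https://example.com/file.zip",
               "http://www.corp.zip/login"]

if __name__ == "__main__":
    print(triage(SAMPLE_DOWNLOADS, SAMPLE_URLS))
```

Multi-label hosts such as www.corp.zip are deliberately not flagged by the heuristic, since they do not read like a file name; tune the lists to your own environment.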

This technique illustrates how ZIP domains can be abused to create clever phishing attacks for malware delivery or credential theft.

mr.d0x is known for previous clever phishing toolkits, such as using VNC for phishing to bypass MFA and the Browser-in-the-Browser technique. Threat actors used the latter to steal Steam credentials.


  • h_b_s – 3 days ago

    Characterizing it as “clever” is arguable. Inevitable, obvious, and merely iterative is more apt. Most users are inattentive to details that give this trick away and Chrome’s minimalistic interface is a big part of the problem. The other part of the problem are users that refuse to educate themselves, and geeks that not only refuse to help, but routinely insult people looking for just that kind of help.

  • fromFirefoxToVivaldi – 3 days ago

    This was just a matter of time. They still have time to fix that ridiculous decision and change it to something less maliciously exploitable, like zzip. Alternatively, browsers and other software should boycott such links.

    I hope this doesn’t count as spam, but it’s possible to block .zip and .mov in NextDNS. If you want to secure less knowledgeable family members this might be the easiest way.

  • gryphenwings – 1 day ago

    Thank you for this. I was looking for an easier way to update DNS for a friend's computer.

  • TsVk! – 3 days ago

    Well that didn’t take long… lmao
