
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Monday, March 2nd, 2026: Reversing Fake FedEx; Abusing .ARPA; MSFT Authenticator Update; Apex One Vuln; Special AirSnitch Webcast
Mar 2, 2026
A walkthrough of a FedEx-themed phishing attack that delivers a Donut loader and an XWorm payload. A deep dive into attackers abusing delegated .ARPA reverse zones and how to spot suspicious DNS lookups. A heads-up that Microsoft Authenticator is blocking rooted and jailbroken devices. A critical Trend Micro Apex One directory traversal fix and an invite to a live AirSnitch webcast.
AI Snips
Fake FedEx Email Hid Donut Loader
- Johannes Ullrich describes a fake FedEx email that delivered a 7-Zip archive attachment containing a batch file and an encoded PowerShell payload.
- Running the PowerShell under a debugger with breakpoints set to dump the decrypted stage revealed a Donut loader that ultimately loads and executes XWorm.
Familiar Shipping Emails Lower Guard
- Johannes Ullrich notes that a steady stream of legitimate FedEx emails desensitizes recipients, making them more likely to open a malicious attachment that looks like one more shipping notice.
- The attack relies on contextual familiarity rather than novel domain tricks to get past user suspicion.
Phishers Abuse Delegated .ARPA Reverse Zones
- Infoblox observed phishing that uses delegated .ARPA reverse DNS zones as ordinary domains: once a reverse zone is delegated to them, attackers can obtain TLS certificates and host content under it like any other domain.
- Attackers obtain IPv6 reverse zone delegations (via Hurricane Electric), point the zone's NS records at Cloudflare, and host phishing pages under the .ARPA name.
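A way to spot this in your own resolver logs, as an added example that is not code from the episode or from Infoblox: a legitimate reverse lookup is a PTR query (or NS/SOA zone maintenance) for a name made only of address labels, so an A/AAAA/HTTPS query under .arpa, or a label like "secure-login" hung off a delegated reverse zone, is worth an alert. The one-query-per-line log format and the sample lines are constructed for this example; adapt parse_line() to your resolver's format (BIND querylog, Zeek dns.log, dnstap). The check on qname and qtype is the point.

```python
"""Flag DNS queries that treat .arpa reverse-zone names as ordinary hostnames.

Added example, not from the Stormcast episode or from Infoblox. The log line
format "<ts> client=<ip> qname=<name> qtype=<type>" is constructed for this
example; the checks in classify() apply to any resolver log once parsed.
"""
import ipaddress
import re

# Host-style record types under a reverse zone mean someone is resolving the
# reverse name as a web/mail host rather than doing a reverse lookup.
HOST_STYLE_QTYPES = {"A", "AAAA", "HTTPS", "SVCB", "MX", "SRV"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)$"
)


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def arpa_labels_ok(qname):
    """True if every label under in-addr.arpa / ip6.arpa is an address label.

    in-addr.arpa allows up to 4 decimal octets; ip6.arpa up to 32 hex nibbles.
    A label such as "secure-login" means a hostname was created inside a
    delegated reverse zone.
    """
    name = qname.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        return len(labels) <= 4 and all(
            lab.isdigit() and 0 <= int(lab) <= 255 for lab in labels
        )
    if name.endswith(".ip6.arpa"):
        labels = name[: -len(".ip6.arpa")].split(".")
        return len(labels) <= 32 and all(
            len(lab) == 1 and lab in "0123456789abcdef" for lab in labels
        )
    return True  # not a reverse zone; nothing to check


def classify(rec):
    """Return the reasons this query looks like .arpa abuse (empty list = benign)."""
    reasons = []
    name = rec["qname"].rstrip(".").lower()
    if not (name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa")):
        return reasons
    if rec["qtype"].upper() in HOST_STYLE_QTYPES:
        reasons.append(f"{rec['qtype'].upper()} lookup under reverse zone")
    if not arpa_labels_ok(name):
        reasons.append("non-address label under reverse zone")
    return reasons


def scan_log(text):
    """Scan log text; return [(qname, qtype, reasons), ...] for flagged queries."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["qname"], rec["qtype"], reasons))
    return hits


# Constructed sample traffic. reverse_pointer yields the canonical PTR name
# (32 nibbles for IPv6, 4 octets for IPv4), so those two lines are benign.
_V6 = ipaddress.ip_address("2001:db8::1").reverse_pointer
_V4 = ipaddress.ip_address("192.0.2.10").reverse_pointer
SAMPLE_LOG = f"""\
2026-03-02T09:00:01Z client=10.0.0.5 qname={_V4} qtype=PTR
2026-03-02T09:00:02Z client=10.0.0.5 qname={_V6} qtype=PTR
2026-03-02T09:00:03Z client=10.0.0.5 qname=8.b.d.0.1.0.0.2.ip6.arpa qtype=NS
2026-03-02T09:00:04Z client=10.0.0.7 qname=www.example.com qtype=A
2026-03-02T09:00:05Z client=10.0.0.7 qname=secure-login.8.b.d.0.1.0.0.2.ip6.arpa qtype=A
2026-03-02T09:00:06Z client=10.0.0.7 qname=8.b.d.0.1.0.0.2.ip6.arpa qtype=HTTPS
2026-03-02T09:00:07Z client=10.0.0.9 qname=tracking.2.0.192.in-addr.arpa qtype=AAAA
"""

if __name__ == "__main__":
    for qname, qtype, reasons in scan_log(SAMPLE_LOG):
        print(f"{qname} ({qtype}): {'; '.join(reasons)}")
```

The NS query for the /32 reverse zone apex is deliberately left unflagged: that is what a resolver following the delegation chain does, and it is exactly the kind of query the attacker's setup also produces, so it carries no signal on its own. The HTTPS query for the same apex, and any A/AAAA query for a name that has a non-address label under .arpa, are what distinguish "someone browsed to the .arpa name" from normal reverse resolution.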
