An active phishing campaign against a Belgian e-banking service uses IPv4-mapped IPv6 addresses in compressed notation to evade regex-based security controls and eliminate any DNS footprint. The incident, documented on June 19, 2025 by senior Internet Storm Center (ISC SANS) handler Xavier Mertens, demonstrates how strict compliance with an RFC standard can become an evasion weapon in an attacker's hands.
- The malicious URL employs the syntax ::ffff:5511:74be, which per RFC 4291 represents the IPv4 address 85.17.116.190 mapped into IPv6 format
- The bracket notation [...] instructs the URL parser to treat the content as a literal IPv6 address, bypassing simple regex designed to extract domain names
- No DNS record exists for the address, removing an entire layer of detectability and intelligence
- The final redirect loads the phishing kit on a subdomain of verificatie.qzz.io, with a path suggesting targeting of a Belgian banking institution
How the Notation Deceives the Parser
The address observed in the malicious URL is https://[::ffff:5511:74be]. The syntax, seemingly arcane, is technically valid and well-defined. As Mertens documents, the prefix ::ffff: signals an IPv4-mapped IPv6 address, formalized in Section 2.5.5.2 of RFC 4291: 80 zero bits, then 16 one bits (ffff), then the 32-bit IPv4 address. The leading :: is the standard zero-compression shorthand, so the compressed form is equivalent to the uncompressed 0:0:0:0:0:ffff:5511:74be.
The final two hexadecimal groups, 5511 and 74be, correspond to the IPv4 octets 85, 17, 116 and 190: 0x55=85, 0x11=17, 0x74=116, 0xbe=190. The underlying address is therefore 85.17.116.190, an ordinary IPv4 address disguised as IPv6. RFC 4291 also allows the same address to be written in mixed notation as ::ffff:85.17.116.190, so a control that only matches the hexadecimal spelling still leaves a gap.
The evasion takes effect at the parsing stage, before any address is decoded. The square brackets [...] force the URL parser to interpret the content as a literal IPv6 address, not a domain name. Security controls that extract domains or IPs via simplified regex — built to catch dotted alphanumeric strings or decimal octets — fail to recognize the structure: the leading bracket and the colon-separated hexadecimal groups match neither pattern, so the filter extracts nothing and lets the URL pass.
"The technique used by the attacker is to bypass simple security controls trying to extract domain names and IP addresses via simple regular expressions. The notation '[...]' tells the URL parser that what's inside is a literal IPv6 address. But it's not a real IPv6 address." — Xavier Mertens, Senior ISC Handler
The Advantage of DNS Absence
An immediate consequence of the technique is the removal of DNS from the attack path. As Mertens notes: "there is no DNS record!" — an operational advantage for the attacker, not a defect. Without resolution requests, there are no recursive queries to monitor, no passive records to analyze, no sinkholes or reactive blacklists to trigger.
The URL does not resolve by name; the client connects straight to the underlying IP address. For teams that base monitoring on DNS logs, anomalous queries, or domain reputation, this vector is invisible by design. The gap is not technical but architectural: the URL parser does its job correctly, and in doing so removes an entire layer of observability. The blind spot covers only the first hop, however: the redirect to the phishing kit's hostname under qzz.io still requires a name lookup, so DNS telemetry can still catch the landing domain even though it never sees the entry URL.
The Redirect Infrastructure and Possible Target
The observed IPv6 URL does not host the fraudulent content directly: it redirects to https://3439-aanmelden.verificatie.qzz.io/mon-belfius. The domain qzz.io serves as hosting for the final phishing kit. The path /mon-belfius suggests targeting of the Belfius banking service, a major Belgian institution, although the source does not explicitly name the institution.
The hostname 3439-aanmelden.verificatie.qzz.io uses Dutch labels ("verificatie" for verification, "aanmelden" for log in), indicating linguistic targeting of Dutch-speaking Belgian users, while the path /mon-belfius uses the French "mon"; Belfius serves both of Belgium's main language communities. The numeric prefix 3439- in the subdomain may serve to instantiate multiple kits or track campaign segments. The dossier does not specify the current status of the domain or any takedown actions.
Recommended Actions
The following actions derive directly from Mertens' analysis and the structure of the documented incident:
Verify URL parsers in security tools. Controls that extract domains or IPs via simple regex must be tested against IPv4-mapped IPv6 syntax, and not only the spelling seen here: RFC 4291 permits the compressed [::ffff:5511:74be], the uncompressed [0:0:0:0:0:ffff:5511:74be] and the mixed [::ffff:85.17.116.190], and a pattern that matches one can miss the others. The more robust fix is to stop extracting hosts with regex and instead use a real URL parser together with an IP address library that unwraps mapped literals to their IPv4 value before indicator matching.
Monitor direct connections to literal IPs. HTTPS connections to bracket-notation IPv6 addresses in emails or proxy logs warrant manual inspection, especially when followed by redirects. The absence of DNS queries does not imply absence of suspicious traffic.
Analyze redirect paths for targeting indicators. Patterns like /mon-[institution] or regional linguistic subdomains like verificatie can signal targeted campaigns before public reports emerge. The numeric prefix 3439- suggests multiple kits are active on variable subdomains.
Assess threat intelligence feed coverage. If intelligence relies on DNS-based indicators, IPv4-mapped IPv6 URLs escape by construction. It is necessary to integrate sources that actively monitor underlying IPs or post-redirect landing domains.
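As an added illustration of the parsing point and of the actions above (this is not code from the ISC diary or from Mertens), the following Python shows what a naive regex and a real parser each make of the observed URL, then runs a small detection pass over constructed proxy log lines. It normalizes hosts with the standard library's urllib.parse and ipaddress modules, so the compressed, uncompressed and mixed-notation spellings of the mapped literal all collapse to 85.17.116.190 before matching. The log format, the client addresses, the IOC list and the second bracketed URL in the log (an uncompressed variant of the observed one) are assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# The kind of simplified extractor the diary describes: it only knows dotted
# hostnames and decimal octets, so a bracketed IPv6 literal never matches.
NAIVE_HOST_RE = re.compile(r"^https?://([A-Za-z0-9.-]+)")


def naive_host(url: str) -> str | None:
    """Host as a naive regex would extract it; None when the pattern misses."""
    m = NAIVE_HOST_RE.match(url)
    return m.group(1) if m else None


def canonical_host(url: str) -> tuple[str, str]:
    """Return (kind, value) with kind in {'domain', 'ipv4', 'ipv6'}.

    urlsplit() strips the brackets from an IPv6 literal; ipaddress then
    parses it, and ipv4_mapped unwraps ::ffff:5511:74be,
    0:0:0:0:0:ffff:5511:74be and ::ffff:85.17.116.190 to 85.17.116.190.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return ("domain", host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return ("ipv4", str(addr.ipv4_mapped))
    return (f"ipv{addr.version}", str(addr))


# Constructed proxy log lines for this example (not from the diary):
# timestamp client method url status location
SAMPLE_PROXY_LOG = """\
2025-06-19T09:12:03Z 10.0.0.17 GET https://[::ffff:5511:74be]/ 302 https://3439-aanmelden.verificatie.qzz.io/mon-belfius
2025-06-19T09:12:04Z 10.0.0.17 GET https://3439-aanmelden.verificatie.qzz.io/mon-belfius 200 -
2025-06-19T09:13:10Z 10.0.0.22 GET https://www.example.com/ 200 -
2025-06-19T09:14:41Z 10.0.0.31 GET https://[0:0:0:0:0:ffff:5511:74be]/login 302 https://example.net/x
2025-06-19T09:15:00Z 10.0.0.40 GET https://[2001:db8::1]/ 200 -
"""

# Underlying IPv4 from the diary, used here as a hypothetical indicator list.
IOC_IPS = {"85.17.116.190"}


def scan_proxy_log(log_text: str, ioc_ips: set[str]) -> list[dict]:
    """Flag IP-literal hosts, IOC hits after unwrapping IPv4-mapped literals,
    and redirects that land on a different host than the one first contacted."""
    findings = []
    for line in log_text.splitlines():
        _ts, client, _method, url, status, location = line.split()
        kind, value = canonical_host(url)
        reasons = []
        if kind != "domain":
            reasons.append("IP-literal host, no DNS lookup to observe")
        if kind == "ipv4" and value in ioc_ips:
            reasons.append("matches IOC after IPv4-mapped unwrap")
        if status.startswith("3") and location != "-":
            dest_kind, dest = canonical_host(location)
            if (dest_kind, dest) != (kind, value):
                reasons.append(f"redirects to {dest}")
        if reasons:
            findings.append({"client": client, "url": url, "host": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("naive regex sees:", naive_host("https://[::ffff:5511:74be]/"))
    print("parser sees:", canonical_host("https://[::ffff:5511:74be]/"))
    for f in scan_proxy_log(SAMPLE_PROXY_LOG, IOC_IPS):
        print(f["client"], f["host"], "; ".join(f["reasons"]))
```

Run stand-alone, the naive regex returns None for the observed URL while the parser returns ('ipv4', '85.17.116.190'), and the scan flags three of the five constructed lines. The normalization step is what matters: matching on the unwrapped IPv4 catches every spelling of the mapped literal, and a redirect from an IP-literal host to a fresh domain is exactly the pattern the actions above describe.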
Why This Matters
The dossier does not document the campaign's scale nor the number of potential victims. No infrastructure overlaps emerge linking the actor to known groups at this time. The source does not specify whether the bypassed controls are endpoint security, email gateways, or other defensive layers, nor whether the technique has been observed in previous campaigns.
The brief does not list specific remediation measures or verbatim operational recommendations from the primary source. It is not documented whether URL parser implementations in browsers, networking libraries, or security tools handle IPv4-mapped IPv6 syntax uniformly, or whether discrepancies between software stacks amplify the problem. The dossier also does not specify the nature of any potentially exposed data or the attack's success in terms of compromised credentials.
What the case makes legible is a systemic pattern: the tension between standards compliance and operational security. RFCs are designed for interoperability, not resilience against malicious actors. When a parser that is correct by design defeats a control that is simplified by necessity, the attacker exploits a structural misalignment, not a patchable vulnerability.
FAQ
Is this a software vulnerability or an evasion technique?
The dossier classifies it as an evasion tactic, not a vulnerability with an associated CVE. The URL parser functions as specified; the security control does not cover the case.
Can regex filters be updated to cover this syntax?
The source provides no technical guidance on this. The evidence map shows that the complexity of IPv6 notation — with zero compression, mapped formats, and bracket notation — makes simple regex patterns inherently incomplete, but does not propose alternative solutions.
Is the qzz.io domain still active?
The dossier does not document the domain's status or any takedown actions at the time of publication.
Information is based on the cited source and current as of publication.
Sources
- https://isc.sans.edu/diary/rss/33090
- https://www.rfc-editor.org/info/rfc4291/
- https://raw.githubusercontent.com/xme/pgp/refs/heads/main/public.key
- https://[::ffff:5511:74be]
- https://3439-aanmelden.verificatie.qzz.io/mon-belfius