[cryptarch]

Then it turns out parent is the ransomware vendor and the linked file turns out to contain the ransomware, with a few letters in the URL substituted for Unicode lookalikes so it appears to be a legitimate Windows update.

I'm not saying that's truly what's happening, but it's easy to imagine. I'd verify I'm connecting to the right domain and double-check with e.g. VirusTotal if I were you.

[Dylan16807]

It doesn't take voodoo to figure out if something is ascii or not.

[i336_]

https://www.xn--80ak6aa92e.com

[Dylan16807]

What's your point? If I put the non-punycode version in my ascii checker it immediately tells me it isn't ascii.

Having to check because registrars are dumb has nothing to do with the fact that doing the check is easy.

[i336_]

That's very true. Such attacks are predicated on an ignorant and/or lazy target demographic, I guess.

Incidentally, when I copied the link out of Chrome (57) it pasted the punycode link even though it showed "apple.com" in the omnibox. So then I carefully copy-pasted just the domain and TLD to work around Chrome's link-copying magic, submitted, and... discovered that Arc punycode-ifies Unicode domains.

So that was interesting, but it kind of killed the impact of the point I was making.

[cryptarch]

It doesn't, but you do have to do a manual check and remember to do that.