Threat / Phishing & impersonation

DNS-registrar admin credential phishing — impersonates GoDaddy / Namecheap / Cloudflare Registrar / Route 53 / Squarespace (ex-Google Domains) / Gandi / Porkbun / Hover / Name.com / Dynadot / Enom / NetworkSolutions / IONOS / OVH with a DNSSEC-key-rotation, authoritative-nameserver-change, domain-transfer-authorization, glue-record-update, or admin-console-re-authentication narrative plus a credential-harvesting link on a non-registrar host. Targets registrar ADMIN accounts (distinct from the iter-1844 / iter-2013 consumer "pay this renewal invoice" payment-scam shape, which uses disjoint vocabulary). Blast radius: one compromise = transfer the domain + change authoritative NS + redirect MX to harvest email + issue valid TLS certs for the victim's brand. Full infrastructure takeover. Sixth entry in the platform-operator sub-family (booking-extranet 1068, storm-2755 1061, PQC 1079, npm-maintainer 1084, extension-publisher 1085, this iter). Real precedents: Sea Turtle / DNSpionage (Cisco Talos 2018-2019), GoDaddy customer-compromise 2022-2024, Namecheap phishing waves 2023-2025, Mandiant M-Trends 2025, ICANN compliance advisories.

registrar-admin-dns-control-phishing

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Credential phishing that targets DNS-registrar admin account holders — the people with tenant-level control over a domain's registration, nameservers, glue records, DNSSEC keys, and transfer locks. The attack surface covers the major public registrars: GoDaddy, Namecheap, Squarespace Domains (ex-Google Domains), Cloudflare Registrar, Amazon Route 53, Gandi, Porkbun, Hover, Name.com, Dynadot, Enom, Tucows, NetworkSolutions, IONOS (1&1), OVHcloud, and DreamHost Domains.

The narrative hooks into plausible registrar-security events: (a) "DNSSEC key rotation required" — a real quarterly-to-annual maintenance event that admins do handle through the console; (b) "domain transfer authorization pending" — the 5-day AUTH-CODE verification window for EPP transfers; (c) "authoritative nameserver change detected" — ICANN-mandated change-confirmation emails; (d) "glue record update required" — rare but legitimate; (e) "domain admin console re-authentication" — the generic credential-verification framing. The credential-harvesting link points at a typosquat host (godaddy-dnssec-admin.example, namecheap-transfer-auth.example) that captures the registrar admin credentials.

Once compromised, the attacker can transfer the domain to an attacker-controlled registrar account, change the authoritative NS records to point at attacker-controlled nameservers, redirect MX records to harvest inbound email (credential-reset messages, banking alerts, internal comms), and — with the domain under their control — issue valid TLS certificates for the victim's brand via any public CA. Full infrastructure takeover.
This is the sixth signal in the "low-volume, very-high-impact" platform-operator sub-family, after booking-extranet (iter 1068, hospitality partner → guest fraud), storm-2755 payroll-pirate (iter 1061, Workday/O365 admin → paycheck redirection), PQC certificate-migration (iter 1079, CA admin → MITM on arbitrary domains), npm-maintainer-token (iter 1084, package publishers → downstream install infection), and browser-extension-publisher (iter 1085, extension developers → signed malicious updates). Each combines a narrow target population with a catastrophic blast radius per compromise.

Real precedents documenting the registrar-admin-phish vector: Cisco Talos published detailed analysis of the Sea Turtle and DNSpionage campaigns in 2018-2019 — state-sponsored activity that compromised registrars in the Middle East and North Africa to redirect government and telecom domains. GoDaddy disclosed multiple customer-compromise events through 2022-2024 in which phishing of customer registrar accounts drove downstream fraud. Namecheap had a major SendGrid account compromise in 2023 that pivoted to customer phishing. Mandiant M-Trends 2025 and ICANN compliance advisories both track registrar-account hijacking as an ongoing threat category.

Distinct from iter-1844 `fake-domain-renewal-hijack-scam` and iter-2013 `fake-domain-name-expiry-renewal-invoice-scam` — those fire on the PAYMENT shape ("pay this fake invoice to renew"); THIS signal fires on the CREDENTIAL shape ("verify your admin console to approve the pending DNS change"). The vocabularies are disjoint.

Legitimate registrar communications link exclusively to the registrar's own domain: `godaddy.com`, `namecheap.com`, `domains.google`, `domains.cloudflare.com`, `route53.amazonaws.com`, `gandi.net`, etc. Any admin-security email whose sign-in link is hosted elsewhere is, by construction, a phish.
If you hold registrar admin accounts: enable hardware-backed 2FA (FIDO2 security key) on every account, enable registrar-lock and transfer-lock on every valuable domain, use role-separated sub-accounts for DNS operations vs billing operations, and go directly to the registrar's admin console via a bookmarked URL — never click the link in the email.
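The detection rule above (registrar-security vocabulary co-occurring with a sign-in link hosted off the registrar's own domain, kept separate from the payment-shape renewal-invoice signals) as an added illustrative classifier; this is not Gorganizer's code, the registrar allow-list is a short illustrative subset, and the three sample messages are constructed:

```python
import re
from urllib.parse import urlparse

# Illustrative subset of the registrar domains that legitimate mail links to.
REGISTRAR_DOMAINS = {
    "godaddy.com", "namecheap.com", "domains.google", "domains.cloudflare.com",
    "route53.amazonaws.com", "gandi.net",
}

# Credential-shape hooks (this signal) vs payment-shape hooks (the separate
# renewal-invoice signals); the two vocabularies are kept disjoint on purpose.
CREDENTIAL_HOOKS = re.compile(
    r"dnssec key rotation|transfer authorization|auth[- ]?code|"
    r"nameserver change|glue record|re-?authenticat\w*|verify your admin",
    re.I)
PAYMENT_HOOKS = re.compile(r"invoice|renewal fee|pay now|payment due", re.I)

def hosted_by_registrar(url):
    """True when the link host is a registrar domain or a subdomain of one
    (a look-alike such as godaddy.com.evil.example does not qualify)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in REGISTRAR_DOMAINS)

def classify_registrar_email(subject, body, links):
    """Return ('credential', hooks, offsite_links) when registrar-admin hooks
    co-occur with at least one off-registrar link, ('payment', ...) when only
    invoice vocabulary is present (routed to the renewal-scam signals), else
    (None, ...) so other modules decide."""
    text = f"{subject}\n{body}"
    cred_hits = sorted({m.lower() for m in CREDENTIAL_HOOKS.findall(text)})
    offsite = [u for u in links if not hosted_by_registrar(u)]
    if cred_hits and offsite:
        return "credential", cred_hits, offsite
    if PAYMENT_HOOKS.search(text):
        return "payment", [], offsite
    return None, cred_hits, offsite

# Constructed sample messages (not real campaign data).
PHISH = ("Action required: DNSSEC key rotation for example.com",
         "Your DNSSEC key rotation is pending. Re-authenticate in the admin "
         "console: https://godaddy-dnssec-admin.example/login",
         ["https://godaddy-dnssec-admin.example/login"])
LEGIT = ("Nameserver change confirmation",
         "We detected a nameserver change. Review it at https://sso.godaddy.com/",
         ["https://sso.godaddy.com/"])
INVOICE = ("Renewal invoice for example.com",
           "Pay now to avoid expiry: https://renewals.example/pay",
           ["https://renewals.example/pay"])
```

The legitimate nameserver-change confirmation carries the same hook vocabulary as the phish and is separated only by where its link is hosted, which is why the link-host check, not the vocabulary alone, drives the verdict.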

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.