Four European Phishing Campaigns Dissected: Shared Registrars, Russian Hosting, and an OPSEC Disaster on DigitalOcean
TL;DR
We hunted four active phishing campaigns targeting European banking, postal, and classifieds customers across PhishTank, URLhaus, and OpenPhish. Two French-targeting campaigns share the same registrar, PHP stack, and 24-hour registration window — pointing to a single actor or PhaaS provider. One campaign has survived 10+ months by burning through Russian shared hosting accounts. The eBay Kleinanzeigen panel leaks its own origin IP and exposes anonymous FTP, MySQL, and Telnet to the internet.
Campaign 1: Société Générale — Automated Domain Registration at Scale
Target: Société Générale banking customers (France)
A threat actor registered 27 domains (sgpass-fr021.com through sgpass-fr050.com) in two scripted bursts — 16 domains in 40 seconds, then 11 in 34 seconds — on March 2-3, 2026. All resolve to a single Omegatech VPS in Amsterdam.
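As an added example (not the report's own tooling), the Python below groups WHOIS creation timestamps into registration bursts, which is how the two scripted bursts above stand out from ordinary registrations; the timestamps and exact domain numbering in the sample feed are constructed to match the stated counts, not recovered WHOIS data.

```python
from datetime import datetime, timedelta

# Added example, not from the report: groups WHOIS creation timestamps into
# bursts, which is the pattern the sgpass-fr registrations show.
BURST_GAP = timedelta(seconds=10)   # max gap between consecutive registrations in one burst
MIN_BURST = 5                       # smaller groups are not reported


def find_registration_bursts(records, gap=BURST_GAP, min_size=MIN_BURST):
    """records: iterable of (domain, datetime). Returns one dict per burst
    with its domains, count, span in seconds and registrations per minute."""
    ordered = sorted(records, key=lambda r: r[1])  # feed order does not matter
    bursts, current = [], []
    for domain, ts in ordered:
        if current and ts - current[-1][1] > gap:
            bursts.append(current)
            current = []
        current.append((domain, ts))
    if current:
        bursts.append(current)
    out = []
    for b in bursts:
        if len(b) < min_size:
            continue
        span = (b[-1][1] - b[0][1]).total_seconds()
        out.append({
            "domains": [d for d, _ in b],
            "count": len(b),
            "span_seconds": span,
            "per_minute": len(b) * 60 / span if span else float("inf"),
        })
    return out


def constructed_sgpass_feed():
    """Constructed sample feed (not recovered WHOIS data): 16 domains spread
    over 40 s on 2026-03-02, then 11 over 34 s on 2026-03-03. The domain
    numbers are illustrative; only the range and counts come from the report."""
    t0 = datetime(2026, 3, 2, 22, 0, 0)
    feed = [(f"sgpass-fr{21 + i:03d}.com", t0 + timedelta(seconds=i * 40 / 15))
            for i in range(16)]
    t1 = datetime(2026, 3, 3, 9, 30, 0)
    feed += [(f"sgpass-fr{40 + i:03d}.com", t1 + timedelta(seconds=i * 34 / 10))
             for i in range(11)]
    return feed
```

Running the bursts over a registrar's daily creation feed (or passive WHOIS) surfaces the same two clusters the report describes.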
Infrastructure
| Component | Detail |
|---|---|
| IP | 178.16.53.234 |
| ASN | AS202412 — Omegatech LTD (Seychelles shell, Amsterdam VPS) |
| Stack | nginx -> Apache, PHP 8.4.18, Plesk |
| Registrar | NICENIC INTERNATIONAL GROUP CO., LIMITED (Hong Kong) |
| DNS | Actor-controlled: ns3.my-ndns.com (Baidu/Cloud Innovation, AfriNIC), ns4.my-ndns.com (Tencent Cloud, Singapore) |
| TLS | Per-domain Let's Encrypt R12, TLS 1.3 |
| Admin panel | Plesk on :8443 (brave-shaw.178-16-53-234.plesk.page) |
The actor runs custom nameserver infrastructure under my-ndns.com, giving them instant DNS control over all domains from a single point. WHOIS registration data is laughably fake — country BS (Bahamas), state bfdbfd.
Credential Harvester
The phishing endpoint /pages/asset.php is a PHP credential harvester with aggressive server-side geo-filtering. It blocks:
- Non-French residential IPs
- Datacenter ASNs
- Known bot user-agents
Spoofing X-Forwarded-For, Accept-Language: fr-FR, and French browser UAs has no effect — the filtering is server-side IP geolocation only. Non-targeted requests receive HTTP 503.
DNS Sinkhole Status
| Resolver | Status |
|---|---|
| Quad9 (9.9.9.9) | BLOCKED |
| Google (8.8.8.8) | BLOCKED |
| Cloudflare (1.1.1.1) | STILL RESOLVING |
MITRE ATT&CK
| Technique | ID | Description |
|---|---|---|
| Phishing | T1566 | Credential harvesting via cloned bank login |
| Acquire Infrastructure: Domains | T1583.001 | 27 domains via scripted bulk registration |
| Acquire Infrastructure: DNS Server | T1583.002 | Custom nameserver infra (my-ndns.com) |
| Acquire Infrastructure: Virtual Private Server | T1583.003 | Omegatech VPS |
Campaign 2: CORREOSNOBOT — 10 Months of Russian-Hosted Smishing
Target: Spanish residents via parcel redelivery scam ("0.27 EUR fee for address correction")
This kit has been operational for over 10 months (April 2025 - March 2026) by rotating through 23 shared hosting accounts on hoster.ru. When one account gets burned, a new srv######.hoster-test.ru instance spins up immediately.
Infrastructure
| Component | Detail |
|---|---|
| IP | 31.28.24.114 (all active servers) |
| ASN | AS12616 — Filanco LLC / Citytelecom (Moscow) |
| Stack | nginx 1.16.1 -> Apache 2.2.15 (CentOS), PHP 7.2.31 |
| TLS | Expired / HTTP only |
Kit Structure
Recovered from URLScan historical data:
/cor2K25/corr/
├── corr.php # Step 1: fake tracking notification
├── billing.php # Step 2: address harvesting (PII)
├── payement.php # Step 3: credit card theft
├── css/ # bootstrap, atlas, animate
├── image/ # Correos branding, payment logos, app store buttons
└── js/ # jQuery 3.5.1, jquery.mask.js (card input masking)
The filename payement.php (French-influenced misspelling of "payment") is a consistent fingerprint across all deployments. The kit's internal name — CORREOSNOBOT — explicitly references its antibot capability. Later deployments use the sanitized alias correosclean.
Delivery Chain
The campaign uses QR code shortlinks distributed via physical mail and SMS:
qrco.de/bgc2kl --> srv######.hoster-test.ru/correosclean/cor2K25/corr/corr.php?clckid=<AFFILIATE_ID>
qrco.de/bgcAOt --> (same pattern)
The clckid= parameter reveals integration with a TDS (traffic distribution system) for affiliate-driven smishing at scale. The antibot module returns a Russian-language delay page — "your IP is not blocked, site will work in 5 minutes" — confirming the operator's native language.
Hardcoded IOC
A single fake tracking number is used across every deployment spanning 10+ months:
PH9VMC0759767210146026M
Currently Active Servers
srv247611.hoster-test.ru — LIVE
srv247550.hoster-test.ru — LIVE
srv247104.hoster-test.ru — LIVE
srv247078.hoster-test.ru — LIVE
srv246896.hoster-test.ru — LIVE
srv246841.hoster-test.ru — LIVE
MITRE ATT&CK
| Technique | ID | Description |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | SMS/QR-delivered phishing links |
| Acquire Infrastructure: Web Services | T1583.006 | Rotating shared hosting accounts |
| Input Capture: Web Portal Capture | T1056.003 | Multi-step credential/card harvester |
Campaign 3: eBay Kleinanzeigen Panel — Sophisticated Kit, Catastrophic OPSEC
Target: Sellers on eBay Kleinanzeigen (German classifieds) via "buyer has paid, confirm delivery" lures
This is the most technically interesting campaign. The operator built a full-featured phishing panel with Cloudflare protection, multi-language support, and real listing image scraping — then left the origin server wide open.
Infrastructure
| Component | Detail |
|---|---|
| Domain | *.mx51088081.com (wildcard DNS) |
| CDN | Cloudflare (104.21.2.34, 172.67.128.169) |
| Origin IP | 68.183.52.163 — DigitalOcean NYC3, AS14061, Ubuntu 22.04 |
| Registrar | Gname.com Pte. Ltd. (Singapore) |
| Domain age | Registered 2015, repurposed for phishing 2026-03-03 |
| Active since | 22 months (first CT log entry: 2024-05-07) |
Origin IP Leak
The origin IP was exposed in the kit's own HTML error pages and window.serverData JSON objects — a classic self-dox. What we found on direct connection:
| Port | Service | Issue |
|---|---|---|
| 21 | FTP | Anonymous login enabled |
| 23 | Telnet | Open |
| 25 | SMTP | Postfix (mail.example.com — default unconfigured hostname) |
| 3306 | MySQL | MySQL 5.7.38 publicly exposed |
| 8080 | HTTP | Node.js API backend (Access-Control-Allow-Origin: *) |
Anonymous FTP and an internet-facing MySQL instance on a phishing panel origin server. This is a significant evidence collection opportunity for law enforcement.
Victim URL Structure
/receive/<CAMPAIGN_ID>?mail=<BASE64_EMAIL>&meta=<ENCODED_METADATA>
The mail parameter contains the victim's base64-encoded email. Template deployments use mail=W1lPVVJd which decodes to [YOUR] — a placeholder. The kit scrapes real listing images from img.kleinanzeigen.de to make the phishing page match the victim's actual listing.
Fake CAPTCHA Flow
The kit implements a convincing fake Cloudflare verification:
- Spinner animation (1.2s) -> progress bar (2.5s) -> "Continue" button
- Sets hardcoded session cookie: 4d325d7f6f766a0a26cf25c9cd913ab2=__ddd662a80ed73c9412b98893f07ea382
- POSTs _recaptcha=108 to reload with an authenticated session
- 53-locale translation support (DE, EN, FR, IT, ES, NL, PL, RU, TR, AR, ZH, JA, ...)
Architecture
              Cloudflare
                  |
      +-----------+-----------+
      |                       |
Apache/PHP (443)       Node.js API (8080)
(victim-facing)        (operator panel)
      |                       |
      +-----------+-----------+
                  |
           MySQL 5.7 (3306)
                  |
           FTP (21, anon)
MITRE ATT&CK
| Technique | ID | Description |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Targeted seller lures with real listing data |
| Input Capture: Web Portal Capture | T1056.003 | Fake CAPTCHA -> credential theft |
| Acquire Infrastructure: Web Services | T1583.006 | DigitalOcean droplet + Cloudflare CDN |
| Data Staged: Remote Data Staging | T1074.002 | MySQL on origin for stolen credential storage |
Campaign 4: La Poste/Colissimo — French Food-Word DGA
Target: French residents via parcel delivery notification phishing
Infrastructure
| Component | Detail |
|---|---|
| Domain | *.logis16-prio.pro (wildcard DNS) |
| CDN | Cloudflare (104.21.44.152, 172.67.200.231) |
| Origin | Hidden — PHP 8.4.18, Plesk Linux |
| Registrar | NICENIC INTERNATIONAL GROUP (same as Campaign 1) |
Subdomain Generation
The actor uses French food words as subdomains under wildcard DNS, so each new hostname sidesteps per-URL blocklists without any new registration:
| Subdomain | Translation | Status |
|---|---|---|
| endives | endives | Active |
| croustille | crisp/crouton | Active |
| fromage | cheese | Partially blocked (Cloudflare) |
| jambon | ham | Active |
| marmoud | Unknown (possible actor handle) | Active |
Anti-Analysis
The phishing endpoint /as.php redirects all non-victim requests to https://www.lemonde.fr/ — a legitimate French news site used as a decoy. The kit only serves phishing content to visitors arriving via SMS links with valid PHPSESSID tokens.
Cross-Campaign Link Analysis: sgpass-fr <-> logis16-prio
Two of the four campaigns share enough infrastructure overlap to assess a connection with high confidence:
| Indicator | sgpass-fr (Campaign 1) | logis16-prio (Campaign 4) |
|---|---|---|
| Registrar | NICENIC (Hong Kong) | NICENIC (Hong Kong) |
| PHP version | 8.4.18 | 8.4.18 |
| Server platform | Plesk Linux | Plesk Linux |
| Anti-analysis | HTTP 503 + PHPSESSID gating | HTTP 302 to lemonde.fr + PHPSESSID gating |
| Target | France | France |
| Registration date | 2026-03-02/03 | 2026-03-03 |
Assessment: Same threat actor or shared PhaaS platform. The identical tech stack, registrar, and 24-hour registration window make coincidence unlikely.
Platform Abuse at Scale
Beyond these four campaigns, the same feeds revealed massive platform abuse:
| Platform | Abused Pages/Accounts | Campaign Type |
|---|---|---|
| Weebly | 3,584 pages | Various |
| Ghost.io | 787 pages | Crypto wallet phishing |
| Cloudflare Pages | 402 pages | Exodus wallet cluster |
| hoster.ru | 23+ accounts | Correos (10 months) |
| DigitalOcean | 1 droplet | Kleinanzeigen panel |
| Omegatech | 1 VPS | Société Générale |
IOCs
IP Addresses
178.16.53.234 # Société Générale phishing — Omegatech, Amsterdam (AS202412)
31.28.24.114 # CORREOSNOBOT kit — Filanco/Citytelecom, Moscow (AS12616)
68.183.52.163 # Kleinanzeigen panel origin — DigitalOcean NYC3 (AS14061)
Domains
# Société Générale (27 active)
sgpass-fr021.com
sgpass-fr022.com
sgpass-fr023.com
...
sgpass-fr050.com
# eBay Kleinanzeigen
*.mx51088081.com
# La Poste/Colissimo
*.logis16-prio.pro
# CORREOSNOBOT active servers
srv247611.hoster-test.ru
srv247550.hoster-test.ru
srv247104.hoster-test.ru
srv247078.hoster-test.ru
srv246896.hoster-test.ru
srv246841.hoster-test.ru
URLs
sgpass-frNNN.com/pages/asset.php
kleinanzeigen.mx51088081.com/receive/<ID>?mail=<b64>&meta=<data>
*.logis16-prio.pro/as.php
srv######.hoster-test.ru/correosclean/cor2K25/corr/corr.php
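The following Python is an added example (not from the report) that turns the URL fingerprints listed above, and the Kleinanzeigen victim URL structure described under Campaign 3, into a feed triage check: it classifies a URL against the four kits' host and path patterns and, for /receive/ links, decodes the base64 mail parameter to separate template deployments (W1lPVVJd, i.e. [YOUR]) from URLs carrying a real victim address. The kit labels and the constructed sample values used in the test (campaign id, affiliate id) are assumptions.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Added example, not from the report. Host/path patterns are taken from the
# report's IOC section; the kit labels are assumptions.
KIT_PATTERNS = {
    "sgpass-fr (Societe Generale)": (re.compile(r"^sgpass-fr\d{3}\.com$"), "/pages/asset.php"),
    "mx51088081 (Kleinanzeigen)": (re.compile(r"(^|\.)mx51088081\.com$"), "/receive/"),
    "logis16-prio (La Poste)": (re.compile(r"(^|\.)logis16-prio\.pro$"), "/as.php"),
    "CORREOSNOBOT (Correos)": (re.compile(r"^srv\d{6}\.hoster-test\.ru$"), "/corr/corr.php"),
}


def classify_url(url):
    """Return (kit label, details) if the URL matches a known kit, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    for kit, (host_re, path_marker) in KIT_PATTERNS.items():
        if host_re.search(host) and path_marker in parts.path:
            return kit, _details(kit, host, parts)
    return None


def _details(kit, host, parts):
    qs = parse_qs(parts.query)
    info = {"host": host}
    if kit.startswith("mx51088081"):
        # Kleinanzeigen: /receive/<CAMPAIGN_ID>?mail=<base64 victim email>&meta=...
        info["campaign_id"] = parts.path.rsplit("/", 1)[-1]
        mail = qs.get("mail", [""])[0]
        try:
            decoded = base64.b64decode(mail + "=" * (-len(mail) % 4)).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
            decoded = ""
        info["victim_email"] = decoded
        # W1lPVVJd decodes to "[YOUR]": a template deployment, not a real victim
        info["is_template"] = decoded == "[YOUR]"
    elif kit.startswith("CORREOSNOBOT"):
        # clckid= is the TDS affiliate identifier
        info["affiliate_id"] = qs.get("clckid", [""])[0]
    elif kit.startswith("logis16"):
        # the food-word subdomain served under the wildcard DNS record
        info["subdomain"] = host.removesuffix("logis16-prio.pro").rstrip(".")
    return info
```

A non-template Kleinanzeigen hit tells the SOC which address was targeted, so the victim can be notified before the listing-confirmation lure lands.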
QR Shortlinks (Correos)
qrco.de/bgc2kl
qrco.de/bgcAOt
Nameservers (Actor-Controlled)
ns3.my-ndns.com
ns4.my-ndns.com
Registrars
NICENIC INTERNATIONAL GROUP CO., LIMITED — abuse@nicenic.net
Gname.com Pte. Ltd.
Static Kit Fingerprints
# CORREOSNOBOT hardcoded tracking number (all deployments)
PH9VMC0759767210146026M
# Kleinanzeigen hardcoded session cookie
4d325d7f6f766a0a26cf25c9cd913ab2=__ddd662a80ed73c9412b98893f07ea382
Plesk Admin Panel
brave-shaw.178-16-53-234.plesk.page:8443
Investigation conducted 2026-03-04 using public threat intelligence feeds (PhishTank, URLhaus, OpenPhish) and passive reconnaissance. No credentials were entered, no systems were accessed without authorization.