
One IP, One Shrug Emoji, and a Complete PayPal Account Takeover Chain: SMS Interception, German Telecom Targeting, and a Fresh Estonian BPH Network

Russian-language SMS platform stealing OTPs from German telecoms, PayPal phishing, Microsoft domain fronting, and 3072 IPs announced in 3 days

Published April 3, 2026

@malwrhunterteam tweeted an IP address with a shrug emoji: 45.151.106[.]88. No context. No hashtags. Just an IP and a shoulder shrug.

Behind that IP: a Golang C2 server, a Russian-language SMS interception platform stealing one-time passwords from German telecom providers, a PayPal phishing domain, a Dutch financial fraud page, Microsoft domain fronting infrastructure, and an Estonian hosting provider that announced 12 /24 prefixes in a three-day window.

The attack chain is complete: phish the credentials, steal the 2FA code via SMS interception, take over the account. No step missing.

The SMS Platform

The most significant finding isn't the C2 at .88 -- it's what's running on 95.85.236[.]1, an adjacent IP in the same hosting provider.

Ports 9999 and 50000 serve a Russian-language SMS interception platform -- a full REST API for acquiring temporary phone numbers and intercepting SMS messages sent to them. The platform specifically targets three German telecom providers:

  • Freenet -- German mobile and internet provider
  • GMX -- German email and mobile services
  • Klein -- German telecom

The interface is entirely in Russian. Pricing is in rubles. This is a service built by Russian speakers for Russian-speaking fraud operators, targeting German victims.

The platform's API allows an operator to:

  1. Request a temporary German phone number from a specific provider
  2. Use that number during a PayPal (or banking) account signup or password reset
  3. Receive the SMS verification code via the API
  4. Complete the verification and take over the account

A Node.js backend with Redis caching on port 9000 handles the queue management. The architecture suggests this is a multi-tenant service -- multiple fraud operators sharing the same SMS interception infrastructure.

The PayPal Chain

geld-paypal[.]com -- German for "money-PayPal" -- was registered March 15, 2026. It sits behind Cloudflare. The domain name tells you exactly what it does: it's a German-language PayPal phishing page.

The attack chain connects the components:

German-language PayPal phishing email
  → Victim enters credentials on geld-paypal[.]com
    → Operator receives stolen username + password
      → Operator logs into real PayPal with stolen creds
        → PayPal sends SMS 2FA code to victim's phone
          → Operator uses SMS API to intercept the code
            → Account takeover complete

A second domain, beveiligdbetaald[.]com (Dutch for "securely paid"), was registered March 20, suggesting the operation targets both German and Dutch financial services.

The C2

The original target -- 45.151.106[.]88 -- runs a Golang binary behind a double-layered Caddy reverse proxy on Windows Server 2022. It's extremely locked down: only the /health endpoint responds. Everything else returns nothing.

But the server leaks through NTLM authentication headers, revealing a VM UUID: VM-d1985d06-5d30-47e8-82f4-b0a7d7a8252b. The server first appeared on March 11, 2026 -- two weeks before the SMS platform and phishing domains went live. This was the first piece of infrastructure stood up, likely the operator's management server.

Microsoft Domain Fronting

Two adjacent IPs -- 45.151.106[.]98 and 5.252.155[.]15 -- in the same hosting provider serve valid Microsoft TLS certificates. This is domain fronting infrastructure: traffic appears to go to Microsoft services but is actually routed to the attacker's backend. It's a technique that makes C2 communications extremely difficult to block because the destination IP serves legitimate Microsoft content alongside malicious traffic.
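
One way a defender can surface this pattern from TLS telemetry is to compare the brand a certificate claims with the ASN that actually announces the serving IP. The Python below is an added example, not code from the report: the ssl.log rows use a simplified Zeek-like layout, the IP-to-ASN table and the brand-to-ASN allowlist are constructed (AS200823 is the MHost LLC ASN named in the report, AS8075 is Microsoft's own ASN; the Microsoft prefix in the table is an assumption), and a real deployment would take both from a routing/ASN feed and an internal allowlist.

```python
"""Flag TLS sessions whose certificate names a brand domain while the server
IP is announced by an ASN that brand does not use.

Added example, not part of the original report. The log rows, the IP-to-ASN
table and the brand-to-ASN policy are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed IP-to-ASN table. AS200823 is the MHost LLC ASN from the report;
# AS8075 is Microsoft's main ASN. The Microsoft prefix is an assumption used
# only to make the example self-contained.
ASN_TABLE = {
    ipaddress.ip_network("45.151.106.0/24"): 200823,
    ipaddress.ip_network("5.252.155.0/24"): 200823,
    ipaddress.ip_network("20.190.128.0/18"): 8075,
}

# Policy: ASNs expected to terminate TLS for names under each brand suffix.
EXPECTED_ASNS: Dict[str, set] = {
    "microsoft.com": {8075},
    "office.com": {8075},
}


@dataclass
class Finding:
    server_ip: str
    cert_name: str
    asn: Optional[int]
    reason: str


def lookup_asn(ip: str) -> Optional[int]:
    """First-match lookup; the constructed table has no overlapping prefixes."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None


def brand_for(name: str) -> Optional[str]:
    """Return the policed brand suffix a certificate name falls under, if any."""
    name = name.lower().lstrip("*.")
    for suffix in EXPECTED_ASNS:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def parse_ssl_line(line: str) -> Dict[str, str]:
    """Simplified Zeek-like ssl.log row (tab-separated): ts, id.resp_h, server_name, subject CN."""
    ts, resp_h, sni, subject_cn = line.rstrip("\n").split("\t")
    return {"ts": ts, "server_ip": resp_h, "sni": sni, "subject_cn": subject_cn}


def check_session(rec: Dict[str, str]) -> Optional[Finding]:
    brand = brand_for(rec["subject_cn"])
    if brand is None:
        return None  # not a brand this policy covers
    asn = lookup_asn(rec["server_ip"])
    if asn in EXPECTED_ASNS[brand]:
        return None
    reason = ("no ASN data for server IP" if asn is None
              else f"AS{asn} is not an expected origin for *.{brand}")
    return Finding(rec["server_ip"], rec["subject_cn"], asn, reason)


def scan(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        if line.strip():
            f = check_session(parse_ssl_line(line))
            if f:
                findings.append(f)
    return findings


# Constructed ssl.log rows: ts, server IP, SNI, certificate subject CN.
SAMPLE_SSL_LOG = [
    "1711900000.1\t45.151.106.98\tlogin.microsoft.com\t*.microsoft.com",
    "1711900001.2\t5.252.155.15\tlogin.microsoft.com\t*.microsoft.com",
    "1711900002.3\t20.190.128.10\tlogin.microsoft.com\tlogin.microsoft.com",
    "1711900003.4\t93.184.216.34\twww.example.com\twww.example.com",
    "1711900004.5\t198.51.100.7\tportal.office.com\tportal.office.com",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SSL_LOG):
        print(f"{f.server_ip:15} cert={f.cert_name:20} {f.reason}")
```

The check deliberately treats "no ASN data" as a finding rather than a pass: a brand certificate served from address space your routing feed cannot attribute is exactly the case worth a second look.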

MHost LLC (AS200823)

All of this runs on MHost LLC, an Estonian hosting provider operating AS200823. MHost announced 12 /24 prefixes (3,072 IP addresses) within a three-day window from March 20-23, 2026. The rapid prefix announcement, combined with the mix of phishing, SMS fraud, exposed databases, and domain fronting hosted on the network, strongly suggests bulletproof hosting.
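
The prefix-burst observation can be turned into a monitoring heuristic. The Python below is an added example, not the report's own analysis: it walks a list of (first-seen, origin ASN, prefix) announcement records and flags any ASN whose newly announced /24-equivalents inside a sliding window cross a threshold. The records are constructed (benchmark space 198.18.0.0/15 and documentation ASNs 64496/64497 stand in for real prefixes, with AS200823 from the report as the burst case), and the 3-day window and 8-/24 threshold are assumptions; in practice the records would come from a route-collector feed such as RIPE RIS or RouteViews.

```python
"""Flag origin ASNs that bring many new /24s online within a short window.

Added example, not part of the original report. The announcement records
are constructed; the 3-day window and 8-/24 threshold are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Record = Tuple[datetime, int, str]  # (first seen, origin ASN, prefix)


def constructed_records() -> List[Record]:
    """Synthetic feed: AS200823 (the report's ASN) lights up 12 /24s in ~66 hours;
    two documentation ASNs announce at a normal pace. 198.18.0.0/15 is benchmark
    address space, used so the prefixes are obviously not real."""
    base = datetime(2026, 3, 20, 8, 0)
    recs: List[Record] = []
    for i in range(12):
        recs.append((base + timedelta(hours=6 * i), 200823, f"198.18.{i}.0/24"))
    for i in range(3):
        recs.append((base + timedelta(days=2 * i), 64497, f"198.19.{i}.0/24"))
    recs.append((datetime(2026, 2, 1), 64496, "198.19.100.0/24"))
    recs.append((datetime(2026, 3, 1), 64496, "198.19.102.0/23"))
    return recs


def slash24_equivalents(prefix: str) -> float:
    """Size of a prefix measured in /24s: a /24 is 1, a /23 is 2, a /25 is 0.5."""
    return ipaddress.ip_network(prefix).num_addresses / 256


def burst_windows(records: List[Record], window: timedelta = timedelta(days=3),
                  min_slash24s: float = 8) -> Dict[int, dict]:
    """Return, for each ASN that crosses the threshold, its busiest window."""
    by_asn: Dict[int, List[Tuple[datetime, float]]] = defaultdict(list)
    for ts, asn, prefix in records:
        by_asn[asn].append((ts, slash24_equivalents(prefix)))

    hits: Dict[int, dict] = {}
    for asn, events in by_asn.items():
        events.sort()
        best, total, j = None, 0.0, 0
        for i in range(len(events)):
            # grow the right edge while the window still covers it
            while j < len(events) and events[j][0] - events[i][0] <= window:
                total += events[j][1]
                j += 1
            if best is None or total > best["slash24s"]:
                best = {"slash24s": total, "addresses": int(total * 256),
                        "start": events[i][0], "end": events[j - 1][0]}
            total -= events[i][1]  # slide the left edge past event i
        if best is not None and best["slash24s"] >= min_slash24s:
            hits[asn] = best
    return hits


if __name__ == "__main__":
    for asn, w in burst_windows(constructed_records()).items():
        print(f"AS{asn}: {w['slash24s']:.0f} x /24 ({w['addresses']} addresses) "
              f"between {w['start']:%Y-%m-%d} and {w['end']:%Y-%m-%d}")
```

Counting in /24-equivalents rather than raw prefix count keeps a single /22 from looking quieter than four /24s; the threshold itself should be tuned against your own baseline, since legitimate providers also grow in bursts after acquisitions.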

Estonia's EU membership provides a veneer of legitimacy -- Estonian IPs have better reputation scores than Russian or Ukrainian hosting -- while the country's relatively small cybersecurity enforcement capacity makes takedown requests slower to process.

Indicators of Compromise

Network Indicators

  • 45[.]151[.]106[.]88 (Golang C2, Windows Server 2022)
  • 95[.]85[.]236[.]1 (SMS interception platform, ports 9999/50000/9000)
  • geld-paypal[.]com (PayPal phishing, German)
  • beveiligdbetaald[.]com (financial phishing, Dutch)
  • 5[.]188[.]87[.]49 (related NetSupport infrastructure)
  • AS200823 (MHost LLC, Estonia)

Host Indicators

  • NTLM VM UUID: VM-d1985d06-5d30-47e8-82f4-b0a7d7a8252b
  • Caddy reverse proxy headers
  • Golang binary serving /health endpoint only
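
To put the network indicators to work, the Python below is an added example (not the report's tooling) that refangs the listed IoCs and runs them over DNS and proxy log lines. Hits on a listed domain, a subdomain of it, or a listed IP are reported as exact; traffic to another address in the same /24 as a listed IP is reported at lower confidence as neighbourhood, which matters here because the report places related infrastructure on adjacent addresses. The log lines and their field layout are constructed; the indicator strings are the report's own.

```python
"""Match the report's defanged network IoCs against DNS and proxy log lines.

Added example, not the report's own tooling. The IoC strings are the ones
listed in the report; the log lines and their layout are constructed.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

DEFANGED_IOCS = {
    "45[.]151[.]106[.]88": "Golang C2 (Windows Server 2022)",
    "95[.]85[.]236[.]1": "SMS interception platform",
    "geld-paypal[.]com": "PayPal phishing, German",
    "beveiligdbetaald[.]com": "financial phishing, Dutch",
    "5[.]188[.]87[.]49": "related NetSupport infrastructure",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def build_watchlists(defanged: Dict[str, str]):
    """Split IoCs into exact IPs, domains, and the /24 around each listed IP."""
    ips, domains, nets = {}, {}, {}
    for raw, label in defanged.items():
        ioc = refang(raw)
        try:
            addr = ip_address(ioc)
        except ValueError:
            domains[ioc] = label
            continue
        ips[ioc] = label
        nets[ip_network(f"{addr}/24", strict=False)] = label
    return ips, domains, nets


IPS, DOMAINS, NETS = build_watchlists(DEFANGED_IOCS)


def scan_line(line: str, line_no: int) -> List[dict]:
    hits = []
    text = line.lower()
    for ip in set(IPV4_RE.findall(text)):
        if ip in IPS:
            hits.append({"line": line_no, "indicator": ip, "label": IPS[ip],
                         "confidence": "exact"})
            continue
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # regex matched something like 999.1.1.1
        for net, label in NETS.items():
            if addr in net:
                hits.append({"line": line_no, "indicator": str(net), "label": label,
                             "confidence": "neighbourhood"})
    for name in set(DOMAIN_RE.findall(text)):
        for ioc, label in DOMAINS.items():
            # exact domain or any subdomain of it; www.paypal.com must not match
            if name == ioc or name.endswith("." + ioc):
                hits.append({"line": line_no, "indicator": ioc, "label": label,
                             "confidence": "exact"})
    return hits


def scan_log(lines: List[str]) -> List[dict]:
    hits = []
    for i, line in enumerate(lines, 1):
        hits.extend(scan_line(line, i))
    return hits


# Constructed DNS and proxy log lines (10.0.0.0/8 clients are internal).
SAMPLE_LOG = """\
2026-04-02T09:15:01Z dns client=10.0.0.5 query=geld-paypal.com type=A
2026-04-02T09:15:03Z proxy client=10.0.0.5 dst=45.151.106.88:443 method=CONNECT
2026-04-02T09:16:10Z dns client=10.0.0.7 query=www.paypal.com type=A
2026-04-02T09:17:42Z proxy client=10.0.0.9 dst=45.151.106.98:443 method=CONNECT
2026-04-02T09:18:05Z dns client=10.0.0.5 query=login.geld-paypal.com type=A
2026-04-02T09:19:30Z proxy client=10.0.0.7 dst=93.184.216.34:443 method=CONNECT
""".splitlines()

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h['line']}: {h['confidence']:13} {h['indicator']:20} {h['label']}")
```

Domain matching is suffix-based on label boundaries, so the legitimate www.paypal.com line produces no hit while login.geld-paypal.com does; the neighbourhood tier is what catches the .98 domain-fronting host even though only .88 appears in the indicator list.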

Detection

Four YARA rules and ten Suricata signatures are available on our GitHub:


h/t @malwrhunterteam for the tip.
