
The Loominost Pivot: How a $1.47/Month cPanel Reseller Sits On Top of 38 FakeMeeting Phishing Domains — And Links Back to Its Operator Through a Shared Google Analytics ID

Published April 9, 2026


TL;DR

Following @1ZRR4H's lead on googlomeeting.com, we walked one of the FakeMeeting / ClickFix campaigns targeting Google Meet, Zoom, DocuSign, and Paperless Post users back to its operator. The campaign lives on a single Shock Hosting cPanel box (fl-s2.serverpanel.com at 104.225.130.131) and runs 38+ typosquatted phishing domains under a vanity-nameserver brand called loominost.com. Loominost presents itself as a budget cPanel reseller — "The Fastest & Cheapest cPanel Hosting on The Internet" — $1.47/month. In reality, it's the operator's own front.

Three independent attribution anchors point at the same human:

  1. DNS SOA leak: johnseamus89@gmail.com is stamped into the SOA records of 11+ of the phishing domains
  2. WHOIS registrant name: googlemeetmenow.us is registered without privacy protection to "Terry Johnson"
  3. Google Analytics pivot: G-XDVX0QEYVC is embedded in the loominost.com website and in phishing pages served from the campaign infrastructure, tying the hosting brand to the phishing operation via a shared tracking ID

The attack chain itself is textbook FakeMeeting / ClickFix: fake Google Meet "joining" screen → Windows-style "update required" popup → fake Microsoft Store page → GoogleMeetInstaller.zip auto-download → a walkthrough page that coaches the victim through running the payload. The final-stage binary (based on prior public reporting from Malwarebytes, Netcraft, and others) is Teramind remote monitoring software repurposed as commodity RAT-ware. That part of the story is already well documented — Malwarebytes published a technical deep dive in February 2026, Netcraft and Sekoia have prior pieces from 2024–2025, and @1ZRR4H's own thread traces the campaign back further.

What this report adds to the public record is the full operator stack — the SOA leak, the unprotected WHOIS name, the GA ID pivot, and the tie between the operator's legit-looking loominost.com reseller business and the 38 phishing domains it provides DNS and hosting for. We can't find prior public writeups that link johnseamus89@gmail.com, "Terry Johnson", the G-XDVX0QEYVC tracking ID, or the Loominost brand directly to this campaign under one operator identity.

Hat tip to @1ZRR4H for the lead, and to Malwarebytes / Netcraft for the prior FakeMeeting / Teramind technical work that makes this post a pivot and not a primer. If you've already published reporting on johnseamus89, Terry Johnson, loominost.com, or the specific G-XDVX0QEYVC tracking ID as the pivot, please reply or DM — we'll update and credit.


The Attribution Stack

Anchor 1 — the SOA email leak

DNS SOA records on 11+ of the phishing domains contain johnseamus89@gmail.com in the rname (responsible-name) field. That field is supposed to be a real contact address for the DNS zone, and most operators either leave it as hostmaster@<domain> or scrub it entirely. Leaving a personal Gmail address in SOA is an unforced error that any dig SOA query will surface.

Domains with johnseamus89@gmail.com in SOA:

googlomeeting.com
googlomeetings.com
googlemeet-meetings.us
googlemeetmenow.us
googlemeetinterview.help
google-meetingsnow.click
googlemeeting.click
fritchat.xyz
meeting-live.site
zoom-meetingnow.us
preview-sign.online
(+ others across the 38-domain set)

That's the pattern repeating across every campaign-owned zone. The SOA field is the first thing we check in any OPSEC-reckless operator investigation because it costs the operator nothing to scrub and costs the investigator nothing to query.
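The rname check above is cheap to automate. The script below is an added example (not GHOST's tooling): it parses `dig +short SOA` output, decodes the rname mailbox encoding (RFC 1035 turns the first unescaped dot into `@` and writes a literal dot in the local part as `\.`), and flags zones whose contact is not a generic role mailbox. The sample records are constructed; only the first line's rname reproduces the address reported in this post, and the other two zones are invented to exercise the escaping rules.

```python
import re

# Constructed sample: what `dig +short SOA <zone>` prints for three zones.
# The first rname mirrors the post's finding; the other two zones are invented.
SAMPLE_SOA = {
    "googlomeeting.com":  "ns3.loominost.com. johnseamus89.gmail.com. 2026040901 3600 1800 1209600 86400",
    "example-clean.test": "ns1.example-clean.test. hostmaster.example-clean.test. 2026040901 3600 900 604800 3600",
    "dotted.test":        "ns1.dotted.test. jane\\.doe.example.test. 2026040901 3600 900 604800 3600",
}

# Role mailboxes that tell an investigator nothing about the zone owner.
GENERIC_LOCAL_PARTS = {"hostmaster", "dnsadmin", "dns", "postmaster", "admin", "root"}


def rname_to_email(rname: str) -> str:
    """Convert a SOA rname (DNS mailbox encoding) to a conventional email address."""
    name = rname.rstrip(".")
    local = []
    i = 0
    # Walk until the first unescaped dot; that dot is the '@' separator.
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            local.append(name[i + 1])  # escaped character stays in the local part
            i += 2
            continue
        if ch == ".":
            return "".join(local) + "@" + name[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)  # no dot at all: degenerate rname, return as-is


def parse_soa(line: str) -> dict:
    """Split a `dig +short SOA` line into its seven RFC 1035 fields."""
    parts = line.split()
    if len(parts) != 7:
        raise ValueError(f"unexpected SOA format: {line!r}")
    mname, rname, serial, refresh, retry, expire, minimum = parts
    return {
        "mname": mname.rstrip("."),
        "rname": rname.rstrip("."),
        "email": rname_to_email(rname),
        "serial": int(serial),
        "refresh": int(refresh),
        "retry": int(retry),
        "expire": int(expire),
        "minimum": int(minimum),
    }


def personal_contact_zones(soa_by_zone: dict) -> dict:
    """Return {zone: email} for zones whose SOA contact is not a generic role mailbox."""
    hits = {}
    for zone, line in soa_by_zone.items():
        email = parse_soa(line)["email"]
        local = email.split("@", 1)[0].lower()
        if local not in GENERIC_LOCAL_PARTS:
            hits[zone] = email
    return hits


if __name__ == "__main__":
    for zone, email in personal_contact_zones(SAMPLE_SOA).items():
        print(f"{zone:25} {email}")
```

Feed it real output by replacing `SAMPLE_SOA` with a dict built from `dig +short SOA <zone>` across your candidate list; the same decoder also surfaces the `johnseamus89.gmail.com` form mentioned in the hunting section, since that string is just the undecoded rname.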

Anchor 2 — the unprotected WHOIS registrant

googlemeetmenow.us was registered without privacy protection, and the WHOIS registrant name reads:

Registrant: Terry Johnson

Whether "Terry Johnson" is a real legal name, a pseudonym matching another handle elsewhere, or a persona that also gets used somewhere cross-indexable, we can't say from WHOIS alone. But the name is stable and searchable — that makes it a pivot target for anyone doing historical WHOIS correlation work across other NameSilo / Namecheap registrations from the same timeframe.

Anchor 3 — the Google Analytics pivot

This is the one that matters most. The loominost.com reseller website and the phishing pages served from the campaign infrastructure share the same Google Analytics measurement ID:

G-XDVX0QEYVC

Google Analytics measurement IDs are property-scoped. Two websites sharing the same G- ID means either:

  1. The same person set both up under the same Analytics account, or
  2. Someone copy-pasted the tracking snippet from one site to the other and didn't notice they were now sharing analytics data

Either reading makes loominost.com operator-controlled. The first is the more plausible: the operator ships a tracking snippet into their cPanel templates, and every new phishing domain provisioned under Loominost inherits the same G-XDVX0QEYVC ID by default. It's a templating convenience that also happens to be a one-line attribution anchor.

The G-XDVX0QEYVC ID is the specific pivot we want other researchers to carry forward. If this tracking ID shows up on any additional sites, those are also operator-controlled.
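To carry the pivot forward at scale you need to pull measurement IDs out of page source and invert the mapping so shared IDs stand out. The script below is an added example, not code from this report or from Loominost: it matches GA4 IDs in both places the gtag snippet carries them (the loader URL's `id=` parameter and the `gtag('config', ...)` call) and reports only IDs seen on more than one site. The three sample pages are constructed; the first two embed the ID reported in this post, the third uses an invented control ID.

```python
import re
from collections import defaultdict

# GA4 measurement IDs look like G-XXXXXXXXXX. They appear in the gtag loader
# URL (gtag/js?id=...) and in the gtag('config', '...') call.
GA_ID_RE = re.compile(
    r"(?:gtag/js\?id=|gtag\(\s*['\"]config['\"]\s*,\s*['\"])(G-[A-Z0-9]{6,12})"
)

# Constructed sample pages (not captured from the sites named in the post).
SAMPLE_PAGES = {
    "loominost.com": """<script async src="https://www.googletagmanager.com/gtag/js?id=G-XDVX0QEYVC"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-XDVX0QEYVC');</script>""",
    "fritchat.xyz": """<title>Google Meet Mockup - Windows</title>
<script>gtag("config", "G-XDVX0QEYVC");</script>""",
    # Control site with an invented, unrelated ID.
    "unrelated.example": """<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE000"></script>""",
}


def extract_ga_ids(html: str) -> set:
    """All GA4 measurement IDs referenced by a page's tracking snippet(s)."""
    return set(GA_ID_RE.findall(html))


def group_sites_by_ga_id(pages: dict) -> dict:
    """Invert site -> ids into id -> sorted list of sites."""
    by_id = defaultdict(set)
    for site, html in pages.items():
        for ga_id in extract_ga_ids(html):
            by_id[ga_id].add(site)
    return {ga_id: sorted(sites) for ga_id, sites in by_id.items()}


def shared_ids(pages: dict) -> dict:
    """Only IDs that appear on more than one site are attribution pivots."""
    return {ga_id: sites for ga_id, sites in group_sites_by_ga_id(pages).items() if len(sites) > 1}


if __name__ == "__main__":
    for ga_id, sites in shared_ids(SAMPLE_PAGES).items():
        print(ga_id, "->", ", ".join(sites))
```

In practice `SAMPLE_PAGES` would be populated from archived page captures or a proxy's response bodies; the point of inverting the map is that a copy-pasted snippet, the second reading the post gives, shows up exactly the same way as a deliberately shared property.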

Putting the three together

Anchor              Value                              Source
Personal Gmail      johnseamus89@gmail.com             DNS SOA records on 11+ phishing domains
Registrant name     Terry Johnson                      Unprotected WHOIS on googlemeetmenow.us
Tracking ID         G-XDVX0QEYVC                       Shared between loominost.com and phishing pages
Hosting brand       Loominost (loominost.com)          Self-operated cPanel reseller on Shock Hosting
Vanity NS prefix    ns3/4/5/6/7/8.loominost.com        107.161.50.4 / 199.87.210.5 (Shock Hosting DNS)

kevin@loominost.com is the loominost.com registrant of record (Chun Keat Ng, Box Hill, Melbourne, Australia, phone +61.472670109) — that's a separate identity anchor we could not definitively merge with johnseamus89@gmail.com / "Terry Johnson". It could be:

  • The same operator with two email addresses and a WHOIS alias (most likely given all the other overlaps)
  • A friend / business partner who registered the shell brand for the operator
  • The legitimate hosting reseller whose customer account is abused by a separate actor

We can't ground-truth which of those it is from open sources. The infrastructure-level link is hard (same nameservers + same cPanel tenant + same tracking ID). The human-level identity merge is soft until someone with subpoena power pulls the Namecheap registrant records.


The Loominost Front

Loominost (loominost.com) markets itself on its landing page as:

"The Fastest & Cheapest cPanel Hosting on The Internet"

Starting from $1.47 / month

It has a legitimate-looking WordPress marketing site, a published pricing page, stock-photo testimonials, and a support email. Underneath, the product is a thin reseller layer on top of Shock Hosting LLC (AS395092, Piscataway NJ). Every Loominost customer runs on the fl-s2.serverpanel.com / wa-s1.serverpanel.com servers in Shock Hosting's fleet. Every Loominost nameserver (ns3.loominost.com through ns8.loominost.com) resolves to the same two Shock Hosting DNS IPs:

ns3/5/7.loominost.com  →  107.161.50.4   (ns1.shockhosting.com, NYC)
ns4/6/8.loominost.com  →  199.87.210.5   (ns2.shockhosting.com, LA)

The six-variant vanity NS rotation is a branding exercise — it's the same two DNS servers under six different hostnames so that different customers / different campaigns can have slightly different "looking" NS records without actually running distinct DNS infrastructure.

What makes Loominost operator infrastructure rather than just a reseller-whose-customer-is-a-phisher is the convergence:

  • All 38+ phishing domains use Loominost nameservers
  • All phishing domains trace their SOA records back to johnseamus89@gmail.com
  • Loominost's own website shares a Google Analytics ID with those phishing pages
  • The Loominost brand has existed since 2023-01-11 — nearly three years of runway for the operator to build a legit-looking front before the current FakeMeeting wave started in December 2025

The 38+ Phishing Domains

Registered primarily through NameSilo and Namecheap, active since at least 2025-12-20, new domains added weekly:

Google Meet impersonation

googlomeeting.com              (clientHold / suspended Mar 2026)
googlomeetings.com
googlemeet-meetings.us
googlemeetmenow.us
googlemeetinterview.help
google-meetingsnow.click
googlemeeting.click
ggooggllemeetmeetingggn.com
ggoooglemeettinggninvit.click
googgleemeetinginterviiew.live
goggllemmeettiingnc.com        (newest observed — 2026-04-09)
9goooglemeetts.live
cloud04meet.com
fritchat.xyz                   (titled "Google Meet Mockup - Windows")
meeting-live.site
qkltt28zm3bxw.live

Zoom impersonation

sec3viewing.live
zoom-meetingnow.us

DocuSign impersonation

preview-sign.online

Paperless Post impersonation

paperlesspostinvite.site

Adjacent / staging

blue-review.info
us-04-web.one                  (open directory)
all-in1aboutus247.org          (open directory)
wp.hotmail101.xyz              ("BUY HOTMAIL ACCOUNTS" marketplace)

The wp.hotmail101.xyz entry is worth noting — it's a Hotmail / Outlook account marketplace sharing the same hosting tenant as the FakeMeeting phishing domains. That's the kind of side-business cross-contamination that suggests an operator running multiple criminal ventures out of the same cPanel account.

The Attack Chain

Textbook ClickFix / FakeMeeting, consistent with Malwarebytes' February 2026 deep dive:

1. Victim receives fake meeting invite link
2. Stage 1  /meeting/invite.php       — pixel-perfect Google Meet "joining" clone
3. Stage 2  Windows-style popup        — "Google Meet needs to be updated"
4. Stage 3  /microsoft-store.php       — fake Microsoft Store with publisher, screenshots, reviews
5. Stage 4  /download.php              — auto-download GoogleMeetInstaller.zip (hidden iframe, 1.5s delay)
6. Stage 5  /install-guide.php         — walkthrough page teaching victim to extract + run the payload
7. Stage 6  Teramind remote monitoring agent installed

The fake Microsoft Store page is branded as "Google Meet — One Platform to Connect" with publisher "Google Meet Video Communications, Inc.", five fake screenshots, and fabricated five-star reviews from "Sarah K.", "Mark T.", and "Dana P." The install-guide page is particularly cynical — it teaches victims to bypass their OS security warnings by clicking "Run" or "Yes" when Windows SmartScreen flags the payload.

Specific URL patterns observed across the campaign:

https://googlomeeting.com/meeting/invite.php
https://fritchat.xyz/googlemeet/invite.php
https://fritchat.xyz/googlemeet/microsoft-store.php
https://googlemeet-meetings.us/update/GoogleMeetInstaller.zip
https://googlemeet-meetings.us/update.html
https://sec3viewing.live/install-guide.php
https://sec3viewing.live/microsoft-store.php
https://preview-sign.online/view/Docu-Sign/

The Zoom-themed variant on sec3viewing.live even includes a file:///C:/Users/%USERNAME%/Downloads link on the install-guide page so victims can one-click their Downloads folder and find the payload — a detail that reveals how much the operator cares about infection completion rate.

The Shared Mail IP

104.225.130.2 (fl-s2.serverpanel.com) is the shared outbound mail IP for the entire cPanel server — Shock Hosting's default routing for email from any account on the fl-s2 box. The operator's phishing domains all carry +ip4:104.225.130.2 in their SPF records, which means:

  • Phishing emails originating from this IP will pass SPF checks against the operator's domains
  • A single block at email gateways on the 104.225.130.2 + matching SPF pattern disrupts the delivery side of every campaign on this cPanel server
  • MailChannels (relay.mailchannels.net) is the upstream relay used for final delivery
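The SPF hunt described above amounts to parsing each domain's TXT record and asking whether a positive `ip4` mechanism covers the shared mail IP. The script below is an added example, not code from this report: it evaluates `ip4` mechanisms (with CIDR support) and returns the domains that authorize a given address. The three SPF records are constructed, not live lookups; the first two follow the `+ip4:104.225.130.2` shape the post describes, and the third is an invented control domain.

```python
import ipaddress

# Constructed SPF TXT records (not live lookups).
SAMPLE_SPF = {
    "googlomeeting.com":  "v=spf1 +a +mx +ip4:104.225.130.2 include:relay.mailchannels.net ~all",
    "zoom-meetingnow.us": "v=spf1 +a +mx +ip4:104.225.130.2 include:relay.mailchannels.net ~all",
    "control.example":    "v=spf1 ip4:203.0.113.0/24 -all",  # invented control domain
}

SHARED_MAIL_IP = "104.225.130.2"


def spf_ip4_networks(record: str) -> list:
    """Return the IPv4 networks a record authorizes via ip4 mechanisms.

    Only the '+' (pass) qualifier, explicit or implied, counts as authorization;
    '-', '~' and '?' qualified mechanisms are skipped.
    """
    nets = []
    for term in record.split():
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if qualifier != "+" or not term.lower().startswith("ip4:"):
            continue
        # A bare address is treated as /32; strict=False tolerates host bits in a prefix.
        nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets


def spf_authorizes(record: str, ip: str) -> bool:
    """True if any positive ip4 mechanism in the record covers the address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in spf_ip4_networks(record))


def domains_authorizing(spf_by_domain: dict, ip: str) -> list:
    """Domains whose SPF record authorizes the given sender IP, sorted."""
    return sorted(d for d, rec in spf_by_domain.items() if spf_authorizes(rec, ip))


if __name__ == "__main__":
    for domain in domains_authorizing(SAMPLE_SPF, SHARED_MAIL_IP):
        print(domain)
```

This deliberately ignores `a`, `mx` and `include:` mechanisms, which need further DNS lookups; for the tenant-cluster hunt the literal `ip4` mechanism is the signal, so resolving the rest would only add noise and network calls.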

The IP sits in an otherwise clean /24 that also hosts 2–3 legitimate non-phishing tenants (13c.tel, longbaydunesmb.com, kyliejae.com) as co-residents on the shared IP, plus at least two other phishing campaigns on adjacent dedicated IPs in the same /24:

IP               PTR                      Role
104.225.130.2    fl-s2.serverpanel.com    Shared outbound mail IP — SPF anchor
104.225.130.131  fl-s2.serverpanel.com    FakeMeeting / Teramind phishing campaign (our target)
104.225.130.133  fl-s2.serverpanel.com    Financial phishing cluster (cbsecure-auth.com, cb-clientmail.com, staement-care1help-cen.com)
104.225.130.134  fl-s2.serverpanel.com    Wealth management phishing (mycpwealtth.com)

The financial phishing cluster on .133 uses NS records that point directly at ns1/ns2.shockhosting.com — not at the Loominost vanity NS. That's a different operator pattern and suggests at least two independent phishing operations share the fl-s2 box. Our operator controls only the Loominost-NS-branded subset.

Detection & Hunting

Block list

# Vanity nameservers (all 38+ phishing domains use these)
ns3.loominost.com  ns4.loominost.com  ns5.loominost.com
ns6.loominost.com  ns7.loominost.com  ns8.loominost.com

# Hosting server IPs
104.225.130.131    # Primary phishing campaign
104.225.130.133    # Financial phishing (different operator, same box)
104.225.130.134    # Wealth management phishing (different operator, same box)
209.182.224.202    # wa-s1.serverpanel.com (secondary campaign server)

# Shared mail IP — block at email gateway
104.225.130.2

# Operator Gmail for abuse reporting
johnseamus89@gmail.com

Hunting signatures

  • DNS SOA hunt — any DNS zone with johnseamus89.gmail.com (DNS-escaped) or johnseamus89@gmail.com in the SOA rname field
  • Google Analytics hunt — grep your web proxy logs for G-XDVX0QEYVC. That ID on any site that isn't Loominost's own marketing page is operator infrastructure.
  • SPF hunt — any domain whose SPF record contains +ip4:104.225.130.2 is probably in the same tenant cluster
  • URL pattern hunt: /meeting/invite.php, /microsoft-store.php, /install-guide.php, /update/*.zip served from domains with excessive character repetition (ggooggllemeet*, ggoooglemeett*)
  • ZIP artifact hunt: GoogleMeetInstaller.zip downloaded from any domain matching *meet* or *zoom* on .click / .live / .site / .xyz / .help TLDs
  • Process hunt — Teramind agent binaries in non-enterprise-managed directories (Teramind is legitimate commercial software, so naive block rules will false-positive on legitimate deployments; the indicator is placement, not presence)

Title-based scanning

Page titles served from the campaign pages are surprisingly consistent and make a good passive fingerprint:

"Google Meet"
"Google Meet Mockup - Windows"
"Google Meet - Microsoft Store"
"Google Meet | Download Installer"
"Google Meet | Secure Video Meetings"
"Zoom - Microsoft Store"
"Installation Guide"
"DocuSign: Electronic Signature..."

Any page with those titles served from non-google.com / non-zoom.us / non-docusign.com infrastructure is a strong phishing signal.
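The URL pattern hunt in the signatures list and the title fingerprint above combine naturally into one scoring pass over proxy logs. The script below is an added example, not GHOST's detection content: it parses a simple log format, scores each request on four signals (a stage path, a campaign title on a non-brand host, a brand keyword on one of the cheap TLDs, and doubled-letter runs in the hostname), and returns requests at or above a threshold. The log format, the threshold, the weights and the log lines themselves are constructed assumptions; hostnames and titles are taken from this post, and the benign rows are invented controls.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines: "<ts> <client> <method> <url> <status> "<title>"".
# Hosts and titles come from the post; meet.google.com and intranet.example.com
# are invented benign controls.
SAMPLE_LOG = """\
2026-04-09T10:01:02Z 10.0.0.5 GET https://googlomeeting.com/meeting/invite.php 200 "Google Meet"
2026-04-09T10:01:09Z 10.0.0.5 GET https://fritchat.xyz/googlemeet/microsoft-store.php 200 "Google Meet - Microsoft Store"
2026-04-09T10:01:15Z 10.0.0.5 GET https://googlemeet-meetings.us/update/GoogleMeetInstaller.zip 200 ""
2026-04-09T10:02:40Z 10.0.0.9 GET https://meet.google.com/abc-defg-hij 200 "Google Meet"
2026-04-09T10:03:01Z 10.0.0.9 GET https://intranet.example.com/wiki/install-guide 200 "Installation Guide"
2026-04-09T10:04:11Z 10.0.0.7 GET https://ggooggllemeetmeetingggn.com/meeting/invite.php 200 "Google Meet"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
STAGE_PATH_RE = re.compile(
    r"(/meeting/invite\.php|/microsoft-store\.php|/install-guide\.php|/download\.php|/update/[^/]+\.zip)$"
)
BRAND_TITLES = {
    "Google Meet", "Google Meet Mockup - Windows", "Google Meet - Microsoft Store",
    "Google Meet | Download Installer", "Google Meet | Secure Video Meetings",
    "Zoom - Microsoft Store", "Installation Guide",
}
BRAND_DOMAINS = ("google.com", "zoom.us", "docusign.com")
SUSPECT_TLDS = (".click", ".live", ".site", ".xyz", ".help")


def parse_log(text: str) -> list:
    """Turn raw log lines into dicts with host, path and page title."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url, status, title = m.groups()
        u = urlsplit(url)
        rows.append({"ts": ts, "client": client, "host": u.hostname or "", "path": u.path, "title": title})
    return rows


def on_brand_domain(host: str) -> bool:
    """True for the legitimate brand domains and their subdomains."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def doubled_letter_runs(label: str) -> int:
    """Count doubled-letter pairs ('gg', 'oo', 'll', ...) in a hostname label."""
    return len(re.findall(r"([a-z])\1", label))


def score(row: dict) -> tuple:
    """Return (score, reasons) for one request."""
    total, reasons = 0, []
    host, path, title = row["host"].lower(), row["path"], row["title"]
    if STAGE_PATH_RE.search(path):
        total += 2
        reasons.append("stage-path")
    if title in BRAND_TITLES and not on_brand_domain(host):
        total += 2
        reasons.append("brand-title-off-brand-host")
    if ("meet" in host or "zoom" in host) and host.endswith(SUSPECT_TLDS):
        total += 1
        reasons.append("brand-keyword-cheap-tld")
    if doubled_letter_runs(host.split(".")[0]) >= 3:
        total += 2
        reasons.append("letter-repetition")
    return total, reasons


def hunt(text: str, threshold: int = 3) -> list:
    """Requests scoring at or above the threshold, as (host, score, reasons)."""
    flagged = []
    for row in parse_log(text):
        total, reasons = score(row)
        if total >= threshold:
            flagged.append((row["host"], total, reasons))
    return flagged


if __name__ == "__main__":
    for host, total, reasons in hunt(SAMPLE_LOG):
        print(f"{total}  {host:32} {', '.join(reasons)}")
```

The threshold is set so that a generic title such as "Installation Guide" on an internal wiki does not fire on its own, while a stage path plus a campaign title, or a stage path plus a letter-stuffed hostname, does; tune the weights against your own traffic before deploying.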

JARM fingerprint

The entire Shock Hosting fl-s2 cluster produces the same JARM:

29d29d00029d29d00042d43d00041d598ac0c1012db967bb1ad0ff2491b3ae

That JARM is shared across all services on the cluster — it won't tell you individual tenants, but it will tell you when you're looking at fl-s2.

Disclosure

  • Shock Hosting abuse: abuse@shockhosting.com — for the phishing tenants on 104.225.130.131, .133, .134 and the wa-s1.serverpanel.com secondary box
  • MailChannels abuse — for the email-relay abuse
  • Namecheap / NameSilo — for the registered phishing domains
  • Google: johnseamus89@gmail.com is tied to a credential-phishing operation; Google can act on the account and on the Analytics property G-XDVX0QEYVC
  • Let's Encrypt — for certificate issuance on the phishing domains

Prior art

If you've already published reporting on this specific Loominost operator cluster, the G-XDVX0QEYVC tracking ID, or the johnseamus89 / Terry Johnson / Chun Keat Ng attribution, please reply or DM — we'll update and credit.


GHOST — Breakglass Intelligence "One indicator. Total infrastructure."
