Operation Kellington: One MD5 Hash to a Corporate Impersonation Campaign Targeting a Malaysian Publicly Traded Company
A typosquat domain with working email authentication impersonating Kelington Group Berhad (KLSE)
One Metasploit payload hash. That's all it took to uncover a fully operational phishing infrastructure impersonating Kelington Group Berhad -- a publicly traded industrial engineering company serving the semiconductor and clean energy sectors, listed on Bursa Malaysia -- complete with a cloned corporate website, working email infrastructure that passes SPF, DKIM and DMARC checks, and a Meterpreter handler sharing port 443 with Apache.
This is the story of Operation Kellington -- how a typosquat domain with one extra letter became the foundation for a targeted campaign against Malaysia's industrial engineering sector.
It Started With a Hash
On March 31, threat researcher @salmanvsf (reposted by @Fact_Finder03) flagged a Metasploit payload -- ab.exe, MD5 cafc9d45da602fdf794421fc90375024 -- calling back to a Vultr VPS in Singapore at 45.76.180[.]12. A known payload phoning home to a known IP. Routine, on the surface.
But when we looked at what else was running on that server, the picture changed entirely.
The Double-L
The VPS at 45.76.180[.]12 wasn't just a Metasploit listener. It was serving a full website on ports 80 and 443 -- Apache/2.4.52 on Ubuntu, with a Let's Encrypt certificate. The site looked professional. Clean layout, corporate branding, detailed service pages for industrial gas systems, semiconductor manufacturing, and clean energy solutions.
It was the website of Kelington Group Berhad, a Malaysian industrial engineering company founded in 1999, listed on Bursa Malaysia under the ticker KELINGTON.
Or rather, it was a pixel-perfect clone of it.
The domain: kellington-group[.]com. Two L's. The legitimate domain is kelington-group[.]com -- one L. Registered via NameCheap on September 4, 2025, the typosquat is a single-character deviation from a company that builds ultra-high-purity gas systems for semiconductor fabs. The kind of company whose partners and clients deal in contracts worth millions.
The HTML source confirmed the method. HTTrack comments embedded in every page revealed the exact moment the site was cloned:
<!-- Mirrored from kelington-group.com/ by HTTrack Website Copier -->
Date of capture: September 8, 2025 -- four days after the domain was registered. The actor stood up the domain, provisioned TLS, and had a working website clone within a week.
Emails That Pass Every Check
A cloned website is one thing. What elevated this from a basic lure page to a credible phishing operation was the email infrastructure.
The actor configured Mailgun EU as the mail exchange for kellington-group[.]com. This isn't a throwaway email setup. It's a professional transactional email service with:
- MX: mxa.eu.mailgun.org / mxb.eu.mailgun.org
- SPF: v=spf1 include:mailgun.org ~all
- DKIM: email.kellington-group[.]com is a CNAME to eu.mailgun.org, so Mailgun's signing key is published under the actor's domain
- DMARC: v=DMARC1; p=none; pct=100
This is the critical detail. An email sent from ceo@kellington-group[.]com through Mailgun would pass SPF, carry a valid DKIM signature for kellington-group[.]com, and therefore pass DMARC as well: both identifiers align with the From domain, because the From domain is the actor's own. The p=none policy is almost beside the point. It would only come into play for mail that failed alignment, and the actor's mail does not. Authentication proves that a message really came from the domain it names; it says nothing about whether that domain is the one the recipient thinks it is.
To a finance department at one of Kelington's suppliers receiving an email about an updated bank account for wire transfers, or to a partner company receiving a "revised contract" with an attached executable -- the email would look legitimate at every layer of authentication. The From address is one letter off from the real company. The domain has valid DNS records. The sending infrastructure is Mailgun, a service used by thousands of legitimate businesses.
This is Business Email Compromise infrastructure, purpose-built and fully operational.
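What this looks like from the receiving side, as an added example that is not part of the original write-up: the script below parses a constructed message whose Authentication-Results header shows SPF, DKIM and DMARC all passing for the lookalike domain, then measures the From domain against a constructed list of partner domains with an edit-distance check. The partner list, the mailbox names and the sample headers are assumptions for the demo; the two domains are the ones discussed above.

```python
"""Added example (not from the original post): triage a message that passes
SPF, DKIM and DMARC but whose From: domain is a one-edit lookalike of a
domain you actually do business with.  The partner list and the sample
message below are constructed for the demo."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains this organisation legitimately corresponds with.
PARTNER_DOMAINS = {"kelington-group.com", "example-supplier.com"}

# Constructed sample: every check passes, because the sender owns the lookalike
# domain and the DKIM key published under it.  Modelled on the DNS records in
# the write-up (Mailgun selector, DMARC p=none).
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=kellington-group.com;
 dkim=pass header.d=kellington-group.com header.s=email;
 dmarc=pass (p=none) header.from=kellington-group.com
From: "Accounts" <accounts@kellington-group.com>
To: ap@example.net
Subject: Revised remittance details

Please use the attached bank details for the next payment run.
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, each at cost 1.  A typosquat that adds, drops or
    doubles one letter is distance 1 from the real domain."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def parse_auth_results(value: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts and the DKIM signing domain out of an
    Authentication-Results header (RFC 8601), folded or unfolded."""
    results = {m.lower(): r.lower()
               for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}
    m = re.search(r"header\.d=([\w.-]+)", value, re.I)
    results["dkim_domain"] = m.group(1).lower() if m else None
    return results


def assess(raw_message: str, partners=PARTNER_DOMAINS) -> dict:
    """Classify one message.  'lookalike-authenticated' is the BEC case: the
    mail genuinely comes from the domain it names, but that domain is a
    near-miss of a partner's and the authentication checks cannot tell."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    report = {
        "from_domain": from_domain,
        "auth": auth,
        # DMARC aligns DKIM with the From: domain itself, so an attacker-owned
        # lookalike aligns perfectly; this field just makes that visible.
        "dkim_aligned": auth.get("dkim_domain") == from_domain,
        "nearest_partner": None,
        "distance": None,
    }
    if from_domain in partners:
        report["verdict"] = "known-partner" if all_pass else "known-partner-auth-fail"
        return report
    nearest = min(partners, key=lambda p: osa_distance(from_domain, p))
    dist = osa_distance(from_domain, nearest)
    report["nearest_partner"], report["distance"] = nearest, dist
    if dist <= 1:
        report["verdict"] = "lookalike-authenticated" if all_pass else "lookalike"
    else:
        report["verdict"] = "unknown-domain"
    return report


if __name__ == "__main__":
    for key, val in assess(SAMPLE_MESSAGE).items():
        print(f"{key}: {val}")
```

The distance threshold of 1 is deliberately tight: it catches the doubled-letter case here without flagging every unrelated domain. Widen it per partner domain length if you also want to catch two-character swaps or homoglyph pairs, and treat a hit as a triage signal that goes alongside the usual BEC tells (new bank details, urgency, first contact from a mailbox name).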
The Backdoor Behind the Webserver
Our scan of 45.76.180[.]12 found only two open ports, 80 and 443, both serving the cloned website through Apache. There is no separate port for the handler that the Metasploit payload ab.exe calls back to.
The most likely arrangement is a reverse_https handler sharing port 443 with the website. Two processes cannot bind the same address and port, so in practice that means Apache fronts the handler and forwards the stager's request paths to a Metasploit listener bound locally (Metasploit's ReverseListenerBindAddress/ReverseListenerBindPort options exist for exactly this fronted setup). Either way the C2 traffic blends with legitimate HTTPS connections to the cloned site: a victim machine calling back to kellington-group[.]com over HTTPS looks like someone browsing a corporate website until somebody examines the request paths.
The payload filename -- ab.exe -- is not a tool default (msfvenom writes to stdout unless the operator passes -o); it is a two-keystroke name the operator chose. A low-effort choice that suggests the actor prioritized speed over stealth on the payload side, while investing significant effort in the social engineering infrastructure.
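If Apache is in front of the handler, the stager's requests land in the Apache access log, and they carry a known fingerprint: Metasploit's reverse_http(s) handler strips everything outside [A-Za-z0-9_-] from the request path and checks whether the 8-bit sum of the remaining bytes equals one of a handful of fixed values (the Rex UriChecksum constants). The script below is an added example, not code from the original investigation, and runs that check over constructed combined-format log lines; the client addresses, paths and user agents in them are invented for the demo.

```python
"""Added example (not from the original post): scan an Apache access log for
request paths that carry the Metasploit reverse_http(s) stager checksum.
The handler keeps only base64url characters from the path and looks up the
8-bit sum of what remains; we reproduce that and flag matches.  Log lines
are constructed."""
import re
from collections import Counter

# Checksum values the handler recognises (Rex::Payloads::Meterpreter::UriChecksum).
URI_CHECKSUMS = {
    92: "INITW/INITN (new Windows or native session)",
    80: "INITP (new Python session)",
    88: "INITJ (new Java session)",
    98: "CONN (existing session check-in)",
}

# Constructed Apache combined-format lines: three ordinary page hits, then one
# client that stages on a checksum-92 path and checks in on a checksum-98 path.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Mar/2026:09:12:01 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Mar/2026:09:12:02 +0800] "GET /services/clean-energy.html HTTP/1.1" 200 8820 "https://kellington-group.com/" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2026:09:13:40 +0800] "GET /images/logo.png HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [31/Mar/2026:09:15:00 +0800] "GET /tAZtet HTTP/1.1" 200 180000 "-" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"
192.0.2.44 - - [31/Mar/2026:09:15:05 +0800] "POST /ttz HTTP/1.1" 200 24 "-" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"
192.0.2.44 - - [31/Mar/2026:09:15:10 +0800] "POST /ttz HTTP/1.1" 200 24 "-" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+) (?P<size>\S+)'
)


def checksum8(path: str) -> int:
    """Reproduce the handler's check: drop the query string, keep only
    base64url characters, sum the bytes modulo 256."""
    bare = re.sub(r"[^A-Za-z0-9_-]", "", path.split("?", 1)[0])
    return sum(bare.encode()) % 0x100


def scan(log_text: str) -> list:
    """Return one record per request whose path checksums to a handler mode."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cs = checksum8(m["path"])
        if cs in URI_CHECKSUMS:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "checksum": cs, "mode": URI_CHECKSUMS[cs]})
    return hits


def suspicious_clients(hits: list, min_hits: int = 2) -> dict:
    """A single match is roughly a 1-in-64 coincidence for a random path
    (4 accepted values out of 256), so rank clients by repeated matches."""
    return {ip: n for ip, n in Counter(h["ip"] for h in hits).items() if n >= min_hits}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["method"]} {h["path"]} -> checksum8={h["checksum"]} {h["mode"]}')
    print("repeat offenders:", suspicious_clients(found))
```

Treat a checksum match as a triage signal rather than a verdict: one hit per 64 random paths is a real false-positive rate on a busy site, so pair it with the other tells visible in the same log lines (the same client polling a short path every few seconds, an unusually large first response, no Referer, a user agent that never fetches the page's images or CSS).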
The Second Domain
During infrastructure analysis, we discovered that a second domain also resolves to 45.76.180[.]12: calais.isf[.]vu.
The parent domain isf.vu is registered to Telecom Vanuatu and hosts subdomains associated with legitimate Pacific Islands organizations. The calais subdomain is linked to Central Park Consulting Limited, an Australian company. Yet it serves the same cloned Kelington website content as kellington-group[.]com.
Three explanations fit. The actor registered or compromised a subdomain under a legitimate Vanuatu domain to add another layer of infrastructure; a DNS record was hijacked to point at the attacker's VPS; or, given that this Vultr address has changed hands before (it hosted vpn.anvillasoto[.]com in 2024), the calais record is simply stale, left pointing at an IP a previous tenant gave up. Whichever it is, the same Kelington clone is served regardless of which Host header is sent -- the server is a single default virtual host and doesn't differentiate between its domains, so any name that happens to resolve here will show the clone.
OPSEC Failures
The actor's preparation was methodical -- domain registration, website cloning, email infrastructure, TLS certificates, C2 concealment -- but several operational failures reveal the seams:
The expired certificate. The Let's Encrypt certificate for kellington-group[.]com was issued September 4, 2025 and expired December 3, 2025. It's been expired for four months. Every browser visiting the site now displays a security warning. Let's Encrypt certificates auto-renew trivially with certbot, which means either the renewal process broke and nobody noticed, or the actor abandoned active phishing via the website while keeping the email and C2 infrastructure running.
HTTrack fingerprints. The clone tool left its signature in the HTML source. Any analyst viewing the page source immediately sees the mirroring comments, including the exact source domain and capture date.
Throwaway payload naming. ab.exe is the kind of name an operator types when they don't care what the file is called; msfvenom does not pick names for you. It's a red flag in any inbox and on any endpoint with even basic file inspection.
Host-header agnostic serving. The server returns the same content regardless of the Host header, revealing that multiple domains share the same infrastructure. A properly configured setup would serve different content per domain or reject unknown hosts.
DMARC at p=none. This doesn't make the phishing mail any more deliverable: DKIM-aligned mail from the actor's own domain passes DMARC regardless of the policy. What it tells us is that the records were set up to satisfy Mailgun's onboarding and never revisited, with no reporting address and no policy to speak of. A receiving organization that already scores lookalike domains can use the combination -- brand-new domain, valid Mailgun records, permissive DMARC -- as one more feature in that score.
Who Is Kelington Group?
Understanding the target is essential context. Kelington Group Berhad isn't a small firm -- it's a publicly traded company on Bursa Malaysia (KLSE: KELINGTON, Registration No. 199901026486). Founded in 1999, it operates across Malaysia, Singapore, and China in:
- Ultra-high-purity gas systems for semiconductor manufacturing
- Clean energy solutions
- Industrial engineering for process facilities
The company's clients include semiconductor fabrication plants -- facilities where a compromised email from a trusted engineering partner could lead to supply chain infiltration, intellectual property theft, or financial fraud at scale.
The choice of target isn't random. Semiconductor supply chains are high-value intelligence targets, and Malaysia is a major node in global chip manufacturing. An actor who can impersonate a company that installs gas systems inside fabs has a plausible pretext to reach deep into those supply chains.
The Timeline
| Date | Event |
|---|---|
| 2024-07-09 | IP 45.76.180[.]12 previously hosted vpn.anvillasoto[.]com (different operator or reused Vultr IP) |
| 2025-09-04 | kellington-group[.]com registered via NameCheap; Let's Encrypt cert issued |
| 2025-09-08 | HTTrack clone of legitimate kelington-group[.]com captured |
| 2025-09-11 | First automated OTX scan of the IP recorded |
| 2025-10-12 | @salmanvsf creates OTX pulse for 45.76.180[.]12 |
| 2025-12-03 | TLS certificate expires -- no renewal |
| 2026-03-19 | calais.isf[.]vu observed resolving to the same IP |
| 2026-03-31 | @salmanvsf reports Metasploit payload ab.exe communicating with the IP |
The infrastructure has been operational since at least September 2025 -- over six months. The email infrastructure remains fully functional today.
Indicators of Compromise
Network Indicators
| Indicator | Context |
|---|---|
| 45.76.180[.]12 | C2 server / phishing host (Vultr Singapore, AS20473) |
| kellington-group[.]com | Typosquat domain (NameCheap, registered 2025-09-04) |
| calais.isf[.]vu | Secondary domain resolving to same IP |
File Indicators
| Indicator | Value |
|---|---|
| Filename | ab.exe |
| MD5 | cafc9d45da602fdf794421fc90375024 |
| Family | Metasploit Meterpreter (likely reverse_https) |
Email Infrastructure
MX: mxa.eu.mailgun.org / mxb.eu.mailgun.org
SPF: v=spf1 include:mailgun.org ~all
DMARC: v=DMARC1; p=none; pct=100
DKIM: email.kellington-group[.]com -> eu.mailgun.org
TLS Certificate
Issuer: Let's Encrypt E8
Serial: 0632840BD0095A0E7EDF1F4A9BBB40365D36
Valid: 2025-09-04 to 2025-12-03 (EXPIRED)
SAN: kellington-group.com
Takeaways
For Kelington Group Berhad: Your brand is being actively impersonated by a domain with working email infrastructure. Emails from @kellington-group[.]com (double-L) will pass SPF and DKIM checks. Your clients, partners, and suppliers should be alerted. A takedown request to NameCheap for the typosquat domain is the immediate priority.
For Malaysian organizations: If you've received correspondence from @kellington-group[.]com, treat it as hostile. Check email logs for the domain and for the Mailgun sending infrastructure. The phishing emails will appear authenticated -- SPF pass, DKIM pass, DMARC pass.
For defenders: The combination of typosquat domain + full website clone + professional email infrastructure + concealed C2 represents a complete attack chain. The expired TLS certificate may seem like a sign of abandonment, but the email infrastructure is still live. Certificate expiration doesn't affect email delivery.
For threat intelligence: This payload (MD5: cafc9d45da602fdf794421fc90375024) is not in MalwareBazaar. The infrastructure had minimal public reporting before this investigation. Corporate impersonation campaigns targeting publicly traded companies in strategic sectors deserve more systematic monitoring -- especially when the impersonation includes working email infrastructure, not just a cloned website.
The actor built a convincing front. One letter, one cloned website, one Mailgun account, and they had everything needed to send fully authenticated emails under a name one letter away from a KLSE-listed engineering company. The Meterpreter backdoor was almost an afterthought -- the real weapon was the email.
This investigation was triggered by a tweet from @salmanvsf (via @Fact_Finder03). Infrastructure analysis and corporate impersonation discovery were produced by Breakglass Intelligence's autonomous GHOST investigation system. All evidence was captured via passive and semi-passive methods.
Breakglass Intelligence | March 31, 2026