
Four Suspicious Domains, One Origin IP, and 200 Subdomains Impersonating Every VPN on the Market

An AiTM phishing platform targeting Palo Alto, Fortinet, Cisco, Citrix, and Microsoft SSO portals at 15+ organizations

Published April 3, 2026

Researcher @salmanvsf flagged four domains with multi-layer obfuscation and suspicious registration patterns. We traced them through Cloudflare's CDN to a single origin server in Dusseldorf, Germany, and discovered a professionally operated Adversary-in-the-Middle phishing platform targeting enterprise VPN and SSO authentication portals at scale.

Four domains became seven. Seven domains spawned over 200 unique subdomains. Each subdomain impersonates a specific organization's Palo Alto GlobalProtect, Fortinet FortiGate, Cisco AnyConnect, Citrix, or Microsoft OWA login page. At least 15 real organizations are targeted by name.

Behind Cloudflare

The four initial domains -- vvgks[.]me, vantedglelgx[.]com, inhwabusinesscentre[.]com, and starbearingcentre[.]com -- all sit behind Cloudflare's CDN. Most investigations stop here. We didn't.

The true origin server is 178[.]16[.]53[.]131, hosted at dus.net GmbH / metaspinner net GmbH in Dusseldorf, Germany (AS40999/AS209800). It runs nginx/1.18.0 on Ubuntu. Two additional campaign domains -- theworkitcentre[.]com and countoncopelandcom[.]cloud -- resolve to the same origin, expanding the confirmed infrastructure to at least seven domains.

Three of these domains share identical registrar (Registrar.eu/OpenProvider), identical nameservers (Regery.net PNS1/2/3), and identical SOA serial numbers (154626345). This isn't coincidence -- it's a single operator managing unified infrastructure.

The VPN Phishing Playbook

The subdomain naming convention reveals the targeting strategy. Each subdomain impersonates a specific organization's remote access portal:

  • globalprotect-{company}.{domain} -- Palo Alto GlobalProtect VPN
  • vpn-{company}.{domain} -- Generic VPN portals
  • sso-{company}.{domain} -- Single Sign-On portals
  • owa-{company}.{domain} -- Microsoft Outlook Web Access
  • citrix-{company}.{domain} -- Citrix Receiver/Workspace

Over 200 unique SSL certificates have been issued via ZeroSSL across the campaign domains, each covering a subdomain that targets a specific organization. This is industrialized credential harvesting -- the operator has a template for each VPN vendor and stamps out customized phishing pages for each target.

Anti-Analysis Evasion

Visitors to the phishing URLs first encounter a fake Cloudflare challenge page. The page titles rotate between:

  • "Attention Required"
  • "Security Verification Required"
  • "Secure Authentication Portal"
  • "Cloudflare Browser Integrity Check"

This serves two purposes: it blocks automated scanners that don't execute JavaScript, and it builds victim trust by mimicking a familiar security check. Only after passing this gate does the actual credential harvesting form load.
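A triage heuristic for the gate described above, written for this page as an added example (it is not code from the report or its authors): it parses a fetched page with the standard library and flags the combination the campaign relies on, a challenge-style title from the rotating set without any reference to Cloudflare's own challenge resources, plus a password field where the harvesting form has already loaded. The three HTML documents are constructed samples, and the assumption that a genuine challenge references challenges.cloudflare.com or /cdn-cgi/challenge-platform/ is marked in the code. Cloudflare's own error pages use the title "Attention Required! | Cloudflare", so a title hit alone is a weak signal and is only reported alongside the other checks.

```python
from __future__ import annotations

from html.parser import HTMLParser

# The rotating page titles reported for the fake challenge gate.
FAKE_CHALLENGE_TITLES = {
    "attention required",
    "security verification required",
    "secure authentication portal",
    "cloudflare browser integrity check",
}
# Assumption: a genuine Cloudflare challenge loads its widget from one of these.
GENUINE_CHALLENGE_MARKERS = ("challenges.cloudflare.com", "/cdn-cgi/challenge-platform/")

# Constructed samples: the fake gate, the lure form it unlocks, and a page shaped
# like a real Cloudflare challenge (for contrast only; not a captured page).
FAKE_GATE_HTML = """<html><head><title>Cloudflare Browser Integrity Check</title></head>
<body><p>Checking your browser before accessing the portal...</p>
<script>setTimeout(function(){document.getElementById('c').submit()},3000)</script>
<form id="c" method="post" action="/verify"><input type="hidden" name="t" value="x"></form>
</body></html>"""

LURE_FORM_HTML = """<html><head><title>Secure Authentication Portal</title></head>
<body><form method="post" action="/portal/login">
<input type="text" name="user"><input type="password" name="passwd">
<button>Log In</button></form></body></html>"""

GENUINE_CHALLENGE_HTML = """<html><head><title>Just a moment...</title>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><div class="cf-turnstile"></div></body></html>"""


class PageFeatures(HTMLParser):
    """Collect the title, external script sources, input types and form actions."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self._in_title = False
        self.script_srcs: list[str] = []
        self.input_types: list[str] = []
        self.form_actions: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def assess_page(html: str) -> list[str]:
    """Return the findings that make a page look like the fake challenge gate or
    the credential form behind it; an empty list means nothing tripped."""
    p = PageFeatures()
    p.feed(html)
    findings = []
    if p.title.strip().lower() in FAKE_CHALLENGE_TITLES:
        findings.append(f"challenge-style title {p.title.strip()!r}")
        if not any(m in src for src in p.script_srcs for m in GENUINE_CHALLENGE_MARKERS):
            findings.append("no Cloudflare challenge resource referenced")
    if "password" in p.input_types:
        findings.append("credential form present")
    return findings


if __name__ == "__main__":
    for name, doc in [("fake gate", FAKE_GATE_HTML), ("lure form", LURE_FORM_HTML),
                      ("genuine-shaped", GENUINE_CHALLENGE_HTML)]:
        print(name, "->", assess_page(doc) or "clean")
```

Because the gate is served behind Cloudflare, response headers such as cf-ray are present on both the fake and a genuine challenge and do not help; the page body is what distinguishes them.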

AiTM Architecture

The infrastructure is consistent with an Adversary-in-the-Middle platform: the operator proxies the authentication session between victim and legitimate target, capturing credentials AND session tokens in real time. This defeats traditional MFA -- the operator ends up with a valid authenticated session, not just a username and password. Push approvals, TOTP and SMS codes are all relayed along with the password; only origin-bound authenticators (FIDO2/WebAuthn security keys and passkeys) resist this, because the browser will not sign the challenge for a domain other than the one the credential was registered to.

The attack chain:

Phishing email/SMS with VPN portal link
  → Cloudflare CDN (edge proxy, legitimate IP reputation)
    → Fake Cloudflare challenge (anti-bot evasion)
      → Credential harvesting form (cloned VPN/SSO portal)
        → AiTM session relay to real authentication server
          → Operator captures credentials + session token

Rapid Rotation

Two of the original four domains (vvgks[.]me and vantedglelgx[.]com) already return NXDOMAIN -- burned and rotated within days of being flagged. The other two (inhwabusinesscentre[.]com and starbearingcentre[.]com) show SERVFAIL. But theworkitcentre[.]com and countoncopelandcom[.]cloud remain live, and the origin server at 178[.]16[.]53[.]131 continues accepting connections.

The countoncopelandcom[.]cloud domain shows approximately 60 random 8-character subdomains -- a DGA-like generation pattern suggesting automated infrastructure provisioning. The operator can stand up a new phishing subdomain for a new target in seconds.

Indicators of Compromise

Network Indicators

  • 178[.]16[.]53[.]131 (origin server, dus.net GmbH, Dusseldorf)
  • vvgks[.]me (burned)
  • vantedglelgx[.]com (burned)
  • inhwabusinesscentre[.]com
  • starbearingcentre[.]com
  • theworkitcentre[.]com (live)
  • countoncopelandcom[.]cloud (live)
  • Registrar: Registrar.eu / OpenProvider
  • Nameservers: Regery.net PNS1/2/3
  • SOA serial: 154626345

Detection

Look for:

  • Subdomains matching globalprotect-*, vpn-*, sso-*, owa-*, citrix-* on unfamiliar domains
  • ZeroSSL certificates with VPN vendor names in the CN/SAN
  • Fake Cloudflare challenge pages followed by VPN login forms
  • Connections to 178[.]16[.]53[.]131 from corporate endpoints
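The checks in the list above, and the DGA-like 8-character labels noted under Rapid Rotation, as an added example that is not part of the original report: it runs over a constructed resolver log and reports, per query, whether the name sits on a known campaign domain, resolves to the origin IP, matches one of the vendor-impersonation prefixes on a domain outside the organization's own allowlist, or carries a random-looking 8-character label. The log lines, the ALLOWED_DOMAINS set, the "acme" placeholder organization and the lure.test domain are all constructed for the example; the indicators are the ones listed in this report.

```python
from __future__ import annotations

import math
import re

# Indicators from the report, with defanging removed so they compare to log fields.
ORIGIN_IP = "178.16.53.131"
CAMPAIGN_DOMAINS = {
    "vvgks.me", "vantedglelgx.com", "inhwabusinesscentre.com",
    "starbearingcentre.com", "theworkitcentre.com", "countoncopelandcom.cloud",
}
# Impersonation prefixes from the naming convention, mapped to the product they mimic.
VENDOR_PREFIXES = {
    "globalprotect": "Palo Alto GlobalProtect",
    "vpn": "VPN portal",
    "sso": "single sign-on portal",
    "owa": "Microsoft Outlook Web Access",
    "citrix": "Citrix Receiver/Workspace",
}
PREFIX_RE = re.compile(r"^(globalprotect|vpn|sso|owa|citrix)-([a-z0-9]+)$")

# Assumption: the domains on which this organization legitimately hosts such portals.
ALLOWED_DOMAINS = {"example.com", "corp.example.com"}

# Constructed resolver log, one query per line: "<timestamp> <client> <qname> <answer>".
SAMPLE_LOG = """\
2026-04-01T09:12:03Z 10.1.4.22 globalprotect-acme.theworkitcentre.com 198.51.100.7
2026-04-01T09:12:10Z 10.1.4.22 vpn.corp.example.com 203.0.113.10
2026-04-01T09:15:41Z 10.1.7.9 kq3vx8pz.countoncopelandcom.cloud 178.16.53.131
2026-04-01T09:16:02Z 10.1.7.9 mail.example.com 203.0.113.25
2026-04-01T09:20:00Z 10.1.9.3 owa-acme.example.com 203.0.113.11
2026-04-01T09:21:30Z 10.1.9.3 sso-acme.lure.test 192.0.2.44
"""


def registered_domain(host: str) -> str:
    """Last two labels of the name. Adequate for .com/.me/.cloud; use a Public
    Suffix List library for multi-label suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str) -> bool:
    """Heuristic for the 8-character DGA-like labels: alphanumeric, high character
    diversity, and either a digit present or very few vowels. Eight-letter
    dictionary words such as 'security' are not flagged."""
    if len(label) != 8 or not label.isalnum():
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    has_digit = any(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= 2.5 and (has_digit or vowels < 2)


def classify_host(qname: str, answer: str | None = None) -> list[str]:
    """Return the reasons a queried name (and the address it resolved to) is suspicious."""
    host = qname.lower().rstrip(".")
    domain = registered_domain(host)
    first = host.split(".")[0]
    reasons = []
    if domain in CAMPAIGN_DOMAINS:
        reasons.append(f"known campaign domain {domain}")
    if answer == ORIGIN_IP:
        reasons.append(f"resolves to campaign origin {ORIGIN_IP}")
    m = PREFIX_RE.match(first)
    if m and domain not in ALLOWED_DOMAINS:
        reasons.append(
            f"{VENDOR_PREFIXES[m.group(1)]} lure for '{m.group(2)}' on unfamiliar domain {domain}"
        )
    if looks_random(first) and domain not in ALLOWED_DOMAINS:
        reasons.append(f"DGA-like label '{first}'")
    return reasons


def triage_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, qname, reasons) for every log line that trips a check."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; a real pipeline would count these
        _ts, client, qname, answer = parts
        reasons = classify_host(qname, answer)
        if reasons:
            alerts.append((client, qname, reasons))
    return alerts


if __name__ == "__main__":
    for client, qname, reasons in triage_log(SAMPLE_LOG):
        print(f"{client} -> {qname}: {'; '.join(reasons)}")
```

The prefix check deliberately ignores names on the allowlisted domains, so the organization's own owa-acme.example.com is not reported, while the same label on any other domain is. The same classify_host function can be pointed at the CN/SAN names pulled from Certificate Transparency logs for the ZeroSSL certificates the report describes, since the naming convention is identical there.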

YARA and Suricata rules are available on our GitHub:


h/t @salmanvsf for the initial domains.
