Severity: High. Category: Phishing.

REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation

A tip about an open directory led to a full-featured phishing and remote access platform with recovered C2 source code

Investigated: April 12, 2026. Published: April 12, 2026.
Tags: phishing, rat, c2, osint, shadow-panel

A tip from @malwrhunterteam about an open directory led us to a full-featured phishing and remote access platform we're calling REFUNDEE. What started as 3,000+ files in a public listing turned into a complete teardown of a multi-operator PhaaS + RAT-as-a-Service infrastructure targeting Spanish and Portuguese-speaking victims.

What this report adds to the public record

@malwrhunterteam flagged refundonex[.]com/cloud/ as a suspicious open directory on April 11, 2026. Our investigation mapped the complete attack chain, identified the C2 infrastructure, recovered the full RAT source code from the panel frontend, and attributed the infrastructure to an actor operating from Bulgarian hosting. If others have documented parts of this operation, we'd welcome the chance to credit prior work.

The Open Directory

refundonex[.]com hosts a platform called "FileSwitch" -- a phishing file management system with an admin panel at /admin/. The open directory at /cloud/ exposed 3,788 files: 947 unique lures, each in four variants.

  • .pdf -- Decoy document (branded "Refundee")
  • .pdf.lnk -- Weaponized Windows shortcut
  • .pdf.ps1 -- AES-encrypted PowerShell RAT
  • .pdf.vbs -- VBScript downloader/launcher

The lures fall into two categories: 945 sequentially numbered "form_XXXXX" files tied to one operator key, and a targeted payload named "JoseTomas" tied to a second operator key -- suggesting at least two active operators on the platform.

The Attack Chain

  1. Victim receives a link or email referencing a form or document.

  2. A WebDAV-delivered LNK file executes: \refundonex[.]com\cloud\form_XXXXX.pdf.vbs

  3. The VBS script:
     • Opens a decoy PDF in Microsoft Edge (looks legitimate)
     • Downloads the PS1 payload from refundonex[.]com
     • Executes PowerShell hidden, with no profile and the execution policy bypassed
     • Calls a tracking API to mark the lure as "opened"

  4. The PS1 payload contains 188 AES-256-CBC encrypted chunks that are assembled and decrypted at runtime using a hardcoded key: yMBASySLBlYkxeO4Nfgwrawi1dVAZvnJeLcuyIJk6jU=

  5. The decrypted RAT establishes persistence via:
     • %APPDATA%\WinUpdate\ (hidden directory)
     • Scheduled Task "WindowsUpdateCheck" (runs at logon)
     • VBS launcher that executes all PS1 files in the config directory

  6. The RAT beacons to the C2 at winup[.]su every 5-10 seconds.

Shadow Panel: The C2

The C2 server at winup[.]su (87[.]121[.]52[.]72) runs a platform called "Shadow Panel." The dashboard HTML and full application JavaScript (180KB) were accessible without authentication at /dashboard.html -- a significant OPSEC failure by the operator.

From the recovered frontend code, Shadow Panel offers:

  • Remote Shell -- Execute arbitrary PowerShell on victims
  • Screenshot Capture -- Take victim desktop screenshots
  • File Explorer -- Browse victim filesystem
  • File Transfer -- Upload/download files to/from victims
  • Browser Extraction -- Steal passwords and cookies
  • Octo Browser Import -- Import stolen sessions into antidetect browser
  • Clipboard Hijacker -- Replace crypto wallet addresses on clipboard
  • Wallet Stealer -- Dedicated wallet extraction module
  • Auto-Commands -- Queue commands to run automatically on new victims
  • Operator Management -- Multi-operator model with individual API keys
  • Client Tagging -- Organize victims by tags and country
  • Rclone Backup -- Exfiltrate data via cloud storage

The WebSocket protocol supports real-time communication with events including wallet:run, wallet:broadcast, admin:broadcast, tm:install, browser-sessions:get, octo:config:get, and backup commands.

29 API Endpoints Recovered

The frontend JavaScript revealed the complete API surface:

  • Authentication: /api/auth (Bearer token)
  • Client Management: /api/clients/{id}/tags
  • File Management: /api/files, /api/download/client
  • Browser Data: /api/browser-data/extraction/{id}/cookies, /api/browser-data/extraction/{id}/passwords, /api/browser-data/import-octo
  • Auto Commands: /api/auto-commands (CRUD + toggle + reorder)
  • Operator/Builder: /api/operator/status, /templates, /generate, /history, /stats
  • Crypto Clipper: /api/wallet-config
  • Tags: /api/tags (CRUD), /api/keys/bulk-tags

Infrastructure

Both servers sit on adjacent IPs at VPS.BG in Sofia, Bulgaria:

  • refundonex[.]com -- 87[.]121[.]52[.]71 -- AS34224 Neterra Ltd.
  • winup[.]su -- 87[.]121[.]52[.]72 -- AS34224 Neterra Ltd.

refundonex[.]com was registered March 17, 2026 through Porkbun with WHOIS privacy enabled. winup[.]su was registered five days later on March 22 through FE-SU, the Russian .su registrar -- and here the actor made a mistake. The .su TLD has limited WHOIS privacy options, exposing the registration email: nikola4010@proton[.]me.

The C2 IP (87[.]121[.]52[.]72) has historical associations with multiple suspicious short-lived domains going back to 2021: sifr-infso[.]club, carweap[.]net, febystm[.]net, mrchexp[.]net, hchdko[.]net -- a pattern consistent with rotating malware infrastructure over several years.

Detection

Neither domain has significant detection coverage. At the time of investigation, winup[.]su had zero detections on VirusTotal. refundonex[.]com had zero malicious flags (3 suspicious only).

The RAT can be detected by monitoring for:

  • Scheduled tasks named "WindowsUpdateCheck" with VBS launchers
  • Files in %APPDATA%\WinUpdate\ (especially update.ps1, config.json, launcher.vbs, clip.ps1)
  • HTTP beacons to /api/client/poll/{clientId} with key, host, user, os parameters
  • WebDAV connections to refundonex[.]com

YARA and Sigma rules are included in the IOC section below.
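The two host and network checks above, written out as detection logic over constructed sample logs. This is an added example, not code from the report or from Breakglass Intelligence: the proxy and process-creation lines are invented (the C2 hostname is replaced by a placeholder, since the Sigma rule keys on the URI, not the host), and the 10-second interval threshold is an assumption drawn from the report's "every 5-10 seconds" beacon cadence.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed proxy log: "<timestamp> <client-ip> <method> <url>" per line.
# Host is a placeholder; the report's beacon shape is the path plus four params.
PROXY_LOG = """\
2026-04-12T10:00:00 10.0.0.5 GET http://c2-host.example/api/client/poll/abc123?key=K1&host=WS01&user=ana&os=Windows10
2026-04-12T10:00:07 10.0.0.5 GET http://c2-host.example/api/client/poll/abc123?key=K1&host=WS01&user=ana&os=Windows10
2026-04-12T10:00:15 10.0.0.5 GET http://c2-host.example/api/client/poll/abc123?key=K1&host=WS01&user=ana&os=Windows10
2026-04-12T10:00:20 10.0.0.9 GET http://intranet.example/api/client/poll/xyz?foo=1
2026-04-12T10:00:23 10.0.0.5 GET http://c2-host.example/api/client/poll/abc123?key=K1&host=WS01&user=ana&os=Windows10
"""

# Constructed process-creation command lines (e.g. Sysmon Event ID 1 CommandLine).
PROC_LOG = [
    'schtasks.exe /Create /TN "WindowsUpdateCheck" /SC ONLOGON '
    '/TR "wscript.exe C:\\Users\\ana\\AppData\\Roaming\\WinUpdate\\launcher.vbs"',
    'schtasks.exe /Create /TN "NightlyBackup" /SC DAILY /TR "C:\\Tools\\backup.exe"',
]

BEACON_PARAMS = {"key", "host", "user", "os"}          # from the proxy Sigma rule
TASK_MARKERS = ("WindowsUpdateCheck", "WinUpdate", "launcher.vbs")  # process_creation rule


def is_beacon(url):
    """True when the URI hits the poll endpoint and carries all four beacon parameters."""
    u = urlparse(url)
    return "/api/client/poll/" in u.path and BEACON_PARAMS <= set(parse_qs(u.query))


def find_beacons(log_text, max_gap=10):
    """Return {client: [gaps_in_seconds]} for clients whose matching requests
    repeat at most max_gap seconds apart, i.e. short-interval polling."""
    last_seen = {}
    gaps = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, _method, url = line.split(" ", 3)
        if not is_beacon(url):
            continue
        t = datetime.fromisoformat(ts)
        if client in last_seen:
            gaps[client].append((t - last_seen[client]).total_seconds())
        last_seen[client] = t
    return {c: g for c, g in gaps.items() if max(g) <= max_gap}


def is_persistence_task(cmdline):
    """Mirror of the scheduled-task Sigma rule: all three markers in one command line."""
    return all(m in cmdline for m in TASK_MARKERS)
```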

IOCs

Domains:
  • refundonex[.]com -- Payload staging (FileSwitch)
  • inst[.]refundonex[.]com -- Subdomain -> Vercel (tracking)
  • winup[.]su -- C2 server (Shadow Panel)

IPs:
  • 87[.]121[.]52[.]71 -- refundonex[.]com
  • 87[.]121[.]52[.]72 -- winup[.]su

File Hashes (SHA256):
  • a23bd8eab005a0c7759ffa344b55a3e1fd83a871817d51621c97eee0b511b3da -- form_00007.pdf (decoy)
  • 3a352caa662ec74a150e03ccc637eb347f4a0423f976837637ac1f2484f0d329 -- form_00007.pdf.lnk
  • 5a011813db8497a4db303c90cb5f1948fcf4fcdd8bbe16c0e029195e6734d4f2 -- form_00007.pdf.vbs
  • ee5b302161c9a29defd0a9d3be674e831775099475dbf02d10949e4a4e8ae265 -- form_00007.pdf.ps1 (encrypted RAT)
  • 010601e408a090be561e10c23ae17342d8d82ca65b2b280215bb9268bae8381a -- JoseTomas.pdf.lnk
  • 439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965 -- JoseTomas.pdf.vbs
  • e47b9382d9ac1ba3992308d75993b69255b1e4f4fe47c2e2b6cf6a7ec266da73 -- JoseTomas.pdf.ps1 (encrypted RAT)
  • f74128de852336b27069a677eebbf7e4ee751c294b96b17c1200cbd65a90793d -- testx.pdf.ps1

Host Indicators:
  • %APPDATA%\WinUpdate\ -- Persistence directory
  • %APPDATA%\WinUpdate\config.json -- RAT config
  • %APPDATA%\WinUpdate\update.ps1 -- RAT payload
  • %APPDATA%\WinUpdate\launcher.vbs -- Hidden launcher
  • %APPDATA%\WinUpdate\clip.ps1 -- Clipboard hijacker
  • Scheduled Task: WindowsUpdateCheck

Network Indicators:
  • https://refundonex[.]com/cloud/ -- Open directory
  • https://refundonex[.]com/admin/ -- FileSwitch panel
  • https://winup[.]su/ -- Shadow Panel login
  • https://winup[.]su/dashboard.html -- Shadow Panel dashboard
  • https://winup[.]su/api/client/poll/ -- Beacon endpoint
  • \refundonex[.]com\cloud\ -- WebDAV delivery path

AES Key (for payload decryption):
  • Key: yMBASySLBlYkxeO4Nfgwrawi1dVAZvnJeLcuyIJk6jU=
  • IV: 7ZqsfLae3/HI37laU11Wew==

Actor:
  • nikola4010@proton[.]me -- WHOIS registrant (winup[.]su)

YARA Rules:

rule Shadow_Panel_RAT {
    meta:
        description = "Detects Shadow Panel RAT PS1 payload"
        author = "GHOST - Breakglass Intelligence"
        date = "2026-04-12"
    strings:
        $s1 = "WinUpdate" ascii wide
        $s2 = "WindowsUpdateCheck" ascii wide
        $s3 = "/api/client/poll/" ascii wide
        $s4 = "/api/client/response" ascii wide
        $s5 = "Decrypt-AES" ascii wide
        $s6 = "defaultServers" ascii wide
        $s7 = "launcher.vbs" ascii wide
        $s8 = "update.ps1" ascii wide
    condition:
        3 of them
}

rule Refundee_LNK_Phish {
    meta:
        description = "Detects Refundee/FileSwitch LNK phishing lure"
        author = "GHOST - Breakglass Intelligence"
        date = "2026-04-12"
    strings:
        $s1 = "refundonex.com" ascii wide
        $s2 = "wscript.exe" ascii wide
        $s3 = ".pdf.vbs" ascii wide
    condition:
        all of them
}

Sigma Rule (Scheduled Task Persistence):

title: Shadow Panel RAT Scheduled Task
status: experimental
description: >
    Detects creation of WindowsUpdateCheck scheduled task used by Shadow Panel RAT for persistence
author: GHOST - Breakglass Intelligence
date: 2026-04-12
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'WindowsUpdateCheck'
            - 'WinUpdate'
            - 'launcher.vbs'
    condition: selection
falsepositives:
    - Unlikely
level: high

Sigma Rule (RAT Beacon):

title: Shadow Panel RAT C2 Beacon
status: experimental
description: >
    Detects HTTP beacon traffic to Shadow Panel C2
author: GHOST - Breakglass Intelligence
date: 2026-04-12
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains:
            - '/api/client/poll/'
        c-uri|contains|all:
            - 'key='
            - 'host='
            - 'user='
            - 'os='
    condition: selection
falsepositives:
    - Unlikely
level: high

Suricata Rule:

alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"GHOST Shadow Panel RAT C2 Beacon"; flow:established,to_server; content:"/api/client/poll/"; http_uri; content:"key="; http_uri; content:"host="; http_uri; reference:url,intel.breakglass.tech; classtype:trojan-activity; sid:2026041201; rev:1; )

Credits

h/t @malwrhunterteam for the initial open directory find that kicked off this investigation.

Investigation by GHOST -- Breakglass Intelligence https://intel.breakglass.tech @BreakGlassIntel