
Operation PHANTOM CENTRE

Investigated: April 3, 2026. Published: April 3, 2026.

TLP: WHITE
Date: 2026-04-03
Analyst: GHOST (Breakglass Intelligence)
Classification: Cybercrime -- Credential Harvesting / Adversary-in-the-Middle (AiTM) Phishing
Source: @salmanvsf Twitter leads

Executive Summary

Investigation of four domains reported by @salmanvsf on Twitter has uncovered a large-scale, professionally operated credential harvesting infrastructure. The four initial domains (vvgks[.]me, vantedglelgx[.]com, inhwabusinesscentre[.]com, starbearingcentre[.]com) are part of a broader campaign operating from a single origin server at 178[.]16[.]53[.]131 (dus.net GmbH / metaspinner net GmbH, Dusseldorf, Germany, AS40999/AS209800). The investigation expanded from 4 domains to at least 7 confirmed campaign domains hosting 200+ unique subdomains, many impersonating real organizations and VPN/SSO/Citrix authentication portals. The infrastructure serves fake Cloudflare challenge pages and rotating "Security Verification" lures to harvest credentials, consistent with an Adversary-in-the-Middle (AiTM) phishing platform.

Key Findings

  • Origin IP discovered: 178[.]16[.]53[.]131 (dus.net GmbH, Dusseldorf, Germany) -- behind Cloudflare CDN
  • 7 campaign domains confirmed on same origin IP, registered through 3 different registrars
  • 3 core domains (inhwabusinesscentre, starbearingcentre, theworkitcentre) share identical registrar (Registrar.eu/OpenProvider), identical nameservers (Regery.net PNS1/2/3), and identical SOA serial numbers (154626345) -- unified operator
  • 200+ unique SSL certificates issued across campaign domains via ZeroSSL, indicating massive subdomain infrastructure
  • VPN/SSO phishing specialization: subdomains impersonate Palo Alto GlobalProtect, Fortinet FortiGate, Cisco AnyConnect, Citrix Receiver, and Microsoft OWA/SSO
  • 15+ real organizations targeted by name in subdomain certificates
  • Fake Cloudflare challenge pages used as anti-analysis evasion (rotating titles: "Attention Required", "Security Verification Required", "Secure Authentication Portal", etc.)
  • DGA-like subdomain generation: countoncopelandcom[.]cloud shows ~60 random 8-character subdomains, suggesting automated infrastructure
  • 2 of 4 initial domains already burned: vvgks[.]me and vantedglelgx[.]com returned NXDOMAIN, demonstrating rapid infrastructure rotation
  • Infrastructure still partially live: theworkitcentre[.]com and countoncopelandcom[.]cloud still resolve to the origin IP as of 2026-04-03

What Was Found vs. What Was Known

Aspect | Prior Reporting (@salmanvsf) | Our Findings
Domains | 4 suspicious domains | 7+ campaign domains, 200+ subdomains
IPs | Cloudflare CDN IPs only | True origin: 178[.]16[.]53[.]131 (Dusseldorf, DE)
Infrastructure | "Suspicious" | Full AiTM phishing platform with VPN/SSO specialization
Victims | Unknown | 15+ named organizations identified from certificates
Registrar link | Unknown | 3 domains share Registrar.eu + Regery.net NS + identical SOA
Status | Unknown | 2 burned, 2 SERVFAIL, at least 2 still live

Attack Chain

Phishing Email/SMS
    -> Victim clicks link
        -> Cloudflare CDN (edge proxy)
            -> Origin: 178[.]16[.]53[.]131 nginx/1.18.0 (Ubuntu)
                -> Fake Cloudflare challenge page (anti-bot)
                    -> Credential harvesting form (VPN/SSO/OWA clone)
                        -> Stolen credentials exfiltrated to operator
                            -> AiTM session hijack (probable)

Infrastructure Analysis

Origin Server

IP | ASN | Provider | Location | Ports (historical) | Status
178[.]16[.]53[.]131 | AS40999/AS209800 | dus.net / metaspinner net GmbH | Dusseldorf, DE | 22, 80, 443 | LIVE (SSH only)

Adjacent Infrastructure

IP | Ports | Hostnames | Notes
178[.]16[.]53[.]130 | 22, 80, 443 | islamic2026news[.]org | Same /24, potentially related
178[.]16[.]53[.]132 | 22, 80, 82 | -- | Active, unknown purpose
178[.]16[.]53[.]129 | 139 | -- | SMB exposed

Domain Infrastructure

Domain | Registrar | NS | Created | Origin IP | Status | Purpose
inhwabusinesscentre[.]com | Registrar.eu | Regery PNS1/2/3 | 2025-05-15 | 178[.]16[.]53[.]131 | SERVFAIL | VPN/SSO phishing
starbearingcentre[.]com | Registrar.eu | Regery PNS1/2/3 | 2025-05-07 | 178[.]16[.]53[.]131 | SERVFAIL | Org-targeted phishing
theworkitcentre[.]com | Registrar.eu | Regery NS1/2/3 | 2025-05-25 | 178[.]16[.]53[.]131 | LIVE | VPN/SSO phishing
countoncopelandcom[.]cloud | Dynadot | Dyna-NS | 2025-09-02 | 178[.]16[.]53[.]131 | LIVE | DGA subdomain phishing
prjnation[.]sbs | Hostinger | Cloudflare | 2025-11-23 | Cloudflare | LIVE | Phishing
vvgks[.]me | (deleted) | -- | Unknown | -- | NXDOMAIN | Burned
vantedglelgx[.]com | (deleted) | -- | Unknown | -- | NXDOMAIN | Burned

Registration Pattern (Registrar.eu Cluster)

The three "centre" domains show identical registration patterns:

  • Registrar: Hosting Concepts B.V. d/b/a Registrar.eu (IANA ID 1647)
  • Nameservers: Regery.net (DEVEXPANSE LTD, UK, IANA ID 4342) -- PNS1/PNS2/PNS3 or NS1/NS2/NS3
  • SOA Serial: 154626345 (identical across all three -- same DNS zone management)
  • Registrant Country: US (WHOIS privacy redacted)
  • Creation window: May 7-25, 2025 (3 domains in 18 days)
  • Domain naming: All end in "centre" with legitimate-sounding business names

Web Server Fingerprint

  • Server: nginx/1.18.0 (Ubuntu) -- consistent across all domains
  • TLS: ZeroSSL certificates (ECC Domain Secure Site CA)
  • Evasion: Fake Cloudflare challenge pages with rotating titles
  • URL structure: Long Base64-like path tokens (e.g., /kmNM3Eni6WAfCkOv...)

Certificate Analysis

inhwabusinesscentre[.]com -- 120+ unique certificates issued, including:

VPN/Remote Access phishing subdomains:

  • globalprotect, gp, prelogon (Palo Alto)
  • anyconnect, connect (Cisco)
  • sslvpn, vpn, vpn1, vpn2, vpn3, webvpn, securevpn, officevpn, drvpn, clientesvpn, studentsvpn
  • remoteaccess, remoto, mobileconnect, secureconnect, secureaccess
  • firewall, gateway, vpnssl

Identity/SSO phishing subdomains:

  • sso, login, auth, sts (Security Token Service)
  • owa, autodiscover (Microsoft Exchange)
  • extranet, intra, office, teams, my, cloud, workspace
  • citrix, receiver, virtualapps, labvirtual, virtualstudent
  • vdi, desktop, desktopstudent, cloudapp

Telemetry/C2 subdomains (with typos -- OPSEC failure):

  • raventelemetry, raventelemtry (note: "telemtry" typo)
  • aventelemetry, fraventelemetry

Infrastructure test subdomains:

  • httpscore-88-pjznvq-1472-infra-node-12 (multiple truncation variants)
  • secure-34-xqtrpl-3829-data-hub-05
  • core-88-pjznvq-1472-infra-node-12

starbearingcentre[.]com -- 150+ unique certificates, including:

Organization-targeted subdomains:

  • simcotechnologies (Simco Technologies)
  • theprogressivegroup (The Progressive Group)
  • greencastleresources (Greencastle Resources)
  • swiftsureinnovations (Swiftsure Innovations)
  • matitherapeutics (Mati Therapeutics)
  • cognixion (Cognixion)
  • fendxtech (FendX Technologies)
  • cnresources (CN Resources)
  • alliancedescadres (Alliance des Cadres -- French)
  • routehub (RouteHub)

DGA/random subdomains:

  • b1d52846-d5f9-44c3-9c13-dd9cef14e10c (UUID format)
  • dywoeixb, yldbewxq (random strings)

theworkitcentre[.]com -- 100+ certificates including:

Organization-targeted:

  • newportprivatewealth (Newport Private Wealth)
  • wtkfsnatoschool (NATO School reference)
  • siemprete

VPN-specific:

  • fortigate, fortivpn, fw (Fortinet)
  • globalprotect, palovpn, panvpn, panglobal (Palo Alto)
  • anyconnect, sslvpn, webvpn
  • vpn-eu, us-vpn, vpn-usa (geographic VPN targeting)

Infrastructure/DGA:

  • svc-64-hxplnr-8051-digital-hub-02
  • hub-42-bpjqlt-1985-storage-node-06
  • app-56-qpltnv-2748-secure-hub-09

Multi-language targeting:

  • buitenland (Dutch: "abroad")
  • correo (Spanish: "email")
  • poczta (Polish: "mail")
  • acceso (Spanish: "access")
  • remoto (Spanish: "remote")
  • clientesvpn (Spanish: "clients VPN")

Threat Actor Profile

Attribution Assessment

  • Confidence: MEDIUM
  • Country/Region: Likely Western European or Latin American nexus (multi-language targeting: English, Spanish, French, Dutch, Polish)
  • Motivation: Financial -- credential harvesting for account takeover, likely AiTM phishing-as-a-service
  • Sophistication: HIGH -- professional infrastructure management, rapid domain rotation, Cloudflare CDN abuse, ZeroSSL automation, anti-analysis evasion

OPSEC Failures

  1. Typo in subdomain: "raventelemtry" vs "raventelemetry" -- operator misspelled during cert issuance
  2. UUID subdomain: b1d52846-d5f9-44c3-9c13-dd9cef14e10c exposed in CT logs (likely internal reference)
  3. Shared SOA serial: All three Regery-registered domains share SOA serial 154626345, linking them definitively
  4. Adjacent IP: 178[.]16[.]53[.]130 hosting islamic2026news[.]org may provide additional attribution pivot
  5. Infrastructure node naming pattern: "hub-42-bpjqlt-1985-storage-node-06" pattern used across multiple domains, creating a unique fingerprint

Actor Timeline

Date | Event
2025-05-07 | starbearingcentre[.]com registered
2025-05-15 | inhwabusinesscentre[.]com registered
2025-05-25 | theworkitcentre[.]com registered
2025-07-22 | Mass cert issuance begins (starbearingcentre)
2025-07-28 | Mass cert issuance (inhwabusinesscentre)
2025-08-28 | Peak cert issuance across both domains
2025-09-02 | countoncopelandcom[.]cloud registered (Dynadot)
2025-09-15 to 2025-09-20 | VPN/SSO phishing subdomain deployment (inhwabusinesscentre)
2025-10-05 to 2025-10-15 | Organization-targeted phishing (starbearingcentre: Progressive Group, Simco, etc.)
2025-10-15 | Last observed activity on raventelemetry.inhwabusinesscentre
2025-11-15 to 2025-11-24 | theworkitcentre phishing deployment (NATO School, Newport Private Wealth)
2025-11-23 | prjnation[.]sbs registered (Hostinger)
2025-11-24 to 2025-11-29 | countoncopelandcom[.]cloud DGA subdomain burst (~60 subdomains)
2026-02-02 | inhwabusinesscentre last WHOIS update
2026-04-03 | Investigation date -- inhwa/star SERVFAIL, theworkitcentre/countoncopeland LIVE

Victim Analysis

Confirmed Targeted Organizations (from certificate subdomain names)

Organization | Sector | Evidence | Confidence
Simco Technologies | Engineering/Environmental | simcotechnologies.starbearingcentre[.]com | HIGH
The Progressive Group | Marketing/Consulting | theprogressivegroup.starbearingcentre[.]com | HIGH
Greencastle Resources | Natural Resources | greencastleresources.starbearingcentre[.]com | HIGH
Swiftsure Innovations | Technology | swiftsureinnovations.starbearingcentre[.]com | HIGH
Mati Therapeutics | Pharmaceuticals/Biotech | matitherapeutics.starbearingcentre[.]com | HIGH
Cognixion | Neurotechnology/Accessibility | cognixion.starbearingcentre[.]com | HIGH
FendX Technologies | Antimicrobial Technology | fendxtech.starbearingcentre[.]com | HIGH
CN Resources | Natural Resources | cnresources.starbearingcentre[.]com | MEDIUM
Alliance des Cadres | French Professional Org | alliancedescadres.starbearingcentre[.]com | HIGH
RouteHub | Logistics/Tech | routehub.starbearingcentre[.]com | MEDIUM
Newport Private Wealth | Financial Services | newportprivatewealth.theworkitcentre[.]com | HIGH
NATO School (Oberammergau) | Military/Defense Education | wtkfsnatoschool.theworkitcentre[.]com | HIGH
Copeland (Count On Copeland) | Government/Council | countoncopelandcom[.]cloud | HIGH
VLMC/VLCM | Technology Services | vlmc/vlcm.starbearingcentre[.]com | MEDIUM

Targeting Patterns

  • Sector diversity: Technology, biotech, financial services, government, military education, professional organizations
  • Geographic spread: North America, Europe (incl. NATO), Latin America
  • Multi-language: English, Spanish, French, Dutch, Polish -- indicating international targeting
  • VPN/SSO focus: Heavy emphasis on remote access credential theft (GlobalProtect, FortiVPN, AnyConnect, Citrix)

MITRE ATT&CK Mapping

Tactic | Technique | ID | Application
Initial Access | Phishing: Spearphishing Link | T1566.002 | Domain-specific phishing URLs
Credential Access | Adversary-in-the-Middle | T1557 | AiTM session hijacking (probable)
Credential Access | Input Capture: Web Portal Capture | T1056.003 | Fake VPN/SSO login portals
Resource Development | Acquire Infrastructure: Domains | T1583.001 | 7+ domains across 3 registrars
Resource Development | Acquire Infrastructure: Server | T1583.004 | Dedicated server at dus.net GmbH
Resource Development | Obtain Capabilities: Digital Certificates | T1588.004 | 200+ ZeroSSL certificates
Defense Evasion | Impersonation: Domains | T1656 | Legitimate-sounding business names
Command and Control | Proxy: CDN | T1090.002 | Cloudflare CDN as reverse proxy

IOC Summary

Network Indicators

Origin IP:

  • 178[.]16[.]53[.]131 (AS40999 / AS209800, dus.net GmbH / metaspinner net, Dusseldorf, DE)

Domains (Registrar.eu/Regery cluster):

  • inhwabusinesscentre[.]com
  • starbearingcentre[.]com
  • theworkitcentre[.]com

Domains (Other registrars, same origin IP):

  • countoncopelandcom[.]cloud
  • prjnation[.]sbs

Domains (Burned/NXDOMAIN):

  • vvgks[.]me
  • vantedglelgx[.]com

Adjacent IP of interest:

  • 178[.]16[.]53[.]130 (islamic2026news[.]org)

Infrastructure Fingerprints

  • SOA Serial: 154626345
  • Server: nginx/1.18.0 (Ubuntu)
  • SSH: OpenSSH 9.2p1 Debian 2+deb12u5
  • Certificate Issuer: ZeroSSL ECC Domain Secure Site CA
  • Subdomain naming pattern: [org-name].[campaign-domain].com
  • Infrastructure node pattern: [type]-[num]-[random]-[num]-[purpose]-[num].[domain]
  • URL token pattern: Long Base64-like path segments
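The fingerprints above (and the certificate analysis earlier in this report) describe several distinct subdomain families: VPN/SSO lure names, organization names, the [type]-[num]-[random]-[num]-[purpose]-[num] node pattern, UUIDs and 8-letter DGA-like strings. The classifier below, added here as an example and not the report author's tooling, sorts a batch of CT-log labels into those families so a defender can triage a new domain's certificate history the same way. The sample labels are copied from this report; the keyword lists, the organization watchlist and the randomness thresholds are this example's own assumptions.

```python
"""Classify subdomain labels pulled from Certificate Transparency logs into the
categories this report describes: VPN/SSO lures, org-targeted names, the
[type]-[num]-[random]-[num]-[purpose]-[num] infrastructure-node pattern, UUIDs
and DGA-like random labels.  Added example, not the report author's tooling.
Sample labels come from the report; keyword lists, the org watchlist and the
randomness thresholds are this example's own assumptions."""
import re
from collections import Counter

# Keywords drawn from the report's VPN/SSO lure lists.  Short tokens are matched
# exactly so that e.g. "gp" does not fire on every label containing those letters.
VPN_SUBSTR = ("vpn", "globalprotect", "prelogon", "anyconnect", "connect", "forti",
              "remoteaccess", "remoto", "secureaccess", "firewall", "gateway")
VPN_EXACT = ("gp", "fw", "panglobal")
SSO_SUBSTR = ("login", "auth", "autodiscover", "extranet", "intra", "office", "teams",
              "workspace", "citrix", "receiver", "virtual", "desktop", "cloud",
              "correo", "poczta", "acceso", "buitenland")
SSO_EXACT = ("sso", "sts", "owa", "my", "vdi")
# Organizations the report identified by name (watchlist assumed for this example).
ORG_WATCHLIST = {"simcotechnologies", "theprogressivegroup", "greencastleresources",
                 "swiftsureinnovations", "matitherapeutics", "cognixion", "fendxtech",
                 "cnresources", "alliancedescadres", "routehub", "newportprivatewealth",
                 "wtkfsnatoschool"}

# [type]-[num]-[random]-[num]-[purpose]-[num], e.g. hub-42-bpjqlt-1985-storage-node-06
NODE_RE = re.compile(r"^[a-z]+-\d+-[a-z]{6}-\d+-[a-z]+(?:-[a-z]+)?-\d+$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def _has_keyword(label, substr, exact):
    return label in exact or any(kw in label for kw in substr)


def looks_random(label):
    """DGA heuristic for the 8-letter labels the report observed: flag when
    vowels are scarce or a run of three or more consonants appears."""
    if not re.fullmatch(r"[a-z]{8}", label):
        return False
    vowels = sum(c in "aeiou" for c in label)
    longest_consonant_run = max(len(r) for r in re.findall(r"[^aeiou]+", label))
    return vowels / 8 <= 0.25 or longest_consonant_run >= 3


def classify(label):
    """Return one category string for a single subdomain label."""
    label = label.lower().strip(".")
    if UUID_RE.fullmatch(label):
        return "uuid"
    if NODE_RE.fullmatch(label):
        return "infra-node"
    if "telem" in label:  # raventelemetry / raventelemtry family (typo included)
        return "telemetry"
    if label in ORG_WATCHLIST:
        return "org-targeted"
    if _has_keyword(label, VPN_SUBSTR, VPN_EXACT):
        return "vpn-lure"
    if _has_keyword(label, SSO_SUBSTR, SSO_EXACT):
        return "sso-lure"
    if looks_random(label):
        return "dga-like"
    return "other"


def summarize(labels):
    """Count categories across a batch of labels, e.g. one domain's CT history."""
    return dict(Counter(classify(l) for l in labels))


# Constructed batch: labels quoted from the report plus one benign control ("mailhost").
SAMPLE_LABELS = [
    "globalprotect", "sslvpn", "anyconnect", "fortigate", "vpn-eu",
    "sso", "owa", "citrix", "desktopstudent", "correo",
    "raventelemtry", "simcotechnologies", "newportprivatewealth",
    "hub-42-bpjqlt-1985-storage-node-06", "secure-34-xqtrpl-3829-data-hub-05",
    "app-56-qpltnv-2748-secure-hub-09",
    "b1d52846-d5f9-44c3-9c13-dd9cef14e10c", "dywoeixb", "yldbewxq", "mailhost",
]

if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        print(f"{label:40s} {classify(label)}")
    print(summarize(SAMPLE_LABELS))
```

A high share of "infra-node", "dga-like" or "vpn-lure" labels on a domain that has no business reason to carry them is the triage signal; the org watchlist is the part a defender replaces with their own company and partner names.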

Behavioral Indicators

  • Fake Cloudflare challenge page titles:
    • "Attention Required! | Cloudflare"
    • "Secure Authentication Portal"
    • "Security Verification Required"
    • "Access Control Verification"
    • "Account Security Check"
    • "Security Gateway"
    • "Please stand by, while we are checking your browser..."

Immediate (24-48 hours)

  • Block 178[.]16[.]53[.]131 at network perimeter
  • Block all campaign domains at DNS/proxy level
  • Search email logs for links to any campaign domain or subdomain
  • Alert SOC to fake Cloudflare challenge page pattern
  • Notify targeted organizations (especially NATO School, Newport Private Wealth)
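Searching email and proxy logs for "any campaign domain or subdomain" needs a match on the label boundary, otherwise look-alike hosts slip through and unrelated hosts produce noise. The script below, added here as an example and not the report author's tooling, refangs the IOC list from this report and walks a set of constructed log lines, reporting each URL whose host is a campaign domain, a subdomain of one, or the origin IP.

```python
"""Search proxy or mail-gateway URL logs for the campaign's domains (and every
subdomain of them) and the origin IP.  Added example, not the report author's
tooling: the IOC list is taken from the report, the log lines are constructed."""
import re
from urllib.parse import urlparse

# Defanged exactly as in the report; refang() restores them for matching.
CAMPAIGN_IOCS = [
    "inhwabusinesscentre[.]com", "starbearingcentre[.]com", "theworkitcentre[.]com",
    "countoncopelandcom[.]cloud", "prjnation[.]sbs", "vvgks[.]me", "vantedglelgx[.]com",
    "178[.]16[.]53[.]131",
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def refang(ioc):
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host, iocs):
    """True when host equals an IOC or is a subdomain of it.  Checking the
    label boundary avoids look-alikes such as notinhwabusinesscentre.com."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def scan_lines(lines, iocs=CAMPAIGN_IOCS):
    """Return (line_no, host, url) for every URL whose host hits the IOC list."""
    refanged = [refang(i).lower() for i in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            if host_matches(host, refanged):
                hits.append((n, host, url))
    return hits


# Constructed log lines (users, timestamps and the path token are placeholders).
SAMPLE_LOG = [
    "2025-10-12T09:14:02Z proxy user=jdoe url=https://globalprotect.inhwabusinesscentre.com/EXAMPLE-TOKEN status=200",
    "2025-10-12T09:15:10Z proxy user=asmith url=https://www.example.com/login status=200",
    "2025-10-12T09:16:44Z mailgw from=sender@example.net link=https://notinhwabusinesscentre.com/x verdict=allowed",
    "2025-10-13T11:02:09Z proxy user=bkhan url=http://178.16.53.131/verify status=302",
    "2025-11-20T08:41:33Z mailgw from=hr@example.net link=https://newportprivatewealth.theworkitcentre.com/sso verdict=allowed",
]

if __name__ == "__main__":
    for line_no, host, url in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {host} <- {url}")
```

Line 3 is the deliberate near-miss: a plain substring search would flag it, the boundary check does not. Feed the real log stream in place of SAMPLE_LOG and extend CAMPAIGN_IOCS as new domains on the same origin turn up.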

Short-term (1-2 weeks)

  • Monitor Regery.net NS for new domain registrations matching "centre" naming pattern
  • Monitor 178[.]16[.]53[.]0/24 for new web services
  • Check CT logs for new ZeroSSL certs issued to campaign domains
  • Review VPN authentication logs for anomalous sessions during campaign active period (Oct-Nov 2025)

Medium-term (1-3 months)

  • Submit abuse reports to: Registrar.eu, dus.net GmbH, Cloudflare, ZeroSSL
  • Submit IOCs to ThreatFox, PhishTank
  • Monitor for infrastructure rotation to new IPs/registrars

Abuse Reports

Registrar.eu (abuse@registrar.eu)

Subject: Phishing domains -- inhwabusinesscentre.com, starbearingcentre.com, theworkitcentre.com

Domains registered through your registrar are hosting credential harvesting phishing infrastructure impersonating VPN/SSO portals and targeting named organizations including NATO School. Evidence: VirusTotal flagged 7-9/94 malicious, URLScan confirms phishing pages served from origin IP 178.16.53.131.

dus.net GmbH

Subject: Phishing origin server at 178.16.53.131

Server at this IP is hosting credential harvesting infrastructure serving fake Cloudflare challenge pages and rotating phishing portals. 7+ domains confirmed. Server running nginx/1.18.0 on Ubuntu with OpenSSH 9.2p1.

Cloudflare (CDN abuse)

Subject: Cloudflare CDN used to proxy phishing infrastructure

Multiple phishing domains using Cloudflare CDN to mask origin IP 178.16.53.131. Domains serve fake "Attention Required" Cloudflare challenge pages as anti-analysis evasion. This is active abuse of Cloudflare infrastructure.

References

  • @salmanvsf Twitter reporting (initial leads)
  • URLScan.io historical scans (Oct 2025)
  • crt.sh Certificate Transparency logs
  • VirusTotal domain analysis
  • Shodan host data

GHOST -- Breakglass Intelligence "One indicator. Total infrastructure."
