
The Tip Was Dead. The Kit Was Not: Inside a SumUp Phishing Operation With an Open Admin Panel and Moroccan Fingerprints

Zero-auth admin panel, real-time session hijacking, Telegram exfiltration, and Darija Arabic in the source code

Published April 1, 2026
Tags: phishing, sumup, credential-harvesting, telegram-exfil, moroccan-operators, open-panel

The tip was a dead link. A 404. The kind of thing most analysts would note, shrug at, and move on from. But a phishing URL that was live and now isn't still tells you something important: someone stood up infrastructure on that server, and they probably didn't clean up everything when they moved.

They didn't.

This is the story of Live Control Panel Premium -- a SumUp phishing kit discovered on a compromised German wedding venue's website, featuring an admin panel with zero authentication, real-time victim session hijacking, Telegram exfiltration, and linguistic fingerprints that trace back to a Moroccan operator. By the time we finished pulling threads, we'd mapped 7 deployments across 4 countries and identified a coordinated campaign targeting small businesses and merchants across Europe.

The Tip That Wasn't

On March 31, security researcher @JAMESWT_MHT flagged a suspicious URL on a German domain -- chateau-royal[.]de/1212/pub/mul/web/. Classic phishing path structure: numbered directory, nested subdirectories, a /web/ endpoint that screams credential harvester.

The URL returned a 404.

But here's the thing about phishing kit operators: they iterate. They move directories around. They test paths and rename things. The /mul/ directory was dead, but the /1212/pub/ prefix was specific enough to suggest a deliberate deployment structure. So instead of walking away from the 404, GHOST started probing adjacent paths.

/1212/                     -> HTTP 500 (PHP framework -- something's here)
/1212/pub/                 -> HTTP 403 (directory exists, listing denied)
/1212/pub/mul/             -> 404 (the dead tip)
/1212/pub/log/             -> HTTP 302 redirect -> web/login.php

/log/ instead of /mul/. The kit hadn't been taken down. It had been moved. And it was live.

A Wedding Venue With a Parasite

The host domain, chateau-royal[.]de, belongs to a legitimate German business -- Chateau Royal, a wine import/export company in Düsseldorf that appears to double as a wedding and event venue. Their website is a static HTML site mirrored with HTTrack back in 2017, sitting on Host Europe GmbH shared hosting with an OpenSSH 8.0 instance carrying 14 known CVEs according to Shodan.

The WHOIS record was last updated on March 26, 2026 -- five days before our investigation. That timing aligns with the compromise window. Someone popped this neglected web server, uploaded a phishing kit into a nested directory structure, and started operations while the legitimate business owners almost certainly had no idea their domain was now harvesting payment credentials.

This is the unglamorous reality of phishing infrastructure: the attackers don't need bulletproof hosting in Moldova. They need a forgotten website with a valid TLS certificate and a domain that won't trigger email filters. A German wine importer fits perfectly.

What SumUp Is and Why It Matters

SumUp is a European fintech company that provides mobile point-of-sale card readers and payment processing to small businesses -- restaurants, market stalls, freelancers, local shops. They operate across the UK, Italy, Germany, France, Ireland, and Brazil. If you've tapped your card at a farmer's market or a small cafe in Europe, there's a decent chance it was a SumUp terminal.

This targeting is deliberate. SumUp merchants are small business owners, not enterprise security teams. They're less likely to recognize a sophisticated phishing page, more likely to panic at an account verification email, and their accounts are directly connected to payment processing and fund withdrawals. Compromise a SumUp account and you have access to a merchant's revenue stream.

The Panel With No Lock on the Door

At /1212/pub/log/panel/, we found the operator's admin interface. It's branded "Live Control Panel Premium" and features a dark theme with ghost-pattern SVG backgrounds -- polished enough to look like a commercial product.

It has zero authentication.

No login page. No session check. No API key. No Basic auth. Nothing. Navigate to the URL and you're in. You can see every victim's stolen credentials, control active sessions, view the Telegram bot configuration, and manipulate the entire phishing flow. The operator left the keys in the ignition and the engine running.

The panel exposes:

  • Telegram bot token: 6219907498:AAEHeqbQRZLBB4zrID4OfmExfc_F0_woXRc with chat ID -983035836 (a group chat -- multiple operators likely receive the stolen data)
  • Victim IP addresses with online/offline status indicators (green/red)
  • All harvested credentials displayed in real-time: email, password, SMS OTP, email OTP, and card data
  • A PC-blocking toggle to force mobile-only access (phishing pages render better on mobile and users are less likely to inspect URLs)
  • A kill switch to disable all phishing pages simultaneously

But the panel's most dangerous feature is the redirect system.

Puppet Master: Real-Time Session Hijacking

Most phishing kits are fire-and-forget. The victim lands on the page, enters their credentials, and gets redirected to the real site. The stolen data goes to a log file or a Telegram bot, and the operator reviews it later.

This kit is different. The operator sits at the panel and controls the victim's browser in real time.

Here's how it works. Every phishing page includes a JavaScript polling loop that checks the panel's backend every 500 milliseconds:

var targets = {
  1: "login.php?e",      // LOGIN ERROR -- force credential re-entry
  2: "sms.php",          // SMS OTP -- request verification code
  3: "sms4.php",         // SMS ERROR -- "wrong code, try again"
  4: "email.php",        // EMAIL OTP -- request email code
  5: "email.php?e=",     // EMAIL ERROR -- "wrong code, try again"
  6: "final.php"         // DONE -- redirect to real sumup.com
};

setInterval(function(){
  $.post("../panel/classes/processor.php",
    {redirectionListener:1},
    function(data){
      redirect = data;
      if(redirect == 0) return false;
      clearRedirections();
      window.location = targets[redirect];
    });
}, 500);

The victim enters their email and password on the login page. The credentials are sent to send.php, which pushes them to the Telegram bot and displays them in the panel. The victim is then parked on a loading page -- a convincing SumUp-branded spinner -- while the operator reviews the stolen credentials.

Now the operator makes a decision. They can:

  1. Push to SMS OTP: The victim sees a page requesting their 6-digit SMS verification code. The operator is simultaneously attempting to log into the real SumUp with the stolen credentials, triggering a legitimate SMS code to the victim's phone.

  2. Push to SMS Error: If the code doesn't work (maybe they mistyped, maybe the operator needs a fresh one), the victim is bounced to a "please re-enter" page.

  3. Push to Email OTP: Same flow, but for email-based two-factor codes.

  4. Push to Final: Once the operator has everything they need, the victim gets a "Verification Complete" message and is redirected to the real sumup.com. The victim thinks they just completed a security check. The operator has their credentials, their 2FA codes, and in many cases their card data.

Each step is manual. Each redirect is a conscious decision by the operator watching the panel. This isn't automated credential harvesting -- it's a human-operated man-in-the-middle attack with the phishing page as the proxy. The victim is a puppet. The operator pulls the strings.
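The polling loop above leaves a distinctive trace on the compromised web server: one client POSTing the same backend endpoint twice a second for as long as it sits on the loading page. The following detection, an added example and not code from the report or the kit, runs over constructed Apache/nginx combined-format access-log lines (second-resolution timestamps, so a 500 ms loop shows up as about 2 hits per second on one path) and flags (client, path) pairs that are being hammered at that rate. The endpoint names come from the kit's JavaScript quoted above; the sample log lines are constructed, not captured.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: client, identity, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Endpoints named in the kit's own JavaScript and page flow (taken from the report).
KIT_ENDPOINTS = ("panel/classes/processor.php", "send.php")

# Constructed sample lines (not captured from the compromised host). The parked
# victim (203.0.113.7) polls the panel endpoint twice per second for four seconds;
# an ordinary visitor (198.51.100.9) fetches a page once.
SAMPLE_LOG = """\
198.51.100.9 - - [31/Mar/2026:14:02:09 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [31/Mar/2026:14:02:09 +0000] "POST /1212/pub/log/web/send.php HTTP/1.1" 302 0
203.0.113.7 - - [31/Mar/2026:14:02:10 +0000] "POST /1212/pub/log/panel/classes/processor.php HTTP/1.1" 200 1
203.0.113.7 - - [31/Mar/2026:14:02:10 +0000] "POST /1212/pub/log/panel/classes/processor.php HTTP/1.1" 200 1
203.0.113.7 - - [31/Mar/2026:14:02:11 +0000] "POST /1212/pub/log/panel/classes/processor.php HTTP/1.1" 200 1
203.0.113.7 - - [31/Mar/2026:14:02:11 +0000] "POST /1212/pub/log/panel/classes/processor.php HTTP/1.1" 200 1
203.0.113.7 - - [31/Mar/2026:14:02:12 +0000] "POST /1212/pub/log/panel/classes/processor.php HTTP/1.1" 200 1
203.0.113.7 - - [31/Mar/2026:14:02:12 +0000] "POST /1212/pub/log/panel/classes/processor.php HTTP/1.1" 200 1
203.0.113.7 - - [31/Mar/2026:14:02:13 +0000] "POST /1212/pub/log/panel/classes/processor.php HTTP/1.1" 200 1
203.0.113.7 - - [31/Mar/2026:14:02:13 +0000] "POST /1212/pub/log/panel/classes/processor.php HTTP/1.1" 200 1
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path.split("?", 1)[0],  # drop query string so ?e variants group together
        "status": int(status),
    }


def find_polling_clients(lines, min_hits=6, min_rate=1.5):
    """Group POSTs by (client, path) and flag pairs hit at >= min_rate requests/second.

    Rate is hits divided by the inclusive number of seconds spanned, so a 500 ms
    polling loop shows up as roughly 2.0 even with second-resolution timestamps.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            buckets[(rec["ip"], rec["path"])].append(rec["time"])

    findings = []
    for (ip, path), times in buckets.items():
        if len(times) < min_hits:
            continue
        span = int((max(times) - min(times)).total_seconds()) + 1
        rate = len(times) / span
        if rate >= min_rate:
            findings.append({
                "ip": ip,
                "path": path,
                "hits": len(times),
                "seconds": span,
                "rate": round(rate, 2),
                # True when the polled path matches an endpoint named in the kit
                "known_kit_endpoint": path.endswith(KIT_ENDPOINTS),
            })
    return findings


if __name__ == "__main__":
    for finding in find_polling_clients(SAMPLE_LOG.splitlines()):
        print(finding)
```

A hosting provider running this over access logs gets a short list of (client, path) pairs behaving like a beacon; the `known_kit_endpoint` flag only confirms a match against this kit's paths, while the rate test catches the pattern under whatever directory name the next deployment uses.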

The Full Attack Chain

[1] Phishing email sent via SendGrid (user u61519686)
     |
[2] SendGrid tracking link -> qrcodeveloper.com QR redirect -> phishing URL
     |
[3] SumUp login page: email + password harvested -> Telegram bot
     |
[4] Loading page: victim held while operator reviews credentials
     |
[5] Operator controls the flow via panel redirect buttons:
     |-> SMS OTP page (6-digit code harvest)
     |-> SMS retry page (if code was wrong)
     |-> Email OTP page (6-digit code harvest)
     |-> Email retry page (if code was wrong)
     |-> Card data page (number, expiry, CVV, cardholder name)
     |
[6] Final page: "Verification Complete" -> redirect to real sumup.com
     |
[7] Operator logs into real SumUp with stolen credentials + intercepted OTPs
     |
[8] Account takeover -> fund withdrawal, fraudulent transactions

The delivery mechanism deserves its own mention. The phishing emails are sent through SendGrid, a legitimate email delivery platform, under user ID u61519686. Using SendGrid means the emails come from infrastructure with established sender reputation -- they're far less likely to land in spam than emails from a freshly registered domain. The tracking links pass through qrcodeveloper[.]com, a QR code redirect service behind Cloudflare, adding another layer of legitimacy to the URL chain.
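The delivery chain described here (tracking link, then a QR redirect service, then the phishing page) is only visible if a mail-security pipeline walks the 3xx hops itself rather than trusting the first domain. The following resolver is an added example, not code from the report; it follows redirects one hop at a time with HEAD requests, never renders anything, stops on loops, and reports the distinct hosts traversed. The network is replaced by a constructed offline table so it runs without touching any of the listed infrastructure; the tracking URLs in that table are placeholders, not the real SendGrid links.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following it,
    # so each hop is observed explicitly.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Perform ONE hop with a HEAD request and return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "chain-inspector/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def resolve_chain(url, fetch=http_fetch, max_hops=10):
    """Walk 3xx hops without following them in the client.

    Returns (ordered list of URLs, cut_flag); cut_flag is True when the walk was
    stopped by a loop or by max_hops, which is itself worth alerting on.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, False
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            return chain + [nxt], True
        chain.append(nxt)
    return chain, True


def summarize(chain):
    """Collapse the chain to the distinct hosts crossed, in order."""
    hosts = []
    for u in chain:
        host = urlsplit(u).hostname or ""
        if not hosts or hosts[-1] != host:
            hosts.append(host)
    return {
        "hops": len(chain) - 1,
        "hosts": hosts,
        "final": chain[-1],
        "cross_domain": len(hosts) > 1,
    }


# Constructed offline stand-in for the network, modelled on the chain in the report:
# tracking link -> QR redirect service -> phishing page. 'tracker.example' and the
# 'EXAMPLE' path components are placeholders (assumption), not observed URLs.
MOCK_WEB = {
    "https://tracker.example/ls/click?upn=EXAMPLE": (302, "https://qrcodeveloper.com/code/EXAMPLE"),
    "https://qrcodeveloper.com/code/EXAMPLE": (302, "https://chateau-royal.de/1212/pub/log/web/"),
    "https://chateau-royal.de/1212/pub/log/web/": (200, None),
    # a two-node redirect loop, to exercise the cut logic
    "https://loop.example/a": (302, "/b"),
    "https://loop.example/b": (302, "/a"),
}


def mock_fetch(url):
    return MOCK_WEB.get(url, (404, None))


if __name__ == "__main__":
    chain, cut = resolve_chain("https://tracker.example/ls/click?upn=EXAMPLE", fetch=mock_fetch)
    print(summarize(chain), "cut:", cut)
```

Swapping `mock_fetch` for the default `http_fetch` makes the same function work against live links from a sandboxed analysis host; the thing to alert on is a `cross_domain` chain whose final host is neither the mail sender's domain nor the brand the message claims to be from.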

Not a One-Off: 7 Deployments, 4 Countries

The chateau-royal[.]de kit was just the one we found first. Pivoting on the kit's fingerprints -- the CSS nonce cvkPNRgHn87c8elY, the "Live Control Panel Premium" footer, the panel structure -- revealed at least 6 additional deployments:

Domain | IP | Provider | Country | Status
chateau-royal[.]de | 92.205.50.80 | Host Europe GmbH | Germany | LIVE
sh-cp33.yyz2.servername[.]online | 66.102.137.74 | cPanel hosting | Canada | LIVE
easyuzu77u.sviluppo[.]host | 149.62.185.18 | Host SpA | Italy | Dead
informatique.sviluppo[.]host | 81.31.158.4 | Host SpA | Italy | Dead
holy.com[.]mx -> redsquaresolution[.]com | 91.238.165.229 | Enix Ltd | UK | Dead
explorafeme.com[.]mx -> redsquaresolution[.]com | 91.238.165.229 | Enix Ltd | UK | Dead
qrcodeveloper[.]com | 66.33.60.193 | Cloudflare | USA | LIVE

The Italian deployments on Host SpA use wildcard subdomains on sviluppo.host -- "sviluppo" is Italian for "development," suggesting these are shared development hosting accounts, likely compromised. The UK deployments on Enix Ltd route through Mexican .com.mx domains that redirect to redsquaresolution[.]com. The Canadian deployment sits in a cPanel shared hosting environment under the user account ~dunir8.

This is a campaign, not an experiment. Multiple compromised hosts, multiple hosting providers, multiple countries, rotating infrastructure as deployments get detected and taken down. The dead Italian and UK sites suggest this operation has been running long enough for some nodes to be burned already.

The Operator Speaks Darija

Inside the panel's PHP source code -- not in user-generated content, but in hardcoded status messages that the developer wrote -- we found two strings that aren't English, French, or Modern Standard Arabic:

  • "Victim kaysaynk tedih lchi blassa hh..." -- "The victim doesn't know where to go"
  • "Lvictiiim mchaaa" -- "The victim is gone/left"

This is Moroccan Darija -- the colloquial Arabic dialect spoken in Morocco. It's distinct from Egyptian Arabic, Gulf Arabic, or Levantine Arabic, and immediately recognizable to anyone familiar with North African linguistics. The hh at the end of the first string is the Darija equivalent of "lol." The developer was amused by confused victims.

The second deployment on the Canadian cPanel host provided corroborating evidence. The Telegram bot token and chat ID fields in that panel instance contained gibberish: qzetz'e(yezrt and qzreyzerth. This isn't random -- it's what you get when you mash keys on an AZERTY keyboard, the keyboard layout used in France, Belgium, Morocco, Algeria, and Tunisia. Someone was testing the form fields by typing garbage, and their keyboard told us where they were.

Darija code comments plus AZERTY keyboard artifacts: this operator is almost certainly Francophone North African, most likely Moroccan. This is consistent with known Moroccan cybercrime clusters that have historically targeted European payment processors and banking platforms.

Attribution confidence: MEDIUM-HIGH.

One More Fingerprint

There's a detail that links every phishing page built by this developer: multiple pages contain injected script references from Chrome extension nimlmejbmnecnaghgmbahmbaddhjbecg, loading paths like content/location/location.js and libs/extend-native-history-api.js.

This happens when a developer uses Chrome's "Save As" function to build or template their phishing pages -- any active extensions bleed their content scripts into the saved HTML. The developer didn't notice (or didn't care), and now every page they build carries this extension ID as a fingerprint. It's a tracking beacon they installed on themselves.
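The fingerprints this section and the "Not a One-Off" section rely on (the panel name, the CSS nonce, the login challenge token, and the leaked extension ID) are all plain strings, which makes them cheap for a hosting provider to sweep for across customer document roots. The scanner below is an added example, not code from the report; it matches the published kit strings and, more generally, any `chrome-extension://` script reference, since server-side HTML has no legitimate reason to load code from a browser extension URL and such a reference is always a "Save As" leak. The sample page is constructed, and the exact markup of a leaked reference is an assumption modelled on the paths quoted above.

```python
import os
import re

# Fingerprints published in the report for this kit.
KIT_STRINGS = {
    "panel_name": "Live Control Panel Premium",
    "css_nonce": "cvkPNRgHn87c8elY",
    "login_challenge_token": "b9ea9ac032cf4540b39e241ceace6c3d",
    "developer_extension_id": "nimlmejbmnecnaghgmbahmbaddhjbecg",
}

# Chrome extension IDs are 32 characters drawn from a-p. Capture the ID and the
# content-script path so the developer fingerprint survives a kit rebrand.
EXT_REF_RE = re.compile(r"chrome-extension://([a-p]{32})/([^\"'\s>]+)")


def scan_html(html):
    """Return a list of (finding_name, matched_value) for one page's source."""
    findings = []
    for name, needle in KIT_STRINGS.items():
        if needle in html:
            findings.append((name, needle))
    for ext_id, path in EXT_REF_RE.findall(html):
        findings.append(("extension_ref", f"{ext_id}/{path}"))
    return findings


def scan_tree(root, exts=(".html", ".htm", ".php")):
    """Walk a document root and map each flagged file to its findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "r", errors="replace") as fh:
                found = scan_html(fh.read())
            if found:
                hits[full] = found
    return hits


# Constructed sample page (assumption: how the leaked references appear in markup).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" nonce="cvkPNRgHn87c8elY" href="style.css">
<script src="chrome-extension://nimlmejbmnecnaghgmbahmbaddhjbecg/content/location/location.js"></script>
<script src="chrome-extension://nimlmejbmnecnaghgmbahmbaddhjbecg/libs/extend-native-history-api.js"></script>
</head><body><footer>Live Control Panel Premium</footer></body></html>"""

# Constructed benign page that should produce no findings.
CLEAN_PAGE = "<html><body><h1>Chateau Royal</h1><script src=\"/js/site.js\"></script></body></html>"


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

The two detection layers deliberately differ in lifetime: the literal strings identify this kit version, while the extension-reference rule keeps working when the developer changes the nonce or the footer but keeps building pages with the same browser profile.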

Indicators of Compromise

Phishing URLs (Live at Time of Publication)

hxxps://chateau-royal[.]de/1212/pub/log/web/
hxxps://chateau-royal[.]de/1212/pub/log/web/index[.]php
hxxps://chateau-royal[.]de/1212/pub/log/panel/
hxxps://chateau-royal[.]de/1212/pub/log/panel/settings[.]php
hxxps://sh-cp33[.]yyz2[.]servername[.]online/~dunir8/Service/SumUp/web/login[.]php
hxxps://sh-cp33[.]yyz2[.]servername[.]online/~dunir8/Service/SumUp/panel/

Phishing URLs (Dead)

hxxps://informatique[.]sviluppo[.]host/ump/web/login[.]php
hxxps://easyuzu77u[.]sviluppo[.]host/
hxxp://holy[.]com[.]mx/
hxxp://explorafeme[.]com[.]mx/
hxxps://qrcodeveloper[.]com/code/t1z6zMqxlk0IHzqu
hxxps://qrcodeveloper[.]com/code/zCBPKv1vyo2TDjoj

IP Addresses

IP | Role | Hosting
92.205.50[.]80 | Compromised host (chateau-royal.de) | Host Europe GmbH, DE
149.62.185[.]18 | Kit hosting (sviluppo.host) | Host SpA, IT
81.31.158[.]4 | Kit hosting (sviluppo.host) | Host SpA, IT
91.238.165[.]229 | Kit hosting (redsquaresolution.com) | Enix Ltd, GB
66.102.137[.]74 | Kit hosting (servername.online) | cPanel, CA
66.33.60[.]193 | QR redirect (qrcodeveloper.com) | Cloudflare, US

Domains

chateau-royal[.]de
sviluppo[.]host
easyuzu77u[.]sviluppo[.]host
informatique[.]sviluppo[.]host
redsquaresolution[.]com
holy[.]com[.]mx
explorafeme[.]com[.]mx
servername[.]online
qrcodeveloper[.]com

Exfiltration

Indicator | Value
Telegram Bot Token | 6219907498:AAEHeqbQRZLBB4zrID4OfmExfc_F0_woXRc
Telegram Chat ID | -983035836 (group chat)
SendGrid User | u61519686

Kit Fingerprints

Indicator | Value
Panel name | "Live Control Panel Premium"
CSS nonce | cvkPNRgHn87c8elY
Login challenge token | b9ea9ac032cf4540b39e241ceace6c3d
Chrome Extension ID | nimlmejbmnecnaghgmbahmbaddhjbecg
Panel background | Ghost-pattern SVG, #1a1a1a dark theme

MITRE ATT&CK

Technique | ID | Application
Compromise Infrastructure: Web Services | T1584.006 | Compromised chateau-royal.de and cPanel accounts
Develop Capabilities: Phishing Kit | T1587.001 | "Live Control Panel Premium"
Phishing: Spearphishing Link | T1566.002 | SendGrid emails with tracking redirects
Input Capture: Web Portal Capture | T1056.003 | Multi-step credential, OTP, and card harvest
Exfiltration Over Web Service | T1567 | Telegram bot API
Web Service: Bidirectional Communication | T1102.002 | Real-time operator panel for session control

Takeaways

For SumUp merchants: If you received an email asking you to verify your account or re-enter your credentials, and the URL wasn't sumup.com, you may have been targeted. Enable hardware security keys if SumUp supports them. SMS and email OTP are interceptable by exactly this kind of kit.

For hosting providers: The compromised infrastructure in this campaign -- Host Europe, Host SpA, cPanel shared hosting -- consists of environments where neglected accounts with outdated software become footholds. OpenSSH 8.0 with 14 CVEs on a shared hosting server is an open invitation. Proactive scanning of hosted content for phishing kit signatures would catch deployments like this.

For email security teams: SendGrid user u61519686 is actively distributing phishing emails. The use of legitimate email infrastructure with established sender reputation is specifically designed to bypass domain-based filtering. Tracking link analysis and QR code redirect chain inspection are necessary to catch this delivery mechanism.

For threat intelligence: The "Live Control Panel Premium" kit is a commercial or semi-commercial product being deployed by multiple operators. The Moroccan Darija strings and AZERTY keyboard artifacts are attribution anchors that can be tracked across future deployments. The Chrome extension ID nimlmejbmnecnaghgmbahmbaddhjbecg is a persistent developer fingerprint.

The original tip was a dead URL. The kit had moved one directory over. Everything in this report -- the open panel, the session hijacking, the Telegram tokens, the seven deployments, the Moroccan attribution -- came from refusing to accept a 404 as the final answer.

Persistence pays off.


This investigation was triggered by a tip from @JAMESWT_MHT. Infrastructure discovery, panel analysis, and campaign mapping were produced by Breakglass Intelligence's autonomous GHOST investigation system. All evidence was captured via passive and semi-passive methods.

Breakglass Intelligence | March 31, 2026
