TMoscow Bot: A Russian-Built Telegram Mini App Runs PhaaS for a Chinese-Operated Japanese Financial Phishing Ring — 40+ Domains and an Unauthenticated Admin Panel
TL;DR
Following @volrant136's lead on famericanexpress-site.com, we walked into a multi-brand Japanese financial phishing operation that has been running continuously since at least April 2025 against every major Japanese financial institution: American Express Japan, SMBC, Vpass, JCB, SBI Securities, Rakuten Card, Saison, Epos, and PayEasy. URLScan shows 1,933 captures of the shared phishing kit's page title (「マイアカウントにログイン」 — "Log in to My Account") across dozens of hosting providers and multiple countries over the past 13 months.
The operational brains behind the campaign is TMoscow Bot — a full-featured Russian-language Telegram Mini App hosted at tmoscsupbot.com (185.146.233.207, FlokiNET Bucharest, AS200651) that functions as a Phishing-as-a-Service marketplace. The platform ships:
- Role-based access control, labelled in Russian: Главный администратор (Chief Administrator) · Администратор (Administrator) · Трейдер (Trader) · Сотрудник (Employee)
- Operator trust scoring: Очень доверенный (Very Trusted) / Доверенный (Trusted) / Нейтральный (Neutral) / Недоверенный (Untrusted) / Скам (Scam)
- Request/ticket workflow: Новая (New) → В работе (In Progress) → Выполнено (Done) / Отклонена (Rejected)
- Phishing-kit file distribution (up to 10 files per upload) for affiliates
- Statistics dashboards with period filters
- Per-operator chat threads tied to support tickets
- Two-factor auth on operator accounts
- Integration with external Telegram Mini Apps for lead-finance features
TMoscow Bot is one of the cleanest examples of a commercial PhaaS panel shipped entirely inside the Telegram ecosystem we've seen publicly. And critically: the Telegram Mini App frontend is publicly accessible — the full HTML, JS, and CSS of the management panel can be scraped directly from tmoscsupbot.com without authentication. The /admin/ and /health endpoints are both reachable, and the health endpoint leaks the backend stack (Node.js + Prisma ORM), uptime, and storage mode.
The cross-lingual supply chain is the second headline. The Telegram Mini App UI is entirely in Russian (every interface label, every role, every workflow state — all Cyrillic), strongly suggesting Russian-speaking platform developers. But the campaigns are run by Chinese-speaking affiliates: registrant names like "jia wen shu" from "Da Tong Shi" (Datong, China) on reg.cn, a preference for .icu TLDs via Gname.com (a Singapore/China registrar well-known in Chinese cybercrime tradecraft), and significant historical hosting on Chinese cloud providers (Tencent Cloud 43.x.x.x, CTG Server Singapore). That pairing — Russian developers building the platform, Chinese operators running the campaigns, Japanese victims footing the bill — describes a cross-border PhaaS marketplace that doesn't fit neatly into most of the "Russian cybercrime" or "Chinese APT" narratives the public intel reporting tends to lean on.
What this report adds to the public record:
- First public documentation we could find of the TMoscow Bot Telegram Mini App PhaaS platform at tmoscsupbot.com / 185.146.233.207, including the RBAC model, trust scoring, and software-distribution features
- The 1f8f4166599d23ee registrant hash pivot that links the tmoscsupbot.com C2 platform directly to the americanexprecs-jp.club and americanexpreccs-jp.vip phishing domains from April and May 2025, binding the platform owner to the earliest known domains in the campaign
- The b1722fb0e1313e46s@yahoo.co.jp registrant email from Setagaya, Tokyo, unmasked on americamexpress-co-jp.com via JPRS
- The "jia wen shu" / Da Tong Shi registrant on americanexprecs-jp.club via reg.cn, the Chinese-speaker attribution anchor
- Full infrastructure map across five clusters (Spartan Host US, FlokiNET RO, GMO Japan, CTG Server SG, Google Cloud), plus Oracle Cloud Japan and Tencent Cloud in the historical trail, with 35+ confirmed malicious domains on Spartan Host alone
Hat tip to @volrant136 for the lead. If you've already published reporting on TMoscow Bot, the tmoscsupbot.com platform, the 1f8f4166599d23ee registrant pivot, or the specific Japanese multi-brand phishing campaign covered here, please reply or DM — we'll update and credit.
TMoscow Bot — The Platform
Infrastructure
| Field | Value |
|---|---|
| Domain | tmoscsupbot.com |
| IP | 185.146.233.207 |
| ASN | AS200651 — FlokiNET ehf |
| Location | Bucharest, Romania (FlokiNET datacenter) |
| Web server | nginx 1.24.0 (Ubuntu) |
| Backend stack | Node.js + Prisma ORM (leaked via /health) |
| TLS cert | CN=tmoscsupbot.com, Let's Encrypt E8, issued 2026-03-28 |
| Domain registered | 2026-03-27 (Tucows) |
| Nameservers | ns1-4.flokinet.net (bulletproof) |
| Registrant jurisdiction | Seychelles, hash 1f8f4166599d23ee |
| Last build | 2026-04-08 (updated one day before our investigation) |
| Observed uptime | ~16 hours at time of investigation |
| Vulns matching the banner version | CVE-2023-44487 (HTTP/2 Rapid Reset), CVE-2025-23419 (matched on the nginx 1.24.0 banner; treat as unverified) |
The entire /admin/ tree is reachable without authentication. The /health endpoint returns a JSON payload that confirms the Prisma ORM backend, the uptime counter, and the storage mode; it's a shorter version of the same unauthenticated-health-endpoint mistake we wrote up yesterday on a completely unrelated Flask C2. It's a surprisingly common pattern: operators stand up a management panel, bolt on a /health or /admin/ route for their own monitoring, and forget to lock it down before publishing. One scoping note: what we pulled is the static frontend bundle plus /health. We make no claim that the API behind the Mini App serves data without a Telegram-authenticated session, and nothing below should be read as access to operator data.
What the panel ships
The operator side of the panel implements a complete PhaaS marketplace. Every interface string is Russian, every concept is named in Russian, and the design mirrors the patterns you'd see in a legitimate Telegram Mini App SaaS product:
Four-role RBAC
| Role (Russian) | English | Scope |
|---|---|---|
| Главный администратор | Chief Administrator | Full platform control |
| Администратор | Administrator | Admin panel access |
| Трейдер | Trader | Software distribution + lead-finance features |
| Сотрудник | Employee | Software distribution + lead-finance features |
Five-tier operator trust scoring
| Tier (Russian) | English |
|---|---|
| Очень доверенный | Very Trusted |
| Доверенный | Trusted |
| Нейтральный | Neutral |
| Недоверенный | Suspicious / Untrusted |
| Скам | Scam |
The presence of an explicit "Scam" tier for flagging bad-acting affiliates is a commercial-marketplace feature — it implies a reputation system enforced at the platform level, where the administration tracks which traders and employees have ripped off other affiliates or exit-scammed clients, and surfaces that rating to other users of the platform. It's the same trust-model primitive you see on legitimate freelancer marketplaces.
Ticket workflow
Новая (New) → В работе (In Progress) → Выполнено (Done) / Отклонена (Rejected)
Standard helpdesk workflow primitives. "Software" requests go through this flow, suggesting operators use tickets to request specific phishing-kit variants or feature modifications from the platform admins.
Software distribution
File upload / distribution subsystem with a 10-file-per-upload limit. This is how phishing kits get handed out to affiliates. A platform-managed kit catalog suggests the affiliates are not building their own kits; they pull them from a centralized, admin-controlled catalog, which is also why the same kit fingerprint shows up across every brand and hosting provider in this campaign.
Statistics + chat + 2FA + external Mini Apps
Statistics dashboards with period filters (Yesterday / 7 days / 30 days), integrated per-ticket operator-to-admin chat, two-factor authentication for operator accounts, and integration with external Telegram Mini Apps for "lead finance" features — presumably the actual cashout / money-movement leg of the operation.
The net picture is: TMoscow Bot is run like a SaaS product with customer support, QA, and a reputation economy, not like a one-person phishing panel.
The Cross-Lingual Supply Chain
The evidence consistently paints a supply-chain picture rather than a single-actor campaign:
Russian-speaking platform developers
- Every interface string in TMoscow Bot is Russian Cyrillic
- The name itself — "TMoscow" — reads as "Telegram + Moscow"
- FlokiNET Romania / Iceland hosting is a documented preference for Russian-speaking cybercrime communities
- Tucows as registrar for tmoscsupbot.com: a Western registrar with Seychelles privacy, matching Russian-speaking operator patterns rather than Chinese ones
Chinese-speaking affiliates
- Registrant name "jia wen shu" (贾文书?) from "Da Tong Shi" (Datong City, Shanxi, China) on americanexprecs-jp.club via reg.cn, a mainland Chinese registrar almost exclusively used by Chinese-speaking operators
- .icu TLD preference: .icu via Gname.com is the standard Chinese cybercrime domain posture (see also yesterday's Luo Quan Silver Fox post for the same TLD pattern)
- Historical hosting in Chinese cloud providers: Tencent Cloud (43.x.x.x range) and CTG Server Singapore (AS152194), both well-documented in Chinese-nexus cybercrime tradecraft
- The b1722fb0e1313e46s@yahoo.co.jp email on americamexpress-co-jp.com is a Japanese yahoo.co.jp address, suggestive of a Japan-resident operator. Note, though, that the domain is a .com registered through JPRS's gTLD registrar service, not a .co.jp, so the .co.jp residency rules do not apply to it and the actual operator could still be running remotely
The supply-chain read
Russian-speaking platform devs build the PhaaS toolkit. They operate the Telegram Mini App, maintain the panel code, run the admin infrastructure, and rent access to affiliate operators. Chinese-speaking affiliates rent the platform, pick a target brand from the catalog (Japanese financial institutions in this case), configure their preferred registrar / hosting combination, deploy the shared phishing kit, and coordinate kit requests with the platform through its ticketing system. Where harvested credentials are collected is not established by the frontend we scraped. Japanese financial institution customers are the victims. Three languages, three populations, one marketplace in the middle.
That supply-chain pattern is worth naming explicitly because it breaks the mental model of "Russian cybercrime vs. Chinese APT" that a lot of CTI analysis still defaults to. This is Russian tooling rented to Chinese operators targeting Japanese victims. Treat any "country attribution" from the victim side, the infrastructure side, or the language side with appropriate skepticism.
The 1f8f4166599d23ee Registrant Pivot
WHOIS registrant hashes are a feature some registrars and WHOIS data providers expose: the registrant PII is hashed into a short identifier so researchers can pivot on registrant identity without the provider exposing the underlying data. Two domains that carry the same hash from the same hashing source were registered with the same registrant fields. Two caveats apply before treating that as identity: a hash computed over a privacy-proxy placeholder collides between every customer of that proxy, so check that at least one record in the cluster carries real registrant data (here, the reg.cn record with a named registrant); and different providers hash different fields, so only compare hashes that come from the same source.
tmoscsupbot.com (the TMoscow Bot C2 platform) was registered under hash 1f8f4166599d23ee. The same hash appears on:
- americanexprecs-jp.club: the earliest known phishing domain in this campaign (April 2025, via reg.cn)
- americanexpreccs-jp.vip: a sibling phishing domain from May 2025
That's the direct link between the PhaaS platform and the phishing campaign. The same person / team that registered the TMoscow Bot control plane in March 2026 was the same person / team that registered the earliest-known phishing domains in the campaign twelve months earlier. Whoever runs the platform has been running this campaign since it began.
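The pivot above, as an added example that is not part of the original report or the authors' tooling: it clusters WHOIS records on registrant hash, reports each cluster's registrars and registration span, and flags clusters whose hash sits only on privacy-proxy placeholders, since such a hash is the proxy's identity rather than the customer's. The three 1f8f4166599d23ee domains and their dates come from this report; the other records, registrant strings and the second hash are invented.

```python
# Added example, not the report's code. Records are constructed; only the
# three 1f8f4166599d23ee domains and their creation dates come from the report.
from collections import defaultdict
from datetime import date

# Substrings that mark a registrant field as a proxy/privacy placeholder (assumed list).
PROXY_MARKERS = ("privacy", "proxy", "redacted", "withheld", "whoisguard")


def is_privacy_record(rec):
    """True when the visible registrant fields are a proxy/privacy placeholder."""
    blob = " ".join(str(rec.get(k, "")) for k in
                    ("registrant_name", "registrant_org", "registrant_email")).lower()
    return any(marker in blob for marker in PROXY_MARKERS)


def pivot_by_hash(records):
    """Group records on registrant_hash; return clusters of two or more domains,
    largest cluster first, oldest registration first inside each cluster."""
    by_hash = defaultdict(list)
    for rec in records:
        if rec.get("registrant_hash"):
            by_hash[rec["registrant_hash"]].append(rec)
    clusters = []
    for h, recs in by_hash.items():
        if len(recs) < 2:
            continue
        recs = sorted(recs, key=lambda r: r["created"])
        clusters.append({
            "hash": h,
            "domains": [r["domain"] for r in recs],
            "registrars": sorted({r["registrar"] for r in recs}),
            "first": recs[0]["created"],
            "last": recs[-1]["created"],
            "span_days": (recs[-1]["created"] - recs[0]["created"]).days,
            # A cluster made only of proxy placeholders is the proxy's identity,
            # not a registrant pivot; one record with real data rescues it.
            "privacy_proxy": all(is_privacy_record(r) for r in recs),
        })
    return sorted(clusters, key=lambda c: -len(c["domains"]))


SAMPLE_WHOIS = [
    {"domain": "americanexprecs-jp.club", "registrar": "reg.cn",
     "registrant_hash": "1f8f4166599d23ee", "registrant_name": "jia wen shu",
     "created": date(2025, 4, 28)},
    {"domain": "americanexpreccs-jp.vip", "registrar": "Gname.com",
     "registrant_hash": "1f8f4166599d23ee", "registrant_name": "",
     "created": date(2025, 5, 22)},
    {"domain": "tmoscsupbot.com", "registrar": "Tucows",
     "registrant_hash": "1f8f4166599d23ee",
     "registrant_org": "REDACTED (privacy)",   # placeholder string, constructed
     "created": date(2026, 3, 27)},
    # Invented: two unrelated domains behind the same privacy service.
    {"domain": "shop-one.example", "registrar": "Registrar X",
     "registrant_hash": "00aa11bb22cc33dd", "registrant_org": "Withheld for Privacy",
     "created": date(2025, 9, 1)},
    {"domain": "shop-two.example", "registrar": "Registrar X",
     "registrant_hash": "00aa11bb22cc33dd", "registrant_org": "Withheld for Privacy",
     "created": date(2025, 9, 3)},
    # Invented singleton: never forms a cluster.
    {"domain": "lonely.example", "registrar": "Registrar Y",
     "registrant_hash": "ffeeddccbbaa9988", "created": date(2026, 1, 1)},
]

if __name__ == "__main__":
    for cluster in pivot_by_hash(SAMPLE_WHOIS):
        print(cluster)
```

The 1f8f4166599d23ee cluster survives the privacy check only because the reg.cn record carries a named registrant; the invented 00aa11bb22cc33dd cluster is flagged, which is the outcome you want for two strangers behind one proxy service.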
The Japanese Financial Phishing Operation
Target brand set
| Brand | Legit domain | Phishing domains observed |
|---|---|---|
| American Express Japan | americanexpress.com/ja-jp | 15+ |
| SMBC / Sumitomo Mitsui Card (三井住友カード) | smbc-card.com | 20+ |
| JCB Card | jcb.co.jp | 5+ |
| SBI Securities (SBI証券) | sbisec.co.jp | 2+ |
| Rakuten Card (楽天カード) | rakuten-card.co.jp | 2+ |
| Saison Card (セゾンカード) | saisoncard.co.jp | 1+ |
| PayEasy (ペイジー) | pay-easy.jp | 1+ |
| Epos Card | eposcard.co.jp | 1+ |
| Ekinet (えきねっと) | eki-net.com | 1 (suspected) |
Every major Japanese consumer financial brand is on the target list. The phishing kit is multi-brand by design — the same template code adapts per brand by swapping the assets directory (amex_logo.png, banner_campaign.jpg, etc.) and keeping the shared マイアカウントにログイン ("Log in to My Account") page title as the kit fingerprint.
Shared phishing kit fingerprint
The asset structure is identical across every domain:
/assets/img/
├── amex_logo.png ← swapped per target brand
├── banner_campaign.jpg
├── login.png
├── menu.png
├── search.png
├── facebook.png
├── youtube.png
└── x.png
Plus an external resource load: the Japanese flag SVG from upload.wikimedia.org/wikipedia/en/9/9e/Flag_of_Japan.svg. That exact Wikipedia URL is a tight fingerprint: the actor hotlinks the flag rather than bundling it, so every phishing page in this campaign makes the same outbound request to upload.wikimedia.org for the same SVG resource, with the phishing domain in the Referer.
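The fingerprint above turned into a scorer, as an added example that is not the kit's code and not the authors' tooling: it parses a fetched page for the shared title, the /assets/img/ filenames and the Wikimedia flag hotlink, then weighs them against whether the serving host belongs to one of the impersonated brands. The two sample pages are constructed, and the weights and the match threshold are assumptions; the title alone is generic Japanese and will appear on legitimate login pages, so it is deliberately not enough on its own.

```python
# Added example, not the phishing kit's code. Sample pages are constructed;
# weights and threshold are assumptions.
from html.parser import HTMLParser

KIT_TITLE = "マイアカウントにログイン"          # "Log in to My Account"
KIT_ASSETS = {"amex_logo.png", "banner_campaign.jpg", "login.png", "menu.png",
              "search.png", "facebook.png", "youtube.png", "x.png"}
FLAG_SVG = "upload.wikimedia.org/wikipedia/en/9/9e/Flag_of_Japan.svg"
# Domains owned by the impersonated brands (from the target-brand table).
BRAND_DOMAINS = {"americanexpress.com", "smbc-card.com", "jcb.co.jp",
                 "sbisec.co.jp", "rakuten-card.co.jp", "saisoncard.co.jp",
                 "pay-easy.jp", "eposcard.co.jp", "eki-net.com"}


class _Collector(HTMLParser):
    """Pull the <title> text and every src/href/data-src URL out of a page."""

    def __init__(self):
        super().__init__()
        self.title_parts = []
        self.urls = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        for key, value in attrs:
            if key in ("src", "href", "data-src") and value:
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def is_brand_owned(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def score_page(html, origin_host):
    """Return fingerprint hits, a score and a verdict for one page.

    Assumed weights: title 1, each kit asset filename under /assets/img/ 1,
    the Wikimedia flag hotlink 2. Kit match needs score >= 3 on a host the
    brands do not own, so the generic title never matches by itself."""
    c = _Collector()
    c.feed(html)
    hits = {}
    if "".join(c.title_parts).strip() == KIT_TITLE:
        hits["title"] = True
    assets = sorted({u.rsplit("/", 1)[-1] for u in c.urls
                     if "/assets/img/" in u and u.rsplit("/", 1)[-1] in KIT_ASSETS})
    if assets:
        hits["assets"] = assets
    if any(FLAG_SVG in u for u in c.urls):
        hits["flag_svg"] = True
    score = int("title" in hits) + len(assets) + 2 * int("flag_svg" in hits)
    brand_owned = is_brand_owned(origin_host)
    if score == 0:
        verdict = "clean"
    elif brand_owned:
        verdict = "brand-owned"      # the real brand may legitimately use the title
    elif score >= 3:
        verdict = "kit-match"
    else:
        verdict = "suspicious"
    return {"host": origin_host, "brand_owned": brand_owned,
            "hits": hits, "score": score, "verdict": verdict}


# Constructed sample pages, not captures from the campaign.
PHISH_HTML = """<html><head><title>マイアカウントにログイン</title></head>
<body><img src="/assets/img/amex_logo.png"><img src="/assets/img/banner_campaign.jpg">
<img src="https://upload.wikimedia.org/wikipedia/en/9/9e/Flag_of_Japan.svg">
<a href="/assets/img/login.png">login</a></body></html>"""
TITLE_ONLY_HTML = """<html><head><title>マイアカウントにログイン</title></head>
<body><img src="/static/logo.png"></body></html>"""

if __name__ == "__main__":
    for host, page in (("mycard-smbc-co-jp.com", PHISH_HTML),
                       ("www.smbc-card.com", TITLE_ONLY_HTML),
                       ("example-login.net", TITLE_ONLY_HTML)):
        print(score_page(page, host))
```

Feed it the HTML you already have from URLScan or a sandboxed fetch; the verdict for a host the brand owns is reported separately so a legitimate login page carrying the same title does not land in the block list.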
Primary phishing factory — 193.218.200.212 Spartan Host
| Field | Value |
|---|---|
| IP | 193.218.200.212 |
| ASN | AS201106 — Spartan Host Ltd |
| Location | Seattle, US |
| OS | Ubuntu Linux |
| Web server | nginx 1.28.2 |
| SSH | OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 |
| TLS default cert | Self-signed Internet Widgits Pty Ltd, Some-State, AU (OpenSSL default) |
| Total domains on IP | 67+ |
| Confirmed malicious | 35+ |
| Default HTTP response | 403 Forbidden (SNI-based virtual hosting) |
193.218.200.212 is the single most prolific phishing factory on the cluster. Three dozen confirmed malicious domains, every major SMBC / Vpass / JCB / Rakuten / SBI variant in the IOC table below, are hosted on this one box. The default self-signed cert is the OpenSSL stub cert (Internet Widgits Pty Ltd, Some-State, AU), which means the operator generated certs for the virtual hosts but never bothered to replace the catch-all fallback cert. It's a "nobody's scanning port 443 on an IP without an SNI" attitude that holds up until someone actually scans. For hunters the fallback cert is itself the tell: a connection to the bare IP without SNI returns the OpenSSL placeholder, and the real virtual-host names only surface when you supply SNI for a candidate domain or pull the per-host Let's Encrypt certs from CT logs.
Five total infrastructure clusters
| Cluster | IP | Provider | Role |
|---|---|---|---|
| A (primary factory) | 193.218.200.212 | Spartan Host (US) | 35+ phishing domains, SMBC+JCB+Rakuten+SBI |
| B (C2 platform) | 185.146.233.207 | FlokiNET (Romania) | TMoscow Bot panel + amex-support-jp domains |
| C (JP cloud) | 160.251.185.96 | GMO Internet (Japan) | AmEx + Saison phishing on Japanese infrastructure |
| D (Chinese-nexus) | 134.122.160.221 | CTG Server (Singapore) | .icu TLD cluster (ae-amex, bilibili-epos, fukuokajapancheck) |
| E (target — AmEx EN) | 34.111.179.208 | Google Cloud | americanexpress-japan.com (now taken down) |
Plus Oracle Cloud Japan (info-payeasy.com) and historical Tencent Cloud hosting in the 12-month trail.
The b1722fb0e1313e46s@yahoo.co.jp OPSEC Leak
americamexpress-co-jp.com (note the a→am typosquat) is a .com, not a .co.jp: it was registered through JPRS acting as an ICANN-accredited gTLD registrar (hence the gtld-abuse@jprs.jp contact in the disclosure list), not under the .jp registry rules that tie .co.jp registrations to a Japan-based organization. The registrant info on the domain is not privacy-protected and exposes:
- Email: b1722fb0e1313e46s@yahoo.co.jp
- Registrant jurisdiction: Setagaya, Tokyo, Japan (a residential ward in western Tokyo)
The email prefix (b1722fb0e1313e46s) is clearly a randomized disposable address, 17 alphanumeric characters, not a human-chosen username. But yahoo.co.jp is a Japanese Yahoo service, the registrant ward is a real Tokyo location, and JPRS markets its gTLD registrar service to Japanese customers through Japanese resellers. Whether the contact data was validated at registration is not something we can confirm, so three readings remain open:
- The operator is resident in Japan (or has a confederate who is) and registered this one domain under their real contact details
- The operator used a proxy identity in Japan through a reseller / individual who fronts registrations for clients
- The operator used a stolen / compromised Japanese identity, or a fabricated Japanese address that was never checked
All three readings are consistent with what we see: a team with cross-border reach, infrastructure tenancy in multiple countries, and at least enough Japan-side logistics to register through a Japanese registrar channel once.
The Four OPSEC Failures Stacked
| # | Failure | Impact |
|---|---|---|
| 1 | Registrant hash reuse 1f8f4166599d23ee linking tmoscsupbot.com to americanexprecs-jp.club + americanexpreccs-jp.vip | Direct platform-to-earliest-phishing-domains attribution |
| 2 | Admin email leak b1722fb0e1313e46s@yahoo.co.jp on JPRS WHOIS for americamexpress-co-jp.com | Setagaya Tokyo geolocation anchor |
| 3 | Chinese registrant name "jia wen shu" / Da Tong Shi on americanexprecs-jp.club via reg.cn | Chinese-speaker attribution anchor |
| 4 | Unauthenticated TMoscow Bot frontend — /admin/ and /health both reachable without auth | Full platform HTML/JS/CSS + backend stack leaked (Node.js + Prisma, uptime, storage mode) |
Any one of those would be a soft lead on its own. Four of them stacked on the same campaign, with one that binds the March 2026 C2 platform to the April 2025 earliest-phishing-domains, is what makes this publishable as an operator cluster rather than just an IOC dump.
Timeline
| Date | Event |
|---|---|
| 2025-04-28 | Earliest known phishing domain: americanexprecs-jp.club (reg.cn, 贾文书 Datong) |
| 2025-05-22 | americanexpreccs-jp.vip (Gname, same registrant hash) |
| 2025-06 → 2025-08 | Deployment on Chinese .cn domains hosted on Tencent Cloud (43.x.x.x) |
| 2025-10-03 | supercalifragili.p1y3f47mp.com — Tencent Cloud |
| 2025-12-18 / 2025-12-23 | amex-support-jp.* cluster stands up on FlokiNET (Porkbun registrations) |
| 2025-12-30 | americanexpress-japan.com on Google Cloud (Name.com registration) |
| 2026-01-22 | americamexpress-co-jp.com registered via JPRS with b1722fb0e1313e46s@yahoo.co.jp |
| 2026-01-22 → 2026-03-28 | Massive deployment on Spartan Host 193.218.200.212 — SMBC / JCB / SBI / Rakuten |
| 2026-03-06 | info-payeasy.com on Oracle Cloud Japan |
| 2026-03-21 | americanexpress-site.com on Cloudflare |
| 2026-03-26 | americanexpress-login.com on GMO Internet JP |
| 2026-03-27 | tmoscsupbot.com registered via Tucows (Seychelles privacy hash 1f8f4166599d23ee) |
| 2026-03-28 | Let's Encrypt E8 cert issued for tmoscsupbot.com; saison-netanswer.jp appears on GMO Internet |
| 2026-04-08 | TMoscow Bot platform last-build timestamp — active development ongoing |
| 2026-04-09 | GHOST investigation, this post |
Nearly twelve months from the earliest known phishing domain (2025-04-28) to the registration of the C2 platform (2026-03-27), with continuous activity through the interval. This is not a burn-and-rebuild operation; it's a steady-state PhaaS business.
Confidence Table
| Claim | Confidence | Basis |
|---|---|---|
| tmoscsupbot.com is a Telegram Mini App PhaaS platform | HIGH | Full UI scraped, Russian RBAC / trust scoring / ticket workflow visible |
| The platform runs Node.js + Prisma backend | HIGH | /health endpoint leak |
| Registrant hash 1f8f4166599d23ee links the C2 platform to April 2025 phishing domains | HIGH | Direct WHOIS hash match across three domains |
| Russian-speaking platform developers | HIGH | Entire UI in Russian Cyrillic |
| Chinese-speaking affiliate operators | MEDIUM-HIGH | Registrant names in Chinese, reg.cn registrar, .icu TLD preference, Chinese cloud history |
| Cross-lingual PhaaS supply chain | MEDIUM-HIGH | Russian platform + Chinese operators + Japanese victims maps cleanly |
| b1722fb0e1313e46s@yahoo.co.jp is tied to a Setagaya Tokyo resident | MEDIUM | Could be real, proxy, compromised or fabricated identity; the domain is a .com, so no .co.jp residency check applies |
| 35+ confirmed malicious domains on 193.218.200.212 are all this operator | HIGH | Shared phishing kit signature, common asset paths, matching page titles |
Detection & Hunting
Block list
# C2 platform
tmoscsupbot.com
185.146.233.207
# Primary phishing factory
193.218.200.212
# Japanese cloud phishing
160.251.185.96
# Known AmEx Japan typosquats
americamexpress-co-jp.com
americanexpress-co-jp.com
americanexpress-login.com
americanexpress-site.com
americanexpress-japan.com
amex-support-jp.online
amex-support-jp.lol
amex-support-jp.pics
amex-support-jp.lat
secure-amex-update.site
# SMBC / Vpass typosquats
mysmbc-co-jp.com
smbczxx.com
mycard-smbc-jp.com
mycard-smbc-co-jp.com
macard-smbc-co-jp.com
smadmin-co-jp.com
mycardvpass-co-jp.com
mycard-vpss-co.com
vpass-info-jp.com
smbc-vpass-info.com
vpass-smbcard-jp.com
vpass-smbccard.com
smbcard-co-vpass.com
account-smbccard-jp.com
smbccard-vpass-jp.com
# JCB
myjcb-card-jp.com
jcb-card-jp.com
jcbcard-co-jp.com
# SBI Securities
sbisec-ne-jp.com
# Rakuten Card
rakutencard-co.com
takuten-co-jp.com
# Saison
saison-netanswer.jp
# PayEasy
info-payeasy.com
Hunting queries
- Title hunt: any page titled マイアカウントにログイン served from a non-brand-owned domain is the phishing-kit fingerprint. On its own the title is generic Japanese and will match legitimate login pages, so pair it with the asset or SVG hunt before blocking
- Asset hunt: any request for /assets/img/amex_logo.png (or sibling filenames in the kit) on an origin the brands do not own
- External SVG hunt: any request for upload.wikimedia.org/wikipedia/en/9/9e/Flag_of_Japan.svg carrying a non-Wikipedia / non-Wikimedia Referer; that Wikipedia hotlink is the kit's flag asset, and the Referer names the phishing page
- Registrant hash hunt: any new domain registered under hash 1f8f4166599d23ee at any provider that exposes the same hashes
- WHOIS hunt: any new registration with b1722fb0e1313e46s@yahoo.co.jp as the contact address
- Spartan Host AS201106 hunt: any TLS traffic to Spartan Host IPs, on any port, presenting SNI for Japanese financial brand typosquats
- FlokiNET AS200651 hunt: any traffic to 185.146.233.207 matching the nginx/1.24.0 + Node.js / Prisma backend signature
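The block list and hunting rules above, run over proxy-log lines, as an added example that is not part of the original report and not the authors' tooling. The log lines and their tab-separated schema (timestamp, client, destination IP, host, method, path, Referer) are constructed, the domain lists are trimmed from the block list above, and the ASN-based hunts are left out because they need an external IP-to-ASN lookup. The flag-hotlink rule attributes the hit to the referring page rather than to upload.wikimedia.org, which is the point of that rule.

```python
# Added example, not the report's tooling. Log lines and schema are constructed;
# the indicator lists are a subset of the block list in this report.
from collections import defaultdict
from urllib.parse import urlparse

BLOCK_IPS = {"185.146.233.207", "193.218.200.212", "160.251.185.96"}
BLOCK_DOMAINS = {"tmoscsupbot.com", "americanexpress-login.com",
                 "mycard-smbc-co-jp.com", "vpass-info-jp.com", "info-payeasy.com"}
KIT_ASSETS = {"amex_logo.png", "banner_campaign.jpg", "login.png", "menu.png",
              "search.png", "facebook.png", "youtube.png", "x.png"}
FLAG_SVG_PATH = "/wikipedia/en/9/9e/Flag_of_Japan.svg"
BRAND_DOMAINS = {"americanexpress.com", "smbc-card.com", "jcb.co.jp",
                 "sbisec.co.jp", "rakuten-card.co.jp", "eposcard.co.jp"}
WIKI_DOMAINS = {"wikipedia.org", "wikimedia.org"}


def under(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Assumed schema: ts, client, dst_ip, host, method, path, referer (tab-separated)."""
    ts, client, dst_ip, host, method, path, referer = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "dst_ip": dst_ip, "host": host,
            "method": method, "path": path, "referer": referer}


def hunt(rec):
    """Return (rule, indicator) pairs that fire on one parsed log record."""
    hits = []
    if rec["dst_ip"] in BLOCK_IPS:
        hits.append(("blocklisted-ip", rec["dst_ip"]))
    if under(rec["host"], BLOCK_DOMAINS):
        hits.append(("blocklisted-domain", rec["host"]))
    basename = rec["path"].rsplit("/", 1)[-1]
    if (rec["path"].startswith("/assets/img/") and basename in KIT_ASSETS
            and not under(rec["host"], BRAND_DOMAINS)):
        hits.append(("kit-asset", rec["host"]))
    # Flag hotlink: the suspect is the referring page, not upload.wikimedia.org.
    if rec["host"] == "upload.wikimedia.org" and rec["path"] == FLAG_SVG_PATH:
        ref_host = urlparse(rec["referer"]).hostname or ""
        if ref_host and not under(ref_host, WIKI_DOMAINS):
            hits.append(("flag-hotlink", ref_host))
    return hits


def hunt_log(lines):
    """Map each client with at least one hit to its list of (ts, rule, indicator)."""
    findings = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        for rule, indicator in hunt(rec):
            findings[rec["client"]].append((rec["ts"], rule, indicator))
    return dict(findings)


# Constructed log lines; 198.51.100.7 and 203.0.113.4 are documentation addresses.
SAMPLE_LOG = [
    "2026-04-09T01:00:00Z\t10.0.0.5\t193.218.200.212\tmycard-smbc-co-jp.com\tGET\t/\t-",
    "2026-04-09T01:00:01Z\t10.0.0.5\t193.218.200.212\tmycard-smbc-co-jp.com\tGET\t/assets/img/amex_logo.png\thttps://mycard-smbc-co-jp.com/",
    "2026-04-09T01:00:02Z\t10.0.0.5\t198.51.100.7\tupload.wikimedia.org\tGET\t/wikipedia/en/9/9e/Flag_of_Japan.svg\thttps://mycard-smbc-co-jp.com/",
    "2026-04-09T01:05:00Z\t10.0.0.9\t198.51.100.7\tupload.wikimedia.org\tGET\t/wikipedia/en/9/9e/Flag_of_Japan.svg\thttps://en.wikipedia.org/wiki/Japan",
    "2026-04-09T01:06:00Z\t10.0.0.9\t203.0.113.4\twww.americanexpress.com\tGET\t/assets/img/login.png\t-",
]

if __name__ == "__main__":
    for client, events in hunt_log(SAMPLE_LOG).items():
        print(client, events)
```

Only the client that touched the Spartan Host box and then hotlinked the flag from a typosquat domain surfaces; the Wikipedia reader and the real American Express host generate nothing, which is the false-positive behaviour you want before wiring these rules into a SIEM.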
TMoscow Bot panel signature
For researchers wanting to fingerprint other TMoscow-like panels:
- Russian-language RBAC strings: Главный администратор, Трейдер, Сотрудник
- Trust scoring strings: Очень доверенный, Скам
- Ticket workflow: Новая, В работе, Выполнено, Отклонена
- Prisma ORM exposed via /health
- 10-file upload limit on software distribution
- Telegram Mini App integration hooks
Disclosure
- JPCERT/CC — primary victim-side notification for the Japanese financial sector
- Japanese Financial Services Agency — regulatory notification
- Spartan Host Ltd abuse (abuse@spartanhost.net) for 193.218.200.212
- FlokiNET abuse (abuse@flokinet.is) for 185.146.233.207, the TMoscow Bot C2 + phishing cluster
- GMO Internet / Onamae abuse (abuse@internet.gmo) for the GMO-hosted phishing domains
- Tucows abuse for the tmoscsupbot.com registration
- Cloudflare Registrar for AmEx typosquats
- JPRS (gtld-abuse@jprs.jp) for americamexpress-co-jp.com
- Let's Encrypt for cert issuance on phishing domains
- Affected brands directly: American Express, SMBC, JCB, SBI Securities, Rakuten, Saison, Epos, PayEasy
Prior art
- @volrant136's April 8 lead on famericanexpress-site.com, the original IOC that seeded this investigation
- Prior URLScan community captures of the shared phishing kit title マイアカウントにログイン (1,933 total observations spanning March 2024 → April 2026)
If you've previously published reporting on TMoscow Bot, the 1f8f4166599d23ee registrant hash, the "jia wen shu" registrant name, the Setagaya b1722fb0e1313e46s@yahoo.co.jp anchor, or the specific shared-kit Japanese financial phishing campaign covered here, please reply or DM — we'll update and credit.
GHOST — Breakglass Intelligence "One indicator. Total infrastructure."