Analysis of a Fake Cloudflare Turnstile Used as a Traffic Filtering Gate

January 7, 2026 Anurag GawandeLeave a comment

Overview

During analysis of a phishing URL chain, I observed a fake Cloudflare Turnstile verification page acting as an intelligent traffic filtering gate. Rather than protecting a website, this page selectively blocks, redirects, or allows access based on geolocation, proxy usage, and browser fingerprinting.

This phishing infrastructure demonstrates Traffic Distribution System like behavior commonly used in modern phishing and scam operations to evade security researchers, sandboxes, and automated crawlers while delivering payloads only to high-confidence victims.

Redirection Chain

The Cloudflare page is not legitimate and does not load any official Turnstile JavaScript. Instead, it is a static imitation combined with heavy client side fingerprinting.

Fake Cloudflare Verification Page

The landing page is designed to closely mimic a legitimate Cloudflare interstitial, creating a false sense of trust for the victim. It displays the French language title “Un instant…“, along with Cloudflare style branding and logos to appear authentic. A fake human verification checkbox labeled “Vérifiez que vous êtes humain” is presented, imitating Cloudflare’s Turnstile challenge, despite performing no real validation. The page also shows a fabricated Ray ID, a detail commonly associated with genuine Cloudflare error or verification pages. To further reinforce legitimacy, the attackers include links pointing to real Cloudflare policy and documentation pages, a tactic intended to reduce suspicion and bypass casual scrutiny by users and automated scanners alike.

However, no real Turnstile challenge exists. All logic is client side JavaScript + server side decision APIs, not Cloudflare infrastructure.

Browser Fingerprinting & Bot Detection

Once the page loads, the script silently collects a detailed browser fingerprint, including:

navigator.userAgent
navigator.webdriver (Selenium / automation detection)
Headless browser indicators
Plugin count and language settings
WebGL vendor and renderer (VM / sandbox detection)
LocalStorage and SessionStorage availability
Timezone information
Honeypot fields (website, email-confirm) to detect autofill bots

All of this data is packaged and exfiltrated to backend endpoints such as:

/_internal/base/validation/collect_info.php
/_internal/api/dashboard.php

Geo Blocking and Proxy Detection

Using Fiddler with different exit locations, the server’s decision engine responses were captured. These responses clearly show country based blocking and proxy detection logic.

This confirms explicit detection of hosting providers, VPNs, and proxy infrastructure, even when traffic originates from France.

Decoy Redirect Behavior

If a visitor is classified as blocked or suspicious, the page redirects to:

hxxps://www.mediapart.fr

This serves multiple purposes:

Makes the site appear benign during casual inspection
Misleads analysts and automated scanners
Prevents security tools from accessing the real phishing content

Only approved traffic (likely residential French IPs, real browsers) proceeds to the malicious landing page.

Why France?

Several indicators strongly suggest that this phishing infrastructure is specifically oriented toward French users. The landing page content and interface are fully localized in French (fr_FR), indicating deliberate language targeting rather than generic reuse. Access behavior appears to follow a country based allow list model, where visitors from non-French regions are blocked or redirected. When access conditions are not met, the site redirects to a well-known French news outlet as a decoy, helping the infrastructure appear benign during casual checks. Additionally, all CAPTCHA elements and user interface text are presented entirely in French, reinforcing the assessment that this setup is designed to blend seamlessly into a French browsing context and evade suspicion among local users.

Infrastructure Observations

Both domains involved in the redirect chain were newly registered on 2026-01-06.

Detection And Hunting Notes

Defenders should look for:

Fake Cloudflare Turnstile pages without official Cloudflare JS
Hidden honeypot form fields
/collect_info.php or /dashboard.php?action=visit patterns
Conditional redirects to legitimate news sites
Different behavior between residential vs proxy IPs

Confirmed malicious phishing traffic distribution system.

This is not a Cloudflare protection page.
It is a selective traffic gate designed to evade analysis and deliver phishing content only to real victims.

Source

Large-Scale Parasite SEO Campaign Using Amazon Style Pages on Cloudflare Pages

January 5, 2026 Anurag GawandeLeave a comment

Overview

This blog documents a large-scale parasite SEO (search engine poisoning) campaign identified across dozens of domains hosted on Cloudflare Pages.

The campaign relies on a reused malicious HTML template that impersonates Amazon style product pages, injects gambling related SEO spam, and abuses canonical, Open Graph, and structured data fields to hijack the reputation of unrelated legitimate websites.

Analysis using urlscan hash searches confirms that the same page template is deployed at scale, with only the embedded “legitimate” URL changing between deployments. This behavior indicates an automated SEO spam operation, not isolated compromise.

Notably, the template also embeds a legitimate Amazon sign-in URL, further reinforcing the illusion of authenticity and increasing the phishing risk surface.

No direct credential harvesting or malware delivery was observed. Nevertheless, the activity is malicious by intent, designed to manipulate search rankings and mislead both users and search engines.

Campaign Overview

The campaign combines multiple well-known SEO abuse techniques:

Fake Amazon product page URL structures
Free static hosting infrastructure (primarily Cloudflare Pages)
Gambling keyword injection (e.g., slot gacor, JUDOLBET88)
Canonical and Open Graph metadata pointing to unrelated trusted websites
Hidden backlink farms to inflate SEO signals
Embedded legitimate links to trusted services (Amazon sign-in)

Amazon Product Page Impersonation

A representative example observed in this campaign:

/dp/B08ZJVVMT4?ref=MarsFS_eero_en

Key indicators:

/dp/<ASIN> is specific to Amazon product URLs
ref= parameters mimic Amazon referral tracking
No legitimate product details, pricing, or checkout functionality exists

These URLs are crafted solely to exploit search engine familiarity and trust, not to serve users.

Embedded Amazon Sign-In Link (Risk Amplifier)

One critical finding in the analyzed html(landing page) template is the presence of a real Amazon sign-in URL:

hxxps://www.amazon.com.au/ap/signin?openid.return_to\u003dhttps%3A%2F%2Fwww.amazon.com.au%2FAmazon-dual-band-Wi-Fi-router-Charcoal%2Fproduct-reviews%2FB0DG4WZZPV%3Fie%3DUTF8\u0026openid.identity\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select\u0026openid.assoc_handle\u003dauflex\u0026openid.mode\u003dcheckid_setup\u0026marketPlaceId\u003dA39IBJ37TRP1C6\u0026language\u003den\u0026openid.claimed_id\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select\u0026openid.ns\u003dhttp%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0

Although the link itself points to a legitimate Amazon domain, its inclusion serves several malicious purposes:

Trust reinforcement – Users who notice an Amazon login link may assume the page itself is legitimate.
Phishing pre-conditioning – The page trains users to expect Amazon authentication, lowering suspicion if future variants introduce credential-harvesting overlays or fake login forms.
Search engine deception – Legitimate outbound links to trusted brands can reduce automated suspicion and increase perceived legitimacy.

Infrastructure Abuse: Cloudflare Pages

A significant portion of the identified pages are hosted on pages.dev, indicating widespread abuse of Cloudflare Pages.

Why attackers favor this platform:

Attackers increasingly favor this platform because it offers free and frictionless deployment, allowing malicious infrastructure to be spun up with minimal effort or cost. The ability to rapidly propagate and clone sites enables large-scale campaigns using identical templates across numerous URLs. Built-in HTTPS support lends a false sense of legitimacy to victims while reducing setup overhead for attackers. Finally, takedown at scale is challenging without direct provider intervention, making the infrastructure resilient and attractive for sustained phishing and social-engineering operations.

The presence of identical HTML hashes across multiple pages.dev sites strongly suggests automated mass deployment.

Reputation Hijacking via Metadata Manipulation

One of the most critical behaviors in this campaign is the deliberate misuse of trusted third-party websites via metadata fields:

canonical
og:url
Structured data (Organization url)

In each deployment, these fields are set to different legitimate, unrelated websites, including:

Government portals
Educational institutions
Corporate websites
NGOs and public services

Why this technique is effective

Search engines treat canonical and structured data fields as strong trust signals. By embedding legitimate URLs, attackers attempt to:

Launder authority into spam pages
Artificially boost ranking
Associate gambling content with reputable entities
Pollute search results tied to trusted sites

The rotation of abused legitimate URLs across deployments confirms this is intentional and systematic, not accidental misconfiguration.

Template Reuse at Scale (urlscan Evidence)

Using urlscan hash-based searching, numerous sites were identified that share the same HTML fingerprint, indicating widespread reuse of a single template. These pages exhibit an identical DOM structure, contain the same hidden link blocks, and reuse identical SEO spam content across deployments. The only meaningful difference between each instance is the abused “legitimate” URL embedded into the template, highlighting automated cloning and large-scale propagation of the campaign.

This strongly confirms the presence of centralized template generation, with a single source producing identical page structures across multiple deployments. The consistent reuse further indicates automated deployment mechanisms, enabling rapid and large-scale rollout of these pages. Together, these patterns point to clear campaign level coordination, rather than isolated or opportunistic activity.

Such behavior is typical of industrial SEO poisoning operations.

Hidden Link Farm Injection

Each page contains a hidden HTML section (display:none) populated with:

Dozens of gambling-related anchor texts
Links pointing to the selected legitimate website for that deployment

Hidden link farms are a strong indicator of malicious SEO activity, designed to manipulate backlink metrics without user visibility.

Hidden Gambling Keyword

SLOT888, NAGATOTO, ANGKANET, ANGKABET, LADANGTOTO, BRI4D, SULE4D, WD YUK, OVOGG, GASING77, BROMO777, AGEN88, HQTOTO805, INFINI88, LAWU88, KENZO88, RAPI88, BETON88, KUDA4D, RAJA4D, LOTUS88, GIGA88, SULE88, TAMBANG88, MINION88, DEWA99, DEWA333, DEWATOTO, RAJA PAITO, RAJAJUDI, RAJAJP, RAJADEWA55, PADUKARAJA, WEBINI33, HYPE168, BOLA88, DEVIL666, 91DEWA, RAJA111, ROG777, TOTO77, TOP1TOTO, IBC4D, KIPASWIN, VANTASLOT, MANGJP, SAVEFROM IG, YANDEX EU, DAUN77, RAJAKOI, BIMABET, IDCASH, REDMITOTO, MEGA228, MEGAWIN228, INDOLOTTERY88, AMERIKATOTO, AMERIKA TOTO, BOLA GACOR, DADU ONLINE, DEWA666, WDBOS, SURYA123, RAYA123, JARWO123, MANCINGDUIT, MANCING DUIT, PANGKALANTOTO, NAGASAON, KAOS TOGEL, WOLES TOGEL, VESPA TOGEL, PINTU TOGEL, NADIMTOGEL, OMUTOGEL, DAYAK77, ALEXISTOGEL77, SASARANJITU, EUROTOGEL, JEBOLTOGEL, GENGTOTO, FENDI188, BIGWIN, MEGAWIN, MAHAZEUS, HARTA500, RTP JOSTOTO, ARYA88, NANASTOTO, DEPOBOS, JEJUSLOT, TARIKWDKU88, IDN SLOT, IDN POKER, SLOT88, SLOT88 RESMI, SLOT ONLINE, SLOT GACOR, SLOT THAILAND, SITUS TOGEL, TOTO TOGEL, TOTO SLOT, TOTO 4D, TOGEL ONLINE, TOGEL 4D, LUNA TOGEL, SITUS RAFFI AHMAD, SITUS TOTO 4D, SITUS TOGEL 4D, SITUS TOTO TOGEL, SITUS TOGEL TERBESAR, SITUS TOGEL RESMI, SITUS TOGEL TERPERCAYA, SLOT DEPO 10k, SLOT DEPO 10000, DEPO 10 BONUS 10, DEPO 20 BONUS 20, PADI777, SGP777, MPO100, MPO222, MPO007, MPOCASH, MPONUSA, MPO888, MPO77, MPOGACOR, LOS303, POS4D, OLLO4D, GAJAH77, DOLAR168, STARBET77, PANDAWA138, ZET77, KINGBET88, PERI909, ALADIN88, LIGA303, SITOOLS88, MPOJUTA, HAKIM77, SPBO, JET777, MINO4D, KOKO333, BATMAN123, MAXPRO88, MAMI188 LOGIN, TANAH4D, BAGONG88, IMPIAN888, SLOTONLINE, TEKTOK4D, MPO69, SLOTRESMI, PARTNER4D, MANJA88, PASUKAN99, TOOLS367, DAYANG4D, DEWABET138, HORMAT88, BUMI33, ROYALBET, ROYAL51, PAIRBET, WALET789, SULTAN99, MENARA88, SUBUR89, JOKER555, ZONA138, SARANATOGEL, SLOTGOPAY, 888WIN, SLOTQQ, SUPERSPIN555, QQZEUS, SOLO4D, 4DTOGEL, 88ASIA, SUPERWD, OLO4D, 4DASIA, QQ88, PINTU4D, QQ888, BETTOGEL, CAPIT4D, BOLASIAR, BADAI4D, ASIA118, MBO777, BIG365, ASOKA88, JURAGAN69, SUHU189, SUHU69, SUHUTOTO, KLIKSLOT, OLX888, PREMANSLOT, SAKTI123, RATUMACAU, KANTORBOLA, MT777, JP777, MPO99, ASIA4D, DEWA4D, STAR777, MPO4D, 75WBET, 56KBET, 55KBET, 55BET, 33BET, 777LIVE, 777BET, PC777, INA777, GM777, DEWAGACOR, HOKI88, HOKI188, PAY4D, ASIABET88, SKY777, JP88, 188BET, GACOR4D, SLOT303, SLOT77, DEWI78, UNYIL4D, JOSTOTO, ASIASLOT, SLOT99, BOS4D, AGEN188, AHA4D, STARSLOT, CUANSLOT, SITUS4D, PASARBARIS, WIN888, WIN777, BET77, BET88, IDNSLOT, 999BET, TOPSLOT, JUARASLOT, AGEN168, SLOT121, RAJA777, 77SLOT, PGSOFT, 88SLOT, ADA777, NEKO77, DRAGON77, INDOWIN, HOKI303, GACOR303, BET188, SLOTCUAN, AGENSLOT, RTPSLOT, VIRAL4D, JP4D, 100TOGEL, GBO138, DOSENTOTO, PARITOTO, JUDOLBET, GACOR888, HAHA303, KOKO288, AIRBET, ASIA303, TOKOWIN99, VIOBET, PRAGMATIC77, VIRAL99, GENG88, GOKIL303, GRAND77, SENIOR4D, XXTOTO, MILD88, DEWAASIA, BOSS88, INDOMASTER88, WADAH4D, CUAN368, BOLAPELANGI, FAIRTOTO, BINTANGMPO, AKARSLOT, SBOTOP, PITASLOT, KAISAR88, JAZZ188, ASIAPLAY, KAPTEN33, CRAZYRICH88, MESSIPOKER, SALDO4D, SURAT4D, REDWIN69, HOMEBET88, PG TOTO, DANA TOTO, MPO SLOT, NEXUS SLOT, SLOT TOGEL, SLOT MAXWIN, SLOT 777, gacor303, slot303, SLOT DEPO 10K, SLOT HOKI, HOKI SLOT, SLOT GACOR 5000, TOGEL HK, JUDOLBET88, SLOT BRI, SLOT BCA, PRAGMATIC PLAY, JAYASLOT, LINK GACOR, HONDA4D, SARANGSBOBET, ALEXIS4D, LEVIS4D, PULAU88, GGPLAY88, INI SLOT 88, PLAYKING88, JAM GACOR DAN POLA OLYMPUS, JAM GACOR MAXWIN, JAM GACOR SLOT MAHJONG WAYS 1, JAM GACOR SUGAR MAXWIN, JAM JACKPOT SLOT, OLX123, IWANTOTO, SLOT88JP, GACOR88, RATUBET, RAJABET, JUDI4D, BANDARTOTO, SLOTASIAN, DANAGACOR, TOTO888, TOTO303, TOTO777, JUARABET, ASUAGACOR, 4DTOTO, DANA888, PGSLOT, JUDI2D, AGEN2D, EMAS4D, RACUNSLOT, MASTER77, GACOR168, SLOTASIA88, JUDITOTO, FAFABET, GACOR999, BET89, SLOT22

The presence of hundreds of gambling keywords hidden from users but visible to crawlers is one of the strongest static indicators of malicious SEO activity, even in the absence of malware or credential harvesting code.

Indicators of Compromise (IOCs)

Domains

*.pages.dev

Behavioral Patterns

/dp/B0
pages.dev/dp/
Canonical: unrelated trusted domain
Embedded legitimate sign-in URL

This campaign represents a coordinated parasite SEO operation that combines brand impersonation, reputation hijacking, and infrastructure abuse.
While no direct credential theft was observed, the inclusion of a legitimate Amazon sign-in link significantly increases the phishing risk potential, indicating a design that is deceptive by intent and easily extensible into active scams.

Fake WordPress Domain Renewal Phishing Email Stealing Credit Card And 3-D Secure OTP

December 31, 2025December 31, 2025 Anurag Gawande5 Comments

Overview

I investigated a phishing email impersonating WordPress.com that claims a domain renewal is due soon and urges immediate action to prevent service disruption. The campaign leads victims to a fake WordPress payment portal hosted on attacker infrastructure and performs theft of credit card details and 3-D Secure OTPs, which are exfiltrated to the attacker via Telegram.

Phishing Email Analysis

Subject: Renewal due soon – Action required

Key red flags in the email:

A critical red flag in this email is the absence of any specific domain name, which is highly unusual for a legitimate renewal notice. The message relies heavily on urgency-based language such as “Action required” to pressure the recipient into acting quickly, while using a generic greeting instead of addressing the actual account holder or domain. The call-to-action button redirects users away from genuine WordPress infrastructure to an external site, further indicating malicious intent. Despite these warning signs, the email maintains a polished and professional tone, a tactic commonly used by phishing campaigns to evade spam filters and appear credible to unsuspecting users.

The email attempts to create panic by suggesting website and email disruption, pushing users to act without verification.

Phishing Landing Page & UI Impersonation

Victims are redirected to:

hxxps://soyfix[.]com/log/log/

The phishing page is carefully designed to visually mimic a legitimate WordPress checkout flow, creating a false sense of trust for the victim. It displays familiar elements such as a “Secure order validation” banner and a seemingly valid domain registration for one year. The pricing breakdown appears realistic and professional, listing a subtotal of 13 US$, VAT at 21% amounting to 2.73 US$, and a final total of 15.73 US$. This level of detail is intentionally used to make the transaction appear authentic and to persuade users to proceed with entering their payment information.

Notably missing: the actual domain name being “renewed”.

Credit Card Harvesting Logic

Upon clicking Pay Now, the JavaScript collects:

Cardholder Name
Card Number
Expiry Date
CVV

The data is sent via a POST request to:

send_payment.php

Despite the generic filename, console messages and code comments explicitly state the data is forwarded to Telegram, indicating the attacker is using a Telegram bot/channel as a Command & Control (C2) exfiltration mechanism.

This confirms immediate card data theft at the moment of submission.

Fake 3-D Secure Verification & OTP Theft

After card submission, the site displays a convincing fake 3-D Secure modal showing:

Merchant: WordPress Inc
Transaction reference
Date/time
Amount: 15.73 $

The victim is prompted to enter an SMS OTP, which is then:

Validated only for length (6 digits)
Sent to:

send_sms.php

Exfiltrated to Telegram, as indicated in code comments and console logs

The page always returns “Verification failed”, forcing victims to re-enter OTPs, allowing attackers to harvest multiple valid codes.

Deception & Trust-Building Techniques

The script deliberately simulates legitimate banking behavior:

7 second loading screen after payment

4 second “verification processing” delay

Branded VISA / MasterCard / AMEX logos
Repeated OTP retry loop

These delays are psychological trust mechanisms, making the attack appear authentic and reducing user suspicion.

Telegram as Exfiltration Channel

This campaign deliberately avoids traditional command-and-control (C2) infrastructure by abusing lightweight PHP endpoints as relay points and forwarding stolen data directly to Telegram bots or channels. Through this mechanism, attackers can receive highly sensitive information including credit card details, one-time passwords (OTPs), and potentially additional victim metadata such as IP addresses and user-agent strings. Telegram based exfiltration has become increasingly popular among threat actors because it is easy to set up, uses encrypted transport by default, incurs minimal infrastructure costs, and is significantly harder to disrupt or take down compared to conventional hosted C2 panels.

Email Header Analysis

Display name impersonates WordPress
Actual sender domain: theyounginevitables[.]com
No affiliation with WordPress / Automattic

This is brand impersonation via display name spoofing.

Originating IP

217.160.125.42

Relayed via

smtp.aliyun-inc.com
out25-220.sg.a.dm.aliyun.com (8.219.25.220)

Observations

Infrastructure hosted on Alibaba Cloud (Aliyun)
Commonly abused for:
- Bulk phishing
- Scam campaigns
- Low-cost SMTP relays

Authentication Results

spf=pass

dkim=pass
d=theyounginevitables.com
s=aliyun-ap-southeast-1

dmarc=pass (p=NONE)

Sending IP 8.219.25.220 is authorized for theyounginevitables[.]com.

The domain’s DMARC policy is configured with p=NONE, which means there is no enforcement in place to protect against email spoofing. As a result, messages that fail DMARC checks are neither quarantined nor rejected, allowing unauthenticated or spoofed emails to be delivered to recipients without restriction. This weak configuration significantly increases the risk of phishing and impersonation attacks abusing the domain’s identity.

Message-ID

<8000000182331289985.auto.1765042452@theyounginevitables.com>

This indicates that the email was auto-generated rather than manually composed. Such structured, numeric heavy Message-ID formats are commonly associated with bulk SMTP frameworks and automated mailing tools, making this a typical characteristic of large scale phishing or spam campaigns rather than legitimate, individually sent communications.

Feedback-ID

vip_edm_SmtpTrigger

The presence of vip_edm_SmtpTrigger strongly suggests that the email was sent through a mass mailing or EDM (Electronic Direct Mail) system rather than a legitimate transactional email platform. This indicator is commonly associated with bulk marketing or automated email distribution frameworks and is inconsistent with genuine billing or renewal infrastructure, further reinforcing that the message is part of a large scale phishing or spam operation.

Indicators of Compromise (IOCs)

Domain

soyfix[.]com

Exfiltration Endpoints

/send_payment.php
/send_sms.php

Techniques

Brand impersonation (WordPress)
Credit card phishing
3-D Secure OTP interception
Telegram-based C2
JavaScript-driven exfiltration

Defensive Recommendations

Never renew domains via email links
Always verify billing inside the official WordPress dashboard
Block newly registered domains at mail gateways
Monitor for Telegram-based data exfiltration patterns
Train users on fake 3-D Secure verification loops

RMM Abuse in a Crypto Wallet Distribution Campaign

December 31, 2025 Anurag Gawande7 Comments

_{Analysis of a Suspicious “Eternl Desktop” MSI Installer Dropping LogMeIn Resolve}

Overview

A professionally written announcement email titled “Eternl Desktop Is Live — Secure Execution for Atrium & Diffusion Participants” is currently circulating within the Cardano community.

At first glance, the email appears legitimate and well aligned with Cardano’s governance narrative promoting security, decentralization, and staking incentives. However, deeper inspection of the download mechanism and installer behavior raises significant red flags.

Email Social Engineering Highlights

The email leverages high trust messaging and ecosystem specific incentives.

The email strategically references Atrium and the Diffusion Staking Basket to establish legitimacy within the Cardano ecosystem, while also making enticing claims of NIGHT and ATMA token rewards to drive user interest. It reinforces trust by emphasizing “local-first, non-browser signing,” positioning the application as a more secure alternative to browser based wallets. The overall messaging maintains a polished, professional tone with no visible spelling or grammatical issues, lending credibility to the communication. This is capped with a strong, authoritative call to action “Eternl Desktop is where Cardano decisions are finalized.” designed to create urgency and frame the software as an essential tool for serious Cardano participants.

Download Infrastructure Red Flags

The provided download URL, hxxps://download[.]eternldesktop[.]network, raises immediate concerns, as the domain appears to be newly created and lacks any established historical reputation. There is no independent verification or announcement from official, well known Eternl communication channels to validate its legitimacy. Additionally, the software is distributed as a direct MSI installer without publicly available checksums, digital signature transparency, or formal release notes, preventing users from independently verifying the integrity and authenticity of the installer before execution.

New infrastructure + wallet software + MSI installer is a high-risk combination.

Domain Information

MSI Installer Analysis

File Name: Eternl.msi
File Size: 23.3MB
File Type: Windows Intaller (MSI)
Hash: 8fa4844e40669c1cb417d7cf923bf3e0
Title: LogMeIn Resolve Unattended
Comments: LogMeIn Resolve Unattended v1.30.0.636

Using CFF Explorer, I identified an embedded executable within the MSI file. I then used LessMSI to extract the executable for further analysis.

Extracted Executable File

File Name: unattended-updater.exe
File Type: PE32
File Size: 23.35MB
Original File Name: GoToResolveUnattendedUpdater.exe
File Hash: 3f317e17741122cd4ea30123ba241cd0
File Description: LogMeIn Resolve

During dynamic analysis, the sample was observed writing log files and JSON artifacts to disk.

It also tried to connect to below domains.

hxxt://ip.zscaler.com
hxxt://zerotrust.services.gotoresolve.com
hxxt://dumpster.console.gotoresolve.com/api/live
hxxt://sessions.console.gotoresolve.com
hxxt://devices-iot.console.gotoresolve.com/
hxxps://devices.console.gotoresolve.com/properties
hxxps://applet.console.gotoresolve.com
hxxps://custombranding.console.gotoresolve.com

The executable is placed within a uniquely identified folder created under “C:\Program Files (x86)\GoTo Resolve Unattended“. All executables, along with JSON configuration files related to the RMM setup, are stored in this directory.

The unattended.json configuration file enables unattended access, allowing a technician to connect to the remote system without the end user being physically present.

The application attempts to connect to hxxps://dumpster.console[.]gotoresolve[.]com/api/sendEventsV2 to transmit event information in JSON format. The connection fails, and the application retries the request multiple times.

Why This Is Concerning

This behavior is concerning because Remote Monitoring and Management (RMM) tools inherently provide powerful capabilities such as remote command execution, system monitoring, persistent access, and unattended control. While legitimate in enterprise environments, these features are frequently abused by threat actors during initial access operations, particularly in crypto themed malware campaigns and fake wallet or airdrop lures, where RMM software is leveraged to establish long-term post exploitation persistence on compromised systems.

While LogMeIn Resolve itself is a legitimate product, its silent delivery inside a wallet installer is not legitimate behavior.

Detection Summary

Flagged as PUA / Riskware
Behavioral indicators consistent with remote management agents
Not a known component of any official Eternl wallet release

Threat Assessment

Indicator	Risk
Newly registered download domain	High
MSI installer for wallet software	High
Drops RMM tool	Critical
PUA classification	Confirmed

HIGHLY SUSPICIOUS – DO NOT INSTALL

This campaign exhibits multiple overlapping indicators consistent with supply-chain abuse and trojanized wallet distribution, combined with pre positioning techniques that leverage RMM tools to establish persistent access. Together, these behaviors suggest preparation for potential follow on activity, including future credential harvesting or cryptocurrency wallet compromise.

Indicators of Compromise (IOCs)

Domains:

download[.]eternldesktop[.]network

Files

etrnl.msi
unattended-updater.exe

Product Identifiers

LogMeIn Resolve
GoTo Resolve

Hash

8fa4844e40669c1cb417d7cf923bf3e0
3f317e17741122cd4ea30123ba241cd0

This campaign demonstrates how crypto governance narratives are increasingly weaponized to distribute covert access tooling under the guise of professional software.

Fake “Stable Genesis Airdrop” Campaign Delivering a Crypto Wallet Drainer via Phishing

December 23, 2025 Anurag GawandeLeave a comment

In this analysis, I investigated a suspicious email titled “Stable Genesis Airdrop: Claim for Eligible Wallets Now Open”, which redirected victims to the domain:

hxxps://airdrop.stablereward[.]claims

Through sandbox execution, traffic inspection, and UI analysis, the campaign was confirmed to be a high confidence cryptocurrency phishing operation designed to steal wallet recovery phrases and authorize malicious blockchain transactions.

The site impersonates a fictitious project named “Stable”, abuses Cloudflare protection to evade automated detection, and deploys a fake wallet connection workflow that escalates into seed phrase harvesting.

Key Red Flags in Email Body

Claims gas fees are paid in USDT (technically incorrect for Ethereum)
Vague “Stable network” with no whitepaper, GitHub, or official domain
No verifiable project presence on CoinGecko or CoinMarketCap
Redirects to a non-standard .claims TLD

Domain and Infrastructure Analysis

Newly registered domains + crypto airdrops = classic scam pattern

WHOIS records show that the domain stablereward[.]claims was registered very recently on December 8, 2025, with an update made on December 17, 2025. The domain uses Cloudflare name servers.

Initial Page

The presence of a Cloudflare “Verify you are human” gate indicates an intentional attempt to restrict automated access, as it effectively blocks crawlers and many security scanners from analyzing the site’s content. This technique is commonly used by malicious or suspicious sites to evade sandbox detection and fingerprinting, ensuring that payloads or scam pages are only served to real users while analysis environments are filtered out.

Main Landing Page

The site displays fabricated statistics such as 142,847 eligible wallets and a 50 million token allocation to create a false sense of scale and legitimacy. These exaggerated numbers are paired with a prominent “Connect Wallet” call-to-action designed to lure users into authorizing wallet access

Wallet Interaction And Credential Harvesting

It lists:

MetaMask (recommended)
Trust Wallet
Coinbase Wallet
Ledger
Trezor
Phantom
OKX
Rabby
Uniswap Wallet

The most critical malicious behavior is observed when the site prompts users to “Import Wallet, Enter your 12-word recovery phrase” instead of invoking a legitimate wallet extension.

JavaScript Anti-Analysis Techniques

The observed JavaScript snippet is a deliberate anti-analysis technique used to disrupt inspection and automated execution. By invoking the debugger statement, the script forces execution to pause whenever browser developer tools are open, effectively halting code flow during analysis. This behavior can break automated sandboxes and dynamic analysis environments, compelling security analysts to manually bypass or modify the script before further investigation can continue.

Network Traffic Analysis

The site silently connects to multiple blockchain RPCs:

rpc.ankr[.]com/bsc
bsc-dataseed*[.]bnbchain.org
binance[.]nodereal[.]io

These indicators suggest that the operation is designed with multi-chain capability, targeting both Ethereum and Binance Smart Chain (BSC) users to maximize reach. Such setups typically perform wallet balance enumeration, NFT discovery, and malicious token approval requests that enable silent asset draining. The overall behavior closely matches well-known wallet drainer kits.

Attack Chain Summary

Confirmed Scam

All observed indicators clearly confirm malicious intent. The request for a wallet recovery phrase is explicitly malicious, the newly registered domain presents a high risk profile, and the so called project shows no verifiable legitimacy. On chain interaction analysis indicates RPC based draining behavior, while the presence of anti debugging JavaScript further reinforces deliberate evasion of analysis.

Indicators of Compromise – Domains

airdrop.stablereward[.]claims
stablereward[.]claims

Malware Analysis, Phishing, and Email Scams

Cybersecurity Blog

Author: Anurag Gawande

Analysis of a Fake Cloudflare Turnstile Used as a Traffic Filtering Gate

Large-Scale Parasite SEO Campaign Using Amazon Style Pages on Cloudflare Pages

Fake WordPress Domain Renewal Phishing Email Stealing Credit Card And 3-D Secure OTP

RMM Abuse in a Crypto Wallet Distribution Campaign

Fake “Stable Genesis Airdrop” Campaign Delivering a Crypto Wallet Drainer via Phishing