Multi-Stage Phishing Campaign Targets Finance
February 4, 2026 | 5 min read
Shira Reuveny and Joshua Green


BlueVoyant's Digital Risk Protection (DRP) team and Threat Fusion Cell (TFC) identified and analyzed a credential harvesting phishing campaign targeting a global array of financial institutions, with a pronounced focus on U.S.-based banks and credit unions. This research reveals a campaign operating in two distinct phases: an initial operational phase beginning in late June 2025, then a second, more sophisticated phase commencing in mid-November 2025 that enhanced evasion through the weaponization of the [.]co[.]com domain space and the use of HTTP referrer constraints to hide its malicious infrastructure. The quick transition between the phases evidences how rapidly malevolent actors can level up their attacks in today's threat landscape.
What Happened?
The initial attacks were launched with domains like digitquantorevus-blundirexalon[.]shop (registered 26 June 2025), which initially pointed to a dedicated IP (107.150.0[.]42) displaying a "FASTPANEL" landing page, which likely indicates a testing and preparation period.
The first phase of the campaign then launched in early July, when the attackers began mass-registering domains with a unique, procedurally generated naming convention: the prefix "digit" followed by two hyphenated strings of seemingly random characters, often with a pseudo-Greek or Latinate morphology (e.g., digitkylamorphis-merathindra[.]cfd, digitzypheronix-plexoventara[.]cfd), using TLDs such as .shop, .cfd, and .buzz. These domains were swiftly moved behind Cloudflare to host the fake login pages, many of which primarily spoofed the client login page for a large U.S.-based credit union.
A significant evolution marked the campaign's second phase, which started in mid-November 2025. The actors began registering [.]co[.]com domains spoofing financial institution websites, presenting credible impersonations of real financial institutions. TLS certificates for these malicious sites became valid on 16 November 2025, likely marking the activation of this new tactic and the start of the second phase of the campaign.
These [.]co[.]com domains serve as the initial entry point in a refined multi-stage chain. The attackers employed a critical evasion technique: any direct access triggers a redirect to a malformed "www[.]www" URL, effectively pointing to a non-existent domain, which causes a browser error and hides the malicious content from automated scanners. However, when accessed via a clickable link in a phishing message (providing a valid HTTP referrer), the domain loads a fraudulent Cloudflare CAPTCHA page. This page, branded for the targeted institution, features a non-functional CAPTCHA that creates a deliberate delay before a Base64-encoded script redirects users to the final harvesting page, which reincorporates the earlier digit* domains.
The malicious content on these fake CAPTCHA pages is often hidden within a seemingly benign script, embedded in the HTML and designed to execute only under certain conditions.

Figure 1 – Deobfuscated PowerShell command connecting to bikolsa[.]com
When the user clicks the fake verification checkbox, the seemingly benign script decodes a Base64-encoded URL (redacted above) and redirects the victim to the credential harvesting site. This encoding technique obscures the malicious destination from casual code review, allowing attackers to maintain the appearance of legitimacy until user interaction triggers the redirect.
Once users reach the final digit*-constructed credential harvesting page, they are presented with that institution's spoofed login prompt, designed to capture credentials and other sensitive authentication data. This secondary site cannot be accessed directly and will only load if the user carries the correct cookies from the initial visit, ensuring the infrastructure remains concealed from security analysis. After credentials are submitted, the site displays a generic error message suggesting a temporary issue. This tactic discourages immediate suspicion, leading users to believe they encountered a routine glitch, while their data has already been captured and exfiltrated.
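The two traits of the chain that a defender can check offline are the digit* naming convention of the harvesting backends and the Base64-encoded redirect hidden in the fake CAPTCHA page. The following Python is an added example, not code from BlueVoyant or the report: it decodes Base64 tokens found in page script, keeps those that turn out to be URLs, and flags any whose hostname follows the naming convention described above. The sample HTML and the hostname digitexample-sample.cfd are constructed for the example.

```python
import base64
import re
from urllib.parse import urlparse

# Naming convention the report describes for the harvesting backends: the
# literal prefix "digit", two hyphen-separated pseudo-words, and one of the
# TLDs observed in the campaign (.shop, .cfd, .buzz).
DIGIT_DOMAIN_RE = re.compile(r"^digit[a-z]+-[a-z]+\.(shop|cfd|buzz)$")

# Unbroken Base64-looking tokens long enough to hold a URL.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def refang(host):
    """Turn a defanged indicator such as example[.]cfd back into a hostname."""
    return host.strip().lower().replace("[.]", ".")

def is_digit_style_domain(host):
    """True when the hostname matches the campaign's digit* convention."""
    return bool(DIGIT_DOMAIN_RE.match(refang(host)))

def decode_embedded_urls(script_text):
    """Return every Base64 token in the text that decodes to an http(s) URL."""
    urls = []
    for token in B64_TOKEN_RE.findall(script_text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # bad padding, non-Base64 or non-UTF-8 token
            continue
        if decoded.lower().startswith(("http://", "https://")):
            urls.append(decoded)
    return urls

def flag_page(html):
    """Return (decoded URLs, hosts among them that match the digit* pattern)."""
    urls = decode_embedded_urls(html)
    hosts = [urlparse(u).hostname for u in urls]
    return urls, [h for h in hosts if h and is_digit_style_domain(h)]

# Constructed sample: a fake-CAPTCHA click handler that waits, then sends the
# browser to a Base64-encoded destination, modelled on the behaviour the
# report describes. The hostname is invented for this example.
SAMPLE_REDIRECT = "https://digitexample-sample.cfd/login"
SAMPLE_HTML = (
    '<input type="checkbox" id="verify" onclick="setTimeout(function(){'
    "window.location.href=atob('%s');},3000)\">"
    % base64.b64encode(SAMPLE_REDIRECT.encode()).decode()
)
```

Run `flag_page` over the HTML of a suspicious page to see the decoded destination before any click is made; the pattern check also works directly on defanged indicators such as the ones listed at the end of this post.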

Figure 2 – Attack flow based on how a site was accessed
In essence, the attackers use the [.]co[.]com domains as sophisticated, disposable lures that pass initial legitimacy checks (TLS, brand recognition) and filter out automated analysis. Then, they redirect to the digit* domains as resilient, mass-producible, and harder-to-track backends that handle the actual sensitive task of credential harvesting. This layered approach significantly enhances the campaign's chances of success and survival against detection and takedown efforts.
Analysis of the spoofed brands confirms the campaign is overwhelmingly targeting large and regional U.S. financial institutions, as well as major credit unions. However, the targeting is not exclusively U.S.-based; the registration of domains spoofing international banks in Denmark, Turkey and Greece indicates a secondary focus on European targets. This dual targeting suggests the threat actor group is either opportunistic on a global scale or operates with a specific mandate to harvest credentials from customers from both U.S. and European financial institutions.
Registration patterns further reveal the use of privacy shields and falsified identities at registrars like PDR Ltd. and WEBCC. Registrant records included names such as "James Taylor" in the Seychelles or "George Gonzalez" in the US, which were obviously falsified, together with disposable email addresses from domains like @mailshan[.]com or the newly registered @mailerres[.]xyz. The discovery of Russian-language debug strings within the phishing kit's JavaScript code, such as Обнаружен тип формы ("Form type detected") and Инициализация ("Initialization"), provides a strong indicator that the development team is Russian-speaking.

Figure 3 – Deobfuscated PowerShell command connecting to bikolsa[.]com
Upon identifying this campaign, BlueVoyant’s DRP team took immediate action, actively coordinating with hosting providers and domain registrars to dismantle the malicious infrastructure and accelerate domain takedowns. Continuous monitoring and automated detection capabilities enable us to identify new instances of this attack as they emerge. Through proactive threat hunting and intelligence sharing with industry partners, BlueVoyant remains ahead of evolving attacker tactics, helping to ensure our clients' sensitive data and digital assets remain protected.
Conclusion
This multi-phase campaign exemplifies the agility of modern cyber adversaries, who can easily refine their tactics to enhance both credibility and evasion. The rapid pivot from a basic large-scale credential harvesting operation to a more advanced strategy weaponizing [.]co[.]com domains demonstrates operational flexibility and technical proficiency. Further, the adversary's deployment of a multi-layered evasion chain, incorporating referrer validation, cookie-based access controls, intentional delays, and code obfuscation, creates a more resilient infrastructure that presents barriers for automated security tools and manual analysis alike.
Organizations must adopt a proactive and intelligence-driven defense posture, emphasizing user education on identifying suspicious domains, implementing stringent multi-factor authentication (MFA) to mitigate the impact of credential theft, and deploying advanced security solutions capable of dissecting complex, multi-stage attack chains. BlueVoyant remains at the forefront of this effort, leveraging continuous monitoring, industry collaboration, and coordinated takedown actions to disrupt this campaign and help safeguard the digital ecosystem.
MITRE ATT&CK Techniques
T1566 (Phishing)
T1587.001 (Malware)
T1071.001 (Web Protocols)
T1583.001 (Domains)
T1204.001 (Malicious Link)
T1550.004 (Web Session Cookie)
T1567 (Exfiltration)
T1588.004 (Digital Certificates)
T1562.006 (Indicator Blocking)
T1132.001 (Standard Encoding)
T1584.006 (Web Services)
Indicators of Compromise
digitquantorevus-blundirexalon[.]shop
digitkylamorphis-merathindra[.]cfd
digitzypheronix-plexoventara[.]cfd
107.150.0[.]42