An email led me to investigate one of the biggest PHISHING campaigns of the moment!

05/02/2026

Author: Juan Mathews Rebello Santos


1. EXECUTIVE SUMMARY

This technical report documents the forensic investigation that I conducted after receiving a fraudulent email containing a supposed prize notification and a pending financial deposit. The analysis revealed a sophisticated cybercriminal infrastructure operating phishing, scareware and affiliate fraud campaigns on an international scale.

During the investigation, I identified a redirect chain and an operation built from:

  • electronic spam with social engineering;
  • abuse of Cloudflare Pages infrastructure;
  • compromise of government servers in the Democratic Republic of Congo;
  • Command and Control infrastructure (C2);
  • use of Domain Generation Algorithm (DGA);
  • Wildcard SSL certificates;
  • and monetization through Norton/Gen Digital affiliate programs via Impact Radius.

The operation demonstrates a high level of technical professionalism, anti-analysis evasion and automation of malicious campaigns.


2. ORIGIN OF THE INVESTIGATION

The investigation began after I received a clearly forged email sent to the address:

[email protected]

The subject of the message was:

Prize Code

The email's content mixed Arabic text with messages of financial urgency, a strategy used to hinder anti-spam filters and increase the appearance of legitimacy.

Identified excerpt:

شكراً على مشاركتك في المسابقة
يرجى الاحتفاظ بالكود للمراجعة عند السحب

Approximate translation:

“Thank you for participating in the contest.
Please keep the code for verification during the draw.”

The message also featured a supposed promotional code:

Code: 9132289937520370

However, the real objective of the email was to trick the user into clicking on a malicious link inserted in the middle of the message:

⚠️ Urgent: Your $3,639.00 deposit is on hold. Confirm now:
https://obs.regideso.cd/?8nqrpm

The content also displayed my email address to add a sense of personalization and legitimacy:

[email protected]

Analysis demonstrated that the email was built to combine:

  • fake awards;
  • financial urgency;
  • foreign language;
  • social engineering;
  • and partial concealment of the scam.

The objective was to induce the victim to click immediately.


3. MALICIOUS REDIRECT CHAIN

When accessing the link:

https://obs.regideso.cd/?8nqrpm

I identified that the domain only functioned as an intermediate relay within the operation.

The complete flow observed during the investigation was:

Email Spam
↓
obs.regideso.cd
↓
linen-wharf-river.pages.dev
↓
Random subdomains of yandehyto.com
↓
Scareware/phishing end domains

Among the final destinations identified were:

  • pelnoriva.shop
  • baleiddiste.com
  • phidatharacce.com

This architecture demonstrates a professional chain of infrastructure obfuscation, making tracking, automated blocking, and forensic analysis difficult.


4. COMPROMISED RELAY ANALYSIS

The domain:

obs.regideso.cd

resolved to the IP:

161.35.30.54

hosted on DigitalOcean infrastructure.

The asset appeared to belong to the public water supply company of the Democratic Republic of Congo:

  • REGIDESO SA

During the analysis of the web environment, I identified:

  • unauthorized PHP files;
  • scripts acting as redirectors;
  • Laravel environment exposure;
  • backend operating in Debug mode.

Observed files:

  • info.php
  • index.php

Absolute internal server paths were also exposed:

C:\api-factures\api-factures\

The exposure of this information confirms severe hardening flaws and insecure configuration of the Laravel framework.


5. COMMAND AND CONTROL INFRASTRUCTURE (C2)

The core of the operation was centralized on a server operating as:

  • central redirector;
  • click tracker;
  • monetization gateway;
  • and campaign controller.

Endpoint identified:

/click.php

6. EVASION TECHNIQUES

6.1 Cloaking against analysis

I identified that the server implemented active cloaking against:

  • researchers;
  • automated scanners;
  • Datacenter IPs;
  • tools like curl and Nmap.

When it detected a suspicious environment, the server responded with:

HTTP/1.1 302 Found
Location: http://yahoo.com/

or:

Location: http://google.com/

This technique drastically reduces the exposure of the malicious landing page to security systems.
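The redirect chain in section 3 and the user-agent cloaking described here can both be checked with one walk of the chain performed twice, once with a browser User-Agent and once with a scanner one. The following is an added example and not the author's tooling: the `Fetcher` interface, the `simulated_fetch` stand-in (which reproduces the hops from section 3 with constructed responses so the script runs offline) and the placeholder `uclick` value are all assumptions; a live fetcher would wrap an HTTP client configured not to follow redirects on its own.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urljoin, urlparse

# Example code added to this write-up; not the author's tooling. The request
# chain below is simulated from constructed responses so it runs offline.


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


# A fetcher takes (url, user_agent) and returns one Response without following
# redirects itself; a real one would wrap an HTTP client with redirects disabled.
Fetcher = Callable[[str, str], Response]

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SCANNER_UA = "curl/8.5.0"
REDIRECT_CODES = {301, 302, 303, 307, 308}
# Decoy hosts the cloaked server bounced analysts to (section 6.1).
DECOY_HOSTS = {"yahoo.com", "www.yahoo.com", "google.com", "www.google.com"}


def follow_redirects(start: str, fetch: Fetcher, user_agent: str, max_hops: int = 10) -> List[str]:
    """Return every URL visited, starting with `start`, until a non-redirect or the hop limit."""
    chain = [start]
    url = start
    for _ in range(max_hops):
        resp = fetch(url, user_agent)
        location = resp.headers.get("Location")
        if resp.status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # resolve relative Location headers against the current hop
        chain.append(url)
    return chain


def cloaking_verdict(start: str, fetch: Fetcher) -> dict:
    """Walk the chain as a browser and as a scanner; flag cloaking if only the scanner hits a decoy."""
    browser_chain = follow_redirects(start, fetch, BROWSER_UA)
    scanner_chain = follow_redirects(start, fetch, SCANNER_UA)
    browser_end = urlparse(browser_chain[-1]).hostname or ""
    scanner_end = urlparse(scanner_chain[-1]).hostname or ""
    cloaked = scanner_end in DECOY_HOSTS and browser_end not in DECOY_HOSTS
    return {
        "browser_chain": browser_chain,
        "scanner_chain": scanner_chain,
        "cloaked": cloaked,
        "landing_host": browser_end,
    }


def simulated_fetch(url: str, user_agent: str) -> Response:
    """Constructed stand-in for the live infrastructure, mirroring the hops in section 3."""
    host = (urlparse(url).hostname or "").lower()
    if host == "obs.regideso.cd":
        return Response(302, {"Location": "https://linen-wharf-river.pages.dev/"})
    if host == "linen-wharf-river.pages.dev":
        # The uclick value is a constructed placeholder, not the real tracking token.
        return Response(302, {"Location": "https://sj9k9f.yandehyto.com/click.php?lp=1&uclick=PLACEHOLDER"})
    if host.endswith(".yandehyto.com"):
        if user_agent.lower().startswith("curl/"):
            return Response(302, {"Location": "http://yahoo.com/"})  # cloaked response for scanners
        return Response(302, {"Location": "https://pelnoriva.shop/"})  # real landing page for browsers
    return Response(200, {})


if __name__ == "__main__":
    verdict = cloaking_verdict("https://obs.regideso.cd/?8nqrpm", simulated_fetch)
    for hop in verdict["browser_chain"]:
        print("browser ->", hop)
    for hop in verdict["scanner_chain"]:
        print("scanner ->", hop)
    print("cloaked:", verdict["cloaked"], "| landing host:", verdict["landing_host"])
```

Comparing the two chains is what exposes the cloaking: a single request from an analysis box sees only the bounce to yahoo.com, while the browser-agent walk reaches the scareware host. Datacenter-IP cloaking (also listed in 6.1) is not visible to this check and would need a residential or proxied vantage point.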


6.2 DGA and Wildcard DNS

During the investigation, I identified extensive use of Wildcard DNS in the domain:

yandehyto.com

Any random subdomain resolved correctly to the C2 server.

Identified examples:

  • q5tzrz.yandehyto.com
  • sj9k9f.yandehyto.com
  • whonou.yandehyto.com

This technique allows infinite rotation of URLs without the need to register new domains.
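Wildcard DNS combined with random subdomains leaves a recognisable pattern in resolver logs: one registered domain receiving many distinct, high-entropy labels, each queried only once. The detector below is an added example, not the author's tooling; the log lines are constructed (loosely following dnsmasq's `query[TYPE] name from client` format), the tiny `TWO_LEVEL_SUFFIXES` set is an assumption standing in for the Public Suffix List, and the thresholds are starting values rather than tuned ones.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Example code added to this write-up, not the author's tooling. The log lines
# are constructed and loosely follow dnsmasq's "query[TYPE] name from client" format.
SAMPLE_DNS_LOG = """\
May  1 20:12:30 dnsmasq[812]: query[A] q5tzrz.yandehyto.com from 10.0.0.15
May  1 20:12:31 dnsmasq[812]: query[A] www.example.com from 10.0.0.15
May  1 20:14:02 dnsmasq[812]: query[A] sj9k9f.yandehyto.com from 10.0.0.23
May  1 20:14:05 dnsmasq[812]: query[A] www.example.com from 10.0.0.23
May  1 20:15:40 dnsmasq[812]: query[A] whonou.yandehyto.com from 10.0.0.31
May  1 20:15:41 dnsmasq[812]: query[A] mail.example.com from 10.0.0.31
May  1 20:16:00 dnsmasq[812]: query[A] www.example.com from 10.0.0.40
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+")

# Assumption: a tiny stand-in for the Public Suffix List, enough for this report's IOCs.
TWO_LEVEL_SUFFIXES = {"com.sa", "co.uk", "com.br"}


def registered_domain(fqdn: str) -> str:
    """Registrable domain (e.g. yandehyto.com), honouring the few two-level suffixes above."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; 'www' scores 0, random-looking labels score higher."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_rotating_subdomains(log_lines: Iterable[str], min_distinct: int = 3,
                             min_mean_entropy: float = 2.0, min_single_use: float = 0.8) -> Dict[str, dict]:
    """Flag registered domains whose subdomain labels look random and are each queried only once."""
    labels_by_domain: Dict[str, List[str]] = defaultdict(list)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        fqdn = m.group(1).lower().rstrip(".")
        reg = registered_domain(fqdn)
        if fqdn == reg:
            continue  # bare registered domain: no subdomain label to inspect
        leftmost_label = fqdn[: -len(reg) - 1].split(".")[0]
        labels_by_domain[reg].append(leftmost_label)

    findings: Dict[str, dict] = {}
    for reg, labels in labels_by_domain.items():
        distinct = set(labels)
        if len(distinct) < min_distinct:
            continue
        counts = Counter(labels)
        mean_entropy = sum(label_entropy(lbl) for lbl in distinct) / len(distinct)
        single_use = sum(1 for lbl in distinct if counts[lbl] == 1) / len(distinct)
        if mean_entropy >= min_mean_entropy and single_use >= min_single_use:
            findings[reg] = {
                "distinct_labels": len(distinct),
                "mean_entropy": round(mean_entropy, 3),
                "single_use_ratio": round(single_use, 3),
                "labels": sorted(distinct),
            }
    return findings


if __name__ == "__main__":
    for domain, info in find_rotating_subdomains(SAMPLE_DNS_LOG.splitlines()).items():
        print(domain, info)
```

On the sample, `yandehyto.com` is flagged (three distinct labels, each seen once, mean entropy above 2 bits per character) while `example.com` is not, because `www` repeats and only two labels exist. In production the single-use ratio matters more than entropy alone, since short dictionary-like labels such as `whonou` do not stand out by entropy.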


6.3 Wildcard SSL Certificates

The operator used valid Wildcard certificates issued by Let's Encrypt:

*.yandehyto.com

This allowed valid HTTPS for all dynamically generated subdomains, increasing the credibility of the scam.


7. PAYLOAD SCAREWARE ANALYSIS

At the end of the redirect chain, the victim landed on pages hosted at:

  • pelnoriva.shop
  • baleiddiste.com
  • phidatharacce.com

These pages ran malicious JavaScript simulating the interface of:

  • McAfee Total Protection

The code contained functions such as:

start_circleProgress()

that simulated fake antivirus scans and displayed non-existent threats:

  • Win32/Hoax.Renos.HX
  • Trojan IRC/Backdor.Sd.FRV

I also identified:

  • use of the FullScreen API;
  • navigation blocking;
  • tab focus capture;
  • interception of onbeforeunload.

The objective was to generate psychological pressure to induce the victim to immediately purchase antivirus.
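The behaviours listed above (FullScreen API, navigation blocking, focus capture, onbeforeunload interception, a fake scan routine and fabricated threat names) are static indicators that a landing page can be scored against before anyone opens it in a browser. The scanner below is an added example, not the author's tooling: the sample page is constructed to resemble those behaviours rather than copied from the real landing page, and the indicator weights and threshold are assumptions chosen for illustration.

```python
import re
from typing import Dict, List

# Example code added to this write-up, not the author's tooling. The sample page
# is constructed to exhibit the behaviours described in section 7; it is not a
# copy of the real landing page.
SAMPLE_PAGE = """<html><head><title>McAfee Total Protection - Scan</title></head>
<body onload="start_circleProgress()">
<script>
document.documentElement.requestFullscreen();
window.onbeforeunload = function () { return "Your PC is infected!"; };
history.pushState(null, "", location.href);
window.addEventListener("blur", function () { window.focus(); });
var threats = ["Win32/Hoax.Renos.HX", "Trojan IRC/Backdor.Sd.FRV"];
</script></body></html>"""

BENIGN_PAGE = "<html><body><h1>Quarterly report</h1><p>Nothing to see here.</p></body></html>"

# Each indicator: (name, pattern, weight). Weights are an assumption for this example.
INDICATORS = [
    ("fullscreen_api", re.compile(r"requestFullscreen\s*\(", re.I), 2),
    ("beforeunload_trap", re.compile(r"onbeforeunload|addEventListener\(\s*['\"]beforeunload", re.I), 3),
    ("history_manipulation", re.compile(r"history\.(pushState|replaceState)", re.I), 2),
    ("focus_capture", re.compile(r"['\"]blur['\"][^;]*window\.focus", re.I | re.S), 2),
    ("fake_av_brand", re.compile(r"McAfee Total Protection|Norton", re.I), 1),
    ("fake_scan_progress", re.compile(r"start_circleProgress", re.I), 3),
    ("fake_threat_name", re.compile(r"Win32/Hoax\.Renos\.HX|IRC/Backdor\.Sd\.FRV", re.I), 3),
]
SCAREWARE_THRESHOLD = 6  # assumption: a page needs several co-occurring indicators to be flagged


def scan_page(html: str) -> Dict[str, object]:
    """Score a page body against the indicator list and return hits, score and verdict."""
    hits: List[str] = [name for name, pattern, _ in INDICATORS if pattern.search(html)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"score": score, "hits": hits, "scareware": score >= SCAREWARE_THRESHOLD}


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        result = scan_page(body)
        print(label, result["score"], result["scareware"], ", ".join(result["hits"]))
```

A brand name on its own scores too low to matter, which is deliberate: legitimate vendor pages mention their products. It is the combination of browser-trapping APIs with a fake scan and fabricated detections that pushes a page over the threshold.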


8. AFFILIATE FRAUD

Final monetization occurred through redirects to legitimate pages from:

NortonLifeLock / Gen Digital

The campaign abused the affiliate platform:

  • Impact Radius

Identifiers found:

Partner ID: 3076190
Campaign ID: 4405

The operating model converted the fear induced by scareware into financial commission.


9. FORENSIC EVIDENCE

HTTP Redirection

HTTP/1.1 302 Found
Server: nginx/1.28.0
Date: Fri, 01 May 2026 20:12:37 GMT
Location: https://sj9k9f.yandehyto.com/click.php?lp=1&uclick=d7qg...

Cloaking detection:

[Detection Triggered] -> Redirect to http://yahoo.com/

SSL Certificate

depth=0 CN = yandehyto.com

X509v3 Subject Alternative Name:
DNS:*.yandehyto.com
DNS:yandehyto.com

Issuer:
C = US
O = Let's Encrypt
CN = E7

10. INDICATORS OF COMPROMISE (IOCs)

IPs

  • 161.35.30.54

Domains

  • smilingtooth.com.sa
  • obs.regideso.cd
  • linen-wharf-river.pages.dev
  • yandehyto.com
  • baleiddiste.com
  • phidatharacce.com
  • pelnoriva.shop
  • pelnoriva.pelnoriva.shop

DGA Subdomains

  • q5tzrz.yandehyto.com
  • sj9k9f.yandehyto.com
  • whonou.yandehyto.com

Affiliate IDs

Impact Radius Partner ID: 3076190
Campaign ID: 4405
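Because the C2 domain answers for any subdomain, an IOC match has to be suffix-aware: `yandehyto.com` must also catch `sj9k9f.yandehyto.com` and any label that appears later, without catching look-alikes such as `notyandehyto.com`. The following is an added example, not the author's tooling: it takes the domains and IP from this section, matches them against constructed proxy log lines, and emits DNS RPZ records so the wildcard is blocked at the resolver. The log line format is an assumption.

```python
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse

# Example code added to this write-up, not the author's tooling.
# IOCs are the ones listed in section 10; the proxy log lines are constructed.
IOC_DOMAINS: Set[str] = {
    "smilingtooth.com.sa", "obs.regideso.cd", "linen-wharf-river.pages.dev",
    "yandehyto.com", "baleiddiste.com", "phidatharacce.com", "pelnoriva.shop",
}
IOC_IPS: Set[str] = {"161.35.30.54"}

# Constructed log format (assumption): "<timestamp> <client> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2026-05-01T20:12:37Z 10.0.0.15 GET https://obs.regideso.cd/?8nqrpm 302
2026-05-01T20:12:38Z 10.0.0.15 GET https://linen-wharf-river.pages.dev/ 302
2026-05-01T20:12:39Z 10.0.0.15 GET https://sj9k9f.yandehyto.com/click.php?lp=1 302
2026-05-01T20:12:40Z 10.0.0.15 GET https://pelnoriva.pelnoriva.shop/ 200
2026-05-01T20:13:02Z 10.0.0.23 GET https://www.example.com/ 200
2026-05-01T20:13:10Z 10.0.0.23 GET http://161.35.30.54/info.php 200
2026-05-01T20:13:15Z 10.0.0.23 GET https://notyandehyto.com/ 200
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def matching_ioc(host: str) -> str:
    """Return the IOC that covers `host` (exact IP, exact domain or any subdomain of it), else ''."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return host
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return ""


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line whose destination host is covered by an IOC."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = urlparse(url).hostname or ""
        ioc = matching_ioc(host)
        if ioc:
            hits.append({"time": ts, "client": client, "url": url, "ioc": ioc})
    return hits


def clients_of_concern(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct client addresses that touched any IOC, for follow-up triage."""
    return sorted({h["client"] for h in hits})


def to_rpz_records() -> List[str]:
    """DNS Response Policy Zone records: block each IOC domain and, via the wildcard, every subdomain."""
    records: List[str] = []
    for domain in sorted(IOC_DOMAINS):
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    return records


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG.splitlines())
    for hit in found:
        print(hit["time"], hit["client"], "->", hit["ioc"], "via", hit["url"])
    print("clients to triage:", clients_of_concern(found))
    print("\n".join(to_rpz_records()))
```

The suffix check is the part worth copying: a naive substring or exact match either misses the rotating subdomains or over-blocks unrelated domains that happen to contain the string. The RPZ output uses the standard `CNAME .` NXDOMAIN action, and the `*.domain` entry is what makes the wildcard DNS on the operator's side work in the defender's favour.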

11. CONCLUSION

Based on the entire investigation conducted, I concluded that the analyzed campaign represents a highly professional cybercriminal operation, using:

  • phishing;
  • scareware;
  • cloaking;
  • DGA;
  • abuse of legitimate infrastructure;
  • affiliate fraud;
  • and compromised third-party servers.

The operation demonstrates strong technical capacity in:

  • anti-analysis evasion;
  • social engineering;
  • fraudulent monetization;
  • campaign automation;
  • and infrastructure concealment.

12. RELIABLE REFERENCES AND ANALYSIS OF URLS

Below are the threat intelligence platforms on which the domains and URLs were analyzed; the links point to the corresponding reports.

  • VirusTotal
  • AlienVault OTX
  • AbuseIPDB
  • Censys
  • SecurityTrails
  • urlscan.io
  • Shodan


Note: Malicious activities and indicators of compromise have already been reported to the appropriate authorities.