Morphing Meerkat attack chain | Image: Infoblox
A recent report has uncovered a sophisticated phishing operation that uses DNS techniques to tailor content to victims. This operation, dubbed Morphing Meerkat by Infoblox Threat Intelligence, involves phishing kits that dynamically serve fake login pages by abusing DNS mail exchange (MX) records.
“We have discovered a phishing kit that creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands,” Infoblox reports.
Morphing Meerkat doesn’t rely on outdated tricks. It abuses:
- DNS MX records to identify the victim’s email service provider
- DoH (DNS-over-HTTPS) queries to obscure its reconnaissance
- Adtech redirects (e.g., DoubleClick) to bypass spam filters
- Obfuscated JavaScript to cloak code from researchers
- Telegram bots and EmailJS to exfiltrate stolen credentials
“This PhaaS platform is relatively advanced and offers many powerful services to its users, including mass spam delivery,” the report says.
Once a victim clicks a link in a phishing email—often disguised as a bank, shipping service, or IT admin notice—they are redirected through compromised WordPress sites, free hosting services, or abused ad networks, finally landing on a phishing page tailored to their email domain.
The phishing kits use the victim’s email domain to perform a DNS MX record lookup via DoH, querying services like Google Public DNS or Cloudflare. The result? A dynamic match to one of 114+ spoofed brand templates.
“Instead of mapping each email domain to an HTML resource, threat actors can accurately determine the service provider of an email domain using its MX record SLD—and do so at scale.”
So whether you’re using Gmail, Outlook, Yahoo, or a niche regional provider, Morphing Meerkat displays a fake login page that mirrors your real one—complete with localization. The kit even dynamically translates text into over a dozen languages, including Korean, Russian, Spanish, and Japanese.
This platform is built for stealth:
- Users who don’t pass the correct URL hash (e.g., #{email_address}) are redirected to the real login page, tricking researchers.
- Webpages block Ctrl+U, Ctrl+S, and right-click to prevent viewing source code.
- JavaScript is heavily obfuscated, inflated with meaningless code, and encoded via Base64, atob(), and unescape().
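The anti-analysis layers listed above (Base64 fed to `atob()`, percent-encoding fed to `unescape()`, both wrapped in `eval()`) can be unwound statically, without ever running the kit's JavaScript. The following is an added analyst helper written for this article, not code from Infoblox or from the phishing kit: it emulates the two browser decoders and repeatedly unwraps `eval(atob("..."))` and `eval(unescape("..."))` calls until the source stops changing. The sample it decodes is constructed in the block itself (a harmless `console.log` wrapped in the same two layers the report names).

```python
import base64
import binascii
import json
import re

# Constructed sample payload: harmless JavaScript that the block wraps in the
# same unescape()-inside-atob() layers the report describes. Not kit code.
INNER_JS = 'console.log("decoded statically by the analyst, never executed")'


def js_escape(text: str) -> str:
    """Maximal percent-encoding that JS unescape() will decode: %XX for code
    points below 256, %uXXXX above. (Legacy escape() leaves some characters
    bare; encoding all of them is still valid input for unescape().)"""
    return "".join(f"%{ord(c):02X}" if ord(c) < 256 else f"%u{ord(c):04X}" for c in text)


def js_unescape(text: str) -> str:
    """Emulate legacy JS unescape(): decode %uXXXX and %XX, leave anything else alone."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, text)


def decode_atob(b64: str):
    """Emulate atob(): Base64 to a binary string (one char per byte, hence latin-1).
    Returns None when the text is not valid Base64, so the caller can leave it in place."""
    try:
        return base64.b64decode(b64).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def build_sample() -> str:
    """Wrap INNER_JS in two layers: eval(unescape(...)) inside eval(atob(...))."""
    layer1 = f'eval(unescape("{js_escape(INNER_JS)}"))'
    b64 = base64.b64encode(layer1.encode("latin-1")).decode("ascii")
    return f'eval(atob("{b64}"))'


# eval(decoder("...")) is replaced by the decoded source itself; a bare decoder("...")
# call becomes a JSON string literal so the surrounding code stays syntactically valid JS.
PATTERNS = (
    (re.compile(r'eval\(\s*atob\(\s*"([A-Za-z0-9+/=]+)"\s*\)\s*\)'), decode_atob, False),
    (re.compile(r'eval\(\s*unescape\(\s*"([^"]*)"\s*\)\s*\)'), js_unescape, False),
    (re.compile(r'atob\(\s*"([A-Za-z0-9+/=]+)"\s*\)'), decode_atob, True),
    (re.compile(r'unescape\(\s*"([^"]*)"\s*\)'), js_unescape, True),
)


def peel(js: str, max_rounds: int = 10):
    """Statically unwrap atob()/unescape() layers. Returns (source, layers_removed).
    Nothing is executed; max_rounds bounds the work on adversarial input."""
    layers = 0
    for _ in range(max_rounds):
        before = js
        for pattern, decoder, as_literal in PATTERNS:
            def repl(m, decoder=decoder, as_literal=as_literal):
                nonlocal layers
                decoded = decoder(m.group(1))
                if decoded is None:
                    return m.group(0)  # undecodable: leave the call untouched
                layers += 1
                return json.dumps(decoded) if as_literal else decoded
            js = pattern.sub(repl, js)
        if js == before:
            break
    return js, layers


if __name__ == "__main__":
    source, removed = peel(build_sample())
    print(f"removed {removed} layer(s):\n{source}")
```

The decoders are emulated rather than run in a JS engine on purpose: the kit's `eval()` wrappers exist to make the page behave differently under analysis, and a static unwrap gives the reviewer the plain source without letting the page observe anything. The regexes only cover the two encodings the report names; a kit that switches to other encoders needs a further pattern added to `PATTERNS`.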
“This technique only serves to muddy threat analysis and waste threat investigators’ precious time,” notes Infoblox.
Morphing Meerkat’s spam campaigns have impersonated brands from Foxmail to Maersk, with subject lines like:
- “Password Deactivation Alert”
- “Action Required: {email_account} Login Settings Expired”
- “Payment Advice USD50,000 Recipient Copy”
Each email uses HTML formatting, spoofed addresses, and embedded links pointing to fake login portals. Behind the scenes, these campaigns are routed through a centralized network of ISPs, with heavy use of infrastructure from iomart (UK) and HostPapa (US)—typical for centralized PhaaS operations.
Infoblox discovered four common exfiltration methods:
- EmailJS – Sends stolen credentials to attacker-controlled inboxes
- PHP scripts – Save credentials directly on the same site
- AJAX requests – Stream data to remote endpoints
- Telegram bots – Post stolen logins to private channels via exposed webhooks
“We suspect the actors poll the channels and delete messages in real time to destroy evidence,” Infoblox explains.
Even though the bots expose their API tokens, most credential logs vanish quickly—suggesting real-time monitoring and manual cleanup.
Unlike amateur phishing kits, this PhaaS platform:
- Adjusts the phishing experience in real time based on DNS intelligence
- Fools international users with dynamic translation
- Evades detection with redirect logic and spoofed UX
- Scales effortlessly, allowing even unskilled actors to launch advanced attacks
“Morphing Meerkat is another example of a long-running operation that is difficult to detect at scale… They know where security blind spots are.”
Infoblox recommends:
- Blocking DoH traffic at the network level
- Preventing access to non-essential adtech and file-sharing infrastructure
- Monitoring MX record queries from endpoints
- Investing in DNS-layer security and phishing detection tools
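The two recommendations that turn into log logic are blocking or monitoring DoH and watching for MX queries from endpoints, and they depend on each other: the kit sends its MX lookup over HTTPS to Google or Cloudflare, so the corporate resolver never sees it unless DoH is blocked and the query falls back to the internal resolver. The following is an added example for this article, not Infoblox code or detection content from the report. It parses a constructed resolver log in the shape `<timestamp> <client_ip> <qname> <qtype>`, flags endpoints that resolve well-known public DoH resolver hostnames, and flags MX queries from hosts that are not the organisation's mail relays. The relay address, the threshold and all log lines are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed resolver log (not from the report): "<timestamp> <client_ip> <qname> <qtype>".
# 10.0.0.5 is the organisation's mail relay, 10.0.0.12 behaves like a browser running
# the kit's reconnaissance, 10.0.0.44 is an ordinary workstation.
SAMPLE_DNS_LOG = """\
2025-03-27T10:00:01Z 10.0.0.5 partner-a.example MX
2025-03-27T10:00:02Z 10.0.0.5 partner-b.example MX
2025-03-27T10:01:10Z 10.0.0.12 dns.google A
2025-03-27T10:01:11Z 10.0.0.12 cloudflare-dns.com A
2025-03-27T10:01:12Z 10.0.0.12 contoso-corp.example MX
2025-03-27T10:01:13Z 10.0.0.12 smallbiz-mail.example MX
2025-03-27T10:01:14Z 10.0.0.12 regional-isp.example MX
2025-03-27T10:02:00Z 10.0.0.44 intranet.example A
2025-03-27T10:02:05Z 10.0.0.44 cdn.example AAAA
"""

# Hostnames of public DoH resolvers: the two the report says the kit queries
# (Google Public DNS, Cloudflare) plus Mozilla's Cloudflare endpoint and Quad9.
DOH_RESOLVER_HOSTS = {
    "dns.google",
    "cloudflare-dns.com",
    "mozilla.cloudflare-dns.com",
    "dns.quad9.net",
}
# Hosts that legitimately issue MX queries (constructed: the organisation's mail relays).
MAIL_RELAYS = {"10.0.0.5"}
# Distinct MX-queried domains from one endpoint before the activity is called enumeration
# (constructed threshold; tune to the environment).
MX_DOMAIN_THRESHOLD = 3


@dataclass(frozen=True)
class Query:
    ts: str
    client: str
    qname: str
    qtype: str


def parse_log(text: str) -> list:
    """Parse the four-field log format; malformed lines are skipped, not fatal."""
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        queries.append(Query(ts, client, qname.lower().rstrip("."), qtype.upper()))
    return queries


def detect(queries) -> dict:
    """Return {client_ip: sorted findings} for clients showing either signal."""
    mx_domains = defaultdict(set)   # endpoint -> domains it asked MX records for
    doh_hosts = defaultdict(set)    # endpoint -> DoH resolver hostnames it resolved
    findings = defaultdict(list)

    for q in queries:
        if q.qtype == "MX" and q.client not in MAIL_RELAYS:
            mx_domains[q.client].add(q.qname)
        # A/AAAA/HTTPS lookups of a resolver hostname precede the HTTPS session to it
        if q.qtype in ("A", "AAAA", "HTTPS") and q.qname in DOH_RESOLVER_HOSTS:
            doh_hosts[q.client].add(q.qname)

    for client, domains in mx_domains.items():
        findings[client].append(f"MX lookups from a non-mail host for {len(domains)} domain(s)")
        if len(domains) >= MX_DOMAIN_THRESHOLD:
            findings[client].append("MX enumeration threshold exceeded")
    for client, hosts in doh_hosts.items():
        findings[client].append("resolved DoH resolver host(s): " + ", ".join(sorted(hosts)))
    for client in list(findings):
        if client in mx_domains and client in doh_hosts:
            findings[client].append("combined: DoH resolver contact plus MX lookups from an endpoint")
    return {client: sorted(f) for client, f in findings.items()}


def run(text: str = SAMPLE_DNS_LOG) -> dict:
    return detect(parse_log(text))


if __name__ == "__main__":
    for client, items in run().items():
        print(client)
        for item in items:
            print("  -", item)
```

Two caveats a practitioner would apply before alerting on this. Browsers with DoH enabled resolve these same resolver hostnames legitimately, so the DoH signal on its own is a hunting lead and a reason to enforce the network-level block the report recommends, not an incident. The MX signal is the stronger one: workstations have no routine reason to ask for MX records, and a burst of them for unrelated domains matches the kit's per-victim lookup, but it is only visible once DoH is blocked or forced through the monitored resolver. A kit that reaches a DoH resolver by IP address rather than hostname leaves no resolver-hostname lookup at all, which is the report's closing point about visibility.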
As the report concludes: “Visibility and monitoring of networks are critical… If a security system cannot see the threat, it cannot detect it.”