Summary of the interactions between the phishing domain and the panel | Source: Intrinsec
Intrinsec’s Cyber Threat Intelligence (CTI) team has uncovered a sophisticated phishing toolkit, named “Premium Panel”, that has been actively used in global phishing campaigns for over two years. Designed for simplicity and effectiveness, this toolkit empowers even low-tier threat actors to launch credential theft operations at scale, targeting industries such as banking, logistics, and telecommunications.
The Premium Panel toolkit consists of PHP pages and JavaScript scripts that capture victims’ credentials and redirect them to phishing or legitimate pages. Intrinsec explained, “Phishing websites usurping a variety of companies worldwide were leveraged since 2+ years. The websites are copies of the legitimate login pages usurped, while the domains usually do not try to spoof the legitimate companies usurped.”
This toolkit has been linked to campaigns impersonating major organizations across Western countries, as well as Saudi Arabia, Israel, South Africa, and other regions. Banking institutions have been a primary target, as financial credentials hold immediate value for attackers.
The toolkit’s functionality is centralized through a control panel, referred to in the report as the “Live Control Panel – Premium.” Threat actors use this dashboard to:
- Track Victims: View IP addresses, monitor real-time page activity, and redirect victims.
- Use Telegram Integration: Set up bots for instant notifications when victims interact with the phishing domain.
- Manage Phishing Pages: Redirect victims to fake login pages for capturing credentials or legitimate sites to lower suspicion.
The report highlights a critical feature of the toolkit: “Some of the phishing pages are hosted on compromised legitimate websites, while others use solutions to easily host websites or temporary domain names such as codeanyapp[.]com, mybluehost[.]me, cloudwayapps[.]com, mywebsitetransfer[.]com, tempurl[.]host, etc.”
The report outlines the technical sophistication of the Premium Panel:
- Dynamic Redirects: The “processor.php” script facilitates victim interaction by keeping connections alive and managing page redirection every 500 milliseconds.
- Exploitation of IPs: Shared IPs have hosted multiple phishing campaigns targeting banking and telecom industries, with recurring addresses like 139.177.180[.]48 linked to various fraudulent domains.
- OPSEC Mistakes: On some panels, exposed Telegram bot tokens and administrator IDs provided insight into the attackers’ network. Intrinsec noted, “Collecting all bots visible on the phishing panels could be used to map different clusters with targeted countries/companies/industries.”
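The 500 ms redirect polling of processor.php described above leaves a very regular request cadence in web-server or proxy logs. The following is an added example, not code from the Intrinsec report, that flags clients requesting a given endpoint at a fixed sub-second interval; the log lines, client IPs and timestamps are constructed, and only the endpoint name comes from the report.

```python
"""Flag clients polling a kit endpoint at a fixed sub-second cadence (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed web-server log lines with millisecond timestamps; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [2024-05-01T12:00:00.000Z] "GET /processor.php?page=login HTTP/1.1" 200 512
10.0.0.5 - - [2024-05-01T12:00:00.498Z] "GET /processor.php?page=login HTTP/1.1" 200 512
10.0.0.5 - - [2024-05-01T12:00:01.003Z] "GET /processor.php?page=login HTTP/1.1" 200 512
10.0.0.5 - - [2024-05-01T12:00:01.499Z] "GET /processor.php?page=otp HTTP/1.1" 200 512
10.0.0.5 - - [2024-05-01T12:00:02.001Z] "GET /processor.php?page=otp HTTP/1.1" 200 512
10.0.0.9 - - [2024-05-01T12:00:00.000Z] "GET /index.php HTTP/1.1" 200 2048
10.0.0.9 - - [2024-05-01T12:00:07.300Z] "GET /processor.php HTTP/1.1" 200 512
10.0.0.9 - - [2024-05-01T12:00:19.800Z] "GET /processor.php HTTP/1.1" 200 512
"""
# client, ident, user, [timestamp], "METHOD path PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(log_text):
    """Yield (client_ip, timestamp, path) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%Y-%m-%dT%H:%M:%S.%fZ")
        yield m.group(1), ts, m.group(4).split("?", 1)[0]  # drop the query string

def find_pollers(log_text, endpoint="/processor.php", period_ms=500,
                 tolerance_ms=50, min_hits=4):
    """Return {client_ip: median_gap_ms} for clients hitting `endpoint` at ~period_ms."""
    hits = defaultdict(list)
    for ip, ts, path in parse(log_text):
        if path == endpoint:
            hits[ip].append(ts)
    flagged = {}
    for ip, stamps in hits.items():
        if len(stamps) < min_hits:          # too few requests to call it a cadence
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() * 1000 for a, b in zip(stamps, stamps[1:])]
        gap = median(gaps)                  # median: one stalled request does not hide the pattern
        if abs(gap - period_ms) <= tolerance_ms:
            flagged[ip] = round(gap, 1)
    return flagged

if __name__ == "__main__":
    print(find_pollers(SAMPLE_LOG))   # {'10.0.0.5': 500.0}
```

Ordinary page loads (client 10.0.0.9 above) touch the endpoint too rarely and irregularly to be flagged, so the check is useful as a hunting query rather than a blocking rule.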
The campaigns associated with Premium Panel are not isolated. The timeline demonstrates repeated exploitation of the toolkit across multiple geographies and industries, with activity intensifying in 2023 and 2024. Intrinsec stated, “We anticipate that threat actors will continue to use this toolkit for phishing purposes, usurping known companies.”