Red Bull Job Scam Exposed: Phishing Campaign Spoofs Brands, Uses “Slow Kill” Tactics to Steal Credentials

Phishing remains one of the most enduring threats to cybersecurity—not for a lack of technological defense, but because of the boundless ingenuity of attackers. Evalian’s Security Operations Centre (SOC) recently unearthed a convincing and evasive phishing campaign that exploited legitimate services, spoofed trusted brands, and sailed past automated security systems—all under the guise of a Red Bull job offer.

This is how the scam begins—simple, familiar, and deceptively authentic. As Evalian’s analysts noted, “Behind the polished tone and fake opportunity lies a multi-domain phishing campaign designed to steal credentials, rapidly deployed infrastructure using low-cost Virtual Private Servers (VPS) for churn, a spoofed Facebook login page, and clever abuse of reputable domains and services.”

Despite passing SPF, DKIM, and DMARC checks, the phishing email made it directly into inboxes. It appeared to originate from messaging-service@post.xero[.]com and passed Microsoft’s Spam Confidence Level with a score of just 1—nowhere near enough to raise alarms.

The real trick was hidden in the Reply-To field: red.bull.crew@srbs.user0212-stripe[.]com. Evalian explains: “This technique, riding on the reputation of a legitimate sender, is increasingly common in modern phishing campaigns.” Using legitimate services like Mailgun allowed the attackers to exploit trusted infrastructure.

Evalian’s SOC loaded the suspicious link—hxxp://redbull-social-media-manager.apply-to-get-hired[.]com—in a sandboxed environment and found a multi-step lure:

1. A reCAPTCHA challenge to deflect automated scanners.
2. A fake job description, mimicking a Glassdoor listing.
3. A spoofed Facebook login page, perfectly replicating the user interface.

Once credentials were entered, they were silently POSTed to /login_job on the server. Despite returning a “504 Gateway Timeout” error, this tactic was likely deliberate. As Evalian explained, “Some phishing kits implement ‘slow kill’ techniques… to evade detection by sandboxes and automated scanners.”

Evalian’s analysts dug deeper by examining the TLS certificate. The certificate’s common name—bot2shimeta.charliechaplin7eont[.]space—was part of a larger infrastructure pattern. Using JARM fingerprinting, the team traced 21 related phishing domains hosted on similarly abusive VPS providers.

The infrastructure included subdomains such as:

• mrbeastmeta.charliechaplin7eont[.]space
• meta.charliechaplin7eont[.]space

These spoofed major brands and influencers, suggesting the kit’s broad and adaptable use across multiple campaigns.

This wasn’t a one-off. Evalian’s team tracked WHOIS records, DNS history, and TLS reuse to identify a network of disposable phishing domains. One such domain—srbs.user0212-stripe[.]com—masqueraded as a tech consultancy site. Evalian reported: “This domain has all the hallmarks of phishing infrastructure obfuscation… a cloaked page shown to non-targeted visitors.”

Their analysis also uncovered shared infrastructure with .mlko.my subdomains and recycled certificates seen in previous phishing attacks, suggesting the use of a phishing-as-a-service (PhaaS) model.

Related Posts:

• Malicious Browser Extension Hijacks Solana Transactions
• Microsoft: Spectre security patch will slow down your PC
• Slow Pisces Targets Crypto Developers with Deceptive Coding Challenges