Credential Phishing Pages Mimicking Legitimate Webmail Login Portals
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
Since August 2024, an India-linked threat actor has been targeting entities in China and South Asia using credential phishing pages that mimic legitimate webmail login portals. The campaign primarily focuses on government and defense sectors. The phishing domains share common characteristics, including registration via 1api, use of Royalhost nameservers, and resolution to IP address 65.21.85[.]206. The actor employs domain naming conventions related to webmail login or file download themes, often combined with references to specific targeted entities. Some domains redirect to credential phishing pages hosted on Netlify. The tactics, techniques, and procedures are consistent with previously reported Indian targeted intrusion actors, such as Sidewinder and Patchwork.
OPENCTI LABELS:
china, government, south asia, domain spoofing, credential phishing
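The summary above lists several infrastructure traits the campaign's phishing domains share (registration through 1api, Royalhost nameservers, resolution to 65.21.85[.]206, and webmail-login or file-download naming themes). The triage routine below is an added, defender-side example, not code from the OpenCTI report or its source; it scores domain records against those traits so that a domain matching several of them at once surfaces for review. The `DomainRecord` shape, the theme word list and the sample records are constructed for this example; the `.example` domains are hypothetical placeholders, and the only real indicator used is the IP address from the summary.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Traits reported for the campaign in the summary above. The IP is stored
# defanged as written on the page and refanged here for comparison.
SUSPECT_IP = "65.21.85[.]206".replace("[.]", ".")
SUSPECT_REGISTRAR = "1api"
SUSPECT_NS_KEYWORD = "royalhost"
# Constructed list of naming themes (webmail login / file download) to look for
# in domain labels; extend to match the portals an organisation actually runs.
THEME_WORDS = ("webmail", "mail", "login", "signin", "download", "file", "share")


@dataclass
class DomainRecord:
    """One domain with the WHOIS / passive DNS fields needed for scoring (constructed shape)."""
    domain: str
    registrar: str
    nameservers: List[str]
    resolved_ip: str


def matched_traits(rec: DomainRecord) -> List[str]:
    """Return the campaign traits this record matches, in a fixed order."""
    traits: List[str] = []
    if rec.resolved_ip == SUSPECT_IP:
        traits.append("ip")
    if SUSPECT_REGISTRAR in rec.registrar.lower():
        traits.append("registrar")
    if any(SUSPECT_NS_KEYWORD in ns.lower() for ns in rec.nameservers):
        traits.append("nameserver")
    # Split the domain on dots and hyphens so "webmail-login.example" yields
    # the labels "webmail", "login", "example".
    labels = re.split(r"[.\-]", rec.domain.lower())
    if any(word in label for label in labels for word in THEME_WORDS):
        traits.append("naming")
    return traits


def triage(records: List[DomainRecord], min_traits: int = 2) -> Dict[str, List[str]]:
    """Flag domains matching at least `min_traits` traits; a lone naming hit is too noisy on its own."""
    flagged: Dict[str, List[str]] = {}
    for rec in records:
        traits = matched_traits(rec)
        if len(traits) >= min_traits:
            flagged[rec.domain] = traits
    return flagged


# Constructed sample records: one matching every trait, one benign mail host that
# only matches the naming theme, and one matching registrar, nameserver and naming.
SAMPLE_RECORDS = [
    DomainRecord("webmail-login-exampleministry.example", "1API GmbH",
                 ["ns1.royalhost.example", "ns2.royalhost.example"], SUSPECT_IP),
    DomainRecord("mail.example.org", "Example Registrar Inc.",
                 ["ns1.example.org"], "203.0.113.7"),
    DomainRecord("files-download-portal.example", "1api",
                 ["ns2.royalhost.example"], "198.51.100.5"),
]

if __name__ == "__main__":
    for domain, traits in triage(SAMPLE_RECORDS).items():
        print(f"{domain}: {', '.join(traits)}")
```

Raising `min_traits` to 3 drops domains that merely share a registrar and a naming theme, which is the trade-off to tune against the organisation's own false-positive tolerance; the IP and nameserver traits are the strongest discriminators here because they tie a domain to the reported hosting rather than to a common word.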