Diesel Vortex: Inside the Russian cybercrime group targeting US & EU freight

by Have I Been Squatted · 35 min read

Overview#

In February 2026, Have I Been Squatted, in joint collaboration with Ctrl-Alt-Intel, uncovered a sophisticated criminal phishing operation run by a Russian threat actor group we are designating Diesel Vortex. The group spent at least five months systematically targeting freight and logistics companies across the United States and Europe, stealing over 1,600 unique login credentials from users of major logistics platforms including DAT Truckstop, Penske Logistics, Electronic Funds Source (EFS), and Timocom. Telegram webhook logs recovered from the platform show Armenian-language coordination among operators, indicating an Armenian-speaking component alongside the Russian infrastructure ties.

This operation was not the work of a lone actor. It was a structured, financially driven criminal service sold to other operators, with evidence suggesting the group was actively employing spearphishing and voice phishing techniques, specifically targeting trucking and logistics Telegram groups. Through the impersonation of the legitimate platforms that their targets would be using daily, operators intercepted logins and multi-factor authentication codes in real time, and went on to intercept shipment information (via invoice redirection and double‑brokering), access personal details, and steal funds.

Despite sophisticated technical infrastructure including automated domain rotation, layered anti-detection systems, and Telegram-based operator consoles, the actor made critical mistakes that exposed their full codebase, victim database, internal communications, and future plans. This has provided us with a rare insight into the inner workings of the group, their criminal network, and the financial infrastructure sustaining it.

Collaborative investigation#

We want to acknowledge the teams at Google Threat Intelligence, Cloudflare, GitLab, IPInfo and Ping Identity who were involved in the coordinated takedown of this infrastructure. We also want to thank the Microsoft Threat Intelligence Center and CrowdStrike for their additional assistance, and the affected parties who assisted with victim notification efforts.

We also highlight the joint research with the team at Ctrl-Alt-Intel who helped extend the research within a timeframe that otherwise would not have been possible -- ensuring existing victims were notified and that the operation was brought down in a timely manner, including analysis of Armenian-language operator logs and infrastructure pivots.

What’s the impact?#

Based on our investigation, we can confirm that the current iteration of the operation has been running between September 2025 and February 2026. Additional coordination data suggests related operator activity predates this time period, but that earlier activity is assessed with lower confidence than the confirmed campaign period.

| Metric | Value |
| --- | --- |
| Stolen credentials | 3,474 pairs (1,649 unique) |
| Unique visitor IPs | 9,016 |
| Phishing domains deployed | 52 |
| Target contact emails | 75,840 (57,092 unique) |
| Check fraud attempts (EFS) | 35 |

Chart: Compromised credentials, September 2025 - February 2026 (1,649 unique credentials compromised)

How we got here#

Have I Been Squatted flagged an unusual cluster of domain typosquats targeting a customer domain. While investigating one of these sites, we discovered an exposed .git directory served at the root of the domain.

Git is a version control system developers use to track changes to code over time. When accidentally exposed on a web server, a .git directory can leak an entire project's source code, commit history, and contributor identities. Using the open-source tool git-dumper, we were able to obtain and reconstruct the full repository. A SQL dump dated February 4, 2026 (36.6MB) provided a detailed picture of platform activity.

```
$ curl -i https://rsrmissecured.top/.git/config
HTTP/2 200
date: Mon, 23 Feb 2026 ██:██:██ GMT
content-length: 281
last-modified: Wed, 28 Jan 2026 10:11:58 GMT
accept-ranges: bytes
server: cloudflare
cf-cache-status: DYNAMIC
alt-svc: h3=":443"; ma=86400

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = git@gitlab.com:global-profit-team/src/globalprofit_panel.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
    remote = origin
    merge = refs/heads/main
```

```
$ ll ~/src/
total 71328
drwxr-xr-x 63 root root     2016 Feb 13 23:42 ./
drwxrwxrwt  1 root root     4096 Feb 13 23:38 ../
drwxr-xr-x 14 root root      448 Feb 13 23:42 .git/
-rw-r--r--  1 root root       81 Feb 13 23:42 .gitignore
-rw-r--r--  1 root root      959 Feb 13 23:42 .htaccess
-rw-r--r--  1 root root    26105 Feb 13 23:42 86236721-g127-651g-hs1jx4-63f6ls3as20lc.png
-rw-r--r--  1 root root     9932 Feb 13 23:42 9fa3c1b7-4d82-4e0f-a9b3-72c4f8e91d55.png
-rwxr-xr-x  1 root root     2335 Feb 13 23:42 OwnClass.php*
-rw-r--r--  1 root root     1244 Feb 13 23:42 README.md
-rw-r--r--  1 root root 33695925 Feb 13 23:42 SQL_DUMP.sql
drwxr-xr-x 89 root root     2848 Feb 13 23:42 ajax/
-rw-r--r--  1 root root     1223 Feb 13 23:42 ask_resend_central.php
-rw-r--r--  1 root root     1223 Feb 13 23:42 ask_resend_timocom.php
drwxr-xr-x 40 root root     1280 Feb 13 23:42 assets/
drwxr-xr-x 29 root root      928 Feb 13 23:42 assets2/
-rw-r--r--  1 root root   134652 Feb 13 23:42 authorize.php
lrwxr-xr-x  1 root root        4 Feb 13 23:42 awstats-icon -> icon/
lrwxr-xr-x  1 root root        4 Feb 13 23:42 awstatsicons -> icon/
-rw-r--r--  1 root root       40 Feb 13 23:42 ban.php
-rw-r--r--  1 root root     1501 Feb 13 23:42 config.php
drwxr-xr-x 15 root root      480 Feb 13 23:42 cron/
drwxr-xr-x 21 root root      672 Feb 13 23:42 csv/
-rw-r--r--  1 root root 38384404 Feb 13 23:42 dump_04_02_2026.sql
drwxr-xr-x 22 root root      704 Feb 13 23:42 google/
drwxr-xr-x  9 root root      288 Feb 13 23:42 icon/
-rw-r--r--  1 root root    22509 Feb 13 23:42 index.php
-rw-r--r--  1 root root     3254 Feb 13 23:42 jquery.cookie.js
drwxr-xr-x  4 root root      128 Feb 13 23:42 landing/
drwxr-xr-x 29 root root      928 Feb 13 23:42 live/
-rw-r--r--  1 root root   266114 Feb 13 23:42 login.php
-rw-r--r--  1 root root     5436 Feb 13 23:42 logo1.png
drwxr-xr-x 34 root root     1088 Feb 13 23:42 njhTghagTGgYT/
-rw-r--r--  1 root root        0 Feb 13 23:42 output.txt
-rw-r--r--  1 root root     6414 Feb 13 23:42 page.php
drwxr-xr-x 29 root root      928 Feb 13 23:42 phpmy/
-rw-r--r--  1 root root    19907 Feb 13 23:42 send.php
-rw-r--r--  1 root root     6963 Feb 13 23:42 send_2fa_teleroute.php
-rw-r--r--  1 root root     7000 Feb 13 23:42 send_codx_teleroute.php
-rw-r--r--  1 root root     6788 Feb 13 23:42 send_efs_2fa.php
-rw-r--r--  1 root root     8274 Feb 13 23:42 send_efs_checks.php
-rw-r--r--  1 root root     6788 Feb 13 23:42 send_efs_code.php
-rw-r--r--  1 root root     6249 Feb 13 23:42 send_efs_first.php
-rw-r--r--  1 root root     6794 Feb 13 23:42 send_efs_pinnumber.php
```

In addition to the phishing templates we identified, we also found code relating to a Phishing-as-a-Service (PhaaS) platform under active development branded internally as "GlobalProfit" and seemingly marketed to other operators under the name "MC Profit Always". MC likely refers to ‘US Motor Carrier’, a unique operating authority identifier issued by the Federal Motor Carrier Safety Administration (FMCSA).

The Git config pointed to a private code repository hosted on GitLab.com. The Git reflog shows a two-contributor commit history with one contributor responsible for most core platform commits and another adding deployment documentation in Russian in February 2026.

```
$ git log --all --format='%aN <%aE>' | sort | uniq -c | sort -nr
      7 root <[email protected]>
      2 Babmble Bee <[email protected]>
```

We monitored the exposed repository for new commits over the course of our analysis, observing daily development activity. Test subscriber accounts, payment processing infrastructure, and deployment documentation were all added in the weeks before discovery. Later commits show signs of scrubbing secrets and making the codebase more production-ready, indicating that the operators were likely preparing for a wider commercial launch.

Git Monitor notification showing two new commits on rsrmissecured.top: UPD new actual SQL with dump_18_02_26.sql added, and Clear all logs with modified .gitignore, .htaccess, and ajax files
Two commits: SQL dump update and cleanup of logs, error outputs, and unused functions
Git Monitor notification showing one new commit on rsrmissecured.top: Update new project Wizzard with randomizer for fields and Telegram message logic, modifying ajax, google, live, yahoo, and template files
Commit updating the project Wizard with field randomizer and new editing logic

Targeting US & EU logistics sectors#

The group built dedicated phishing infrastructure for platforms used daily by freight brokers, trucking companies, and supply chain operators. Load boards, fleet management portals, fuel card systems, and freight exchanges were all in scope. These platforms combine high transaction volumes with a workforce that isn't typically the primary focus of enterprise security programs, and the operators clearly knew it.

Compromised credentials spanned the logistics sector's operational backbone. Victims included users of major load boards like DAT Truckstop and Central Dispatch, where brokers and carriers connect to move freight. Fleet management systems from providers like Penske were targeted, as were fuel card networks including Electronic Funds Source (EFS).

A separate template was dedicated specifically to EFS check fraud. European and North American freight exchanges including Timocom, Teleroute, and Highway were also in scope, along with logistics platforms like Girteka serving cross-border transport.

The Bigger Picture#

Among the most valuable artefacts recovered from the exposed repository was a 3.5MB file, apidata-full.txt, stored within the code for the Google phishing module. This file contained the complete raw Telegram callback data logged by the platform’s webhook handlers, effectively capturing every interaction the operators had with their own infrastructure over the course of the operation. While much of this data related to victim notifications and credential alerts, it also provided our first direct window into the actors behind the platform, their communications, working patterns, and internal structure.

Embedded within the volume of callback data was a link to an Xmind mind map that had been shared between operators. Remarkably, when accessed ten months after the document’s last modification, the link remained live. The mind map below appears to represent the group’s entire operational blueprint, providing a top-down overview of the platform’s structure, revenue streams, staffing roles, acquisition methods, and targeted communities.

Xmind mind map showing Diesel Vortex operational blueprint with branches for staffing roles, acquisition channels, revenue tracking, and targeted Telegram communities
Screenshot of the recovered Xmind mind map authored by [email protected], outlining the group's full operational structure

The map revealed a highly organised operation. It outlined distinct functional roles including a call-centre, mail support, programmer, and staff responsible for finding drivers, carriers, and logistics contacts. It detailed acquisition channels including DAT Search Truck, general mail campaigns, and rate confirmation fraud, alongside revenue figures for different operational tiers.

We recreated an interactive, translated version of the original mindmap below.

A dedicated section mapped out the group’s infiltration of logistics and trucking Telegram communities, with dozens of specific channels listed as active or intended targets for victim acquisition. The map also referenced resellers, outsourcing arrangements, and financial tracking across categories including calls, mail, rate confirmations, expenses, and revenue.

This blueprint only reinforced what the codebase had already made clear: this was not an opportunistic campaign. It was a deliberate, structured criminal enterprise with defined roles, revenue targets, and a long-term growth strategy.

There are ghosts in the machine#

The platform is a traditional LAMP (Linux, Apache, MySQL/MariaDB, PHP) stack with an application spanning over 2,100 files, backed by a 54-table database.

The recovered codebase was not built in a single pass. Its central configuration file (config.php) sets the panel hostname to lpanel-bumaepxuje.top and all filesystem paths to /home/lpanel-bumaepxuje/, yet several core modules still resolve a data file from /home/highrisecarriers/, a completely different hosting account. The Google, Yahoo, and Microsoft credential-capture pages are among those pointing to this older path.

The Telegram webhook handler adds another layer. It connects to a database under the identity office1-central, with its own distinct credentials. A fourth domain (lpanel-bckaoplsks.top) appears across hundreds of referrer entries in the recovered SQL dump, recording real victim traffic that arrived through that hostname. The iframe API domain (lpanel-bumaepxuje-iframe.top) is the only secondary domain that appears to be intentionally active rather than a leftover.

The admin panel directory contains several backup and superseded files alongside .backup copies of active pages. Older versions of the login page, domain management interface, mailer configuration, and link management all remain in place. These are the kind of artefacts that accumulate when a codebase is iteratively ported and patched rather than cleanly deployed from a single source of truth.

As such, we strongly believe that this codebase was moved and/or adapted across multiple environments before the currently recovered deployment. The mixed panel hostnames, divergent filesystem paths, inconsistent database credentials, and retained legacy files all point to the same conclusion: this actor had been operating for a longer period than we are able to observe, possibly over multiple years.

Cloaking, the main event#

Every request passes through a nine-stage cloaking funnel before the phishing page is rendered. At any stage, the request can be dropped, redirected, or served an HTTP error code; the specific error code is configurable, so operators could make the server appear to be in any number of benign broken states.

1. Global kill switch#

A system_status table in the database controls whether the platform serves anything at all. A single database field toggles the entire operation on or off, returning a configurable HTTP status code (400 through 505) to all visitors when disabled. The operators can turn the lights off instantly across all campaigns without touching DNS or server configuration.

2. Activity and scheduling#

Before any visitor filtering occurs, the kit evaluates five conditions in the following priority order. Any failure in this chain terminates the request.

  1. Whether the link is active
  2. Whether the link is being accessed within its allowed scheduled time window
  3. Whether the associated domain is active
  4. Whether the assigned template is active
  5. Whether the template's own schedule allows access

3. IP blocklist#

The cicklock_filter table [sic] contains 254 entries covering IP ranges belonging to security vendors, cloud providers, and research organisations. Entries support both exact IP matches and CIDR notation. Blocked ranges include Facebook, Google, AWS, Azure, DigitalOcean, Hetzner, and a range of security tool providers such as but not limited to, Cisco and Palo Alto.

4. ISP filtering#

Rather than relying on IP ranges alone, the platform also performs an ISP lookup via the ipinfo.io API. The response is checked against a list of 49 blocked ASN organization name substrings using bidirectional matching, so a visitor whose ISP name contains "Google", "Microsoft", "Palo Alto", "Cisco", or "Yandex" (among others) is blocked, regardless of whether their IP appears in the static blocklist. This catches cloud egress and corporate security infrastructure that rotates IPs too frequently to maintain in a static list.

5. User-agent filtering#

Sixteen user-agent patterns are blocked outright, covering the major search crawlers (Googlebot, Bingbot, Slurp, Baidu, Yandex) and generic automation identifiers. A secondary check in page.php runs the same logic for visit registration. If the user-agent is empty or matches bot|crawler|spider|curl|wget|python|facebook|preview, the visit is silently discarded.

6. URL parameter gate#

Each phishing link record in the database has a clo_parameter and clo_value column. The victim's URL must include a specific GET parameter with a matching value (for example, ?ref=abc123). Without this pair, the request is dropped. Phishing URLs cannot be discovered by crawling or scanning; they only work when distributed with the correct parameter embedded, as they would be in a targeted email campaign.

7. Custom URL path validation#

The custom URL path validation stage requires the request path to exactly match the link’s custom_url_string configured in the database.

For example, the EFS template uses a custom_url_string = /security/logon.jsp and iframe_domain = ernigr-esfilc.com. A request like https://ernigr-esfilc[.]com/security/logon[.]jsp?verify=7g2q978fg11jka=891FHjaH32-2f1Hnb2sF passes because the path before the query string is /security/logon.jsp. Requests to /, /security/, or any other path are blocked, so crawlers or scanners that hit the root or common paths never reach the phishing page.

8. Ban list check#

The banlist table is checked against the visitor's session ID and IP address. Sessions can be banned individually or by IP. Operators trigger bans via a Ban command in the Telegram operator interface. A softer variant, Block24, applies a 24-hour temporary block. The earliest ban dates to October 2025.

9. iframe token validation#

When a phishing link is configured to use a secondary "iframe domain" (discussed below), requests to the system domain must carry a valid HMAC-SHA256 signed token in the ?tocken= parameter [sic]. The token is generated server-side and is injected into the iframe src attribute before the page is served. The token uses a base64(payload).hex(hmac_signature) format and a 10-second TTL. Tokens are single-use, but critically, the server never enforces a maximum lifetime: it only checks that the expiry is still in the future. This means that a forged token with an arbitrarily long TTL passes validation. Since the HMAC secret and all claim values are hardcoded in the source code, we could trivially forge tokens to bypass the advertise-domain layer entirely. The dual-domain architecture that this token protects, and why it matters, is discussed in the next section.
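The lifetime gap described above, as an added illustration (this is not the kit's code): a token in the base64(payload).hex(hmac) shape, with a verifier that only checks that the expiry is still in the future beside one that also bounds the lifetime against the issue time. The signing secret, the claim names (iat, exp, nonce) and the timestamps are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder; the kit's real hardcoded secret is deliberately not reused here.
SECRET = b"placeholder-signing-secret"
MAX_TTL_SECONDS = 10  # the 10-second TTL the article describes


def _sign(payload_b64: str) -> str:
    return hmac.new(SECRET, payload_b64.encode(), hashlib.sha256).hexdigest()


def issue_token(now: int, ttl: int = MAX_TTL_SECONDS, nonce: str = "n1") -> str:
    """Mint a token in the base64(payload).hex(hmac) shape the article describes.
    The claim names iat/exp/nonce are assumptions made for this illustration."""
    payload = json.dumps({"iat": now, "exp": now + ttl, "nonce": nonce}, separators=(",", ":"))
    payload_b64 = base64.urlsafe_b64encode(payload.encode()).decode()
    return f"{payload_b64}.{_sign(payload_b64)}"


def _parse(token: str):
    """Return the claims only if the signature verifies and the payload is well-formed."""
    payload_b64, _, sig = token.rpartition(".")
    if not payload_b64 or not hmac.compare_digest(sig, _sign(payload_b64)):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or "nonce" not in claims:
        return None
    if not isinstance(claims.get("iat"), int) or not isinstance(claims.get("exp"), int):
        return None
    return claims


def verify_lax(token: str, now: int, seen: set) -> bool:
    """The check the article describes: signature, single use, and 'exp is still
    in the future'. Nothing bounds how far in the future exp may lie."""
    claims = _parse(token)
    if claims is None or claims["nonce"] in seen or claims["exp"] <= now:
        return False
    seen.add(claims["nonce"])
    return True


def verify_strict(token: str, now: int, seen: set) -> bool:
    """Hardened variant: additionally rejects tokens dated in the future and tokens
    whose exp - iat exceeds MAX_TTL_SECONDS, so exp alone cannot extend validity."""
    claims = _parse(token)
    if claims is None or claims["nonce"] in seen:
        return False
    iat, exp = claims["iat"], claims["exp"]
    if exp <= now or iat > now or exp - iat > MAX_TTL_SECONDS:
        return False
    seen.add(claims["nonce"])
    return True


if __name__ == "__main__":
    now = 1_700_000_000
    ten_year = issue_token(now, ttl=10 * 365 * 86400)
    print("lax accepts a 10-year token a day later:", verify_lax(ten_year, now + 86400, set()))
    print("strict accepts the same token:", verify_strict(ten_year, now + 86400, set()))
```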

The dual-domain architecture#

The dual-domain architecture is arguably the most technically interesting part of this kit. Rather than distributing the phishing domain directly in emails, the platform uses two separate domains working in tandem -- a "system" domain (hosted on a .top or .icu TLD) and an "advertise" domain (typically hosted on a .com TLD). The advertise-domain is what victims see in the phishing emails sent by the threat actors (likely picked because .com portrays legitimacy) while the system-domain does the actual work behind the scenes.

When a victim clicks the link in a phishing email, they land on the advertise-domain. This page acts as a thin wrapper by serving a minimal HTML page containing a full-screen iframe. This essentially functions as an embedded browser window that loads a second webpage within the first, filling the entire visible page. The advertise-domain’s iframe src points to the system-domain, where the real phishing content lives. Critically, the victim never sees or requests the system-domain directly; their address bar only ever shows the .com advertise-domain.

Since we had access to the SQL dump, we could validate that the top-frame request looks as follows.

GET https://penskecar[.]riersrmissecured[.]com/_c/cstm/4325/reg/DOTLookup.aspx
Browser DevTools Elements tab showing the Penske phishing page with a full-screen iframe loading content from the system domain while the advertise domain appears in the address bar
DevTools revealing the dual-domain iframe structure: the advertise domain serves a thin HTML wrapper containing an iframe to the system domain

The advertise-domain returns this minimal HTML wrapper, and the victim's browser then fetches the phishing content from the system-domain (penskecar[.]rsrmissecured[.]top) inside the iframe. To prevent direct access by scanners and researchers, the iframe URL includes the signed token discussed in Step 9 above.

This token is an HMAC-SHA256-signed payload using the (amusingly named) hardcoded super_secret_key_123 as the signing secret, with a 10-second TTL and replay protection. The signature is meant to ascertain that the request came from a legitimate advertise-domain session rather than a direct scan.

Browser DevTools Network tab showing the Penske phishing page source code with the postMessage bridge and HMAC-signed iframe token
Network tab showing the advertise domain page source with the postMessage cross-origin bridge and iframe token validation

This dual-domain split also enables the kit's real-time command loop. The top-frame page served by the advertise-domain runs a JavaScript polling loop that hits /ajax/check_request.php on the system-domain every second. That endpoint checks the requests table for any pending operator commands for the victim's session. These commands originate from the Telegram operator channel, where operators click inline buttons (e.g., "Gmail", "Live", "Yahoo", "Ban", "Phone Code") after receiving a credential-theft notification.

CargoConvoy Telegram operator console showing a Highway victim session with IP address, link to highway.cargoesconvoys.icu, user agent, MC/DOT number, firm name, and inline buttons for Invalid, Go Code, Gmail, Live, Yahoo, Refresh, Redirect, and Ban
Operator console showing a carrier session (Highway) with MC/DOT and firm name before credential capture
CargoConvoy Telegram operator console showing a victim session with link to cargoesconvoys.icu, user agent, captured login and password fields, and inline buttons for Invalid, Go Code, Gmail, Live, Yahoo, Refresh, Redirect, 24 hour block, and Ban
Operator console showing a credential capture session with login and password fields

When a command is returned, the advertise-domain top frame executes it by calling postMessage() into the iframe that contains the phishing page. Supported actions include redirecting the user (navigating the iframe to a new URL, such as the Google, Microsoft, or Yahoo phishing modules) and refresh (reloading the current page). The postMessage() bridge is what allows an operator sitting in Telegram to, in real time, steer a victim from a logistics credential form into an email phishing flow or ban them from the session, all while the victim is only ever aware of the .com advertise-domain in their address bar. The iframe receives the message, acts on it, and the victim is none the wiser that the instruction originated from a cross-domain operator channel.

Architecture diagram showing the seven-step dual-domain phishing flow from victim click through advertise domain iframe to system domain, with Telegram operator C2 and postMessage bridge
Dual-domain architecture: the victim lands on the advertise domain (.com), which loads the system domain (.top/.icu) inside an iframe. Operators control the flow via Telegram commands that are polled every second

The advertise URL is a static string built from the link record https://{subdomain}.{iframe_domain}{custom_url_string}[?{clo_parameter}={clo_value}] (or without subdomain if blank). Operators obtain it from the admin panel links list or the Telegram bot, then manually paste it into the email campaign HTML when composing phishing emails.

Operators can hot-swap either domain independently through the admin panel or the Telegram /domains bot command; burned domains can be replaced in seconds without disrupting active sessions.

One of the key takeaways in this analysis is how the dual-domain architecture effectively bypasses browser block-list protections. When the system domain gets flagged as malicious, the victim never navigates to it directly. Their browser loads the advertise-domain in the top frame, which is clean. The flagged system-domain only appears inside the iframe. Based on our testing, it seems that these browser safety features evaluate the top-level frame only, allowing the inner iframe on the flagged origin to render without any warnings. The phishing content loads in full view of the victim, served from a domain that has already been identified as malicious.

Penske phishing page loaded through the advertise domain showing the iframe structure in DevTools while the address bar displays the clean .com domain
The advertise domain in the address bar appears clean to the victim, while the phishing content loads from the flagged system domain inside the iframe
Chrome Dangerous site warning displayed when navigating directly to the system domain on the .top TLD
The same system domain is flagged as dangerous when accessed directly, but this warning is bypassed when loaded inside the iframe
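A defender-side check for the thin-wrapper pattern described in this section, added here as an example (not the project's or the kit's code): it parses a page with the standard library and scores the signals above, namely a full-screen cross-site iframe carrying a query token, very little visible text, a polling loop and a postMessage bridge. The hostnames, the 200-character text threshold and both sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _WrapperScan(HTMLParser):
    """Collects iframe attributes, inline script text and the amount of visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes = []
        self.scripts = []
        self.visible_chars = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
        else:
            self.visible_chars += len(data.strip())


def _site(host: str) -> str:
    """Crude registrable-domain approximation (last two labels); a real deployment
    would consult the public suffix list instead."""
    return ".".join(host.lower().split(".")[-2:])


def _is_full_screen(attrs: dict) -> bool:
    style = attrs.get("style", "").replace(" ", "").lower()
    if "position:fixed" in style or ("width:100" in style and "height:100" in style):
        return True
    return attrs.get("width") == "100%" and attrs.get("height") == "100%"


def scan_wrapper(html: str, page_host: str) -> dict:
    """Score a page for the thin-wrapper pattern: a nearly empty top frame whose
    only content is a full-screen cross-site iframe driven by a polling script."""
    scanner = _WrapperScan()
    scanner.feed(html)
    js = "\n".join(scanner.scripts)
    cross_site = []
    for frame in scanner.iframes:
        host = urlparse(frame.get("src", "")).hostname
        if host and _site(host) != _site(page_host):
            cross_site.append(frame)
    indicators = {
        "cross_site_full_screen_iframe": any(_is_full_screen(f) for f in cross_site),
        "query_token_in_iframe_src": any("?" in f.get("src", "") for f in cross_site),
        "little_visible_text": scanner.visible_chars < 200,  # threshold is an assumption
        "postmessage_bridge": "postMessage" in js,
        "polling_loop": "setInterval" in js or "setTimeout" in js,
    }
    score = sum(indicators.values())
    return {
        "indicators": indicators,
        "score": score,
        "suspicious": score >= 4,
        "iframe_hosts": [urlparse(f["src"]).hostname for f in cross_site],
    }


# Constructed sample modelled on the wrapper the article describes (not the kit's markup).
WRAPPER_SAMPLE = """<!doctype html><html><head><title>Carrier Sign In</title></head><body style="margin:0">
<iframe src="https://login.system-example.top/security/logon.jsp?tocken=payload.signature"
        style="position:fixed;top:0;left:0;width:100%;height:100%;border:0"></iframe>
<script>
  var frame = document.querySelector("iframe");
  setInterval(function () {
    fetch("https://login.system-example.top/ajax/check_request.php?sid=1")
      .then(function (r) { return r.text(); })
      .then(function (cmd) { if (cmd !== "wait") { frame.contentWindow.postMessage(cmd, "*"); } });
  }, 1000);
</script></body></html>"""

# Constructed benign page: real content plus an ordinary same-site iframe.
BENIGN_SAMPLE = """<html><body><h1>Carrier onboarding</h1>
<p>""" + "Read the requirements and complete each form. " * 8 + """</p>
<iframe src="https://docs.advertise-example.com/help" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(scan_wrapper(WRAPPER_SAMPLE, "penske.advertise-example.com"))
    print(scan_wrapper(BENIGN_SAMPLE, "www.advertise-example.com"))
```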

Credential harvesting flows#

The platform maintains 22 target-specific templates, each with its own credential capture handler and database table. EFS is the most elaborately targeted, with flows that capture login, password, PIN, security token, and 2FA code in sequence. Template 22 is dedicated entirely to EFS check fraud, capturing check number, dollar amount, payee name, and money code. Thirty-five check fraud attempts were confirmed in the database at the time of analysis.

Once a credential is captured, the operator sends a Telegram command redirecting the victim to a secondary phishing page targeting their email provider. Separate modules exist for Google, Microsoft Office 365, and Yahoo. The Google module presents a multi-stage flow covering email address, password, and six different 2FA method variants. The victim's browser polls the server every second for operator instructions; the operator controls the flow in real time through Telegram buttons. Operator approval is required for each step--without a live operator, the victim cannot advance. When the operator signals completion, the wrapper redirects the victim to the legitimate target URL so they believe they signed in successfully while the operator retains the stolen credentials.

Penske Transportation Management phishing page showing carrier general requirements and qualification criteria
Step 1: the victim lands on a cloned Penske carrier registration page listing general requirements
Penske carrier prequalification form requesting MC/DOT number, US DOT number, and state permit details
Step 2: the carrier prequalification form harvests MC number, DOT number, and permit information
Truckstop RMIS phishing login page with options to log in with an existing profile or create a new one
Step 3: a cloned Truckstop RMIS login page prompts the victim to authenticate
Truckstop phishing login page requesting email and password with a Continue with Google option
Step 4: the Truckstop credential capture form collects email, password, and offers a Google OAuth redirect
Fake Google Sign-in page branded for Truckstop requesting the victim's email address
Step 5: after clicking Continue with Google, the victim is redirected to a fake Google Sign-in page to capture their email
Fake Google Sign-in page for Truckstop showing a password field with an Incorrect password error, served from the advertise .com domain
Step 6: the fake Google password page, now served from the advertise .com domain, uses an 'Incorrect password' error to coax the victim into re-entering their credentials

Telegram operator console#

The kit uses Telegram as its primary command channel, enabling real-time interactive victim manipulation. Ten distinct bot tokens were recovered, each serving a specific operational function. Nine of the ten tokens remained active at the time of analysis; only the Yahoo OTP token had been revoked.

| Bot Name | Token | Chat ID | Purpose |
| --- | --- | --- | --- |
| TesterAlarm | 7967355869:AAHD9bNBM-*************************** | -1003515284204 | Main operator channel used for interactive victim manipulation |
| BlankAllert | 8181188332:AAEX0CLZQH*************************** | -1003003282427 | Credential delivery (Blank operator) |
| Admin1Allert | 8296067401:AAHCRnzUhS*************************** | -1003204336232 | Credential delivery (Leo operator) |
| OnlyAllert | 8134021983:AAEbd3CL8K*************************** | -1003190091768 | Credential delivery (Only/admin) |
| FirstNameAllert | 8414780197:AAHl4Xf4bZ*************************** | -1003248873206 | Credential delivery (FirstName operator) |
| WhenAllert | 8321990670:AAG5eHUhsM*************************** | -1003256643573 | Credential delivery (When/Penske operator) |
| StatusBot | 8427122724:AAExbpbNu0*************************** | -1003066791908 | Payment and project notifications |
| InfoAlarmBot | 7559073158:AAGnIg7rRj*************************** | -1003377185486 | Domain down alerts (inactive) |
| Registration Bot | 8563141260:AAHiBOv6eb*************************** | (webhook target) | Webhook registration helper |
| Yahoo C2 | 7227029718:AAFzi4WkuU*************************** | -2151162240 | Yahoo module credential delivery (revoked) |

Operator-driven credential harvesting#

When a victim submits credentials, the operator receives a Telegram message with inline buttons. The victim's browser polls /ajax/check_request.php every second, waiting for the operator's response. Without a live operator, the victim cannot advance—the server returns Invalid or wait and the page stays put. This points to active, hands-on activity, not passive harvesting.

The operator controls the entire flow through button presses. After capturing an email address, the operator clicks "Get Pass" to request the password. After capturing the password, they can request specific 2FA methods. The Invalid command (used 1,559 times across 4,657 logged requests) is particularly telling. Operators were regularly sending victims back to re-enter credentials, either to confirm accuracy or to capture 2FA tokens before they expired. When the operator signals completion (success or ban), the client sends postMessage('exit:' + rurl) to the parent frame, redirecting the victim to the legitimate target URL so they believe they signed in successfully while the operator retains the stolen credentials.

Infrastructure evolution and domain churn#

Follow-up reconnaissance revealed infrastructure lineage not present in the recovered code. The StatusBot webhook pointed to globalprofit-lpanel-abcdefghij[.]top, a domain that didn't appear anywhere in the source files or database. Investigation showed it was the original panel domain, registered September 23, 2025. It was suspended by the registrar approximately 17 days later (around October 10, 2025), likely following an abuse report, and now resolves to ns1[.]suspended-domain[.]com.

After that suspension, the operators stood up two successor panel domains:

| Domain | Registered | Registrar | Status |
| --- | --- | --- | --- |
| globalprofit-lpanel-abcdefghij[.]top | 2025-09-23 | PDR Ltd | Suspended (clientHold) |
| lpanel-kkbnukltpo[.]top | 2025-12-05 | Web Commerce Communications | Active |
| lpanel-bumaepxuje[.]top | 2026-01-06 | Global Domain Group LLC | Active (primary) |
| lpanel-bumaepxuje-iframe[.]top | n/a | n/a | Active (iframe API) |

Each new panel domain used a different registrar, a pattern consistent with an operator adapting after the first suspension. The naming convention also evolved--the original domain carried the "globalprofit" brand in plain text; later domains use random strings. The StatusBot webhook was never updated after the suspension, meaning domain-status and payment-alert notifications had been broken since October 2025.

Email campaign infrastructure#

The platform's built-in mailer used multiple spoofed sender personas routed through Zoho SMTP and Zeptomail infrastructure.

The "eMаnаgеr" in the second sender name is intentional. Those а characters aren't ASCII; they're Cyrillic Unicode homoglyphs, visually identical to the Latin letter but treated as a completely different string by email filters. We suspect this was done to evade keyword-based email filtering.

Original (ASCII):    eManager
Spoofed (homoglyph): eMаnаgеr   (Cyrillic а, а, е in place of Latin a, a, e)

The email body takes the same technique further.

Original (ASCII):
Thank you for using TIMOCOM. For your security please use the link below to verify your account details and confirm that your account has not been accessed by an unauthorized party.

Spoofed (homoglyph):
Thаnk yоu fоr using TIMОCОМ. Fоr yоur security plеаsе usе thе liпk belоw tо vеrifу уоur aссоunt dеtаils аnd соnfirm thаt your acсоunt hаs nоt beеn acсessеd bу аn unаuthоrizеd partу.

The words "vеrifу," "соnfirm," "aссоunt," and most of the surrounding words are laced with Cyrillic е, у, о, а and п characters. The subject lines follow the same pattern.

Original (ASCII):    TlMOCOM Verification
Spoofed (homoglyph): ТlМОСОМ Vеrifiсаtiоп

Original (ASCII):    Action Required to Authenticate Your Identity
Spoofed (homoglyph): Actioп Requirеd to Аuthеnticаte Yоur Idеntitу

One of the templates in the database is explicitly named "uniqualized - letters cyrylic".
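As an added example (this is not code from the report or from the kit), the following Python check is what a mail filter or SOC analyst could run over sender names, subject lines and bodies to flag exactly this technique: words that mix Latin and Cyrillic letters, and strings that only become a known brand phrase once the look-alike letters are folded back to Latin. The sample strings are constructed to reproduce the substitutions shown above; the confusables table is an assumption covering the letters seen here plus a few other common Cyrillic look-alikes. An all-Cyrillic word (a legitimate Russian word) is deliberately not flagged, since only script mixing inside a single word is the signal.

```python
import re
import unicodedata

# Constructed samples reproducing the substitutions seen in the recovered
# templates (Cyrillic а/е/о/у/с/п and capitals Т/М/О/С/А), written as escapes
# so the bytes are unambiguous.
SENDER_ASCII = "eManager"
SENDER_SPOOFED = "eM\u0430n\u0430g\u0435r"                                  # eMаnаgеr
SUBJECT_SPOOFED = ("\u0422l\u041c\u041e\u0421\u041e\u041c "
                   "V\u0435rifi\u0441\u0430ti\u043e\u043f")                # ТlМОСОМ Vеrifiсаtiоп
LEGIT_RUSSIAN = "\u041f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430"    # Поддержка, all Cyrillic

# Assumed confusables table: Cyrillic letters that render like Latin ones,
# mapped to the Latin letter they imitate. Not exhaustive (Unicode TR39 has
# the full list); enough for the substitutions observed in this campaign.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u043f": "n",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}

WORD_RE = re.compile(r"\w+")  # \w is Unicode-aware in Python 3, so it spans Cyrillic too


def script_of(ch):
    """Coarse script of one character, taken from its Unicode name; None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC"):
        if name.startswith(script):
            return script
    return "OTHER"


def mixed_script_words(text):
    """Return (word, [code points of its Cyrillic letters]) for every word that
    contains both Latin and Cyrillic letters. Pure-Cyrillic words pass."""
    findings = []
    for match in WORD_RE.finditer(text):
        word = match.group()
        scripts = {script_of(c) for c in word} - {None}
        if {"LATIN", "CYRILLIC"} <= scripts:
            cyr = [f"U+{ord(c):04X}" for c in word if script_of(c) == "CYRILLIC"]
            findings.append((word, cyr))
    return findings


def fold_confusables(text):
    """Map look-alike Cyrillic letters to Latin so the string can be matched
    against the keyword list the filter already knows."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def is_homoglyph_spoof(text, known_phrases):
    """True when text is not a known phrase byte-for-byte but becomes one after
    folding: the signature of a "uniqualized" template."""
    return text not in known_phrases and fold_confusables(text) in known_phrases


if __name__ == "__main__":
    for sample in (SENDER_ASCII, SENDER_SPOOFED, SUBJECT_SPOOFED, LEGIT_RUSSIAN):
        print(repr(sample), "->", mixed_script_words(sample), "| folded:", fold_confusables(sample))
    print(is_homoglyph_spoof(SUBJECT_SPOOFED, {"TlMOCOM Verification"}))
```

Folding before keyword matching is the point: a filter that only looks for the literal string "TIMOCOM Verification" never sees it in the spoofed subject, while the mixed-script check fires on every word the kit touched.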

Cryptocurrency and financial intelligence#

The platform's subscription model accepted BTC and USDT through an external payment processor. Wallet values stored directly in the recovered database appear to be placeholders, indicating that operational payment artifacts were likely managed through external service records rather than local configuration.

A separate recovered Telegram message archive indicates active crypto-linked coordination among operators and supports the assessment that the campaign was financially motivated and moving toward broader commercialization.

Admin panel and subscriber model#

The admin panel sits at /njhTghagTGgYT/ (a randomized path) behind a session-based RBAC layer.

[Screenshot] The GlobalProfit 'MC Profit Always' PhaaS admin panel login page, showing the branded login form at lpanel-bumaepxuje.top

The admin panel's live monitoring view renders victim-submitted credential data as raw HTML with no sanitization. Credentials are stored in the user_messages table with <b class="copyable"> tags for one-click copying in the interface, and the JavaScript rendering inserts msg.message directly into innerHTML. An escapeHtml() function exists in the source but is applied only to non-message fields. We'll leave the implications of that as an exercise for the reader.

There are two support contacts mentioned in the footers of the admin panel. One, in njhTghagTGgYT/template/footer.php, shows "© yasomawork.space | for the profit" with a "Поддержка" ("Support" in Russian) link to t.me/whataproblemhere. The other, in njhTghagTGgYT/adm-footer.php, shows "GlobalProfit | for the profit" and a commented-out "Support" link pointed to t.me/sqncd.

Attribution#

We are designating this actor as Diesel Vortex based on correlated technical and operational indicators.

OSINT context#

The following OSINT relationship map, discovered by Ctrl-Alt-Intel, visualizes publicly available administrative overlaps observed during this investigation. At a high level, the map highlights a cluster of logistics-adjacent entities, domains, and contact points that intersect with infrastructure observed in the spearphishing operation.

Notable overlaps include shared registrar usage, repeated contact emails, and corporate addresses that appear across multiple entities. The map also captures the relationship between yasomawork.space (seen in the recovered panel) and its registration trail, alongside adjacent domains associated with "Unix Group" and related logistics entities.

[Figure] OSINT relationship map derived from public records, domain registration metadata, and infrastructure overlaps, showing administrative overlaps between logistics entities, domain registrations, and infrastructure linked to the Diesel Vortex operation. Faces and personal identifiers redacted. This map illustrates administrative linkages and should not be read as attribution on its own.

We consider these connections administrative and infrastructural signals: useful for correlation but not sufficient on their own to assign responsibility. Our attribution assessment remains grounded in recovered source code, database artifacts, and operational telemetry; the OSINT map serves to strengthen investigative pivots and highlight where additional registry or law-enforcement data could confirm or refute linkage.

Language, geography, and operational patterns#

Russian is the primary language throughout the recovered environment (commit text, comments and deployment docs). Timezone analysis of Git commits and database timestamps is consistent with UTC+2 to UTC+4. The subscription model and marketing documentation were aimed at Russian-speaking criminal markets.

EXIF metadata (digital metadata inside files) from the phishing kit revealed three pixel-identical copies of an EFS logo, all created in Adobe Photoshop 2022 on a Windows machine. The embedded XMP data shows a UTC+3 timezone (Moscow Standard Time) and a Russian-locale Photoshop installation, with default layer and channel names written in Russian (Прозрачность, Без имени-1). These aren't transliteration artifacts; they're strings Photoshop only produces when the application itself is configured for a Russian UI. Combined with the Moscow-aligned timezone, this places the kit's graphic assets as originating from a Russian-speaking operator likely working in the Moscow time zone.

We have also been able to extract raw Telegram messages dating back to 2024 that show the early work of building and testing the voice phishing and Telegram operations (translated from Russian below; usernames and timestamps as recovered).

2024-11-22 16:32:00 UTC sapip_188
616-455-1327 dipatch
2024-11-22 19:05:37 UTC sapip_188
USCARGOEXPRESSyahoo.com
2024-11-22 20:40:04 UTC sapip_188
ATWALFREIGHTGMAIL.COM
2024-12-06 14:20:30 UTC GroupAnonymousBot
no no, it won't work like that
2024-12-06 14:20:45 UTC antonioprimoderivera
okay
2024-12-06 14:25:58 UTC GroupAnonymousBot
I mean, if a message comes in with "/tapnum//" then you can't request a tap with a number because of a bug; it should be something like "/tapnum/482872899040036767054000/"
2024-12-06 14:27:24 UTC antonioprimoderivera
Strange, because he just pressed both 26 and 68
2024-12-06 14:27:36 UTC antonioprimoderivera
Seems to have been fixed
2024-12-06 14:27:47 UTC GroupAnonymousBot
ok, great, then I don't understand anything
2024-12-06 14:27:59 UTC antonioprimoderivera
😅
2024-12-06 14:28:36 UTC antonioprimoderivera
But yes, yesterday when I tried it myself with /tapnum// it didn't work
2024-12-06 14:30:12 UTC antonioprimoderivera
But valid doesn't work for him, he says the screen always gets stuck and throws him back to the initial page.
2024-12-06 14:31:19 UTC antonioprimoderivera
I already pressed valid once here, but he went through the link again and started registering all over again, so it doesn't work. He told me the same on the phone during the call.
2024-12-06 14:36:45 UTC GroupAnonymousBot
GT100500 looks like we need to put together a bug list for the next round of fixes 💀
2024-12-11 14:28:14 UTC antonioprimoderivera
?
2024-12-11 14:28:21 UTC GroupAnonymousBot
that's me
2024-12-11 14:28:25 UTC GroupAnonymousBot
testing the site
2024-12-11 14:42:11 UTC GroupAnonymousBot
Onli says a lot of time passes between pressing the button and the changes on the site, 10-15 seconds, but for me it's only 2. Is it slow for you too, or don't you know?
2024-12-11 14:44:03 UTC antonioprimoderivera
Haven't checked, but in Telegram it takes about 10-15 seconds to change after pressing

The platform is built entirely on abused legitimate services. These include GitLab.com for version control, Telegram for commands, Zoho and Zeptomail for email delivery, and Google OAuth for credential interception. No custom network infrastructure exists, which is likely a cost-efficiency choice and, as it turned out, a source of attribution opportunity.

This is financially motivated criminal activity. The PhaaS model, cryptocurrency payment processing, and Russian-language subscriber documentation indicate an operator building toward a commercial criminal service. The MC group activity predating the current kit by at least six months suggests an established actor, not a first-time operation.

VirusTotal IOCs Collection

Recommendations#

To defend against the attacks described in this report, we recommend implementing phishing-resistant MFA (FIDO2/passkeys) where possible. The Telegram-based real-time interception approach works against TOTP and SMS codes; it does not work against hardware keys or device-bound passkeys, because the authenticator binds the assertion to the origin and a lookalike domain cannot satisfy it.

Deploy DNS filtering using your internal threat-intel feeds, and monitor for typosquatting patterns targeting logistics platform brand names. Character substitutions, transpositions, and prefix/suffix additions are the recurring techniques here. Have I Been Squatted provides a 14-day free trial which includes scanning for typosquatted domains.
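As an added example (not code from the report and not Have I Been Squatted's product), here is a Python triage function that classifies a domain seen in DNS or proxy logs against a brand watchlist by the recurring techniques named above: single-character substitution, adjacent-character transposition, and prefix/suffix addition, plus single-character insertion or deletion. The brand list and sample domains are constructed for the demonstration; registrable-label extraction is deliberately simplified (no public-suffix list), and defanged "[.]" input is accepted so it can be run over IOC lists directly.

```python
# Constructed watchlist of brand labels (the registrable label, not full domains).
BRANDS = ["truckstop", "penske", "timocom"]

# Constructed sample log entries; none are indicators from the report.
SAMPLE_DOMAINS = [
    "trukcstop[.]com",           # transposition
    "timoc0m.com",               # substitution (o -> 0)
    "dat-truckstop-login.com",   # prefix/suffix addition
    "penskee.com",               # single insertion
    "penske.com",                # the real brand label: not suspicious
    "example.org",               # unrelated
]


def registrable_label(domain):
    """Second-level label of a (possibly defanged) hostname. Approximation of the
    registrable name; a real deployment should consult the public suffix list."""
    host = domain.lower().replace("[.]", ".").rstrip(".")
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def _substitution(a, b):
    """Same length, exactly one position differs."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def _transposition(a, b):
    """Same length, exactly one pair of adjacent characters swapped."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def _insertion_or_deletion(a, b):
    """Lengths differ by one and removing a single character makes them equal."""
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def classify_lookalike(domain, brands=BRANDS):
    """Return (technique, brand) for the first brand the label resembles,
    ("exact", brand) for the brand itself, or None when nothing matches."""
    label = registrable_label(domain)
    for brand in brands:
        if label == brand:
            return ("exact", brand)
        if _substitution(label, brand):
            return ("substitution", brand)
        if _transposition(label, brand):
            return ("transposition", brand)
        if _insertion_or_deletion(label, brand):
            return ("insertion-deletion", brand)
        if brand in label:  # brand embedded with extra prefix/suffix, e.g. "dat-truckstop-login"
            return ("affix", brand)
    return None


def triage(domains, brands=BRANDS):
    """Keep only lookalikes, dropping exact brand matches and unrelated names."""
    out = []
    for d in domains:
        result = classify_lookalike(d, brands)
        if result and result[0] != "exact":
            out.append((d, result[0], result[1]))
    return out


if __name__ == "__main__":
    for domain, technique, brand in triage(SAMPLE_DOMAINS):
        print(f"{domain:28s} {technique:20s} imitates {brand}")
```

The order of checks matters: the exact-match test comes first so the genuine brand label never lands in the alert queue, and the cheap same-length tests run before the substring test so "timocom" is reported as a substitution rather than as a generic affix hit. Short brand labels produce many false positives with the affix rule; keep the watchlist to distinctive names.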

Acknowledgments#

We want to acknowledge the teams at Google Threat Intelligence, Cloudflare, GitLab, IPInfo and Ping Identity who were involved in the coordinated takedown of this infrastructure, as well as Microsoft Threat Intelligence Center and CrowdStrike, who provided additional assistance. We also want to thank the affected companies for supporting user notification efforts, and to acknowledge the joint collaboration with Ctrl-Alt-Intel throughout the discovery and documentation process.

Evidence has been preserved for chain-of-custody purposes and shared with relevant agencies. Sensitive data (API keys, credentials, personally identifiable information, and attribution-level investigative artifacts) has been redacted. Detailed indicators were shared through trusted channels to support defensive action. We welcome collaboration with threat researchers, law enforcement, and other parties with a legitimate interest in this activity.

For questions, to share related intelligence, or to request access to raw data under appropriate terms, contact [email protected].

For press enquiries, please contact [email protected]
