New Phishing Trends and Evasion Techniques

KAIVALYA KHURSALE
January 15, 2021 - 15 min read

Zscaler ThreatLabz researchers recently came across multiple phishing campaigns using novel obfuscation and evasion techniques. In this blog, we will present an analysis of four phishing campaigns and the various obfuscation methods used in each, also describing some of the tools the attackers used to obfuscate their JavaScript code. 

JavaScript is a powerful, flexible, and popular scripting language used in numerous web applications. Many packers and obfuscators are available to reduce the size of JavaScript code, hide business logic, and make the source code unreadable, and attackers also take advantage of these tools.

Why obfuscate?

Security engines are becoming smarter each day, using machine learning, heuristics, image recognition, and other innovations to detect phishing attacks. In parallel, attackers are applying new and sophisticated techniques to evade detection, including obfuscation and hosting phishing content on trusted providers such as Google hosting domains. The main purpose of code obfuscation is to protect exposed code by making it extremely hard to decipher and understand, but obfuscation is also heavily used to bypass automated URL analysis engines, which prolongs the malware's survival. Many legitimate websites also use obfuscation tools to protect their code from analysis and theft.
 

Phishing Campaign 1:

This campaign is sophisticated, as demonstrated by the well-designed phishing pages that are difficult to distinguish from legitimate pages. The attackers used the latest tactics to evade detection from signature-based scan engines, with most of the JavaScript code being obfuscated.

URL: tawooos[.]com/commonn/login/?code=<Mail ID>


Figure 1: Microsoft login phishing page

Obfuscated part of source code

The tool used to obfuscate is JavaScript Obfuscator 4.3. It's readily available on multiple free software download sites. In Figure 2, the portion highlighted in red is the function that performs the deobfuscation and the portion highlighted in blue is an argument to that function. You can see that there are many backquotes in the source code (highlighted in yellow). This function removes the backquotes and decodes the rest of the data and returns the decoded code.


Figure 2: Microsoft login phishing page source code

Deobfuscated source code

A few keywords in the source code are highlighted below. The presence of all of these keywords together can be used to flag this page as phishing.


Figure 3: Deobfuscated source code

After sending the credentials to the command-and-control (C&C) server, the victim gets redirected to a legitimate Microsoft site. 


Figure 4: PCAP of phishing page sending the credentials to the server

As the phishing pages are obfuscated, they are undetected by analysis engines.


Figure 5: No VT detections
 

Phishing Campaign 2:

In this case, the entire source code has been obscured with multilayered obfuscation. The first layer uses eval-execution obfuscation and Base64 encoding. All of these phishing pages were hosted on storage.googleapis[.]com. Like Amazon Simple Storage Service (Amazon S3), storage.googleapis[.]com is a hosting domain used to store and access data on Google Cloud. Many analysis engines allowlist these domains, and attackers take advantage of the fact that these domains/IPs belong to trusted sources.

http://storage.googleapis[.]com/asmuggishly-757767673/billing.html


Figure 6: Chase Phishing page

Part of the source code is Base64 encoded, which gets decoded at runtime by atob() and then executed by the eval() function.


Figure 7: Source code of Chase phishing page

The following is the code after the first round of deobfuscation. It is still heavily obfuscated and not in a readable format. This layer is hex encoding and variable-name obfuscation, in which the variable names, function names, and strings in the code are obfuscated using hexadecimal patterns to make the JavaScript code hard to read and detect.


Figure 8: Source code after one round of deobfuscation
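The two layers described above can be unwrapped statically during triage, without ever running the page's script. The following is an added example, not code from the original post or from any Zscaler tool; the function names, the `MAX_LAYERS` limit, the `_0x` identifier pattern, and the sample page are all assumptions constructed for illustration.

```javascript
// Added example: statically unwrap eval(atob("...")) layers and \xNN string escapes.
// Nothing from the page under analysis is executed.

const MAX_LAYERS = 8; // hard stop so deeply nested wrappers cannot stall the analyzer

// eval(atob("...")) or eval(window.atob('...')) around a quoted Base64 literal.
const EVAL_ATOB =
  /eval\s*\(\s*(?:window\s*\.\s*)?atob\s*\(\s*(["'])([A-Za-z0-9+\/=\s]+)\1\s*\)\s*\)/;

// atob() yields one character per byte, which is what latin1 decoding reproduces.
function decodeBase64(b64) {
  return Buffer.from(b64.replace(/\s+/g, ""), "base64").toString("latin1");
}

// Replace each wrapper with the text it would have handed to eval().
function peelEvalAtob(source) {
  let current = source;
  let layers = 0;
  while (layers < MAX_LAYERS) {
    const m = EVAL_ATOB.exec(current);
    if (!m) break;
    current = current.slice(0, m.index) + decodeBase64(m[2]) +
      current.slice(m.index + m[0].length);
    layers += 1;
  }
  return { source: current, layers };
}

// Decode printable \xNN escapes; quotes and backslashes stay escaped so that
// string literals in the output remain well formed.
function decodeHexEscapes(source) {
  let decoded = 0;
  const out = source.replace(/\\x([0-9a-fA-F]{2})/g, (whole, hex) => {
    const code = parseInt(hex, 16);
    const ch = String.fromCharCode(code);
    if (code < 0x20 || code > 0x7e || ch === '"' || ch === "'" || ch === "\\") {
      return whole;
    }
    decoded += 1;
    return ch;
  });
  return { source: out, decoded };
}

// Run both passes and report how much obfuscation was found.
function triage(pageSource) {
  const peeled = peelEvalAtob(pageSource);
  const hex = decodeHexEscapes(peeled.source);
  // Hexadecimal-style identifiers such as _0x1a2b (assumed naming pattern).
  const names = hex.source.match(/\b_0x[0-9a-fA-F]+\b/g) || [];
  return {
    layers: peeled.layers,
    hexStringsDecoded: hex.decoded,
    hexIdentifiers: new Set(names).size,
    source: hex.source,
  };
}

// Constructed sample: a harmless script wrapped twice, built here so it runs offline.
const toB64 = (s) => Buffer.from(s, "latin1").toString("base64");
const INNER =
  'var _0x1a2b=["\\x61\\x63\\x74\\x69\\x6f\\x6e\\x2e\\x70\\x68\\x70"];' +
  "document.forms[0].action=_0x1a2b[0];";
const LAYER1 = `eval(atob("${toB64(INNER)}"));`;
const SAMPLE_PAGE = `<script>eval(atob('${toB64(LAYER1)}'));</script>`;

console.log(triage(SAMPLE_PAGE));
```

The layer count and the number of decoded escapes are useful signals in their own right, since the readable output is what keyword or signature checks should run against.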

After the page accepts the user's credentials, it sends them to hxxps://moneysmtp[.]com/email-list/chase-nww/action.php, which is controlled by the attacker, and then redirects the user to the legitimate Chase website.


Figure 9: PCAP of phishing page sending the credentials to the server

Below are snapshots of a few phishing pages targeting different brands using the same multilevel obfuscation techniques.

Figure 10: Dropbox phishing page


Figure 11: Microsoft phishing page
 

Phishing Campaign 3:

Web.app is a mobile platform used for building mobile apps hosted by Firebase, which is Google’s mobile app platform. Under this category, all the phishing pages are hosted on the Web.app domain and use SSL certificates issued by Web.app. In this scenario, phishing pages are partially obfuscated with the hex encoding and variable-name obfuscation described in the previous case. Here, the tool used to obfuscate the source code is JavaScript Obfuscator. We believe this tool was also used in phishing campaign 2 for some level of obfuscation. This is a free tool and has multiple levels of obfuscation, such as Low, Medium, and High.

The tool is available on GitHub:

https://github.com/javascript-obfuscator/javascript-obfuscator

Online version:

https://obfuscator.io/

This variant is mostly targeting Microsoft. 


Figure 12: OneDrive phishing page


Figure 13: OneDrive phishing page source code


Figure 14: Phishing page source code after deobfuscation

Attackers are continuously abusing Google's trusted domains. The graph below gives a peek into the number of phishing pages hosted on storage.googleapis[.]com and *.web.app seen across the Zscaler cloud. (These stats include all blocked transactions and are not specific to the cases in this analysis.)


Figure 15: December 2020 blocked transactions for storage.googleapis[.]com and *.Web.app
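Because campaigns 2 and 3 rely on engines that allowlist the hosting provider as a whole, one mitigation is to key reputation on the bucket or site rather than on the host. The following is an added example, not code from the original post; the rule table, function names, and the `example-corp-assets` bucket are assumptions, while the two phishing URLs are taken from this page.

```javascript
// Added example: derive a per-tenant reputation key for shared hosting so that an
// allowlist entry for the provider does not cover every bucket or site hosted on it.

// Rules cover only the two services named in the article (assumed layout:
// bucket in the first path segment or left of the host; site as the subdomain label).
const SHARED_HOSTS = [
  { suffix: "storage.googleapis.com", kind: "bucket" },
  { suffix: "web.app", kind: "site" },
];

// Undo the defanging used in reports: [.] -> . and hxxp -> http.
function refang(text) {
  return text.trim().replace(/\[\.\]/g, ".").replace(/^hxxp/i, "http");
}

function tenantKey(rawUrl) {
  let text = refang(rawUrl);
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(text)) text = "http://" + text;
  let url;
  try {
    url = new URL(text);
  } catch (err) {
    return null; // unparseable input is never trusted
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  for (const rule of SHARED_HOSTS) {
    if (host === rule.suffix) {
      // Path-style bucket URL: the tenant is the first path segment.
      const first = url.pathname.split("/").filter(Boolean)[0] || null;
      const tenant = rule.kind === "bucket" ? first : null;
      return { shared: true, provider: rule.suffix, tenant };
    }
    if (host.endsWith("." + rule.suffix)) {
      const label = host.slice(0, -(rule.suffix.length + 1));
      // Bucket names may contain dots; a site is the label next to the suffix.
      const tenant = rule.kind === "bucket" ? label : label.split(".").pop();
      return { shared: true, provider: rule.suffix, tenant };
    }
  }
  return { shared: false, provider: host, tenant: null };
}

// A provider-only entry never matches a shared host; the tenant must be listed.
function isAllowlisted(rawUrl, allowlist) {
  const key = tenantKey(rawUrl);
  if (!key) return false;
  if (key.shared) {
    return key.tenant !== null && allowlist.has(key.provider + "/" + key.tenant);
  }
  return allowlist.has(key.provider);
}

// Constructed allowlist: one legitimate bucket plus a provider-wide entry that
// the policy deliberately ignores for shared hosts.
const ALLOWLIST = new Set([
  "storage.googleapis.com",
  "storage.googleapis.com/example-corp-assets",
]);

const PAGE_URLS = [
  "http://storage.googleapis[.]com/asmuggishly-757767673/billing.html",
  "onedrive-online718.web[.]app",
];

for (const u of PAGE_URLS) {
  console.log(u, tenantKey(u), "allowlisted:", isAllowlisted(u, ALLOWLIST));
}
```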
 

Phishing Campaign 4:

This variant differs from the previous three cases, where the evasion technique was JavaScript obfuscation. In this fourth scenario, attackers are using embedded Base64 images for evasion, achieved by increasing the size of the source code. The campaign involves adding all the required images in the source code itself in Base64-encoded format, to make it difficult for analysis engines to detect these phishing pages. Under this variant, most of the phishing pages are hosted on compromised WordPress websites and target the Microsoft brand.


Figure 16: Microsoft phishing page


Figure 17: Source code of Base64 encoded images
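A scanner can neutralize this padding by replacing inline image payloads with short placeholders before it inspects the markup. The following is an added example, not code from the original post; the 64 KB inspection window is an assumed engine limit used to illustrate one way size inflation can hide a form, and the sample page is constructed.

```javascript
// Added example: measure how much of a page is inline Base64 image data and strip it
// before content inspection, so padding cannot push the form out of the scan window.

const SCAN_WINDOW = 64 * 1024; // assumed per-page inspection limit of a scanner

// data:image/<type>;base64,<payload> as it appears in src attributes or CSS url().
const DATA_IMAGE = /data:image\/[a-z0-9.+-]+;base64,[A-Za-z0-9+\/=]+/gi;

function stripInlineImages(html) {
  let images = 0;
  let imageChars = 0;
  const stripped = html.replace(DATA_IMAGE, (uri) => {
    images += 1;
    imageChars += uri.length;
    const mime = uri.slice(5, uri.indexOf(";")); // text between "data:" and ";"
    // Keep the type and original length so the placeholder stays informative.
    return "data:" + mime + ";stripped,len=" + uri.length;
  });
  return {
    images,
    inlineShare: html.length ? imageChars / html.length : 0,
    stripped,
  };
}

// Stand-in for a content check that only reads the first SCAN_WINDOW characters.
function seesPasswordField(html, limit) {
  return /<input[^>]+type=["']?password/i.test(html.slice(0, limit));
}

// Constructed sample: a large inline logo placed ahead of a credential form.
const PADDED_PAGE =
  '<html><body><img src="data:image/png;base64,' + "A".repeat(200000) + '">' +
  '<form method="post"><input type="email" name="u">' +
  '<input type="password" name="p"></form></body></html>';

const report = stripInlineImages(PADDED_PAGE);
console.log({
  images: report.images,
  inlineShare: report.inlineShare.toFixed(3),
  rawSeesForm: seesPasswordField(PADDED_PAGE, SCAN_WINDOW),
  strippedSeesForm: seesPasswordField(report.stripped, SCAN_WINDOW),
});
```

A high inline share on a login page is also worth logging as a feature, alongside the verdict from the stripped markup.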

 

Zscaler has been successfully detecting and blocking all four variants described in this report.


Figure 18: Phishing pages seen on Zscaler cloud between Nov 2020 and Jan 2021

 

Conclusion

Phishing attacks have always been on the rise. As security products upgrade their detection methodologies, attackers have also upped the ante by evolving both the way phishing content is delivered and the tactics used to keep phishing pages undetected for a longer period.

The Zscaler ThreatLabz team continues to monitor these campaigns, as well as others, to help keep our customers safe from phishing attacks.

 

Indicators of Compromise:

Campaign 1:


 

Campaign 2:


 

Campaign 3:


 

Campaign 4:

