Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon

    Date: 04/02/2025

    Severity: Critical

    Summary

    Since late 2024, attackers have used new QR code phishing tactics, including hiding the phishing link behind a redirect on a legitimate website. Some campaigns also place a Cloudflare Turnstile verification step in front of the page, which keeps security crawlers from reaching the fake login page the victim is then lured to. Certain phishing sites appear tailored to specific targets, indicating prior reconnaissance. The attacks have been widespread across the U.S. and Europe and have affected industries including medical, automotive, education, energy, and finance.

    Indicators of Compromise (IOC) List

    Domain\URL :


    Hash :


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domain\URL :


    Hash :

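As an added illustration of what the detection queries above check (example code written for this page, not Gurucul's or Unit 42's), the following Python scan runs over constructed proxy log lines and matches on the URL host, using a few of the advisory's listed domains; the log format and the parent-domain entry are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicator hosts taken from the advisory's Domain/URL list; a leading "." marks
# a parent domain (both listed workers.dev hosts share it), so subdomains match.
IOC_HOSTS = {
    "ebjv.com.au",
    "docusignelectronic.courtappdirectory.com",
    "storage.cloudcourtdoc.com",
    "docxxdoct.goodbreadtrucklng.com",
    ".nhubiubuniunuion.workers.dev",
}
# Constructed proxy log lines (assumed format: timestamp user url status).
SAMPLE_LOG = """\
2025-02-03T10:01:12Z alice https://www.example.com/ 200
2025-02-03T10:02:45Z bob https://Docxxdoct.goodbreadtrucklng.com/U6bXM/ 200
2025-02-03T10:03:09Z carol https://a1892279.nhubiubuniunuion.workers.dev/ 200
2025-02-03T10:04:30Z dave https://storage.cloudcourtdoc.com/zz9Qx?e=dave%40example.com 200
2025-02-03T10:05:51Z erin https://fa8ea903.nhubiubuniunuion.workers.dev/login 302
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<url>\S+) (?P<status>\d{3})$")

def host_of(url):
    """Lowercased hostname of a URL, or '' when it has none."""
    return (urlsplit(url).hostname or "").lower()

def ioc_match(host):
    """Return the indicator covering `host`: an exact entry or a parent-domain entry."""
    if host in IOC_HOSTS:
        return host
    for entry in IOC_HOSTS:
        if entry.startswith(".") and host.endswith(entry):
            return entry
    return None

def scan_log(text):
    # Match on the host, not the full URL string: a new path token, a different ?e=
    # value, a changed letter case or a fresh workers.dev subdomain still hits.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        host = host_of(m["url"])
        indicator = ioc_match(host)
        if indicator:
            hits.append((m["user"], host, indicator))
    return hits
```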

    Reference:

    https://unit42.paloaltonetworks.com/qr-code-phishing/
    Tags

    Healthcare and Public Health, Education, Energy, Financial Services, Transportation Systems, Malware, Phishing, United States, Europe
