Date: 03/31/2026
Severity: High
Summary
Researchers uncovered and analyzed the full source code of an AI-driven AiTM phishing platform called “UPMI ULTIMATE,” linked to a group named “Team Unlimited.” The code was retrieved from an exposed central server that manages licensing, intelligence sharing, and remote control for all client instances. Designed as a paid offering, the platform reflects a Phishing-as-a-Service model with licensed deployments. It includes a remote kill switch and a shared intelligence system where campaign data from all operators improves overall evasion tactics. The toolkit delivers end-to-end capabilities, including email phishing, link obfuscation, domain rotation, CAPTCHA gating, and credential harvesting via Evilginx. Testing activity dates back to March 12, 2026, with hardcoded credentials and sensitive tokens also discovered in the source code.
Indicators of Compromise (IOC) List
Domains/URLs: brevantic.online, tms.ac, cybernt.us, docviewportal.com, go.docviewportal.com, webmail.tms.ac, pablotechnostore.com, bowhead-transport.com, workplaceoutreach.online, vvearcon.com, trns.live, professionalinsurancesolutions.com, ventrisecure.com, ventracloud.com, brevantic.com, mcapilllotlivveoffice.com, Mxlicense_control_bot, UPMi035bot, go.docviewportal.com/d/<base64url_token>, webmail.tms.ac/djMfuXoi
IP Addresses: 143.198.27.52, 147.182.195.233, 104.194.152.178, 157.250.207.92, 212.52.6.239, 205.198.88.186, 104.131.106.42, 45.61.136.190, 64.95.13.174, 193.111.125.137, 103.101.202.72, 64.52.80.3
SHA-256 Hashes: 3192549bc2198bc3f4ed775c55102ddd131f1a2466f5459ebe23198d4a02105c, 79b74ed25250b9b9fa60a710f0f93bbf9ec0155c006f2af453e278f2e5af8c6f
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: domainname like "ventrisecure.com" or url like "ventrisecure.com" or siteurl like "ventrisecure.com" or domainname like "brevantic.online" or url like "brevantic.online" or siteurl like "brevantic.online" or domainname like "tms.ac" or url like "tms.ac" or siteurl like "tms.ac" or domainname like "cybernt.us" or url like "cybernt.us" or siteurl like "cybernt.us" or domainname like "docviewportal.com" or url like "docviewportal.com" or siteurl like "docviewportal.com" or domainname like "go.docviewportal.com" or url like "go.docviewportal.com" or siteurl like "go.docviewportal.com" or domainname like "webmail.tms.ac" or url like "webmail.tms.ac" or siteurl like "webmail.tms.ac" or domainname like "pablotechnostore.com" or url like "pablotechnostore.com" or siteurl like "pablotechnostore.com" or domainname like "bowhead-transport.com" or url like "bowhead-transport.com" or siteurl like "bowhead-transport.com" or domainname like "workplaceoutreach.online" or url like "workplaceoutreach.online" or siteurl like "workplaceoutreach.online" or domainname like "vvearcon.com" or url like "vvearcon.com" or siteurl like "vvearcon.com" or domainname like "trns.live" or url like "trns.live" or siteurl like "trns.live" or domainname like "professionalinsurancesolutions.com" or url like "professionalinsurancesolutions.com" or siteurl like "professionalinsurancesolutions.com" or domainname like "ventracloud.com" or url like "ventracloud.com" or siteurl like "ventracloud.com" or domainname like "brevantic.com" or url like "brevantic.com" or siteurl like "brevantic.com" or domainname like "mcapilllotlivveoffice.com" or url like "mcapilllotlivveoffice.com" or siteurl like "mcapilllotlivveoffice.com" or domainname like "Mxlicense_control_bot" or url like "Mxlicense_control_bot" or siteurl like "Mxlicense_control_bot" or domainname like "UPMi035bot" or url like "UPMi035bot" or siteurl like "UPMi035bot" or domainname like "go.docviewportal.com/d/<%>" or url like "go.docviewportal.com/d/<%>" or siteurl like "go.docviewportal.com/d/<%>" or domainname like "webmail.tms.ac/djMfuXoi" or url like "webmail.tms.ac/djMfuXoi" or siteurl like "webmail.tms.ac/djMfuXoi"
Detection Query 2: dstipaddress IN ("104.194.152.178","45.61.136.190","143.198.27.52","147.182.195.233","104.194.152.178","157.250.207.92","212.52.6.239","205.198.88.186","104.131.106.42","64.95.13.174","193.111.125.137","103.101.202.72","64.52.80.3") or srcipaddress IN ("104.194.152.178","45.61.136.190","143.198.27.52","147.182.195.233","104.194.152.178","157.250.207.92","212.52.6.239","205.198.88.186","104.131.106.42","64.95.13.174","193.111.125.137","103.101.202.72","64.52.80.3")
Detection Query 3: sha256hash IN ("3192549bc2198bc3f4ed775c55102ddd131f1a2466f5459ebe23198d4a02105c","79b74ed25250b9b9fa60a710f0f93bbf9ec0155c006f2af453e278f2e5af8c6f")
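Added example, not code from the advisory or the referenced research: the Python below reimplements the three detection queries over constructed log events using a subset of the IOCs above. It assumes `like` behaves as SQL LIKE (unanchored, `%` any run, `_` any single character) and makes two caveats visible before the queries are deployed: short substrings such as `tms.ac` also hit unrelated hosts, and the `<%>` pattern keeps its literal angle brackets, so it never matches a real `/d/<token>` URL.

```python
import re
from typing import Dict, List, Pattern

# Subset of the advisory's IOCs, kept in the LIKE/IN form the queries use.
# Note: "<%>" keeps literal '<' and '>', so it cannot match a real /d/<token> URL.
DOMAIN_PATTERNS = ["ventrisecure.com", "brevantic.online", "tms.ac", "docviewportal.com",
                   "go.docviewportal.com/d/<%>", "webmail.tms.ac/djMfuXoi"]
IP_IOCS = {"143.198.27.52", "147.182.195.233", "45.61.136.190"}
SHA256_IOCS = {"3192549bc2198bc3f4ed775c55102ddd131f1a2466f5459ebe23198d4a02105c",
               "79b74ed25250b9b9fa60a710f0f93bbf9ec0155c006f2af453e278f2e5af8c6f"}

def like_to_regex(pattern: str) -> Pattern[str]:
    """Assumed SQL LIKE semantics: '%' = any run, '_' = any single character,
    everything else literal; unanchored and case-insensitive."""
    parts = [".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts), re.IGNORECASE)

DOMAIN_REGEXES = [(p, like_to_regex(p)) for p in DOMAIN_PATTERNS]

def match_event(event: Dict[str, str]) -> List[str]:
    """Return one tag per indicator hit, mirroring Detection Queries 1-3."""
    hits = []
    for field in ("domainname", "url", "siteurl"):            # Query 1
        value = event.get(field, "")
        hits += [f"query1:{field}~{p}" for p, rx in DOMAIN_REGEXES if rx.search(value)]
    for field in ("dstipaddress", "srcipaddress"):            # Query 2
        if event.get(field) in IP_IOCS:
            hits.append(f"query2:{field}={event[field]}")
    # Query 3; hashes are lower-cased first so an upper-case log value still matches.
    if event.get("sha256hash", "").lower() in SHA256_IOCS:
        hits.append("query3:sha256hash")
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": "e1", "url": "https://go.docviewportal.com/d/aGVsbG8", "dstipaddress": "143.198.27.52"},
    {"id": "e2", "domainname": "webmail.tms.ac", "srcipaddress": "10.0.0.5"},
    {"id": "e3", "sha256hash": "3192549BC2198BC3F4ED775C55102DDD131F1A2466F5459EBE23198D4A02105C"},
    {"id": "e4", "url": "https://example.org/", "dstipaddress": "192.0.2.10"},
    {"id": "e5", "siteurl": "https://atms.academy/login"},  # benign host, yet contains "tms.ac"
]

def scan(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Map each event id to the list of query tags it triggered."""
    return {e["id"]: match_event(e) for e in events}

if __name__ == "__main__":
    for event_id, tags in scan().items():
        print(event_id, tags or "clean")
```

Event e1 is caught by the broader `docviewportal.com` pattern and the IP list, not by the `<%>` pattern; e5 shows why short patterns such as `tms.ac` deserve an anchored or domain-suffix match in production.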
Reference:
https://ctrlaltintel.com/research/AiTM-Phishing/