Montana Empire - AI-Assisted Phishing Kit Impersonating Turkish E-Commerce Platform

    Date: 04/09/2026

    Severity: High

    Summary

    Active phishing kit impersonates a national postal service e-commerce platform, mimicking four storefronts (unifone, masterfone, newphone, dogabilisim). We call this kit “Montana Empire,” based on a phrase found in its admin panel. Evidence shows AI-assisted development, including a project directory and tool session permission logs. An exposed server directory revealed two archives, indicating a multi-brand phishing operation. The kit includes a reusable SQLite database, Telegram bot credentials for data exfiltration, and entries for multiple fake storefronts. Additional elements include a bcrypt-hashed admin password, scraped product listings, and an IBAN for payment collection.

    Indicators of Compromise (IOC) List

    Domains/URLs :

    pttvm.com

    pttavm.magaza-tamamla.com

    magaza-tamamla.com

    https://pttvm.com/magaza/unifone

    https://pttvm.com/magaza/newphone

    https://pttvm.com/magaza/masterfone

    https://pttvm.com/magaza/dogabilisim

    http://pttvm.com/PTTAVM.zip

    http://pttvm.com/letgovip.zip

    http://pttvm.com/mentalite.php

    Hash : 

    eb07edaa2786cfddfa4c15526168f2200d85300aee0a8f253b32d2462a7b0bcd

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "pttvm.com" or url like "pttvm.com" or siteurl like "pttvm.com"
    or domainname like "pttavm.magaza-tamamla.com" or url like "pttavm.magaza-tamamla.com" or siteurl like "pttavm.magaza-tamamla.com"
    or domainname like "magaza-tamamla.com" or url like "magaza-tamamla.com" or siteurl like "magaza-tamamla.com"
    or domainname like "https://pttvm.com/magaza/unifone" or url like "https://pttvm.com/magaza/unifone" or siteurl like "https://pttvm.com/magaza/unifone"
    or domainname like "https://pttvm.com/magaza/newphone" or url like "https://pttvm.com/magaza/newphone" or siteurl like "https://pttvm.com/magaza/newphone"
    or domainname like "https://pttvm.com/magaza/masterfone" or url like "https://pttvm.com/magaza/masterfone" or siteurl like "https://pttvm.com/magaza/masterfone"
    or domainname like "https://pttvm.com/magaza/dogabilisim" or url like "https://pttvm.com/magaza/dogabilisim" or siteurl like "https://pttvm.com/magaza/dogabilisim"
    or domainname like "http://pttvm.com/PTTAVM.zip" or url like "http://pttvm.com/PTTAVM.zip" or siteurl like "http://pttvm.com/PTTAVM.zip"
    or domainname like "http://pttvm.com/letgovip.zip" or url like "http://pttvm.com/letgovip.zip" or siteurl like "http://pttvm.com/letgovip.zip"
    or domainname like "http://pttvm.com/mentalite.php" or url like "http://pttvm.com/mentalite.php" or siteurl like "http://pttvm.com/mentalite.php"

    Detection Query 2 :

    sha256hash IN ("eb07edaa2786cfddfa4c15526168f2200d85300aee0a8f253b32d2462a7b0bcd")
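    The two queries above compare raw field values against the indicator strings. As an added example (not a Gurucul query and not code from the Unit 42 reference), the Python below applies the same IOC set to constructed log events, parsing the host out of each URL so that a subdomain of a listed domain, a port suffix, a query string or mixed case still matches while a look-alike host such as notpttvm.com does not; the field names domainname, url, siteurl and sha256hash are taken from the queries, and the sample events are invented.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory above; the events further down are constructed.
IOC_DOMAINS = {"pttvm.com", "magaza-tamamla.com"}
IOC_URLS = {
    "https://pttvm.com/magaza/unifone", "https://pttvm.com/magaza/newphone",
    "https://pttvm.com/magaza/masterfone", "https://pttvm.com/magaza/dogabilisim",
    "http://pttvm.com/PTTAVM.zip", "http://pttvm.com/letgovip.zip",
    "http://pttvm.com/mentalite.php",
}
IOC_SHA256 = {"eb07edaa2786cfddfa4c15526168f2200d85300aee0a8f253b32d2462a7b0bcd"}

def host_of(value):
    """Lowercase hostname of a URL or of a bare 'host[:port][/path]' string."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # make urlsplit treat the leading token as the netloc
    return urlsplit(v).hostname or ""

def domain_hit(host):
    """True for a listed domain or any subdomain of it; 'notpttvm.com' must not match."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def _key(url):
    u = urlsplit(url.strip().lower())  # case-insensitive; scheme, port, query ignored
    return u.hostname, u.path.rstrip("/")

def url_hit(url):
    return _key(url) in {_key(i) for i in IOC_URLS}  # host + path must both match

def match_event(event):
    """Sorted, de-duplicated IOC matches for one log event; any field may be absent."""
    hits = set()
    for val in filter(None, (event.get(f) for f in ("domainname", "url", "siteurl"))):
        host = host_of(val)
        if domain_hit(host):
            hits.add("domain:" + host)
        if "://" in val and url_hit(val):
            hits.add("url:" + val)
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.add("sha256")
    return sorted(hits)

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"url": "https://pttvm.com/magaza/unifone?ref=sms", "domainname": "pttvm.com"},
    {"domainname": "PTTAVM.magaza-tamamla.com:443"},
    {"url": "https://notpttvm.com/magaza/unifone"},
    {"sha256hash": "EB07EDAA2786CFDDFA4C15526168F2200D85300AEE0A8F253B32D2462A7B0BCD"},
]
```

    Running match_event over each entry of SAMPLE_EVENTS flags the first, second and fourth event and leaves the notpttvm.com look-alike unmatched.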

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-04-07-Montana-Empire.txt

    Tags

    Malware, AI, Turkey, Phishing, Mimic, Telegram, Exfiltration, Commercial Facilities

