Uncovering a Multi-Stage Phishing Kit Targeting Italy's Infrastructure

    Date: 11/19/2025

    Severity: Medium

    Summary

    A highly automated, multi-stage phishing kit has been uncovered impersonating the major Italian IT provider Aruba S.p.A., a company central to Italy’s digital infrastructure. The kit uses CAPTCHA filtering, data pre-filling, and Telegram-based exfiltration to steal credentials and payment information efficiently and stealthily. Its design reflects the broader rise of phishing-as-a-service (PhaaS), where phishing tools are built and operated like commercial SaaS products. This industrialization makes modern phishing campaigns more scalable, convincing, and difficult to detect—transforming them into a full-fledged criminal supply chain rather than isolated scams.

    Indicators of Compromise (IOC) List

    URLs/Domains

    serdegogozedeytid.bulkypay.xyz
    serdegogozedeytidtelerstore.marina.am
    scarecrow.metalseed.you2.pl
    wordpress-1512889-5811853.cloudwaysapps.com
    firsijdaeeuetevcbcsj.cfolks.pl
    arb-app.nero-network.eu
    srv229641.hoster-test.ru

    IP Addresses

    31.28.24.131
    23.239.109.118
    192.250.229.24
    109.95.159.70
    45.77.157.140
    185.208.164.121
    185.25.23.155

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "scarecrow.metalseed.you2.pl" or siteurl like "scarecrow.metalseed.you2.pl" or url like "scarecrow.metalseed.you2.pl"
    or domainname like "firsijdaeeuetevcbcsj.cfolks.pl" or siteurl like "firsijdaeeuetevcbcsj.cfolks.pl" or url like "firsijdaeeuetevcbcsj.cfolks.pl"
    or domainname like "wordpress-1512889-5811853.cloudwaysapps.com" or siteurl like "wordpress-1512889-5811853.cloudwaysapps.com" or url like "wordpress-1512889-5811853.cloudwaysapps.com"
    or domainname like "serdegogozedeytid.bulkypay.xyz" or siteurl like "serdegogozedeytid.bulkypay.xyz" or url like "serdegogozedeytid.bulkypay.xyz"
    or domainname like "serdegogozedeytidtelerstore.marina.am" or siteurl like "serdegogozedeytidtelerstore.marina.am" or url like "serdegogozedeytidtelerstore.marina.am"
    or domainname like "arb-app.nero-network.eu" or siteurl like "arb-app.nero-network.eu" or url like "arb-app.nero-network.eu"
    or domainname like "srv229641.hoster-test.ru" or siteurl like "srv229641.hoster-test.ru" or url like "srv229641.hoster-test.ru"

    Detection Query 2:

    dstipaddress IN ("109.95.159.70","23.239.109.118","45.77.157.140","192.250.229.24","31.28.24.131","185.208.164.121","185.25.23.155")
    or srcipaddress IN ("109.95.159.70","23.239.109.118","45.77.157.140","192.250.229.24","31.28.24.131","185.208.164.121","185.25.23.155")
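    As an added example that is not part of this advisory or the Group-IB report, the following Python applies the same indicators to proxy or firewall records offline: it reduces URL fields to their host and also matches subdomains of the listed hosts, which goes beyond the literal string matches of Detection Query 1, and checks source and destination addresses as Detection Query 2 does. The record field names and the sample records are constructed for the example.

```python
# Added example (not the advisory's or Group-IB's code): apply the page's
# domain/IP indicators to proxy or firewall records, as Queries 1 and 2 do.
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the advisory's IOC list above.
IOC_DOMAINS = {
    "serdegogozedeytid.bulkypay.xyz", "serdegogozedeytidtelerstore.marina.am",
    "scarecrow.metalseed.you2.pl", "wordpress-1512889-5811853.cloudwaysapps.com",
    "firsijdaeeuetevcbcsj.cfolks.pl", "arb-app.nero-network.eu",
    "srv229641.hoster-test.ru",
}
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "31.28.24.131", "23.239.109.118", "192.250.229.24", "109.95.159.70",
    "45.77.157.140", "185.208.164.121", "185.25.23.155")}

def host_of(value):
    """Lower-cased host from a bare domain or a full URL (path/query dropped)."""
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.lower().rstrip(".")

def domain_hit(value):
    """Indicator matched by the exact host or a subdomain of it, else None."""
    host = host_of(value)
    return next((d for d in IOC_DOMAINS if host == d or host.endswith("." + d)), None)

def ip_hit(value):
    """Indicator matched by a src/dst address (Query 2 equivalent), else None."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:  # empty or malformed field: no match
        return None
    return str(addr) if addr in IOC_IPS else None

def match_record(rec):
    """All (field, indicator) pairs that fire for one log record."""
    hits = []
    for field in ("domainname", "siteurl", "url"):
        if (dom := domain_hit(rec.get(field, ""))) is not None:
            hits.append((field, dom))
    for field in ("srcipaddress", "dstipaddress"):
        if (ip := ip_hit(rec.get(field, ""))) is not None:
            hits.append((field, ip))
    return hits

# Constructed sample records (not from the report); only the third is clean.
SAMPLE_LOGS = [
    {"url": "https://arb-app.nero-network.eu/login?s=1", "dstipaddress": "185.25.23.155"},
    {"domainname": "cdn.scarecrow.metalseed.you2.pl", "srcipaddress": "10.0.0.5"},
    {"url": "https://www.example.com/", "dstipaddress": "203.0.113.9"},
]
```

    Calling match_record on each entry of SAMPLE_LOGS returns the fired (field, indicator) pairs, so the same function can be run over exported log records to confirm or refute a hit before escalating.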

    Reference: 

    https://www.group-ib.com/blog/uncover-phishing-italy/


    Tags

    Malware, Phishing, Italy, Information Technology, PaaS, Exfiltration, Telegram, credential stealers
