W-8BEN Themed Phishing Activity

    Date: 01/20/2026

    Severity: High

    Summary

    We identified phishing emails impersonating financial institutions, framed as alerts about expired W-8BEN tax forms. The attackers rapidly rotate domains to evade detection. The phishing pages use cloaking techniques and remain active only briefly. Most domains were registered the same day as, or shortly before, the emails were sent; the pages capture user login credentials and then redirect the victim to tax FAQ pages. All domains were registered via Gname.com Pte. Ltd., primarily between 2025-10-13 and 2025-11-07.

    Indicators of Compromise (IOC) List

    Domains/URLs:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "wckaxzuhq.com" or url like "wckaxzuhq.com" or siteurl like "wckaxzuhq.com" or
    domainname like "ffmzdnip.com" or url like "ffmzdnip.com" or siteurl like "ffmzdnip.com" or
    domainname like "wxydjha.com" or url like "wxydjha.com" or siteurl like "wxydjha.com" or
    domainname like "fcettmf.com" or url like "fcettmf.com" or siteurl like "fcettmf.com" or
    domainname like "ohenvironmental.com" or url like "ohenvironmental.com" or siteurl like "ohenvironmental.com" or
    domainname like "daoaycz.com" or url like "daoaycz.com" or siteurl like "daoaycz.com" or
    domainname like "orkwmpd.com" or url like "orkwmpd.com" or siteurl like "orkwmpd.com" or
    domainname like "ncnhreip.com" or url like "ncnhreip.com" or siteurl like "ncnhreip.com" or
    domainname like "zrimeonk.com" or url like "zrimeonk.com" or siteurl like "zrimeonk.com" or
    domainname like "papigwp.com" or url like "papigwp.com" or siteurl like "papigwp.com" or
    domainname like "qhpxhiqp.com" or url like "qhpxhiqp.com" or siteurl like "qhpxhiqp.com" or
    domainname like "llmkitkha.com" or url like "llmkitkha.com" or siteurl like "llmkitkha.com" or
    domainname like "xlakzip.com" or url like "xlakzip.com" or siteurl like "xlakzip.com" or
    domainname like "eupciepv.com" or url like "eupciepv.com" or siteurl like "eupciepv.com" or
    domainname like "us-etrade-access.com" or url like "us-etrade-access.com" or siteurl like "us-etrade-access.com" or
    domainname like "rogerfreemanlaw.com" or url like "rogerfreemanlaw.com" or siteurl like "rogerfreemanlaw.com" or
    domainname like "batdnwi.com" or url like "batdnwi.com" or siteurl like "batdnwi.com" or
    domainname like "eorojkq.com" or url like "eorojkq.com" or siteurl like "eorojkq.com" or
    domainname like "oztyrfw.com" or url like "oztyrfw.com" or siteurl like "oztyrfw.com" or
    domainname like "hlnwtuxu.com" or url like "hlnwtuxu.com" or siteurl like "hlnwtuxu.com" or
    domainname like "ijdjgf.com" or url like "ijdjgf.com" or siteurl like "ijdjgf.com" or
    domainname like "ufwycwdd.com" or url like "ufwycwdd.com" or siteurl like "ufwycwdd.com" or
    domainname like "markmcmurray.com" or url like "markmcmurray.com" or siteurl like "markmcmurray.com" or
    domainname like "dzjplpl.com" or url like "dzjplpl.com" or siteurl like "dzjplpl.com" or
    domainname like "zemnlip.com" or url like "zemnlip.com" or siteurl like "zemnlip.com" or
    domainname like "qxcship.com" or url like "qxcship.com" or siteurl like "qxcship.com" or
    domainname like "avgaffiliates.com" or url like "avgaffiliates.com" or siteurl like "avgaffiliates.com" or
    domainname like "mrjsmip.com" or url like "mrjsmip.com" or siteurl like "mrjsmip.com" or
    domainname like "kmnwqdw.com" or url like "kmnwqdw.com" or siteurl like "kmnwqdw.com" or
    domainname like "tyowgtni.com" or url like "tyowgtni.com" or siteurl like "tyowgtni.com" or
    domainname like "gcbwiujs.com" or url like "gcbwiujs.com" or siteurl like "gcbwiujs.com" or
    domainname like "uaxaeixc.com" or url like "uaxaeixc.com" or siteurl like "uaxaeixc.com" or
    domainname like "tcirfray.com" or url like "tcirfray.com" or siteurl like "tcirfray.com" or
    domainname like "cdzietsr.com" or url like "cdzietsr.com" or siteurl like "cdzietsr.com" or
    domainname like "zltkttzp.com" or url like "zltkttzp.com" or siteurl like "zltkttzp.com" or
    domainname like "urtfwbnn.com" or url like "urtfwbnn.com" or siteurl like "urtfwbnn.com" or
    domainname like "eyrlkeip.com" or url like "eyrlkeip.com" or siteurl like "eyrlkeip.com" or
    domainname like "ltokuz.com" or url like "ltokuz.com" or siteurl like "ltokuz.com" or
    domainname like "jildpwgip.com" or url like "jildpwgip.com" or siteurl like "jildpwgip.com" or
    domainname like "oyedujxigl.com" or url like "oyedujxigl.com" or siteurl like "oyedujxigl.com" or
    domainname like "dnzumsip.com" or url like "dnzumsip.com" or siteurl like "dnzumsip.com" or
    domainname like "chqibip.com" or url like "chqibip.com" or siteurl like "chqibip.com" or
    domainname like "wnppffd.com" or url like "wnppffd.com" or siteurl like "wnppffd.com" or
    domainname like "ftmpdtkv.com" or url like "ftmpdtkv.com" or siteurl like "ftmpdtkv.com" or
    domainname like "jdbnfxzi.com" or url like "jdbnfxzi.com" or siteurl like "jdbnfxzi.com" or
    domainname like "boswlxtip.com" or url like "boswlxtip.com" or siteurl like "boswlxtip.com" or
    domainname like "qczprfva.com" or url like "qczprfva.com" or siteurl like "qczprfva.com" or
    domainname like "bdshxuen.com" or url like "bdshxuen.com" or siteurl like "bdshxuen.com" or
    domainname like "qobyzwd.com" or url like "qobyzwd.com" or siteurl like "qobyzwd.com" or
    domainname like "fuhmmip.com" or url like "fuhmmip.com" or siteurl like "fuhmmip.com" or
    domainname like "ycrlzerap.com" or url like "ycrlzerap.com" or siteurl like "ycrlzerap.com" or
    domainname like "wbnoebe.com" or url like "wbnoebe.com" or siteurl like "wbnoebe.com" or
    domainname like "yzjiuzxs.com" or url like "yzjiuzxs.com" or siteurl like "yzjiuzxs.com"

    Reference: 

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-01-16-W-8BEN-themed-phishing-activity.txt


    Tags

    Malware, Phishing, TAX, Financial Services
