Sophisticated mobile-targeted spearphishing campaigns impersonated DocuSign and chained multi-stage redirects, CAPTCHA gating and device fingerprinting to serve cloned sign-in pages and harvest executive credentials. The attack chain abused legitimate services (a marketing-platform link tracker and a compromised university domain) and recently registered, Cloudflare-proxied infrastructure, and used links embedded in PDF attachments to slip past URL-scanning controls. #DocuSign #Cloudflare
Keypoints
- Attackers targeted corporate executives via mobile-focused spearphishing, using prior reconnaissance to craft convincing, urgent DocuSign-themed messages.
- The initial phishing link pointed at a link-tracking host of a legitimate marketing platform (clickme.thryv.com), which redirected to a compromised, long-established university domain; both hops borrow the reputation of legitimate domains to get past URL reputation checks.
- Multiple-stage redirections, CAPTCHA checks, and device fingerprinting were used to deliver different payloads to mobile users versus desktop users.
- On mobile, victims were shown a cloned Google sign-in page to harvest credentials; on desktop they were often redirected to legitimate Google sites to avoid suspicion.
- PDF-based phishing documents were used in parallel, with the phishing URL concealed inside the document as a link action rather than placed in the e-mail body, so that mail-gateway URL scanners that do not parse attachment contents never see it, while the business-document format itself invites the victim's trust.
- The final phishing domain diitalwave[.]ru was registered on 2024-12-05, obtained a TLS certificate the next day, and resolved to Cloudflare IP space (104.21.71[.]155): rapid, ephemeral infrastructure stood up days before the campaign, which is why domain-age checks are a useful signal against it.
- Related infrastructure and IPs were previously used in phishing campaigns targeting brands like USPS and WhatsApp, indicating reuse of malicious hosting resources.
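The mobile-versus-desktop cloaking described above can be tested for by walking the redirect chain twice, once with a mobile User-Agent and once with a desktop one, and comparing where each walk lands. The following is an added example (not code from the original article or its author): live HTTP is replaced by a constructed in-memory response table so it runs offline; the hostnames clickme.thryv.com, diitalwave[.]ru and support.google.com come from the summary, while the placeholder compromised-university.example host, all URL paths, tracking tokens and page bodies are assumptions.

```python
"""Added example: detect User-Agent-conditional cloaking in a redirect chain.
Not code from the original article. Network I/O is simulated (see
constructed_fetcher) so the example runs offline."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1")
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
REDIRECT_CODES = {301, 302, 303, 307, 308}
# hosts where a genuine Google password prompt is expected; anything else asking
# for a password is treated as a credential-harvesting page
TRUSTED_SIGNIN_HOSTS = {"accounts.google.com"}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


Fetcher = Callable[[str, str], Response]  # (url, user_agent) -> Response


def follow_chain(fetch: Fetcher, url: str, ua: str, max_hops: int = 10) -> Tuple[List[str], Response]:
    """Follow HTTP redirects from url with the given User-Agent.
    Returns every URL visited (first = start, last = landing page) and the final response.
    Stops on a non-redirect status, a missing Location, a loop, or max_hops."""
    chain = [url]
    resp = fetch(url, ua)
    while resp.status in REDIRECT_CODES and len(chain) <= max_hops:
        nxt = resp.headers.get("Location")
        if not nxt or nxt in chain:  # no target, or the chain loops back on itself
            break
        chain.append(nxt)
        resp = fetch(nxt, ua)
    return chain, resp


def is_credential_harvest(url: str, resp: Response) -> bool:
    """A 200 page with a password field on a host that is not a trusted sign-in host."""
    host = (urlparse(url).hostname or "").lower()
    has_password_field = re.search(r"<input[^>]+type=[\"']?password", resp.body, re.I) is not None
    return resp.status == 200 and has_password_field and host not in TRUSTED_SIGNIN_HOSTS


def check_cloaking(fetch: Fetcher, start_url: str) -> Dict[str, object]:
    """Walk the chain as a mobile and as a desktop client and compare landing hosts."""
    m_chain, m_resp = follow_chain(fetch, start_url, MOBILE_UA)
    d_chain, d_resp = follow_chain(fetch, start_url, DESKTOP_UA)
    m_host = urlparse(m_chain[-1]).hostname
    d_host = urlparse(d_chain[-1]).hostname
    return {
        "mobile_chain": m_chain,
        "desktop_chain": d_chain,
        "cloaked": m_host != d_host,  # different final host per client type = cloaking
        "mobile_harvests_creds": is_credential_harvest(m_chain[-1], m_resp),
        "desktop_harvests_creds": is_credential_harvest(d_chain[-1], d_resp),
    }


# ---- constructed responses standing in for the live chain (assumptions, not observed data) ----
START_URL = "https://clickme.thryv.com/ls/click?upn=TRACKING-TOKEN"          # path and token assumed
GATE_URL = "https://compromised-university.example/docusign/verify"          # placeholder for the compromised .gov.bd host
MOBILE_LANDING = "https://diitalwave.ru/login"                               # path assumed
DESKTOP_LANDING = "https://support.google.com/"


def constructed_fetcher(url: str, ua: str) -> Response:
    mobile = any(tok in ua for tok in ("Mobile", "iPhone", "Android"))
    if url == START_URL:
        return Response(302, {"Location": GATE_URL})
    if url == GATE_URL:
        # the real gate runs a CAPTCHA and JavaScript fingerprinting before deciding;
        # here that decision is collapsed into a User-Agent check
        return Response(302, {"Location": MOBILE_LANDING if mobile else DESKTOP_LANDING})
    if url == MOBILE_LANDING:  # cloned Google sign-in form on the attacker's host
        return Response(200, {}, '<form action="/login"><input name="identifier">'
                                 '<input type="password" name="password"></form>')
    if url == DESKTOP_LANDING:  # benign decoy for desktop visitors
        return Response(200, {}, "<html><body>Google Help</body></html>")
    return Response(404)


if __name__ == "__main__":
    verdict = check_cloaking(constructed_fetcher, START_URL)
    for k, v in verdict.items():
        print(f"{k}: {v}")
```

Against a real chain the header-only walk above may never reach the divergence point: the CAPTCHA and fingerprinting gate requires JavaScript, and the decision may key on touch support or viewport size rather than the User-Agent string. Run the same comparison from a headless browser with mobile emulation when a plain HTTP walk stalls at the gate, and keep both chains in the incident record, since the desktop walk alone would wrongly clear the link.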
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Initial delivery via a targeted e-mail link impersonating DocuSign. (‘The initial payload was disguised as a DocuSign document requiring immediate review’)
- [T1566.001] Phishing: Spearphishing Attachment – PDF-based phishing used to embed deep links and mimic DocuSign workflows. (‘carefully crafted PDF documents designed to mimic legitimate DocuSign workflows, containing embedded phishing URLs’)
- [T1204.002] User Execution: Malicious File, followed by [T1204.001] User Execution: Malicious Link – the victim opens the PDF and then taps the embedded link; the flow relies entirely on user interaction and trust in business documents. (‘PDF-based phishing is becoming a prevalent method, leveraging user trust in business documents’)
- [T1583.001] Acquire Infrastructure: Domains and [T1584.001] Compromise Infrastructure: Domains – the newly registered diitalwave[.]ru and the compromised university domain; chaining them behind a legitimate link tracker hides the true destination from URL scanners. (‘Attackers utilized legitimate domains and advanced evasion techniques to bypass security measures’)
- [T1583.006] Acquire Infrastructure: Web Services – Abuse of legitimate web/CDN services (Cloudflare proxying, a marketing platform's link tracker) to host and deliver phishing content behind reputable IP space. (‘Cloudflare is a well-known content delivery network… When attackers abuse this infrastructure, they exploit its strengths for malicious purposes’)
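Because the PDF lure keeps the phishing URL inside the attachment, a URL scanner only sees it if something extracts link actions from the PDF first. The following is an added example (not code from the original article or its author) that pulls `/URI` actions out of a PDF, decoding both literal strings (including octal escapes and backslash-newline continuations, which an attacker can use to split the URL) and hex strings. The sample PDF is constructed inline and is not a real phishing document; the URLs in it are taken from the summary's indicator list, with the `/login` and `/view` paths assumed. It deliberately uses only the standard library, and it does not inflate compressed object streams, so a link hidden inside a FlateDecode-compressed `/ObjStm` would not be found without a full PDF parser.

```python
"""Added example: extract /URI link actions from a PDF for URL scanning.
Not code from the original article. The sample document is constructed."""
import re
from typing import List

# /URI followed by a literal string ( ... ) or a hex string < ... >.
# The literal-string branch consumes any backslash escape, including backslash-newline.
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^()\\])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)",
    re.DOTALL,
)

ESCAPES = {ord("n"): 0x0A, ord("r"): 0x0D, ord("t"): 0x09, ord("b"): 0x08,
           ord("f"): 0x0C, ord("("): 0x28, ord(")"): 0x29, ord("\\"): 0x5C}


def decode_literal(raw: bytes) -> bytes:
    """Decode a PDF literal string body: named escapes, \\ddd octal, and line continuation."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C:              # ordinary byte
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(raw):          # trailing lone backslash: drop it
            break
        c = raw[i]
        if c in (0x0A, 0x0D):      # backslash-EOL continues the string, emits nothing
            i += 2 if (c == 0x0D and i + 1 < len(raw) and raw[i + 1] == 0x0A) else 1
            continue
        if c in ESCAPES:
            out.append(ESCAPES[c])
            i += 1
            continue
        if 0x30 <= c <= 0x37:      # \ddd: up to three octal digits
            val, j = 0, i
            while j < len(raw) and j < i + 3 and 0x30 <= raw[j] <= 0x37:
                val = val * 8 + (raw[j] - 0x30)
                j += 1
            out.append(val & 0xFF)
            i = j
            continue
        out.append(c)              # unknown escape: the backslash is ignored
        i += 1
    return bytes(out)


def decode_hex(raw: bytes) -> bytes:
    """Decode a PDF hex string body; whitespace is ignored and an odd final digit is padded."""
    h = re.sub(rb"\s", b"", raw)
    if len(h) % 2:
        h += b"0"
    return bytes.fromhex(h.decode("ascii"))


def extract_uris(pdf: bytes) -> List[str]:
    """Return every /URI target in document order, decoded to text."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = decode_literal(m.group("lit")) if m.group("lit") is not None else decode_hex(m.group("hex"))
        uris.append(raw.decode("utf-8", errors="replace"))
    return uris


def defang(url: str) -> str:
    """Make a URL safe to paste into a report: http -> hxxp, '.' -> '[.]'."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def build_sample_pdf() -> bytes:
    """Constructed one-page PDF with three /Link annotations in three string encodings."""
    hex_uri = b"<" + b"https://diitalwave.ru/login".hex().encode() + b">"
    # literal string with an octal escape (\157 = 'o') and a backslash-newline split
    escaped_uri = b"(https://wplus\\157riginal.com/\\\nview)"
    return (
        b"%PDF-1.4\n"
        + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        + b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R 6 0 R] >> endobj\n"
        + b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
        + b"/A << /S /URI /URI (https://elckg.kidsavancados.com/) >> >> endobj\n"
        + b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670] "
        + b"/A << /S /URI /URI " + hex_uri + b" >> >> endobj\n"
        + b"6 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620] "
        + b"/A << /S /URI /URI " + escaped_uri + b" >> >> endobj\n"
        + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for u in extract_uris(build_sample_pdf()):
        print(defang(u))
```

Feed the extracted URLs to the same reputation and redirect-chain checks applied to URLs in the message body; the point is that the attachment's links must reach the scanner at all. A production pipeline should also flag `/Launch`, `/JavaScript` and `/GoToR` actions, and decompress object streams before matching.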
Indicators of Compromise
- [Domain] phishing/redirect hosts – diitalwave[.]ru, elckg[.]kidsavancados[.]com, wplusoriginal[.]com, oecoress[.]click, arrcom[.]top, o2-prepay[.]com, uspzlc[.]top, usuali[.]shop; clickme.thryv.com is a legitimate link-tracking host that was abused, so block or hunt on the specific tracking URL rather than the domain.
- [IP / CIDR] hosting – 104.21.71[.]155 (Cloudflare); the page also lists CIDR 104.21.0[.]0/17, but that range is shared Cloudflare proxy space serving countless legitimate sites, so it is suitable for pivoting and correlation, not for blocking.
- [Phishing URL] embedded link example – https[:]//elckg[.]kidsavancados[.]com/ (noted as offline during analysis)
- [Compromised / legitimate domain] redirection/credibility sources – …college[.]gov[.]bd, a compromised university domain with a registration record dating to 1999-05-20 00:00:00 that was used as a high-reputation redirector, and legitimate Google sites used as benign decoy destinations for desktop visitors (support.google.com, mail.google.com, drive.google.com)
- [Domain metadata] recently-created infrastructure – diitalwave[.]ru (created 2024-12-05; SSL issued December 6, 2024)
Read more: https://www.hendryadrian.com/mobile-spear-phishing-targets-executive-teams/