Keypoints
- The phishing campaign targets Hungary’s government CERT (HunCERT) by mimicking its login page with victim email prefilled to increase trust.
- Phishing pages are hosted on Amazon S3 to stay under the radar, and they embed a Cloudflare Turnstile widget so the page appears to perform a legitimate CAPTCHA check before the login form is shown.
- The threat actors use the Logokit phishing kit, which automatically fetches the targeted organization’s logo and favicon via Clearbit and Google’s S2 Favicon API so that each page carries convincing branding without manual effort.
- The campaign also impersonates other organizations such as Kina Bank (Papua New Guinea), the Catholic Church (USA), and logistics firms (Saudi Arabia), showing a global reach.
- Victim credentials are exfiltrated to the domain mettcoint[.]com, which has been active since February 2025 and had no detections on VirusTotal at the time of the report.
- Open directories and multiple phishing pages on mettcoint[.]com indicate a sustained and ongoing phishing operation.
- Recommendations include user education, multi-factor authentication, and using threat intelligence platforms like Cyble Vision for proactive detection and takedowns.
MITRE Techniques
- [T1566] Phishing – Employed by crafting realistic phishing pages mimicking HunCERT login portals and pre-filling victim email addresses to harvest credentials (“…mimicked the Hungary CERT login page, with the victim’s email address prefilled in the username field…”).
- [T1056.003] Input Capture: Web Portal Capture (listed in the source as T1110 Brute Force, which does not match the described activity) – Credentials typed into the spoofed login form are captured by the kit and posted to the attacker’s collection endpoint (“…credential-harvesting phishing links… victim credentials being sent to mettcoint[.]com/js/error-200.php…”).
- [T1583.006] Acquire Infrastructure: Web Services (listed in the source as T1598, which is Phishing for Information) – Amazon S3 buckets and other legitimate hosting are used to serve the phishing pages, blending them with trusted infrastructure (“…phishing pages were hosted on Amazon S3 (AWS) to stay under the radar…”).
- [T1588] Obtain Capabilities – Use of publicly available tools such as Logokit phishing kit for ease and automation of phishing campaigns (“…Logokit phishing kit…automatically retrieving branding icons using Clearbit and Google’s favicon API…”).
Indicators of Compromise
- [URL] Phishing URLs targeting HunCERT and others – flyplabtk[.]s3.us-east-2.amazonaws.com/q8T1vRzW3L7XpK0Mb9CfN6hJ2sUYgZAxewoQpHDVlt5BmnEjOrGiScFuYXdAv349/he-opas.html, hxxps://chyplast[.]onrender.com/clastk-chy.html
- [URL] Credential-collection (exfiltration) domain – mettcoint[.]com, including paths such as /js/error-200.php and /css/nk/error-404.php
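The indicators above are only useful once they are run against telemetry. The following Python script is an added example, not code from the Cyble report or from Logokit itself. It parses constructed web-proxy log lines in an assumed layout (`<ISO-8601 timestamp> <client ip> <method> <url> <status>`), matches them against the report’s hosts and exfiltration paths, and separately flags the Logokit fetch pattern the article describes: a client pulling a logo from Clearbit and a favicon from Google’s S2 API for the same brand domain, then POSTing to a host that is neither that brand nor a branding service. The brand domain `example-cert.hu`, the client IPs and the timestamps are constructed for the sample; the Turnstile script URL is Cloudflare’s public one and is included only to show that its presence on its own is not a signal.

```python
"""Scan proxy log lines for the report's IoCs and for the Logokit branding-then-POST pattern."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Indicators from the report, refanged so they match real log data.
IOC_HOSTS = {
    "mettcoint.com",
    "flyplabtk.s3.us-east-2.amazonaws.com",
    "chyplast.onrender.com",
}
IOC_PATHS = {"/js/error-200.php", "/css/nk/error-404.php"}

# Branding services Logokit calls to dress the page; benign in isolation.
CLEARBIT_HOST = "logo.clearbit.com"
GOOGLE_FAVICON_HOST = "www.google.com"
GOOGLE_FAVICON_PATH = "/s2/favicons"

# Assumed log layout (not from the report): "<ts> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample traffic, not real telemetry. Client 10.1.2.3 walks through a
# Logokit page; client 10.1.2.7 only fetches a favicon for a legitimate site.
SAMPLE_LOG = """\
2025-05-12T09:14:01Z 10.1.2.3 GET https://flyplabtk.s3.us-east-2.amazonaws.com/q8T1vRzW3L7XpK0Mb9CfN6hJ2sUYgZAxewoQpHDVlt5BmnEjOrGiScFuYXdAv349/he-opas.html 200
2025-05-12T09:14:02Z 10.1.2.3 GET https://logo.clearbit.com/example-cert.hu 200
2025-05-12T09:14:02Z 10.1.2.3 GET https://www.google.com/s2/favicons?domain=example-cert.hu 200
2025-05-12T09:14:03Z 10.1.2.3 GET https://challenges.cloudflare.com/turnstile/v0/api.js 200
2025-05-12T09:14:40Z 10.1.2.3 POST https://mettcoint.com/js/error-200.php 200
2025-05-12T09:20:11Z 10.1.2.7 GET https://www.google.com/s2/favicons?domain=github.com 200
2025-05-12T09:20:12Z 10.1.2.7 GET https://github.com/login 200
"""


def parse_line(line):
    """Parse one log line into a dict with timestamp, host, path and query; None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    u = urlparse(rec["url"])
    rec["host"] = u.hostname or ""
    rec["path"] = u.path
    rec["query"] = parse_qs(u.query)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def ioc_hits(records):
    """Exact matches against the report's hosts and exfiltration paths."""
    return [(r["client"], r["url"]) for r in records
            if r["host"] in IOC_HOSTS or r["path"] in IOC_PATHS]


def branded_domain(r):
    """Return the brand domain a request fetches branding for, else None."""
    if r["host"] == CLEARBIT_HOST:
        return r["path"].lstrip("/").lower() or None
    if r["host"] == GOOGLE_FAVICON_HOST and r["path"] == GOOGLE_FAVICON_PATH:
        return (r["query"].get("domain") or [None])[0]
    return None


def logokit_sequences(records, window_s=600):
    """Flag a client that fetched both Clearbit logo and Google favicon for one brand and then,
    within window_s seconds, POSTed to a host that is neither that brand nor a branding API."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        brands = {}  # brand domain -> (first branding fetch ts, set of services seen)
        for r in recs:
            brand = branded_domain(r)
            if brand:
                _, seen = brands.setdefault(brand, (r["ts"], set()))
                seen.add(r["host"])
                continue
            if r["method"] != "POST":
                continue
            for brand, (first, seen) in brands.items():
                off_brand = r["host"] != brand and not r["host"].endswith("." + brand)
                if len(seen) == 2 and off_brand and (r["ts"] - first).total_seconds() <= window_s:
                    alerts.append({"client": client, "brand": brand,
                                   "exfil_host": r["host"], "exfil_path": r["path"]})
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, url in ioc_hits(recs):
        print("IOC hit:", client, url)
    for a in logokit_sequences(recs):
        print("Logokit pattern:", a)
```

The IoC match is exact and will go stale as the actor rotates buckets and domains; the sequence rule is the part worth keeping, because it keys on how the kit assembles a page rather than on where it happens to be hosted. Tune `window_s` to how long your users typically take to submit a login form, and expect to whitelist internal tools that legitimately call the favicon API.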
Read more: https://cyble.com/blog/logokit-being-leveraged-for-credential-theft/