In this episode of Breaking Badness, the crew investigates two escalating threats in the cybercrime ecosystem: the cleverly named phishing-as-a-service platform Morphing Meerkat, and the bulletproof hosting provider Proton66, a favorite among amateur cybercriminals.
First, they dig into how Morphing Meerkat uses DNS-over-HTTPS (DoH) and clever phishing kits to evade detection. Then, they shift focus to Proton66, a Russian-based bulletproof host that shelters a new generation of low-skill attackers, including a threat actor known as "ette" with ties to a group called Horrid.
Morphing Meerkat: Phishing-as-a-Service Gets an Upgrade
This week, the Breaking Badness crew explored a phishing-as-a-service (PhaaS) operation called Morphing Meerkat, a platform using DNS-over-HTTPS (DoH) to evade detection.
According to Tim Helming, Morphing Meerkat represents a growing trend where phishing kits are no longer built for elite hackers:
“You don’t have to have a lot of technical knowledge… you pay the sellers some money and then you sit back and reap the rewards.”
The phishing campaign uses a multi-stage process:
- Mass spam emails with links
- An MX record lookup via DoH to determine the user’s email provider
- A customized fake login page with branding that matches their provider (e.g. Outlook, AOL)
- A forced password retry screen to increase credential accuracy
- The actual stolen credentials are sent via email or Telegram bot
Why DNS-over-HTTPS (DoH) matters:
DoH obfuscates DNS queries, making it harder for defenders to inspect traffic.
Proton66 and Coquettte: Bulletproof Hosting for Amateur Cybercriminals
Next, Ian Campbell shared research from DomainTools on Proton66, a Russian-based bulletproof hosting provider.
“Bulletproof hosts are like the cool mom… if you also give mom your share of illicit goods,” Campbell joked.
Unlike more discreet hosting services, Proton66 openly tolerates malware, phishing sites, and criminal activity. Investigators found it to be a haven for low-skill attackers who otherwise might not maintain infrastructure.
One such actor is Coquettte (or “ettte” with three Ts), who was traced back to Proton66 via an OPSEC failure.
How was Coquettte exposed?
Hosted a fake antivirus product called Cyber Secure Pro
- Forgot to disable directory listing on the site, exposing malware, scripts, and infrastructure
- Pivoting from this led researchers to several related domains and shared analytics tags
- Revealed a loose affiliation with the group Horrid, described as a “cybercriminal collective fostering amateur threat actors”
“Whenever you take someone who has curiosity and a group that gives them belonging… that raises them from low-level actors to more dangerous ones,” said Campbell.
Why This Matters for Defenders
While Morphing Meerkat shows how phishing tools are becoming more sophisticated, Proton66 highlights the importance of behavioral detection and monitoring low-skill attacker infrastructure.
“This isn’t nation-state level tradecraft,” Helming noted, “but it’s still effective, and more people can do it now.”
Recommendations for defenders:
- Don’t ignore amateur attacker behavior. Coquettte-style actors are often overlooked but represent a growing risk.
- Maintain DNS visibility. Limit or monitor DoH usage in the enterprise.
- Use tools that allow domain pivoting, infrastructure mapping, and behavioral analysis of low-tier actors.
- Continue end-user phishing education. While not foolproof, it's still a front-line defense.
Resources:
Watch on YouTube
That’s about all we have for this week, you can find us on Mastodon and Twitter/X @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!
Heading
