Flying Phish

Exploration of a common Phishing campaign in the global flock.


In this blog post, we explore and analyze a current and prevalent phishing campaign targeting Twitter users that has recurred over the last few years. Our goal is to characterize its behavior and intent, and ultimately to demonstrate one set of approaches for investigating similar campaigns.

For some recent statistics on the issue of phishing in 2021, see the below report from the Anti-Phishing Working Group:

Figure 1: Phishing attacks have trended upwards over all of 2021.

The trend shown in Figure 1 demonstrates that phishing overall is on a steady rise. This will continue unless we begin to understand more about the most common attacks out there, hopefully allowing us as an industry to formulate more effective solutions to combat this behavior.

The example we chose is a campaign targeting the users of one of the world’s most popular social media platforms and one that has had no shortage of recent exposure in the media: Twitter. 


Our exploration begins with discovery; the most essential part of combating any phishing campaign is learning that it exists. As such, it starts with a single newly registered domain, one that triggered an alert in the DomainTools Iris Detect lookalike domain discovery platform.

  • Iris Detect Monitored Term: “Twitter”
  • Starting domain: “twitterreporterhelp[.]com”
  • Registered: 18th of Aug 2022
  • Discovered: 18th of Aug 2022 @16:24pm


Figure 2: The Twitter logo seen on this collected screenshot is subtly different to the genuine article. We will come back to this later.

After discovery, the DNS delegation and a screenshot were collected over the ensuing 6 minutes, see Figure 2 for the collected screenshot including a unique take on the Twitter logo. Based on communication and co-operation from Twitter’s Security Team, we have a domain that we know is not legitimate in nature and one that might represent an initial peek into what could be (spoiler, it is) a larger campaign. To proceed, we will break our research into two facets: passive and active analysis.

Passive Analysis

Here we will explore and enumerate any entities which show enough characteristic similarity to be grouped with this starting domain. That is, we will pivot out from this domain to find other related domains and infrastructure which may represent a targeted campaign rather than the random scattergun approach often seen from phishing and spam actors.

We will use the DomainTools Iris Investigate platform as the case management and reporting tool for this investigation, as well as a significant data source, because we will occasionally dip in and out of other tools that specialize in different datasets to acquire further pivots that enumerate this campaign as completely as possible.

Some of those other tools we will use include, but are not limited to:

  • A platform specializing in page content: URLScan
  • A platform specializing in malicious file detections and activity mapping: VirusTotal
  • An Online Swiss Army Knife: CyberChef

Starting in Iris Investigate

Initial pivoting on the Microsoft Corp. hosting IP address for this domain, 52.226.25[.]237, produced two additional interesting domains. At the time of writing this pivot shows 14 domains (Figure 3), the vast majority of which fit the same profile as our starting domain, in most cases using the exact same lure (Figure 2). These types of domains are still being created or re-registered regularly. Many are quickly discovered by third-party vendors and added to publicly available blocking and CTI threat feeds; however, they can often remain active and unreported to the wider community for some time.

Figure 3. The first domain and its connections as seen through DomainTools Iris Investigate.
  • Hosting IP:

There are a wide variety of options to map this campaign, and in this article we’ll focus on one way to proceed: monitoring the page contents of the lure (Figure 2). As previously noted, the image used to represent Twitter’s logo (actually a GIF in most of these cases) looked unique and might be a key source of valuable pivoting.

Additional domains:

Figure 4. Other domains found not a part of this campaign but potentially controlled by the same actors.

There were a limited number of other domains using the same hosting and SSL patterns (Figure 4), as well as some circumstantial evidence connecting them to this campaign (some of these domains appear to impersonate a legitimate organization, “”, which was created by one of the original Twitter founders). Considering this, we have medium confidence in a potential attribution at this time using discovered registrant details. We specifically note the domain ape-coin[.]us, whose registrant details were also found to be linked to accounts on Twilio as well as Spotify and Discord. These details are:

  • Registrant Name: Umut Can
  • Registrant Phone number: +905468342455 (VODAFONE Telekomunikasyon)
  • Registrant email address: emrecan3187@gmail[.]com

Reverse image searching and other intel from

The Twitter logo image used on these lure pages (Figure 2) is subtly different from the legitimate Twitter logo when seen in the screenshots sourced from DomainTools Iris Investigate. Given the similarity of all of the remaining content in the source of these domains, the choice to use such a unique image was felt to be significant and likely a valuable pivot.

There were two variants of this logo seen at this time. The first, shown in Figure 5, was loaded from a different domain hosted on Amazon; pivoting in this platform on that specific image link surfaced ~9 domains (Figure 6). The second variant, shown in Figure 7, is also loaded from a third-party domain, this time on DigitalOcean; pivoting in URLScan on that second image link surfaced 33 domains ranging in age from less than a month to a year (Figure 8).

Figure 5. HTTP Resources page of for this initial domain showing the twitter logo image used in this lure
Figure 6. Other domains in this campaign, all linked by the use of the same GIF resource and confirmed by the use of the same lure page (Figure 2)
Figure 7. A domain in this campaign as seen from the resource page of that displays an image resource variant.

This adds to the GIF / image resources from which we have found valuable pivots. See current resource list below:

  • Twitter-gif-2.gif
  • Techtree_News_04_8.png?itok=nR8UCrz0
    • www.techtree[.]com/sites/default/files/styles/story_page_315_236/public/2014/6/
Figure 8. Domains obtained from a pivot on the domain resource variant seen in Figure 7.

When examining these newly discovered domains in Figure 8, they largely all use the same lure (Figure 2) and are indeed part of a much larger campaign with a defined set of targets. It is telling that these image links are so unique that they have only ever been used on domains involved in this campaign.
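The resource pivot described above can be reproduced offline over page sources. The following Python is an added example, not code from this post, from DomainTools or from URLScan: it indexes every third-party resource URL (img src, script src, link href) loaded by a set of constructed lure page sources and returns the domains that share a given one, which is the same grouping a URLScan resource pivot performs. Every domain and resource URL in it is made up for the example; no real lure content or indicator from the post is used.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed page sources standing in for the HTTP-resource view of several
# lure domains. All domains and resource URLs below are invented for this example.
PAGES = {
    "lure-one.example": """<html><body>
        <img src="https://cdn.example-host.net/brand-logo-2.gif" alt="logo">
        <script src="https://lure-one.example/js/app.js"></script>
        <form action="mail.php"></form></body></html>""",
    "lure-two.example": """<html><body>
        <img src="https://cdn.example-host.net/brand-logo-2.gif">
        <link rel="stylesheet" href="/style.css">
        <form action="mail.php"></form></body></html>""",
    "unrelated.example": """<html><body>
        <img src="https://static.example-other.org/banner.png">
        <script src="https://cdnjs.example/jquery.min.js"></script></body></html>""",
    "lure-three.example": """<html><body>
        <img src="https://images.example-cdn.com/a/b/news_image_8.png?itok=abc123">
        <form action="mail.php"></form></body></html>""",
}

# Any src= or href= attribute value; good enough for the static lure pages here.
RESOURCE_ATTR = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def external_resources(page_domain, html):
    """Absolute resource URLs loaded from a host other than the page's own domain."""
    found = set()
    for url in RESOURCE_ATTR.findall(html):
        parts = urlsplit(url)
        if not parts.netloc:
            continue  # relative path: served by the lure itself, not a pivot
        if parts.netloc.lower() == page_domain.lower():
            continue  # same-origin resource: tells us nothing about other domains
        found.add(url)
    return found


def resource_index(pages):
    """Map each third-party resource URL to the set of domains that load it."""
    index = defaultdict(set)
    for domain, html in pages.items():
        for url in external_resources(domain, html):
            index[url].add(domain)
    return index


def pivot(pages, resource_url):
    """Domains loading exactly this resource URL: the analogue of a URLScan resource pivot."""
    return sorted(resource_index(pages).get(resource_url, set()))


def shared_resources(pages, min_domains=2):
    """Resources loaded by at least `min_domains` distinct domains: candidate pivots."""
    return {url: sorted(doms) for url, doms in resource_index(pages).items()
            if len(doms) >= min_domains}


if __name__ == "__main__":
    for url, doms in shared_resources(PAGES).items():
        print(url, "->", ", ".join(doms))
```

A resource that is shared by several lookalike domains and by nothing legitimate is the kind of pivot the post found valuable; one shared by half the web (a CDN copy of jQuery, say) is not, so in practice the candidate list is filtered against a popularity baseline before pivoting.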

Now that we have made our decision that this is very likely to be a campaign with malicious intent, we will next begin searching through the dataset of another data vendor that specializes in malicious file detections and activity mapping.

Pivots from VirusTotal

Beginning with our starting domain (“twitterreporterhelp[.]com”) we searched in VirusTotal and found a downloaded file for a domain that had been added on September 1, 2022 (Figure 9). Pivoting on this file in VirusTotal surfaced 17 domains observed downloading this file in the wild closely resembling those already discovered via Iris Investigate, as shown in Figure 10.

Figure 9. Downloaded file sample from VirusTotal for our initial domain.
Figure 10. Additional domains found via a pivot on the file discovered in Figure 9

There were some additional potentially unrelated domains:

  • Markoliviaa[.]com
  • Vakifbank-turkiye[.]com

All domains discovered through these different tools or threads of research are being returned to Iris Investigate and tagged with “TwitterPhish” for later de-duplication and reporting. These various threads are all represented in the Investigation History panel of the Iris Investigate platform, as shown in Figure 11.

Figure 11. Collating recent discoveries using different threads, within the same investigation inside DomainTools Iris Investigate for reporting and case management purposes.

VirusTotal File Analysis

We analyzed the common file downloaded from these domains:

  • “/var/www/clean-mx/virusesevidence/output.195135302.txt”

A historical detection in VirusTotal of this file produced the table of data shown in Figure 12, as well as seven seemingly unrelated domains. The raw contents of the file are provided in Figure 13.

Figure 12. A listing of domains extracted from the common file. Due to the nature of the connection here, we are inclined to categorize these as potential command and control (C2) for this campaign.

Raw Data:

Figure 13. Raw file contents in txt.

When parsing this raw content for strings, we found the following:

  • Sign.php
  • douglas.walker@mitie[.]com
  • data=04|01|
  • emilie_garcia@paramount
  • script>
  • typo=1
  • Noemie
  • Apps
  • andrew.spriet@voyav[.]com
  • VirusShare_c77192ce3ea8610df69cb880424dd538

Further decoding of this raw data using the “From Base64” recipe in the online tool CyberChef provides these additional strings:

  • ngreg.goodman@uni
  • ncasey.horton@motiva[.]com
  • monica.copeland@motiva[.]com
  • jphish@test[.]com
  • franco[.]ma
  • ovjhiggins@tiaa-cref[.]org
  • carolinek@strathmore[.]ca

Further recipe decoding using CyberChef shows Simplified Chinese character output, which may not be relevant to this exploration but is still worthy of note. Though the multiple layers of encoding are significant, it is believed that there is further encoding in the raw data that is as yet undiscovered. Finally, pivoting in VirusTotal on the last bulleted item from the raw content list in Figure 13 links us to the compressed parent file:

  • Pivot: VirusShare_c77192ce3ea8610df69cb880424dd538
  • Compressed Parent:
  • VirusTotal Hash: 674d1e3bbc6039855f4fb2874ddb7274905ae3ca598edd1cfeb2d347a2e6b669
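To show the string extraction and layered base64 decoding described above in code, here is an added Python example (not from the post, from DomainTools or from CyberChef). It works over a constructed text blob that wraps placeholder e-mail addresses in two layers of base64, carves printable strings the way the `strings` utility would, repeatedly decodes any base64-looking run, and collects every e-mail address found at any layer. The addresses and markup are invented for the example; none of the post's indicators are reused.

```python
import base64
import re

# Constructed stand-in for the raw evidence file: a plain-text fragment plus a
# value wrapped in two layers of base64. All addresses are placeholders.
_inner = "id=phish@test.example&user=first.last@victim.example&typo=1"
_layer1 = base64.b64encode(_inner.encode()).decode()
RAW_SAMPLE = (
    "<script>var d='" + base64.b64encode(_layer1.encode()).decode() + "';</script>\n"
    "ops.team@sample.example data=04|01| Sign.php\n"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A base64 "run": 16+ alphabet characters and optional padding. Short runs are
# skipped because ordinary words would otherwise decode to garbage.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def strings(blob, min_len=4):
    """Printable-ASCII runs of at least `min_len` characters, like `strings`."""
    return re.findall(r"[\x20-\x7e]{%d,}" % min_len, blob)


def decode_layers(text, max_depth=5):
    """Return the input plus every distinct text recovered by peeling base64 layers.

    Each base64-looking run is decoded; anything that is not valid base64 or not
    valid UTF-8 is ignored. Decoded output is searched again, so nested layers
    (base64 inside base64) are unwrapped up to `max_depth` times.
    """
    seen = [text]
    frontier = [text]
    for _ in range(max_depth):
        next_frontier = []
        for chunk in frontier:
            for run in B64_RE.findall(chunk):
                try:
                    decoded = base64.b64decode(run, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue
                if decoded not in seen:
                    seen.append(decoded)
                    next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return seen


def harvest_emails(blob):
    """Every e-mail address visible at any decoding layer, sorted and de-duplicated."""
    emails = set()
    for layer in decode_layers(blob):
        emails.update(EMAIL_RE.findall(layer))
    return sorted(emails)


def defang(addr):
    """Write an address the way the post does, with the final dot bracketed."""
    local, _, domain = addr.rpartition("@")
    head, _, tld = domain.rpartition(".")
    return f"{local}@{head}[.]{tld}"


if __name__ == "__main__":
    print("strings:", strings(RAW_SAMPLE))
    print("layers :", len(decode_layers(RAW_SAMPLE)))
    for e in harvest_emails(RAW_SAMPLE):
        print("email  :", defang(e))
```

The recursion is what catches the "multiple layers" the post mentions: a single "From Base64" pass would stop at the intermediate layer, which is itself base64 and contains no readable addresses.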

Content of

Figure 14. Lure (Figure 2) website structure.

With this new set of indicators we can see that at least one of the historical iterations of this campaign has previously been reported to VirusTotal. Figure 14 shows the structure of files called by these lure (Figure 2) web pages. We can use this to compare newly discovered domains and link them to this campaign with a high degree of confidence, which will make effective mitigation easier and more efficient.

We now have a much greater understanding of the structure of these phishes, and can see that they are engaged in credential harvesting, with the potential for more.

To finish our passive analysis, we searched online for text matches to some of the strings we identified, on the possibility that this could surface useful context. Google Dorks can be used effectively for this, but were not pursued extensively in this exploration.

One interesting item discovered using this method was an Alienvault Pulse for Phishing domains that mentions one of our more unique strings as a URL parameter. Specifically, Alienvault “Domains used in Phishing” pulse shows a link to one of the artifacts found in “/var/www/clean-mx/virusesevidence/output.195135302.txt” (Figure 15):

When we look at “more details” in the Alienvault pulse (Figure 16), which shows the server’s response and certificate information for this domain on the date it was discovered and reported (August 6, 2021), we see that the certificate subject name carries a similar but different domain: rfhv8[.]xyz rather than aps5[.]xyz:

  • subject: {“common_name”:”rfhv8[.]xyz”}
Figure 15. An Alienvault match to a string found in the output file shown in Figure 13
Figure 16. Alienvault additional details for the matching URL parameter (“[email protected]”) on domain “rfhv8[.]xyz”

Bringing this new domain back to Iris Investigate, we observe that the DNS SOA email address for this domain, as well as the hosting IP and NS IPs, reveal relationships to a large number of similar domains which appear to have been created with a domain generation algorithm (DGA); see Figures 17 and 18.

Figure 17. Domain discovered via Alienvault details as seen through DomainTools Iris Investigate. Note the IP addresses and SOA email address highlighted in blue.

Possible DGA Domains:

Figure 18. Pivoting on the leaked DNS/SOA email address and hosting IP address offers this list of potentially related domains.

The relevance of the domains in Figure 18 to this campaign depends on whether “[email protected]” represents a victim or the actor. We currently cannot confirm either case.

Active Analysis

In this phase of our exploration, we obtained what we believe to be two of the most recent examples of this campaign as represented by the lure (Figure 2) sites. To do this, we visited these domains and supplied whatever they asked for while clicking through their interface. For this stage of the experiment, 3 sock puppets were created: 2 would be used as victims to feed to these domains, and one would act as the control and observer.

These sock puppet personas were created with legitimate email addresses and Twitter accounts. They were designed to be diverse, given unique interests that each followed, and the accounts tweeted about various subjects on occasion. They were also given AI-generated profile images consistent with their defined age and personal profile.

We selected two active domains in this campaign to feed our victim personas to. We did this to compare behavior across domains, providing support that this is indeed a coherent campaign. The two domains we selected were:

  • twitter-helpings[.]com
  • twitterhelpers[.]com

Below are the domains seen in our case management and overall repository, DomainTools Iris Investigate (Figure 19). The domains allow us to make further pivots to identify new hosting infrastructure that is likely to represent new tactics, techniques, and procedures (TTPs) for this actor, as well as further add to the cumulative list of domains both historically and actively involved in this campaign.

Figure 19. Domains for active analysis and their connections as seen through DomainTools Iris Investigate.

Resolving these domains shows their intent is to harvest both email credentials and Twitter usernames. Email credentials are requested first; after clicking confirm, Twitter credentials are requested. The flow for twitter-helpings[.]com is shown in Figures 20 and 21. We noted that while resolving this domain, pages tend to render in a very jagged way, starting with basic HTML and then applying the CSS slowly. Another interesting note is that this page was using the Twitter API to confirm an account as genuine; when entering incorrect data we received a page never seen before: wrong.php.


Figure 20. Screenshot of twitter-helpings[.]com as resolved in a live test environment. This page wanted an email address and password.
Figure 21. Screenshot of page delivered after clicking “Confirm Account” on  twitter-helpings[.]com. This page asks for the Twitter handle and password.

The flow for the second domain, twitterhelpers[.]com, is shown in Figures 23, 24, and 25.  In a variation of this flow, a phone number is also requested.


Figure 23. Second domain for active analysis, twitterhelpers[.]com, as resolved in a live test environment
Figure 24. Second page served by twitterhelpers[.]com after clicking “Next” as seen above in Figure 23.
Figure 25. Final page served by this domain before being redirected to the official and genuine Twitter Help page.

All of the requested information was supplied for our two victim personas. After all of the information was submitted and inputs clicked, the user is auto-navigated to the official Twitter Help page, presumably to give the appearance of legitimacy so that the visit is forgotten. We monitored our environment for changes in a number of ways in the off chance these domains were doing more than was immediately apparent. It was also observed that the Twitter logo being used on these latest members of the campaign has changed and might represent another addition to this actor’s TTP (Figure 26).

Figure 26. New and more recent domains discovered as part of this campaign using a new GIF resource 
  • https://cdn.dribbble[.]com/users/652798/screenshots/1846570/media/84230547bc98b3390e9e4a6f18690fdd.gif

Pivoting on these in DomainTools Iris Investigate brings our total of campaign domains and potentially related domains to 153. The full list can be replicated in your own instance of DomainTools Iris Investigate via the import hash found in the Appendix.

Data Gathered

All gathered lists of domains and samples will be made available via Github in the Appendix.

In this section we detail the tools used and the data captured, which can be used to infer the behavior of this campaign with regard to a local machine that resolves one of these lures. Using a virtual machine environment with its own independent access to the Internet for this test meant that we could run several tools while performing our active analysis. These allowed us to capture the presence and impact of any malicious resources this campaign might cause to be downloaded.

Several OSINT Tools were used to accomplish this sample gathering, but some of the most useful were:

  • Regshot
  • ProcMon
  • Wireshark
  • And more….

We can see from the results in our screenshots below that in both iterations of our test several new registry keys were either added or modified. Patterns matching known malware families were not detected in this data. These registry changes can be examined in detail using the GitHub link in the Appendix.

Regshot result from twitter-helpings[.]com is shown in Figure 27, and one for twitterhelpers[.]com is in Figure 28. 

Figure 27. Comparison of a clean registry in the test environment with a post first domain experiment registry.
Figure 28. Comparison of a clean registry in the test environment with a post second domain experiment registry.

Unusual network behavior was also observed in Wireshark, where this domain called out via DNS to try to resolve subdomains of the following organizations:

  • Instagram
  • Googleapis

This pattern is common to both tests and could become a part of an eventual detection signature to be used by an automated playbook with the goal of finding and guarding against new iterations of this campaign. See Figure 29 for a short example snippet from Wireshark.
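The Wireshark observation above suggests the shape of a detection rule, and the following Python is an added example of one (not from the post or from any DomainTools product). Over a constructed DNS query log it pairs a monitored-term lookalike check like the one that started this investigation (a query name containing "twitter" that does not sit under the legitimate Twitter domains) with the co-occurrence of Instagram and googleapis subdomain lookups from the same client within a short window. All host names and addresses in the log are made up, and the suffix lists and window length are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed DNS query log in "<ISO timestamp> <client> <qname>" form, standing
# in for a Wireshark capture; every host name and address here is invented.
DNS_LOG = """\
2022-11-10T10:00:01 10.0.0.5 twitter-help-example.test
2022-11-10T10:00:02 10.0.0.5 cdn-edge.example.net
2022-11-10T10:00:03 10.0.0.5 i.instagram.com
2022-11-10T10:00:04 10.0.0.5 fonts.googleapis.com
2022-11-10T10:05:00 10.0.0.7 www.twitter.com
2022-11-10T10:05:01 10.0.0.7 abs.twimg.com
2022-11-10T10:09:00 10.0.0.9 twitterhelpers-example.test
2022-11-10T10:09:30 10.0.0.9 scontent.instagram.com
2022-11-10T10:15:00 10.0.0.9 fonts.googleapis.com
"""

MONITORED_TERM = "twitter"                          # as with the Iris Detect monitored term
LEGIT_SUFFIXES = ("twitter.com", "twimg.com", "t.co")  # assumed brand-owned zones (illustrative)
CO_OCCURRING = ("instagram.com", "googleapis.com")  # the lookups seen in the capture
WINDOW = timedelta(seconds=60)                      # assumed correlation window


def under(qname, suffix):
    """True when qname is `suffix` itself or a subdomain of it."""
    name = qname.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def is_lookalike(qname):
    """Monitored-term match on a name that is not under the legitimate brand zones."""
    if any(under(qname, s) for s in LEGIT_SUFFIXES):
        return False
    return MONITORED_TERM in qname.lower()


def parse(log):
    """Parse the three-column log into (timestamp, client, qname) rows."""
    rows = []
    for line in log.splitlines():
        ts, client, qname = line.split()
        rows.append((datetime.fromisoformat(ts), client, qname))
    return rows


def detect(log, window=WINDOW):
    """Alert when a client resolves a lookalike and, within `window`, every co-occurring suffix.

    The lookalike query is the trigger; the Instagram/googleapis lookups on their
    own are far too common to alert on and only serve to confirm the lure's
    page-load pattern.
    """
    rows = parse(log)
    alerts = []
    for ts, client, qname in rows:
        if not is_lookalike(qname):
            continue
        later = [q for t, c, q in rows if c == client and ts <= t <= ts + window]
        hit = {s for s in CO_OCCURRING for q in later if under(q, s)}
        if hit == set(CO_OCCURRING):
            alerts.append({"client": client, "lookalike": qname, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(DNS_LOG):
        print(alert)
```

In the constructed log only the first client trips the rule: the second resolves the genuine Twitter domains, and the third resolves the googleapis name six minutes after the lookalike, outside the one-minute window. Widening the window (the second argument to `detect`) trades that miss for more noise, which is the tuning decision a playbook built on this pattern would have to make.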

Figure 29. Wireshark snippet for the initial domain test.

Process Monitor also displayed several interesting new file creations but, again, no pattern matching any known malware family was observed (Figure 30). As before, this does not mean that none is present, or that no other malicious content is here to be found. We suspect there is indeed something of note here, which is another reason that we have included all of this data in the Appendix.

Figure 30. ProcMon snippet from Test (Security Accounts Manager Client DLL)

Sample files uploaded to VT

Below we can see confirmation that our freshly gathered sample data from this most recently created campaign iteration is indeed malicious and matches samples gathered by other researchers in earlier iterations of this campaign, including a previously unseen sample, “wrong[.]php”. Figures 31-34 show details from VirusTotal for the PHP files username.php and mail.php, a CSS resource, and wrong.php, respectively, for twitter-helpings[.]com. Identical detections were seen when uploading the samples gathered for twitterhelpers[.]com to VirusTotal, so we will not present those here.

  • Username.php from Twitter-helpings[.]com
  • Hash: 1c2ed10af13441b48ae65abb975acfde2c6712d81308a8cd45bd2b6e0bc8ac2c
Figure 31. VirusTotal upload result for username.php from Twitter-helpings[.]com 
  • Mail.php from twitter-helpings[.]com
  • Hash: 49ddcb8734a8477ce0916ec4cb081a4c0e0dbd0c167450a140ab1f4e41d028de
Figure 32. VirusTotal upload result for mail.php from Twitter-helpings[.]com
  • Interesting YARA Rule match for one of the css files from twitter-helpings[.]com:
    • After_Click_Challenge_e6dcc76c8eaf.css
  • Hash: 16c16a825280d02191f5bfa3b9084965ccfe31ca16621354c2625fd0e7e15dd3
Figure 33. VirusTotal upload result for a CSS resource after initiating a click action on the page from Twitter-helpings[.]com
  • Wrong.php from twitterhelpers[.]com.
  • Hash: 872efa01ea9d55db43a9ebce2eeef6fb84dfc8fb6f0b25f4349112c69255c2c6
Figure 34. VirusTotal upload result for wrong.php from Twitter-helpings[.]com

Last note from findings: The potential C2 connection called out earlier in this blog was not confirmed during the course of this research. The status of “andrew.spriet@voyav[.]com” as a potential victim or actor here also remains unconfirmed, and as such the list of connected domains should be approached with the knowledge that they may represent a red herring for the purposes of this research.

Consideration of Findings

As of December 2022, all victim email and Twitter accounts were still accessible, meaning they had not been hijacked and credentials remained unchanged. This leads us to believe that the primary motive could be one of a few possibilities. First is to collect credentials for later sale in bulk. Second would be for the creation of “sleeper” Twitter accounts, which could be activated en masse to perform some operation or action. In both scenarios, the actors hope the theft will go unnoticed as the final step of their process drops you at the official Twitter Help page.

In addition, there were no obvious indicators of malware observed within the test environment. However, a great number of registry keys and processes were spun up during this experiment that cannot be ruled out. It is possible that malware was dropped, determined that it was in a test environment, and removed itself. To facilitate future research, we are providing logs and data files of what we observed.

Given the behavior of new domain registrations and old domain re-registrations, as well as the consistency in lure variations detected by VirusTotal, we feel this may represent a long-running phishing kit (phishkit). Such kits can often be bought and operated by a wide variety of individuals and organizations with a multitude of purposes, and purchases tend to happen in Dark Web forums and other similarly restricted-entry marketplaces. Further research will be required to determine the true nature of this campaign, as well as a strategy for combating it on an ongoing basis.


We do not believe this is a new campaign targeting Twitter users for their credentials, but rather one that has been around for some time. This is likely a new wave or phase of that campaign, displaying growth and complexity over time. We feel this is relevant to highlight given recent media coverage of Twitter, the sheer number of similar phishing campaigns at large today, and the fairly open and brazen nature of this campaign. It suggests that we as a community need to continually assess the complexity of these campaigns if we are to find success in combating them.

Mitigation of this campaign could take many forms. One we suggest here is an automated playbook that leverages both the DomainTools Iris Investigate API and the URLScan API, using the unique infrastructure-based and content-based artifacts discovered here to hunt for new variants of this campaign over time and defend against them.

Readers could also further the research presented here by bringing their own perspective to this experiment, beginning with the linked evidence in the Appendix. This might allow further mitigation techniques, such as YARA rules for any files dropped and DNS filters for the somewhat unique network traffic pattern observed in our capture evidence.

We would like to thank the Twitter Security team for their valuable support during the course of this research.


GitHub Link to gathered samples and log evidence from experiments for both active analysis domains:

DomainTools Iris Investigate, import hash listing all domains discovered in this blog: