lazarusholic

Ten Operators, Nine Campaigns, and a Backend With No Password: How a Single Vercel URL Exposed a Two-Year Korean Phishing Syndicate

2026-04-05, BreakGlassIntelligence
https://intel.breakglass.tech/post/team24-ten-operators-vercel-phishing-syndicate-open-backend-korean-targeting
#Kimsuky #Phishing

Contents

arnptec.com has directory listing enabled with ten named operator directories, nine phishing campaigns, and two years of activity
@skocherhan flagged a Vercel-hosted phishing page: curly-spoon-sigma[.]vercel[.]app. An auto-generated project name on a free-tier platform. We expected a throwaway credential harvester. What we found was a fully exposed backend revealing a ten-person phishing operation that has been running for two years.
The Backend Has No Door
The phishing page at curly-spoon-sigma[.]vercel[.]app impersonates a Naver login. Credentials entered by victims are POSTed — via base64-encoded AJAX — to arnptec[.]com/team24/nvvvr/mab/send.php.
We visited arnptec[.]com. Directory listing is enabled. No authentication. No .htaccess restrictions. The entire operation is browsable:
/team24/
/alfred/
/brian/
/bsktdrp/
/ethan/
/gates/
/jeremy/
/kk/
/mab/
/stv/
/stvcooper/
Ten operator directories. Each containing phishing kits, exfiltration scripts, and campaign files. A second tree at /fresh/ serves as a template repository — clean copies of kits ready for deployment.
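A defender-side illustration of the credential POST described above, as an added example that is not from the original report: it scans constructed proxy records for a POST that originates from a page on a free hosting platform and goes to a `.php` endpoint on an unrelated domain with a body that is a single base64 blob. The JSON field names, the suffix list, and the assumption that the whole request body is base64 are hypothetical.

```python
import base64
import binascii
import json
from urllib.parse import urlsplit

# Assumption: hosting suffixes to watch; the report only names vercel.app.
FREE_HOSTING_SUFFIXES = (".vercel.app",)

def _rec(method, url, referer="", body=""):
    """Build one constructed proxy record (hypothetical field names)."""
    return json.dumps({"method": method, "url": url, "referer": referer, "body": body})

KIT_PAGE = "https://curly-spoon-sigma.vercel.app/"
# Constructed sample traffic; only the two hostnames and the path come from the report.
SAMPLE_LOG = "\n".join([
    _rec("GET", KIT_PAGE),
    _rec("POST", "https://arnptec.com/team24/nvvvr/mab/send.php", KIT_PAGE,
         base64.b64encode(b"id=constructed-user&pw=constructed").decode()),
    _rec("POST", KIT_PAGE + "api/form", KIT_PAGE, "name=a"),  # stays on the platform, ignored
    _rec("POST", "https://shop.example/cart.php", "https://shop.example/", "item=1&qty=2"),
])

def looks_base64(body):
    """True if the whole body is one strictly valid base64 blob."""
    if len(body) < 16 or len(body) % 4:
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def find_offsite_credential_posts(log_text):
    """Return (page_host, collector_host, path) for each suspicious POST."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        dest = urlsplit(rec["url"])
        page_host = urlsplit(rec.get("referer", "")).hostname or ""
        dest_host = dest.hostname or ""
        if (rec["method"] == "POST"
                and page_host.endswith(FREE_HOSTING_SUFFIXES)
                and not dest_host.endswith(FREE_HOSTING_SUFFIXES)
                and dest.path.lower().endswith(".php")
                and looks_base64(rec.get("body", ""))):
            hits.append((page_host, dest_host, dest.path))
    return hits

if __name__ == "__main__":
    for hit in find_offsite_credential_posts(SAMPLE_LOG):
        print("suspicious credential POST:", hit)
```

Where the proxy does not record a Referer, the Origin header of a cross-origin AJAX request can fill the same role.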
Ten Named Operators
The directory structure …

IoC
