Key Takeaways
- The initial phishing link we identified mimicked the Hungary CERT login page, with the victim’s email address prefilled in the username field to enhance credibility and increase the likelihood of credential submission.
- The phishing pages were hosted on Amazon S3 (AWS) to stay under the radar and increase credibility among potential victims.
- The phishing pages integrate Cloudflare Turnstile to create a false sense of security and legitimacy, increasing the success rate of credential harvesting.
- At the time of analysis, the domain harvesting victim credentials was active and had zero detections on VirusTotal.
- Further investigation revealed this to be an ongoing campaign targeting Banking and Logistics firms, showing a global and diverse targeting strategy.
- These phishing links were built using the LogoKit phishing kit. The target logo was extracted from the victim’s email domain using Clearbit and Google Favicon.
Technical Analysis
Cyble Research and Intelligence Labs (CRIL) has identified a phishing link belonging to a targeted campaign directed at the Government of Hungary. The campaign involved threat actors impersonating HunCERT, Hungary’s official Computer Emergency Response Team.
CRIL has identified the following phishing URLs being used in this campaign:
- flyplabtk[.]s3.us-east-2.amazonaws.com/q8T1vRzW3L7XpK0Mb9CfN6hJ2sUYgZAxewoQpHDVlt5BmnEjOrGiScFuYXdAv349/he-opas.html?email=cert@govcert.hu
- flyplabtk[.]s3.us-east-2.amazonaws.com/q8T1vRzW3L7XpK0Mb9CfN6hJ2sUYgZAxewoQpHDVlt5BmnEjOrGiScFuYXdAv349/he-opas.html?email=csirt@nki.gov.hu
These phishing pages are hosted on Amazon Web Services (AWS) infrastructure, specifically using Amazon S3 buckets to appear trusted and stay under the radar.
The credential-harvesting phishing links were crafted using a legitimate HunCERT email address prefilled in the username field to enhance credibility and increase the likelihood of credential submission (see Figure 1).

The phishing page is designed to closely resemble a legitimate login portal, prompting users to enter their passwords. To increase credibility, it integrates Cloudflare Turnstile, a CAPTCHA alternative, to simulate human verification. This added layer of legitimacy may deceive users into believing the page is secure.
The victim’s credentials are being sent to mettcoint[.]com/js/error-200.php (see Figure 2).
![Cyble: Figure 2 – Victim credentials being sent to mettcoint[.]com](https://cyble.com/wp-content/uploads/2025/07/Figure-2-–-Victim-credentials-being-sent-to-mettcoint.com_-1.png)
Lastly, the victim is presented with a fake error message that displays “Error Submitting form. Please try again” (see Figure 3).

Phishing page – LogoKit relation
Upon analyzing the phishing page, we found that the phishing site uses Clearbit and Google S2 Favicon in the following manner (see Figure 4).
- The Clearbit Logo API is used to fetch the logo from the domain of the targeted organizations.
- Google S2 Favicon is leveraged to retrieve the favicon by extracting the domain from the email address in the URL.

The LogoKit phishing kit, first identified in 2021, is characterized by URLs embedded with the victim’s email address, identical layouts, and real-time logo fetching from services like Clearbit and Google’s favicon API.
LogoKit remains actively used in phishing campaigns because of its simplicity and automation. By automatically retrieving branding icons based on the URL’s domain, threat actors avoid the need to manually locate and update icons or logos within the phishing kit, making the process more scalable, convincing, and efficient.
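The traits described above can be checked for at a mail gateway or web proxy. The following triage function is an added example, not code from Cyble or from the kit; the trait names, the hosting suffix list (taken from the IOCs in this report), the logo-service hostnames and the sample URL are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Shared-hosting suffixes seen in this report's IOCs (Amazon S3 and Render).
SHARED_HOSTING = (".amazonaws.com", ".onrender.com")
# Public logo/favicon endpoints a LogoKit-style page calls at render time (assumed hostnames).
LOGO_SERVICES = ("logo.clearbit.com", "google.com/s2/favicons")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def refang(url):
    """Undo common defanging ([.] and hxxp) so urlsplit can parse the indicator."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    return url if re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I) else "https://" + url


def triage(url, recipient=None, body=""):
    """Return the LogoKit-style traits found for one delivered or clicked URL."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    hits = []
    # Trait 1: an email address carried in the query string or fragment.
    values = [v for _, v in parse_qsl(parts.query)] + [unquote(parts.fragment)]
    emails = [m.group(0).lower() for v in values for m in EMAIL_RE.finditer(v)]
    if emails:
        hits.append("email_in_url")
        if recipient and recipient.lower() in emails:
            hits.append("email_matches_recipient")
        # The login page lives on a host unrelated to the address it prefills.
        domains = [e.split("@")[1] for e in emails]
        if not any(host == d or host.endswith("." + d) for d in domains):
            hits.append("host_unrelated_to_email_domain")
    # Trait 2: page served from shared cloud storage or PaaS hosting.
    if host.endswith(SHARED_HOSTING):
        hits.append("shared_cloud_hosting")
    # Trait 3: password form that pulls its branding from a logo service.
    lowered = body.lower()
    if 'type="password"' in lowered and any(s in lowered for s in LOGO_SERVICES):
        hits.append("dynamic_logo_with_password_form")
    return hits


# Constructed sample, not an indicator from this report.
SAMPLE = "constructed-bucket[.]s3.us-east-2.amazonaws.com/abc/login.html?email=analyst@example.org"

if __name__ == "__main__":
    print(triage(SAMPLE, recipient="analyst@example.org"))
```

A URL that carries the recipient's own address and resolves to shared hosting unrelated to that address's domain is a strong candidate for quarantine or analyst review, even when the domain has no reputation hits.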
Ongoing Phishing campaign
During our research, we were able to identify an open directory path in mettcoint[.]com containing several PHP files and attack elements (see Figure 5).

One of the directories contained a phishing page impersonating the WeTransfer file-sharing portal – mettcoint[.]com/css/nk/index-822929.html (see Figure 6).

Upon clicking the “Access Files” option, the victim is presented with a login page where the user credentials are uploaded to “mettcoint[.]com/css/nk/error-404.php”.
OSINT also revealed that the domain “mettcoint[.]com” has been used in other phishing attacks, indicating this to be a currently ongoing campaign. In addition to targeting HunCERT, this ongoing phishing campaign has also targeted multiple entities across different countries, impersonating Kina Bank in Papua New Guinea, the Catholic Church in the United States, and logistics companies in Saudi Arabia (see Figure 7).

mettcoint[.]com was registered in October 2024 and has been actively leveraged in phishing campaigns since February 2025. Notably, the domain currently has zero detections on VirusTotal, allowing it to operate stealthily. As of this writing, the domain is still live and functional. Its ongoing availability and undetected status indicate that the phishing campaign is likely still active, with threat actors continuing to target victims on a global scale.
Conclusion
This ongoing phishing campaign, identified by Cyble Research and Intelligence Labs (CRIL), demonstrates how threat actors continue to refine their tactics by impersonating trusted entities like HunCERT, Kina Bank, and charitable organizations. By hosting phishing pages in cloud services such as Amazon S3 and Render and leveraging techniques like Cloudflare Turnstile, the attackers enhance the credibility of their phishing pages.
The human element remains both the strongest and weakest link in cybersecurity, with cautious and responsible use preventing compromises by cyber threats. Campaigns such as this, however, exploit that element by appearing credible, making them a primary concern for even cyber-savvy employees.
The ongoing use of the C&C domain mettcoint[.]com across multiple campaigns highlights a sustained, global operation. This case underscores the growing sophistication of phishing attacks and the need for constant vigilance, user awareness, and strong security controls to mitigate such threats.
Our Recommendations
The ideal way to avoid threats like this is to take a proactive stance instead of a reactive one. Dedicated Brand Intelligence solutions in CTI solutions, such as Cyble Vision, specifically empower users with rapid takedowns by helping them avoid falling prey to phishing attacks or business email compromise, all relevant to the user’s brand, supply chain, and clients.
Cyble Vision users can leverage the platform in the following ways:
- Cyble Vision’s proprietary threat intelligence feeds proactively identify and block domains, IPs, and infrastructure components associated with this or any other tracked phishing campaign, ensuring rapid response and reduced exposure time.
- Cyble’s deep and dark web reconnaissance capabilities keep you a step ahead by monitoring the proliferation of LogoKit-based phishing kits across underground forums and marketplaces, enabling early detection and disruption of similar threat campaigns.
- Vision’s extensive Threat Actor library correlates attackers’ TTPs with profiles of threat actors tracked by Cyble, allowing for attribution, helping clients understand the broader context and motivation behind a campaign.
While there is no substitute for a competent CTI solution, we have listed some essential cybersecurity best practices that create the first line of control against attackers.
We recommend that our readers follow the best practices given below:
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Use reputable anti-virus and internet security software on your connected devices, including your PC, laptop, and mobile device.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Use secure email gateways to detect and block phishing emails with malicious links or attachments.
- Use multi-factor authentication (MFA) to reduce the impact of stolen credentials.
- Monitor for unusual login behavior or access from suspicious IP addresses.
- Keep your devices, operating systems, and applications updated.
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| flyplabtk[.]s3.us-east-2.amazonaws.com/q8T1vRzW3L7XpK0Mb9CfN6hJ2sUYgZAxewoQpHDVlt5BmnEjOrGiScFuYXdAv349/he-opas.html | URL | Phishing URL |
| hxxps://chyplast[.]onrender.com/clastk-chy.html | URL | Phishing URL |
| jstplastoss-bk.s3[.]us-east-2.amazonaws.com/z7WvKxGq4a9TnMf5Y2BpHJR6EL0udCXeNVwAQ8osIDU3bZymkgPtSjrh1FclXnOevYq29WRG45bTHVLuCMnAfKPZx0tdEJiSmgQUv7NAeO1XrYL3CHwbz5GKMpRtqsd9jo/auth-he-opas.html | URL | Phishing URL |
| ecowhizz.co[.]za/ecowhizz.co.zaza/he-opas.html?email=ict.apnic@au.saabgroup.com | URL | Phishing URL |
| mettcoint[.]com | URL | C&C |



