GoPhish Framework Leveraged to Target Polish Government Regulator and Energy Sector

Published on Apr 10, 2025

GoPhish Infrastructure Targets Polish Energy and Government

Phishing remains a common entry point in both targeted and opportunistic campaigns, often supported by open-source frameworks that simplify credential harvesting at scale.

During a review of known C2-related data in Hunt.io, we identified infrastructure associated with domains spoofing Polish organizations in the energy sector, including both a national regulator and a private renewable energy firm. While the infrastructure was no longer serving phishing content at the time of analysis, its configuration and thematic focus suggest deliberate preparation for sector-specific credential collection.

This post details the discovery process, domain characteristics, and targeting themes to assist defenders in identifying similar infrastructure in future investigations.

For a comprehensive list of Indicators of Compromise (IOCs) identified during this investigation, refer to the IOC section at the end of this post.

Discovery via HuntSQL™

As part of our continuous effort to identify staging and command-and-control infrastructure, we regularly query Hunt.io's malware dataset for anomalous hostnames. During one such review, we ran a HuntSQL™ query for hostnames containing the keyword "gov", a common pattern in phishing infrastructure impersonating government services.

SELECT timestamp, ip, hostname, malware.name
FROM malware
WHERE hostname LIKE '%gov%'
GROUP BY timestamp, ip, hostname, malware.name

The query returned over 1,000 results. One entry stood out: uregov[.]pl. Polish government domains are registered under the gov.pl second-level zone, for example ure[.]gov[.]pl. This hostname instead folds the "gov" token into its registrable label and sits directly under .pl, a format no official agency would use and one that a filter on ".gov." would miss entirely. The domain appears intended to spoof Poland's Energy Regulatory Office (Urząd Regulacji Energetyki, URE), the agency responsible for overseeing the country's electricity and gas markets.

Figure 1: SQL search results for hostnames containing the word 'gov' linked to malware.

At the time the domain was observed, it resolved to 40.67.208[.]154, a Microsoft-owned IP address in the Netherlands. A review of the host revealed an administrative panel exposed on TCP port 3333, the default listener for the admin server of the open-source GoPhish framework. GoPhish is widely used in legitimate security awareness testing, but its quick setup, per-recipient tracking and flexible landing-page templates make it equally attractive for criminal credential phishing.

For detection strategies and hunting techniques, see our GoPhish Detection Guide.
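The guide covers the network side. As an added illustration, not code from the original post or from the GoPhish project, the script below checks a raw e-mail for the artifacts a stock GoPhish campaign leaves in the message itself: the X-Mailer: gophish header GoPhish adds by default, a landing-page link carrying the 7-character alphanumeric rid recipient identifier, and the /track?rid= open-tracking pixel. The sample message is constructed for the example; operators routinely change these defaults, so a clean result proves nothing on its own.

```python
"""Flag default GoPhish artifacts in a raw e-mail (added example)."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Stock GoPhish behaviour: outgoing mail carries "X-Mailer: gophish", every
# per-recipient URL carries a 7-character alphanumeric result id in the "rid"
# query parameter, and the open-tracking pixel is fetched from /track?rid=...
DEFAULT_XMAILER = "gophish"
RID_RE = re.compile(r"^[A-Za-z0-9]{7}$")
TRACK_PATH = "/track"


class _LinkExtractor(HTMLParser):
    """Collect <a href> and <img src> targets from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and ((tag == "a" and name == "href") or (tag == "img" and name == "src")):
                self.urls.append(value)


def extract_urls(msg: Message) -> list[str]:
    """Return every URL found in the text/plain and text/html parts."""
    urls: list[str] = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            parser = _LinkExtractor()
            parser.feed(body)
            urls.extend(parser.urls)
        else:
            urls.extend(re.findall(r"https?://[^\s<>\"']+", body))
    return urls


def gophish_indicators(raw_email: str) -> dict:
    """Score a message 0-3 on the three default GoPhish artifacts."""
    msg = message_from_string(raw_email)
    findings = {"x_mailer": False, "rid_links": [], "tracker": []}
    if (msg.get("X-Mailer") or "").strip().lower() == DEFAULT_XMAILER:
        findings["x_mailer"] = True
    for url in extract_urls(msg):
        parsed = urlparse(url)
        rid = parse_qs(parsed.query).get("rid", [None])[0]
        if rid is None or not RID_RE.match(rid):
            continue  # a link without a well-formed rid is not a GoPhish artifact
        bucket = "tracker" if parsed.path.rstrip("/") == TRACK_PATH else "rid_links"
        findings[bucket].append(url)
    findings["score"] = (int(findings["x_mailer"])
                         + int(bool(findings["rid_links"]))
                         + int(bool(findings["tracker"])))
    return findings


# Constructed sample message (not a real capture) carrying all three artifacts.
SAMPLE_EMAIL = """\
From: "IT Support" <helpdesk@login.example.net>
To: user@example.com
Subject: Password expiry notice
X-Mailer: gophish
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. <a href="https://login.example.net/?rid=Ab3dE9z">Sign in</a></p>
<img alt="" style="display:none" src="https://login.example.net/track?rid=Ab3dE9z">
</body></html>
"""

if __name__ == "__main__":
    print(gophish_indicators(SAMPLE_EMAIL))
```

A mail-gateway rule built on this should weight the rid link and tracker pixel higher than the X-Mailer header, which is the first thing an operator removes; the rid parameter is what makes per-recipient tracking work, so it survives into most real campaigns.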

Figure 2: The GoPhish login page hosted at 40.67.208[.]154:3333.

Keyword-based threat hunting like this can reveal infrastructure aligned with specific industry themes, even in the absence of live payloads. In this case, the combination of a phishing framework and sector-themed domains offers a view into which organizations may have been of interest during the reconnaissance phase.

Domain Patterns & Entities Targeted

In addition to uregov[.]pl, the domain that initiated this investigation, we identified 18 additional domains resolving to the same infrastructure. The earliest of these, nomad-electric[.]com, was originally registered in 2021 and pointed to 185.253.212[.]22 (AS48707, OPS PL sp. z o.o., Poland) before its resolution changed to 40.67.208[.]154 in February 2025.

Figure 3: Screenshot of the 'Domain' tab in Hunt for 40.67.208[.]154.

A total of 8 domains we observed were themed around Nomad Electric, a Polish energy company specializing in renewable energy infrastructure and large-scale photovoltaic (PV) system implementation.

Several were registered between late 2024 and February 2025 through PublicDomainRegistry (PDR Ltd), a high-volume registrar whose services have at times been abused to provision malware and phishing infrastructure.

The Nomad Electric-themed domains and subdomains included:

  • nomad-electric[.]com

  • nomadelectri[.]com

  • bhp.nomadelectri[.]com

  • auth-nomadelectric[.]com[.]pl

  • microsoft.nomadelectri[.]com

  • auth.nomadelectri[.]com

  • xn--nomadelectri-8qb[.]com (nomadelectriċ[.]com)

  • bhp.xn--nomadelectri-8qb[.]com (bhp.nomadelectriċ[.]com)

Subdomains such as auth., bhp. and microsoft. suggest attempts to impersonate both internal portals and trusted third-party services (bhp is the Polish abbreviation for occupational health and safety, a plausible name for an internal employee portal). The xn-- labels are Punycode: xn--nomadelectri-8qb decodes to nomadelectriċ, whose final character is U+010B, Latin small letter c with dot above, standing in for the plain c of "nomadelectric". At address-bar size the two are practically indistinguishable, while string matching and blocklists keyed on the ASCII brand never see a match. This is a well-known homograph tactic for slipping past simple domain-matching defenses while keeping a near-identical appearance to the legitimate brand.
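Both the reversed gov.pl pattern behind uregov[.]pl and the homograph and service-prefix tricks above reduce to a few mechanical checks. The following added example (not code from the original post) triages a hostname the way an analyst would by eye: decode xn-- labels, fold decorated letters back to their ASCII base, flag "gov" appearing outside the official gov.pl zone, flag login-style prefixes on an otherwise brand-themed name, and compare the registrable label against a brand watchlist for exact, embedded and near-miss matches. The watchlist, prefix set and two-level suffix list are assumptions for the illustration, not data from the post.

```python
"""Triage lookalike hostnames (added example): IDN decoding, confusable
folding, 'gov' outside the official zone, service-style prefixes and
brand typosquats."""
import unicodedata

# Assumed watchlist for this illustration, not from the original post.
BRANDS = ("nomadelectric", "rpower", "mercedes")
GOV_ZONE = "gov.pl"
SERVICE_PREFIXES = {"auth", "login", "sso", "microsoft", "m365", "bhp", "portal"}
TWO_LEVEL_SUFFIXES = {"com.pl", "net.pl", "org.pl", "gov.pl"}


def to_unicode(hostname: str) -> str:
    """Decode Punycode (xn--) labels so the name reads as a browser shows it."""
    out = []
    for label in hostname.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed ACE label: keep it as-is
        out.append(label)
    return ".".join(out)


def skeleton(text: str) -> str:
    """Fold decorated letters to their base letter (ċ -> c, í -> i)."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def registrable(hostname: str) -> str:
    """Registrable domain under a minimal suffix list (.pl has com.pl etc.)."""
    labels = hostname.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(hostname: str) -> dict:
    """Return the decoded forms of a hostname plus a list of 'kind: detail' findings."""
    host = hostname.lower().rstrip(".")
    uni = to_unicode(host)
    skel = skeleton(uni)
    labels = skel.split(".")
    findings = []
    if uni != host:
        findings.append(f"idn: {host} renders as {uni}")
    if skel != uni:
        findings.append(f"confusable: {uni} folds to {skel}")
    if "gov" in skel and skel != GOV_ZONE and not skel.endswith("." + GOV_ZONE):
        findings.append(f"gov-token: 'gov' appears outside the {GOV_ZONE} zone")
    head = labels[0].split("-")[0]
    if head in SERVICE_PREFIXES and (len(labels) > 2 or head != labels[0]):
        findings.append(f"service-prefix: {labels[0]}")
    base = registrable(skel).split(".")[0].replace("-", "")
    for brand in BRANDS:
        if base == brand:
            findings.append(f"brand-exact: {base}")
        elif brand in base:
            findings.append(f"brand-embedded: {brand} inside {base}")
        elif edit_distance(base, brand) <= 2:
            findings.append(f"typosquat: {base} is within 2 edits of {brand}")
    return {"hostname": hostname, "unicode": uni, "skeleton": skel, "findings": findings}


if __name__ == "__main__":
    for name in ("uregov.pl", "ure.gov.pl", "bhp.xn--nomadelectri-8qb.com",
                 "auth-nomadelectric.com.pl", "testin.rqower.solar"):
        print(triage(name))
```

Run over the IOC list, ure[.]gov[.]pl comes back clean while uregov[.]pl trips the gov-token check, and the Punycode host is reported as an IDN whose skeleton equals the brand exactly. In production the hard-coded suffix list should be replaced by the Public Suffix List and the skeleton step by Unicode's confusables table, but the control flow is the same.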

The pairing of a private energy provider and a national regulator within the same sector suggests targeted interest in energy-related infrastructure or communications. This overlap between operational and administrative entities is often seen in phishing campaigns designed to collect credentials from users across different layers of a supply chain or regulatory environment.

Beyond the energy sector, additional domains tied to the server included lookalikes for a fitness gym, a catering service, and an apparent intellectual property law firm. These stand apart from the earlier energy- and government-themed domains and may indicate opportunistic targeting or infrastructure reuse.

A full list of domains is provided in the IOC section at the end of this post.

The targeting continued into early March 2025, when the domain mercedes-portal[.]pl was registered alongside a subdomain, microsoft-m365[.]mercedes-portal[.]pl. Both appear intended to spoof Mercedes-Benz and a Microsoft 365 sign-in associated with it.

The shift toward impersonating globally recognized brands suggests either a broader credential-harvesting effort or an expansion beyond Poland-specific organizations. While no active phishing content was identified on these domains, the pattern of registrations indicates continued maintenance and possible repurposing of the server for multiple campaigns.

Infrastructure Characteristics

Hosting and Services

The server at 40.67.208[.]154, hosted on Microsoft infrastructure, exposed the following ports:

  • 22/tcp (SSH)

  • 443/tcp (HTTPS)

  • 3333/tcp (GoPhish administrative panel)

Port 3333 served the GoPhish login interface, confirming the presence of the phishing framework.

HTTP Responses

Requests to the associated domains over HTTPS consistently returned a bare "404 Page Not Found" response, and this behavior was observed across all spoofed hostnames. On its own, that does not prove phishing content had been taken down: GoPhish's phishing server only renders a landing page for requests that carry a valid recipient identifier (the rid query parameter) and answers anything else, including a plain GET for /, with a 404. The server may therefore have been idle between campaigns rather than cleaned up. No additional web content or externally accessible services were identified.

TLS Certificates

TLS certificate intelligence data from Hunt.io shows that the first observed certificate on this server was issued by Let's Encrypt in February 2024. The Common Name (CN) was testin[.]rqower[.]solar, a typosquat of R.Power (q substituted for p) likely intended to resemble a testing environment belonging to R.Power Renewables, a European developer of utility-scale solar and battery storage projects.

Additional certificates followed in early 2025 with CNs for nomad-electric[.]com and mercedes-portal[.]pl. Although Let's Encrypt certificates are valid for 90 days, each was observed on the host for only a few days before being replaced, indicating that the operator redeployed the server frequently rather than letting certificates run to expiry.

Figure 4: TLS certificate data in Hunt for the phishing IP.
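To make the rotation signal concrete, the following added example (not code from the original post, and run over a constructed timeline rather than Hunt.io's data) separates a certificate's validity period from the time it was actually observed serving on a host. A long-validity certificate that disappears after a few days is the tell; the host below that cycles through three unrelated CNs this way is flagged, while a host that keeps one certificate for most of its lifetime is not. The IP addresses are documentation ranges and the dates are illustrative.

```python
"""Certificate deployment vs. validity on a phishing host (added example)."""
from collections import defaultdict
from datetime import date

# Constructed observations shaped like passive TLS scanner output; the IPs are
# documentation ranges and the dates are illustrative, not Hunt.io data.
OBSERVATIONS = [
    {"ip": "203.0.113.10", "cn": "testin.rqower.solar", "issuer": "Let's Encrypt",
     "not_before": date(2024, 2, 1), "not_after": date(2024, 5, 1),
     "first_seen": date(2024, 2, 1), "last_seen": date(2024, 2, 4)},
    {"ip": "203.0.113.10", "cn": "nomad-electric.com", "issuer": "Let's Encrypt",
     "not_before": date(2025, 2, 10), "not_after": date(2025, 5, 11),
     "first_seen": date(2025, 2, 10), "last_seen": date(2025, 2, 13)},
    {"ip": "203.0.113.10", "cn": "mercedes-portal.pl", "issuer": "Let's Encrypt",
     "not_before": date(2025, 3, 3), "not_after": date(2025, 6, 1),
     "first_seen": date(2025, 3, 3), "last_seen": date(2025, 3, 6)},
    {"ip": "203.0.113.10", "cn": "mercedes-portal.pl", "issuer": "Let's Encrypt",
     "not_before": date(2025, 3, 7), "not_after": date(2025, 6, 5),
     "first_seen": date(2025, 3, 7), "last_seen": date(2025, 3, 9)},
    # A benign host that keeps one certificate for most of its lifetime.
    {"ip": "198.51.100.7", "cn": "www.example.org", "issuer": "Let's Encrypt",
     "not_before": date(2025, 1, 1), "not_after": date(2025, 4, 1),
     "first_seen": date(2025, 1, 1), "last_seen": date(2025, 3, 20)},
]

EARLY_REPLACEMENT_DAYS = 7   # seen serving for a week or less ...
LONG_VALIDITY_DAYS = 60      # ... despite a validity period of two months or more


def deployment_windows(observations):
    """Per observation: days the certificate was seen serving vs. days of validity."""
    rows = []
    for o in observations:
        served = (o["last_seen"] - o["first_seen"]).days + 1
        valid = (o["not_after"] - o["not_before"]).days
        rows.append({
            "ip": o["ip"], "cn": o["cn"], "served_days": served, "valid_days": valid,
            "replaced_early": served <= EARLY_REPLACEMENT_DAYS and valid >= LONG_VALIDITY_DAYS,
        })
    return rows


def rotation_summary(observations, min_early=2, min_distinct_cns=2):
    """Flag hosts that repeatedly swap long-lived certificates while cycling CNs."""
    by_ip = defaultdict(list)
    for row in deployment_windows(observations):
        by_ip[row["ip"]].append(row)
    summary = {}
    for ip, rows in by_ip.items():
        distinct = len({r["cn"] for r in rows})
        early = sum(r["replaced_early"] for r in rows)
        summary[ip] = {
            "distinct_cns": distinct,
            "replaced_early": early,
            "suspicious": early >= min_early and distinct >= min_distinct_cns,
        }
    return summary


def watchlist_hits(observations, keywords):
    """CNs per host that contain a sector or brand keyword (case-insensitive)."""
    hits = defaultdict(set)
    for o in observations:
        cn = o["cn"].lower()
        if any(kw in cn for kw in keywords):
            hits[o["ip"]].add(o["cn"])
    return {ip: sorted(cns) for ip, cns in hits.items()}


if __name__ == "__main__":
    for ip, info in rotation_summary(OBSERVATIONS).items():
        print(ip, info)
    print(watchlist_hits(OBSERVATIONS, ("nomad", "mercedes", "solar")))
```

The same split applies when reading certificate transparency logs: CT records only issuance and validity, so the "few days" signal in this case is visible only to something that observes the host, such as passive TLS scanning, and not to a CT monitor alone.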

Targeting multiple energy sector entities, including R.Power and Nomad Electric, alongside a domain referencing Mercedes-Benz, may reflect overlapping themes: credential harvesting against high-trust industries and opportunistic registration of recognizable brands. The configuration points to infrastructure built for flexibility, with certificates swapped every few days to support rapidly cycled phishing setups.

Taken together, the rapid certificate replacement, rotating domain themes, and exposed administrative service point to infrastructure staged for credential phishing or impersonation activity. Although it was not serving content during the review, the configuration and continued domain registration suggest it remains viable for future use.

Final thoughts

This post examined a phishing infrastructure cluster built around the GoPhish framework and tied to domains impersonating Polish energy entities, legal services, and global brands. While the server was not serving phishing content at the time of review, its configuration, domain usage, and certificate activity suggest it was actively maintained and positioned for credential collection.

Defender Recommendations:

  • Monitor for suspicious domain registrations, especially those resembling internal systems or partner organizations.

  • Track certificate transparency logs and passive DNS for infrastructure reuse or rotation.

  • Use threat intel feeds to enrich visibility into newly registered or high-risk domains.

  • Ensure anti-phishing controls are tuned for sectors frequently impersonated, including energy, legal, and enterprise SaaS platforms.

Visibility into how phishing infrastructure is configured, even in the absence of active content, remains critical for identifying patterns and preparing defensive measures.

GoPhish Campaign Network Observables and Indicators of Compromise (IOCs)

IP Address          Domain(s)                                 ASN / Organization            Location
40.67.208[.]154     auth[.]nomadelectri[.]com                 Microsoft Corporation         Netherlands
                    bhp[.]xn--nomadelectri-8qb[.]com
                    microsoft[.]nomadelectri[.]com
                    nomad-electric[.]com
                    nomadelectri[.]com
                    auth-nomadelectric[.]com[.]pl
                    kuchniavikingi[.]pl
                    uregov[.]pl
                    bhp[.]nomadelectri[.]com
                    mercedes-portal[.]pl
                    intelect[.]pl
                    munaik[.]pl
                    pzfd[.]com[.]pl
                    xn--nomadelectri-8qb[.]com
                    zdrofit[.]com[.]pl
                    mnuiak[.]pl
                    microsoft-m365[.]mercedes-portal[.]pl
                    baza[.]mnuiak[.]pl
                    testin[.]rqower[.]solar
185.253.212[.]22    N/A                                       AS48707 OPS PL sp. z o.o.     Poland


Related Posts:

Phish No More: A Hunt.io Guide to Gophish Detection
Oct 12, 2023

Phishing is more than a social engineering technique; it's a harrowing threat landscape where deception, innovation, and vigilance collide.

ProxyLogon and ProxyShell Used to Target Government Mail Servers in Asia, Europe, and South America
Jul 2, 2024

Nearly three years after ProxyLogon and ProxyShell wreaked widespread havoc on Microsoft Exchange servers, the Hunt

Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Templates
Oct 8, 2024

Explore our in-depth analysis of a cybercriminal’s server, revealing DDoS tools, SpyNote spyware, phishing sites, and ransomware tactics.
