Server-Side Phishing: How Credential Theft Campaigns Are Hiding in Plain Sight
Published on Apr 15, 2025
Credential theft through phishing continues to be one of the most reliable paths into enterprise environments. Stolen usernames and passwords are frequently used for initial access, internal pivoting, and account abuse, often long before alerts are triggered.
This post examines an ongoing phishing campaign targeting employee and member portals. The cloned pages are designed to steal credentials using a PHP-based phishing kit. In previously observed activity, a client-side redirect was used to validate submitted credentials. Now, these checks are completed server-side, likely a deliberate effort to hinder analysis and limit visibility.
Using HuntSQL™'s Crawler dataset and guided by prior reporting, we surfaced several live pages exhibiting this behavior. We also identified a standalone healthcare-themed page on the same infrastructure, which may have been used to throw off researchers, or could indicate a new target of interest for the operators.
Research Origins
Our investigation began with an observation from a Malwarebytes blog post detailing a malvertising campaign that used Google Ads to phish employees at Lowe's. Within the HTML of one of the webpages, researchers noted a reference to a PHP script, xxx.php, which serves as the phishing kit.
This past December, Silent Push published similar findings tied to a campaign they refer to as "Payroll Pirates." Their reporting noted that phishing pages were often exposed behind an /online directory. We decided to explore further and use these two indicators as a starting point.
Using HuntSQL™, we constructed a targeted query across the crawler dataset to identify recently captured pages that mirrored the above structure. Specifically, we searched for pages containing references to xxx.php within the HTML and /online in the URL path:
SELECT *
FROM crawler
where body like '%xxx.php%' and url like '%/online%' and timestamp > NOW - 14 DAY
The query returned 10 results. For this analysis, we chose to begin with myinfoaramapay[.]com, a domain impersonating Aramark's MyAccess login portal. This page, and others uncovered in the dataset, share common themes and technical traits that will be detailed in the next section.
Phishing Page Analysis
The domain myinfoaramapay[.]com/online, configured with Cloudflare DNS and resolving to Cloudflare IPs, presents a cloned login portal for Aramark's MyAccess system, a legitimate employee access point used by one of the largest U.S.-based food service and facilities companies. The phishing page is a near-identical match to the authentic site, replicating layout, fonts, and branding. One notable omission is the virtual assistant feature, which is present on the legitimate page but removed in the malicious version.
Attempting to access the root domain without the /online path returns a 403 Forbidden error, likely a deliberate decision to limit unwanted attention from scanners, researchers, or takedown services.
A review of the page's source reveals JavaScript code that captures the username and password entered into the form, sending the data to xxx.php, the backend PHP script associated with the phishing kit.
After harvesting the credentials, the script redirects the user to Aramark's actual Single Sign-On page. This line can be seen in the screenshot above starting with the line of code underlined in yellow.
This setup mimics many common phishing kits, but the campaign diverges from past variants in how it handles credential validation, a shift explored in the next section.
Updated Code Logic
Another domain uncovered through our query, forurbestexper[.]com, hosts a page impersonating Frances Online, the Oregon Employment Department's unemployment claim portal.
The domain resolves to IP address 80.64.30[.]101, operated by Chang Way Technologies Co. Limited, in Russia. This server hosts multiple similarly structured domains serving phishing pages that target login portals. We'll expand on these domains in the following section.
Reviewing the source code reveals JavaScript code consistent with our earlier find, except for one detail: the credential theft logic no longer includes a client-side redirect to the legitimate website.
As in earlier versions, the victim's credentials are captured via a POST request to xxx.php, likely for backend exfiltration. However, this version introduces a new behavior: the entered username is stored in localStorage, suggesting it may be reused or referenced by additional scripts or pages across the kit.
Once credentials are submitted, the script begins polling a new endpoint, check.php, once per second. The likely purpose is to validate the submitted credentials on the server side, with logic that operates as follows:
If the response is "success": the user is redirected to ./verify/ - mimicking a legitimate workflow.
If the response is "error": the user receives an alert and the page reloads.
If there's no response (""): polling continues silently.
By eliminating client-side validation and relocating the decision logic to the server, the actors obscure key detection points defenders previously relied on, such as redirects to login portals hardcoded into JavaScript. For sandboxes, scanners, and human analysts alike, this move makes it harder to trace the full phishing flow, but not impossible.
getUpdates2fa()
A more advanced variant of the phishing kit was observed on hignmarkedmemb[.]com, a domain hosted on the same infrastructure (80.64.30[.]101) as other employee portal phishing pages. This site impersonates Highmark, a major U.S. healthcare provider and insurance organization, with a malicious login page that simulates a two-factor authentication (2FA) flow.
This version reintroduces the redirect behavior seen in earlier kits but only after a valid OTP is submitted, mimicking typical SSO workflows to avoid suspicion.
Several traits stand out in this variant that defenders can use to hunt for similar pages used by this threat actor:
Material Design styling, including mat-form-field, ng-valid, and simulated "trusted device" checkboxes, replicating common enterprise UI frameworks.
JavaScript-controlled OTP submission, triggered via the #submit-otp-button and the getUpdates2fa() function.
Use of type=3 in POST requests to xxx.php, used to separate OTP collection from initial credentials.
Redirect after OTP validation, triggered only when msg == "success2", often forwarding to a real corporate portal (e.g., https[:]//employer.highmark[.]com).
These updates show a deliberate attempt to bypass environments protected by two-factor authentication. Detection teams should monitor for POST requests to suspicious endpoints like xxx.php and check.php, as well as traffic containing type=3 parameters, especially when followed by a redirect.
Infrastructure Analysis
In addition to the phishing pages described above, a total of 12 domains are currently hosted on 80.64.30[.]101, including sites spoofing AT&T, AFLAC, and other corporate login portals. The full list of domains is included in the IOC section at the end of this post.
Visiting the IP directly (without a domain) returns a single-page website titled "Technology Pharmacy CVS", a professionally styled page with no login functionality. While not inherently malicious, the page likely serves as a decoy to confuse researchers or present a benign legitimate webpage to hosting providers.
Interestingly, the address listed on the page is 1600 Pennsylvania Avenue NW, Washington, D.C., the location of the White House. This could be intentional misdirection or an artifact of a reused template, and may serve as an additional threat hunting indicator when reviewing similarly themed infrastructure.
A review of historical SSL certificate data for this IP via Hunt.io revealed several certificates, including those:
Targeting domains like United Airlines,
Using 80.64.30 as the common name, and
Issued by an unusual organization name, "XX", on ports 993 and 995 (typically reserved for IMAP and POP3 services).
Using this combination of certificate fields and the JA4x fingerprint, we identified an adjacent server at 80.64.30[.]100 hosting similar domains:
SELECT ip, port
FROM certificates
WHERE subject.common_name LIKE '%80.64.30%' AND subject.organization == 'XX'
AND ja4x.full == 'c9d784bbb12e_c9d784bbb12e_795797892f9c' AND timestamp > NOW - 30 DAY
GROUP BY ip, port
Given the sequential IPs and configuration similarities, it's likely these servers were procured via the same reseller or deployed using automation.
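The same pivot expressed in Python for analysts working from exported certificate records, as an added example (not Hunt.io's query engine or the post's own code): the JA4x string is the one in the query above, while the records, their dates, and the /24 adjacency helper are constructed assumptions.

```python
# Added example, not Hunt.io code. Records are constructed; only the JA4x
# value is taken from the post.
import ipaddress
from datetime import date, timedelta

JA4X_SEED = "c9d784bbb12e_c9d784bbb12e_795797892f9c"
UNEXPECTED_PORTS = {993, 995}  # IMAP/POP3 ports serving web-kit certificates

# Constructed certificate observations: ip, port, subject CN, subject O,
# JA4x fingerprint, date observed. Not real telemetry.
CERT_RECORDS = [
    {"ip": "80.64.30.101", "port": 443, "cn": "80.64.30", "org": "XX", "ja4x": JA4X_SEED, "seen": "2025-04-10"},
    {"ip": "80.64.30.101", "port": 993, "cn": "80.64.30", "org": "XX", "ja4x": JA4X_SEED, "seen": "2025-04-08"},
    {"ip": "80.64.30.100", "port": 995, "cn": "80.64.30", "org": "XX", "ja4x": JA4X_SEED, "seen": "2025-04-12"},
    # same CN/O but a different TLS stack: the JA4x condition drops it
    {"ip": "80.64.30.100", "port": 443, "cn": "80.64.30", "org": "XX", "ja4x": "000000000000_000000000000_000000000000", "seen": "2025-04-12"},
    # matches every field but falls outside the 30-day window
    {"ip": "80.64.30.101", "port": 443, "cn": "80.64.30", "org": "XX", "ja4x": JA4X_SEED, "seen": "2025-01-02"},
    # benign mail server with a conventional certificate
    {"ip": "203.0.113.7", "port": 993, "cn": "mail.example.org", "org": "Example Org", "ja4x": JA4X_SEED, "seen": "2025-04-11"},
]


def pivot_certificates(records, cn_fragment, org, ja4x, now, days=30):
    """Apply the query's WHERE clause and GROUP BY ip, port.

    Returns a sorted list of distinct (ip, port) pairs."""
    cutoff = now - timedelta(days=days)
    hits = set()
    for r in records:
        if cn_fragment not in r["cn"]:
            continue
        if r["org"] != org or r["ja4x"] != ja4x:
            continue
        if date.fromisoformat(r["seen"]) <= cutoff:
            continue
        hits.add((r["ip"], r["port"]))
    return sorted(hits)


def adjacent_hosts(hits, seed_ip):
    """IPs in the seed's /24 (other than the seed) sharing the certificate
    profile; this is how .100 surfaces when the pivot starts from .101."""
    net = ipaddress.ip_network(f"{seed_ip}/24", strict=False)
    return sorted({ip for ip, _ in hits
                   if ip != seed_ip and ipaddress.ip_address(ip) in net})


def unexpected_port_hits(hits):
    """Subset of hits served on ports normally reserved for IMAP/POP3."""
    return [h for h in hits if h[1] in UNEXPECTED_PORTS]


if __name__ == "__main__":
    hits = pivot_certificates(CERT_RECORDS, "80.64.30", "XX", JA4X_SEED, date(2025, 4, 15))
    print("matching ip/port pairs:", hits)
    print("adjacent hosts:", adjacent_hosts(hits, "80.64.30.101"))
    print("unexpected ports:", unexpected_port_hits(hits))
```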
Infrastructure hosted at 80.64.30[.]100 includes more domains spoofing employee login portals, such as:
A Canadian E-Services login page,
An airline employee portal for United Airlines, and
Additional enterprise-themed login templates.
ASN Background
Chang Way Technologies Co. Limited (AS57523) is a Hong Kong-registered ASN previously linked to Android and Windows malware distribution (e.g., Hydra, SectopRAT), Citrix Netscaler exploitation (CVE-2023-3519), and phishing targeting financial and government sectors. While smaller than more established bulletproof providers, it remains a recurring source of malicious infrastructure.
Tips for Defenders
Flag POST requests to suspicious PHP scripts such as xxx.php and check.php, particularly when paired with domains mimicking enterprise or employee login portals.
Look for type=3 values in request bodies, which may indicate OTP phishing flows targeting 2FA-enabled logins.
Review traffic to IP-hosted login pages, especially when paths include /online or when redirects follow successful credential submission.
Investigate TLS certificates that use portions of IP addresses as common names, and issuer values like O=XX, or are served over unexpected ports such as 993/995.
Monitor infrastructure from ASN Chang Way Technologies, especially when combined with cloned login pages, decoy content, or reused phishing templates.
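One way to turn these tips, together with the check.php polling flow described under Updated Code Logic, into detection logic over web proxy logs. This is an added example, not Hunt.io code or the kit's JavaScript; the log layout and the sample traffic are constructed assumptions.

```python
# Added example, not Hunt.io code or the kit's own JavaScript. Log lines are
# constructed; their layout (timestamp client method host path status body
# location, '-' when absent) is an assumed proxy log format.
import re
from collections import defaultdict
from datetime import datetime

SUSPICIOUS_SCRIPTS = {"xxx.php", "check.php"}  # kit endpoints named in the post

# Constructed traffic: one victim hits two kit pages, one user logs in to a
# legitimate intranet. Credential values are placeholders.
SAMPLE_LOG = """\
2025-04-10T12:00:00 10.0.0.5 POST forurbestexper.com /online/xxx.php 200 user=jdoe&pass=PLACEHOLDER&type=1 -
2025-04-10T12:00:01 10.0.0.5 GET forurbestexper.com /online/check.php 200 - -
2025-04-10T12:00:02 10.0.0.5 GET forurbestexper.com /online/check.php 200 - -
2025-04-10T12:00:03 10.0.0.5 GET forurbestexper.com /online/check.php 200 - -
2025-04-10T12:00:04 10.0.0.5 GET forurbestexper.com /online/verify/ 200 - -
2025-04-10T12:00:20 10.0.0.5 POST hignmarkedmemb.com /online/xxx.php 200 otp=000000&type=3 -
2025-04-10T12:00:21 10.0.0.5 GET hignmarkedmemb.com /online/ 302 - https://employer.highmark.com/
2025-04-10T12:05:00 10.0.0.9 POST intranet.example.com /login 200 user=a&pass=PLACEHOLDER -
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<host>\S+) "
                    r"(?P<path>\S+) (?P<status>\d{3}) (?P<body>\S+) (?P<location>\S+)$")


def parse_log(text):
    """Parse the assumed layout into dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["script"] = ev["path"].rsplit("/", 1)[-1]  # last path segment
            events.append(ev)
    return events


def analyze(events):
    """Return {(client, host): tags} for sessions showing the kit's behaviour."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["client"], ev["host"])].append(ev)
    findings = {}
    for key, evs in sessions.items():
        evs.sort(key=lambda e: e["ts"])
        tags, posted_at = set(), None
        for ev in evs:
            if "/online" in ev["path"]:
                tags.add("online_path")
            if ev["method"] == "POST" and ev["script"] in SUSPICIOUS_SCRIPTS:
                tags.add("credential_post")
                posted_at = ev["ts"]
                if re.search(r"(^|&)type=3(&|$)", ev["body"]):
                    tags.add("otp_post_type3")  # OTP stage of the 2FA variant
            elif posted_at and (ev["status"].startswith("3")
                                or ev["path"].endswith("/verify/")):
                tags.add("redirect_after_submit")
        # Server-side check: repeated GETs to check.php about one second apart.
        polls = [e["ts"] for e in evs
                 if e["method"] == "GET" and e["script"] == "check.php"]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        if len(polls) >= 3 and all(g <= 2 for g in gaps):
            tags.add("check_php_polling")
        # "/online" alone is too weak; require a kit endpoint or the polling.
        if tags & {"credential_post", "check_php_polling"}:
            findings[key] = tags
    return findings
```

Running `analyze(parse_log(SAMPLE_LOG))` tags the two kit sessions and leaves the intranet login untouched; in production the script names and cadence thresholds would be tuned against your own proxy data.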
Final thoughts
The infrastructure outlined in this post reflects how persistent, state-linked threat actors continue to administer and evolve their operational footprint. From Gamaredon's flux-like DNS activity to the reuse of ShadowPad-linked certificates and staging scripts, each cluster provides a window into how adversaries prepare access points long before payloads are delivered.
Understanding how threat actors shape and maintain their infrastructure offers defenders an opportunity to detect activity earlier in the intrusion lifecycle. While payloads may change, the operational habits behind staging, delivery, and control often remain consistent, and that's where long-term visibility matters most.
Employee Portal Phishing Network Observables and Indicators of Compromise (IOCs)
IP Address | Domain(s) | Hosting Company | Location
---|---|---|---
80.64.30[.]100 | ipafranchest[.]com, lawpaymentpw[.]live, franchehub[.]us, eservicesa[.]live, myportalbsbsist[.]com, flyungtogether[.]com, middafitich[.]com | Chang Way Technologies Co. Limited | RU
80.64.30[.]101 | forurbestexper[.]com, afiocksignoned[.]com, hignmarkedmemb[.]com, www[.]franceuisonl[.]com, attdomhomepage[.]com, empnohourstodayhr[.]com, www[.]adaptchm[.]com, afilachokloginochok[.]com | Chang Way Technologies Co. Limited | RU
104.21.32[.]181, 172.67.153[.]52 | myinfoaramapay[.]com | Cloudflare | US
104.21.20[.]29, 172.67.191[.]1 | charterssonidp[.]com | Cloudflare | US