
REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation

Published 13/04/2026 17:06 · Modified 13/04/2026 15:48


Essential information

Published
13/04/2026 17:06
Modified
13/04/2026 15:48
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
bulgarian-infrastructure cryptocurrency-theft phishing-as-a-service powershell rat-as-a-service refundee shadow panel shadow-panel spanish-portuguese-targeting webdav
Tags
2026-04-13 bulgarian-infrastructure cryptocurrency theft phishing-as-a-service powershell rat-as-a-service refundee shadow panel spanish-portuguese-targeting webdav
Related entities
25 indicators, 25 observables, 20 techniques (mitre), 2 malware, 8 others

Description

An open directory discovered at refundonex[.]com exposed a complete Phishing-as-a-Service and RAT-as-a-Service platform targeting Spanish- and Portuguese-speaking victims. The investigation uncovered 3,788 files, including weaponized LNK and VBS files and AES-encrypted payloads that deliver a remote access trojan. The platform, called Shadow Panel, operates from Bulgarian infrastructure and offers remote shell execution, screenshot capture, file management, browser credential theft, clipboard hijacking aimed at cryptocurrency wallets, and multi-operator support. The C2 panel's frontend JavaScript was publicly accessible, revealing 29 API endpoints and the complete architecture. Infrastructure analysis linked the operation to nikola4010@proton[.]me through WHOIS data and historical malicious domain associations dating back to 2021, indicating a long-running cybercriminal operation with minimal detection coverage.

External references