{
  "name": "REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation",
  "slug": "refundee-inside-a-shadow-panel-phishing-as-a-service-operation",
  "description": "An open directory discovered at refundonex[.]com exposed a complete Phishing-as-a-Service and RAT-as-a-Service platform targeting Spanish- and Portuguese-speaking victims. The investigation uncovered 3,788 files, including weaponized LNK, VBS, and AES-encrypted PowerShell payloads delivering a remote access trojan. The platform, called Shadow Panel, operates from Bulgarian infrastructure and offers capabilities including remote shell execution, screenshot capture, file management, browser credential theft, clipboard hijacking for cryptocurrency wallets, and multi-operator support. The C2 panel's frontend JavaScript was publicly accessible, revealing 29 API endpoints and the complete architecture. Infrastructure analysis linked the operation to nikola4010@proton[.]me through WHOIS data and historical malicious domain associations dating back to 2021, indicating a long-running cybercriminal operation with minimal detection coverage.",
  "published": "2026-04-13T15:06:23.731000+00:00",
  "created_at": "2026-04-13T15:48:18.912000+00:00",
  "modified_at": "2026-04-13T13:48:33+00:00",
  "created_at_opencti": "2026-04-13T15:48:18.912000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "bulgarian-infrastructure",
    "cryptocurrency-theft",
    "phishing-as-a-service",
    "powershell",
    "rat-as-a-service",
    "refundee",
    "shadow panel",
    "shadow-panel",
    "spanish-portuguese-targeting",
    "webdav"
  ],
  "tags": [
    "2026-04-13",
    "bulgarian-infrastructure",
    "cryptocurrency theft",
    "phishing-as-a-service",
    "powershell",
    "rat-as-a-service",
    "refundee",
    "shadow panel",
    "spanish-portuguese-targeting",
    "webdav"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "8ee8d056-26b9-41a4-8f3c-9d2e146d4de4",
        "name": "https://winup.su/dashboard.html"
      },
      {
        "id": "598f4d56-f7d5-4d77-84c6-fda088a85841",
        "name": "http://refundonex.com/cloud/"
      },
      {
        "id": "5a162069-fcc1-4ccd-959b-c3914f2f7ced",
        "name": "https://winup.su/api/client/poll/"
      },
      {
        "id": "68fbcc54-9c37-43b7-af49-6b25892e7416",
        "name": "sifr-infso.club"
      },
      {
        "id": "88b8729c-9552-4acf-80da-b601260d2791",
        "name": "e47b9382d9ac1ba3992308d75993b69255b1e4f4fe47c2e2b6cf6a7ec266da73"
      },
      {
        "id": "fc33dd10-4723-429b-b5ed-bdc13439b831",
        "name": "refundonex.com"
      },
      {
        "id": "7d8ec52b-4a33-4e52-9394-d7d185b5596f",
        "name": "a23bd8eab005a0c7759ffa344b55a3e1fd83a871817d51621c97eee0b511b3da"
      },
      {
        "id": "6bf5bb5c-7a1a-457e-9e60-5edc8fcd530c",
        "name": "winup.su"
      },
      {
        "id": "0289d2f6-048e-4e94-803d-8675dd3328fa",
        "name": "87.121.52.71"
      },
      {
        "id": "a38824f2-f2b9-4a5e-8795-1454e63422f8",
        "name": "ee5b302161c9a29defd0a9d3be674e831775099475dbf02d10949e4a4e8ae265"
      },
      {
        "id": "e3a5a876-95ba-4ee2-99b0-a8d7ec0d42c6",
        "name": "hchdko.net"
      },
      {
        "id": "9929437e-0160-4fbf-a583-d74375329564",
        "name": "https://winup.su/"
      },
      {
        "id": "4eb93e95-d707-4983-931d-0bfa3be405e3",
        "name": "https://refundonex.com/admin/"
      },
      {
        "id": "6d5ed3db-8f9a-4c86-a28b-dbcda28c0415",
        "name": "010601e408a090be561e10c23ae17342d8d82ca65b2b280215bb9268bae8381a"
      },
      {
        "id": "c4ee0476-eb38-4f95-8672-375f8729489f",
        "name": "https://refundonex.com/cloud/"
      },
      {
        "id": "111be7bd-d8bc-4ca1-b4e9-9f8307818c72",
        "name": "febystm.net"
      },
      {
        "id": "4c326e1f-06a0-479d-9bb5-3ce06c88c393",
        "name": "carweap.net"
      },
      {
        "id": "28d97697-f3fb-40b8-be6d-c83a876c193e",
        "name": "f74128de852336b27069a677eebbf7e4ee751c294b96b17c1200cbd65a90793d"
      },
      {
        "id": "7bf1aea9-f122-4316-b6d6-d704ff37eb46",
        "name": "inst.refundonex.com"
      },
      {
        "id": "c288bf42-5078-437a-9306-4a3b0ba2ea39",
        "name": "mrchexp.net"
      },
      {
        "id": "91970f1a-6140-4721-bca5-aad9c3bc5cff",
        "name": "nikola4010@proton.me"
      },
      {
        "id": "09207c33-eda0-4eba-b957-06b48c6da5b3",
        "name": "439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965"
      },
      {
        "id": "f1e25d34-a602-46fc-90b5-712b6683a3af",
        "name": "5a011813db8497a4db303c90cb5f1948fcf4fcdd8bbe16c0e029195e6734d4f2"
      },
      {
        "id": "32b88b82-5a75-42bb-a4ea-dcf37ee3fa76",
        "name": "87.121.52.72"
      },
      {
        "id": "08ac9028-a713-4263-9888-0814d3c0e9d2",
        "name": "3a352caa662ec74a150e03ccc637eb347f4a0423f976837637ac1f2484f0d329"
      }
    ],
    "attack_patterns": [
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "f4a450ef-8297-42e5-9e47-01162138baa2",
        "name": "T1115"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "malware": [
      {
        "id": "72131cdd-30b7-4d38-aead-41710141e6c3",
        "name": "Shadow Panel",
        "slug": "shadow-panel"
      },
      {
        "id": "a9d0bf11-eea7-45c4-bda7-3506232bb1aa",
        "name": "REFUNDEE",
        "slug": "refundee"
      }
    ],
    "observables": [
      {
        "id": "b6dab80a-53bb-46e6-88e3-25e52fd515c3",
        "name": "winup.su"
      },
      {
        "id": "9b6d2677-0004-4111-b316-07a26e60a491",
        "name": "refundonex.com"
      },
      {
        "id": "493c85f9-81a6-404e-b91f-e71260635bc2",
        "name": "sifr-infso.club"
      },
      {
        "id": "03dcdc41-1b1a-4da3-849b-6b12e4b8576a",
        "name": "mrchexp.net"
      },
      {
        "id": "f31bb437-5df5-4c7b-80dc-db22f099be1b",
        "name": "carweap.net"
      },
      {
        "id": "1286635b-748f-424d-bfee-de29b7b2f411",
        "name": "hchdko.net"
      },
      {
        "id": "c3d469a5-4c3c-4212-81e0-4a1b437e26dc",
        "name": "febystm.net"
      },
      {
        "id": "c123dcbc-366e-420d-9147-15e0970e5c49",
        "name": "nikola4010@proton.me"
      },
      {
        "id": "54079a04-0364-4965-928b-72971026c2eb",
        "name": "inst.refundonex.com"
      },
      {
        "id": "e4e96984-6a3c-4d6f-ab66-3e91d022d054",
        "name": "87.121.52.72"
      },
      {
        "id": "9379d94a-ba7d-4cd8-bbdf-e8e67b163bd8",
        "name": "87.121.52.71"
      },
      {
        "id": "f9b81a03-d2ad-47f8-a25f-1ea839f393a7",
        "name": "https://refundonex.com/admin/"
      },
      {
        "id": "69c252e4-0237-48ec-8827-20a0b88694df",
        "name": "https://winup.su/"
      },
      {
        "id": "41ee1780-e65e-451b-900c-40f779915961",
        "name": "https://refundonex.com/cloud/"
      },
      {
        "id": "caf2a31b-c6fa-4582-b40a-2ad7135f0182",
        "name": "https://winup.su/dashboard.html"
      },
      {
        "id": "692c436e-e142-4ddd-8222-8ccfffa5ed62",
        "name": "https://winup.su/api/client/poll/"
      },
      {
        "id": "ca87933b-b02c-41dd-8cab-0cfec52f6310",
        "name": "http://refundonex.com/cloud/"
      },
      {
        "id": "",
        "name": "e47b9382d9ac1ba3992308d75993b69255b1e4f4fe47c2e2b6cf6a7ec266da73"
      },
      {
        "id": "",
        "name": "a23bd8eab005a0c7759ffa344b55a3e1fd83a871817d51621c97eee0b511b3da"
      },
      {
        "id": "",
        "name": "ee5b302161c9a29defd0a9d3be674e831775099475dbf02d10949e4a4e8ae265"
      },
      {
        "id": "",
        "name": "010601e408a090be561e10c23ae17342d8d82ca65b2b280215bb9268bae8381a"
      },
      {
        "id": "",
        "name": "f74128de852336b27069a677eebbf7e4ee751c294b96b17c1200cbd65a90793d"
      },
      {
        "id": "",
        "name": "439391f35a6cffcfa1c6cb3e5e8f25ed4055cd10664a7e9ed438dd0fdcda9965"
      },
      {
        "id": "",
        "name": "5a011813db8497a4db303c90cb5f1948fcf4fcdd8bbe16c0e029195e6734d4f2"
      },
      {
        "id": "",
        "name": "3a352caa662ec74a150e03ccc637eb347f4a0423f976837637ac1f2484f0d329"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "sifr-infso.club"
      },
      {
        "id": "",
        "name": "refundonex.com"
      },
      {
        "id": "",
        "name": "winup.su"
      },
      {
        "id": "",
        "name": "hchdko.net"
      },
      {
        "id": "",
        "name": "febystm.net"
      },
      {
        "id": "",
        "name": "carweap.net"
      },
      {
        "id": "",
        "name": "inst.refundonex.com"
      },
      {
        "id": "",
        "name": "mrchexp.net"
      }
    ]
  },
  "external_refs": [
    {
      "id": "f585f871-56c7-46e9-9097-518900f3e53b",
      "standard_id": "external-reference--952afc34-e103-5df1-a35e-4af15b4abbfd",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69dd066f59e22e6d1ee7315b",
      "hash": null,
      "external_id": "69dd066f59e22e6d1ee7315b",
      "created": "2026-04-13T15:48:18.792Z",
      "modified": "2026-04-13T15:48:18.792Z",
      "createdById": null
    },
    {
      "id": "4cc7eab2-4ff6-4187-8153-dfc5d647d911",
      "standard_id": "external-reference--aa731754-9e33-5af6-a6b8-17ffc6a514bc",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://intel.breakglass.tech/post/refundonex-shadow-panel-phaas",
      "hash": null,
      "external_id": null,
      "created": "2026-04-13T15:48:18.833Z",
      "modified": "2026-04-13T15:48:18.833Z",
      "createdById": null
    }
  ]
}