New LogoKit Phishing Campaign Exploits Cloudflare Turnstile and Amazon S3 for Higher Success Rates


Cyble Research and Intelligence Labs (CRIL) recently discovered a highly sophisticated phishing campaign that uses the LogoKit phishing kit, first documented in 2021, to impersonate trusted organizations such as Hungary’s Computer Emergency Response Team (HunCERT).

This ongoing operation targets a diverse range of sectors, including banking and logistics, with a global reach spanning organizations in Hungary, Papua New Guinea, the United States, and Saudi Arabia.

Sophisticated Tactics Target Global Entities

The campaign’s technical prowess lies in its use of legitimate cloud infrastructure and advanced deception techniques to maximize credential harvesting success.

By hosting phishing pages on Amazon Web Services (AWS) S3 buckets, attackers exploit the inherent trust associated with such platforms to remain undetected while enhancing the credibility of their malicious sites.

Additionally, the integration of Cloudflare Turnstile, a CAPTCHA alternative, creates a false sense of security, convincing victims of the site’s legitimacy and significantly increasing the likelihood of credential submission.

At the core of this campaign is the strategic design of phishing pages that closely mimic legitimate login portals, complete with prefilled email addresses of targeted organizations to bolster authenticity.

Phishing page targeting HunCERT

For instance, URLs identified by CRIL, such as those hosted on flyplabtk[.]s3.us-east-2.amazonaws.com, display HunCERT email addresses in the username field to deceive users into entering their passwords.

Persistent Threats

The LogoKit framework further streamlines the attack by automating logo retrieval through APIs like Clearbit and Google S2 Favicon, dynamically pulling branding elements based on the victim’s email domain.

This eliminates the need for manual customization, making the campaign scalable and adaptable across multiple targets.
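A defender-side detection sketch, added here as an example and not part of Cyble’s report or the LogoKit code itself: it scans proxy-log lines for the two traits described above, a page on abused cloud hosting (S3 buckets, onrender.com) that carries a victim email address in its URL, and a Clearbit or Google S2 favicon lookup for that same domain from the same client shortly after, which is the kit pulling branding for the prefilled address. The log format, bucket name, client IPs and email addresses in the sample are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Hosting the report says the campaign abused (S3 buckets, onrender.com) and the logo
# APIs LogoKit calls (Clearbit, Google S2 favicon). Log lines and addresses are constructed.
CLOUD_HOST_RE = re.compile(r"(\.s3(\.[a-z0-9-]+)?\.amazonaws\.com|\.onrender\.com)$")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def classify_url(url):
    """Return (signal, domain) for one URL, or None if nothing LogoKit-like is seen."""
    parsed = urlparse(url.replace("hxxp", "http").replace("[.]", "."))  # refang IOC notation
    host, path = (parsed.hostname or "").lower(), parsed.path
    # Logo lookups reveal which brand the kit is impersonating for this victim
    if host == "logo.clearbit.com" and path.strip("/"):
        return ("logo_api_lookup", path.strip("/").lower())
    if host == "www.google.com" and path == "/s2/favicons":
        target = parse_qs(parsed.query).get("domain")
        return ("logo_api_lookup", target[0].lower()) if target else None
    if CLOUD_HOST_RE.search(host):
        # LogoKit pages carry the victim's address in the path, query or fragment
        m = EMAIL_RE.search(unquote(f"{path}?{parsed.query}#{parsed.fragment}"))
        if m:
            return ("cloud_hosted_page_with_prefilled_email", m.group(1).lower())
    return None

def scan_log(lines):
    """Per client, a prefilled-email page followed by a logo lookup for the same
    domain is the LogoKit branding sequence and is reported as high severity."""
    findings, last_domain = [], {}
    for line in lines:
        ts, client, url = line.split(maxsplit=2)
        hit = classify_url(url)
        if not hit:
            continue
        signal, domain = hit
        if signal == "logo_api_lookup":
            severity = "high" if last_domain.get(client) == domain else "low"
        else:
            severity, last_domain[client] = "medium", domain
        findings.append({"ts": ts, "client": client, "signal": signal,
                         "domain": domain, "severity": severity})
    return findings

# Constructed sample proxy log lines: "<timestamp> <client_ip> <url>"
SAMPLE_LOG = [
    "2025-07-10T09:12:01Z 10.0.0.5 hxxps://samplebucket[.]s3.us-east-2.amazonaws.com/login.html#analyst@example.org",
    "2025-07-10T09:12:02Z 10.0.0.5 https://logo.clearbit.com/example.org",
    "2025-07-10T09:12:40Z 10.0.0.7 https://www.google.com/s2/favicons?domain=corp.example.net",
    "2025-07-10T09:13:00Z 10.0.0.9 https://docs.example.com/login?next=/home",
]
```

A lone logo-API request is only a low-severity hint, since legitimate sites use the same services; the escalation comes from correlating it with the preceding cloud-hosted page whose URL already named the victim.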

Moreover, harvested credentials are funneled to a command-and-control (C&C) domain, mettcoint[.]com, which was registered in October 2024 and remains active with zero detections on VirusTotal as of July 2025, underscoring its stealthy operation.

Open directory paths on this domain revealed additional phishing pages impersonating services like WeTransfer, alongside evidence of attacks on entities such as Kina Bank in Papua New Guinea and logistics firms in Saudi Arabia.

A fake error message displayed after submission, “Error Submitting form. Please try again”, further delays suspicion, giving attackers ample time to exploit the stolen data.

Fake error message

The persistence of this campaign, combined with its undetected status, highlights the evolving sophistication of phishing tactics and the urgent need for proactive cybersecurity measures like brand intelligence solutions (e.g., Cyble Vision), multi-factor authentication (MFA), and employee awareness training to combat such threats.

Indicators of Compromise (IOCs)

Indicator | Indicator Type | Description
flyplabtk[.]s3.us-east-2.amazonaws.com/…/he-opas.html | URL | Phishing URL
hxxps://chyplast[.]onrender.com/clastk-chy.html | URL | Phishing URL
jstplastoss-bk.s3[.]us-east-2.amazonaws.com/…/auth-he-opas.html | URL | Phishing URL
ecowhizz.co[.]za/ecowhizz.co.zaza/[email protected] | URL | Phishing URL
mettcoint[.]com | URL | C&C
