Automated Phishing Kit Impersonates Aruba S.p.A. for Credential and Payment Theft
Researchers have identified a sophisticated phishing kit that impersonates the Italian IT and web services provider Aruba S.p.A. to steal user credentials and credit card information. The kit is designed to mimic the official Aruba webmail login portal, using spear-phishing emails that create a sense of urgency—such as warnings about expiring services or failed payments—to lure victims into entering their credentials. The phishing infrastructure is fully automated, employing features like CAPTCHA filtering to evade security scans, pre-filled victim data to increase credibility, and Telegram bots for exfiltrating stolen information.
This campaign exemplifies the growing trend of phishing-as-a-service, where attackers leverage industrialized, automated platforms to conduct large-scale credential theft with minimal technical skill. The kit's architecture and use of Telegram for data exfiltration highlight how phishing operations are increasingly mirroring legitimate SaaS business models, enabling sustained and efficient attacks against a wide range of targets, particularly those using Aruba's services.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Additional reporting highlights broader targeting of Italian entities
Follow-up reporting described the same phishing kit as a new threat aimed at Italian organizations, reinforcing that the operation was active and using automated phishing infrastructure. This appears to be additional coverage of the same campaign rather than a separate incident.
Researchers identify phishing kit impersonating Aruba S.p.A.
Security researchers uncovered a phishing-as-a-service kit designed to mimic Aruba S.p.A. login and payment pages in order to steal user credentials and credit card data. The campaign was reported as targeting Italian entities and users.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Leveraging Pre-Filled Login Pages and Telegram for Credential Theft
Researchers have identified sophisticated phishing campaigns targeting users of major web hosting and email services, employing advanced techniques to steal credentials and payment information. In one case, customers of Aruba S.p.A., a leading Italian web hosting provider, were targeted with phishing emails that mimicked official notifications about expiring services or failed payments. Victims were directed to fake login and payment pages, where their email addresses were pre-filled to enhance credibility. The phishing kit used in this campaign incorporated CAPTCHA filtering to evade detection and utilized Telegram bots for real-time exfiltration of stolen credentials and credit card details. A parallel campaign has been observed where users receive fake spam filter alerts, claiming that important emails have been blocked due to a supposed system upgrade. These emails, appearing to originate from the recipient's own domain, prompt users to log in via a link to a spoofed webmail page, again with pre-filled email addresses. The phishing sites employ tactics such as repeated invalid login prompts to harvest passwords and use obfuscated code and websockets for instant credential theft. In both campaigns, Telegram is used as the primary channel for attackers to receive stolen data, highlighting a trend in the use of messaging platforms for cybercriminal coordination and data exfiltration.
Mar 21, 2026
Sophisticated Phishing Campaigns Leveraging Advanced Kits and Evasion Techniques
Cybercriminals are increasingly utilizing advanced Phishing-as-a-Service (PhaaS) kits to conduct large-scale, targeted phishing campaigns that impersonate trusted brands and institutions. These kits, which have doubled in number over the past year, enable even less-skilled attackers to deploy sophisticated attacks at scale by incorporating features such as URL obfuscation, MFA bypass, CAPTCHA abuse, and the use of malicious QR codes and attachments. Threat analysts have observed a surge in new PhaaS entrants, including Cephas, Whisper 2FA, and GhostFrame, alongside established kits like Tycoon 2FA and Mamba 2FA. Attackers are also leveraging AI, social engineering, and polymorphic techniques to evade detection, making it increasingly difficult for organizations to defend against these threats with static security controls alone. Technical analysis reveals that phishing infrastructure is evolving to include fake verification pages, such as counterfeit Cloudflare Turnstile challenges, which act as intelligent traffic filtering gates. These pages use browser fingerprinting, geolocation, and proxy detection to selectively deliver malicious payloads to high-confidence victims while evading security researchers and automated defenses. The fake verification pages closely mimic legitimate branding and user experience, including fabricated Ray IDs and links to real policy documents, to build trust and bypass scrutiny. Security experts recommend adopting layered defenses, including phishing-resistant MFA, continuous monitoring, and integrated email security, to counter these increasingly sophisticated phishing operations.
Mar 21, 2026
Phishing Campaigns Using Advanced Kits Targeting Universities and Banks
Threat actors have launched a sophisticated phishing campaign targeting U.S. universities by leveraging the open-source Evilginx framework. At least 18 educational institutions have been affected since April 2025, with attackers using personalized emails containing TinyURL links that redirect to dynamically generated phishing pages. These pages closely mimic student single sign-on portals and employ advanced evasion techniques, such as expiring URLs, wildcard TLS certificates, bot filtering, and JavaScript obfuscation, making detection and mitigation increasingly difficult. The campaign demonstrates the growing accessibility of advanced phishing tools, enabling even unskilled actors to bypass multi-factor authentication and compromise sensitive credentials. Simultaneously, a new phishing kit called Spiderman has emerged on the dark web, targeting customers of major European banks and cryptocurrency platforms. This full-stack kit allows attackers to easily clone login pages for dozens of financial institutions and conduct real-time credential theft across multiple countries. With a large user community and features that facilitate immediate data exfiltration and hybrid fraud operations, Spiderman represents a significant escalation in the scale and efficiency of phishing threats facing the financial sector. Both campaigns highlight the evolving landscape of phishing, where sophisticated toolkits are lowering the barrier to entry for cybercriminals and increasing the risk to organizations worldwide.
Mar 21, 2026