CodeStorm – A Microsoft 365 AiTM Phishing Kit with Storm-1167 Overlap

Executive Summary

Hexastrike has identified an ongoing adversary-in-the-middle (AiTM) phishing campaign targeting Microsoft 365 users that leverages a previously undocumented phishing kit, tracked by Hexastrike as CodeStorm. Analysis of the recovered server-side kit source code and associated deployment infrastructure indicates with moderate confidence that CodeStorm overlaps with infrastructure patterns previously associated with activity Microsoft tracks as Storm-1167. Based on direct code-level comparison conducted by Hexastrike, CodeStorm appears to be a distinct kit family separate from previously documented phishing frameworks such as the W3LL phishing kit, Sneaky 2FA (Sekoia, 2024) and Whisper 2FA (Barracuda, 2025). Stable code-level design patterns observed across multiple kit iterations are consistent with a single operator or tightly controlled developer group maintaining the tooling over time.

The threat actor leverages compromised Microsoft 365 accounts and tenants to facilitate phishing operations and infrastructure staging. Hexastrike has identified at least 400 attacker-controlled apex domains supporting approximately 12,000 subdomains used to scale operations. Initial campaign waves use broadly themed generic subdomains to capture opportunistic victims, followed by rapid pivoting to brand-specific subdomains aligned with named victim organizations for targeted spear-phishing. Within Hexastrike’s incident response telemetry, more than 100 confirmed tenant compromises have been linked to CodeStorm activity, providing direct evidence of post-authentication operator tradecraft analyzed in this report.

Phishing lures include PDF attachments and tailored HTML email attachments, frequently delivered via legitimate third-party platforms used as middle-stage redirectors. Observed compromises concentrate in Western Europe and North America, with substantially lower representation across the Asia-Pacific region.

CodeStorm incorporates multiple anti-analysis and anti-detection mechanisms to hinder security inspection and automated analysis. These include suppression of browser developer tools through right-click and keyboard shortcut handlers, persistent debugger detection loops, gating of user access through Cloudflare Turnstile challenges, and conditional session termination upon detection of analyst tools. The second-stage credential-harvesting JavaScript is hosted on Tencent Cloud Object Storage, consistent with infrastructure patterns previously associated with Storm-1167 activity.

Hexastrike assesses that the campaign has been active since at least January 2025 and remains ongoing. Real-time modifications to phishing infrastructure observed during the investigation indicate active operator management and continued investment in evasion and scalability.

Key Findings

• CodeStorm is a previously undocumented Microsoft 365 AiTM phishing kit used to capture credentials, intercept MFA, and obtain authenticated session material.
• Hexastrike assesses with moderate confidence that CodeStorm overlaps with activity Microsoft tracks as Storm-1167, based on Tencent cloud usage, Indonesian-language code artifacts, and aligned post-compromise tradecraft.
• The campaign has been active since at least January 2025 and remains ongoing, with evidence of real-time operator management and infrastructure changes.
• Hexastrike identified at least 400 attacker-controlled apex domains supporting approximately 12,000 subdomains, including generic Microsoft-themed lures and brand-specific subdomains targeting named organizations.
• More than 100 confirmed Microsoft 365 tenant compromises were linked to CodeStorm activity in Hexastrike incident response telemetry.
• Approximately 600 organizations were identified as targets through brand-specific lure infrastructure, concentrated primarily in North America and Western Europe.
• Delivery chains used compromised Microsoft 365 accounts, PDF and HTML lures, trusted SaaS redirectors, SharePoint-hosted content, QR codes, and link shorteners.
• CodeStorm uses Cloudflare Turnstile gating, JavaScript obfuscation, Tencent COS-hosted second-stage payloads, browser anti-analysis checks, and developer-tool suppression.
• Post-compromise activity included token reuse, mailbox rule creation, SharePoint reconnaissance, and onward phishing from compromised accounts.

Targeting and Victimology

Hexastrike’s view of CodeStorm targeting is built from two complementary data sources that we treat separately throughout this section.

The first is direct incident response telemetry. Across our IR engagements over the past 16 months (January 2025 through April 2026), we have forensically confirmed more than 100 tenant compromises linked to CodeStorm activity. For these cases, we have observed evidence of successful credential theft, attacker token reuse, or post-authentication operator activity within the affected tenant. This cohort forms the basis for the post-compromise tradecraft analysis presented later in this report.

The second data source is the operator-controlled lure subdomain pool. By mapping brand-specific subdomains back to the organizations they were tailored to impersonate, we attributed approximately 600 organizations as identified targets with high naming confidence. Where the candidate organization was uncertain or where the subdomain was generic and non-identifying, we excluded it from this set. We emphasize that targeting and compromise are distinct outcomes. The presence of a brand-specific subdomain demonstrates operator intent to phish a given organization, but does not by itself prove successful credential theft, token reuse, or tenant compromise.

The geographic distribution of identified targets shows a clear concentration in North America and Europe. The United States is the largest single jurisdiction, with France, the United Kingdom, Italy, Germany, and the Netherlands as the most-affected European jurisdictions. Identified targets in Asia, Africa, South America, and Australia confirm the campaign’s reach extends beyond its core targeting region, but these regions together account for a small fraction of the total.

The industry distribution of identified targets shows no clear concentration. Manufacturing, construction and real estate, and healthcare and pharma together account for roughly 30 percent of identified targets. The remaining share is spread thinly across more than ten additional sectors including financial services, technology and telecom, government and public, retail and distribution, energy, legal, education, and transport. The absence of a primary industry focus is consistent with opportunistic targeting where operators pursue whichever organization the next set of stolen credentials enables them to phish.

Infection Chain

Initial Access and Delivery

CodeStorm campaigns are consistently initiated via email-based delivery. Across the intrusions Hexastrike has investigated, operators used multiple campaign strains and lure formats, though observed activity clustered around a limited set of business themes. Invoicing and human resources lures were the most common, with subject lines and document content tailored to appear consistent with routine enterprise workflows.

Hexastrike observed three distinct delivery methods across CodeStorm campaigns.

The first method is direct linking to phishing infrastructure. Emails contained links pointing directly to attacker-controlled domains hosting CodeStorm credential-harvesting pages, with no intermediate stage between the email and the phishing destination.

The second method is redirection through legitimate third-party platforms. Emails directed victims to PDF lures hosted on legitimate platforms before redirecting to CodeStorm phishing infrastructure. Hexastrike observed this pattern across SharePoint, Microsoft Sway, allo.io, youengage.me, mixpanel.com, and gamma.app. The use of these platforms provided an additional layer in the delivery chain and increased the apparent legitimacy of the lure, since the first domain the victim encounters is well known and trusted. The abuse pattern across these platforms, whether via attacker-created accounts or compromised legitimate accounts, was not consistently determinable from Hexastrike’s telemetry.

The hosted PDF lures were frequently branded to match the targeted organization, including logos, color schemes, and plausible sender details. The documents contained embedded links that redirected victims to CodeStorm credential-harvesting pages.

The third method is HTML attachments delivered directly to inboxes. Operators sent credential-harvesting HTML attachments directly to victim inboxes. These attachments rendered phishing content when opened locally and were observed alongside the link-based delivery chains rather than replacing them. The coexistence of all three methods within the same operator infrastructure indicates CodeStorm operators rotate delivery tradecraft across campaigns rather than relying on a single initial access path.

Observed PDF lure themes included fake DocuSign signing requests, invoice notifications, OneDrive for Business sharing prompts, and human resources content. A subset of the PDFs used gated document patterns, displaying deliberately blurred content before prompting the victim to authenticate in order to view the full document.

Hexastrike also observed QR codes in a subset of lures, replacing embedded links and shifting the credential-harvesting flow onto a mobile device. This shift takes the subsequent authentication out of the visibility of corporate email gateways and endpoint detection controls, both of which are typically scoped to managed endpoints rather than personal mobile devices.

Link-shortening services were present in some CodeStorm delivery chains as additional middleware between the email and the final phishing destination. These services introduced further redirect steps and complicated reconstruction of the full delivery path during investigation.

PDF Metadata Analysis

Hexastrike reviewed metadata across PDF lures used in CodeStorm delivery chains. Multiple samples contained stripped or reduced author fields, limiting visibility into the user account or system that generated the document. Despite this metadata hygiene, several files retained recurring identifiers across otherwise distinct lures.

Recurring values included XMP MM Document ID c861fe4a-1dba-004e-883f-9a0be1a0af8b, XMP MM identifier 2565A930-FF27-4054-971A-C72E62DCEAF4, and PDF trailer ID values 2D728B14A9B308429EACADEA8D70EF32 and 7F013322168C589BBD87F4A2244D810E. The recurrence of these values across separate PDF lures may indicate shared tooling, a common generation workflow, or reuse of a document template.

The same corpus contained inconsistent creator and producer metadata. Observed values included WPS Writer, Microsoft Word, Microsoft Word for Microsoft 365, dompdf 2.0.0 with CPDF, wkhtmltopdf 0.12.6, Qt 5.15.13, Canva, and Skia PDF m141. Considered alongside the recurring document identifiers and stripped author fields, this variation is consistent with an automated pipeline that modifies visible creator and producer values while reusing underlying templates or generation components.

Hexastrike cannot determine with confidence whether this pipeline is part of a commercially available phishing kit, a private toolset, or tooling operated by a single actor. The recurring identifiers alone are not sufficient to attribute the activity to one operator. However, when combined with additional indicators described later in this report, these overlaps may support an assessment of shared operational control or common tooling across the observed CodeStorm campaigns.

Lure Infrastructure

CodeStorm operators used previously compromised Microsoft 365 mailboxes to send phishing emails. Messages originated from legitimate tenants and, in multiple Hexastrike investigations, from accounts with prior correspondence with the recipient organization. This allowed messages to arrive from known business partners or internal users while preserving normal email authentication results.

After gaining mailbox access, operators sent phishing messages to other recipients within the same tenant and to external contacts harvested from the compromised user’s Outlook address book. In some cases, the same access was used to host lure documents in the compromised user’s SharePoint environment. These SharePoint-hosted documents then linked to operator-controlled credential-harvesting pages.

Hexastrike mapped CodeStorm lure infrastructure across at least 400 apex domains. We assess with high confidence that operators organized this infrastructure into three primary subdomain classes.

Lure class	URL pattern	Purpose
Harvester subdomains	<random>.<apex>/google.php	Credential-harvesting endpoint
Brand and tenant impersonation	<brand>.<apex>/<random>	Target-aligned naming for organization-specific lures
Generic decoy domains	office.<apex>/<random>, sharepoint.<apex>/<random>	Generic Microsoft-themed entry points

The generic decoy class did not follow a single naming convention. Microsoft-themed examples included microsoftlog, microsoftoffice, microsoftoffices, and microsoftonedrive. Other recurring themes included office, login, doc, share, admin, secure, outlook, onedrive, auth, sec, and cloud.

Operators also used misspellings and character substitution, including verfied, portfollio, 0ff1ce, and 0nedrlve. Several subdomains combined multiple trust signals in a single label, including secureddoc, office365onedrivestatement, and share0nedrlve0nlined0cument.

Kit Architecture: PHP Backend, Obfuscation, and Anti-Analysis

Hexastrike recovered a PHP file from a public malware repository that we assess to be a CodeStorm server-side render component. The file, named index-crypto-2.php (SHA-256 6bea63d580071f34e8e9a3267fb0aefbc1c0d678b90c5c24e1d40f7f9abf62a2, 24,113 bytes), produces lure page responses consistent with those observed across the operator pool. It handles both the initial GET request from the victim and the POST callback from the Cloudflare Turnstile challenge, generates the encrypted client-side payload, and embeds the per-render configuration that ties each deployment to its operator. Hexastrike could not directly verify that this file is the exact source running in production. However, the behaviors observed across captured live lure pages match the rendering logic in the recovered file at every comparison point examined, supporting high confidence that this file represents a production render component or a near-identical revision.

The remainder of this section walks through the URL surface presented to the victim, the credential-harvesting flow gated by Cloudflare Turnstile, the obfuscation layers applied to the served JavaScript, and the anti-analysis defenses embedded in the runtime payload.

URL Surface and Apex Behavior

Observed CodeStorm deployments served lure UI content from <sub>.<apex>/<5-character-token> and accepted credential submissions at <sub>.<apex>/google.php. The five-character path token was drawn from [A-Za-z0-9]{5} and reused the same alphabet as the in-page DOM anchor IDs, consistent with a single operator-side token generator driving both URL routing and page rendering.

When the random path was omitted, apex hosts returned content unrelated to the kit. Most returned the default AlmaLinux Apache test page served through Cloudflare in front of a default httpd backend. A subset returned a Cloudflare error 1020 (“Access denied”) response. A small number returned the Turnstile widget as a cold gate that failed to mount because the required kit session context was absent. None of these responses exposed kit content, meaning apex-level probing did not surface the phishing infrastructure during Hexastrike’s analysis.

Turnstile Gating

Observed CodeStorm deployments gated lure pages behind a Cloudflare Turnstile challenge before any credential-harvesting logic was delivered to the victim. On first request, the victim sees a blank page with a centered Turnstile widget and a randomized status message rendered below it. Until the challenge is solved, no credential UI, no Microsoft branding, and no harvesting logic is present in the rendered HTML.

The Cloudflare Turnstile sitekey and secret are declared as variables at the top of index-crypto-2.php ($cf_sitekey and $cf_secret). Observed deployments used operator-specific Turnstile credentials, meaning the sitekey observed on a given lure subdomain can serve as a per-operator identifier rather than a kit-wide constant. Sitekey values recur across distinct subdomains belonging to the same operator and provide a reliable pivot for enumerating additional operator infrastructure.

The PHP source declares two string arrays that drive the gate’s surface presentation. The first, $checkings, contains 30 English browser security check status messages such as variations on “Verifying secure browsing” and “Browser running safety protocols”. The kit selects one at random per render and displays it beneath the Turnstile widget as decoy status text. The second, $titles, contains 97 generic technology-themed keywords ranging from node and firewall to kubernetes and metadata, used to randomize the page’s HTML <title> element on every render.

Page Rendering and Obfuscation

After a successful Turnstile challenge, CodeStorm renders a fake Outlook login interface. The page displays an Outlook loading animation during the transition while client-side harvesting logic initializes.

Captured lure pages did not expose credential-harvesting logic in cleartext HTML. Instead, the served page contains an encrypted JavaScript payload and a runtime decoder. Hexastrike observed two obfuscation variants across active deployments. The earlier variant uses a custom encoding scheme that combines a linear congruential generator (LCG) with Caesar shift and XOR operations before decoding the payload in the browser. The newer variant uses an AES-256-CBC envelope with CryptoJS, replacing the hand-rolled cipher chain with a standard symmetric primitive.

Both variants reconstruct key JavaScript primitives at runtime, reducing the number of high-value strings visible in the served HTML. This reduces the utility of simple static detections based on substrings such as eval or atob in page source, though deobfuscated payload content remains available to dynamic analysis. After decoding, the payload loads the second-stage JavaScript from Tencent Cloud Object Storage and enables the anti-analysis controls described below. The Tencent COS stage and credential-harvesting flow are covered in the next section.

Anti-Analysis Defenses

CodeStorm lure pages include browser and analyst checks designed to disrupt manual review and automated detonation.

The runtime payload checks for automation and inspection indicators including navigator.webdriver, window.callPhantom, window._phantom, and user-agent strings containing Burp. If any condition matches, the page redirects to about:blank before the phishing interface renders. Because Burp Suite does not modify the user-agent by default, the Burp user-agent check is a low-fidelity tripwire most likely to catch analysts who have explicitly configured a Burp-identifying UA.

The kit also blocks common browser inspection actions. A keyboard handler intercepts shortcuts used to open developer tools or view source, including F12, Ctrl+U, Ctrl+Shift+I, Ctrl+Shift+J, Ctrl+Shift+C, Ctrl+Shift+K, Ctrl+H, and macOS equivalents including Cmd+Alt+I, Cmd+Alt+C, and Cmd+U. A context menu handler suppresses right-click access to browser inspection options.

CodeStorm also implements a debugger watchdog. A recurring timer invokes a debugger statement and measures execution delay with performance.now(). If the delay indicates that execution was paused, the kit redirects the session to a Microsoft-hosted Outlook URL. This removes the analyst from the kit context and may cause subsequent traffic to resemble normal Microsoft authentication activity.

AiTM Proxy and Credential-Harvesting Flow

Once the Turnstile gate is solved, the rendered lure transitions from the static obfuscated shell described in the previous section into a live adversary-in-the-middle proxy session. The transition is driven by client-side JavaScript loaded from Tencent COS, separating stage-two payload delivery from the lure host and allowing operators to rotate delivery infrastructure independently from harvester endpoints.

Stage-Two Delivery via Tencent Cloud Object Storage

After the Turnstile callback succeeds, the kit injects three external scripts into the rendered page: jQuery and Bootstrap from public CDNs, which serve as legitimate functional dependencies, and a third operator-controlled script that contains the harvesting logic.

In production, the third script resolves to a Tencent Cloud Object Storage (COS) URL in the ap-seoul region. Tencent COS is Tencent Cloud’s S3-compatible object storage service, and the myqcloud.com domain is the default hostname under which COS buckets are published when no custom domain is configured. The use of myqcloud.com for offensive payload hosting has previously been associated with Storm-1167 activity, and is one of the indicators supporting Hexastrike’s infrastructure overlap assessment. Across captured live lure sessions, Hexastrike observed stage-two delivery from the following bucket hostnames:

*-1388504898.cos.ap-seoul.myqcloud.com
*-1417693617.cos.ap-seoul.myqcloud.com
*-1317754460.cos.ap-seoul.myqcloud.com
*-1323985617.cos.ap-seoul.myqcloud.com

The numeric suffixes are Tencent Cloud account identifiers (APPIDs) and are tied to the underlying tenant rather than to a specific bucket name. The use of multiple APPIDs provides resilience against takedowns affecting a single Tencent Cloud account.

Stage-Two Payload and Per-Operator Harvester

The file delivered from Tencent COS is named bootstrap.min.js, a deliberate naming choice intended to blend with the legitimate Bootstrap library loaded earlier in the same script array. The file is unrelated to Bootstrap. It contains the kit’s full client-side credential-harvesting and MFA interception logic, applied through several layers of obfuscation including identifier mangling, control-flow flattening, and string array rotation.

In observed copies of bootstrap.min.js, the first executable statement was a single base64-encoded string variable that decoded to the operator’s PHP harvester URL. This single value was the per-operator differentiator across an otherwise identical payload. The same harvesting code was deployed across operators, with only the harvester URL varying between deployments. Decoded values observed by Hexastrike include for example https://fqgpm.stooping.com.de/google.php, confirming that the apex <sub>.<apex>/google.php endpoint serves as the back-channel for stage-two traffic rather than as a victim-facing URL. While /google.php was the dominant harvester path in the observed corpus, Hexastrike also observed a smaller number of deployments using alternate paths such as /next.php.

Real-Time Authentication Proxying

Once loaded, observed bootstrap.min.js samples replaced the document body with a fake Microsoft 365 login interface and proxied authentication state between the victim and Microsoft’s real authentication endpoints in real time. The proxy initiates a live session against login.microsoftonline.com using the victim’s submitted email, retrieves the tenant’s branding configuration from Microsoft’s own aadcdn.msftauth.net and logincdn.msftauth.net endpoints, and renders a tenant-specific branded login experience. By the time the victim sees the password field, the AiTM proxy has already opened a live session against the victim’s real tenant and primed itself to forward the password and any subsequent MFA artifacts in real time.

The kit also issues a pre-render handshake to the harvester before any UI is presented. The harvester response can instruct the kit to redirect the session away from the lure, giving operators a real-time kill switch over individual victim sessions before any credentials are captured.

MFA Interception

Observed CodeStorm stage-two payloads implemented multi-method MFA interception through three branch handlers, each corresponding to a distinct Microsoft Entra ID MFA challenge type. The dispatch logic inspects the MFA method advertised by Microsoft on the live session and routes the victim into the corresponding UI:

• An authenticator one-time passcode entry screen (“Verify your identity”) consistent with Microsoft Authenticator OTP challenges.
• An approval screen (“Approve sign in request”) consistent with Microsoft Authenticator push notification approval, including the two-digit number-matching challenge introduced by Microsoft in 2023.
• A generic code entry screen (“Enter code”) used for SMS-delivered codes, voice-call codes, and email OTPs.

Internal challenge type tokens preserved in the payload include PhoneAppOTP, PhoneAppNotification, and OneTimeCode. The presence of these handlers indicates the kit is designed to handle the MFA methods commonly encountered across Microsoft 365 tenants, including those configured through partner identity providers federated into Entra ID.

When the victim submits an MFA artifact, it is exfiltrated to the harvester together with the previously captured email and password and replayed in near real time against the live AiTM session. On successful replay, the operator obtains authenticated Microsoft 365 session material, including session cookies and tokens issued during the web authentication flow. The post-authentication tradecraft observed across confirmed CodeStorm compromises, including token reuse patterns, mailbox rule creation, and persistence establishment, is analyzed in the next section.

Session Hijacking and Post-Compromise Activity

Hexastrike’s engagements most often surfaced CodeStorm compromises through identity-side detections: impossible travel, sign-ins from non-compliant devices or unusual countries, Entra ID risky-user signals, and new inbox rule alerts.

Within seconds of credential and MFA capture, operators consistently created an Outlook inbox rule named LinkedIn that moved messages from the phishing sender into RSS Feeds and marked them read, suppressing replies and security alerts from the user’s view.

Most sessions then remained dormant. In a subset of cases, operators conducted keyword-driven reconnaissance against SharePoint (payment, credentials) and propagated phishing further by sharing OneNote notebooks containing CodeStorm lure links with internal and external contacts. Observed UAL operations across these stages included New-InboxRule, Set-InboxRule, MailItemsAccessed, FileAccessed, AttachmentAccessed and Send.

Attribution

Hexastrike assesses with moderate confidence that CodeStorm represents activity within the cluster Microsoft tracks as Storm-1167. Microsoft’s 2023 reporting on Storm-1167 named two distinctive infrastructure indicators: phishing-page hosting on Tencent cloud infrastructure and AiTM phishing infrastructure located on Indonesian IP addresses. CodeStorm uses Tencent Cloud Object Storage in the ap-seoul region for second-stage payload delivery, and the recovered server-side render component contains Indonesian-language code artifacts that are independent of the Tencent indicator.

Behavioral tradecraft observed across confirmed CodeStorm compromises, including abuse of trusted vendor or partner accounts, AiTM credential and MFA capture, session-cookie theft and replay, mailbox-rule persistence, and onward phishing from compromised accounts, aligns with the operational model Microsoft documented for the 2023 Storm-1167 campaign.

Hexastrike does not assess CodeStorm to be a copy or fork of any other publicly documented Microsoft 365 AiTM kit, and does not name an individual operator. The remainder of this section presents the supporting evidence and addresses the principal alternative hypothesis.

Phishing Kit Family Lineage

Hexastrike compared CodeStorm against four publicly documented Microsoft 365 AiTM kits with overlapping market positioning: W3LL Panel, Sneaky 2FA, FlowerStorm, and Whisper 2FA. The comparison covered server-side render logic, lure-page obfuscation, second-stage delivery model, harvester URL structure, MFA branch handling, and operator deployment pattern. No comparison surfaced code-level overlap sufficient to merge CodeStorm into an existing family.

W3LL Panel, documented by Group-IB in 2023, is one of the most established Microsoft 365 AiTM kits associated with BEC-focused phishing operations. Group-IB reported that W3LL operated the W3LL Store marketplace, supported a customer base of more than 500 cybercriminals, and sold W3LL Panel, also known as OV6, to compromise Microsoft 365 accounts and bypass MFA. Group-IB further reported that the actor behind W3LL participated in Indonesian-speaking hacking communities. In 2026, the FBI reported a joint disruption with Indonesian authorities against the W3LL phishing network, including the seizure of supporting infrastructure and the apprehension of an alleged developer.

Sekoia subsequently reported that Sneaky 2FA reused source code from W3LL Panel OV6 and retained a hardcoded reference to the w3ll[.]store domain in code responsible for Microsoft 365 authentication. Sekoia also reported that Sneaky 2FA was distributed through the Sneaky Log PhaaS model, with customers receiving licensed obfuscated source code and deploying phishing pages independently on compromised infrastructure, WordPress sites, and attacker-controlled domains. CodeStorm’s index-crypto-2.php does not contain the W3LL strings or structural artifacts that anchor Sekoia’s Sneaky-2FA-to-W3LL assessment, and Hexastrike’s comparison did not surface the OV6 source patterns Sekoia documented.

FlowerStorm and Whisper 2FA are separable from CodeStorm on technical grounds. Sophos reported FlowerStorm in late 2024 as a successor to Rockstar2FA with shared ancestry to the Tycoon/Rockstar lineage, including standardized use of next.php as the harvester filename. CodeStorm includes next.php as a minor harvester-path variant, but the dominant CodeStorm path is /google.php, and CodeStorm’s tokenized lure scheme drawn from [A-Za-z0-9]{5} and Tencent COS second-stage delivery model are not present in the FlowerStorm or Rockstar2FA corpora documented by Sophos. Barracuda reported Whisper 2FA in October 2025 as a Microsoft 365 credential-theft and MFA-token phishing kit with continuous AJAX-based exfiltration loops to a single C2 endpoint and multilayered Base64 and XOR encoding. CodeStorm overlaps with Whisper 2FA at the tradecraft level, including Microsoft 365 targeting and real-time MFA capture, but CodeStorm’s two-stage delivery model, Tencent COS hosting, per-operator harvester variable, and lure-page cipher variants are structurally distinct.

The CodeStorm-specific differentiators that support separate cluster tracking are the Tencent COS second-stage delivery model with multiple recurring APPIDs, the [A-Za-z0-9]{5} tokenized lure-path scheme, the dominant /google.php harvester path, the Turnstile sitekey-as-operator-identifier configuration model, and the $checkings and $titles arrays embedded in the recovered render component. The recurring PDF metadata identifiers documented earlier in this report are consistent with the same operator-pool model and provide an independent indicator of shared tooling across observed CodeStorm campaigns.

Indonesian Authorship Evidence

The recovered render component contains three Indonesian-language artifacts. The helper function random_str($panjang) uses panjang (“length”) as a parameter name. The lazy-loading logic includes the error string Gagal memuat (“failed to load”). The stage-two URL placeholder includes the directory token ASLI (“original,” “authentic”). These are code-level artifacts in the render component itself, not strings displayed to the victim.

Hexastrike treats these markers as evidence of an Indonesian-language development pipeline rather than proof of operator nationality. Language artifacts can be inherited through copied code, retained from a purchased kit, or introduced by a third-party developer. The markers are nevertheless independent of Microsoft’s 2023 Indonesia-related infrastructure observation, since one concerns source-code language artifacts and the other concerns the location of phishing infrastructure and follow-on sign-ins.

The Indonesian-language indicators are directionally consistent with the broader Microsoft 365 AiTM ecosystem. Group-IB documented W3LL’s Indonesian-speaking community ties in 2023, and the 2026 FBI disruption of the W3LL phishing network involved Indonesian authorities. Hexastrike did not identify equivalent public evidence establishing Indonesian authorship for Sneaky 2FA, FlowerStorm, or Whisper 2FA. The CodeStorm markers therefore add a CodeStorm-specific data point to a regional development ecosystem previously documented in the same direction, without establishing a code-lineage relationship to W3LL.

Mapping to Storm-1167

Microsoft publicly described Storm-1167 as the developer, maintainer, and operator of an AiTM phishing kit used in a multi-stage phishing and BEC campaign. The 2023 campaign began with phishing email from a trusted vendor, used Canva-hosted lure content, redirected victims to a Tencent-hosted phishing page, captured credentials and MFA responses, replayed session cookies, modified MFA methods, created inbox rules, and supported follow-on phishing from compromised accounts.

CodeStorm exhibits the same operational model across multiple independent dimensions. CodeStorm operators used compromised Microsoft 365 accounts to send phishing email, including from vendor and partner tenants with prior correspondence with the recipient organization. Lure content was staged through SharePoint and other trusted SaaS platforms. Microsoft 365 session material was captured through AiTM proxying with multi-method MFA interception. Post-authentication access supported onward phishing and mailbox-rule persistence. These overlaps are behavioral and infrastructure-based rather than code-level. They support mapping CodeStorm to the Storm-1167 operational model, but do not prove exclusive actor control.

Microsoft’s January 2026 reporting on a multi-stage AiTM and BEC campaign targeting energy-sector organizations documented closely aligned tradecraft, including SharePoint-staged lures, trusted-identity abuse, inbox-rule persistence, and the requirement to revoke active session cookies in addition to resetting passwords. The 2026 post did not publicly name Storm-1167. Hexastrike therefore uses this reporting as corroborating tradecraft context for the continuing relevance of the Storm-1167 operational model, not as a named Storm-1167 update.

The infrastructure indicators supporting the CodeStorm-to-Storm-1167 assessment are Tencent cloud usage and Indonesian-linked development and infrastructure artifacts. Microsoft’s 2023 report stated that Storm-1167 redirected victims to phishing pages hosted on Tencent cloud infrastructure and that the AiTM phishing pages were hosted on IP addresses located in Indonesia, with follow-on sign-ins observed from the same IP addresses. CodeStorm uses Tencent COS in the ap-seoul region for second-stage delivery and contains Indonesian-language source artifacts in the recovered render component. Neither indicator is unique in isolation. Their joint occurrence in a kit that also exhibits the behavioral overlap above narrows the population of activity clusters meaningfully consistent with these indicators.

Detection Opportunities

CodeStorm detection should focus on post-authentication activity, compromised-account propagation, and infrastructure patterns rather than sender reputation alone. Across investigated cases, operators used legitimate Microsoft tenants, trusted SaaS platforms, and AiTM proxying to reduce the value of conventional phishing indicators.

Identity and Session Activity

• Token replay or session reuse after successful MFA.
• Anomalous session activity after an otherwise successful sign-in.
• Impossible travel or sign-ins inconsistent with the user’s normal geography.
• New device fingerprints or unfamiliar browser characteristics.
• Sign-ins from unfamiliar ASNs or hosting providers.
• Suspicious sign-in properties after successful MFA.
• Initial attacker logons from Tencent ASNs in investigated cases, consistent with infrastructure used elsewhere in the CodeStorm delivery chain.

Mailbox and SharePoint Activity

• Bursts of outbound mail from a user shortly after anomalous sign-in.
• New SharePoint links created or sent following anomalous sign-in.
• Mailbox rule creation shortly after anomalous sign-in, particularly rules named LinkedIn or similar that route incoming mail into folders such as Read or RSS Feeds.

Lure and Infrastructure Patterns

• Requests to CodeStorm-specific paths such as /google.php.
• Browser requests to tokenized lure paths matching /[A-Za-z0-9]{5}.
• Microsoft-themed or document-themed subdomain naming, including terms such as office, sharepoint, login, secure, doc, onedrive, and related variants.
• Redirect chains involving trusted SaaS platforms. These domains should not be treated as automatically benign when they redirect to external credential infrastructure.

Hardening and Mitigation Guidance

The recommendations below are scoped to the specific tradecraft observed across CodeStorm intrusions. They prioritize controls that disrupt AiTM-based session theft, reduce the post-authentication blast radius, and improve detection coverage for the delivery patterns documented in this report. Baseline phishing controls, including email filtering, user reporting workflows, and security awareness training, remain useful, but they should not be treated as sufficient against CodeStorm because the kit relies on legitimate tenants, trusted SaaS platforms, and real-time session interception.

Session Theft and AiTM Resistance

• Prioritize phishing-resistant authentication for privileged users, finance users, executives, and other high-risk groups.
• Prefer FIDO2 security keys, Windows Hello for Business, passkeys, or certificate-based authentication over OTP and push-based MFA for high-risk access.
• Avoid fallback paths that allow users to downgrade from phishing-resistant authentication to SMS, email OTP, or push approval.

Microsoft’s Conditional Access authentication strengths can be used to require phishing-resistant methods such as FIDO2 security keys, Windows Hello for Business, passkeys, and certificate-based authentication.

Conditional Access and Session Controls

• Require compliant or managed devices for sensitive Microsoft 365 applications.
• Use Conditional Access policies that combine user risk, sign-in risk, device compliance, location, and application sensitivity.
• Treat trusted locations as a supporting signal, not a primary defense.
• Enable Continuous Access Evaluation where supported to improve enforcement after password resets, account disablement, location changes, and session revocation.
• Review Token Protection for supported native application scenarios, but do not treat it as complete coverage for browser-based AiTM phishing because Microsoft currently states browser-based applications are not supported.

Microsoft Continuous Access Evaluation can improve near-real-time enforcement for supported services, while Token Protection should be treated as a targeted control for supported native application scenarios rather than complete coverage for browser-based AiTM phishing.

Conclusion

CodeStorm is an actively maintained Microsoft 365 AiTM phishing kit that Hexastrike assesses with moderate confidence to fall within the Storm-1167 cluster. Its operational strength lies less in technical novelty than in the disciplined integration of trusted infrastructure abuse, real-time MFA interception, and lightweight but consistent post-authentication tradecraft. Conventional perimeter and reputation-based controls offer limited protection because the kit relies on legitimate tenants, trusted SaaS platforms, and live session theft. Effective defense requires phishing-resistant authentication, Conditional Access policies anchored on device and session signals, and detection logic that correlates identity, mailbox, and SharePoint activity.

Acknowledgements

• Steven Lim, for additional threat intelligence and corroborating data points.
• Sekoia Threat Detection & Research, for prior public reporting on Sneaky 2FA.
• Barracuda Threat Analyst Team, for prior public reporting on Whisper 2FA.
• Microsoft Threat Intelligence, for prior public reporting on the Storm-1167 cluster.

Disclosure Timeline

Date	Recipient
May 13, 2026	Affected customers and identified victim organizations
May 14, 2026	Cloudflare Abuse
May 14, 2026	Tencent Cloud Abuse
May 19, 2026	Microsoft Security Response Center
May 20, 2026	Public release

MITRE ATT&CK Mapping

Tactic	ID	Technique	CodeStorm
Resource Development	T1583.001	Acquire Infrastructure: Domains	Operators used attacker-controlled apex domains and subdomains for lure and harvester infrastructure.
Resource Development	T1583.006	Acquire Infrastructure: Web Services	Tencent COS was used to host CodeStorm stage-two JavaScript payloads.
Resource Development	T1586.002	Compromise Accounts: Email Accounts	Compromised Microsoft 365 mailboxes were used to send phishing emails from trusted senders.
Initial Access	T1566.002	Phishing: Spearphishing Link	Phishing emails contained links to CodeStorm lure infrastructure.
Initial Access	T1566.001	Phishing: Spearphishing Attachment	HTML attachments were delivered directly to victim inboxes.
Initial Access	T1566.003	Phishing: Spearphishing via Service	Lures were delivered through trusted SaaS platforms including SharePoint, Microsoft Sway, allo.io, youengage.me, mixpanel.com, and gamma.app.
Initial Access / Persistence / Defense Evasion / Lateral Movement	T1078.004	Valid Accounts: Cloud Accounts	Operators used compromised Microsoft 365 accounts and stolen authenticated session material to access victim tenants.
Execution	T1204.001	User Execution: Malicious Link	Victims were required to open lure links or QR-code destinations to reach CodeStorm phishing pages.
Execution	T1059.007	Command and Scripting Interpreter: JavaScript	CodeStorm executed client-side JavaScript in the victim browser to render the phishing UI and drive credential-harvesting logic.
Persistence	T1098	Account Manipulation	Operators modified compromised mailboxes by creating or changing inbox rules after successful account access.
Persistence / Defense Evasion	T1564.008	Hide Artifacts: Email Hiding Rules	The same post-compromise rule activity was used for concealment, including an Outlook inbox rule named LinkedIn that moved phishing-related messages into RSS Feeds and marked them read.
Defense Evasion / Lateral Movement	T1550.004	Use Alternate Authentication Material: Web Session Cookie	Operators reused stolen Microsoft 365 session cookies or tokens after successful MFA.
Defense Evasion	T1027	Obfuscated Files or Information	CodeStorm used encrypted and obfuscated JavaScript payloads, runtime decoding, string reconstruction, and obfuscated stage-two JavaScript.
Defense Evasion	T1140	Deobfuscate/Decode Files or Information	CodeStorm decoded runtime payloads using LCG/Caesar/XOR logic in one variant and AES-256-CBC with CryptoJS in another.
Defense Evasion	T1497.001	Virtualization/Sandbox Evasion: System Checks	CodeStorm checked for navigator.webdriver, PhantomJS indicators, Burp-related user-agent strings, and debugger-induced execution delays.
Defense Evasion	T1620	Reflective Code Loading	CodeStorm reconstructed and executed decoded JavaScript payloads at runtime and dynamically loaded stage-two scripts.
Credential Access	T1557	Adversary-in-the-Middle	CodeStorm proxied Microsoft 365 authentication in real time to intercept credentials, MFA artifacts, and session material.
Credential Access	T1539	Steal Web Session Cookie	CodeStorm obtained authenticated Microsoft 365 session material during the web authentication flow.
Credential Access / Collection	T1056.003	Input Capture: Web Portal Capture	The fake Microsoft 365 login interface captured email addresses, passwords, and MFA artifacts.
Command and Control	T1102	Web Service	Tencent COS / myqcloud.com was used as a web service for hosting stage-two payloads.
Command and Control / Exfiltration	T1071.001	Application Layer Protocol: Web Protocols	CodeStorm used HTTPS web traffic for Tencent COS stage-two payload retrieval and communication with harvester endpoints such as /google.php and /next.php.
Collection	T1114.002	Email Collection: Remote Email Collection	Operators accessed Microsoft 365 mailbox content after compromise.
Collection	T1530	Data from Cloud Storage	Operators accessed SharePoint-hosted cloud content after compromise.
Collection	T1213.002	Data from Information Repositories: SharePoint	Operators conducted keyword-driven SharePoint reconnaissance, including searches for payment- and credential-related content.
Discovery	T1087.003	Account Discovery: Email Account	Operators harvested contacts from compromised users’ Outlook address books.
Discovery	T1087.004	Account Discovery: Cloud Account	Operators used compromised Microsoft 365 context to identify tenant users, contacts, and cloud-account relationships.
Lateral Movement	T1534	Internal Spearphishing	Operators sent phishing messages to additional recipients within the same compromised tenant.

Indicators of Compromise

Note: First Seen and Last Seen values reflect Hexastrike’s observation window for each indicator and do not necessarily represent creation date, registration date, first malicious use, or the full period of operator control.

Category	Type	Value	Comment	First Seen	Last Seen
Network activity	domain	advantagedigitalstrength.de	CodeStorm phishing apex domain	2026-04-14	2026-04-30
Network activity	domain	afemalesewedblessings.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-03
Network activity	domain	ancientexplorer.de	CodeStorm phishing apex domain	2026-04-07	2026-04-07
Network activity	domain	apptoimprovesecurity.de	CodeStorm phishing apex domain	2026-05-13	2026-05-13
Network activity	domain	astronautosogni.de	CodeStorm phishing apex domain	2026-03-28	2026-04-05
Network activity	domain	astronomy.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-22
Network activity	domain	awomanknitaspirations.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-03
Network activity	domain	bell.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-15
Network activity	domain	bending.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-16
Network activity	domain	blooming.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-11
Network activity	domain	blossom.com.de	CodeStorm phishing apex domain	2025-04-04	2025-11-27
Network activity	domain	breathlessness.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-15
Network activity	domain	builtinlayers.de	CodeStorm phishing apex domain	2026-04-12	2026-04-30
Network activity	domain	caringprecision.de	CodeStorm phishing apex domain	2026-04-12	2026-04-13
Network activity	domain	cephalexinv.de	CodeStorm phishing apex domain	2026-04-30	2026-04-30
Network activity	domain	certifiedconnect.de	CodeStorm phishing apex domain	2026-04-27	2026-05-11
Network activity	domain	childrenreadclouds.de	CodeStorm phishing apex domain	2026-05-10	2026-05-10
Network activity	domain	chiminghour.de	CodeStorm phishing apex domain	2026-04-03	2026-04-04
Network activity	domain	clarityfirstdigital.de	CodeStorm phishing apex domain	2026-03-31	2026-04-12
Network activity	domain	clarityinbranding.de	CodeStorm phishing apex domain	2026-04-09	2026-04-27
Network activity	domain	clarityindesign.de	CodeStorm phishing apex domain	2026-04-21	2026-05-14
Network activity	domain	clearbrandmessage.de	CodeStorm phishing apex domain	2026-05-02	2026-05-02
Network activity	domain	clearcommunicationhub.de	CodeStorm phishing apex domain	2026-04-01	2026-04-27
Network activity	domain	clearconceptsdesign.de	CodeStorm phishing apex domain	2026-03-31	2026-04-27
Network activity	domain	clearinterfacedesign.de	CodeStorm phishing apex domain	2026-05-01	2026-05-09
Network activity	domain	clearlayout.de	CodeStorm phishing apex domain	2026-03-24	2026-04-16
Network activity	domain	clearmodern.de	CodeStorm phishing apex domain	2026-04-19	2026-04-24
Network activity	domain	clickconfidence.de	CodeStorm phishing apex domain	2026-05-03	2026-05-03
Network activity	domain	codeforsecurity.de	CodeStorm phishing apex domain	2026-03-19	2026-03-19
Network activity	domain	colorfullandscapetrain.de	CodeStorm phishing apex domain	2026-03-24	2026-04-12
Network activity	domain	confidencehub.de	CodeStorm phishing apex domain	2026-05-10	2026-05-11
Network activity	domain	confidenceinbuild.de	CodeStorm phishing apex domain	2026-04-17	2026-04-20
Network activity	domain	confidenceindetail.de	CodeStorm phishing apex domain	2026-04-13	2026-04-23
Network activity	domain	confidencesphere.de	CodeStorm phishing apex domain	2026-05-08	2026-05-08
Network activity	domain	confidentlyexecuted.de	CodeStorm phishing apex domain	2026-04-13	2026-04-27
Network activity	domain	consistentcollaborators.de	CodeStorm phishing apex domain	2026-04-17	2026-04-24
Network activity	domain	consistenthostingsolutions.de	CodeStorm phishing apex domain	2026-04-24	2026-05-09
Network activity	domain	consistentlystructured.de	CodeStorm phishing apex domain	2026-03-30	2026-04-27
Network activity	domain	contemplative.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-20
Network activity	domain	correspondence.com.de	CodeStorm phishing apex domain	2025-04-04	2025-12-16
Network activity	domain	counteddown.com.de	CodeStorm phishing apex domain	2025-04-04	2026-03-12
Network activity	domain	createsdependability.de	CodeStorm phishing apex domain	2026-04-13	2026-05-11
Network activity	domain	creations.com.de	CodeStorm phishing apex domain	2025-04-04	2025-11-25
Network activity	domain	credbilityandidentity.de	CodeStorm phishing apex domain	2026-04-17	2026-04-20
Network activity	domain	credibilityhub.de	CodeStorm phishing apex domain	2026-04-02	2026-04-20
Network activity	domain	credibilityprotected.de	CodeStorm phishing apex domain	2026-04-16	2026-04-20
Network activity	domain	crediblemarketsignals.de	CodeStorm phishing apex domain	2026-04-27	2026-05-03
Network activity	domain	crediblesecure.de	CodeStorm phishing apex domain	2026-04-13	2026-04-29
Network activity	domain	crystalharbor.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-05
Network activity	domain	curated.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-12
Network activity	domain	current.com.de	CodeStorm phishing apex domain	2025-04-04	2025-11-24
Network activity	domain	curved.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-10
Network activity	domain	customersafenet.de	CodeStorm phishing apex domain	2026-04-01	2026-04-23
Network activity	domain	cyberprofessionalism.de	CodeStorm phishing apex domain	2026-05-05	2026-05-05
Network activity	domain	daybreak.com.de	CodeStorm phishing apex domain	2025-04-04	2025-12-04
Network activity	domain	definedarchitecture.de	CodeStorm phishing apex domain	2026-04-14	2026-05-03
Network activity	domain	delivered.com.de	CodeStorm phishing apex domain	2025-04-04	2025-12-10
Network activity	domain	dependablecreativity.de	CodeStorm phishing apex domain	2026-04-24	2026-05-03
Network activity	domain	dependableinnovations.de	CodeStorm phishing apex domain	2026-04-16	2026-05-01
Network activity	domain	designreducesuncertainty.de	CodeStorm phishing apex domain	2026-05-01	2026-05-12
Network activity	domain	designyourpeace.de	CodeStorm phishing apex domain	2026-05-05	2026-05-05
Network activity	domain	detail-oriented.de	CodeStorm phishing apex domain	2026-03-23	2026-04-21
Network activity	domain	digitalbrandclarity.de	CodeStorm phishing apex domain	2026-04-14	2026-04-27
Network activity	domain	digitalconduct.de	CodeStorm phishing apex domain	2026-05-01	2026-05-14
Network activity	domain	digitalcredibilityhub.de	CodeStorm phishing apex domain	2026-05-10	2026-05-13
Network activity	domain	digitaleffectiveness.de	CodeStorm phishing apex domain	2026-05-03	2026-05-03
Network activity	domain	digitalforceadvantage.de	CodeStorm phishing apex domain	2026-04-14	2026-05-13
Network activity	domain	digitalframeworksforsuccess.de	CodeStorm phishing apex domain	2026-04-14	2026-05-09
Network activity	domain	digitallyempowered.de	CodeStorm phishing apex domain	2026-04-14	2026-05-11
Network activity	domain	digitallygerman.de	CodeStorm phishing apex domain	2026-04-09	2026-05-03
Network activity	domain	digitalmarkettransparency.de	CodeStorm phishing apex domain	2026-05-12	2026-05-12
Network activity	domain	digitalpresenceexpert.de	CodeStorm phishing apex domain	2026-05-11	2026-05-11
Network activity	domain	digitalproficiency.de	CodeStorm phishing apex domain	2026-04-17	2026-05-03
Network activity	domain	digitalreputationclarity.de	CodeStorm phishing apex domain	2026-04-15	2026-04-27
Network activity	domain	digitalstrengthhub.de	CodeStorm phishing apex domain	2026-04-14	2026-05-01
Network activity	domain	digitalsuccessframeworks.de	CodeStorm phishing apex domain	2026-04-18	2026-05-09
Network activity	domain	digitaltrustbase.de	CodeStorm phishing apex domain	2026-05-02	2026-05-14
Network activity	domain	digitaltrustlayer.de	CodeStorm phishing apex domain	2026-05-13	2026-05-13
Network activity	domain	diligentdomain.de	CodeStorm phishing apex domain	2026-04-11	2026-04-26
Network activity	domain	disappeared.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-13
Network activity	domain	domainfoundation.de	CodeStorm phishing apex domain	2026-04-22	2026-05-10
Network activity	domain	domaintrustlayer.de	CodeStorm phishing apex domain	2026-04-10	2026-05-07
Network activity	domain	dreamscapes.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-11
Network activity	domain	dreamsintheframe.de	CodeStorm phishing apex domain	2026-05-07	2026-05-14
Network activity	domain	dreamycloudletters.de	CodeStorm phishing apex domain	2026-03-27	2026-03-27
Network activity	domain	dynamicgrowthsystems.de	CodeStorm phishing apex domain	2026-04-13	2026-05-08
Network activity	domain	echoednostalgia.de	CodeStorm phishing apex domain	2026-04-09	2026-04-19
Network activity	domain	echoesoftheevening.de	CodeStorm phishing apex domain	2026-04-07	2026-05-05
Network activity	domain	ecofriendlycommunication.de	CodeStorm phishing apex domain	2026-04-14	2026-05-10
Network activity	domain	efficiencyworks.de	CodeStorm phishing apex domain	2026-05-03	2026-05-03
Network activity	domain	efficientlycompetitive.de	CodeStorm phishing apex domain	2026-04-24	2026-05-03
Network activity	domain	effortlessdesignclarity.de	CodeStorm phishing apex domain	2026-05-12	2026-05-12
Network activity	domain	elevatebrandimage.de	CodeStorm phishing apex domain	2026-04-14	2026-05-08
Network activity	domain	embodied.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-01
Network activity	domain	encapsulated.com.de	CodeStorm phishing apex domain	2025-04-04	2026-03-19
Network activity	domain	encouraged.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-18
Network activity	domain	enlightenment.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-22
Network activity	domain	envelope.com.de	CodeStorm phishing apex domain	2025-04-04	2026-03-25
Network activity	domain	etched.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-05
Network activity	domain	eurotrustsignals.de	CodeStorm phishing apex domain	2026-05-09	2026-05-09
Network activity	domain	evoked.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-09
Network activity	domain	exactbusiness.de	CodeStorm phishing apex domain	2026-04-23	2026-05-12
Network activity	domain	exactwebpresence.de	CodeStorm phishing apex domain	2026-03-30	2026-04-16
Network activity	domain	executionwithconfidence.de	CodeStorm phishing apex domain	2026-05-14	2026-05-14
Network activity	domain	exemplaryexecution.de	CodeStorm phishing apex domain	2026-04-13	2026-05-01
Network activity	domain	exploring.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-12
Network activity	domain	extensioneurope.de	CodeStorm phishing apex domain	2026-04-27	2026-04-27
Network activity	domain	faintly.com.de	CodeStorm phishing apex domain	2025-04-04	2025-11-06
Network activity	domain	fantasies.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-19
Network activity	domain	fierce.com.de	CodeStorm phishing apex domain	2025-04-04	2026-03-15
Network activity	domain	findingtheearth.de	CodeStorm phishing apex domain	2026-02-22	2026-03-21
Network activity	domain	firelight.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-01
Network activity	domain	flawlessoperations.de	CodeStorm phishing apex domain	2026-05-12	2026-05-12
Network activity	domain	fondness.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-27
Network activity	domain	fostered.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-27
Network activity	domain	fosteringtrust.de	CodeStorm phishing apex domain	2026-03-31	2026-04-27
Network activity	domain	foundationforprofessionals.de	CodeStorm phishing apex domain	2026-03-31	2026-04-25
Network activity	domain	foundationofprofessionals.de	CodeStorm phishing apex domain	2026-03-31	2026-04-21
Network activity	domain	fracturedmoon.de	CodeStorm phishing apex domain	2026-02-20	2026-03-20
Network activity	domain	frameworksforsuccess.de	CodeStorm phishing apex domain	2026-04-23	2026-05-12
Network activity	domain	friendlystray.de	CodeStorm phishing apex domain	2026-05-06	2026-05-06
Network activity	domain	futurereadyinfrastructure.de	CodeStorm phishing apex domain	2026-04-21	2026-04-25
Network activity	domain	futures.com.de	CodeStorm phishing apex domain	2020-03-07	2026-02-04
Network activity	domain	germanidentityhub.de	CodeStorm phishing apex domain	2026-05-08	2026-05-08
Network activity	domain	girlwithanotebook.de	CodeStorm phishing apex domain	2026-04-11	2026-04-17
Network activity	domain	glimmeringreflections.de	CodeStorm phishing apex domain	2026-03-28	2026-03-29
Network activity	domain	glinting.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-24
Network activity	domain	glisten.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-27
Network activity	domain	globalpreparedness.de	CodeStorm phishing apex domain	2026-05-03	2026-05-03
Network activity	domain	goalorientedhub.de	CodeStorm phishing apex domain	2026-04-08	2026-05-02
Network activity	domain	gradualquality.de	CodeStorm phishing apex domain	2026-04-03	2026-04-19
Network activity	domain	gurgled.com.de	CodeStorm phishing apex domain	2025-04-04	2025-11-24
Network activity	domain	halo.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-01
Network activity	domain	happycloudmessages.de	CodeStorm phishing apex domain	2026-04-29	2026-05-14
Network activity	domain	healing.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-27
Network activity	domain	heavensentrain.de	CodeStorm phishing apex domain	2026-03-19	2026-03-21
Network activity	domain	heavyraindaily.de	CodeStorm phishing apex domain	2026-04-01	2026-04-28
Network activity	domain	heeding.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-04
Network activity	domain	hints.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-14
Network activity	domain	hopped.com.de	CodeStorm phishing apex domain	2025-04-04	2025-12-07
Network activity	domain	identityestablished.de	CodeStorm phishing apex domain	2026-04-17	2026-04-21
Network activity	domain	identityprofessional.de	CodeStorm phishing apex domain	2026-04-18	2026-04-18
Network activity	domain	incandescence.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-07
Network activity	domain	infrastructureplus.de	CodeStorm phishing apex domain	2026-04-14	2026-05-03
Network activity	domain	innovatestructure.de	CodeStorm phishing apex domain	2026-05-12	2026-05-13
Network activity	domain	innovativewege.de	CodeStorm phishing apex domain	2026-04-25	2026-05-12
Network activity	domain	inquisitive.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-29
Network activity	domain	instinctivecredibility.de	CodeStorm phishing apex domain	2026-05-08	2026-05-08
Network activity	domain	integratedbranding.de	CodeStorm phishing apex domain	2026-04-04	2026-05-02
Network activity	domain	intent.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-09
Network activity	domain	intentfocusgroup.de	CodeStorm phishing apex domain	2026-04-13	2026-05-10
Network activity	domain	intentionalmarketgroup.de	CodeStorm phishing apex domain	2026-05-09	2026-05-10
Network activity	domain	interlaced.com.de	CodeStorm phishing apex domain	2025-04-04	2026-03-19
Network activity	domain	intermittent.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-15
Network activity	domain	internationalreadiness.de	CodeStorm phishing apex domain	2026-04-27	2026-05-03
Network activity	domain	intuitiveplatform.de	CodeStorm phishing apex domain	2026-05-09	2026-05-09
Network activity	domain	invigorated.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-19
Network activity	domain	joviality.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-23
Network activity	domain	justkeepgoing.de	CodeStorm phishing apex domain	2026-04-06	2026-04-06
Network activity	domain	kept.com.de	CodeStorm phishing apex domain	2025-04-04	2026-03-03
Network activity	domain	lamented.com.de	CodeStorm phishing apex domain	2025-04-04	2026-03-24
Network activity	domain	lasted.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-14
Network activity	domain	lastingtrustsecure.de	CodeStorm phishing apex domain	2026-03-31	2026-04-28
Network activity	domain	lavender.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-15
Network activity	domain	leading.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-02
Network activity	domain	lifesaverapp.de	CodeStorm phishing apex domain	2026-05-01	2026-05-01
Network activity	domain	liveliness.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-28
Network activity	domain	localtrustworldwide.de	CodeStorm phishing apex domain	2026-05-10	2026-05-10
Network activity	domain	longhaulconsistency.de	CodeStorm phishing apex domain	2026-04-24	2026-04-24
Network activity	domain	longings.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-15
Network activity	domain	longtermvaluesafe.de	CodeStorm phishing apex domain	2026-05-01	2026-05-01
Network activity	domain	luciddesigns.de	CodeStorm phishing apex domain	2026-03-31	2026-04-27
Network activity	domain	lustrous.com.de	CodeStorm phishing apex domain	2025-04-04	2025-12-01
Network activity	domain	marketidentityconsistency.de	CodeStorm phishing apex domain	2026-04-14	2026-05-12
Network activity	domain	masteringprecision.de	CodeStorm phishing apex domain	2026-04-13	2026-05-08
Network activity	domain	maximizevisibility.de	CodeStorm phishing apex domain	2026-05-10	2026-05-10
Network activity	domain	melodized.com.de	CodeStorm phishing apex domain	2025-04-04	2025-11-25
Network activity	domain	melted.com.de	CodeStorm phishing apex domain	2025-04-04	2025-09-06
Network activity	domain	mementos.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-03
Network activity	domain	memoriesofwishes.de	CodeStorm phishing apex domain	2026-03-04	2026-03-29
Network activity	domain	mended.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-27
Network activity	domain	merged.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-14
Network activity	domain	merriment.com.de	CodeStorm phishing apex domain	2025-04-04	2025-11-09
Network activity	domain	modernbrandclarity.de	CodeStorm phishing apex domain	2026-04-09	2026-04-24
Network activity	domain	morningmelody.de	CodeStorm phishing apex domain	2026-03-27	2026-03-31
Network activity	domain	mountainrainreport.de	CodeStorm phishing apex domain	2026-04-28	2026-05-05
Network activity	domain	murmuringriver.de	CodeStorm phishing apex domain	2026-05-13	2026-05-13
Network activity	domain	musicalememorie.de	CodeStorm phishing apex domain	2026-04-26	2026-04-26
Network activity	domain	mycredibledomain.de	CodeStorm phishing apex domain	2026-04-19	2026-04-19
Network activity	domain	mysticalnight.de	CodeStorm phishing apex domain	2026-03-28	2026-03-29
Network activity	domain	mythsoftheglade.de	CodeStorm phishing apex domain	2026-04-23	2026-04-23
Network activity	domain	naturesbreath.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-09
Network activity	domain	night.com.de	CodeStorm phishing apex domain	2020-07-21	2026-04-27
Network activity	domain	nighttime.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-24
Network activity	domain	nightwishdomain.de	CodeStorm phishing apex domain	2026-03-21	2026-03-29
Network activity	domain	northernrainwatch.de	CodeStorm phishing apex domain	2026-04-29	2026-05-14
Network activity	domain	notebookofsecrets.de	CodeStorm phishing apex domain	2026-04-03	2026-04-12
Network activity	domain	officedatasolutions.de	CodeStorm phishing apex domain	2026-04-29	2026-04-29
Network activity	domain	onlinepresencematters.de	CodeStorm phishing apex domain	2026-04-03	2026-04-24
Network activity	domain	onlinesecurityapps.de	CodeStorm phishing apex domain	2026-04-20	2026-04-20
Network activity	domain	optimumoperations.de	CodeStorm phishing apex domain	2026-03-31	2026-04-29
Network activity	domain	orderlydesigns.de	CodeStorm phishing apex domain	2026-04-07	2026-05-03
Network activity	domain	orderlysystems.de	CodeStorm phishing apex domain	2026-04-15	2026-05-14
Network activity	domain	organizedenterprise.de	CodeStorm phishing apex domain	2026-05-10	2026-05-12
Network activity	domain	overcame.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-04
Network activity	domain	partnersincommunication.de	CodeStorm phishing apex domain	2026-05-05	2026-05-05
Network activity	domain	partnersinconsistency.de	CodeStorm phishing apex domain	2026-04-24	2026-04-24
Network activity	domain	patienceintherain.de	CodeStorm phishing apex domain	2026-04-29	2026-04-29
Network activity	domain	pattered.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-05
Network activity	domain	pause.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-01
Network activity	domain	pearlfilledshoes.de	CodeStorm phishing apex domain	2026-03-27	2026-03-27
Network activity	domain	pearlsandshoes.de	CodeStorm phishing apex domain	2026-03-27	2026-04-04
Network activity	domain	perceive.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-20
Network activity	domain	perched.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-16
Network activity	domain	performancedelivery.de	CodeStorm phishing apex domain	2026-04-13	2026-05-04
Network activity	domain	performancepredictor.de	CodeStorm phishing apex domain	2026-04-15	2026-04-19
Network activity	domain	performancetactics.de	CodeStorm phishing apex domain	2026-04-27	2026-04-27
Network activity	domain	phantasmagoric.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-02
Network activity	domain	phosphorescence.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-01
Network activity	domain	platformclarity.de	CodeStorm phishing apex domain	2026-05-03	2026-05-07
Network activity	domain	platformconsistency.de	CodeStorm phishing apex domain	2026-03-30	2026-04-22
Network activity	domain	platformease.de	CodeStorm phishing apex domain	2026-03-31	2026-04-15
Network activity	domain	platformperformancehub.de	CodeStorm phishing apex domain	2026-03-30	2026-04-27
Network activity	domain	playfulcloudwords.de	CodeStorm phishing apex domain	2026-04-23	2026-05-14
Network activity	domain	portrayed.com.de	CodeStorm phishing apex domain	2025-04-04	2026-03-04
Network activity	domain	possibilities.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-20
Network activity	domain	powerfulpresence.de	CodeStorm phishing apex domain	2026-03-23	2026-04-13
Network activity	domain	powerfultrustbrands.de	CodeStorm phishing apex domain	2026-04-01	2026-04-17
Network activity	domain	prayerfulprecipitation.de	CodeStorm phishing apex domain	2026-04-19	2026-04-19
Network activity	domain	precisionandreliability.de	CodeStorm phishing apex domain	2026-03-30	2026-04-21
Network activity	domain	precisionandtrust.de	CodeStorm phishing apex domain	2026-04-29	2026-04-29
Network activity	domain	primedomainauthority.de	CodeStorm phishing apex domain	2026-04-12	2026-04-13
Network activity	domain	proclienthub.de	CodeStorm phishing apex domain	2026-04-14	2026-04-21
Network activity	domain	prodesigncertainty.de	CodeStorm phishing apex domain	2026-05-01	2026-05-12
Network activity	domain	professionalassurance.de	CodeStorm phishing apex domain	2026-05-04	2026-05-04
Network activity	domain	professionalprecision.de	CodeStorm phishing apex domain	2026-04-15	2026-04-28
Network activity	domain	professionalpresencenow.de	CodeStorm phishing apex domain	2026-04-13	2026-05-13
Network activity	domain	professionalresultsnow.de	CodeStorm phishing apex domain	2026-03-31	2026-04-27
Network activity	domain	progressiveplatforms.de	CodeStorm phishing apex domain	2026-05-09	2026-05-09
Network activity	domain	protectyourcred.de	CodeStorm phishing apex domain	2026-04-13	2026-05-12
Network activity	domain	purelysophisticated.de	CodeStorm phishing apex domain	2026-04-17	2026-04-17
Network activity	domain	purposefului.de	CodeStorm phishing apex domain	2026-04-12	2026-04-13
Network activity	domain	qualityclientconnect.de	CodeStorm phishing apex domain	2026-04-14	2026-05-03
Network activity	domain	qualitygermanbrand.de	CodeStorm phishing apex domain	2026-04-29	2026-05-08
Network activity	domain	quantifiableexecution.de	CodeStorm phishing apex domain	2026-03-31	2026-04-27
Network activity	domain	quivered.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-25
Network activity	domain	rainydayreflections.de	CodeStorm phishing apex domain	2026-03-18	2026-04-13
Network activity	domain	react.com.de	CodeStorm phishing apex domain	2025-04-04	2025-10-08
Network activity	domain	realities.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-27
Network activity	domain	recognizeable.de	CodeStorm phishing apex domain	2026-05-01	2026-05-02
Network activity	domain	recollect.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-14
Network activity	domain	reflective.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-09
Network activity	domain	reflectiveriver.de	CodeStorm phishing apex domain	2026-04-10	2026-04-11
Network activity	domain	reinforcesintegrity.de	CodeStorm phishing apex domain	2026-04-13	2026-05-11
Network activity	domain	relayed.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-13
Network activity	domain	reliabilityhub.de	CodeStorm phishing apex domain	2026-04-03	2026-04-26
Network activity	domain	reliabledigitalfootprint.de	CodeStorm phishing apex domain	2026-03-30	2026-04-27
Network activity	domain	reliablehostinggrowth.de	CodeStorm phishing apex domain	2026-04-24	2026-05-08
Network activity	domain	reliableplatforms.de	CodeStorm phishing apex domain	2026-03-30	2026-04-27
Network activity	domain	reliablevisibility.de	CodeStorm phishing apex domain	2026-03-30	2026-04-27
Network activity	domain	remembered.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-23
Network activity	domain	rendered.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-12
Network activity	domain	reputationenhancer.de	CodeStorm phishing apex domain	2026-05-08	2026-05-09
Network activity	domain	respectusertime.de	CodeStorm phishing apex domain	2026-04-13	2026-05-09
Network activity	domain	rested.com.de	CodeStorm phishing apex domain	2025-04-04	2025-12-11
Network activity	domain	retained.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-04
Network activity	domain	reverberations.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-17
Network activity	domain	revisin.de	CodeStorm phishing apex domain	2026-04-03	2026-04-25
Network activity	domain	rhythmed.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-02
Network activity	domain	rooftopreflections.de	CodeStorm phishing apex domain	2026-04-06	2026-04-06
Network activity	domain	rumble.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-21
Network activity	domain	ruminatingbrook.de	CodeStorm phishing apex domain	2026-03-20	2026-04-16
Network activity	domain	sacredraindrops.de	CodeStorm phishing apex domain	2026-03-24	2026-04-16
Network activity	domain	sacredshowers.de	CodeStorm phishing apex domain	2026-03-19	2026-03-21
Network activity	domain	safety.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-08
Network activity	domain	safetyfirstsystems.de	CodeStorm phishing apex domain	2026-04-21	2026-04-27
Network activity	domain	saluted.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-04
Network activity	domain	sanfte-schatten-art.de	CodeStorm phishing apex domain	2026-04-18	2026-04-22
Network activity	domain	sanfteslicht.de	CodeStorm phishing apex domain	2026-04-18	2026-04-22
Network activity	domain	scalableinnovations.de	CodeStorm phishing apex domain	2026-05-13	2026-05-13
Network activity	domain	scalableplatforms.de	CodeStorm phishing apex domain	2026-05-11	2026-05-11
Network activity	domain	scattered.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-16
Network activity	domain	secondsofchime.de	CodeStorm phishing apex domain	2026-04-10	2026-04-11
Network activity	domain	secretsinthewind.de	CodeStorm phishing apex domain	2026-02-25	2026-03-21
Network activity	domain	securedigitalsuccess.de	CodeStorm phishing apex domain	2026-05-10	2026-05-10
Network activity	domain	securedomainreliability.de	CodeStorm phishing apex domain	2026-04-25	2026-05-07
Network activity	domain	secureenvirotrust.de	CodeStorm phishing apex domain	2026-03-31	2026-04-18
Network activity	domain	secureidentityonline.de	CodeStorm phishing apex domain	2026-04-15	2026-04-27
Network activity	domain	secureplatforms.de	CodeStorm phishing apex domain	2026-04-11	2026-04-11
Network activity	domain	secureuserguard.de	CodeStorm phishing apex domain	2026-04-13	2026-05-12
Network activity	domain	secureusertrust.de	CodeStorm phishing apex domain	2026-04-16	2026-04-29
Network activity	domain	securewebsolution.de	CodeStorm phishing apex domain	2026-05-13	2026-05-13
Network activity	domain	secureyouronlinepresence.de	CodeStorm phishing apex domain	2026-04-23	2026-04-23
Network activity	domain	serenades.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-26
Network activity	domain	showcased.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-18
Network activity	domain	sighed.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-05
Network activity	domain	silhouetted.com.de	CodeStorm phishing apex domain	2025-04-04	2026-03-24
Network activity	domain	simplicitymastered.de	CodeStorm phishing apex domain	2026-04-17	2026-04-21
Network activity	domain	simplisticallysophisticated.de	CodeStorm phishing apex domain	2026-04-17	2026-04-20
Network activity	domain	simplysophisticatedonline.de	CodeStorm phishing apex domain	2026-04-16	2026-05-08
Network activity	domain	skylandobservatory.de	CodeStorm phishing apex domain	2026-05-11	2026-05-12
Network activity	domain	skyopenedeyes.de	CodeStorm phishing apex domain	2026-04-07	2026-04-30
Network activity	domain	slipped.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-27
Network activity	domain	snoop.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-11
Network activity	domain	soft.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-07
Network activity	domain	softmorningtown.de	CodeStorm phishing apex domain	2026-05-14	2026-05-14
Network activity	domain	softness.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-11
Network activity	domain	softwhispersofnature.de	CodeStorm phishing apex domain	2026-04-08	2026-05-07
Network activity	domain	solidreputation.de	CodeStorm phishing apex domain	2026-05-11	2026-05-12
Network activity	domain	sophisticatedsimplicity.de	CodeStorm phishing apex domain	2026-03-22	2026-04-18
Network activity	domain	specters.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-13
Network activity	domain	splash.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-04
Network activity	domain	stabledigitalframeworks.de	CodeStorm phishing apex domain	2026-04-17	2026-04-28
Network activity	domain	stablegrowthfoundation.de	CodeStorm phishing apex domain	2026-04-21	2026-04-21
Network activity	domain	stablegrowthhost.de	CodeStorm phishing apex domain	2026-04-24	2026-05-09
Network activity	domain	stargazing.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-16
Network activity	domain	stayedlit.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-14
Network activity	domain	steadfastpartnerships.de	CodeStorm phishing apex domain	2026-04-24	2026-05-11
Network activity	domain	steadystatebranding.de	CodeStorm phishing apex domain	2026-04-27	2026-04-29
Network activity	domain	stellarremembrances.de	CodeStorm phishing apex domain	2026-05-07	2026-05-07
Network activity	domain	stooping.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-13
Network activity	domain	strategicdigitalclarity.de	CodeStorm phishing apex domain	2026-05-01	2026-05-12
Network activity	domain	straykindnessproject.de	CodeStorm phishing apex domain	2026-04-06	2026-04-07
Network activity	domain	streamlineduserexp.de	CodeStorm phishing apex domain	2026-04-13	2026-05-13
Network activity	domain	strengthendigitalposition.de	CodeStorm phishing apex domain	2026-04-06	2026-04-16
Network activity	domain	strengthensrelationships.de	CodeStorm phishing apex domain	2026-04-13	2026-05-01
Network activity	domain	strengthenyourbrand.de	CodeStorm phishing apex domain	2026-04-10	2026-04-27
Network activity	domain	strengthindigital.de	CodeStorm phishing apex domain	2026-04-14	2026-04-29
Network activity	domain	strongframeworks.de	CodeStorm phishing apex domain	2026-03-31	2026-04-17
Network activity	domain	strongscales.de	CodeStorm phishing apex domain	2026-03-31	2026-04-29
Network activity	domain	strongsystems.de	CodeStorm phishing apex domain	2026-04-22	2026-05-08
Network activity	domain	structuredperformance.de	CodeStorm phishing apex domain	2026-05-04	2026-05-04
Network activity	domain	structuredsuccess.de	CodeStorm phishing apex domain	2026-05-10	2026-05-13
Network activity	domain	structureforusability.de	CodeStorm phishing apex domain	2026-03-31	2026-04-06
Network activity	domain	supported.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-18
Network activity	domain	survived.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-26
Network activity	domain	suspense.com.de	CodeStorm phishing apex domain	2025-04-04	2025-11-22
Network activity	domain	suspension.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-13
Network activity	domain	sustainabledialogue.de	CodeStorm phishing apex domain	2026-04-20	2026-05-05
Network activity	domain	sustainablegrowthforce.de	CodeStorm phishing apex domain	2026-04-02	2026-04-17
Network activity	domain	sustainscalable.de	CodeStorm phishing apex domain	2026-04-28	2026-05-13
Network activity	domain	swaying.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-21
Network activity	domain	systematicperformance.de	CodeStorm phishing apex domain	2026-04-15	2026-04-19
Network activity	domain	talesofthemoon.de	CodeStorm phishing apex domain	2026-04-29	2026-04-29
Network activity	domain	thewindnames.de	CodeStorm phishing apex domain	2026-03-15	2026-04-02
Network activity	domain	thoroughness.de	CodeStorm phishing apex domain	2026-04-24	2026-04-27
Network activity	domain	thoughtfulprecision.de	CodeStorm phishing apex domain	2026-05-11	2026-05-11
Network activity	domain	timeinleaves.de	CodeStorm phishing apex domain	2026-03-20	2026-03-22
Network activity	domain	townclockannounces.de	CodeStorm phishing apex domain	2026-05-12	2026-05-12
Network activity	domain	traditionmeetsinnovation.de	CodeStorm phishing apex domain	2026-04-02	2026-04-12
Network activity	domain	traditions.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-04
Network activity	domain	traditionsofinnovation.de	CodeStorm phishing apex domain	2026-05-07	2026-05-08
Network activity	domain	transform.com.de	CodeStorm phishing apex domain	2025-04-04	2026-03-12
Network activity	domain	transformation.com.de	CodeStorm phishing apex domain	2025-04-04	2025-07-30
Network activity	domain	transparentconversations.de	CodeStorm phishing apex domain	2026-04-01	2026-04-02
Network activity	domain	treeofribbons.de	CodeStorm phishing apex domain	2026-05-03	2026-05-03
Network activity	domain	triumphed.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-19
Network activity	domain	trustabledomains.de	CodeStorm phishing apex domain	2026-04-10	2026-05-07
Network activity	domain	trustedbrandinsight.de	CodeStorm phishing apex domain	2026-04-01	2026-04-27
Network activity	domain	trusteddesignpro.de	CodeStorm phishing apex domain	2026-05-12	2026-05-12
Network activity	domain	trusteddomainhub.de	CodeStorm phishing apex domain	2026-04-20	2026-04-30
Network activity	domain	trustedengagement.de	CodeStorm phishing apex domain	2026-04-27	2026-04-27
Network activity	domain	trustedmarket.de	CodeStorm phishing apex domain	2026-05-10	2026-05-10
Network activity	domain	trustenvironmentsecurity.de	CodeStorm phishing apex domain	2026-03-31	2026-04-27
Network activity	domain	trustfostering.de	CodeStorm phishing apex domain	2026-04-29	2026-05-12
Network activity	domain	trustshieldplatforms.de	CodeStorm phishing apex domain	2026-04-16	2026-05-13
Network activity	domain	trustthroughconsistency.de	CodeStorm phishing apex domain	2026-04-19	2026-04-24
Network activity	domain	trustworthybranding.de	CodeStorm phishing apex domain	2026-04-01	2026-04-09
Network activity	domain	trustworthygrowthhost.de	CodeStorm phishing apex domain	2026-05-08	2026-05-08
Network activity	domain	trustydomain.de	CodeStorm phishing apex domain	2026-05-09	2026-05-09
Network activity	domain	under.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-24
Network activity	domain	understanding.com.de	CodeStorm phishing apex domain	2025-04-04	2026-02-03
Network activity	domain	uninterruptedops.de	CodeStorm phishing apex domain	2026-05-03	2026-05-03
Network activity	domain	unsurelantern.de	CodeStorm phishing apex domain	2026-04-06	2026-04-06
Network activity	domain	unwaveringplatform.de	CodeStorm phishing apex domain	2026-04-17	2026-04-20
Network activity	domain	uplifting.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-03
Network activity	domain	veil.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-18
Network activity	domain	verifieddomainspace.de	CodeStorm phishing apex domain	2026-04-23	2026-05-10
Network activity	domain	verifiedidentityaddress.de	CodeStorm phishing apex domain	2026-04-17	2026-04-17
Network activity	domain	verstndnisvoll.de	CodeStorm phishing apex domain	2026-04-25	2026-05-02
Network activity	domain	visibilitydriven.de	CodeStorm phishing apex domain	2026-05-10	2026-05-11
Network activity	domain	visiblityboost.de	CodeStorm phishing apex domain	2026-04-27	2026-05-05
Network activity	domain	vision.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-26
Network activity	domain	vitality.com.de	CodeStorm phishing apex domain	2025-04-04	2026-01-05
Network activity	domain	wander.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-13
Network activity	domain	watched.com.de	CodeStorm phishing apex domain	2025-04-04	2025-11-06
Network activity	domain	webprofessionalism.de	CodeStorm phishing apex domain	2026-03-31	2026-04-24
Network activity	domain	welloptimized.de	CodeStorm phishing apex domain	2026-05-10	2026-05-10
Network activity	domain	whimsicalclouds.de	CodeStorm phishing apex domain	2026-03-28	2026-03-28
Network activity	domain	whiskers.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-13
Network activity	domain	whisperingwater.de	CodeStorm phishing apex domain	2026-04-26	2026-04-26
Network activity	domain	whispersofthewind.de	CodeStorm phishing apex domain	2026-03-04	2026-03-29
Network activity	domain	wishful.com.de	CodeStorm phishing apex domain	2025-04-04	2026-05-03
Network activity	domain	worldwidepreparedness.de	CodeStorm phishing apex domain	2026-04-15	2026-04-15
Network activity	domain	xdreamgifthouse.de	CodeStorm phishing apex domain	2026-05-03	2026-05-10
Network activity	domain	yielded.com.de	CodeStorm phishing apex domain	2025-04-04	2026-04-13
Payload delivery	sha256	6bea63d580071f34e8e9a3267fb0aefbc1c0d678b90c5c24e1d40f7f9abf62a2	CodeStorm server-side render component (24113 bytes) (filename: index-crypto-2.php)
Payload delivery	filename	index-crypto-2.php	CodeStorm server-side render component filename
Payload delivery	filename	bootstrap.min.js	CodeStorm stage-two credential harvesting payload (masquerades as Bootstrap library, hosted on Tencent COS)
Payload delivery	other	XMP-MM-DocumentID: c861fe4a-1dba-004e-883f-9a0be1a0af8b	Recurring XMP MM Document ID across CodeStorm PDF lures
Payload delivery	other	XMP-MM-InstanceID: 2565A930-FF27-4054-971A-C72E62DCEAF4	Recurring XMP MM Instance ID across CodeStorm PDF lures
Payload delivery	other	PDF-Trailer-ID: 2D728B14A9B308429EACADEA8D70EF32	Recurring PDF trailer /ID value across CodeStorm PDF lures
Payload delivery	other	PDF-Trailer-ID: 7F013322168C589BBD87F4A2244D810E	Recurring PDF trailer /ID value across CodeStorm PDF lures
Network activity	pattern-in-traffic	/google.php	CodeStorm primary credential harvester endpoint path
Network activity	pattern-in-traffic	/next.php	CodeStorm alternate credential harvester endpoint path
Network activity	pattern-in-traffic	pattern:/[A-Za-z0-9]{5}	CodeStorm tokenized lure URL path pattern (5 random alphanumeric chars)
Artifacts dropped	text	Outlook inbox rule named LinkedIn moving messages to RSS Feeds	CodeStorm post-compromise persistence – inbox rule created within seconds of credential capture
Network activity	domain	cos.ap-seoul.myqcloud.com	Tencent COS ap-seoul region – CodeStorm stage-two payload hosting domain
Network activity	domain	*-1388504898.cos.ap-seoul.myqcloud.com	Tencent COS bucket hostname pattern used for CodeStorm stage-two payload hosting
Network activity	domain	*-1417693617.cos.ap-seoul.myqcloud.com	Tencent COS bucket hostname pattern used for CodeStorm stage-two payload hosting
Network activity	domain	*-1317754460.cos.ap-seoul.myqcloud.com	Tencent COS bucket hostname pattern used for CodeStorm stage-two payload hosting
Network activity	domain	*-1323985617.cos.ap-seoul.myqcloud.com	Tencent COS bucket hostname pattern used for CodeStorm stage-two payload hosting
Network activity	text	APPID 1388504898 – Tencent COS bucket (ap-seoul)	Tencent Cloud account hosting CodeStorm stage-two payloads
Network activity	text	APPID 1417693617 – Tencent COS bucket (ap-seoul)	Tencent Cloud account hosting CodeStorm stage-two payloads
Network activity	text	APPID 1317754460 – Tencent COS bucket (ap-seoul)	Tencent Cloud account hosting CodeStorm stage-two payloads
Network activity	text	APPID 1323985617 – Tencent COS bucket (ap-seoul)	Tencent Cloud account hosting CodeStorm stage-two payloads