
Fiora Night (REZ) Credential Harvesting & Phishing Operation
Indicators of Compromise
No domains found for this campaign
APT Groups
A financially motivated threat actor running a credential-harvesting and phishing operation. Telegram persona "Fiora Night" (@fioraaaight), campaign self-branded "REZ." Operates a Go-based, distributed scanning botnet (Predator/cred_scanner v4.2) that crawls the open web for misconfigured services and exposed .env/.git/CI-CD files, harvests credentials, verifies them live against provider APIs, and feeds results in real time into a Telegram C2 channel. Verified credentials are then used to launch AI-assisted phishing campaigns via a self-built panel called "Ghost Mailer Pro." The operation was discovered through an unauthenticated HTTP directory exposing the actor's own toolkit and infrastructure. No indicators of state sponsorship or espionage — financial motivation only.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
| Technique ID | Technique Name | Detection ID | Detection Name | Recommended Detection Action |
|---|---|---|---|---|
| T1595.002 | Active Scanning: Vulnerability Scanning | DET0701 | Mass Configuration-File Scanning | Alert on HTTP requests probing /.env, /.git/config, or /config.bak across many distinct domains from one source IP in a short window; cross-reference the Go-http-client/1.1 user-agent. |
| T1596 | Search Open Technical Databases | DET0702 | OSINT/CT-Log Harvesting Detection | Monitor bulk queries to crt.sh, Cisco Umbrella Top 1M, or similar domain-list services immediately preceding a spike in scanning traffic from the same source. |
| T1598 | Phishing for Information | DET0703 | Unsolicited AI-Key Validation Probe | Flag POST requests to AI-key test endpoints (e.g., /api/test/ai) submitting third-party sk-ant- / sk-proj- keys for testing. |
| T1583.003 | Acquire Infrastructure: Virtual Private Server | DET0704 | Known Actor VPS Infrastructure | Block and alert on traffic to/from 195.178.110.223 and any newly provisioned VPS exhibiting the same Go-http-client/1.1 scanning signature. |
| T1190 | Exploit Public-Facing Application | DET0705 | Exposed-Service Exploitation Detection | Correlate exploitation attempts against Log4j, ChromaDB (port 8000), Ghost CMS Admin API, and BeyondTrust with CVE-2021-44228 / CVE-2026-45829 / CVE-2026-26980 / CVE-2026-1731 signatures. |
| T1566.002 | Phishing: Spearphishing Link | DET0706 | Ghost Mailer Pro Lure Detection | Block/flag inbound mail matching the “Your invitation is ready” subject and sender persona “Jupiter”; inspect links for tracking-pixel redirectors tied to 195.178.110.223. |
| T1078 | Valid Accounts | DET0707 | Stolen Credential Reuse Detection | Alert on authentication to cloud, SMTP, or SaaS accounts from IPs inconsistent with prior account history, especially shortly after the credential type appears in a public exposure feed. |
| T1586 | Compromise Accounts | DET0708 | Compromised Sender Account Reuse | Monitor outbound mail volume/reputation for SMTP accounts (aerokod.ru, empor.fi, audisystemdelcaribe.co, qq.com domains) for bulk-send behavior inconsistent with baseline. |
| T1110.001 | Brute Force: Password Guessing | DET0709 | JWT Secret Brute-Force Detection | Alert on repeated JWT validation failures against one endpoint using a rotating list of common secrets. |
| T1552.001 | Unsecured Credentials: Credentials In Files | DET0710 | Exposed Credential File Access | Alert on any external request to /.env, /.env.bak, /config.bak, /settings.py.bak, or /database.php returning HTTP 200. |
| T1552.004 | Unsecured Credentials: Private Keys | DET0711 | Private Key Exposure Detection | Scan public-facing directories and repositories for PEM-formatted keys and id_rsa files; alert on any match in a web root. |
| T1528 | Steal Application Access Token | DET0712 | Application Token Theft Detection | Monitor GitHub/GitLab audit logs for token use from source IPs outside known CI/CD ranges, especially tokens with workflow or admin:org scope. |
| T1539 | Steal Web Session Cookie | DET0713 | Session/Token Theft via Heap Dump | Alert on externally reachable .hprof heap-dump files or exported Postman/Insomnia collections, both confirmed harvesting sources for live session material. |
| T1046 | Network Service Discovery | DET0714 | Unauthenticated DB Service Discovery | Alert on unauthenticated scans of Redis (6379) and Elasticsearch (9200) ports followed by a KEYS * or index-enumeration call. |
| T1619 | Cloud Storage Object Discovery | DET0715 | S3 Bucket / Signed-URL Enumeration | Alert on S3 bucket enumeration and signed-URL parameter harvesting from non-application source IPs. |
| T1530 | Data from Cloud Storage Object | DET0716 | Public Bucket Data Exfiltration | Alert on bulk GET requests against public-read S3 buckets, especially objects named .env or .env.bak. |
| T1213 | Data from Information Repositories | DET0717 | Heap-Dump Collection Detection | Alert on .hprof creation/access on Cloudflare Pages/Workers deployments followed by outbound transfer. |
| T1071.001 | Application Layer Protocol: Web Protocols | DET0718 | Telegram Bot API C2 Detection | Flag outbound HTTPS to api.telegram.org from server-side hosts with no legitimate Telegram dependency; cross-reference bot ID 8549009104. |
| T1132 | Data Encoding | DET0719 | Encoded C2 Payload Detection | Inspect outbound traffic to known C2 infrastructure for base64-style encoded payloads inside otherwise normal HTTPS requests. |
| T1496 | Resource Hijacking | DET0720 | Self-Propagating Cloud Resource Abuse | Alert on new EC2/Compute instances launched with a long-term IAM/service-account key shortly after exposure, paired with anomalous billing spikes. |
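The two file-exposure detections in the table, DET0701 (one source IP probing configuration-file paths across many vhosts in a short window, with the Go-http-client/1.1 user-agent as a corroborating signal) and DET0710 (a request for one of those paths that is answered with HTTP 200), implemented as an added example over constructed web-server access logs; this is illustrative detection logic, not code from the page or from the actor's toolkit, and the thresholds (3 hosts, 5 minutes), the vhost-prefixed log format, and all hostnames and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access log (vhost-prefixed combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
shop.example.org 203.0.113.45 - - [12/Mar/2026:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Go-http-client/1.1"
blog.example.net 203.0.113.45 - - [12/Mar/2026:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Go-http-client/1.1"
api.example.com 203.0.113.45 - - [12/Mar/2026:10:00:03 +0000] "GET /config.bak HTTP/1.1" 200 2048 "-" "Go-http-client/1.1"
www.example.io 203.0.113.45 - - [12/Mar/2026:10:00:04 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "Go-http-client/1.1"
www.example.io 198.51.100.7 - - [12/Mar/2026:10:30:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
"""
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Paths named in DET0701/DET0710 and the user-agent the page attributes to the scanner.
SENSITIVE_PATHS = {"/.env", "/.env.bak", "/.git/config", "/config.bak", "/settings.py.bak", "/database.php"}
SCANNER_UA = "Go-http-client/1.1"

def parse_log(text):
    """Parse log lines into dicts; unparseable lines are skipped rather than aborting the batch."""
    events = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        events.append(e)
    return events

def detect_mass_scanning(events, min_hosts=3, window=timedelta(minutes=5)):
    """DET0701: one source IP probing sensitive paths on >= min_hosts distinct vhosts within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"] in SENSITIVE_PATHS:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, probes in by_ip.items():
        probes.sort(key=lambda p: p["ts"])
        for i, first in enumerate(probes):  # slide a window starting at each probe
            hits = [p for p in probes[i:] if p["ts"] - first["ts"] <= window]
            hosts = {p["host"] for p in hits}
            if len(hosts) >= min_hosts:
                alerts.append({"det": "DET0701", "ip": ip, "hosts": len(hosts),
                               "scanner_ua": any(p["ua"] == SCANNER_UA for p in hits)})
                break  # one alert per source IP is enough
    return alerts

def detect_exposed_file_hits(events):
    """DET0710: a sensitive path answered with HTTP 200, i.e. the file really is exposed."""
    return [{"det": "DET0710", "ip": e["ip"], "host": e["host"], "path": e["path"]}
            for e in events if e["path"] in SENSITIVE_PATHS and e["status"] == 200]
```

The single curl probe against one host stays below the DET0701 threshold, while the 200 on /config.bak surfaces as a DET0710 hit regardless of how many hosts were scanned, which is the distinction that matters for prioritising response.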