Fiora Night (REZ) Credential Harvesting & Phishing Operation

Tags: Ghost Mailer Pro, Telegram C2, Fiora Night, Phishing, Credential Harvesting

Fiora Night (REZ) is a financially motivated, Go-based distributed scanning botnet that crawls the web for exposed secrets (.env files, Git configs, S3 URLs, JVM heap dumps) and verifies them live via provider APIs. High-value hits stream to a private Telegram C2 channel and feed an unauthenticated phishing console, "Ghost Mailer Pro," currently targeting GMX users. A single 62-minute scan of 35,072 domains yielded 3,333 verified credentials and 153,911 IOC lines across 5,387 victim domains in 75+ countries, including live AWS, Stripe, GitHub, Anthropic, and OpenAI keys plus confirmed Log4Shell RCE on 395 hosts. Assessed as a novel, francophone-origin actor.

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

Fiora Night

A financially motivated threat actor running a credential-harvesting and phishing operation. Telegram persona "Fiora Night" (@fioraaaight), campaign self-branded "REZ." Operates a Go-based, distributed scanning botnet (Predator/cred_scanner v4.2) that crawls the open web for misconfigured services and exposed .env/.git/CI-CD files, harvests credentials, verifies them live against provider APIs, and feeds results in real time into a Telegram C2 channel. Verified credentials are then used to launch AI-assisted phishing campaigns via a self-built panel called "Ghost Mailer Pro." The operation was discovered through an unauthenticated HTTP directory exposing the actor's own toolkit and infrastructure. No indicators of state sponsorship or espionage — financial motivation only.

Rezsmtpponly

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediation

Each entry below lists the MITRE ATT&CK technique, the matching detection, and the recommended detection action.

T1595.002  Active Scanning: Vulnerability Scanning
  DET0701  Mass Configuration-File Scanning
  Action: Alert on HTTP requests probing /.env, /.git/config, or /config.bak across many distinct domains from one source IP in a short window; cross-reference the Go-http-client/1.1 user-agent.

T1596  Search Open Technical Databases
  DET0702  OSINT/CT-Log Harvesting Detection
  Action: Monitor bulk queries to crt.sh, Cisco Umbrella Top 1M, or similar domain-list services immediately preceding a spike in scanning traffic from the same source.

T1598  Phishing for Information
  DET0703  Unsolicited AI-Key Validation Probe
  Action: Flag POST requests to AI-key test endpoints (e.g., /api/test/ai) submitting third-party sk-ant- / sk-proj- keys for testing.

T1583.003  Acquire Infrastructure: Virtual Private Server
  DET0704  Known Actor VPS Infrastructure
  Action: Block and alert on traffic to/from 195.178.110.223 and any newly provisioned VPS exhibiting the same Go-http-client/1.1 scanning signature.

T1190  Exploit Public-Facing Application
  DET0705  Exposed-Service Exploitation Detection
  Action: Correlate exploitation attempts against Log4j, ChromaDB (port 8000), Ghost CMS Admin API, and BeyondTrust with CVE-2021-44228 / CVE-2026-45829 / CVE-2026-26980 / CVE-2026-1731 signatures.

T1566.002  Phishing: Spearphishing Link
  DET0706  Ghost Mailer Pro Lure Detection
  Action: Block/flag inbound mail matching the "Your invitation is ready" subject and sender persona "Jupiter"; inspect links for tracking-pixel redirectors tied to 195.178.110.223.

T1078  Valid Accounts
  DET0707  Stolen Credential Reuse Detection
  Action: Alert on authentication to cloud, SMTP, or SaaS accounts from IPs inconsistent with prior account history, especially shortly after the credential type appears in a public exposure feed.

T1586  Compromise Accounts
  DET0708  Compromised Sender Account Reuse
  Action: Monitor outbound mail volume/reputation for SMTP accounts (aerokod.ru, empor.fi, audisystemdelcaribe.co, qq.com domains) for bulk-send behavior inconsistent with baseline.

T1110.001  Brute Force: Password Guessing
  DET0709  JWT Secret Brute-Force Detection
  Action: Alert on repeated JWT validation failures against one endpoint using a rotating list of common secrets.

T1552.001  Unsecured Credentials: Credentials In Files
  DET0710  Exposed Credential File Access
  Action: Alert on any external request to /.env, /.env.bak, /config.bak, /settings.py.bak, or /database.php returning HTTP 200.

T1552.004  Unsecured Credentials: Private Keys
  DET0711  Private Key Exposure Detection
  Action: Scan public-facing directories and repositories for PEM-formatted keys and id_rsa files; alert on any match in a web root.

T1528  Steal Application Access Token
  DET0712  Application Token Theft Detection
  Action: Monitor GitHub/GitLab audit logs for token use from source IPs outside known CI/CD ranges, especially tokens with workflow or admin:org scope.

T1539  Steal Web Session Cookie
  DET0713  Session/Token Theft via Heap Dump
  Action: Alert on externally reachable .hprof heap-dump files or exported Postman/Insomnia collections, both confirmed harvesting sources for live session material.

T1046  Network Service Discovery
  DET0714  Unauthenticated DB Service Discovery
  Action: Alert on unauthenticated scans of Redis (6379) and Elasticsearch (9200) ports followed by a KEYS * or index-enumeration call.

T1619  Cloud Storage Object Discovery
  DET0715  S3 Bucket / Signed-URL Enumeration
  Action: Alert on S3 bucket enumeration and signed-URL parameter harvesting from non-application source IPs.

T1530  Data from Cloud Storage Object
  DET0716  Public Bucket Data Exfiltration
  Action: Alert on bulk GET requests against public-read S3 buckets, especially objects named .env or .env.bak.

T1213  Data from Information Repositories
  DET0717  Heap-Dump Collection Detection
  Action: Alert on .hprof creation/access on Cloudflare Pages/Workers deployments followed by outbound transfer.

T1071.001  Application Layer Protocol: Web Protocols
  DET0718  Telegram Bot API C2 Detection
  Action: Flag outbound HTTPS to api.telegram.org from server-side hosts with no legitimate Telegram dependency; cross-reference bot ID 8549009104.

T1132  Data Encoding
  DET0719  Encoded C2 Payload Detection
  Action: Inspect outbound traffic to known C2 infrastructure for base64-style encoded payloads inside otherwise normal HTTPS requests.

T1496  Resource Hijacking
  DET0720  Self-Propagating Cloud Resource Abuse
  Action: Alert on new EC2/Compute instances launched with a long-term IAM/service-account key shortly after exposure, paired with anomalous billing spikes.
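As an added illustration of DET0701 (mass configuration-file scanning) and DET0710 (exposed credential file access), the following Python applies both rules to a constructed vhost-combined access log. It is not code from the original report; the hostnames, IP addresses and timestamps are made up, and the 5-minute / 3-host thresholds are assumed values a defender would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (vhost + combined format); not from the original report.
SAMPLE_LOG = """\
shop-a.example 203.0.113.9 - - [03/May/2026:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Go-http-client/1.1"
blog-b.example 203.0.113.9 - - [03/May/2026:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Go-http-client/1.1"
api-c.example 203.0.113.9 - - [03/May/2026:10:00:03 +0000] "GET /config.bak HTTP/1.1" 404 153 "-" "Go-http-client/1.1"
corp-d.example 203.0.113.9 - - [03/May/2026:10:00:04 +0000] "GET /.env HTTP/1.1" 200 812 "-" "Go-http-client/1.1"
shop-a.example 198.51.100.7 - - [03/May/2026:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
shop-a.example 198.51.100.7 - - [03/May/2026:10:05:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Paths named in DET0701 and DET0710.
CONFIG_PATHS = {"/.env", "/.env.bak", "/.git/config", "/config.bak", "/settings.py.bak", "/database.php"}

def parse(log):
    # Yield one dict per well-formed line; malformed lines are skipped.
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            d["status"] = int(d["status"])
            yield d

EVENTS = list(parse(SAMPLE_LOG))

def mass_config_scanners(events, min_hosts=3, window=timedelta(minutes=5)):
    """DET0701: one source IP probing config paths on >= min_hosts distinct vhosts within a window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"] in CONFIG_PATHS:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window anchored at each probe
            hosts = {e["vhost"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits[ip] = {"hosts": len(hosts), "go_client": any(e["ua"].startswith("Go-http-client") for e in evs)}
                break
    return hits

def exposed_config_hits(events):
    """DET0710: any request for a config path that the server answered with HTTP 200."""
    return [(e["vhost"], e["path"], e["ip"]) for e in events if e["path"] in CONFIG_PATHS and e["status"] == 200]
```

A DET0710 hit is the higher-priority finding: a 200 means the file is actually exposed, so rotate every secret in it rather than only blocking the scanner.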

Observed Countries (250)
