
Fiora Night (REZ) Credential Harvesting & Phishing Operation
Fiora Night (REZ) is a financially motivated, Go-based distributed scanning botnet that crawls the web for exposed secrets (.env files, Git configs, S3 URLs, JVM heap dumps) and verifies them live via provider APIs. High-value hits stream to a private Telegram C2 channel and feed an unauthenticated phishing console, "Ghost Mailer Pro," currently targeting GMX users. A single 62-minute scan of 35,072 domains yielded 3,333 verified credentials and 153,911 IOC lines across 5,387 victim domains in 75+ countries, including live AWS, Stripe, GitHub, Anthropic, and OpenAI keys plus confirmed Log4Shell RCE on 395 hosts. Assessed as a novel, francophone-origin actor.
Indicators of Compromise
Hashes (9)
195.178.110.223
APT Groups
Fiora Night
Notes
<span id="docs-internal-guid-5bffeaef-7fff-d466-100e-b19086eb57c1"><span style="font-size: 13pt; font-family: Arial, sans-serif; color: rgb(46, 46, 99); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Conclusion <span style="font-weight:normal;" id="docs-internal-guid-f4cf6c7d-7fff-f65c-b22a-a8a1b768e29e"><p style="line-height:1.2;margin-top:0pt;margin-bottom:8pt;"><span style="font-size: 11pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">Fiora Night (REZ) demonstrates how a single operator, working with off-the-shelf cloud APIs and a self-built Go toolchain, can compound credential theft into a self-funding, self-propagating botnet and a live phishing operation — all surfaced through one operational-security mistake: an unauthenticated open directory exposing the actor’s own C2 token. The combination of confirmed live AI, payment, and code-hosting credentials, a five-year-old RCE still working at scale, and a currently active phishing campaign with real victim clicks makes this a high-priority, time-sensitive notification case rather than a purely historical finding.</span></p><p style="line-height:1.2;margin-top:0pt;margin-bottom:8pt;"><span style="font-size: 11pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">SOCRadar customers can track this campaign across the </span><span style="font-size: 11pt; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline;"><a href="https://">SOCRadar</a></span><span style="font-size: 11pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;"> platform using IOC Radar (hash, domain, and IP hunting against 195.178.110.223 and associated indicators), Cyber Threat Intelligence (CTI) module (ongoing campaign and victim-domain tracking), Attack 
Surface Management (ASM) (exposure checks for .env/.git/backup files and unauthenticated Redis/Elasticsearch/ChromaDB instances), and Dark Web Monitoring (tracking the “REZ Smtp Only” channel and any successor C2 channels).</span></p><div><span style="font-size: 11pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;"><br></span></div></span></span></span>
Mitigation
<span id="docs-internal-guid-06675ab6-7fff-9c61-af38-6989ab738248"><span style="font-size: 16pt; font-family: Arial, sans-serif; color: rgb(31, 41, 51); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Mitigation <span style="font-weight:normal;" id="docs-internal-guid-3e443d90-7fff-cf5f-289b-91d1d98a38e2"><span style="font-size: 11pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;">The following mitigations apply to any organization with internet-exposed applications, cloud infrastructure, or accounts that may intersect with Fiora Night (REZ)’s opportunistic scanning, or that has identified itself among the victim indicators in this report. Controls are ordered by implementation priority.</span></span></span></span><div><span><span style="font-size: 16pt; font-family: Arial, sans-serif; color: rgb(31, 41, 51); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="font-weight:normal;"><span style="font-size: 11pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline;"><br></span></span></span></span></div><div><span id="docs-internal-guid-a6aad010-7fff-ed37-1dc2-74ac2a7545f1"><span style="font-size: 13pt; font-family: Arial, sans-serif; color: rgb(46, 46, 99); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Immediate Actions </span></span><span><span style="font-size: 16pt; font-family: Arial, sans-serif; color: rgb(31, 41, 51); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="font-weight:normal;"><span style="font-size: 11pt; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: 
baseline;"></span></span></span></span></div><div><span id="docs-internal-guid-b31d5933-7fff-0e90-1649-d50e7f04b63a"><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Rotate every credential type catalogued in this report (.env-sourced AWS/GCP keys, GitHub/GitLab tokens, SMTP, Stripe, SendGrid, Resend, Mailjet, Twilio, OpenAI, and Anthropic keys) that has ever been committed to a public or semi-public location.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Treat password rotation alone as insufficient for any secret that also appears in Git commit history — full history rewriting (BFG Repo-Cleaner or git filter-branch) is required, since the historical value remains both in version control and in the actor’s own dump.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Block 195.178.110.223 at the network perimeter 
and across all security tooling (EDR, proxy, firewall, secure email gateway).</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Audit any externally reachable Redis (6379) or Elasticsearch (9200) instance and enable authentication immediately — both are scanned unauthenticated by the actor’s advanced_probes.go module.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Check outbound connection logs for traffic to 195.178.110.223 from any host running ChromaDB, Ghost CMS, or a Java application with bundled Log4j — the actor’s four confirmed exploitation targets.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">If your organization uses GMX, Mailjet, Twilio, SendGrid, Resend, or Stripe, check whether any account matches the active phishing-sender or victim accounts listed in the Indicators of Compromise summary.</span></p></li></ul><div><font 
color="#000000"><span style="font-size: 14.6667px;"><br></span></font></div><div><span id="docs-internal-guid-f7809dc8-7fff-3db9-8470-88098c13f042"><span style="font-size: 13pt; font-family: Arial, sans-serif; color: rgb(46, 46, 99); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Short-Term Controls</span></span><font color="#000000"><span style="font-size: 14.6667px;"></span></font></div><div><span><span style="font-size: 13pt; font-family: Arial, sans-serif; color: rgb(46, 46, 99); background-color: transparent; font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"><br></span></span></div><div><span id="docs-internal-guid-3d066ef9-7fff-5a66-5c50-7abd6dd448af"><ul style="margin-top:0;margin-bottom:0;"><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Remove secrets from .env, config.bak, settings.py.bak, and similar files in web-server document roots; block direct access to /.env, /.env.*, /.git/, /backup.*, and /config.bak at the web server or WAF layer.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Migrate secrets to a managed secrets store (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager) rather than flat 
configuration files.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Patch or network-isolate any internet-facing application with a bundled Log4j dependency; this actor confirmed live remote code execution on hosts unpatched five years after CVE-2021-44228 disclosure.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Restrict ChromaDB and other vector-database deployments to internal networks only; never expose the default port (8000) externally without authentication.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Enable cloud audit-log alerting for API or secret usage originating from source IPs outside known CI/CD or office ranges, to catch reuse of stolen long-term IAM keys.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; 
font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Review DNS zone-transfer (AXFR) configuration to ensure transfers are restricted to authorized secondary nameservers only.</span></p></li><li style="list-style-type: disc; font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:4pt;" role="presentation"><span style="font-size: 11pt; background-color: transparent; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Brief end users on the active “Your invitation is ready” phishing lure (sender persona “Jupiter”) currently targeting GMX, GMX.de, and related webmail accounts in Germany, Austria, Switzerland, and the UK.</span></p></li></ul></span></div></span></div>
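As an added example that is not part of the SOCRadar report: a Python check that runs two of the log-review steps above over constructed sample logs, namely requests for the secret-file paths the Short-Term Controls say to block (/.env, /.env.*, /.git/, /backup.*, /config.bak) and outbound flows to 195.178.110.223 as called for under Immediate Actions. The access-log lines use the common log format; the outbound-flow line format and all client addresses are assumptions.

```python
import re
from collections import defaultdict

# Deny-list from the Short-Term Controls (/.env, /.env.*, /.git/, /backup.*,
# /config.bak) turned into one anchored, case-insensitive regex.
SECRET_PATHS = re.compile(
    r"^/(?:\.env(?:\..*)?|\.git/.*|backup\..*|config\.bak)$", re.IGNORECASE
)
C2_IP = "195.178.110.223"  # C2 address from the Indicators of Compromise
# Common log format: client ident user [time] "method target proto" status
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumed (constructed) outbound-flow line: '<ts> src=<ip> dst=<ip> dport=<n>'
CONN_RE = re.compile(r"src=(\S+) dst=(\S+)")


def find_secret_probes(lines):
    """Map each client IP to {path: status} for requests on SECRET_PATHS.
    Any hit shows the host is being crawled for exposed config; a 200
    means the file was actually served and its secrets must be rotated."""
    hits = defaultdict(dict)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not a common-log-format line
        client, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # compare the path without its query string
        if SECRET_PATHS.match(path):
            hits[client][path] = int(status)
    return dict(hits)


def find_c2_contacts(lines):
    """Sorted internal source IPs that opened an outbound flow to C2_IP."""
    sources = set()
    for line in lines:
        m = CONN_RE.search(line)
        if m and m.group(2) == C2_IP:
            sources.add(m.group(1))
    return sorted(sources)


# Constructed sample logs; client addresses are RFC 5737 documentation ranges.
ACCESS_LOG = [
    '203.0.113.9 - - [10/Jan/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153',
    '203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /backup.zip?dl=1 HTTP/1.1" 404 153',
    '198.51.100.4 - - [10/Jan/2025:10:01:00 +0000] "GET /environment/ HTTP/1.1" 200 900',
]
CONN_LOG = [
    "2025-01-10T10:05:00Z src=10.0.0.21 dst=195.178.110.223 dport=443",
    "2025-01-10T10:06:00Z src=10.0.0.33 dst=192.0.2.10 dport=443",
]
```

A 200 on one of the deny-listed paths, as for /.env in the sample, is the signal that rotation (and, for Git-tracked files, history rewriting) is needed rather than just blocking.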