Cyble threat intelligence researchers have uncovered a phishing campaign targeting Hungarian government entities, which they later connected to broader global attacks aimed at the banking and logistics sectors. The campaign began with a phishing link that directed users to a fake login page impersonating HunCERT, Hungary’s Computer Emergency Response Team. According to a blog post published by Cyble, the login page was prefilled with the victim’s email address to increase the likelihood that they would enter their password.
Researchers determined that the phishing pages were created using the LogoKit phishing kit. These fake pages were hosted on Amazon S3, giving them a more credible appearance and helping them evade detection. To further enhance legitimacy, the attackers also integrated Cloudflare Turnstile, a verification tool designed to mimic security features.
Because of these tactics, the domain collecting user credentials managed to remain undetected. Cyble noted that VirusTotal showed no detections for it during their investigation. Cyble Research and Intelligence Labs (CRIL) reported that the phishing URLs contained legitimate-looking HunCERT email addresses already filled in the username field. Two of the URLs included in the campaign were:
- flyplabtk[.]s3.us-east-2.amazonaws.com/q8T1.../he-opas.html?email=
عنوان البريد الإلكتروني هذا محمي من روبوتات السبام. يجب عليك تفعيل الجافاسكربت لرؤيته. - flyplabtk[.]s3.us-east-2.amazonaws.com/q8T1.../he-opas.html?email=
عنوان البريد الإلكتروني هذا محمي من روبوتات السبام. يجب عليك تفعيل الجافاسكربت لرؤيته.
The phishing page closely resembled an authentic login portal. Cloudflare Turnstile verification added to the deception, making users believe the site was secure. Once a user submitted the form, a fake error message appeared stating, “Error Submitting form. Please try again.”
Cyble also discovered that the phishing page used the Clearbit Logo API to fetch logos based on the domain name and Google’s S2 Favicon API to retrieve icons based on the email address. These elements helped make the pages look customized and trustworthy.
LogoKit is widely used in phishing campaigns because it simplifies the process of creating convincing phishing pages. It automatically embeds the victim’s email in the URL, generates matching layouts, and fetches logos and icons in real time. This automation allows threat actors to scale their attacks efficiently while keeping them visually convincing.
Once credentials were entered, they were sent to a malicious server at mettcoint[.]com/js/error-200.php. Researchers found an open directory on this domain containing multiple PHP files and phishing tools. One of the folders included a fake login page mimicking the WeTransfer file-sharing service.
Open-source intelligence revealed that mettcoint[.]com had been used in various phishing attacks. Other victims included Kina Bank in Papua New Guinea, the Catholic Church in the United States, and logistics companies in Saudi Arabia.
The domain was registered in October 2024 and has been actively involved in phishing campaigns since February 2025. Cyble reported that the domain still had zero detections on VirusTotal and remained live at the time of their analysis. This indicates that the campaign is likely still ongoing, with attackers continuing to pursue victims around the world.
Cyble warned that these phishing campaigns highlight a major vulnerability in cybersecurity: the human factor. While human users can be the first line of defense, they are also frequently exploited through believable and well-crafted attacks.
To help prevent phishing attacks, Cyble recommended several security practices:
- Be cautious when clicking on links in emails or text messages
- Use reputable antivirus and internet security tools on all devices
- Provide ongoing training to employees about phishing and malicious URLs
- Implement secure email gateways to detect and block harmful content
- Use multi-factor authentication (MFA) to reduce the impact of stolen credentials
- Monitor for unusual login activity or access from suspicious IP addresses
- Keep systems, applications, and devices updated with the latest security patches
These combined measures can help reduce the risk of phishing attacks and improve organizational security.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
