📃Title: GhostCargo, a 5-year campaign
📅Date: 2026-04-21
🔗References:
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: intrusion-analysis
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- financial-fraud="Phishing"
- financial-fraud="Fake Website"
- financial-fraud="Distraction"
- financial-fraud="Scam"
- financial-fraud="Merchant Fraud"
- financial-fraud="Compromised Personally Identifiable Information (PII)"
- target-information="Malaysia"
- country="indonesia"
- country="venezuela"
- country="australia"
- online-service="b0c71d51-34fd-47b5-9eb4-dd406ffc607f"
- online-service="01031d3f-c9c9-4288-bb58-234c38e4246e"
- mitre-attack-pattern=['T1657', 'T1056', 'T1204.001', 'T1036', 'T1593', 'T1566.002']
MISP event uuid: 9c16b2b8-dd25-4533-958e-97d8d1c92cca
Indicators of Compromise (IoCs)
type, value, comment
hostname, bnk.ing-boa.pro, 'Active fake Barclays portal'
domain, ing-boa.pro, 'Parent domain; wildcard cert *.ing-boa[.]pro issued Feb 2026'
domain, jetexpressdeliveries.com, 'Fake logistics front (Drupal + transpix theme)'
hostname, barcl.ays-uk.com, 'Predecessor Barclays portal (Jun 2024 to May 2025, now NXDOMAIN)'
domain, ays-uk.com, 'Parent of predecessor; same Hostinger IP'
hostname, ban.king-en.com, 'Predecessor bank portal (Feb 2023, now NXDOMAIN)'
domain, king-en.com, 'Parent domain; wildcard cert from Dec 2020'
domain, topexpresdelivery.com, 'Predecessor delivery domain (Sep 2020, HTTrack source)'
domain, doorcargoexpress.com, 'Predecessor tracking page template (Feb 2023)'
domain, ermontexpressdelivery.com, 'Same-Actor Domain - Fake delivery; same NS, IP, registrar'
domain, fastlinkquickdelivery.com, 'Same-Actor Domain - Fake delivery; same NS, IP, registrar'
domain, firstcredituni.pro, 'Same-Actor Domain - Fake bank; confirmed Bankpro default deployment, .pro TLD match'
domain, suntrustcomunityfcu.com, 'Fake credit union'
domain, cresttcredit.com, 'Fake credit institution'
domain, trusteqbank.com, 'Fake bank'
domain, metropolis-credit.com, 'Fake credit'
domain, finestostandard.com, 'Fake financial institution'
domain, digitaltradechainpro.com, 'Fake trading platform'
domain, expert-traders.net, 'Fake trading'
domain, coinbaseminingfarm.com, 'Coinbase impersonation / crypto scam'
domain, greenfund.live, 'Fake charity / investment'
domain, futurezioncharity.org, 'Fake charity'
domain, daltevintransact.online, 'Fake transaction service'
domain, zeltextransact.click, 'Fake transaction service'
domain, hiltonacessglobal.com, 'Fake Hilton access / global services'
domain, zenixtransit.online, 'Fake transit / logistics'
domain, royalgatesschools.com, 'Fake school with finance admin portal'
domain, credixrise.com, 'Fake banking (Cloudflare NS, same IP)'
ip-dst, 198.251.89.82, 'Primary hosting IP (FranTech AS53667, Cheyenne WY)'
ip-dst, 91.108.101.78, 'barcl.ays-uk[.]com hosting IP (Hostinger, Paris)'
ip-dst, 46.202.172.167, 'jetexpressdeliveries[.]com hosting IP (Hostinger)'
hostname, ns115.my-control-panel.com, 'Hosted on same IP as scam domains'
hostname, ns116.my-control-panel.com, 'Hosted on same IP as scam domains'
domain, zentroid.com, 'Unrelated site'
domain, ultraviewvault.com, 'Unrelated site'
email-src, admin@ing-boa.pro, 'Operator contact'
email-src, support@indigenousservice.com, 'Contact email on firstcredituni[.]pro'
email-src, support@dirtyscripts.shop, 'Bankpro kit default admin login'
Full IoCs available in Rectifyq's MISP