July 14, 2026
Investigation #001: Unmasking the Infrastructure Behind the 1-Trillion-VND VNeID Phishing Campaign
Seeing news reports about scammers stealing nearly 1 trillion VND from innocent people by impersonating online public services hits hard…

By Castiel.
5 min read
Seeing news reports about scammers stealing nearly 1 trillion VND from innocent people by impersonating online public services hits hard. They lure victims into installing malicious APK files, wiping out their bank accounts in minutes. I decided to dig into one of the active lookalike domains — vneid.com—to map out their backend architecture and find out where these threat actors are hiding.
Lừa đảo núp bóng dịch vụ công trực tuyến Mạo danh cơ quan công an, ngân hàng, Bảo hiểm xã hội (BHXH) để yêu cầu người dân cài đặt ứng dụng là một trong những…
The following section outlines the technical analysis and methodology used to map the threat actor's backend infrastructure.
1. The Lure & The "Sleeping Beauty" Tactic
Flawless Clones & Security Evasion
- The threat actors created a near-perfect visual replica of the official Ministry of Public Security's VNeID app download page. It's a classic, high-conversion lure site designed to trick users into downloading a malicious Android package (APK)
When I checked the URL on VirusTotal, the detection rate was a shocking 2/91. Only CRDF and Webroot flagged it, while major local and global security providers marked it as completely "Clean". This means the campaign is fresh, stealthy, and actively bypassing standard web filters.
The Aged Domain Trick
- Looking at the historical data on Urlscan, the domain
vneid.comwas actually registered way back on September 12, 2021. However, Certificate Transparency (CT) logs oncrt.shreveal that its SSL certificates (from Let's Encrypt and Google Trust Services) were all abruptly issued in early July 2026.
My CTI Take: This tactic leverages aged domain names to bypass reputation-based security controls. Threat actors frequently acquire or repurpose expired domains and leave them dormant for extended periods. Because automated security systems often assign higher trust scores to older domains compared to newly registered ones, activating a 2021 domain in July 2026 allows the campaign to evade standard anomaly detection mechanisms.
2. Bypassing Cloudflare via Operational Security (OPSEC) Deficiencies
The threat actors attempted to conceal their true origin server IP address behind Cloudflare's reverse proxy infrastructure. However, an operational security (OPSEC) deficiency in their mail server configuration exposed the underlying hosting environment.
The scammers tried to hide their real server IP behind Cloudflare's reverse proxy. But they made a classic operational security (OPSEC) blunder: they misconfigured their mail server.
The DNS Leak
During the analysis of the crt.sh logs, certificates were observed for subdomains including cpanel.vneid.com, webmail.vneid.com, and mail.vneid.com. This indicates the use of a standard commercial shared hosting environment managed via cPanel, rather than a customized, hardened infrastructure. The primary point of exposure was identified within the domain's Mail Exchanger (MX) record via dnstwist: hkg105.arandomserver.com.
While Cloudflare proxies HTTP/HTTPS web traffic, traditional mail protocols often expose the server's origin if they are not specifically routed through a secure mail proxy. Consequently, the backend mail server was left visible. The host prefix "hkg105" standardly designates a network routing location in Hong Kong (HKG).
Because Cloudflare protects web traffic but doesn't easily proxy traditional mail protocols without revealing origin points, their real mail server was left completely exposed. The prefix hkg105 was a massive hint suggested to Hong Kong (HKG).
Finding the Origin Server
I queried hkg105.arandomserver.com and successfully uncovered the underlying network infrastructure:
Origin Server IP (A Record): 172.96.185.129
Outbound Mail IP (SPF Record): 172.96.185.138
Both IPs reside within the same subnet (172.96.185.0/24). Cross-referencing the origin IP via Ipinfo revealed that this IP belongs to a commercial shared hosting node managed by Hawk Host Inc. under AS133752 (LEASEWEB HONG KONG LIMITED).
My CTI Take: The fact that Anycast routing is disabled confirms we have successfully bypassed Cloudflare's shielding to find the true backend hosting provider. However, because this is a Shared Hosting environment rather than a dedicated rogue server, the threat actors are merely operating as a single malicious tenant among potentially hundreds of legitimate websites sharing the same server node. This critical distinction changes our mitigation strategy completely.
3. The TLD Strategy: Why Scammers Love ".com"
Why did the attackers choose vneid.com instead of trying to spoof the official .gov.vn country-code extension? It boils down to economics and frictionless scaling:
- Zero Verification Barriers: Registering a .gov.vn domain requires strict Know-Your-Customer (KYC) vetting by the Vietnam Internet Network Information Center (VNNIC), including official state credentials and physical paperwork. It's impossible to do anonymously. On the flip side, commercial gTLDs like .com can be bought in bulk via automated registrar APIs in seconds using fake names and stolen credit cards.
- Exploiting Takedown Latency: If a rogue .vn domain pops up, local authorities (NCSC, VNNIC) can execute a manual or automated DNS suspension within minutes. By going international with a .com registry, the attackers exploit jurisdictional gaps. International abuse handling takes hours or even days, giving the campaign a wider "golden window" to harvest victims.
- Hacking Human Psychology & Truncated UIs: The everyday user suffers from a familiarity heuristic — they blindly trust .com because it's the global default for the internet, forgetting that government platforms always reside on state domains. Furthermore, mobile users usually click these phishing links inside in-app browsers (like Zalo, Telegram, or Facebook Messenger), which automatically cut off or completely hide the URL address bar, leaving only the brand name vneid visible.
- Disposable Infrastructure: Modern Malware-as-a-Service (MaaS) operations treat domains as low-cost, disposable assets. Losing a $10 .com domain doesn't hurt their bottom line when they are pulling in massive criminal profit margins.
Infrastructure vs. Payload: A Note on the APK Delivery Chain
While this investigation successfully maps the network infrastructure of the lookalike landing page, a critical component of this campaign relies on the malicious Android Package (APK) itself. In professional threat intelligence, it is common to see threat actors separate their web frontends from their actual payload delivery or Command and Control (C2) servers.
A crucial next step in this intelligence cycle involves performing static and dynamic analysis on the malicious VNeID APK. Extracting hardcoded C2 domains, secondary IP addresses, or embedded Telegram Bot API tokens from the malware configuration will provide the missing link to map out the threat group's wider operational ecosystem.
MITRE ATT&CK Matrix Mapping
To contextualize the threat actor's behaviors, the observed tactics and techniques have been mapped to the standardized MITRE ATT&CK framework:
- Resource Development::T1583.001 (Domains): Acquired an aged domain (
vneid.com) registered in 2021 to exploit historical domain reputation systems and bypass standard security trust metrics (The "Sleeping Beauty" play). - Resource Development::T1588.003 (Digital Certificates): Obtained valid SSL/TLS certificates from Let's Encrypt and Google Trust Services to mimic legitimate, encrypted web traffic.
- Initial Access::T1566.002 (Spearphishing Link): Conducted brand impersonation by directing victims to a highly accurate visual replica of the official government portal to facilitate malicious downloads.
- Defense Evasion::T1090 (Proxy): Leveraged Cloudflare's reverse proxy infrastructure to conceal the true location and identity of the origin hosting backend.
Conclusion & Action Taken
While mitigating human-centric social engineering vectors remains a complex challenge, systematically disrupting the technical infrastructure underlying these campaigns is highly effective.
Having mapped the exposed backend infrastructure to a specific Hawk Host shared hosting node in Hong Kong, I am transforming this data into actionable intelligence. I have compiled the technical findings, archived the passive DNS logs, and submitted a targeted abuse report to the hosting provider's designated contact (netabuse@as20068.net). Rather than asking to block the entire IP, which would cause massive collateral damage to innocent websites on that shared node, the request explicitly demands the immediate suspension of the specific cPanel tenant account hosting the phishing assets and the revocation of the vneid.com domain mapping. This disrupts their operation at the source, neutralizing the immediate threat while forcing the scammers to spend more time and capital to rebuild their setup.
Indicators of Compromise (IOCs)
Domain: vneid[.]com
Subdomain:
- vneid[.]com
- mail[.]vneid[.]com
- cpanel[.]vneid[.]com
IPv4 Address:
- 172.96.185[.]129
- 172.96.185[.]138
ASN: AS133752 (LEASEWEB HONG KONG LIMITED)