Cybercrime
Cyberattack

"ZephyrScama": The Phishing-as-a-Service platform

OWN-CERT
16/6/2026

ZephyrScama appears to be a mature and actively maintained Phishing-as-a-Service (PhaaS) platform specifically engineered to primarily target French-speaking victims.

OWN Security

This article is available in English only.


As part of its Cyber Threat Intelligence (CTI) operations, OWN conducts external attack surface monitoring to identify, among other threats, fraud attempts, typosquatting activity, and malicious campaigns targeting its clients.

In this context, OWN has observed since late 2025 highly active campaigns in France targeting major organizations. These campaigns rely on phishing kits actively shared across underground channels and distributed through smishing campaigns (SMS-based phishing).

This analysis illustrates a persistent threat landscape reality: despite its long history, smishing remains a particularly effective technique and is still widely exploited by cybercriminals.

This report focuses on a phishing kit identified as "ZephyrScama", a name derived from artefacts found within the associated administration panels. ZephyrScama appears to be a mature and actively maintained Phishing-as-a-Service (PhaaS) platform specifically engineered to primarily target French-speaking victims.

The kit primarily impersonates high-trust French institutions and consumer services, including national health insurance such as Ameli, postal and delivery services such as La Poste, Mondial Relay and Colissimo, streaming platforms such as Netflix, Disney+, as well as energy providers such as EDF.

Figure 1. ZephyrScama operation

What is a phishing kit?

A phishing kit is a ready-to-deploy toolkit (fake web pages, scripts, configuration files and visual assets). It enables cybercriminals to closely mimic the appearance of legitimate websites (banking portals, online services, social media platforms) in order to deceive victims and steal credentials, personal data or payment information. Commonly sold, shared or traded on underground forums and cybercrime marketplaces, these kits are designed for rapid deployment and often require limited technical skills, which explains the massive proliferation of phishing campaigns in recent years. Their increasing sophistication (integration of administration panels, anti-detection mechanisms and dynamic redirects) makes them one of the most widespread and effective threats in today's cybercrime ecosystem.

Starting Point

The investigation began with the identification of a malicious domain:  

  • myaccount-login[.]com

The associated phishing page follows a classic yet effective approach. It relies on deliberately generic wording, suggesting a login to a user account, in order to broaden the pool of potential victims.

When accessing the page, the user is faced with a verification challenge via Cloudflare, including a CAPTCHA. This mechanism serves a dual purpose:

1. Strengthen the page's credibility by simulating legitimate protection

2. Filter automated scraping, crawling and analysis attempts, making detection difficult for security tools

This combination of social engineering and evasion techniques illustrates the level of maturity reached by modern phishing kits.

Figure 2. Fake CloudFlare captcha

Analysis of the source code indicates that the verification step is fake and is designed to mimic Cloudflare's legitimate security check. In this case, the mechanism is used as an anti-automation layer. Behind this façade, no legitimate check is performed. Instead, it acts as a decoy designed to enhance the page's credibility and mislead the user.

After submitting the CAPTCHA, the user is prompted to solve a basic mathematical challenge, presented as an additional "human" verification step.

Figure 3. 2nd fake CloudFlare captcha

Although rudimentary, this process simulates an advanced security process while maintaining the illusion of a protected environment.

In this case, what caught our attention is that the entire challenge (CAPTCHA) is loaded directly within the page's source code. The fake checkbox is displayed first, followed by the fake security code; however, all of these functions are already loaded by default in the page. This behavior is inconsistent with a legitimate CAPTCHA implementation, where challenge generation and validation are typically handled dynamically and not fully exposed client-side.

  const form = document.querySelector('#arec6gwt40 form');
  if (form) {
    const input = document.getElementById('gfqex0g6');
    if (input) {
      // keypress filter: block any key that is not an ASCII digit (0-9)
      input.addEventListener('keypress', function (e) {
        const code = e.which || e.keyCode;
        if (code > 31 && (code < 48 || code > 57)) {
          e.preventDefault();
        }
      });
      // paste filter: only accept clipboard content made entirely of digits
      input.addEventListener('paste', function (e) {
        e.preventDefault();
        const paste = (e.clipboardData || window.clipboardData).getData('text');
        if (/^\d+$/.test(paste)) {
          this.value = paste;
        }
      });
      // input sanitizer: strip any non-numeric character on every change
      input.addEventListener('input', function () {
        this.value = this.value.replace(/[^0-9]/g, '');
      });
    }
    form.addEventListener('submit', function (e) {
      const errorBox = document.getElementById('cf2wi1p762');
      // empty code: block the submission and show a hardcoded French error message
      if (!input.value.trim()) {
        e.preventDefault();
        errorBox.textContent = 'Veuillez saisir le code CAPTCHA.';
        errorBox.style.display = 'block';
        return;
      }
      // the captured extract ends here; the rest of the submit handler is not reproduced
    });
  }

The code implements several input sanitization controls:

  • a keypress filter that only accepts ASCII digits (0-9);
  • a paste filter (through the regex /^\d+$/);
  • an input sanitizer that removes any non-numeric character.

By default, the input labels and messages are hardcoded in French within the loaded script, which may indicate code developed by French-speaking actors or specifically tailored for French underground markets.

Once this step is validated, the victim is redirected to the actual phishing page. As part of this analysis, the page impersonates Netflix. The interface closely replicates the official login page, both visually and functionally, in order to reduce suspicion and increase the likelihood of credential submission.

Figure 4. Fake Netflix login page

After submitting their login credentials, the victim is redirected to an intermediate page framed as a security measure. This page claims that certain account information must be updated, guiding the victim through several consecutive steps designed to maintain engagement and progressively collect additional information.

Figure 5. Fake Netflix login process

This multi-step process is designed to maximize the collection of sensitive data. As the victim progresses through the workflow, they are led to provide personal information, and then, subsequently, banking details. The entire process follows a strategy of progressive social engineering, aiming to establish a climate of trust before exfiltrating critical information.

Figure 6. Fake Netflix credit card information form

Infrastructure used in this campaign

The domain myaccount-login[.]com was observed resolving to the IP address 45.74.47[.]7 between 13/02/2026 and 05/05/2026. By simply pivoting on this IP address, we can discover an initial cluster of 25 associated domains, all malicious and impersonating services or brands such as:

  • Netflix
  • La Poste / Colissimo (French postal and delivery service)
  • Doctolib (French medical booking platform)
  • Ameli (French National Health Insurance service)
  • Mondial Relay (Delivery service provider)

Figure 7. 45.74.47.7 campaign timeline

Passive DNS data indicates that domains associated with this infrastructure were active over a relatively recent period, between February 17, 2026, and May 13, 2026, suggesting a campaign that is still ongoing and regularly renewed.
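The IP pivot and the activity window described above can be reproduced on passive DNS data with a few lines of Python. The following is an added example, not code from the report or from OWN: the passive DNS rows are constructed for illustration, only the seed domain and its IP address are taken from the text, and the other domain names are placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS sample (not records from the report): each row is
# (domain, resolved IP, first_seen, last_seen). The seed domain and IP are the ones
# named in the text; the remaining domain names are invented placeholders.
PDNS_SAMPLE = [
    ("myaccount-login[.]com",       "45.74.47[.]7",  date(2026, 2, 13), date(2026, 5, 5)),
    ("placeholder-netflix-a[.]com", "45.74.47[.]7",  date(2026, 2, 17), date(2026, 4, 2)),
    ("placeholder-colis-b[.]com",   "45.74.47[.]7",  date(2026, 3, 1),  date(2026, 5, 13)),
    ("placeholder-unrelated[.]com", "203.0.113[.]9", date(2025, 11, 4), date(2026, 1, 20)),
]


def pivot_on_ip(records, seed_domain):
    """For every IP the seed domain resolved to, list all domains that shared that IP."""
    seed_ips = {ip for dom, ip, _, _ in records if dom == seed_domain}
    cluster = defaultdict(set)
    for dom, ip, _, _ in records:
        if ip in seed_ips:
            cluster[ip].add(dom)
    return {ip: sorted(doms) for ip, doms in cluster.items()}


def activity_window(records, ip):
    """Earliest first_seen and latest last_seen across all domains resolving to ip, or None."""
    spans = [(fs, ls) for _, rip, fs, ls in records if rip == ip]
    if not spans:
        return None
    return min(fs for fs, _ in spans), max(ls for _, ls in spans)


def timeline(records, ip):
    """Per-domain (domain, first_seen, last_seen) rows ordered by first_seen: a Figure 7-style view."""
    rows = [(dom, fs, ls) for dom, rip, fs, ls in records if rip == ip]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for ip, doms in pivot_on_ip(PDNS_SAMPLE, "myaccount-login[.]com").items():
        start, end = activity_window(PDNS_SAMPLE, ip)
        print(f"{ip}: {len(doms)} domains, active {start} -> {end}")
        for dom, fs, ls in timeline(PDNS_SAMPLE, ip):
            print(f"  {fs}  {ls}  {dom}")
```

The cluster window is the union of the per-domain windows, so it extends beyond the seed domain's own resolution period whenever a sibling domain was registered earlier or renewed later; that is the signal the report uses to call the campaign "still ongoing and regularly renewed".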

We also identified something particularly interesting. Before being used for phishing operations, the domain first exposed an endpoint:

  • /setup

This endpoint temporarily exposed the configuration panel of a phishing kit with a reference at the bottom of the page: “@2025 Zephyr”

Figure 8. ZephyrScama configuration panel

Another key indicator is present in the page title: “ZephyrScama | t.me/zephyr_scama”

This element provides an excellent starting point for expanding the search and identifying other similar infrastructures. By cross-referencing this information, two recurring endpoints emerge:

  • /setup
  • /login

“ZephyrScama” buying process

Figure 9. t.me/ZephyrScama_bot

The entire purchasing workflow is handled through Telegram, significantly lowering the technical barrier to entry. Threat actors can interact with the @ZephyrScama_Bot AutoShop to browse available offerings and purchase phishing kits autonomously. This model removes the need for direct interaction with the seller, further streamlining distribution and enabling scalable access to the service.

Figure 10. t.me/ZephyrScama_bot

Upon accessing the bot, prospective buyers are presented with a dashboard displaying their account balance and active licenses. To fund their account, the bot supports multiple cryptocurrency payment options, including: Bitcoin (BTC), Ethereum (ETH), USDT/USDC (ERC20), Solana (SOL) and Litecoin (LTC). The use of cryptocurrency payments reduces friction for buyers and provides a degree of pseudonymity. Pricing starts at €25 per kit, making the service accessible to low-skilled threat actors.

“ZephyrScama” panel

At this stage, the analysis revealed two distinct interfaces, characteristic of the kit's internal workings.

The phishing kit is not limited to generating fraudulent pages: it integrates a complete ecosystem, including:

  • a distribution layer (showcase website + installer)
  • a configuration interface
  • a structured backend API
  • automated exfiltration mechanisms via Telegram
  • setup guides and support for installation

This organization reflects the shift towards Phishing-as-a-Service (PhaaS) models, where the entire attack chain is designed for reuse, scalability, and accessibility, enabling even low-skilled malicious actors to deploy them effectively.

Login page

The /login page acts as an access point to the dashboard. It is minimalist and limited to an input field requesting a 6-digit code. The user interface is consistent with that observed on the /setup page, confirming that both belong to the same ecosystem.

Figure 11. ZephyrScama login dashboard

Setup page

The /setup page is significantly more detailed and exposes the kit’s internal architecture. It is divided into several sections: Global, Access, Security, Telegram, Language, and Options.  

This interface appears to serve as the main configuration panel used by operators to deploy and customize phishing campaigns, including the setup of data collection mechanisms and communication channels such as Telegram bots for data exfiltration.  

Attempts to access the /setup page directly result in a redirection to /login, indicating that the interface is protected by a licensing system requiring both a UUID identifier (8-4-4-4-12 format) and a dedicated access path to the administration panel.

Figure 12. ZephyrScama server requirements

Another interesting point that will be useful later: this phishing kit requires deployment on Apache servers or an Apache+Plesk stack.

“ZephyrScama” inner workings

At this stage of the investigation, one of the most relevant approaches was to analyze the phishing kit's front-end dependencies to better understand its inner workings. By reviewing the source code of the /login page, it's possible to identify a build manifest file listing all the resources used by the application. This file is accessible via the following path:

  • http://{domain}/_next/static/{ID}/_buildManifest.js

This type of structure is characteristic of applications built with modern frameworks like Next.js. The manifest allows us to map the application's various routes and their associated JavaScript files (chunks), thus providing a comprehensive view of the client-side architecture.

Figure 13. js static chunks identified and loaded

Analysis of this file reveals several key routes associated with the kit's dashboard, including:

Route | Related chunk
/_error | static/chunks/pages/_error-b40bf74504511c05.js
/dashboard | static/chunks/pages/dashboard-6dcef45a6d7420c0.js
/dashboard/access | static/chunks/pages/dashboard/access-2c1ec063e40254ab.js
/dashboard/language | static/chunks/pages/dashboard/language-96cbf1d050d0aaf9.js
/dashboard/scama | static/chunks/pages/dashboard/scama-c1fa35e03879c059.js
/dashboard/security | static/chunks/pages/dashboard/security-8efbd99c59293872.js
/dashboard/security/loading | static/chunks/pages/dashboard/security/loading-9ed9b10eb78d2c6e.js
/dashboard/sells | static/chunks/pages/dashboard/sells-3a3b2db5a4e338f0.js
/dashboard/stats | static/chunks/87937-978c54446a55f424.js + static/chunks/pages/dashboard/stats-4e3bd870b0a61b67.js
/dashboard/telegram | static/chunks/pages/dashboard/telegram-07651e7944fd735d.js
/error | static/chunks/pages/error-4508a41b5d0bc405.js
/login | static/chunks/pages/login-05f2bcfb6f95821e.js
/setup | static/chunks/31016-a3961138d64de6ad.js + static/chunks/pages/setup-def018032c7195dc.js
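Locating the build manifest from a page's source and turning it into the route-to-chunk map shown above is a small parsing task that analysts can automate. The following Python is an added example written for this article, not code from the report, from OWN or from the kit: the HTML fragment and the manifest text are constructed to follow the shape Next.js emits (shared chunks passed as function arguments and referenced by parameter name inside the route arrays); only the route names and chunk file names are taken from the table, and the build id is a placeholder.

```python
import re

# Constructed sample HTML fragment (an assumption, not the kit's page): a Next.js page references
# its build manifest at /_next/static/{ID}/_buildManifest.js, where {ID} is the build id.
SAMPLE_LOGIN_HTML = (
    '<script src="/_next/static/BUILDID_PLACEHOLDER/_buildManifest.js" defer></script>'
    '<script src="/_next/static/chunks/pages/login-05f2bcfb6f95821e.js" defer></script>'
)

# Constructed sample manifest modelled on the shape Next.js emits: shared chunks are passed as
# function arguments (s, c) and referenced by name inside the route arrays. Route and chunk names
# come from the table above; the surrounding text is an assumption.
SAMPLE_MANIFEST = (
    'self.__BUILD_MANIFEST=function(s,c){return{'
    '__rewrites:{beforeFiles:[],afterFiles:[],fallback:[]},'
    '"/_error":["static/chunks/pages/_error-b40bf74504511c05.js"],'
    '"/dashboard":["static/chunks/pages/dashboard-6dcef45a6d7420c0.js"],'
    '"/dashboard/stats":[s,"static/chunks/pages/dashboard/stats-4e3bd870b0a61b67.js"],'
    '"/dashboard/telegram":["static/chunks/pages/dashboard/telegram-07651e7944fd735d.js"],'
    '"/login":["static/chunks/pages/login-05f2bcfb6f95821e.js"],'
    '"/setup":[c,"static/chunks/pages/setup-def018032c7195dc.js"],'
    'sortedPages:["/_error","/dashboard","/dashboard/stats","/dashboard/telegram","/login","/setup"]}}'
    '("static/chunks/87937-978c54446a55f424.js","static/chunks/31016-a3961138d64de6ad.js"),'
    'self.__BUILD_MANIFEST_CB&&self.__BUILD_MANIFEST_CB();'
)

MANIFEST_SRC_RE = re.compile(r'src="(/_next/static/[^/"]+/_buildManifest\.js)"')
PARAMS_RE = re.compile(r'__BUILD_MANIFEST\s*=\s*function\s*\(([^)]*)\)')
ARGS_RE = re.compile(r'\}\s*\(((?:"[^"]*"\s*,?\s*)*)\)')
ROUTE_RE = re.compile(r'"(/[^"]*)":\[([^\]]*)\]')


def find_manifest_paths(html):
    """Return the build-manifest path(s) a page references; the middle segment is the build id."""
    return MANIFEST_SRC_RE.findall(html)


def parse_build_manifest(text):
    """Map each route of a _buildManifest.js to the JS chunks loaded for it, resolving shared chunks."""
    params_m = PARAMS_RE.search(text)
    params = [p.strip() for p in params_m.group(1).split(",") if p.strip()] if params_m else []
    args_m = ARGS_RE.search(text)
    args = re.findall(r'"([^"]*)"', args_m.group(1)) if args_m else []
    shared = dict(zip(params, args))  # parameter name -> shared chunk path
    routes = {}
    for route, body in ROUTE_RE.findall(text):
        chunks = []
        for item in (x.strip() for x in body.split(",")):
            if not item:
                continue
            # a quoted item is a literal chunk path; a bare item is a shared-chunk parameter name
            chunks.append(item.strip('"') if item.startswith('"') else shared.get(item, item))
        routes[route] = chunks
    return routes


def dashboard_routes(routes):
    """Routes under /dashboard: the operator-panel surface that a normal site would not expose."""
    return sorted(r for r in routes if r == "/dashboard" or r.startswith("/dashboard/"))


if __name__ == "__main__":
    print("manifest:", find_manifest_paths(SAMPLE_LOGIN_HTML))
    routes = parse_build_manifest(SAMPLE_MANIFEST)
    for route, chunks in routes.items():
        print(f"{route:22s} {' + '.join(chunks)}")
    print("dashboard routes:", dashboard_routes(routes))
```

The manifest is a self-describing asset: once the build id is known, the chunk list is enough to fetch and grep the individual page bundles for the internal API references enumerated in the next section, without ever authenticating to the panel.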

Discovering internal API

The analysis of the different JavaScript chunks also reveals numerous references to an internal API, used to control all the functionalities of the phishing kit. This API appears to be organized into multiple modules, each covering a specific area. We therefore proceeded to enumerate all the identifiable APIs associated with this phishing kit:

Authentication (auth.php):

  • /_internal/api/auth.php?action=access
  • /_internal/api/auth.php?action=login
  • /_internal/api/auth.php?action=verify-token

Setup & Licence (setup.php):

  • /_internal/api/setup.php?action=exists
  • /_internal/api/setup.php?action=license
  • /_internal/api/setup.php?action=validate
  • /_internal/api/setup.php?action=setup
  • /_internal/api/setup.php?action=check
  • /_internal/api/setup.php?action=check_slug
  • /_internal/api/setup.php?action=delete
  • /_internal/api/setup.php?action=import

Dashboard - read (dashboard.php):

  • /_internal/api/dashboard.php?action=stats
  • /_internal/api/dashboard.php?action=online
  • /_internal/api/dashboard.php?action=rez
  • /_internal/api/dashboard.php?action=settings
  • /_internal/api/dashboard.php?action=export&token=
  • /_internal/api/dashboard.php?action=export_settings&token=

Dashboard - write (dashboard.php):

  • /_internal/api/dashboard.php?action=update_access
  • /_internal/api/dashboard.php?action=update_captcha
  • /_internal/api/dashboard.php?action=update_test
  • /_internal/api/dashboard.php?action=update_whitelist
  • /_internal/api/dashboard.php?action=update_whitelist_ips
  • /_internal/api/dashboard.php?action=update_whitelist_referers
  • /_internal/api/dashboard.php?action=update_banned_ips
  • /_internal/api/dashboard.php?action=update_redirect_url
  • /_internal/api/dashboard.php?action=update_telegram_notifications
  • /_internal/api/dashboard.php?action=update_telegram_actions
  • /_internal/api/dashboard.php?action=update_custom
  • /_internal/api/dashboard.php?action=update_language

Dashboard - admin (dashboard.php):

  • /_internal/api/dashboard.php?action=delete&id=
  • /_internal/api/dashboard.php?action=clear_stats
  • /_internal/api/dashboard.php?action=migrate

Dynamic schema (schema.php):

  • /_internal/api/schema.php?action=get&name=settings
  • /_internal/api/schema.php?action=get&name=rez

Telegram notifications (notifications.php):

  • /_internal/api/notifications.php?action=list
  • /_internal/api/notifications.php?action=get&key=

Internationalization (lang.php):

  • /_internal/api/lang.php

Autodestroy (destroy.php):

  • /_internal/api/destroy.php

Phishing-kit installation

As the investigation progressed, one of the key objectives was to trace the phishing kit back to its source to identify its installation mechanism.

Based on communications published on the official ZephyrScama Telegram channel, a crucial step in the process was mentioned: the use of an installer.

We therefore expanded the scope of the investigation to identify other elements more broadly associated with this campaign. By pivoting to other registered malicious domains, we identified screenshots [1] that had been taken and that displayed the promotional page of the scam discussed in this investigation. This site offers several ready-to-use kits, targeting various popular entities, including:

  • Ameli
  • Antai
  • Colissimo
  • DHL
  • Disney+
  • EDF  

Figure 14. ZephyrScama advertising page

This discovery confirms the existence of a structured ecosystem in which operators can easily select and deploy various phishing scenarios. Furthermore, the observed interfaces indicate that these kits are designed to be compatible with mobile devices, enhancing their effectiveness in smishing campaigns.

ZephyrScama deployed remotely through an iframe injection

After the first CAPTCHA challenges are solved, analysis of the source code of this page highlights a key element: an iframe pointing to another domain that acts as a C2. This server is used to dynamically load phishing pages inside full-screen iframes. Some configuration files are also retrieved directly by querying the C2.

Another critical artifact was identified: the presence of a JWT (JSON Web Token) associated with a user named zephyr_user. This type of token is generally used to authenticate requests to an API.

Figure 15. iframe injection from the ZephyrScama C2

A valid token grants direct access to the phishing kit's backend. Injecting this token into HTTP requests (GET or POST), theoretically makes it possible to query internal endpoints and retrieve sensitive information.

Among all the identified routes, the following route is particularly interesting:

  • /_internal/api/dashboard.php?action=settings

This API allows retrieving a significant amount of data in JSON format, including:

  • Telegram bot IDs (BotID)
  • Chat IDs (ChatID)

These elements play a central role in the kit’s operation because, when a phishing attack succeeds, all collected information is automatically transmitted to a Telegram channel through a bot.

As an example, we managed to get our hands on a real data stream dedicated to the tracking of victims' information:

Figure 16. victims information exfiltrated through a telegram bot

Each message sent on the channel transmits a timestamp, the impersonated service, the victim's IP address, a small fingerprint (OS/version) as well as a user-agent.

A second, far more sensitive, data stream centralizes all the information entered by the victims. As they progress through the fraudulent process, threat actors collect an impressive amount of information, including: full name, birth date, phone number, email, address and bank card information.

Figure 17. victims' personal data exfiltrated through the Telegram bot

How is the phishing delivered?

As part of this investigation, it was essential to understand the mechanisms behind phishing distribution from both the attackers’ and victims’ perspectives.

The analysis shows that the infrastructure associated with ZephyrScama primarily relies on smishing campaigns, meaning phishing attacks delivered via SMS. This method enables attackers to rapidly target many victims by exploiting a communication channel that is perceived as more personal and therefore more trustworthy.

Several public reports have identified concrete examples of this distribution strategy. The domain consigne-vitale[.]com, for example, was already reported:

Figure 18. https://www.signal-arnaques.com/scam/view/900469

Another similar case was identified involving the domain assurance-maladie-public[.]com. In this case, the SMS originated from the number +590690080249, associated with Saint-Martin. The message followed the same scenario, urging the victim to update their information under the pretext of a problem with their health insurance card.

Figure 19. https://www.signal-arnaques.com/scam/view/902763

Despite the deletion of the main Telegram channel, the sales bot remains active today.

It is also possible to reconstruct some of its activity using third-party sources that indexed and preserved some of its content. These traces allow us to identify approximately seven posts issued by the ZephyrScama bot, whose main objective was to promote and distribute the phishing kit to channel members:

Figure 20. ZephyrScama advertising posts on Telegram

Infrastructure

As part of our trademark protection and typosquatting monitoring activities, we tracked a significant portion of this infrastructure. At the time of writing, our research revealed an infrastructure segment of more than 400 domains distributed across over 147 unique IP addresses.

These IP addresses are distributed across 37 autonomous systems (ASNs). Part of this infrastructure relies on hosting providers such as Cloudflare and AWS-based VPS environments, while other components leverage dynamic DNS providers to generate phishing subdomains:

  • service-livraison-france.zachbania[.]co
  • mrelay-hublogin.3utilities[.]com
  • report-agricole.myvnc[.]com
  • support-ameli.sytes[.]net [2]

We also identified some old messages from the “ZephyrScama” Telegram accounts that advertise another account, “@tcpbest”, for buying Plesk servers and/or domain names.

The domain “tcp[.]best” is still active:

Figure 21. tcp.best website

We discovered that legacy CNAME records were still pointing “ok.tcp.best” to “net.sltcv[.]xyz”, where sltcv is short for the French phrase “salut ça va” (“Hi, what's up?”).

Although the domain resolved to IP addresses hosted on AWS, we also identified several subdomains resolving to the following IP address: 45.139.104[.]97. This single IP address has been resolved for the last two years by at least 1,090 domain names: all typosquatted, all malicious.

The infrastructure is hosted by “49.3 Networking LLC” under ASN399979. The company name might be a reference to the French constitutional mechanism “49.3” [3], strongly suggesting that the operators behind this bulletproof VPS provider are French.

Figure 22. “49.3” Networking

Additionally, all identified IP addresses are geolocated in the United States and concentrated within a single subnet, 45.139.104.0/24.

Spamhaus already posted about this ASN and the specific /24 subnet in April 2025:

Figure 23. https://x.com/spamhaus/status/1909230428470337734

This does not appear to have significantly affected the operators who continue to use this bulletproof hosting provider. Spamhaus, however, appears to have been indirectly targeted through the registration of the domain “spamhaussuckd***.top” which also hosted a ZephyrScama command-and-control server (C2).

Figure 24. webpage hosted on "spamhaussuckd***.top"

During our investigation, we also observed the deployment of the phishing kit on servers previously purchased through a service well-known for phishing attacks in France: mezohost.

The website of this bulletproof hosting provider was previously hosted on mezohost[.]cc and was probably taken down recently. It is still available on mezohost[.]info (since May 2026) and mezohost[.]net (since February 2026).

Figure 25. mezohost.info

We won't elaborate on this provider because there would be far too many malicious campaigns to identify within the networks associated with these providers.

Smishing campaigns

One last interesting piece of information, however: some IP addresses within a few of the ASNs identified earlier as exposing ZephyrScama panels (AS213441, AS399979 or AS202412) also occasionally expose "SMS Gateway" panels:

Figure 26. "sms gateway" exposed webpage

Although a direct link with ZephyrScama was not established, these panels are often associated with tools designed to support large-scale SMS distribution campaigns.

This type of software, typically deployed on remote servers, enables users to transform their own mobile phones and SIM cards into SMS distribution gateways. Configuration on the mobile device is straightforward and only requires installing an application that communicates with a centralized management server. Through this centralized interface, operators can manage campaigns, define target lists, adjust sending frequency and monitor operations remotely.

Figure 29. example of a software dashboard used for bulk sending of SMS

Using a simple Excel file as input, the platform can process and distribute tens of thousands of SMS messages at scale. Often marketed as a legitimate bulk messaging solution, this kind of software also appears to play a central role in large-scale smishing operations.

Conclusion

The ZephyrScama phishing kit represents an actively maintained Phishing-as-a-Service (PhaaS) platform specifically engineered to target French-speaking victims, with a primary focus on impersonating high-trust institutions (ANTAI), national health insurance (Ameli), postal and delivery services (La Poste, Mondial Relay, Colissimo), streaming platforms (Netflix, Disney+) and energy providers (EDF).

The infrastructure analysis uncovered approximately 400 malicious domains distributed across 147 unique IP addresses and 37 ASNs, active since at least mid-2025 and still operational at the time of writing. The deliberate use of bulletproof hosting providers, most notably ASN399979 ("49.3 Networking LLC"), whose name is itself an overt reference to a French political mechanism, combined with dynamic DNS providers and Cloudflare/AWS abuse, demonstrates a clear intent to maximize resilience against takedown efforts.

The kit's architecture combines a Next.js-based frontend, a structured internal PHP API, token-based authentication, an automated Telegram exfiltration pipeline, and a fully automated purchasing workflow via the @ZephyrScama_Bot Telegram shop. This design drastically lowers the barrier to entry, enabling low-skilled threat actors to deploy targeted smishing campaigns with minimal friction, starting at just €25 per kit.

The progressive data harvesting strategy, guiding victims through fake verification steps before collecting personally identifiable information (PII) and banking credentials, maximizes the volume and quality of stolen data, which is exfiltrated in real time to operator-controlled Telegram channels.

Despite the takedown of the main Telegram channel and the deactivation of the installer endpoint, the bot and associated infrastructure remain active. The campaign shows no signs of slowing, with observed malicious domains being registered and rotated on an ongoing basis.

Overall, ZephyrScama illustrates the growing professionalization of the crimeware ecosystem: the shift from ad-hoc phishing pages to structured, scalable, service-based tooling represents a persistent and evolving threat that warrants continued monitoring, proactive domain takedown efforts, and coordinated reporting to relevant national CERTs and brand protection teams.

ZephyrScama YARA rule

The following YARA rule can be used to scan crawled HTML pages, JavaScript chunks, exposed manifests, PHP files, and API responses related to ZephyrScama deployments.

rule PHISH_ZephyrScama_WebArtifacts
{
    meta:
        description = "Detects ZephyrScama phishing-kit web artifacts"
        author = "OWN CTI"
        confidence = "high"
        scope = "HTML, JavaScript, PHP, API responses"

    strings:
        $id_1 = "ZephyrScama" nocase
        $id_2 = "@2025 Zephyr" nocase
        $id_3 = "t.me/zephyr_scama" nocase
        $id_4 = "zephyr_user" nocase

        $next_1 = "/_next/static/" nocase
        $next_2 = "_buildManifest.js" nocase

        $route_1 = "/dashboard/telegram" nocase
        $route_2 = "/dashboard/security" nocase
        $route_3 = "/dashboard/stats" nocase
        $route_4 = "/setup" nocase
        $route_5 = "/login" nocase

        $api_1 = "/_internal/api/auth.php?action=login" nocase
        $api_2 = "/_internal/api/auth.php?action=verify-token" nocase
        $api_3 = "/_internal/api/setup.php?action=license" nocase
        $api_4 = "/_internal/api/dashboard.php?action=settings" nocase
        $api_5 = "/_internal/api/notifications.php?action=list" nocase

        $tg_1 = "BotID" nocase
        $tg_2 = "ChatID" nocase
        $tg_3 = "telegram_notifications" nocase
        $tg_4 = "telegram_actions" nocase

    condition:
        filesize < 5MB and
        (
            any of ($id_*) or
            (
                any of ($next_*) and
                2 of ($route_*) and
                2 of ($api_*)
            ) or
            (
                3 of ($api_*) and
                2 of ($tg_*)
            )
        )
}

This rule should be used on collected web artifacts rather than raw DNS or proxy logs. A match should be enriched with passive DNS, iframe source domain, Telegram identifiers, ASN, screenshots, and smishing evidence before takedown or blocking.
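For pipelines that cannot run YARA directly (a crawler post-processing step, a SOAR action), the rule's condition can be reproduced on collected artifacts with plain Python. The following is an added example written for this article, not code from the report or from OWN: the indicator strings are those of the rule above, while the three sample artifacts are constructed (one Next.js chunk referencing the kit's routes and API, one settings helper carrying Telegram fields, one ordinary Next.js site) and the bot and chat identifiers in them are placeholders.

```python
# Indicator groups copied from the rule above; matching is case-insensitive (YARA "nocase").
INDICATORS = {
    "id": ["ZephyrScama", "@2025 Zephyr", "t.me/zephyr_scama", "zephyr_user"],
    "next": ["/_next/static/", "_buildManifest.js"],
    "route": ["/dashboard/telegram", "/dashboard/security", "/dashboard/stats", "/setup", "/login"],
    "api": [
        "/_internal/api/auth.php?action=login",
        "/_internal/api/auth.php?action=verify-token",
        "/_internal/api/setup.php?action=license",
        "/_internal/api/dashboard.php?action=settings",
        "/_internal/api/notifications.php?action=list",
    ],
    "tg": ["BotID", "ChatID", "telegram_notifications", "telegram_actions"],
}
MAX_SIZE = 5 * 1024 * 1024  # YARA "filesize < 5MB" (MB is a 1024-based unit in YARA)

# Constructed artifacts (assumptions, not captured files):
# 1) a JS chunk from a Next.js build that references the kit's routes and API
SAMPLE_CHUNK = (
    b'self.__next_f=[];fetch("/_internal/api/auth.php?action=login");'
    b'fetch("/_internal/api/dashboard.php?action=settings");'
    b'router.push("/dashboard/telegram");router.push("/dashboard/stats");'
    b'<script src="/_next/static/BUILDID_PLACEHOLDER/_buildManifest.js"></script>'
)
# 2) a settings helper carrying Telegram fields and several API actions, with no Next.js marker
SAMPLE_SETTINGS_JS = (
    b'{"BotID":"BOT_PLACEHOLDER","ChatID":"CHAT_PLACEHOLDER"}'
    b'/_internal/api/auth.php?action=verify-token /_internal/api/setup.php?action=license '
    b'/_internal/api/notifications.php?action=list'
)
# 3) an ordinary Next.js site that happens to have /login and /setup pages
SAMPLE_BENIGN = (
    b'<script src="/_next/static/BUILDID_PLACEHOLDER/_buildManifest.js"></script>'
    b'<a href="/login">Sign in</a><a href="/setup">Setup wizard</a>'
)


def _hits(text, group):
    """Indicators of one group present in text, compared case-insensitively."""
    low = text.lower()
    return sorted(s for s in INDICATORS[group] if s.lower() in low)


def match_zephyrscama(data):
    """Apply the rule's condition to one artifact; returns (matched, branch, hits per group)."""
    if len(data) >= MAX_SIZE:
        return False, "oversize", {}
    text = data.decode("utf-8", errors="ignore")
    hits = {g: _hits(text, g) for g in INDICATORS}
    if hits["id"]:                                   # any of ($id_*)
        return True, "direct identifier", hits
    if hits["next"] and len(hits["route"]) >= 2 and len(hits["api"]) >= 2:
        return True, "next.js build + routes + api", hits
    if len(hits["api"]) >= 3 and len(hits["tg"]) >= 2:
        return True, "api + telegram settings", hits
    return False, "no match", hits


if __name__ == "__main__":
    for name, blob in [("chunk", SAMPLE_CHUNK), ("settings", SAMPLE_SETTINGS_JS), ("benign", SAMPLE_BENIGN)]:
        matched, branch, hits = match_zephyrscama(blob)
        print(f"{name:9s} matched={matched} via '{branch}' api={hits.get('api')} tg={hits.get('tg')}")
```

One caveat worth knowing when tuning the rule: $route_4 ("/setup") is a substring of the setup.php API paths, so it fires on any file that already contains $api_3; this is harmless because the route branch also requires a Next.js marker and two API hits, but it means $route_4 adds little on its own, and the generic "/login" and "/setup" strings are why the benign sample above does not match without API evidence.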

IoCs

Indicators of compromise (IoC) are available in a separate document, which can be found here.

Footnotes

[1] https://urlscan.io/screenshots/019ce164-a89d-7598-9021-3056421a72c7.png

[2] sytes[.]net is freeddns.noip.com domain name

[3] https://www.nytimes.com/2023/03/16/world/europe/france-constitution-article-49-3.html

