REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation
The REFUNDEE operation involves a publicly exposed Phishing-as-a-Service and RAT-as-a-Service platform named Shadow Panel, hosted on Bulgarian infrastructure. It targets Spanish- and Portuguese-speaking victims using weaponized LNK, VBS, and AES-encrypted PowerShell payloads to deliver a remote access trojan. The platform offers extensive capabilities, including remote shell execution, screenshot capture, file management, browser credential theft, clipboard hijacking for cryptocurrency wallets, and multi-operator support. The entire command-and-control panel frontend and its API endpoints were accessible, revealing the platform's architecture. The operation has been linked to a known threat actor via WHOIS data and historical malicious domains dating back to 2021, indicating a long-running cybercriminal campaign with limited detection. No official patch or remediation is available, as this is a criminal service platform rather than a software vulnerability.
AI Analysis
Technical Summary
An open directory at refundonex[.]com exposed Shadow Panel, a Phishing-as-a-Service and RAT-as-a-Service platform targeting Spanish and Portuguese speakers. The platform includes thousands of files with weaponized LNK, VBS, and encrypted PowerShell payloads delivering a remote access trojan. Shadow Panel provides attackers with remote shell access, screenshot capture, file management, credential theft, clipboard hijacking for cryptocurrency wallets, and multi-operator support. The C2 panel frontend JavaScript and 29 API endpoints were publicly accessible, revealing the platform's architecture. Infrastructure analysis linked the operation to an email address and malicious domains dating back to 2021, showing a persistent threat actor operating from Bulgarian infrastructure. This is a criminal service platform facilitating phishing and RAT campaigns rather than a software vulnerability with patches.
Potential Impact
The exposed Shadow Panel platform enables cybercriminals to conduct phishing campaigns and deploy remote access trojans with capabilities including remote shell execution, credential theft, and cryptocurrency wallet hijacking. This facilitates unauthorized access to victim systems, data theft, and potential financial loss. The long-running nature and minimal detection coverage increase the risk of ongoing victimization in Spanish and Portuguese-speaking regions. However, this is a criminal infrastructure exposure rather than a software vulnerability affecting legitimate products.
Mitigation Recommendations
Since this is a criminal phishing and RAT service platform exposed publicly, there is no direct patch or official fix. Organizations should focus on detecting and blocking phishing attempts and RAT payloads associated with this operation. Monitoring for indicators of compromise related to Shadow Panel and educating users in targeted language groups about phishing risks are recommended. Law enforcement and hosting providers should be notified to take down the exposed infrastructure. Patch status is not applicable; check threat intelligence sources for updates on takedown or disruption efforts.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://intel.breakglass.tech/post/refundonex-shadow-panel-phaas
- Adversary: null
- Pulse Id: 69dd066f59e22e6d1ee7315b
- Threat Score: null
Threat ID: 69dd0fea82d89c981f0adb42
Added to database: 4/13/2026, 3:46:50 PM
Last enriched: 4/13/2026, 4:01:52 PM
Last updated: 4/14/2026, 8:14:30 AM