US Banking Users Targeted in Large-Scale OTP Phishing Campaign
A large-scale phishing campaign has been targeting U.S. banking users since November 2025 by impersonating ESL Federal Credit Union and potentially other financial institutions. The campaign uses a multi-step phishing flow to steal usernames, passwords, one-time passwords (OTPs), and email verification data, increasing the risk of account takeover and fraud. It employs over 230 phishing domains with rotating infrastructure, primarily in .sbs, .cfd, and .click domains. Victim data is exfiltrated through chained POST requests and forwarded to attacker-controlled Telegram bots. The campaign remains active with reusable phishing page assets and endpoint structures, making it trackable despite frequent domain changes.
AI Analysis
Technical Summary
This threat describes an ongoing, large-scale phishing campaign targeting U.S. banking users by impersonating ESL Federal Credit Union and other financial organizations. The attackers use a multi-step phishing process to harvest login credentials, OTPs, and email verification information, facilitating account takeover and fraud. The campaign infrastructure is highly reusable and rotates through hundreds of phishing domains, mainly in less common top-level domains. Data exfiltration involves chained POST requests and Telegram bots controlled by the attackers. Despite frequent domain changes, consistent phishing page assets allow tracking of the campaign. The campaign has been active since November 2025 with sustained high-volume activity.
Potential Impact
The campaign poses a significant risk of account takeover and financial fraud for targeted U.S. banking users by stealing credentials and OTPs. The multi-step phishing flow increases the likelihood of successful credential harvesting and bypassing of multi-factor authentication. The use of numerous rotating domains and persistent infrastructure complicates detection and takedown efforts. However, this is a phishing campaign rather than a software vulnerability or exploit, so the impact is limited to social engineering and credential theft.
Mitigation Recommendations
No official patch or vendor advisory is available for this phishing campaign. Mitigation should focus on user education to recognize phishing attempts, monitoring for suspicious login activity, and employing strong multi-factor authentication methods that do not rely solely on OTPs sent via SMS or email. Financial institutions should monitor for and report phishing domains impersonating their services to domain registrars and take down fraudulent sites. Users are advised to verify URLs carefully and avoid entering credentials on suspicious sites. Since this is a phishing campaign, technical patching is not applicable.
Reddit Discussion
We're tracking a large-scale phishing campaign impersonating ESL Federal Credit Union, a U.S. financial institution, with ongoing high-volume activity observed since November 2025. The infrastructure and flow are highly reusable and can be quickly adapted to impersonate other financial organizations.
The campaign uses a multi-step phishing flow to steal usernames, passwords, OTP codes, and email verification data, creating serious account takeover and fraud risk at this scale.
Unlike short-lived phishing operations, this activity has remained active for months with constantly rotating infrastructure. More than 230 phishing domains have already been identified, most registered in .sbs, .cfd, and .click zones.
After credential submission, victim data is sent through a chain of POST requests and forwarded to Telegram bots through attacker-controlled iframe responses. The campaign then moves into a second phishing stage focused on email verification, adding another layer of credential harvesting and OTP interception.
See the phishing flow, credential exfiltration chain, and collect IOCs: https://app.any.run/tasks/57a49b17-1d88-458c-9f16-005fd9837fee/
Even with constant domain rotation, the campaign keeps reusing the same phishing-page images, endpoint structure, and multi-step authentication flow. These repeating artifacts make the activity trackable across newly deployed phishing sites.
Hunt for related phishing infrastructure using recurring campaign artifacts in TI Lookup: (url:"/chc.png" AND url:"/member-fdic.svg" AND url:"/equal-housing-lender.svg" AND url:"/image.png")
Celebrate ANYRUN's 10th anniversary with us! Explore special offers: https://app.any.run/plans/
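An added detection example, not code from the ANY.RUN post or from this page: it scans constructed proxy-log lines for hosts that serve the recurring asset paths the post lists, flags hosts in the .sbs/.cfd/.click zones, and records which clients POSTed to such a host afterwards, since those sessions are the ones whose credentials and OTPs should be treated as compromised. The log line format and the allowlisted host name are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Asset paths the post reports as reused across the campaign's rotating domains.
CAMPAIGN_ASSETS = {"/chc.png", "/member-fdic.svg",
                   "/equal-housing-lender.svg", "/image.png"}
SUSPECT_TLDS = {"sbs", "cfd", "click"}  # zones the post says dominate
# Placeholder allowlist (assumption): real bank sites also serve FDIC/EHL logos.
ALLOWED_HOSTS = {"online.bank.example"}

# Constructed sample proxy log: "<time> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2026-05-24T18:01:02Z 10.0.0.5 GET https://secure-login-verify.sbs/chc.png 200
2026-05-24T18:01:02Z 10.0.0.5 GET https://secure-login-verify.sbs/member-fdic.svg 200
2026-05-24T18:01:03Z 10.0.0.5 GET https://secure-login-verify.sbs/equal-housing-lender.svg 200
2026-05-24T18:01:40Z 10.0.0.5 POST https://secure-login-verify.sbs/login.php 302
2026-05-24T18:02:10Z 10.0.0.7 GET https://online.bank.example/member-fdic.svg 200
2026-05-24T18:03:00Z 10.0.0.9 GET https://cdn.example.net/image.png 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def parse_line(line):
    """Return (client, method, host, path) for one log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, client, method, url, _ = m.groups()
    parts = urlsplit(url)
    return client, method, parts.hostname or "", parts.path

def find_suspect_hosts(log_text, min_assets=3):
    """Hosts serving >= min_assets campaign assets, with the matched paths,
    a TLD flag, and clients that POSTed there afterwards (likely victims).
    Assumes the log is in chronological order."""
    assets, posters = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] in ALLOWED_HOSTS:
            continue
        client, method, host, path = rec
        if method == "GET" and path in CAMPAIGN_ASSETS:
            assets[host].add(path)
        elif method == "POST" and assets.get(host):
            posters[host].add(client)
    return {h: {"assets": sorted(a),
                "suspect_tld": h.rsplit(".", 1)[-1] in SUSPECT_TLDS,
                "posting_clients": sorted(posters[h])}
            for h, a in assets.items() if len(a) >= min_assets}
```

Legitimate U.S. bank sites serve FDIC and Equal Housing Lender logos too, so the allowlist and the asset-count threshold are what keep false positives down; tune both before acting on a hit.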
Technical Details
- Source Type
- Subreddit: ThreatIntelligence+threatintel+websecurityresearch
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":32,"reasons":["external_link","established_author"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a13498fa5ae1af1aab6949a
Added to database: 5/24/2026, 6:55:11 PM
Last enriched: 5/24/2026, 6:55:27 PM
Last updated: 5/24/2026, 8:02:50 PM