May 04, 2026

Daily Threat Report — French Financial Sector

Report contents: 15 unique IOCs (10 phishing URLs, 5 C2 IP addresses), 11 MITRE ATT&CK techniques, 6 KQL hunt queries
Executive Summary

French financial institutions face active threats from financially-motivated and state-sponsored actors leveraging phishing infrastructure, unpatched vulnerabilities, and live C2 endpoints. Immediate action is required to block identified IOCs and hunt for compromise across network and endpoint telemetry.

#1

Active Financial Phishing Campaign Targeting Banking & Crypto Credentials

Severity: CRITICAL | Attributed actor: TA505

Multiple phishing URLs impersonating banking, Netflix, and cryptocurrency platforms (Coinbase, KuCoin, Swissborg) have been identified; the report assesses them as consistent with TA505 credential-harvesting operations targeting French financial users. Nine of the ten sites sit on legitimate shared hosting (Webflow, Vercel, GoDaddy Websites) and one on a bespoke attacker-registered domain, so they inherit the providers' domain reputation and pass reputation-based filtering. Blocks must therefore target the exact hostnames, never the parent zones (webflow.io, vercel.app, godaddysites.com), or legitimate sites go down with them. The Netflix lures matter to a bank because the credentials they harvest are commonly reused against banking portals.

🔴 Indicators of Compromise
URL  http://coensqureulogin.webflow.io/            Phishing: banking credential harvest
URL  http://login-netcoin-ca.webflow.io/           Phishing: crypto/banking hybrid lure
URL  http://authswiisborgwallet.webflow.io/        Phishing: Swissborg wallet credential theft
URL  http://kkucoin-en-webpage.webflow.io/         Phishing: KuCoin exchange impersonation
URL  http://www.jexi-bank.vercel.app/              Phishing: banking portal impersonation
URL  http://support91.partner-invoice-network.com/ Phishing: invoice/partner network lure
URL  http://netflix-clone-coral-three.vercel.app/  Phishing: Netflix credential harvest
URL  http://netflix-ui-clone-iota.vercel.app/      Phishing: Netflix credential harvest
URL  http://www.uuphuldlugin.godaddysites.com/     Phishing: plugin/credential lure
URL  http://projectlicks-box07.vercel.app/         Phishing: generic credential harvest
🟣 MITRE ATT&CK TTPs
T1566.002 Phishing: Spearphishing Link
T1078 Valid Accounts
T1027 Obfuscated Files or Information
🟢 Hunt Queries
MDE Detect User Navigation to Phishing Domains

Identifies endpoint DNS or HTTP requests to known phishing domains associated with this campaign.

// Sentinel (MDE connector) column names; in Defender Advanced Hunting use Timestamp instead of TimeGenerated.
let phish_hosts = dynamic(['coensqureulogin.webflow.io','login-netcoin-ca.webflow.io','authswiisborgwallet.webflow.io','kkucoin-en-webpage.webflow.io','jexi-bank.vercel.app','support91.partner-invoice-network.com','netflix-clone-coral-three.vercel.app','netflix-ui-clone-iota.vercel.app','uuphuldlugin.godaddysites.com','projectlicks-box07.vercel.app']);
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteUrl has_any (phish_hosts)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by TimeGenerated desc
SENTINEL Detect Phishing Domain Access via Proxy or Firewall Logs

Correlates CommonSecurityLog entries for outbound requests to identified phishing infrastructure.

// Proxies that log only the destination host (not the full URL) populate DestinationHostName, so both columns are checked.
let phish_hosts = dynamic(['coensqureulogin.webflow.io','login-netcoin-ca.webflow.io','authswiisborgwallet.webflow.io','kkucoin-en-webpage.webflow.io','jexi-bank.vercel.app','support91.partner-invoice-network.com','netflix-clone-coral-three.vercel.app','netflix-ui-clone-iota.vercel.app','uuphuldlugin.godaddysites.com','projectlicks-box07.vercel.app']);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where RequestURL has_any (phish_hosts) or DestinationHostName has_any (phish_hosts)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, SourceUserName, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
✅ Recommended Actions
→ Block all identified phishing hostnames at the web proxy and DNS filtering layers immediately
→ Alert the SOC to monitor for credential reuse attempts following any confirmed user visit to these URLs
→ Notify customer-facing security teams to issue user awareness alerts regarding fake banking and crypto portals
→ Submit the phishing URLs to the Webflow, Vercel, and GoDaddy abuse teams for takedown
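The first and fourth actions both start from the same list of URLs, and getting the blocking granularity wrong (blocking webflow.io instead of the attacker's subdomain) is the classic mistake. The following added example, which is not part of the report, turns the ten URLs above into a BIND RPZ fragment and rows in the CSV layout used by Microsoft Defender's "Import indicators" dialog. The shared-platform suffix list, the RPZ zone name, the indicator expiry, and the exact Defender CSV column layout are assumptions; check the column layout against the template downloaded from your own portal before importing.

```python
"""Derive DNS/proxy block entries from the phishing URLs in this item.

Added example, not part of the original report or of any vendor tooling.
Assumptions: the list of shared-platform suffixes, the RPZ zone name
'rpz.local', and the Defender indicator CSV column layout.
"""
import csv
import io
from urllib.parse import urlsplit

# The ten URLs listed in the IOC table above.
PHISHING_URLS = [
    "http://coensqureulogin.webflow.io/",
    "http://login-netcoin-ca.webflow.io/",
    "http://authswiisborgwallet.webflow.io/",
    "http://kkucoin-en-webpage.webflow.io/",
    "http://www.jexi-bank.vercel.app/",
    "http://support91.partner-invoice-network.com/",
    "http://netflix-clone-coral-three.vercel.app/",
    "http://netflix-ui-clone-iota.vercel.app/",
    "http://www.uuphuldlugin.godaddysites.com/",
    "http://projectlicks-box07.vercel.app/",
]

# Hosting platforms shared with thousands of legitimate sites (assumed list).
# For these, block only the attacker's exact hostname, never the parent zone.
SHARED_PLATFORM_SUFFIXES = (".webflow.io", ".vercel.app", ".godaddysites.com")


def block_targets(urls):
    """Return an ordered, de-duplicated list of hostnames to block.

    A hostname on a shared platform is blocked as-is. A hostname on a
    domain the attacker registered themselves is blocked together with
    its registrable parent (approximated here as the last two labels,
    which is wrong for ccSLDs such as .co.uk; use the public suffix list
    in production).
    """
    targets = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if not host:
            continue
        entries = [host]
        if not host.endswith(SHARED_PLATFORM_SUFFIXES):
            parent = ".".join(host.split(".")[-2:])
            if parent != host:
                entries.append(parent)
        for entry in entries:
            if entry not in targets:
                targets.append(entry)
    return targets


def rpz_records(targets, zone="rpz.local"):
    """Render BIND RPZ records: the host and everything under it resolve to NXDOMAIN."""
    lines = [f"$ORIGIN {zone}."]
    for host in targets:
        lines.append(f"{host} CNAME .")
        lines.append(f"*.{host} CNAME .")
    return "\n".join(lines) + "\n"


# Column layout of the Defender indicator import CSV (assumed; verify against the portal template).
DEFENDER_COLUMNS = [
    "IndicatorType", "IndicatorValue", "ExpirationTime", "Action", "Severity",
    "Title", "Description", "RecommendedActions", "RbacGroups", "Category",
    "MitreTechniques", "GenerateAlert",
]


def defender_indicator_csv(targets, expires="2026-06-04T00:00:00Z"):
    """Render one DomainName/Block row per target for the Defender indicator import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=DEFENDER_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for host in targets:
        writer.writerow({
            "IndicatorType": "DomainName",
            "IndicatorValue": host,
            "ExpirationTime": expires,
            "Action": "Block",
            "Severity": "High",
            "Title": "Phishing infrastructure, daily report 2026-05-04",
            "Description": "Credential-harvesting site impersonating banking/crypto/streaming logins",
            "RecommendedActions": "Reset credentials of any user who reached this host",
            "RbacGroups": "",
            "Category": "Phishing",
            "MitreTechniques": "T1566.002",
            "GenerateAlert": "TRUE",
        })
    return buf.getvalue()


if __name__ == "__main__":
    hosts = block_targets(PHISHING_URLS)
    print(rpz_records(hosts))
    print(defender_indicator_csv(hosts))
```

The RPZ output carries a wildcard record under each blocked host so that any subdomain the attacker adds later is caught too, while the nine shared-platform entries never widen beyond the attacker's own hostname.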
#2

Active C2 Infrastructure Linked to State-Sponsored Financial Threat Actor

Severity: CRITICAL | Attributed actor: Lazarus Group

Five IP addresses actively serving as C2 have been identified; the report associates them with Lazarus Group and FIN7 tradecraft consistent with targeting of SWIFT infrastructure, cryptocurrency platforms, and French financial institutions. Four of the five sit on shared cloud capacity (DigitalOcean, AWS EC2) that attackers cycle quickly, so treat any hit in the hunt window as actionable now, but confirm the addresses are still attacker-controlled before committing to long-lived blocks. Network-level blocking must be paired with retrospective hunting for beaconing or lateral movement.

🔴 Indicators of Compromise
IP  162.243.103.246  Active C2: DigitalOcean hosted, associated with malware beaconing
IP  50.16.16.211     Active C2: AWS EC2, potential payload delivery or C2 channel
IP  34.204.119.63    Active C2: AWS EC2, command and control node
IP  178.62.3.223     Active C2: DigitalOcean, lateral movement or exfiltration endpoint
IP  27.133.154.218   Active C2: APAC-hosted, consistent with Lazarus Group infrastructure patterns
🟣 MITRE ATT&CK TTPs
T1071.001 Application Layer Protocol: Web Protocols
T1041 Exfiltration Over C2 Channel
T1021.002 Remote Services: SMB/Windows Admin Shares
T1486 Data Encrypted for Impact
🟢 Hunt Queries
MDE Detect Outbound Connections to Active C2 IPs

Identifies any endpoint making outbound network connections to the five known active C2 IP addresses.

let c2_ips = dynamic(['162.243.103.246','50.16.16.211','34.204.119.63','178.62.3.223','27.133.154.218']);
DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where RemoteIP in (c2_ips)
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by TimeGenerated desc
SENTINEL Detect C2 Communications via Firewall and NSG Flow Logs

Correlates network flow and firewall logs for any traffic to or from identified C2 infrastructure.

// The two tables use different column names (CommonSecurityLog: SourceIP/DestinationIP;
// AzureNetworkAnalytics_CL: SrcIP_s/DestIP_s), so each side is filtered and normalised
// before the union; a single filter across the raw union silently misses half the rows.
let c2_ips = dynamic(['162.243.103.246','50.16.16.211','34.204.119.63','178.62.3.223','27.133.154.218']);
union isfuzzy=true
  (CommonSecurityLog
    | where TimeGenerated > ago(7d)
    | where SourceIP in (c2_ips) or DestinationIP in (c2_ips)
    | project TimeGenerated, Source='CommonSecurityLog', SrcIP=SourceIP, DstIP=DestinationIP,
              DstPort=tostring(DestinationPort), Action=DeviceAction, Detail=Activity),
  (AzureNetworkAnalytics_CL
    | where TimeGenerated > ago(7d)
    | where SubType_s == 'FlowLog'
    | where SrcIP_s in (c2_ips) or DestIP_s in (c2_ips)
    | project TimeGenerated, Source='NSGFlowLog', SrcIP=SrcIP_s, DstIP=DestIP_s,
              DstPort=tostring(DestPort_d), Action=FlowStatus_s, Detail=FlowType_s)
| order by TimeGenerated desc
✅ Recommended Actions
→ Immediately block all five C2 IPs at the perimeter firewall, NGFW, and cloud security group level
→ Conduct a retrospective 30-day hunt across all network logs for historical connections to these IPs (the queries above use ago(7d); widen to ago(30d) and confirm your retention covers it)
→ Escalate any positive hit to Incident Response, with priority on SWIFT-connected systems and core banking infrastructure; an allowed outbound connection ranks above a denied one
→ Share the IOCs with CERT-FR and the sectoral ISAC for coordinated response
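The 30-day retrospective hunt often has to run against exported firewall logs rather than a live SIEM (retention tiers, an archived appliance, a partner's dump). The following added example, which is not part of the report, parses CEF-formatted firewall records, matches both directions against the five C2 addresses, labels flow direction and whether the connection was allowed, and orders hits so that allowed outbound connections come first. The sample log lines, the internal address ranges, the hostnames and the user names are constructed for illustration.

```python
"""Retrospective match of exported firewall logs against the five C2 IPs.

Added example, not part of the report. Runs offline over CEF lines
constructed here; point it at a CommonSecurityLog export or a syslog
dump in production. Sample lines and internal ranges are assumptions.
"""
import re
from ipaddress import ip_address, ip_network

C2_IPS = {
    "162.243.103.246", "50.16.16.211", "34.204.119.63",
    "178.62.3.223", "27.133.154.218",
}

# Assumed internal ranges; used only to label flow direction.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample records, not real telemetry.
SAMPLE_LOGS = """\
May  4 08:12:01 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.2|traffic|TRAFFIC|3|src=10.20.5.17 dst=162.243.103.246 spt=51422 dpt=443 proto=TCP act=allow suser=jdupont
May  4 08:13:44 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.2|traffic|TRAFFIC|3|src=10.20.5.17 dst=34.204.119.63 spt=51431 dpt=8080 proto=TCP act=deny
May  4 08:20:09 fw02 CEF:0|Fortinet|FortiGate|7.2|00013|traffic|5|src=178.62.3.223 dst=172.16.40.12 spt=40001 dpt=445 proto=TCP act=deny msg=inbound SMB blocked
May  4 08:21:30 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.2|traffic|TRAFFIC|3|src=10.20.5.18 dst=142.250.74.46 spt=51500 dpt=443 proto=TCP act=allow suser=mleroy
"""

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")           # CEF header fields are '|' separated, '\|' is literal
_EXT_KV = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")  # key=value pairs; values may contain spaces


def parse_cef(line):
    """Parse one CEF record into a dict; returns None for non-CEF lines."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = _HEADER_SPLIT.split(line[idx:], maxsplit=7)
    if len(parts) != 8:
        return None
    rec = {
        "vendor": parts[1], "product": parts[2], "version": parts[3],
        "signature": parts[4], "name": parts[5], "severity": parts[6],
    }
    for key, value in _EXT_KV.findall(parts[7]):
        rec[key] = value.replace(r"\=", "=").replace(r"\\", "\\")
    return rec


def _is_internal(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL)


def c2_hits(log_text):
    """Return every record touching a C2 IP, tagged with direction and whether it was allowed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_cef(line)
        if not rec:
            continue
        src, dst = rec.get("src", ""), rec.get("dst", "")
        if src not in C2_IPS and dst not in C2_IPS:
            continue
        direction = "outbound" if dst in C2_IPS and _is_internal(src) else "inbound"
        allowed = rec.get("act", "").lower() in ("allow", "accept", "permit")
        hits.append({
            "timestamp": line[:15],
            "direction": direction,
            "internal_host": src if direction == "outbound" else dst,
            "c2_ip": dst if direction == "outbound" else src,
            "port": rec.get("dpt"),
            "allowed": allowed,
            "user": rec.get("suser"),
        })
    # Allowed outbound connections are the ones that warrant IR escalation first.
    hits.sort(key=lambda h: (not h["allowed"], h["direction"] != "outbound"))
    return hits


if __name__ == "__main__":
    for hit in c2_hits(SAMPLE_LOGS):
        print(hit)
```

A denied inbound SMB attempt from 178.62.3.223 is still worth recording (it shows the actor scanning for T1021.002 targets), but the allowed HTTPS session from a workstation to 162.243.103.246 is the one that goes to Incident Response first.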
#3

Critical Vulnerability Exploitation Risk โ€” cPanel, ScreenConnect, and Linux Kernel

Severity: HIGH | Attributed actor: APT28

CISA advisories covering the Linux kernel, cPanel/WHM/WP2, and ConnectWise ScreenConnect describe exploitation vectors that the report attributes to APT28 and FIN6 for initial access and privilege escalation in financial-sector environments. French institutions running internet-exposed management interfaces (ScreenConnect, WHM) or unpatched Linux hosts are at elevated risk; ScreenConnect in particular hands an attacker an interactive remote-control channel into every managed endpoint once the server is compromised.

🔴 Indicators of Compromise
IP  50.16.16.211   C2 associated with exploitation follow-on activity: AWS hosted (also listed under #2)
IP  34.204.119.63  C2 used post-exploitation for payload staging (also listed under #2)
🟣 MITRE ATT&CK TTPs
T1190 Exploit Public-Facing Application
T1068 Exploitation for Privilege Escalation
T1133 External Remote Services
T1059.004 Command and Scripting Interpreter: Unix Shell
🟢 Hunt Queries
MDE Detect ScreenConnect or cPanel Process Anomalies

Identifies suspicious child processes spawned by ScreenConnect or web server processes indicative of exploitation.

// ScreenConnect.Service.exe is the server-side service that CVE-2024-1709 is exploited through;
// the agent processes alone miss the server. cpsrvd is the daemon that serves cPanel/WHM.
// Expect noise from cPanel's own maintenance scripts; tune with an allow-list of known command lines.
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName in~ ('ScreenConnect.Service.exe','ScreenConnect.ClientService.exe','ScreenConnect.WindowsClient.exe','cpsrvd','cpaneld','whostmgrd')
    or InitiatingProcessCommandLine has_any ('screenconnect','cpanel','whm')
| where FileName in~ ('cmd.exe','powershell.exe','pwsh.exe','bash','sh','python','python3','wget','curl')
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by TimeGenerated desc
SENTINEL Detect Linux Kernel Exploitation and Privilege Escalation Indicators

Hunts for syslog indicators of kernel exploit attempts (oops and crash traces) and unexpected privilege escalation on Linux hosts. auditd records, where uid=0/euid=0 transitions are actually logged, reach this table only if they are forwarded to syslog; otherwise query the audit log source directly.

// 'exploit', 'privilege' and 'setuid' are deliberately broad and will need per-environment tuning.
// Failed kernel exploit attempts typically leave segfault, 'kernel BUG', 'general protection fault'
// or 'Call Trace' lines from the kern facility.
Syslog
| where TimeGenerated > ago(7d)
| where Facility == 'kern' or ProcessName in ('sudo','su','bash','sh')
| where SyslogMessage has_any ('segfault','kernel BUG','general protection fault','Call Trace','exploit','privilege','uid=0','euid=0','setuid')
| project TimeGenerated, HostName, Facility, ProcessName, SyslogMessage
| order by TimeGenerated desc
✅ Recommended Actions
→ Apply all available patches as emergency priority: ConnectWise ScreenConnect (CVE-2024-1709 authentication bypass and CVE-2024-1708 path traversal, both fixed in 23.9.8; on-premises servers must be updated by hand), cPanel/WHM, and the Linux kernel
→ Audit internet-exposed management interfaces and restrict access to known IP ranges or VPN only
→ Deploy detection rules for ScreenConnect and cPanel process anomalies across all managed endpoints
→ Engage the vulnerability management team for an immediate scan of all Linux systems for kernel patch compliance
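The first two actions need an inventory of which ScreenConnect servers are still below the fixed build. The following added example, which is not part of the report, classifies ScreenConnect instances against the 23.9.8 fix from the version string the server reports. It assumes the instance exposes its build in the HTTP Server header as "ScreenConnect/<version>" (confirm against your own instance); the inventory of hostnames and headers is constructed for illustration, and only the parsing and comparison run offline.

```python
"""Triage ScreenConnect instances for CVE-2024-1709 / CVE-2024-1708 by version.

Added example, not part of the report. ConnectWise fixed both CVEs in
ScreenConnect 23.9.8; 23.9.7 and earlier on-premises builds are affected.
Assumption: the instance reports its build in the HTTP 'Server' header as
'ScreenConnect/<version>'. The sample inventory below is constructed.
"""
import re
import urllib.error
import urllib.request

FIXED_VERSION = (23, 9, 8)
_SERVER_RE = re.compile(r"ScreenConnect/(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(server_header):
    """Extract the numeric version tuple from a Server header, or None."""
    if not server_header:
        return None
    m = _SERVER_RE.search(server_header)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def triage(server_header):
    """Classify one Server header as 'vulnerable', 'patched' or 'unknown', with a reason."""
    version = parse_version(server_header)
    if version is None:
        return "unknown", "no ScreenConnect version in Server header"
    # Compare only major.minor.patch; the trailing build number and hash do not matter.
    core = version[:3] + (0,) * (3 - len(version[:3]))
    label = ".".join(str(p) for p in version)
    if core < FIXED_VERSION:
        return "vulnerable", f"ScreenConnect {label} predates the 23.9.8 fix"
    return "patched", f"ScreenConnect {label} is 23.9.8 or later"


def fetch_server_header(url, timeout=5):
    """HEAD the instance and return its Server header; None if unreachable.

    A 4xx response still carries headers, so it is read from the HTTPError.
    Not exercised offline; use it to populate a real inventory.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Server")
    except urllib.error.HTTPError as err:
        return err.headers.get("Server")
    except (urllib.error.URLError, OSError):
        return None


# Constructed sample inventory (hypothetical hostnames): hostname -> observed Server header.
SAMPLE_INVENTORY = {
    "rmm-old.example.fr": "ScreenConnect/23.9.7.8804-a1b2c3d4",
    "rmm-new.example.fr": "ScreenConnect/23.9.8.8811-e5f6a7b8",
    "rmm-legacy.example.fr": "ScreenConnect/22.6.12.7941",
    "www.example.fr": "nginx/1.24.0",
}


def triage_inventory(inventory):
    """Map every host in the inventory to its (verdict, reason) pair."""
    return {host: triage(header) for host, header in inventory.items()}


if __name__ == "__main__":
    for host, (verdict, reason) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:24} {verdict:10} {reason}")
```

A "patched" verdict only says the server is past the fix; it says nothing about whether it was exploited before the update, which is what the process-anomaly hunt above and a review of ScreenConnect's own user list are for.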