Cybersecurity researchers have uncovered a sophisticated phishing campaign targeting government agencies and organizations worldwide, exploiting trusted cloud services and security tools to enhance credibility and evade detection.
The campaign, identified by Cyble Research and Intelligence Labs, demonstrates how threat actors are increasingly leveraging legitimate infrastructure to conduct malicious activities.
Advanced Evasion Techniques Target Government Entities
The phishing campaign initially targeted Hungary’s Computer Emergency Response Team (HunCERT), using carefully crafted URLs hosted on Amazon S3 buckets to appear legitimate and avoid detection.

The attackers employed a multi-layered approach, prefilling victim email addresses in username fields and integrating Cloudflare Turnstile as a CAPTCHA alternative to simulate human verification processes.
The phishing pages closely mimicked legitimate login portals, with URLs such as flyplabtk[.]s3.us-east-2.amazonaws.com containing specific targeting parameters.
These pages were designed to harvest credentials through mettcoint[.]com/js/error-200.php, subsequently presenting victims with fake error messages to maintain the illusion of legitimacy while successfully capturing sensitive information.
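The pattern described above (a page on shared cloud hosting whose URL carries the recipient's address for prefilling) can be checked at a mail gateway or in proxy logs. The sketch below is an added example, not code from Cyble or the original article. The function names, reason labels, the fragment check and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Shared-hosting suffixes seen in the page's IOCs (S3 buckets, onrender.com).
SHARED_HOST_RE = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$|\.onrender\.com$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def refang(url):
    """Undo common defanging (hxxp, [.]) and ensure a scheme so urlsplit finds the host."""
    url = url.strip().replace("[.]", ".")
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return url if SCHEME_RE.match(url) else "https://" + url


def assess_link(url, recipient):
    """Assess one link taken from a message delivered to `recipient`."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    shared = bool(SHARED_HOST_RE.search(host))
    # Addresses may be percent-encoded; the fragment check is an assumption
    # beyond the query-string form shown in the page's IOC table.
    blob = unquote(parts.query + " " + parts.fragment)
    carried = sorted({m.lower() for m in EMAIL_RE.findall(blob)})
    reasons = []
    if shared:
        reasons.append("shared-cloud-host")
    if carried:
        reasons.append("email-in-url")
    if recipient.lower() in carried:
        reasons.append("recipient-prefilled")
    return {"host": host, "emails": carried, "reasons": reasons,
            "suspicious": shared and bool(carried)}


# Constructed samples (not from the report): (link, recipient of the message).
SAMPLES = [
    ("example-bucket[.]s3.us-east-2.amazonaws.com/PLACEHOLDER/login.html"
     "?email=alice@agency.example", "alice@agency.example"),
    ("hxxps://example-app[.]onrender.com/page.html#user=bob%40corp.example",
     "bob@corp.example"),
    ("https://www.agency.example/docs/index.html", "alice@agency.example"),
]

if __name__ == "__main__":
    for link, rcpt in SAMPLES:
        print(assess_link(link, rcpt))
```

A hit on "recipient-prefilled" is the stronger signal, since legitimate shared-storage links rarely embed the recipient's own mailbox; the hosting suffix alone will match plenty of benign traffic.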
LogoKit Infrastructure Enables Global Targeting
Technical analysis revealed the campaign’s use of the LogoKit phishing kit, first identified in 2021, which automatically retrieves organizational branding through Clearbit’s Logo API and Google’s S2 Favicon service.
This automation allows threat actors to dynamically generate convincing phishing pages without manually updating logos or icons, making the operation highly scalable and efficient.
The campaign’s infrastructure centers around mettcoint[.]com, registered in October 2024 and actively used in phishing operations since February 2025.
Open directory analysis revealed multiple attack components, including a WeTransfer impersonation page and various PHP files used for credential harvesting.
The domain currently maintains zero detections on VirusTotal, enabling continued operations under the radar.
Widespread Impact Across Multiple Sectors
The investigation uncovered the campaign’s global reach, targeting diverse organizations, including Kina Bank in Papua New Guinea, religious institutions in the United States, and logistics companies in Saudi Arabia.
This broad targeting strategy demonstrates the threat actors’ ability to adapt their tactics across different geographical regions and industry sectors.
The ongoing nature of this campaign highlights the persistent threat posed by sophisticated phishing operations that leverage trusted cloud infrastructure.
The use of Amazon S3 for hosting and Cloudflare Turnstile for legitimacy represents an evolution in phishing tactics, making detection and prevention increasingly challenging for traditional security measures.
Organizations are advised to implement comprehensive security awareness training, deploy secure email gateways, and utilize multi-factor authentication to mitigate the risks associated with such sophisticated phishing campaigns.
The continued operation of the mettcoint[.]com domain underscores the urgent need for proactive threat intelligence and rapid response capabilities in combating evolving cyber threats.
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| flyplabtk[.]s3.us-east-2.amazonaws.com/q8T1vRzW3L7XpK0Mb9CfN6hJ2sUYgZAxewoQpHDVlt5BmnEjOrGiScFuYXdAv349/he-opas.html | URL | Phishing URL |
| hxxps://chyplast[.]onrender.com/clastk-chy.html | URL | Phishing URL |
| jstplastoss-bk.s3[.]us-east-2.amazonaws.com/z7WvKxGq4a9TnMf5Y2BpHJR6EL0udCXeNVwAQ8osIDU3bZymkgPtSjrh1FclXnOevYq29WRG45bTHVLuCMnAfKPZx0tdEJiSmgQUv7NAeO1XrYL3CHwbz5GKMpRtqsd9jo/auth-he-opas.html | URL | Phishing URL |
| ecowhizz.co[.]za/ecowhizz.co.zaza/he-opas.html?email=ict.apnic@au.saabgroup.com | URL | Phishing URL |
| mettcoint[.]com | URL | C&C |





