Retrace Cyber Labs

This is a targeted campaign during the time of the tax payments etc. Stay vigilant and stay safe. #cybersecurity #phishing #HMRC #securityalert #infosec #scamalert #threatintelligence #RetraceLabs

hmrc[.]govukaccts[.]com - fertug[.]com, hmrc[.]fertug[.]com - govukemploystatus[.]com, hmrc[.]govukemploystatus[.]com - govukemployment[.]com, hmrc[.]govukemployment[.]com (Part 4)

🚨Phishing Alert 🚨 We identified a cluster of domains actively engaged in a HMRC phishing campaign. All of these are hosted on 78.159.131.6. IP address. More details and IOCs: (Part 1)

- Domains: - uk-accountants-payable[.]com, gov[.]uk-accountants-payable[.]com - xrphldlco[.]com, www[.]xrphldlco[.]com - govukaccts[.]com, hmrc[.]govukaccts[.]com - fertug[.]com, hmrc[.]fertug[.]com - govukemploystatus[.]com, hmrc[.]govukemploystatus[.]com

- TLS Certificate: Issued by R10 on February 18th, 2025, valid for 3 months. - Hostname: 43771[.]ip-ptr[.]tech - Shared Infrastructure: All domains share the same IP address: 78[.]159[.]131[.]6 . City: Tirana, Province: Tirana, Country: Albania. (part 2)