PTI-252 Group Indicators of Compromise (IOC)

These IOCs were released as part of PTI team research.

PTI-252 consists of an interactive phishing panel with fake DHL payment pages. The panel lets the attacker interact with the victim in real time by manually redirecting the victim to a fake credit card payment page and a verification code page. After the victim enters credit card information, the attackers can show the victim fake payment error codes to force the victim to enter the details of another card.

Having received the victim's credit card details, the attackers use them to withdraw funds, and the victim receives a notification on their phone with a verification code. Using the panel, the threat actors redirect the victim to a fake payment confirmation page, forcing the victim to submit that confirmation code. All information, including credit card details, confirmation codes and the victim's IP address, is displayed in the panel.

If the victim cannot use a credit card, the attackers redirect the victim to a fake cryptocurrency payment page. On this page the payment amount is shown as 1.85 euros, but the amount the victim is asked to copy and send is 0.04704 bitcoins, equivalent to more than a thousand dollars.

The domain names of the PTI-252 DHL phishing pages are collected in this repository.
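As an added defensive example (not part of the PTI-252 release), the script below flags DNS queries for names that share the shape of these lure domains: a leading `dhl` label on a registered domain the carrier does not own, often followed by a tracking-number-like label in which a lowercase `l` stands in for `1`. The sample log lines, the log line format and the allow-list of legitimate DHL domains are constructed assumptions.

```python
import re

# Constructed DNS-query log lines for this demonstration (not from the PTI-252 release).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 A dhl.041594212.bookluxurygh.com
2024-03-01T10:00:02Z 10.0.0.5 A www.dhl.com
2024-03-01T10:00:03Z 10.0.0.9 A dhl.com-id034223449595.covidopedia.com
2024-03-01T10:00:04Z 10.0.0.7 A dhl.be.038551544l54.yuhsun887.com
2024-03-01T10:00:05Z 10.0.0.7 A mail.example.org
2024-03-01T10:00:06Z 10.0.0.8 A dhl.express.vaysieutoc88.com
"""

# Assumption: registered domains the carrier actually owns; extend from your own allow-list.
LEGIT_REGISTERED = {"dhl.com", "dhl.de"}

# A label shaped like a tracking/reference number: six or more digits, a lowercase "l"
# sometimes standing in for "1", optionally prefixed com-id/de-id/de-nr/id- as in the lure names.
TRACKING_LABEL = re.compile(r"^(?:(?:com|de)-(?:express-)?(?:id|nr)|id-?)?[0-9l]{6,}$")

# Log line format assumed here: <timestamp> <client-ip> <qtype> <qname>
LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+)$")

def registered_domain(host):
    """Last two labels only; use a public-suffix list for multi-part TLDs such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host):
    """Return a reason string when the name has the PTI-252 DHL lure shape, else None."""
    labels = host.lower().rstrip(".").split(".")
    if labels[0] != "dhl" or registered_domain(host) in LEGIT_REGISTERED:
        return None
    # A brand label on a domain the brand does not own is suspicious on its own ...
    reason = "dhl label on unrelated domain " + registered_domain(host)
    # ... and a tracking-number-like label between it and the registered domain is the lure shape.
    if any(TRACKING_LABEL.match(lbl) for lbl in labels[1:-2]):
        reason += "; tracking-number-like label"
    return reason

def scan(log):
    """Return (client, qname, reason) for each log line whose query name matches."""
    hits = []
    for line in log.splitlines():
        m = LINE.match(line)
        reason = m and classify(m["qname"])
        if reason:
            hits.append((m["client"], m["qname"], reason))
    return hits
```

The registered-domain split is deliberately naive; in production resolve the registrable domain with a public-suffix list so names under multi-part TLDs are not misclassified.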
