Inside Morphing Meerkat and Proton66: How Cybercrime Is Getting Easier
In this episode of Breaking Badness, the crew investigates two escalating threats in the cybercrime ecosystem: the cleverly named phishing-as-a-service platform Morphing Meerkat, and the bulletproof hosting provider Proton66, a favorite among amateur cybercriminals.
First, they dig into how Morphing Meerkat uses DNS-over-HTTPS (DoH) and clever phishing kits to evade detection. Then, they shift focus to Proton66, a Russia-based bulletproof host that shelters a new generation of low-skill attackers, including a threat actor known as “ette” with ties to a group called Horrid.
Morphing Meerkat: Phishing-as-a-Service Gets an Upgrade
This week, the Breaking Badness crew explored a phishing-as-a-service (PhaaS) operation called Morphing Meerkat, a platform using DNS-over-HTTPS (DoH) to evade detection.
According to Tim Helming, Morphing Meerkat represents a growing trend where phishing kits are no longer built for elite hackers:
“You don’t have to have a lot of technical knowledge… you pay the sellers some money and then you sit back and reap the rewards.”
The phishing campaign uses a multi-stage process:
- Mass spam emails with links
- An MX record lookup via DoH to determine the user’s email provider
- A customized fake login page with branding that matches their provider (e.g. Outlook, AOL)
- A forced password retry screen, so the victim types the password a second time and the captured credentials are more likely to be correct
- The stolen credentials are then exfiltrated to the operator via email or a Telegram bot
Why DNS-over-HTTPS (DoH) matters:
DoH wraps DNS queries in ordinary HTTPS traffic, so the kit’s MX lookups bypass the enterprise resolver and its logging and filtering, making them much harder for defenders to inspect or block.
Proton66 and Coquette: Bulletproof Hosting for Amateur Cybercriminals
Next, Ian Campbell shared research from DomainTools on Proton66, a Russia-based bulletproof hosting provider.
“Bulletproof hosts are like the cool mom… if you also give mom your share of illicit goods,” Campbell joked.
Unlike more discreet hosting services, Proton66 openly tolerates malware, phishing sites, and criminal activity. Investigators found it to be a haven for low-skill attackers who otherwise might not be able to maintain their own infrastructure.
One such actor is Coquettte (or “ettte” with three Ts), who was traced back to Proton66 via an OPSEC failure.
How was Coquettte exposed?
- Hosted a fake antivirus product called Cyber Secure Pro
- Forgot to disable directory listing on the site, exposing malware, scripts, and infrastructure
- Pivoting from this led researchers to several related domains and shared analytics tags
- Revealed a loose affiliation with the group Horrid, described as a “cybercriminal collective fostering amateur threat actors”
“Whenever you take someone who has curiosity and a group that gives them belonging… that raises them from low-level actors to more dangerous ones,” said Campbell.
Why This Matters for Defenders
While Morphing Meerkat shows how phishing tools are becoming more sophisticated, Proton66 highlights the importance of behavioral detection and monitoring low-skill attacker infrastructure.
“This isn’t nation-state level tradecraft,” Helming noted, “but it’s still effective, and more people can do it now.”
Recommendations for defenders:
- Don’t ignore amateur attacker behavior. Coquettte-style actors are often overlooked but represent a growing risk.
- Maintain DNS visibility. Limit or monitor DoH usage in the enterprise.
- Use tools that allow domain pivoting, infrastructure mapping, and behavioral analysis of low-tier actors.
- Continue end-user phishing education. While not foolproof, it’s still a front-line defense.
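As an added defender-side example covering both the Morphing Meerkat MX-lookup stage described above and the recommendation to monitor DoH usage, the following Python script decodes DNS-over-HTTPS requests (RFC 8484: a `dns=` base64url parameter on GET, or an `application/dns-message` body on POST) found in web-proxy logs and reports which names and record types were looked up. This is not code from the podcast or from DomainTools; the `ProxyRecord` layout, the host names and the sample records are constructed assumptions, and the DNS parser only handles the question section.

```python
"""Flag DNS-over-HTTPS (RFC 8484) requests in web-proxy logs and decode the DNS
question they carry, so MX lookups made over DoH become visible to defenders."""
import base64
import struct
from dataclasses import dataclass

# RFC 1035/3596 QTYPE values we care about; anything else is reported as TYPE<n>.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 65: "HTTPS"}


@dataclass
class ProxyRecord:
    """Assumed shape of one proxy log record (hypothetical, not a real log format)."""
    host: str          # destination host of the HTTPS request
    method: str        # GET or POST
    path: str          # request path including any query string
    content_type: str  # Content-Type (POST) or Accept (GET) seen on the request
    body: bytes = b""  # request body, if the proxy captured one


def build_dns_query(qname: str, qtype: int) -> bytes:
    """Build a minimal DNS wire-format query. Used here only to construct sample data."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, RD flag, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(msg: bytes) -> tuple[str, str]:
    """Return (qname, qtype_name) from the first question of a DNS wire message."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 2 > len(msg):
        raise ValueError("truncated qtype")
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels), QTYPES.get(qtype, f"TYPE{qtype}")


def extract_doh_message(rec: ProxyRecord):
    """Return the raw DNS message carried by a DoH request, or None if it is not DoH."""
    if rec.method == "POST" and rec.content_type == "application/dns-message":
        return rec.body
    if rec.method == "GET" and "?" in rec.path:
        for part in rec.path.split("?", 1)[1].split("&"):
            key, _, value = part.partition("=")
            if key == "dns":  # RFC 8484 GET: base64url without padding
                return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    return None


def find_doh_lookups(records):
    """Return (doh_endpoint, qname, qtype) for every DoH request; undecodable
    messages are still reported so an analyst can look at them."""
    findings = []
    for rec in records:
        msg = extract_doh_message(rec)
        if msg is None:
            continue
        try:
            qname, qtype = parse_question(msg)
        except ValueError as err:
            findings.append((rec.host, "undecodable", str(err)))
            continue
        findings.append((rec.host, qname, qtype))
    return findings


def _b64url(msg: bytes) -> str:
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode()


# Constructed sample log records: one DoH MX lookup over GET, one DoH A lookup over
# POST, one ordinary web request, and one malformed DoH GET.
SAMPLE_RECORDS = [
    ProxyRecord("resolver.example.test", "GET",
                "/dns-query?dns=" + _b64url(build_dns_query("victim-mail.example.test", 15)),
                "application/dns-message"),
    ProxyRecord("resolver.example.test", "POST", "/dns-query", "application/dns-message",
                build_dns_query("www.example.test", 1)),
    ProxyRecord("www.example.test", "GET", "/index.html?id=1", "text/html"),
    ProxyRecord("resolver.example.test", "GET", "/dns-query?dns=AAAA", "application/dns-message"),
]

if __name__ == "__main__":
    for endpoint, qname, qtype in find_doh_lookups(SAMPLE_RECORDS):
        print(f"DoH via {endpoint}: {qname} {qtype}")
```

In a real deployment the records would come from the proxy or TLS-inspection layer rather than be constructed inline; an MX query to a domain you own, issued by a workstation through a third-party DoH resolver, is exactly the signal the Morphing Meerkat flow produces and is worth alerting on.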
That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
A special thanks to John Roderick for our incredible podcast music!