LogoKit
LogoKit is a phishing kit first identified in 2021. It is characterized by phishing URLs that embed the victim’s email address and by dynamically personalizing lure pages through real-time brand asset retrieval, including logos from Clearbit’s Logo API and favicons from Google’s S2 Favicon service. Reported LogoKit pages impersonate trusted organizations and prefill the victim’s email address in the login form to increase credibility and improve credential theft success.
Recent reporting describes ongoing LogoKit-based phishing campaigns that hosted phishing pages on trusted infrastructure such as Amazon S3 and used Cloudflare Turnstile to create a false sense of legitimacy while harvesting credentials. One documented lure impersonated HunCERT, Hungary’s national CERT, and submitted stolen credentials to attacker-controlled PHP endpoints on mettcoint[.]com, including /js/error-200.php; a related WeTransfer-themed flow posted credentials to /css/nk/error-404.php. Victims were then shown fake submission errors. An open directory on mettcoint[.]com reportedly exposed multiple phishing components, and the domain was described as a credential collection domain used in broader phishing activity.
The campaign was reported as globally targeted, including banking and logistics organizations, with examples impersonating HunCERT, Kina Bank in Papua New Guinea, the Catholic Church in the United States, and logistics companies in Saudi Arabia. Reported infrastructure and IOCs associated with this activity include mettcoint[.]com, flyplabtk[.]s3.us-east-2.amazonaws.com, jstplastoss-bk.s3[.]us-east-2.amazonaws.com, chyplast[.]onrender.com, and ecowhizz.co[.]za/ecowhizz.co.zaza/he-opas.html.
Separate research also used LogoKit as the basis for a proof of concept showing how a phishing page with LogoKit-like behavior could be generated dynamically at runtime via client-side calls to LLM services. In that discussion, the original LogoKit behavior was described as using static JavaScript to personalize the lure from the victim’s email address in the URL and exfiltrate captured credentials to an attacker-controlled server.
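The personalization step described above (victim address in the URL, then a logo or favicon fetched for that address's domain) leaves a correlatable trace in web proxy logs. The following detection is an added example, not code from any of the cited reports or from Mallory; it runs over constructed log lines that reuse hosts named in the reporting above, while the paths, client addresses and victim addresses are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed proxy log lines (no real capture); hosts come from the reporting above,
# paths, victim addresses and client IPs are hypothetical. Format: client method url referer
SAMPLE_LOG = """\
10.0.0.5 GET https://flyplabtk.s3.us-east-2.amazonaws.com/index.html?email=alice%40examplebank.test -
10.0.0.5 GET https://logo.clearbit.com/examplebank.test https://flyplabtk.s3.us-east-2.amazonaws.com/index.html
10.0.0.5 POST https://mettcoint.com/js/error-200.php https://flyplabtk.s3.us-east-2.amazonaws.com/index.html
10.0.0.9 GET https://www.google.com/s2/favicons?domain=examplebank.test https://intranet.examplebank.test/
10.0.0.7 GET https://chyplast.onrender.com/login/bob@acme.test -
10.0.0.7 GET https://www.google.com/s2/favicons?domain=acme.test https://chyplast.onrender.com/login/bob@acme.test
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def email_domains_in_url(url):
    """Domains of e-mail addresses embedded in the URL path, query or fragment (proxies rarely log fragments)."""
    p = urlsplit(url)
    text = unquote(f"{p.path}?{p.query}#{p.fragment}")
    return {m.group(1).lower() for m in EMAIL_RE.finditer(text)}

def brand_asset_domain(url):
    """Brand domain requested from the Clearbit Logo API or Google S2 favicon service, else None."""
    p = urlsplit(url)
    if p.netloc == "logo.clearbit.com":
        return p.path.strip("/").split("/")[0].lower() or None
    if p.netloc == "www.google.com" and p.path == "/s2/favicons":
        d = parse_qs(p.query).get("domain")
        return d[0].lower() if d else None
    return None

def find_logokit_style_lures(log_text):
    """Alert when a client loads a URL carrying an e-mail address and a page on an unrelated
    host then fetches that address's brand logo/favicon: LogoKit's personalization step."""
    seen = defaultdict(dict)  # client -> {email domain: URL that carried the address}
    alerts = []
    for line in log_text.splitlines():
        client, _method, url, _referer = line.split(" ", 3)
        for dom in email_domains_in_url(url):
            seen[client][dom] = url
        brand = brand_asset_domain(url)
        if brand and brand in seen[client]:
            lure = seen[client][brand]
            # A site fetching its own brand assets is normal; a third-party host doing so after
            # receiving the victim's address in the URL is the suspicious pattern.
            if not urlsplit(lure).netloc.endswith(brand):
                alerts.append({"client": client, "lure": lure, "asset": url, "brand": brand})
    return alerts
```

The intranet client (10.0.0.9) fetching its own company's favicon produces no alert; the two clients that first loaded an address-bearing URL on an unrelated host do.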
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 2 techniques
Initial Access: 2 techniques
Stealth: 1 technique. The credential-harvesting page queries sources such as business data aggregators and simple favicon lookup services to fetch the logo and other branding elements of the company being impersonated, sometimes even adding subtle visual cues or contextual details that further boost the ploy's aura of authenticity.
Credential Access: 2 techniques
Collection: 2 techniques
Command and Control: 1 technique
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory. Indicator categories: IPs, domains, and DNS infrastructure linked to this family; other indicator types observed in public reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A phishing kit/campaign that uses JavaScript to transform a benign-looking web form into a brand-impersonating phishing page, personalizes content based on victim email, and exfiltrates captured credentials to an attacker-controlled server.
A phishing kit used to generate credential-harvesting pages that dynamically pull victim-brand logos (e.g., via Clearbit Logo API and Google S2 Favicon) and often prefill the victim’s email in the URL/username field to increase credibility and scale campaigns.