Phishing remains one of the simplest yet most effective cyber‑attacks out there – and spotting the infrastructure behind it can make all the difference. Recently, our Cypex AIM platform flagged an OVH-hosted IP in France that was quietly serving up dozens of “.es” domains posing as legitimate Spanish sites. Weeks before this IP showed up on any public blocklist, we’d already calculated its high risk and alerted our users.
- February 22, 2025: Cypex AIM flagged IP 51.210.156[.]30 – an OVH‑hosted server in France – as “high risk” based on emerging behavioral indicators.
- March 13, 2025: That IP finally appeared on public feeds as an IOC – three weeks after our initial detection.
Infection Chain
- ZIP → Malicious DLL → Shellcode: The attached ZIP unpacked a DLL that ran an initial shellcode.
- Embedded C2 IPs: That shellcode contained C2 server IPs and downloaded a secondary shellcode.
- Fortinet’s Public Report (Feb 27, 2025): Listed several C2 IP addresses, domain names (e.g. twzfw[.]vip) and hashes.
Technical Findings
- Server Fingerprint: An active scan found multiple services running on the host (Nginx, Apache HTTP Server, Dovecot, ProFTPD, OpenSSH 8.0, Plesk Sw Cp Server).
- Domain Cluster: Dozens of domains have resolved to 51.210.156[.]30 in recent months, predominantly “.es” sites.
- Behavioral Signals: Unusual “human‑like” interaction patterns, and the use of one‑time registration tools (temporary e‑mail services) that is common in this type of activity.
- Proactive Detection: By surfacing this infrastructure almost a month before public blocklists, Cypex AIM enabled proactive alerts to clients running Spanish-facing networks – dramatically shrinking the window of exposure.
- Phishing Evidence: Screenshots captured of the phishing pages showed suspicious-looking websites.
1. Data Collection
- Passive Sensors: We deploy human‑behavior sensors across data centers, VPNs, TOR exit nodes and select ISPs to capture real traffic patterns and service banners.
- Active Scanning Grid: Daily, we scan the entire IPv4 space on over 3,000 TCP/UDP ports—pulling banners, CPE metadata, SSH keys, TLS certificates and more.
- Domain Intelligence: Continuous harvesting of new FQDNs (via DNS resolvers, CT logs) plus weekly zone‑wide sweeps keeps our domain inventory up to date.
2. Central CTI Data Lake
- All raw feeds are ingested into a multi‑tenant, schema‑driven store with full lineage and “first seen/last seen” metadata—so you always know how fresh each indicator is.
3. Analytics & Risk Scoring
- Static Features: WHOIS age, lexical profiles (entropy, homoglyphs), DNS anomalies, certificate metadata, hosting reputation.
- Behavioral Features: Traffic spikes, honeypot captures, human vs. bot tagging.
- ML & Graph Correlation: Supervised classifiers for phishing, malware, spam and DGA detection; graph‑based propagation of risk across shared IPs, nameservers and registrants.
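As an added illustration of the static lexical features listed above (this is example code written for this post, not Cypex AIM's scoring logic), the following script extracts entropy, digit and hyphen density, and mixed-script homoglyph signals from a domain label and folds them, together with a WHOIS age supplied by the caller, into a simple weighted risk score. The sample domains, the feature weights and the `whois_age_days` parameter are all constructed for the example; the homoglyph sample uses a Cyrillic “а” (U+0430) in place of the Latin “a”.

```python
import math
import unicodedata
from collections import Counter

# Constructed sample domains (not indicators from the original post).
# The second entry swaps the Latin "a" for Cyrillic U+0430, the third is the
# same name in its punycode (xn--) form, and the last is a DGA-style label.
SAMPLE_DOMAINS = [
    "banco-ejemplo.es",
    "b\u0430nco-ejemplo.es",
    "b\u0430nco-ejemplo.es".encode("idna").decode("ascii"),
    "xk7qpz92mvb4ht.es",
]


def shannon_entropy(label):
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def to_unicode_label(label):
    """Decode a punycode label so the homoglyph check sees the real characters."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            return label
    return label


def scripts_used(label):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) among the letters."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def lexical_features(domain):
    """Static lexical profile of the registrable (second-level) label."""
    labels = domain.lower().rstrip(".").split(".")
    tld = labels[-1]
    sld = to_unicode_label(labels[-2] if len(labels) >= 2 else labels[0])
    return {
        "sld": sld,
        "tld": tld,
        "length": len(sld),
        "entropy": round(shannon_entropy(sld), 3),
        "digit_ratio": sum(ch.isdigit() for ch in sld) / max(len(sld), 1),
        "hyphens": sld.count("-"),
        "mixed_script": len(scripts_used(sld)) > 1,
        "non_ascii": any(ord(ch) > 127 for ch in sld),
        "label_count": len(labels),
    }


def static_score(features, whois_age_days):
    """Constructed weighting of the static features into a 0-100 risk score.
    whois_age_days is supplied by the caller (None if WHOIS is unavailable)."""
    score = 0
    if features["mixed_script"]:
        score += 40          # Latin/Cyrillic mix is a strong homoglyph signal
    elif features["non_ascii"]:
        score += 15          # IDN on its own is only a weak signal
    if features["entropy"] > 3.5 and features["length"] >= 12:
        score += 25          # long, high-entropy label: DGA-like
    if features["digit_ratio"] > 0.3:
        score += 10
    if features["hyphens"] >= 2:
        score += 10
    if whois_age_days is not None and whois_age_days < 30:
        score += 20          # freshly registered
    return min(score, 100)


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        f = lexical_features(d)
        print(f"{d:40} entropy={f['entropy']:.2f} mixed={f['mixed_script']} "
              f"score(age=10d)={static_score(f, 10)}")
```

Run as a script it prints one line per sample domain; in practice the WHOIS age, hosting reputation and certificate metadata would come from the data lake rather than from a hard-coded argument, and the weights would be learned rather than guessed.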
4. Real‑Time API & Dashboard
- Domain/IP Lookup: Instantly retrieve risk scores, tags, historical changes, related assets and raw banner data.
- Bulk Export & Webhooks: Automate alerts into SIEM/SOAR workflows (e.g., Palo Alto Cortex) or schedule regular CSV/API reports.
- AIM Dashboard: Interactive maps, time‑series histograms, risk‑trend KPIs and “human vs. bot” traffic sliders give you full visibility at a glance.
5. Alerting & Integration
- Set custom rules (e.g., “new .es domain <30 days old resolving on my ranges”) and receive email/SMS/webhook notifications the moment something risky appears.
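To show how the custom rule quoted above (“new .es domain <30 days old resolving on my ranges”) can be evaluated against resolution records carrying the data lake's first seen/last seen metadata, and how the same records yield the per-IP domain cluster view from the Technical Findings, here is an added example written for this post rather than Cypex AIM's own rule engine. All records, the `Resolution`/`Rule`/`Alert` types and the monitored ranges are constructed; the IPs come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Resolution:
    """One observed A record with the first-seen/last-seen metadata kept per indicator."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date
    registered: Optional[date]   # WHOIS creation date, None when unknown


@dataclass
class Rule:
    """Custom alert rule: optional TLD filter, maximum age, and monitored ranges."""
    name: str
    tld: Optional[str]
    max_age_days: Optional[int]
    ranges: List[str]


@dataclass
class Alert:
    rule: str
    domain: str
    ip: str
    age_days: int
    cluster_size: int   # number of domains sharing the same IP in the data set


# Constructed sample records (not from the original post); 192.0.2.0/24 and
# 203.0.113.0/24 are RFC 5737 documentation ranges used as placeholders.
SAMPLE_RECORDS = [
    Resolution("banco-ejemplo-verificar.es", "192.0.2.10",
               date(2025, 3, 1), date(2025, 3, 9), date(2025, 2, 25)),
    Resolution("correos-entrega-paquete.es", "192.0.2.10",
               date(2025, 3, 3), date(2025, 3, 9), None),
    Resolution("ayuntamiento-ejemplo.es", "192.0.2.10",
               date(2024, 6, 1), date(2025, 3, 9), date(2019, 4, 2)),
    Resolution("example.com", "192.0.2.10",
               date(2025, 3, 2), date(2025, 3, 9), date(1995, 8, 14)),
    Resolution("tienda-nueva.es", "203.0.113.5",
               date(2025, 3, 5), date(2025, 3, 9), date(2025, 3, 1)),
]

NEW_ES_RULE = Rule(name="new .es domain on my ranges",
                   tld="es", max_age_days=30, ranges=["192.0.2.0/24"])


def domain_age_days(rec, today):
    """Age from the WHOIS creation date when known, else from first observation."""
    return (today - (rec.registered or rec.first_seen)).days


def cluster_by_ip(records):
    """Group domains by resolved IP: the 'domain cluster' view of one host."""
    clusters = defaultdict(set)
    for rec in records:
        clusters[rec.ip].add(rec.domain.lower().rstrip("."))
    return clusters


def rule_matches(rule, rec, today):
    domain = rec.domain.lower().rstrip(".")
    if rule.tld and not domain.endswith("." + rule.tld.lower()):
        return False
    if rule.max_age_days is not None and domain_age_days(rec, today) >= rule.max_age_days:
        return False
    nets = [ip_network(r) for r in rule.ranges]
    if nets and not any(ip_address(rec.ip) in n for n in nets):
        return False
    return True


def evaluate(records, rule, today):
    """Return one Alert per record matching the rule, annotated with its cluster size."""
    clusters = cluster_by_ip(records)
    return [
        Alert(rule.name, rec.domain, rec.ip, domain_age_days(rec, today), len(clusters[rec.ip]))
        for rec in records
        if rule_matches(rule, rec, today)
    ]


def demo_alerts():
    """Evaluate the sample data as of a fixed (constructed) date."""
    return evaluate(SAMPLE_RECORDS, NEW_ES_RULE, date(2025, 3, 10))


if __name__ == "__main__":
    for a in demo_alerts():
        print(f"[{a.rule}] {a.domain} -> {a.ip} age={a.age_days}d cluster={a.cluster_size}")
```

With the sample data the old municipal site, the non-.es domain and the domain outside the monitored range are all filtered out, leaving two fresh .es names on the same host; the cluster size on each alert is what lets an analyst pivot from one hit to every other domain sharing that IP.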
Cypex AIM detected a phishing infrastructure weeks before public blocklists, enabling early alerts and reduced exposure. By combining passive data, active scanning, and ML analytics, AIM quickly flagged suspicious behavior and domain clusters—giving defenders a critical head start.