Command-and-Control Panel

A Rare Look Inside the Command-and-Control Panel Behind Modern Phishing Operations

Introduction

What if phishing wasn’t just a fake login page, but an entire Command-and-Control (C2) panel orchestrating every stage of a credential harvesting operation?

When phishing attacks are discussed, the focus is often on deceptive emails or fake login pages. However, these visible components represent only a small part of a much larger ecosystem operating behind the scenes.

During a recent threat intelligence investigation, the Threatactix research team identified an integrated phishing Command-and-Control (C2) panel that appeared to centralize multiple operational capabilities within a single web interface. Rather than relying on separate tools, the panel brought together campaign composition, phishing templates, email operations, lure generation, and activity management into a unified control environment.

The panel included templates impersonating widely used services such as Microsoft 365, Facebook, LinkedIn, Gmail, and PayPal, as well as modules for B2B email sending, email extraction, email validation, and phishing lure generation. It also included functionality for reviewing campaign activity and managing operational workflows, highlighting the increasing sophistication and operational maturity of modern phishing operations.

This research intentionally excludes infrastructure details, operational identifiers, and sensitive information. Instead, it focuses on understanding the panel’s capabilities and what they reveal about the evolution of modern phishing tradecraft.

Overview of the Integrated Command-and-Control (C2) Panel

The Command-and-Control (C2) panel analyzed during our investigation appeared to function as a centralized operational interface. Rather than supporting a single phishing page, it integrated multiple operational modules into one panel.

  1. Threat Actor Profile

Discovery – Advanced Toolsets on the C2 server – June 2026

During our OSINT analysis, on 6th June 2026, we identified an open directory (Open DIR) hosting multiple malicious tools and directories, which indicated that this is a significant threat actor using these toolsets for large-scale compromise attempts.

https://urlscan.io/result/019e9a09-c558-7309-830f-d2204e8e3049/

Figure: urlscan.io scan result, 6th June 2026 (screenshot)

Further revalidation revealed that this server was no longer reachable on 27th June 2026.

https://urlscan.io/result/019f0703-58bd-75ed-9379-a6367f7a4a3d/

Figure: urlscan.io scan result, 27th June 2026 (screenshot)

2. WachoGinx Web Panel – Demo

Based on the observed interface, the panel included functionality for:

  1. Cookie Manager
  2. B2B email sending
  3. Email extraction
  4. Email validation
  5. Phishing lure generation

Figure: WachoGinx web panel demo (screenshot)

Phishing Templates Observed

One of the most significant observations during our investigation was the diverse collection of phishing templates available within the Command-and-Control (C2) panel. The panel included preconfigured templates impersonating several widely used online services, allowing operators to quickly select and deploy different social engineering themes.

The variety of templates also suggests support for multiple phishing scenarios, enabling operators to target different audiences through a single centralized Command-and-Control (C2) panel.

 1. Microsoft 365

Microsoft 365 was one of the primary brands observed within the Command-and-Control (C2) panel. The panel contained multiple preconfigured templates impersonating legitimate Microsoft account notifications, including:

  1. Your Office 365 Password Will Expire Today
  2. Office 365 Password Reset

These templates leverage urgency and routine account maintenance themes to encourage users to verify their accounts or submit their credentials. Their presence highlights the continued use of trusted enterprise services as common impersonation targets in phishing operations.

Figure: Microsoft 365 phishing templates (screenshots)

 2. Facebook

The Command-and-Control (C2) panel included a Facebook Security Alert template designed to impersonate legitimate account security notifications. By prompting users to verify their accounts in response to a perceived security issue, this template leverages trust in the Facebook brand and the urgency associated with account protection.

Figure: Facebook Security Alert template (screenshots)

 3. LinkedIn

The Command-and-Control (C2) panel also contained a LinkedIn Profile View Notification template. By imitating legitimate profile activity alerts, this template uses user curiosity and familiarity with professional networking notifications to encourage interaction.

Figure: LinkedIn Profile View Notification template (screenshots)

 4. Gmail

The Command-and-Control (C2) panel included a Gmail Storage Full template that impersonates Google’s storage notifications. By creating a sense of urgency around limited mailbox capacity, the template encourages users to take immediate action to restore or maintain access to their email accounts.

Figure: Gmail Storage Full template (screenshot)

 5. PayPal

The Command-and-Control (C2) panel included a PayPal Account Limited template designed to mimic legitimate account restriction notifications. By prompting users to verify their account information, the template exploits concern about potential financial disruption and account access.

Figure: PayPal Account Limited template (screenshots)

The presence of multiple brands within the same Command-and-Control (C2) panel suggests support for diverse phishing scenarios through a unified operational interface.
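As an added, defender-side example (not code from the Threatactix write-up or from the panel itself), the following Python rule turns the lure themes listed above into a first-pass mail triage check: a subject matching one of the observed brand themes that arrives from a domain outside that brand's known senders is flagged as suspect. The brand-to-domain map and the sample From/Subject pairs are constructed assumptions for illustration.

```python
import re
from email.utils import parseaddr

# Lure themes from the templates described above, keyed to the impersonated brand.
LURE_THEMES = {
    "microsoft": [r"office ?365 .*password .*expire", r"office ?365 password reset"],
    "facebook": [r"facebook security alert"],
    "linkedin": [r"profile view", r"viewed your profile"],
    "gmail": [r"storage (is )?full"],
    "paypal": [r"account (has been )?limited"],
}
# Assumed legitimate sender domains per brand (populate from your own allowlist).
LEGIT_SENDER_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "facebook": {"facebookmail.com", "facebook.com"},
    "linkedin": {"linkedin.com"},
    "gmail": {"google.com"},
    "paypal": {"paypal.com"},
}
# Constructed sample From/Subject pairs in the style of the observed lures.
SAMPLES = [
    ("Microsoft 365 <no-reply@microsoft.com>", "Office 365 Password Reset"),
    ("IT Helpdesk <admin@mail-secure-login.example>", "Your Office 365 Password Will Expire Today"),
    ("PayPal <service@paypal.com>", "Your invoice is ready"),
    ("PayPal <alerts@paypal-verify.example>", "PayPal Account Limited"),
]

def matched_brand(subject):
    """Return the brand whose lure theme the subject matches, or None."""
    for brand, patterns in LURE_THEMES.items():
        if any(re.search(p, subject, re.IGNORECASE) for p in patterns):
            return brand
    return None

def sender_domain(from_header):
    """Lower-cased domain of the address in an RFC 5322 From header value."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(from_header, subject):
    """Return (verdict, brand): 'suspect', 'expected' or 'no-match'."""
    brand = matched_brand(subject)
    if brand is None:
        return "no-match", None
    domain = sender_domain(from_header)
    legit = LEGIT_SENDER_DOMAINS[brand]
    if domain in legit or any(domain.endswith("." + d) for d in legit):
        return "expected", brand
    return "suspect", brand
```

Calling `triage(frm, subj)` for each pair in `SAMPLES` flags the two lookalike-domain messages as suspect while the genuine Microsoft reset notice is expected and the unrelated PayPal invoice matches no theme.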

Integrated Operational Modules

Beyond phishing templates, the Command-and-Control (C2) panel incorporated several operational modules that appeared to support different stages of phishing campaign management.

  1. B2B Email Sender

The B2B Email Sender module appeared to provide functionality for composing, managing, and distributing email campaigns directly from the Command-and-Control (C2) panel. The interface suggests that operators could prepare email content, organize recipient lists, and manage campaign execution from a centralized location rather than relying on separate tools.

The integration of this module within the panel highlights how multiple operational functions can be consolidated into a single interface, streamlining the management of phishing campaigns.

  2. Email Extractor

The Email Extractor module appeared to support the collection and organization of email addresses for campaign planning. Its integration within the Command-and-Control (C2) panel suggests that recipient data could be managed alongside other campaign components, enabling operators to coordinate multiple stages of phishing operations from a single interface.

  3. Email Validator

The Email Validator module appeared to verify the validity of email addresses before they were used in campaigns. By filtering invalid or inactive email addresses, this functionality may help improve campaign preparation and organization.

  4. Lure Generator

The Lure Generator module appeared to assist in creating phishing email content using predefined themes and templates. By providing ready-to-use lures based on common social engineering scenarios, the module enables campaign content to be prepared within the same Command-and-Control (C2) panel, further centralizing phishing campaign management.

  5. Cookie Management

The Command-and-Control (C2) panel included a Cookie Management module, indicating support for organizing and managing browser session data associated with phishing operations.

  6. Mailbox Access

The panel also included a Mailbox Access module, indicating functionality related to managing or reviewing mailbox-related information within the panel.

Figure: panel dashboard (screenshot)

Threat Intelligence

At the time of our investigation, we did not observe this attacker-associated IP address being identified as malicious by the security vendors included in our analysis. This highlights the challenges of relying solely on reputation-based detection for identifying emerging phishing infrastructure.

  1. VirusTotal detection
  2. Sicehice detection
  3. AlienVault detection
  4. Hybrid-Analysis detection

Figure: vendor detection lookups (screenshots)

Mitigation (high impact)

  1. Run Node/web apps as non-root and enforce SELinux/AppArmor
  2. Block outbound internet access from web servers (allowlist only)
  3. Monitor and restrict access to secrets and the metadata IP
  4. Patch FortiGate devices and enable remote logging to a SIEM
  5. Enforce MFA for VPN and segment VPN users from core servers
  6. Enable PowerShell logging and audit admin share access
  7. Centralize logging to limit the impact of log tampering

Conclusion

The integrated phishing Command-and-Control (C2) panel examined during this investigation demonstrates how phishing operations continue to evolve into centralized, feature-rich operational environments.

By consolidating campaign composition, phishing templates, email operations, lure generation, and campaign monitoring into a single panel, operators can manage multiple stages of phishing activities through one interface.

For defenders, analyzing Command-and-Control (C2) panels provides valuable insight into attacker workflows and helps identify opportunities to strengthen detection engineering, threat hunting, and incident response. As phishing operations continue to evolve, understanding the tools that support them remains essential for proactive cyber defense.

Explore Threat Hunting Hypothesis

Explore detailed Threat Hunting Hypothesis, MITRE ATT&CK mapping, behavioral indicators, and platform-specific detection queries on the Threatactix Threat Intelligence Portal.