An exposed .git folder let us dox a phishing campaign
5 comments
·November 16, 2025ArcHound
It is great that they got taken down. From my experience, these sites are usually parasites on misconfigured Wordpresseses.
We're you able to get the phishing data so that you can help the victims? Is it a good idea to try and do so?
Also, can you please share some bits of the phishing kit for easier detection?
Thank you for your efforts!
spirovskib
Thanks for the kind words. We discussed whether to pull the data. We didn't for two reasons: 1. It's not trivial to process that data safely, and all the people in the server are volunteers that pitch in as much as they can. It won't be fair to burden them more. 2. The bots were posting to what appeared to be private or moderated channels. We didn't find an easy way in. Maybe there was a way in, but see item 1 above. So we went with "nuke it from orbit"
poly2it
Could've traced the attacker for a bit before burning all bridges.
ekjhgkejhgk
Sounds like they got off easy.
spirovskib
They probably did. But it's a volunteer effort, we all contrinbute as much each individual's time permits.
This past Friday afternoon, a member in our Discord server reported a phishing email pointing to a fake login page.
We took up to research it and because of clumsy decisions by the attacker we got their GitHub and their operational Telegram bot.
Screenshots: https://imgur.com/a/FTy4mrH
Sometimes the attacker incompetence can be a defender's best weapon ¯\_(ツ)_/¯
The phishing page was a standard clone of an "email", unbranded anf generic service. A bit of gobuster reconnaissance and we got the site's .git directory publicly accessible and listing its contents.
Inspecting of the requests also got us the first Telegram bot token. This is the digital equivalent of leaving the blueprints to your entire operation, including past versions and deleted files, lying on the front lawn.
We pulled the repository, found automated deployments and multiple fake pages with different hardcoded Telegram bot tokens and Chat IDs.
With the source code, repo and the active Telegram bot token, we filed detailed abuse reports:
- GitHub: We reported the repository containing the phishing kit's source code. It was taken down for violating TOS.
- Telegram: We reported the bot using the provided token and chat ID, leading to its removal.
- Hosting Provider: The malicious site was reported and taken offline.
Lesson learned? Never deploy a .git folder to production. Even if you are a criminal.
Acknowledgement: This was a collaborative effort by members of the BeyondMachines Discord community. The crowdsourced speed and collaboration helped us take this down very fast.