Morphing Meerkat Phishing Kits: An In-Depth Look at DNS MX Record Exploitation

TL;DR

• Morphing Meerkat phishing kits exploit DNS MX records to deliver spoofed login pages, targeting over 100 brands.
• The platform has been active for at least five years, using centralized tactics and resources.
• It employs techniques such as open redirects, compromised domains, and dynamic translations to evade security measures.

Morphing Meerkat Phishing Kits: An In-Depth Look at DNS MX Record Exploitation

Infoblox researchers have uncovered a sophisticated phishing-as-a-service (PhaaS) platform known as Morphing Meerkat. This platform generates multiple phishing kits that exploit DNS mail exchange (MX) records to deliver fake login pages, targeting over 100 brands¹.

Exploiting DNS Techniques for Enhanced Phishing Attacks

Threat actors behind Morphing Meerkat are leveraging advanced DNS techniques to enhance their phishing attacks. By using MX records, they can dynamically serve spoofed login pages. Additionally, they abuse open redirects, compromised domains, and distribute stolen credentials via Telegram¹.

A Long-Running Operation

The PhaaS platform behind Morphing Meerkat kits has been active for at least five years. Despite its longevity, the use of MX records for phishing has remained largely unreported. The platform consistently employs the same tactics and core resources, suggesting a centralized operation rather than multiple independent actors¹.

Centralized Phishing Campaigns

Researchers believe that Morphing Meerkat has sent thousands of spam messages. These messages are sent from relatively centralized email servers, mainly belonging to internet service providers (ISPs) iomart (United Kingdom) and HostPapa (United States). The consistent tactics suggest a centralized PhaaS platform¹.

Large-Scale Phishing and Spam Campaigns

Morphing Meerkat enables large-scale phishing and spam campaigns by utilizing compromised WordPress sites, open redirects, and MX records to tailor fake login pages. The platform bypasses security measures with obfuscated code, dynamic translations, and redirects suspicious users to real sites. Stolen credentials are distributed via email and chat¹.

Evolution of Morphing Meerkat

The early versions of Morphing Meerkat, discovered in January 2020, could only serve phishing web templates disguised as five email brands: Gmail, Outlook, AOL, Office 365, and Yahoo. Over time, the platform expanded its library of templates and currently supports 114 different brand designs. By July 2023, the kits could dynamically load phishing pages based on DNS MX records and translate text into over a dozen languages¹.

Global Targeting and Security Evasion

The PhaaS platform sends spam emails with malicious links, targeting users globally, including high-profile professionals. The phishing kits use DNS MX records to serve dynamic login pages and can redirect victims to real sites for security evasion. Attackers adapt phishing pages into over a dozen languages using a JavaScript translation module, enabling large-scale attacks across different regions¹.

Tactics for Evading Detection

Phishing emails use generic or spoofed logos, often impersonating banks or shipping services with scare tactics. To evade detection, they embed links in compromised sites, URL shorteners, and abuse DoubleClick’s open redirects. The platform tailors phishing pages by dynamically loading HTML based on the victim’s email provider’s MX records, using Cloudflare and Google DNS over HTTPS¹.

Exploiting Open Redirects and Ad Tech Platforms

Morphing Meerkat exploits open redirects on ad tech platforms like Google DoubleClick, using fake domains and compromised sites. It queries the victim’s email domain’s MX record via DoH (Google/Cloudflare) to load a tailored phishing page with the email pre-filled for credibility¹.

Advanced Security Evasion Techniques

Morphing Meerkat’s PhaaS platform blocks security analysis, obfuscates code, and dynamically serves phishing pages based on DNS MX records. The platform supports more than 114 login templates and harvests credentials via email, PHP scripts, AJAX, or Telegram, often deleting evidence in real time¹.

Credential Exfiltration and Accuracy

Morphing Meerkat exfiltrates stolen credentials via AJAX requests, PHP scripts, or Telegram bot webhooks. To ensure accuracy, victims see an “Invalid Password” error, prompting them to re-enter credentials. After submission, they are redirected to the legitimate login page to avoid suspicion¹.

Conclusion

Morphing Meerkat is a long-running operation that is difficult to detect at scale. The platform exploits security blind spots via open redirects on adtech, DoH communication, and popular file-sharing services. This highlights the need for enhanced security measures to counter such sophisticated phishing attacks¹.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

References

1. Infoblox (2025). “A phishing tale of DoH and DNS MX abuse”. Infoblox Blogs. Retrieved 2025-03-31. ↩︎ ↩︎² ↩︎³ ↩︎⁴ ↩︎⁵ ↩︎⁶ ↩︎⁷ ↩︎⁸ ↩︎⁹ ↩︎¹⁰ ↩︎¹¹ ↩︎¹²