Find My phishing investigation (2026) · Part 2 of 2
Part 2 of 2. Read Part 1 — Inside a Find My smishing crew targeting Iran for the full investigation narrative. This page is the defender annex: defanged IoCs, pivots, detection signatures, timeline, and FAQ.
IoCs below are defanged ([.]) to prevent accidental navigation. Verify before production blocklists. To re-fang, replace [.] with . in your tooling — no other substitutions needed.
Aggregate statistics were reported to Apple Brand Protection in early May 2026. No victim IMEIs, phone numbers, or usable passwords appear here.
Key metrics
| Metric | Value |
|---|---|
| Phishing domains (operator-attributed) | 243 (221 from 2022 stealer + 22 breach-intel) |
| Domains resolving (6–7 May 2026) | 20 (10 Cloudflare) |
| Victim IMEIs in operator queue | 564 |
| Victim phone numbers (this operator's queue) | 748 (98.1% +98 Iran — one operator's slice of a Middle East-wide pattern) |
| Personalised smishing URLs generated | 589 |
| SMS / bulk-messaging accounts | 69 |
| Operator VPSes | 7 |
| Authoritative nameservers (reused) | 6 |
| Kit | PhantomUltimate (phantomsoftware[.]us) |
Disruption priority: (1) SMS aggregator closures, (2) Cloudflare/host abuse on live names, (3) kit-supplier takedowns, (4) platform IMEI blocklisting, (5) VPS abuse, (6) nameserver passive-DNS watch.
How to read this annex
Detection signals in this report sit on a leverage pyramid: a single pivot at the top buys you weeks of forward visibility; a single domain at the bottom buys you one takedown. Spend abuse-team time accordingly.
Threat actor handles (public edition)
- Machine: DESKTOP-L9Q135V · timezone UTC+04:30 · Persian (Iran) keyboard · Kabul / Paghman autofill
- Operational handles: mikejohan45, lehisul1970, parwezyosofi, bilal_mzai, naeemtahiri01, gsmnazari786
- Infostealer logs brokered via @Luffich_CloudROBOT / @expertsa11m (marketplaces — not confirmed as the phishing operators)
Reminder. These handles are operational identifiers from admin logins, not legal-name attribution. Whether they belong to one operator or a crew sharing one PC is not resolvable from this evidence alone.
Live domains (20) — defanged
DNS resolution only (getent hosts; no HTTP requests), 6–7 May 2026. A resolving name is not a confirmed active phishing page; some may be parked, registrar-held, or stale DNS pending re-resolution. Treat them as high-priority candidates for HTTP-level verification by abuse desks.
Cloudflare-fronted (10) — file one consolidated CF abuse report
apple-id-maps[.]com
icloud-findmy[.]us[.]com
lcloud[.]com-id[.]us[.]com
location-lcloud[.]info
find-device[.]support
find-lphone[.]info
findmy-device[.]online
apple-login[.]info
findmyiphone[.]de[.]com
ifreeicloud[.]co[.]uk
Other resolving (10) — per-host abuse desks
apple[.]com-map[.]com (AWS Global Accelerator)
applelogin[.]co (AWS)
lcloud[.]com-id[.]be (OVH France)
source4apple[.]com (Hivelocity / TSS — US)
iimei[.]co[.]uk (UK hosting — verify via WHOIS)
imeiking[.]com (China — Hangzhou — verify via WHOIS)
com-eu[.]com (AWS)
ld-eu[.]com (DigitalOcean)
ld[.]co[.]us[.]com (verify via WHOIS)
located-icloud[.]com (verify via WHOIS)
ifreeicloud[.]co[.]uk, iimei[.]co[.]uk, and imeiking[.]com are primarily unlock/resale storefronts. They masquerade as legitimate businesses and may outlive phishing front-ends — they remain abuse-reportable to hosts and payment processors.
Domain portfolio breakdown
The full 243-domain portfolio falls into seven recognisable typo-squat clusters. The /admin/ panel fingerprint is consistent across all of them — a single PHP codebase mass-deployed.
A simple "apple-*" rule misses two-thirds of the portfolio.
Live-status breakdown: 20 of 243 domains resolving, 223 lapsed (chart not reproduced here).
Detection pivots
Confidence ladder (read this before deploying any rule)
| Pivot | Detection confidence | Notes |
|---|---|---|
| Nameserver = one of the 6 below | Very high | These NS pairs are operator-controlled; new delegations are crew infrastructure with very few false positives |
| Email + password match on /admin/ | High | Auth against the known cluster confirms operator; HTTP probing is appropriate only by authorised parties |
| Kit HTML fingerprint (phish.report 467ab986) | Medium | Catches all PhantomUltimate customers globally, not just this crew |
| Admin path (/admin/install.php etc.) alone | Low | Common across many phishing kit families; needs corroboration |
| Naming family (apple.com-*, lcloud.com-*) alone | Low | Useful for surfacing candidates; not sufficient for action |
Nameservers (passive DNS watch)
ns1[.]iserverdns[.]info
ns2[.]iserverdns[.]info
ns1[.]iserverdns[.]us
ns2[.]iserverdns[.]us
ns1[.]ispvds[.]com
ns2[.]ispvds[.]com
Phishing-kit admin paths (PhantomUltimate family)
/admin/
/admin/index.php
/admin/auth.php
/admin/login.php
/admin/install.php
High-volume smishing hosts (per-victim URLs in stealer log)
apple[.]login-track[.]live (72 URLs) · track-idevice[.]link (69) · apple[.]id-device[.]live (61) · support-findmy[.]link (59) · track-idevices[.]link (33) · apple[.]id-device[.]be (30) · apple[.]id-com[.]in (28)
Domain family patterns
apple[.]com-* · apple-* · apple[.]id-* · lcloud[.]com-* · icloud-* · track-idevice[.]* · find-device[.]* · support-findmy[.]* · findmy-device[.]*
Detection signature templates
These are starting points for SOC blue teams. Tune thresholds against your environment before deploying.
Sigma — detect end-user click on PhantomUltimate-family lure

```yaml
title: Find My PhantomUltimate phishing host - HTTP request
id: 9c4f1e72-7e3f-4b62-8e9b-find-my-iphone-2026   # not a valid UUID; replace before loading into a Sigma pipeline
status: experimental
description: Detects HTTP requests to known Find My / PhantomUltimate phishing host families from endpoint or proxy telemetry.
references:
  - https://phisheye.com/blog/unmasking-find-my-phishing-crew-icloud-operation
logsource:
  category: proxy
detection:
  selection_host:
    destination.domain|contains:
      - 'apple.com-'
      - 'apple-id-'
      - 'apple.id-'
      - 'lcloud.com-'
      - 'icloud-find'
      - 'track-idevice'
      - 'find-device'
      - 'support-findmy'
      - 'findmy-device'
      - 'find-lphone'
      - 'location-lcloud'
      - 'apple-login'
      - 'findmyiphone.de'
      - 'located-icloud'
  selection_path:
    # Kit file names only: a bare '/admin/' would fire on every web application with an admin area
    url.path|contains:
      - '/admin/index.php'
      - '/admin/auth.php'
      - '/admin/install.php'
  condition: selection_host or selection_path
falsepositives:
  - Legitimate Apple developer / enterprise URLs (rare); verify destination IP and TLS cert against Apple infrastructure
  - Any web application exposing /admin/index.php, /admin/auth.php or /admin/install.php; corroborate a path-only hit with a host-family match before escalating
level: high
tags:
  - attack.t1566.002   # Spearphishing Link
  - attack.t1606.001   # Forge Web Credentials
  - attack.t1078       # Valid Accounts (downstream of credential capture)
```
KQL — Microsoft 365 / Sentinel surface query

```kusto
// Same substring patterns as the Sigma / Splunk templates. A regex is used instead
// of has_any(): has_any() is term-based and would reduce "apple.com-" to the terms
// "apple" and "com", matching legitimate apple.com URLs.
let phantom_regex = @"(apple\.com-|apple-id-|apple\.id-|lcloud\.com-|icloud-find|track-idevice|find-device|support-findmy|findmy-device|find-lphone|location-lcloud|apple-login|findmyiphone\.de|located-icloud)";
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl matches regex phantom_regex
    or RemoteUrl matches regex @"/admin/(index|auth|install)\.php"
| project Timestamp, DeviceName, AccountName, RemoteUrl, InitiatingProcessFileName
| order by Timestamp desc
```
Splunk — historical hunt

```spl
index=proxy OR index=dns
| eval is_phantom = if(match(url, "(apple\.com-|apple-id-|apple\.id-|lcloud\.com-|icloud-find|track-idevice|find-device|support-findmy|findmy-device|find-lphone|location-lcloud|apple-login|findmyiphone\.de|located-icloud)"), 1, 0)
| eval is_admin_path = if(match(url, "/admin/(index|auth|install)\.php"), 1, 0)
| where is_phantom=1 OR is_admin_path=1
| stats count by user, host, url, src_ip
| sort - count
```
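The three templates above all key on the same host-family substrings and kit admin paths, and the confidence ladder in the Detection pivots section says how much weight each signal carries. The Python below is an added illustration, not code from the original annex or from the PhantomUltimate kit: it refangs the annex's defanged nameserver IoCs, applies the ladder to proxy and passive-DNS records, and returns a triage queue already ordered by tier. The nameserver list, host families and admin paths are copied from the annex; the record layout, the constructed sample records, and the "medium" tier for a naming-family hit corroborated by an admin-path hit are this example's own assumptions.

```python
from __future__ import annotations
import re

# The annex's defanging rule: "[.]" stands for "." and nothing else.
def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

# Nameserver pivot, copied defanged from the annex and refanged for matching.
OPERATOR_NS = {refang(n) for n in (
    "ns1[.]iserverdns[.]info", "ns2[.]iserverdns[.]info",
    "ns1[.]iserverdns[.]us", "ns2[.]iserverdns[.]us",
    "ns1[.]ispvds[.]com", "ns2[.]ispvds[.]com",
)}

# Host-family substrings, the same list the Sigma / KQL / Splunk templates use.
HOST_FAMILIES = (
    "apple.com-", "apple-id-", "apple.id-", "lcloud.com-", "icloud-find",
    "track-idevice", "find-device", "support-findmy", "findmy-device",
    "find-lphone", "location-lcloud", "apple-login", "findmyiphone.de",
    "located-icloud",
)

# Kit admin file names. The bare "/admin/" prefix is left out on purpose:
# it matches every web application with an admin area.
ADMIN_PATH = re.compile(r"/admin/(index|auth|install)\.php")


def classify(record: dict) -> tuple[str, list[str]]:
    """Map one record to (confidence tier, matched signals).

    Record keys, all optional: "host", "path", "nameservers" (NS names from
    passive DNS). Tiers follow the annex's ladder. The "medium" tier for a
    naming-family hit corroborated by a kit admin path is this example's own
    reading of the ladder's "needs corroboration", not a tier the annex states.
    """
    host = record.get("host", "").lower().rstrip(".")
    path = record.get("path", "")
    ns = {n.lower().rstrip(".") for n in record.get("nameservers", ())}

    signals = []
    if ns & OPERATOR_NS:
        signals.append("operator nameserver")
    if any(family in host for family in HOST_FAMILIES):
        signals.append("naming family")
    if ADMIN_PATH.search(path):
        signals.append("kit admin path")

    if "operator nameserver" in signals:
        return "very high", signals
    if "naming family" in signals and "kit admin path" in signals:
        return "medium", signals
    if signals:
        return "low", signals
    return "none", signals


def triage(records: list[dict]) -> dict[str, list[str]]:
    """Group hosts by tier so abuse desks work the top of the ladder first."""
    queue: dict[str, list[str]] = {"very high": [], "medium": [], "low": [], "none": []}
    for record in records:
        tier, _ = classify(record)
        queue[tier].append(record.get("host", ""))
    return queue


# Constructed sample records, not real telemetry. Hostnames come from the
# annex's IoC lists; the paths and NS pairings are made up for this demo.
SAMPLE_RECORDS = [
    {"host": "apple-id-maps.com", "path": "/admin/auth.php",
     "nameservers": ["ns1.iserverdns.info.", "ns2.iserverdns.info."]},
    {"host": "apple-login.info", "path": "/admin/install.php"},
    {"host": "track-idevice.link", "path": "/?id=ABC123"},
    {"host": "intranet.example.com", "path": "/admin/index.php"},
    {"host": "www.apple.com", "path": "/"},
]

if __name__ == "__main__":
    for tier, hosts in triage(SAMPLE_RECORDS).items():
        print(f"{tier:9s} {hosts}")
```

Feeding real telemetry means mapping your proxy's host and path fields, and your passive-DNS feed's NS records, onto the three record keys; the nameserver check is what turns a passive-DNS feed into the Tier-1 watchlist the annex describes, since any new delegation to those six names lands in the top bucket regardless of the domain's spelling.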
Kit / supply chain
phantomsoftware[.]us
demo[.]phantomsoftware[.]us
phantom[.]software
YouTube: @phantomsoftware5023 · Kit fingerprint: phish.report 467ab986
Other PhantomUltimate customers (kit only — do not attribute to Afghan crew without clustering): India, Nepal, Bangladesh, Pakistan, Vietnam, Indonesia, Kenya-target .co.ke variants. The kit is also documented adjacent to AppleKit, MagicApp, ProKit, and the FMI.php / Devjo class kit family.
Network (operator VPS — verify assignment before action)
167.86.75.163 Contabo GmbH (rDNS: vmi3109110.contaboserver.net)
199.79.62.63 WebHostBox (Endurance) (rDNS: md-77.webhostbox.net)
136.243.153.61 Hetzner Online (rDNS: avia-dev-2.online-express.com)
45.131.46.135 MyVDS (RU) (rDNS: 638850.myvds.top)
82.146.40.61 UBS Technologies (RU) (rDNS: stand2.ubs-technologies.ru)
138.128.162.37 shared hosting (verify via WHOIS)
103.126.5.230 no rDNS (verify via WHOIS)
Highest-confidence abuse-reportable hosts: Contabo, WebHostBox, Hetzner. All three maintain established abuse-handling pipelines and respond to well-evidenced phishing reports.
Timeline
Defensive actions
- Block/monitor live domains and nameserver pivots above.
- Single Cloudflare abuse filing for the 10 CF-fronted names.
- Notify SMS aggregators (operator mailbox cluster in LE package).
- Ingest PhantomUltimate admin-path + HTML signatures (Sigma above).
- RDAP/passive-DNS alerts on 223 lapsed actor domains.
- Apple-side only: IMEI blocklisting at the activation layer (highest victim protection per unit effort).
FAQ
Does Apple send a text when your lost iPhone is found?
No. Unsolicited SMS with login links are scams.
What if I already entered my Apple ID on a link?
Reset password on a trusted device, review trusted devices, report to [email protected], contact your carrier.
Is this only an Iran problem?
No. The 98.1% +98 figure is this one operator's recovered queue — a regional feeder model, not a regional census. The same Find My / iCloud smishing playbook hits the entire Middle East: Egypt, Saudi Arabia, the UAE, Lebanon, Jordan, Iraq, and beyond. The kit family is also used by separate operators targeting India, Nepal, Bangladesh, Pakistan, Vietnam, Indonesia, and Kenya — each with their own national focus. Defenders anywhere in the region should treat the IoCs in this annex as relevant: even if a specific domain is on Iranian victims today, the kit fingerprint and nameserver pivots surface infrastructure aimed at other countries by other operators.
Why are Iranian victims overrepresented in this specific dataset?
This particular crew runs a feeder model with sources inside Iran (street theft, organised device acquisition) supplying IMEIs to an Afghanistan-based operator. Other operators of the same kit run feeder models centred on Cairo, Riyadh, Beirut, Dubai, and other regional cities — their recovered queues, if and when they leak, will show different national dominance for the same operational reason.
What is PhantomUltimate?
Commercial iCloud phishing kit (≥2017) with SMS APIs — multi-tenant; cluster by operator emails, not kit HTML alone.
What should SMS aggregators block?
Spoofed sender IDs Apple, iCloud, FindMy, FMI on routes tied to the operator mailbox cluster (evidence in LE package). Closing the operator's existing aggregator accounts is the highest-leverage single action available.
How should brands monitor nameserver pivots?
Passive DNS on the six iserverdns / ispvds hosts — new delegations often precede smishing waves. This is a Tier-1 watchlist item; alert on any new domain delegated to these NS pairs.
How quickly does the crew rotate domains?
Median lifetime of a sending host is days, not weeks — by design. The 223 NXDOMAIN tail is the campaign's burn rate made visible. Plan abuse workflows accordingly; long-form takedown processes are too slow.
Can SOCs detect this with existing telemetry?
Yes — see the Sigma / KQL / Splunk templates above. Proxy and DNS logs covering the host families and /admin/ paths surface most clicks. Tune false-positive controls against your environment.
References
- Part 1 — Investigation narrative
- Brian Krebs — If Your iPhone Is Stolen, These Guys May Try to iPhish You (Mar 2017) — foundational reporting on the iCloud-phishing-kit ecosystem
- Swiss NCSC — public advisory on "device located" smishing (Nov 2025)
- Malwarebytes — stolen iPhones and Apple ID phishing (Nov 2025)
- ClearPhish — Lost iPhone phishing (Nov 2025)
- phish.report — Apple iCloud kit fingerprint 467ab986
Methodology: passive stealer-log and breach-intel analysis; DNS-only live checks; no login attempts.
Report phishing: [email protected]
