Server-Side Phishing: How Credential Theft Campaigns Are Hiding in Plain Sight
TLP: WHITE | Author: AlienVault | Created: 2025-04-15 | Modified: 2025-05-15 | 15 IOCs | Medium volume
This analysis explores an ongoing phishing campaign targeting employee and member portals using a PHP-based phishing kit. The campaign has evolved from using client-side redirects to server-side credential validation, making detection more challenging. Multiple domains impersonating corporate login portals were identified, hosted on infrastructure linked to Chang Way Technologies Co. Limited. The phishing pages employ sophisticated tactics, including two-factor authentication bypasses and decoy content. The campaign's infrastructure and techniques suggest a persistent, possibly state-linked threat actor adapting their methods to evade detection and maintain access to enterprise environments.
Indicators of Compromise (15 domains, all created 2025-04-15)