Pulse Detail — Threat Intelligence

PULSE NAME

IOC - The Mycelial Mage: Tracing a Spanish-Speaking Credential Theft Operation

WHITE celestre 2025-12-30 Modified: 2026-01-29

IOCs

MEDIUM VOLUME

In this scroll, I record the beginning of a hunt that took shape in August 2025, when early signs of a Spanish-speaking phishing kit surfaced from obscurity. What followed revealed clear targeting patterns, operational fingerprints, and subtle indicators of AI-assisted development, along with the use of Telegram and Discord as command and control channels, a trend increasingly common in the wild

Indicators of Compromise (24)

All URL domain email hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://aquiverif-outoksmail2025.gamer.gd/	—	2025-12-30
URL	http://verification-email2025.iceiy.com/	—	2025-12-30
URL	http://verification-email2025.iceiy.com/_index.html	—	2025-12-30
URL	http://iniciar-sesion-email2.iceiy.com/	—	2025-12-30
URL	http://livequranlearner.com/	—	2025-12-30
URL	http://portal-online.net/	—	2025-12-30
URL	http://proceso-de-cobro-micro-personal.infy.uk/	—	2025-12-30
URL	https://aquiverif-outoksmail2025.gamer.gd/	—	2025-12-30
URL	https://aterymaganthr.zya.me/?i=1	—	2025-12-30
URL	https://aterymaganthr.zya.me/?i=2	—	2025-12-30
URL	https://renovacion365out.zya.me/?i=1	—	2025-12-30
URL	https://renovacion365out.zya.me/?i=2	—	2025-12-30
URL	https://www.alertacomunicado365.es/	—	2025-12-30
domain	livequranlearner.com	—	2025-12-30
domain	portal-online.net	—	2025-12-30
email	dwedwedangelo_0@live.cl	—	2025-12-30
hostname	aquiverif-outoksmail2025.gamer.gd	—	2025-12-30
hostname	aterymaganthr.zya.me	—	2025-12-30
hostname	iniciar-sesion-email2.iceiy.com	—	2025-12-30
hostname	proceso-de-cobro-micro-personal.infy.uk	—	2025-12-30
hostname	renovacion365out.zya.me	—	2025-12-30
hostname	verification-email2025.iceiy.com	—	2025-12-30
hostname	www.alertacomunicado365.es	—	2025-12-30
hostname	www.portal-online.net	—	2025-12-30

References (1)

↗ https://sagehollow.world/posts/adversary-tracking/mycelial-mage/#a-cursed-harvest