October 3, 2023

Researchers have discovered a new threat actor named W3LL that has been running a large phishing empire, completely hidden until now, and compromising Microsoft 365 business email accounts over the past few years.

The threat actor was also running a hidden underground market named “W3LL Store” that served a phishing kit called “W3LL Panel” and 16 other fully customized tools that can be used for Business Email Compromise (BEC) attacks.

W3LL has been active since 2017; its first tool, W3LL SMTP Sender, was used for bulk email spam. The actor then developed its own version of a phishing kit targeting corporate Microsoft 365 accounts and opened its own marketplace, W3LL Store, in 2018, which has 500 active users and nearly 3,800 tools sold to date.


The W3LL Panel tool features adversary-in-the-middle functionality, an API, source code protection, and other unique capabilities.

Many sophisticated threat actors currently use the phishing kit, sold as a three-month subscription for $500, due to its high efficiency. Every copy of the W3LL Panel must be enabled via token-based authentication to prevent reselling and source code theft.

More than 850 unique websites have been attributed to the W3LL Panel. Threat actors used this tool to launch Business Email Compromise attacks against over 56,000 corporate Microsoft 365 business accounts, and more than 8,000 (about 14.3%) of them were ultimately compromised.


W3LL regularly updates its tools, adding new functionalities, improving anti-detection mechanisms, and creating new ones, which underlines the importance of staying up-to-date with the most recent changes in their TTPs.

This research was documented by researchers from Group-IB.

Indicators of Compromise

