Cybersecurity Advisories

Phishing Alert: Malicious Campaign Impersonates Astound/RCN Using Webflow and Wix


SaberGuard Threat Intelligence Team
Tags: Phishing, Threat Intelligence, Malware, Email Security, IOC

SaberGuard has identified and blocked an active phishing campaign impersonating Astound/RCN. The attackers abused compromised business email infrastructure and well-known web platforms to deliver a phishing lure and a silent malware dropper. We are sharing this advisory publicly to raise awareness, as no other public disclosures of this threat were available at the time of discovery.

How the Attack Worked

Phishing Email

Victims received emails appearing to come from an RCN-branded sender. Technical headers show the message originated from an authenticated third-party business account that appears to have been compromised. Exact sender account and infrastructure details have been redacted for this public advisory.

Fake Astound Login Page

Users were directed to a malicious Webflow-hosted page mimicking an Astound login/update prompt. The page sat on a webflow.io subdomain, the free staging hostname any Webflow account can publish to, so the certificate and hosting looked legitimate even though the brand had no involvement.

URL (defanged): hxxps://myastound[.]webflow[.]io

Secondary Stage on Wix

After the victim interacted with the Webflow page, they were redirected to a Wix-hosted site (a free wixsite.com subdomain) that harvested the submitted credentials and delivered the malware dropper.

URL (defanged): hxxps://anisholi406[.]wixsite[.]com/my-site-2

Why This Matters

  • The campaign abused well-known hosting platforms, so the lure carried valid TLS certificates and reputable parent domains, increasing its apparent trustworthiness
  • Because the emails were sent from a legitimately authenticated third-party account, they passed sender authentication and basic reputation filtering; nothing about the sending infrastructure itself looked malicious
  • The dropper abused Microsoft Edge (msedge.exe) command-line flags to run without a visible window, hiding execution from the user
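The mail-side checks that catch this pattern, as an added example that is not part of the original advisory or SaberGuard's tooling: it refangs the advisory's two URLs, flags a brand-bearing display name whose real address sits on another domain, notes when SPF and DKIM pass for that unrelated domain (the compromised-account pattern described above), and flags links that point at the listed hosts or at brand-named sites on webflow.io/wixsite.com. The two sample messages are constructed for the example, and the brand's legitimate domains (astound.com, rcn.com) are an assumption, not something the advisory states.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List, Optional
from urllib.parse import urlparse

# IOCs exactly as published in this advisory (defanged); refang() restores them.
DEFANGED_URLS = [
    "hxxps://myastound[.]webflow[.]io",
    "hxxps://anisholi406[.]wixsite[.]com/my-site-2",
]
# Free site-builder subdomains abused in this campaign.
FREE_HOSTING_SUFFIXES = ("webflow.io", "wixsite.com")
# Assumption for this example: the brand's legitimate sending domains.
BRAND_DOMAINS = {"astound": ("astound.com", "rcn.com"), "rcn": ("astound.com", "rcn.com")}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps://a[.]b) back into a matchable one."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)


IOC_HOSTS = {urlparse(refang(u)).hostname for u in DEFANGED_URLS}


def parse_auth_results(header: Optional[str]) -> Dict[str, str]:
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    if not header:
        return {}
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def _is_brand_domain(domain: str, legit: tuple) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in legit)


def analyze(raw: str) -> List[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    # 1. Display name claims a brand, but the real address is on an unrelated domain.
    #    Substring matching is deliberately loose; tune BRAND_DOMAINS for production.
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    impersonated = next((b for b in BRAND_DOMAINS if b in display.lower()
                         and not _is_brand_domain(from_domain, BRAND_DOMAINS[b])), None)
    if impersonated:
        findings.append(f"display name '{display}' claims {impersonated} but From domain is {from_domain}")

    # 2. SPF/DKIM pass does not vouch for the brand: a passing, unrelated domain
    #    is the signature of a compromised legitimate account.
    auth_hdr = msg.get("Authentication-Results")
    auth = parse_auth_results(str(auth_hdr) if auth_hdr is not None else None)
    if impersonated and auth.get("spf") == "pass" and auth.get("dkim") == "pass":
        findings.append("SPF and DKIM pass for the unrelated domain (compromised-account pattern)")

    # 3. Links: known campaign hosts, or brand-named lures on free site builders.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", content):
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_HOSTS:
            findings.append(f"known campaign IOC: {host}")
        elif host.endswith(FREE_HOSTING_SUFFIXES) and any(b in host for b in BRAND_DOMAINS):
            findings.append(f"brand lure on free hosting: {host}")
    return findings


# Constructed sample modelled on the advisory's description; not the real message.
SAMPLE_EML = """\
From: "MyAstound" <billing@compromised-partner.example>
To: victim@example.com
Subject: Action required: update your Astound account
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=compromised-partner.example;
 dkim=pass header.d=compromised-partner.example; dmarc=pass header.from=compromised-partner.example
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your Astound account needs attention.</p>
<a href="https://myastound.webflow.io">Update now</a></body></html>
"""

# Constructed benign counterpart: brand name in the display name, brand domain in the address.
LEGIT_EML = """\
From: "Astound Broadband" <noreply@astound.com>
To: victim@example.com
Subject: Your statement is ready
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=astound.com; dkim=pass header.d=astound.com
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

View your statement at https://www.astound.com/account
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("!", finding)
    print("legit message findings:", analyze(LEGIT_EML))
```

The order of the checks matters: sender authentication is evaluated only after the display-name mismatch is established, because a passing SPF/DKIM result on its own says nothing about whether the sending domain has any relationship to the brand being named.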

Technical Summary

| Attribute | Detail |
|---|---|
| Execution | Launched via msedge.exe with non-interactive command-line flags |
| Payload | Dropped files into hidden application folders |
| Persistence | Registry keys under telemetry paths |
| Techniques | Process injection (WriteProcessMemory, CreateRemoteThread) |
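A host-side correlation sketch for the behaviours in the table, added here and not taken from SaberGuard's YARA rule or tooling: it scores Sysmon events (ID 1 process create, 11 file create, 13 registry value set, 8 CreateRemoteThread) per process and alerts only when a non-interactive msedge.exe launch is joined by at least one of a payload drop into a hidden profile folder, an autorun registry key, or a remote thread into another process. The headless flag names, the Run-key location, the hidden-folder paths and the events themselves are assumptions constructed for the example; the advisory names none of them, and a lone headless Edge launch is deliberately scored below the alert threshold.

```python
import os
from collections import defaultdict
from typing import Dict, List

# Assumed Chromium flags that keep Edge off-screen; the advisory only says
# "non-interactive flags" and does not name them.
NON_INTERACTIVE_FLAGS = ("--headless", "--disable-gpu", "--no-sandbox")
# Autostart locations (assumed reading of "registry keys" for persistence).
AUTORUN_KEY_FRAGMENTS = ("\\currentversion\\run", "\\currentversion\\runonce")
# AppData and ProgramData are hidden by default, matching "hidden application folders".
DROP_DIR_FRAGMENTS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\")
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".bat", ".ps1")
RULE_WEIGHTS = {"edge_non_interactive": 3, "hidden_drop": 2,
                "autorun_persistence": 3, "remote_thread": 4}
ALERT_THRESHOLD = 6  # a lone headless Edge launch (3) never alerts by itself


def _basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def match_rules(event: Dict) -> List[str]:
    """Map one Sysmon event (IDs 1, 8, 11, 13) to the rule names it trips."""
    eid = event.get("EventID")
    hits: List[str] = []
    if eid == 1 and _basename(event.get("Image", "")) == "msedge.exe":
        cmd = event.get("CommandLine", "").lower()
        if any(flag in cmd for flag in NON_INTERACTIVE_FLAGS):
            hits.append("edge_non_interactive")
    elif eid == 11:
        path = event.get("TargetFilename", "").lower()
        if any(d in path for d in DROP_DIR_FRAGMENTS) and path.endswith(PAYLOAD_EXTENSIONS):
            hits.append("hidden_drop")
    elif eid == 13:
        if any(k in event.get("TargetObject", "").lower() for k in AUTORUN_KEY_FRAGMENTS):
            hits.append("autorun_persistence")
    elif eid == 8:
        # CreateRemoteThread into a different image is the injection primitive in the table.
        src, tgt = event.get("SourceImage", ""), event.get("TargetImage", "")
        if src and tgt and _basename(src) != _basename(tgt):
            hits.append("remote_thread")
    return hits


def triage(events: List[Dict]) -> Dict[str, Dict]:
    """Correlate rule hits per process and alert on the combined weight."""
    per_proc: Dict[str, set] = defaultdict(set)
    for ev in events:
        # Event 8 carries SourceProcessGuid; the other event types carry ProcessGuid.
        guid = ev.get("ProcessGuid") or ev.get("SourceProcessGuid")
        if guid:
            per_proc[guid].update(match_rules(ev))
    alerts = {}
    for guid, rules in per_proc.items():
        score = sum(RULE_WEIGHTS[r] for r in rules)
        if score >= ALERT_THRESHOLD and len(rules) >= 2:
            alerts[guid] = {"score": score, "rules": sorted(rules)}
    return alerts


# Constructed Sysmon-style events (not real telemetry from the incident).
EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": EDGE,
     "CommandLine": "\"msedge.exe\" --headless --disable-gpu https://anisholi406.wixsite.com/my-site-2"},
    {"EventID": 11, "ProcessGuid": "{A}",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Updater\\helper.dll"},
    {"EventID": 13, "ProcessGuid": "{A}",
     "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Telemetry"},
    {"EventID": 8, "SourceProcessGuid": "{A}", "SourceImage": EDGE,
     "TargetImage": "C:\\Windows\\explorer.exe"},
    # Benign: a developer taking a headless screenshot of an intranet page.
    {"EventID": 1, "ProcessGuid": "{B}", "Image": EDGE,
     "CommandLine": "msedge.exe --headless --screenshot https://intranet.example"},
]

if __name__ == "__main__":
    for guid, alert in triage(SAMPLE_EVENTS).items():
        print(guid, alert)
```

Weighting by behaviour rather than by a single signature keeps the rule useful once the file hashes below rotate: the chain (silent browser launch, drop into a hidden folder, autorun key, remote thread) is what the dropper has to do, whatever its bytes look like.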

Key IOCs (Defanged)

Malicious URLs

  • hxxps://myastound[.]webflow[.]io
  • hxxps://anisholi406[.]wixsite[.]com/my-site-2

IP Addresses

  • 104.18.36.248
  • 146.20.161.107

Note: these addresses belong to shared hosting/CDN infrastructure that fronts many unrelated sites (104.18.36.248 sits in Cloudflare's 104.16.0.0/12 range). Use them for retrospective hunting and as context for the hostnames above rather than as block-list entries, where they would cause collateral blocking.

File Hashes (SHA256)

  • 5f63beaaefa8bfa3a5564e970ab0b831cdcb0999b6c07f3c748f6674d005bc51
  • e873620645d6cfc6c5403a927609d6337aec31c0577e8c9248758b8cac582538

Email Indicators

  • From: [REDACTED EMAIL] (appeared as "MyAstound")
  • Authenticated Sender: [REDACTED]
  • SMTP Server: [REDACTED]
  • MIME: HTML with inline content

Detection (YARA)

We developed a YARA rule to detect this dropper, available in our GitHub advisory and VirusTotal collection.

What You Can Do

  1. Verify the actual sender domain, not just the display name; a "MyAstound" display name on an unrelated address is the tell in this campaign
  2. Be cautious with login pages hosted on free/public site-builder subdomains such as webflow.io or wixsite.com; legitimate providers do not host account logins there
  3. Enforce MFA on all business accounts, which also limits what a compromised sending account can be used for
  4. Report suspicious emails promptly

If you're a SaberGuard MDR client, these IOCs have already been pushed to your security stack.

Final Note

SaberGuard normally keeps incident intelligence internal. In this case, due to the abuse of trusted platforms and potential impact to users, we are sharing this report to help the community defend against similar campaigns. We coordinated with affected vendors, who confirmed and executed takedowns promptly after being notified.

Stay alert. Stay safe.

— SaberGuard Threat Intelligence Team
