As of 9/14/2025, several distinct WordPress domains submitted to artifact collection platforms (PhishTank, urlscan.io, OpenPhish, etc.) have been infected with the Jennie007Greene.php web shell. To mitigate the risk of further exploitation and defacement, no specific domains will be discussed; however, general Indicators of Compromise are available below.
Any interaction with sites using Jennie007Greene.php inherently carries a high level of risk and should not be done without proper safeguards and preparation. SqueakyFlotilla highly cautions against interacting with these sites, and is not liable for compromised information or incurred damages should others seek to experiment with the sites.
The volume of compromised domains allows the threat actor access to wide swathes of data, including victim emails, usernames, and passwords. In addition to using hard-coded email credentials to exfiltrate victim data, Telegram bots are used to send data to attacker-controlled Telegram chats. The bulk of Telegram bot API keys and channel IDs captured during research are identical, hinting at a single group or individual being responsible for the breaches.
A section of the Telegram bot configuration files often included the header of the message sent to the attacker-controlled channel; a significant portion of these headers include the string “@SMARTMACBOOKBOT*TFCU”. After inspecting the data enumerated from attacker-controlled chats, we determined that messages containing this string began appearing on August 21st, 2025, though they were preceded by messages without the string. We may therefore mark 08/21/25 as the general point at which this iteration of the threat actor’s phishing campaigns started.
Indicators of Compromise:
- Endpoints commonly seen accompanying Jennie007Greene.php-compromised sites:
  - hxxps[://]domain[.]com/.../ss[.]html
  - hxxps[://]domain[.]com/.../details[.]html
  - hxxps[://]domain[.]com/.../otp[.]html
  - hxxps[://]domain[.]com/.../personal[.]html
  - hxxps[://]domain[.]com/.../otp2[.]html
  - hxxps[://]domain[.]com/.../otp3[.]html
- Hashes of Jennie007Greene.php:
  - MD5: 3bb4dd755a1495466d09c9a3767b13f6
  - SHA-1: 758f8a46738f0167b10610558e2c675ada0543c7
  - SHA-256: 66070940681148e6f80640dcd8d194cd4b54cbf614355130765d561423cb337d
  - SHA-512: 9c7f37eabc54c3ffe84cc74377e6870294f95e83cab91e7f17479e74eba7ead3189905dcd917f6141dfeb7a1873acab0afd9f4da37ea961c6e012d0d7d2e5285
- Common hash IOCs between domains (as per urlscan.io):
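As an added example (not code from the SqueakyFlotilla post), the following Python triage script ties the indicators above together for a defender reviewing a WordPress install: it flags files by the web shell's name and hashes, by the Telegram exfiltration markers (the “@SMARTMACBOOKBOT*TFCU” header string and the Telegram Bot API host), and picks out access-log requests for the campaign's phishing page names. The log format assumed is a standard combined access log; the sample lines in the test are constructed.

```python
import hashlib
import os
import re
from pathlib import Path

# Hashes of Jennie007Greene.php as listed in the post (MD5, SHA-1, SHA-256, SHA-512).
KNOWN_HASHES = {
    "md5": "3bb4dd755a1495466d09c9a3767b13f6",
    "sha1": "758f8a46738f0167b10610558e2c675ada0543c7",
    "sha256": "66070940681148e6f80640dcd8d194cd4b54cbf614355130765d561423cb337d",
    "sha512": "9c7f37eabc54c3ffe84cc74377e6870294f95e83cab91e7f17479e74eba7ead3189905dcd917f6141dfeb7a1873acab0afd9f4da37ea961c6e012d0d7d2e5285",
}
# Strings tied to the campaign's exfiltration: the message header seen in the bot
# configs, and the Telegram Bot API host any such config has to contact.
CONTENT_MARKERS = [b"@SMARTMACBOOKBOT*TFCU", b"api.telegram.org/bot"]
# Phishing page names seen alongside compromised sites (from the IoC list).
PHISH_PAGES = {"ss.html", "details.html", "otp.html", "personal.html", "otp2.html", "otp3.html"}

def classify_file(name: str, data: bytes) -> list[str]:
    """Return the reasons a file looks related to this campaign (empty list = clean)."""
    reasons = []
    if name == "Jennie007Greene.php":
        reasons.append("filename matches web shell")
    for algo, known in KNOWN_HASHES.items():
        if hashlib.new(algo, data).hexdigest() == known:
            reasons.append(f"{algo} matches known web shell hash")
    for marker in CONTENT_MARKERS:
        if marker in data:
            reasons.append(f"contains exfil marker {marker.decode()}")
    if name in PHISH_PAGES:
        reasons.append("filename matches campaign phishing page")
    return reasons

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a WordPress install and return {path: reasons} for every suspicious file."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            reasons = classify_file(path.name, path.read_bytes())
            if reasons:
                hits[str(path)] = reasons
    return hits

LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+)')

def phishing_requests(log_lines) -> list[str]:
    """Return request paths from access-log lines that hit one of the campaign's phishing pages."""
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and os.path.basename(m.group("path").split("?")[0]) in PHISH_PAGES:
            out.append(m.group("path"))
    return out
```

Run `scan_tree("/var/www/html")` against the document root and `phishing_requests(open("access.log"))` against the web server log; a hash hit is conclusive, while marker and filename hits are leads for manual review.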
An in-depth analysis of Jennie007Greene.php will be available shortly.