Host long and prosper🖖
ID: 266dfd8a-867f-53e1-8dd2-211dfce64994
STIX ID: report--266dfd8a-867f-53e1-8dd2-211dfce64994
Feed Name: IntelInsights (Substack)
The report documents a hunt starting from Prospero’s ASN (91.202.233.0/24 and 91.215.85.0/24), uncovering clusters of active phishing infrastructure with shared characteristics (Plesk/FASTPANEL pages, consistent JARM and SSH fingerprints) and cryptocurrency exchange impersonation sites. By correlating a specific header hash (a9a3fc8fbb20598112c8) and banner hash (55e090957d46b51d03547dba1763cdf0), the author expands beyond Prospero to multiple ASNs, identifying 206 fresh IoCs associated with a single coordinated campaign impersonating exchanges (e.g., Yukitale, cryptavex) that pull live prices via the Binance API.
