Uncovering a Multi-Stage Phishing Kit Targeting Italy’s Infrastructure

**Executive Summary:** Group-IB discovered a sophisticated phishing-as-a-service kit impersonating Aruba.it that uses a four-stage flow (CAPTCHA anti-analysis, credential harvesting, fake payment form, and OTP/3D Secure interception) to steal account credentials and payment data; the kit uses pre-filled victim email links for realism and Telegram bots/chats for real-time exfiltration and distribution, illustrating an industrialized, supported phishing ecosystem.