Hooking the Archipelago: Dissecting a Phishing Campaign Targeting Philippine Banking Users
ID: c471e528-2db9-5e51-afc3-20382b7bacb8
STIX ID: report--c471e528-2db9-5e51-afc3-20382b7bacb8
Feed Name: Group-IB Blog
## Executive summary

Group-IB discovered an adaptive phishing operation (active 2024–2026) targeting Philippine bank customers. The operation leverages compromised email accounts, reputable web services (Google Business, AMP CDN), Cloudflare-managed domains, URL shorteners, and a hijacked .ph educational subdomain to host high-fidelity phishing pages. The kit hotlinks legitimate bank assets and uses Telegram bots to exfiltrate credentials, PII, and OTPs in real time, enabling immediate unauthorized fund transfers. The campaign has impacted over 400 victims, with more than 900 malicious links distributed since January 2024.
