Infoblox Threat Intel

Morphing Meerkat

Morphing Meerkat runs a sophisticated phishing-as-a-service (PhaaS) operation that has been active since at least 2020. It leverages DNS-over-HTTPS (DoH) and MX record queries to dynamically identify a victim’s email provider and serve targeted phishing pages. The platform supports over 114 brand-specific templates and offers automatic language translation to localize attacks.

Morphing Meerkat employs cloaking techniques to evade detection by redirecting suspicious traffic to legitimate sites. It often delivers phishing via compromised WordPress sites or open redirect links. Stolen credentials are exfiltrated in real time via email or messaging apps. Its use of DNS-layer obfuscation and modular design makes the PhaaS tool both stealthy and scalable.

Morphing Meerkat

Operating since: January 2020
Infoblox discovered: February 2025
Infoblox published: March 2025
Prevalence: Uncommon

Threat actor resources

Media Article

Forbes
March 31, 2025

FBI Alert Issued As Time Traveling Hackers Attack — Act Now

This story, originally published March 29, has been updated with further Medusa mitigation advice from the FBI as well as additional comment from Boris Cipot, and a report into another “as a service” threat, this time from the Morphing Meerkat threat which uses DNS over HTTPS to escape detection.

Media Article

Forbes
March 30, 2025

Google’s Gmail Upgrade—Good And Bad News For 3 Billion Users

Just days after Google confirmed it is bringing its next AI upgrade to Gmail, with major privacy implications, there’s more good and bad news for the 3 billion users relying on Google to deliver secure, spam-free email to their phones and computers.

Media Article

Bleeping Computer
March 28, 2025

Phishing-as-a-service operation uses DNS-over-HTTPS for evasion

A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.

Media Article

Techradar
March 28, 2025

Phishing Attack Tailors Messages to Resemble Businesses You Trust

Cybercriminals have created a new technique to serve phishing emails to business users which are almost indistinguishable from legitimate messages.

Blog

Infoblox Threat Intel
March 27, 2025

A Phishing Tale of DoH and DNS MX Abuse

Explore how Morphing Meerkat uses DNS MX records and cloaking to power phishing-as-a-service, spoof 100+ brands and steal credentials via email and messaging apps.

Infoblox Threat Intel

Morphing Meerkat

Threat actor resources

Media Article

FBI Alert Issued As Time Traveling Hackers Attack — Act Now

Media Article

Google’s Gmail Upgrade—Good And Bad News For 3 Billion Users

Media Article

Phishing-as-a-service operation uses DNS-over-HTTPS for evasion

Media Article

Phishing Attack Tailors Messages to Resemble Businesses You Trust

Blog

A Phishing Tale of DoH and DNS MX Abuse

Products

Solutions

Company

Resources

Get Infoblox Email Updates