IronToll: Global Government-Impersonation PhaaS | PhishEye<br>Skip to main contentLoginStart Free
IronToll: Global Government-Impersonation PhaaS<br>PR<br>PhishEye Research<br>July 5, 2026 · 16 min read
Contents<br>Contents
TL;DR — Starting from one live phishing URL, PhishEye threat research mapped IronToll , a phishing-as-a-service (PhaaS) campaign of 90+ domains across 10+ countries and 15+ brands . It impersonates national e-government portals, tax authorities, traffic and parking fines, telecom operators, and parcel couriers to steal credentials, card data, and one-time passwords (OTPs) in real time . Every domain traces back to a small cluster of 7 Tencent/Alibaba C2 IPs and the commercial Chinese phishing kit that brands itself "Iron Man System" (钢铁侠) . This post documents the full IOC set and the passive-DNS hunting method that unravelled it.
About this research. The findings below come from first-hand threat hunting by the PhishEye anti-phishing team: we started from one live URL and independently verified the campaign's live domains and command-and-control (C2) IPs by DNS resolution and passive-DNS pivoting on 4 July 2026 . Kit-level details we did not observe directly are attributed to their original sources. See Methodology & verification and Related research & references.
Campaign at a glance
Tracker<br>IronToll, a slice of the Mouse / Haozi / Smishing-Triad PhaaS market
Kit<br>"Iron Man System" (钢铁侠): Chinese live-interception phishing-as-a-service
First verified<br>4 July 2026 · domains rotate every 1-2 days
Scale<br>73 mapped domains · 15+ brands · 10+ countries
Command & control<br>7 IPs · Tencent Cloud (AS132203) + Alibaba Cloud (AS45102)
Targets<br>Government fines / tax / e-gov, telecoms, parcel couriers
What it steals<br>Credentials, card data, and live SMS one-time passwords
Durable IOCs<br>The 7 C2 IPs + kit fingerprints (ETag, favicon, GoFrame+Caddy)
What is IronToll?
IronToll is the name PhishEye assigns to a sprawling phishing-as-a-service (PhaaS) operation that weaponises a commercial Chinese phishing kit — self-branded "Iron Man System" — to run government and brand impersonation at industrial scale. The campaign's common denominator is an urgent payment demand : an unpaid traffic fine, a parking penalty, a tax bill, a customs charge, or a parcel "redelivery fee." Victims are funnelled to a pixel-perfect clone of a real government or brand portal, where a live operator intercepts credentials, card details, and OTPs as they are typed — defeating SMS two-factor authentication in real time.
How the kit beats SMS 2FA: the one-time code is replayed on the real site in real time, so a static SMS OTP protects almost nothing here. Phishing-resistant auth (passkeys / FIDO2) does.<br>We first encountered IronToll through a single live URL, ekosova.gov-eg.my.id/eg, a fake "Digital Egypt" traffic-fine page. Public research by security researcher secfathy0x1 had already dissected the Egyptian cluster and the underlying "Iron Man System" kit. Pivoting on its infrastructure, we found the Egypt operation was one country in a much larger machine .
The lure: fake fines, taxes, and delivery fees
IronToll's psychology is consistent everywhere: a small, time-pressured payment you don't want to ignore. Across the clusters we mapped, the impersonated services include (each brand below is inferred from domain naming and lure context, not confirmed against a captured page):
National e-government portals — Egypt ("Digital Egypt"), Serbia ("eUprava"), and generic at-govt gateways.
Tax authorities — Spain's Agencia Tributaria.
Traffic, parking, and road-police fines — Morocco/France justice-fine portals, UK parking operators APCOA and Q-Park , and generic "road police / transport authority" fine pages.
Telecom operators — Vodafone, Australia's Telstra, Botswana's Orange.
Parcel couriers ("redelivery fee" scams) — DHL, DPD, Evri, GLS, and Chronopost.
Law enforcement — Ukraine's National Police (NPU).
Each lure is localised (language, currency, logo, even the cited legal statute, since the Egyptian pages quote Traffic Law №66 of 1973), which is exactly what a rented PhaaS kit makes cheap to do.
The Egyptian cluster: a pixel-perfect “Digital Egypt” (مصر الرقمية) traffic-fine clone at ekosova.gov-eg[.]my[.]id/eg, citing Traffic Law №66 of 1973 and dangling a 50% “early payment” discount to manufacture urgency. Captured live on 5 Jul 2026; URL defanged, form not submitted.
The same kit, re-skinned for Morocco: “Royaume du Maroc — Ministère de la Justice” at amendesjusticegovma[.]sbs/ma, warning of licence suspension or judicial action to pressure payment. Captured live on 5 Jul 2026; URL defanged, form not submitted.<br>Where IronToll fits: the Chinese PhaaS family tree
"Iron Man System" is not a wholly new phenomenon; it is one branch of the Chinese-language, live-interception phishing-as-a-service ecosystem that multiple vendors have tracked for over a year. It is best understood as a sibling of the "Mouse System" / "Magic...