700+ Lookalike Domains Targeting Oil and Gas Companies
2026-6-23 11:9:45 Author: bfore.ai


Threat actors disproportionately target a handful of supermajors and critical infrastructure providers, likely due to their immense financial footprint and vast vendor ecosystems.

The following table outlines the distribution of sector-specific malicious lookalike domains:

Other impacted brands include: Phillips 66 (8, 1.14%), Diamondback Energy (19, 2.71%), Antero (12, 1.71%), Targa Resources (19, 2.71%), ONEOK (4, 0.57%), Hilcorp (6, 0.86%), ConocoPhillips (13, 1.85%), Occidental (9, 1.28%), Kinetik Holdings (7, 1.00%), Marathon Petroleum (7, 1.00%), Kinder Morgan (7, 1.00%), Devon (8, 1.14%), Murphy Oil (5, 0.71%), Colonial Pipeline (2, 0.29%), Ovintiv (4, 0.57%), Expand Energy (6, 0.86%), Cheniere Energy (3, 0.43%), and Western Midstream (1, 0.14%).

An analysis of the domain permutations and registrar data reveals several distinct tactical patterns used by adversaries staging infrastructure:

The observed domain ecosystem suggests that threat actors are preparing infrastructure ahead of key business and geopolitical events rather than deploying it immediately. Many of these domains appear positioned to take advantage of future opportunities such as earnings announcements, mergers, AI-related initiatives, and regional expansion activities when employee engagement and external communications are likely to increase.

At the time of analysis, both anteroresource[.]com and murphyoilcorporationltd[.]com appear operationally inactive, displaying either default hosting pages or generic “under construction” content. However, their naming conventions closely resemble established energy-sector organizations, Antero Resources and Murphy Oil, creating a potential foundation for future impersonation activity. Dormant infrastructure frequently serves as a staging environment in which operators prepare campaigns that can later be used for Business Email Compromise (BEC), vendor fraud, energy-sector supply chain attacks, and similar fraud.

The third example is particularly interesting because it demonstrates a redirection and cloaking pattern commonly observed in scam ecosystems. In the screenshot, the user is presented with a Wildberries-themed giveaway page (Wildberries is a major Russian e-commerce platform) advertising prizes and cash rewards. This suggests abuse of a trusted corporate identity as multi-purpose scam infrastructure, supporting traffic redirection, promotional fraud, credential harvesting, or future employment-themed social engineering campaigns.

The domain incorporates the “Shell” trademark and fuel-station terminology, creating an instant association with a legitimate energy-sector brand. The domain acts as a traffic-forwarding mechanism, separating the lure domain from the final destination: the victim is further redirected to betting-related content and gambling advertisements.

The observed infrastructure hosted on clubeshell[.]com appears to mimic a promotional rewards program associated with Shell. Rather than immediately requesting payment or personal information, the campaign employs a staged engagement process designed to increase user participation and perceived legitimacy.

Rather than immediately granting the promised reward, the user is informed that activating the reward requires enrollment in the Club Shell membership program. This technique is commonly observed on “Spin-the-Wheel” and lottery-based domains, where a small upfront payment is required to “unlock” a significantly larger reward.

The final stage requests personal details such as full name, email address, CPF number, mobile number, and payment information. The campaign transitions from engagement to data collection and monetization. Unlike traditional phishing campaigns that immediately request credentials, this campaign leverages a progressive commitment model. By the time payment information is requested, the user has already completed multiple interactions and may perceive the process as legitimate.

Not all rewards-themed campaigns rely on multi-stage lottery mechanisms or gamified engagement. In some cases, threat actors establish domains that directly imitate legitimate loyalty and rewards programs while maintaining consistent branding throughout the user journey. The domain exxonmobilfuels[.]com demonstrates this approach by presenting a straightforward rewards-focused experience.
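As an added example (not code from the report or from bfore.ai), the following defender-side triage routine applies the naming pattern described across the examples above (a watched brand name combined with an official-sounding affix such as "fuels", "resource", "corporationltd" or "clube") to a feed of newly observed domains. The brand watchlist, the affix token list and the sample feed are constructed assumptions; the defanged domains in the feed are the ones discussed in the report.

```python
# Added example, not part of the original report: brand-affix lookalike triage.
from dataclasses import dataclass
from typing import Optional, List

# Constructed brand watchlist: brand name -> keyword tokens that identify it.
# Longer tokens come first so "exxonmobil" is matched before "exxon".
BRANDS = {
    "Shell": ["shell"],
    "ExxonMobil": ["exxonmobil", "exxon"],
    "Antero Resources": ["antero"],
    "Murphy Oil": ["murphyoil"],
}

# Constructed list of affixes that make a brand label look official or
# programme-like; derived from the naming patterns the report describes.
AFFIX_TOKENS = ("fuels", "resource", "corporationltd", "rewards", "club", "clube")

@dataclass
class Finding:
    domain: str
    brand: str
    pattern: str  # "brand-plus-affix" or "brand-embedded"

def refang(domain: str) -> str:
    """Turn the report's defanged notation (example[.]com) back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()

def registrable_label(domain: str) -> str:
    """Label left of the TLD (naive: drops only the last label; no PSL lookup)."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def triage(domain: str) -> Optional[Finding]:
    """Flag a domain whose registrable label embeds a watched brand keyword."""
    label = registrable_label(domain)
    for brand, keywords in BRANDS.items():
        for kw in keywords:
            if kw not in label:
                continue
            rest = label.replace(kw, "", 1)
            if rest == "":
                return None  # exact brand label (e.g. shell.<tld>): not a lookalike
            if any(tok in rest for tok in AFFIX_TOKENS):
                return Finding(refang(domain), brand, "brand-plus-affix")
            return Finding(refang(domain), brand, "brand-embedded")
    return None

def triage_feed(domains: List[str]) -> List[Finding]:
    """Run triage over a feed and keep only the domains that produced a finding."""
    return [f for f in (triage(d) for d in domains) if f is not None]

# Constructed sample feed: four domains from the report plus two benign entries.
SAMPLE_FEED = ["anteroresource[.]com", "murphyoilcorporationltd[.]com", "clubeshell[.]com",
               "exxonmobilfuels[.]com", "shell.example", "weatherreport.example"]
```

Running `triage_feed(SAMPLE_FEED)` returns four findings, all tagged "brand-plus-affix"; the exact brand label and the unrelated domain produce none.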


Source: https://bfore.ai/report/over-700-suspicious-domains-targeting-oil-and-gas-brands/