How I Uncovered a Phishing Mooncake Email Using Wireshark, Shodan, and OSINT
During the Mid‑Autumn Festival I received a seemingly harmless mooncake email, suspected it was a phishing test, and then used a virtual machine, network‑capture tools, Shodan, and open‑source intelligence to trace the link back to its source and expose the underlying infrastructure.
Around the Mid‑Autumn Festival the author received a company‑sent mooncake email that contained a clickable image. The mouse cursor changed to a hand, suggesting a link, which raised suspicion of a phishing test.
To investigate, the author launched a VMware virtual machine, opened Internet Explorer, and started Wireshark to capture network traffic and Procmon to monitor process, file, and registry activity. When the author tried to open the URL, the page failed to load, indicating the link had been blocked; the capture is what tells you whether the request ever left the host, which a blank browser page alone does not.
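Before opening anything in a VM, the safer first step is to pull the link targets out of the email body and see where the clickable image actually points. The script below is an added example, not code from the original post: it parses a constructed HTML body in the shape the post describes (a greeting image wrapped in a link), records which links wrap an `<img>`, and flags any such link whose host is not under the sender's domain. The sender address, hostnames and URLs are invented, and the "last two labels" domain heuristic is a stand-in for a proper public-suffix check.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body modelled on the post's description
# (a festival image wrapped in a link). Sender, hosts and URLs are invented.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Happy Mid-Autumn Festival from the HR team!</p>
<a href="http://mooncake-gift.example.net/claim?uid=1234">
  <img src="http://cdn.corp.example.com/img/mooncake.png" alt="mooncake">
</a>
<p>Visit our <a href="https://intranet.corp.example.com/holidays">holiday page</a>.</p>
</body></html>
"""
SAMPLE_SENDER = "hr@corp.example.com"


class LinkedImageParser(HTMLParser):
    """Collect every <a href> in the body and note which ones wrap an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []      # dicts: href, wraps_image, text
        self._open = None    # the <a> currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:
            self._open = {"href": attrs["href"], "wraps_image": False, "text": ""}
        elif tag == "img" and self._open is not None:
            # An <img> inside an open <a>: the picture itself is the link.
            self._open["wraps_image"] = True

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def registrable_domain(host):
    """Crude 'last two labels' heuristic; a real tool would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_links(html_body, sender_address):
    """Return one finding per link; 'suspicious' marks an image linking off-site."""
    sender_root = registrable_domain(sender_address.split("@", 1)[1])
    parser = LinkedImageParser()
    parser.feed(html_body)
    findings = []
    for link in parser.links:
        host = urlparse(link["href"]).hostname or ""
        offsite = registrable_domain(host) != sender_root
        findings.append({
            "href": link["href"],
            "host": host,
            "text": link["text"],
            "wraps_image": link["wraps_image"],
            "offsite": offsite,
            # The pattern the post describes: a picture that silently links elsewhere.
            "suspicious": link["wraps_image"] and offsite,
        })
    return findings


if __name__ == "__main__":
    for f in triage_links(SAMPLE_EMAIL_HTML, SAMPLE_SENDER):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} image={f['wraps_image']!s:5} host={f['host']:30} {f['href']}")
```

The output lists the off-site image link as suspicious and the intranet link as ok. Run this on the saved `.eml` body before touching the link in a browser; the host it extracts is also the input to the DNS and Shodan steps that follow.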
The author then performed basic reconnaissance: a ping to the domain resolved it to an IP address in the 103.210.23.* range. Using Shodan, the author found that the server, located in Hong Kong, had several open ports exposing FTP, SSH, web, and MySQL services. Shodan shows the results of its own past scans rather than a live probe, so the port list is a lead to confirm, not proof of the host's state at that moment; an FTP or MySQL service reachable from the internet is nonetheless a strong sign of a carelessly run or throwaway server.
Further threat‑intelligence checks on the IP turned up additional context, and a reverse DNS lookup uncovered a GitLab repository URL associated with the domain.
A domain registration lookup (via Tianyancha, a Chinese corporate‑registry service) identified the owner as a software studio named "活久见". Additional OSINT uncovered related phone numbers, WeChat IDs, and forum posts, though the sensitive details were omitted from the post.
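The infrastructure steps above (resolve the domain, pull the Shodan host record, reverse-resolve the IP, then read the exposed services) are easy to turn into a repeatable triage script. The code below is an added example, not the post author's tooling: the offline part reduces a Shodan host record to the facts an investigator wants (country, hostnames, per-port product and banner, and which ports should never be internet-facing) and is run here on a constructed record. The record uses an RFC 5737 documentation address and invented banners; its field names (`ip_str`, `ports`, `country_name`, `hostnames`, `data[].port/transport/product/data`) follow Shodan's host schema as I understand it, which is an assumption of this example. The live lookups (`socket`, the Shodan REST endpoint) run only from `__main__` and need network access and an API key.

```python
import json
import socket
import urllib.request

# Constructed sample in the shape of a Shodan host record (/shodan/host/{ip}).
# The address is RFC 5737 documentation space and the banners are invented;
# the field names are an assumption based on Shodan's documented host schema.
SAMPLE_SHODAN_HOST = {
    "ip_str": "203.0.113.10",
    "country_name": "Hong Kong",
    "hostnames": ["gift.example.net"],
    "ports": [21, 22, 80, 3306],
    "data": [
        {"port": 80, "transport": "tcp", "product": "nginx",
         "data": "HTTP/1.1 200 OK\r\nServer: nginx/1.14.0\r\n"},
        {"port": 3306, "transport": "tcp", "product": "MySQL",
         "data": "5.7.26-log\nProtocol: 10"},
        {"port": 21, "transport": "tcp", "product": "vsftpd",
         "data": "220 (vsFTPd 3.0.3)\r\n"},
        {"port": 22, "transport": "tcp", "product": "OpenSSH",
         "data": "SSH-2.0-OpenSSH_7.4\n"},
    ],
}

# Services that have no business being reachable from the public internet.
RISKY_PORTS = {
    21: "FTP: cleartext credentials and often anonymous login",
    23: "Telnet: cleartext administration",
    3306: "MySQL: database exposed directly to the internet",
    6379: "Redis: usually unauthenticated",
}


def summarize_host(host):
    """Reduce a Shodan host record to what a phishing investigation needs."""
    services = []
    for banner in host.get("data", []):
        raw = banner.get("data") or ""
        first_line = raw.strip().splitlines()[0] if raw.strip() else ""
        port = banner.get("port")
        services.append({
            "port": port,
            "transport": banner.get("transport", "tcp"),
            "product": banner.get("product") or "unknown",
            "banner": first_line,
            "risk": RISKY_PORTS.get(port),   # None when the port is not on the list
        })
    services.sort(key=lambda s: s["port"])
    return {
        "ip": host.get("ip_str"),
        "country": host.get("country_name"),
        "hostnames": list(host.get("hostnames", [])),
        "services": services,
        "risky_ports": [s["port"] for s in services if s["risk"]],
    }


def resolve(domain):
    """Forward lookup, the scripted equivalent of the post's ping (needs network)."""
    return socket.gethostbyname(domain)


def reverse_dns(ip):
    """PTR lookup; returns None when the address has no reverse record (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def fetch_shodan_host(ip, api_key):
    """Fetch the host record from Shodan's REST API (assumed endpoint; needs a key)."""
    url = f"https://api.shodan.io/shodan/host/{ip}?key={api_key}"
    with urllib.request.urlopen(url, timeout=15) as resp:
        return json.load(resp)


def report(summary):
    lines = [f"{summary['ip']} ({summary['country']}) hostnames={summary['hostnames']}"]
    for s in summary["services"]:
        tag = f"  !! {s['risk']}" if s["risk"] else ""
        lines.append(f"  {s['port']:>5}/{s['transport']} {s['product']:<10} {s['banner']}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    import os
    # Offline demonstration on the constructed record:
    print(report(summarize_host(SAMPLE_SHODAN_HOST)))
    # Live run against a real domain, if a key is present (assumed env var name):
    key = os.environ.get("SHODAN_API_KEY")
    if key:
        ip = resolve("gift.example.net")
        print("PTR:", reverse_dns(ip))
        print(report(summarize_host(fetch_shodan_host(ip, key))))
```

On the sample record the report marks ports 21 and 3306 with a risk note and leaves SSH and HTTP plain. When you run it live, treat the PTR name and any hostnames in the Shodan record as OSINT pivots (that is where the post's GitLab URL came from), and re-verify anything Shodan reports before drawing conclusions, since its data comes from earlier scans.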
The investigation concluded with a reminder to remain vigilant about unknown links, especially during holiday periods, as clicking such phishing links can lead to corporate security incidents.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
