The display name said "K&H Bank." The sending domain was registered in Nepal. The body was written in Hungarian, except the Hungarian characters were broken. And the link in the email pointed to neither the bank nor Nepal, but to a completely unrelated domain. This attack made four geographic and linguistic leaps in a single message, and the character encoding mismatch in the phishing kit is what gave it away at a glance.
In April 2026, IRONSCALES detected a credential phishing campaign impersonating K&H Bank, one of Hungary's largest commercial banks. The email was sent from noreply@rstonline[.]com[.]np, a Nepali domain with no relationship to Hungarian banking. Despite the geographic mismatch, the attacker put effort into visual authenticity: the email hotlinked the real K&H Bank favicon directly from kh[.]hu, pulling the authentic brand icon into the message. The body text attempted Hungarian. The link pointed to ecstechs[.]net.
International bank impersonation phishing is not unusual. The FBI IC3 2024 Annual Report documented that financial institution impersonation ranked among the top five phishing pretexts, with losses exceeding $400 million annually. What makes this case instructive is not the impersonation itself, but the forensic trail the attacker left behind.
The attacker configured the email to pull kh[.]hu's favicon as an inline image. This is a common trick: rather than hosting a copy of the bank's logo on attacker infrastructure (which creates a new IOC to track), the email simply references the real bank's image URL. The recipient's email client fetches the icon from the legitimate domain, displaying an authentic brand mark without the attacker ever touching the image file.
The technique has a secondary benefit. Some email clients display sender favicons or logos in the inbox preview. A hotlinked favicon from the real kh[.]hu domain adds a layer of visual trust before the recipient even opens the message.
But the sending infrastructure told a different story. The email originated from noreply@rstonline[.]com[.]np, a .np (Nepal) country-code domain. SPF returned none for the sending IP 50[.]6[.]231[.]233, meaning the domain published no SPF record at all. No policy, no authorized senders list, no mechanism for the receiving server to validate the source. The message did carry a DKIM signature, which the attacker configured to pass validation, providing at least one authentication signal to help the email survive gateway filtering.
The Microsoft Digital Defense Report 2024 noted that attackers increasingly target domains in country-code TLDs with weak abuse reporting infrastructure, knowing that takedown requests to registrars in certain regions face longer processing times. Nepal's .np TLD is administered by a single organization, and abuse response timelines can extend well beyond those of major commercial registrars.
The body text was intended to read as a standard Hungarian banking notification. The greeting was generic (no recipient name, no account number, no personalization). The subject line and body referenced important account information, using the Hungarian phrase "Fontos informacio" (important information).
Except it did not render that way. The email displayed "Fontos informaciÃ³" instead. The final "ó" of the word (an "o" with an acute accent in proper Hungarian) rendered as a mojibake artifact: the raw byte value of the character displayed as literal text instead of the intended glyph.
This happens when a phishing kit encodes the email body in one character set (typically ISO-8859-1 or Windows-1252) but declares a different encoding in the Content-Type header (typically UTF-8). The email client trusts the declared encoding and interprets the bytes accordingly, producing garbled output for any character outside the basic ASCII range.
For a native Hungarian speaker, this is immediately suspicious. Hungarian uses accented characters extensively (á, é, í, ó, ú, ő, ű), and proper rendering is table stakes for legitimate banking communications. The encoding mismatch reveals that the phishing kit was likely built by a non-Hungarian speaker who tested the template in a Latin-character environment where the rendering issue would not be visible.
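One way to turn the encoding tell into an automated check, as an added example that is not code from the original article or from IRONSCALES: it parses a raw message with Python's standard `email` module and reports text parts whose bytes do not decode under the declared charset, or whose decoded text carries the UTF-8-read-as-single-byte signature ("Ã³" for "ó"). The function names and the three sample messages are constructed for illustration.

```python
import email
from email import policy

def repair_mojibake(text):
    """Return the repaired string if `text` is UTF-8 that was decoded as a
    single-byte charset (e.g. 'Ã³' where 'ó' was meant), else None."""
    for legacy in ("cp1252", "latin-1"):
        try:
            fixed = text.encode(legacy).decode("utf-8")
        except (UnicodeEncodeError, UnicodeDecodeError):
            continue
        if fixed != text:
            return fixed
    return None

def charset_findings(raw):
    """Check every text/* part of a raw message against its declared charset."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_maintype() != "text":
            continue
        declared = part.get_content_charset() or "us-ascii"
        try:
            text = part.get_payload(decode=True).decode(declared)
        except (UnicodeDecodeError, LookupError):
            findings.append(("undecodable_as_declared", declared))
            continue
        fixed = repair_mojibake(text)
        if fixed is not None:
            findings.append(("mojibake", fixed.strip()))
    return findings

def sample(charset, body):
    """Build a constructed single-part message (not the real campaign email)."""
    head = ("Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
            f'Content-Type: text/plain; charset="{charset}"\r\n'
            "Content-Transfer-Encoding: 8bit\r\n\r\n")
    return head.encode("ascii") + body + b"\r\n"

# Constructed bodies built around the page's phrase.
DOUBLE_ENCODED = sample("utf-8", b"Fontos informaci\xc3\x83\xc2\xb3")  # renders 'Ã³'
LATIN1_AS_UTF8 = sample("utf-8", b"Fontos informaci\xf3")  # single-byte 'ó', wrong label
CLEAN = sample("utf-8", "Fontos információ".encode("utf-8"))

if __name__ == "__main__":
    for name in ("DOUBLE_ENCODED", "LATIN1_AS_UTF8", "CLEAN"):
        print(name, charset_findings(globals()[name]))
```

A correctly encoded Hungarian message produces no findings, so the check can run on all inbound mail without flagging legitimate accented text.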
The email's call to action linked to ecstechs[.]net. Not kh[.]hu. Not any domain resembling a Hungarian banking institution. The attacker apparently did not invest in a lookalike domain or typosquat. They simply pointed the link to available infrastructure.
This creates an interesting detection dynamic. Typosquat domains can fool visual inspection. A completely unrelated domain like ecstechs[.]net relies entirely on the recipient not checking the URL before clicking. According to the Verizon 2024 Data Breach Investigations Report, the median time between phishing email delivery and the first click is under 60 seconds. Most recipients who click do so without examining the destination.
MITRE ATT&CK maps this campaign across multiple techniques: T1566.001 (Phishing: Spearphishing Link) for the email vector, T1036.005 (Masquerading: Match Legitimate Name or Location) for the K&H Bank display name, and T1598.003 (Phishing for Information: Spearphishing Link) for the credential harvesting objective.
Themis, the IRONSCALES Adaptive AI, flagged multiple inconsistencies simultaneously: the display name claimed K&H Bank while the sender domain was Nepali, the link destination had no relationship to either the brand or the sending country, and SPF returned no policy. The DKIM signature alone could not overcome the behavioral pattern analysis that identified the message as a credential harvesting attempt. The message was quarantined before the recipient could interact with it.
Across the IRONSCALES community of over 35,000 security professionals, international bank impersonation campaigns represent a growing category. The IBM Cost of a Data Breach 2024 report found that financial sector breaches carry an average cost of $6.08 million, the second highest of any industry.
| Type | Indicator | Context |
|---|---|---|
| Display Name | K&H Bank | Impersonated Hungarian bank |
| Sender Email | noreply@rstonline[.]com[.]np | Nepali domain, no SPF record |
| Sending IP | 50[.]6[.]231[.]233 | SPF result: none |
| Link Domain | ecstechs[.]net | Credential harvesting destination |
| Hotlinked Favicon | kh[.]hu | Legitimate K&H Bank favicon |
| Encoding Artifact | "informaciÃ³" | Mojibake from encoding mismatch |
| DKIM | Signed and valid | Attacker-configured authentication |
| MITRE Technique | T1566.001 | Phishing: Spearphishing Link |
| MITRE Technique | T1036.005 | Masquerading: Match Legitimate Name |
| MITRE Technique | T1598.003 | Phishing for Information: Spearphishing Link |
Encoding errors are not just cosmetic flaws. They are forensic indicators. A legitimate bank operating in Hungary sends emails encoded correctly for Hungarian. A phishing kit assembled by a non-native speaker, hosted on infrastructure spanning three countries, tested in a Latin-only environment, will produce exactly the kind of mojibake this campaign exhibited.
Security teams evaluating DMARC posture should note that SPF none is not the same as SPF fail. A domain with no SPF record provides no signal at all, which means DMARC cannot use SPF alignment to make a policy decision. When the only passing authentication mechanism is a DKIM signature configured by the attacker, the entire trust chain rests on a single cryptographic check with no sender policy behind it. Encoding mismatches, geographic inconsistencies, and link-domain mismatches are the signals that fill that gap.
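The inconsistencies described above (display name versus sender domain, an unrelated link domain, a brand asset hotlinked by a foreign sender, and a DKIM pass with SPF none) can be checked together. The following is an added example, not IRONSCALES' or Themis's detection logic; the brand map, function names, header text, URL paths and the `info@` address are assumptions constructed for illustration, and only the defanged indicators come from the table above.

```python
import re

# Assumption: a locally maintained map of brand display names to the domain
# the brand really sends from. One entry, taken from the page.
BRAND_DOMAINS = {"k&h bank": "kh.hu"}

def refang(s):
    return s.replace("[.]", ".")

def host(url):
    return re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0]

def under(name, domain):
    return name == domain or name.endswith("." + domain)

def inconsistencies(display_name, from_addr, auth_results, html):
    """Return the sender, link and authentication mismatches in one message."""
    out = []
    brand = BRAND_DOMAINS.get(display_name.strip().lower())
    sender = refang(from_addr).rsplit("@", 1)[-1].lower()
    foreign = brand is not None and not under(sender, brand)
    if foreign:
        out.append("display_name_vs_sender_domain")
    # SPF none is "no signal", not a failure: DKIM is then the only check.
    auth = dict(re.findall(r"\b(spf|dkim)=(\w+)", auth_results.lower()))
    if auth.get("spf") == "none" and auth.get("dkim") == "pass":
        out.append("dkim_pass_without_spf_policy")
    body = refang(html)
    links = {host(u) for u in re.findall(r'href="([^"]+)"', body)}
    images = {host(u) for u in re.findall(r'src="([^"]+)"', body)}
    if brand and any(not under(h, brand) and not under(h, sender) for h in links):
        out.append("link_domain_unrelated_to_brand_or_sender")
    if foreign and any(under(h, brand) for h in images):
        out.append("brand_asset_hotlinked_by_foreign_sender")
    return out

# Constructed inputs built from the page's defanged indicators.
PHISH = ("K&H Bank", "noreply@rstonline[.]com[.]np", "mx.example; spf=none; dkim=pass",
         '<img src="https://kh[.]hu/favicon.ico"><a href="https://ecstechs[.]net/">link</a>')
LEGIT = ("K&H Bank", "info@kh[.]hu", "mx.example; spf=pass; dkim=pass",
         '<img src="https://kh[.]hu/favicon.ico"><a href="https://kh[.]hu/">link</a>')

if __name__ == "__main__":
    print(inconsistencies(*PHISH))
    print(inconsistencies(*LEGIT))
```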