# NexusRoute Cluster Surface Analysis

**Date:** 03 May 2026  
**Status:** Active Cluster  
**Confidence:** High (verified live access)

---

## Overview

This document catalogs the wider attack surface of the NexusRoute campaign beyond the initial `mparivahanorg.help` / `mparivahangov.bond` phishing domains. The operator maintains multiple active domains serving either (1) APK-only lures or (2) full credential-harvesting web stacks.

---

## Domain Inventory

### APK Delivery Branch (Direct Download)

| Domain | TLD | Status | Payload |
|--------|-----|--------|---------|
| mparivahanorg.help | .help | ACTIVE | GitHub APK |
| mparivahangov.bond | .bond | ACTIVE | 301 → .help |

### Web Fraud Branch (Credential Harvest)

| Domain | TLD | Status | Endpoints | Harvest Type |
|--------|-----|--------|-----------|--------------|
| rtochallan09363737.store | .store | ACTIVE | vahical.php, us.php, upi_.php, card.php | UPI + Card |
| rtochallan55354587558888.store | .store | ACTIVE | vahical.php, us.php, upi_.php, card.php | UPI + Card |
| rtochallan78658857846758855.space | .space | ACTIVE | vahical.php, us.php, upi_.php, card.php | UPI + Card |
| rtochallan83937383839282.shop | .shop | ACTIVE | vahical.php, us.php, upi_.php, card.php | UPI + Card |
| rtochallan9087654532.store | .store | ACTIVE | vahical.php, us.php, upi_.php, card.php | UPI + Card |
| rtochallan1239542138464.shop | .shop | ACTIVE | Full PHP stack | Verified |
| kisandost.online | .online | ACTIVE | Full PHP stack | Verified |

---

## Web Fraud Stack Analysis

### Endpoint Map

```
rtochallan*.shop / kisandost.online
│
├── count_visit.php          → Visit tracking
├── vahical.php              → Mobile + vehicle entry form
│   ↓
├── us.php                   → User details capture
│   ↓
├── dabit.php                → Debit card entry
├── upi_.php                 → UPI ID + PIN entry
├── card.php                 → Credit card entry
├── pay.php                  → Final payment page
│   ↓ (POST)
├── save_login.php           → Harvest login credentials
├── save_upi.php             → Harvest UPI ID + PIN
└── save_netbanking.php      → Harvest netbanking credentials
```

### Captured Fields

| Stage | Fields | Purpose |
|-------|--------|---------|
| vahical.php | Mobile number, vehicle number | Victim identification |
| us.php | Name, address, additional details | Profile building |
| upi_.php | UPI ID, UPI PIN | Direct UPI fraud |
| card.php | Card number, expiry, CVV | Card fraud |
| pay.php | ₹1 verification page | OTP capture |

---

## Operator Behavioral Analysis

### Domain Naming Pattern

- Prefix: `rtochallan` + random numeric sequence
- TLD rotation: `.shop`, `.store`, `.space`
- Secondary brand: `kisandost.online` (farmer-themed)
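The naming pattern above and the endpoint map in the Web Fraud Stack section are both directly usable as detection content. The following is an added example, not code from this report: a Python matcher that scans constructed proxy log lines for hosts that either match the `rtochallan` + digits + `.shop`/`.store`/`.space` pattern or equal one of the branded hosts in the inventory, and tags each hit with the stage from the endpoint map. The log line format (`timestamp client_ip method url status`), the `severity` labels and the sample lines are assumptions made for illustration; the hostnames, TLDs and PHP paths are taken from the tables above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Domain naming pattern from the report: "rtochallan" + numeric sequence,
# TLD rotating across .shop / .store / .space. Deliberately strict: other
# TLDs are not documented in the report, so they are left to tuning.
DOMAIN_PATTERN = re.compile(r"^rtochallan\d+\.(shop|store|space)$")

# Branded hosts from the domain inventory (exact match).
KNOWN_HOSTS = {
    "kisandost.online",
    "mparivahanorg.help",
    "mparivahangov.bond",
}

# Endpoint paths from the endpoint map, mapped to the stage they represent.
ENDPOINT_STAGES = {
    "/count_visit.php": "visit tracking",
    "/vahical.php": "mobile + vehicle entry",
    "/us.php": "user details capture",
    "/dabit.php": "debit card entry",
    "/upi_.php": "UPI ID + PIN entry",
    "/card.php": "credit card entry",
    "/pay.php": "final payment page",
    "/save_login.php": "login credential harvest",
    "/save_upi.php": "UPI credential harvest",
    "/save_netbanking.php": "netbanking credential harvest",
}


@dataclass
class Match:
    host: str
    path: str
    reason: str            # why the host matched
    stage: Optional[str]   # stage from the endpoint map, if the path is known
    severity: str          # assumed labels: credential-harvest / lure-stage / host-only


def classify_host(host: str) -> Optional[str]:
    """Return the match reason for a hostname, or None if it is not campaign infrastructure."""
    host = host.lower().rstrip(".")
    if host in KNOWN_HOSTS:
        return "known campaign host"
    if DOMAIN_PATTERN.match(host):
        return "rtochallan naming pattern"
    return None


def classify_url(url: str) -> Optional[Match]:
    """Classify a single URL; None means the host is not in scope."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reason = classify_host(host)
    if reason is None:
        return None
    path = (parts.path or "/").lower()
    stage = ENDPOINT_STAGES.get(path)
    # save_*.php are the collection endpoints: a POST there means data left the victim.
    if path.startswith("/save_") and path.endswith(".php"):
        severity = "credential-harvest"
    elif stage is not None:
        severity = "lure-stage"
    else:
        severity = "host-only"
    return Match(host=host, path=path, reason=reason, stage=stage, severity=severity)


def scan_proxy_log(lines: List[str]) -> List[Match]:
    """Scan assumed-format proxy lines: timestamp client_ip method url status."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line; skip rather than guess
        match = classify_url(fields[3])
        if match is not None:
            hits.append(match)
    return hits


# Constructed sample log (not captured traffic). The .xyz host on the last
# line is outside the documented TLD set and is expected NOT to match.
SAMPLE_LOG = """\
2026-05-03T10:12:01Z 10.0.0.15 GET https://rtochallan9087654532.store/vahical.php 200
2026-05-03T10:12:44Z 10.0.0.15 POST https://rtochallan9087654532.store/save_upi.php 200
2026-05-03T10:13:02Z 10.0.0.22 GET https://kisandost.online/ 200
2026-05-03T10:13:30Z 10.0.0.31 GET https://example.com/pay.php 200
2026-05-03T10:14:05Z 10.0.0.40 GET https://rtochallan12345.xyz/us.php 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.severity:18} {hit.host:32} {hit.path:22} {hit.reason} / {hit.stage}")
```

Two design points: the host check is applied before the path check, so a `/pay.php` on an unrelated host (line four of the sample) produces no hit, and the three-TLD regex is intentionally as narrow as the report's evidence; if a `.xyz` or other variant turns up, widen the TLD group rather than loosening the `rtochallan\d+` prefix, which is the part that distinguishes this operator's registrations.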

### GitHub Pattern

| Account | Repos | Pattern |
|---------|-------|---------|
| m2proxd-spec | v1 | APK releases |
| getchallan-sketch | Mparivahan, Mparivahan-nextgen.apk | Template repos |
| mParivahan1 | Multiple numbered repos | Burner spray |

### Development Indicators

- PHP backend with Hindi variable names (localization)
- JavaScript visit counter (operational metrics)
- Mobile number validation for Indian formats (+91)
- ₹1 verification pattern (psychological manipulation)

---

## Infrastructure Overlap

### Shared Characteristics

| Attribute | Evidence |
|-----------|----------|
| Registrar | NameSilo with PrivacyGuardian |
| Page Title | "NexGen mParivahan" (exact match) |
| Branding | Gradient blue theme, government-style badges |
| JavaScript | Similar tracking/redirect code |

### Distinct Branches

| Branch | Primary Purpose | Delivery |
|--------|----------------|----------|
| APK Branch | RAT deployment | GitHub releases |
| Web Fraud Branch | Immediate credential theft | PHP endpoints |

---

## Live Verification Status

| Domain | HTTP Response | Content Match | Verified |
|--------|---------------|---------------|----------|
| rtochallan1239542138464.shop | 200 | NexGen mParivahan | ✓ |
| kisandost.online | 200 | NexGen mParivahan | ✓ |
| rtochallan09363737.store | - | Active | ✓ |
| rtochallan55354587558888.store | - | Active | ✓ |
| rtochallan78658857846758855.space | - | Active | ✓ |
| rtochallan83937383839282.shop | - | Active | ✓ |
| rtochallan9087654532.store | - | Active | ✓ |

---

## Takedown Priorities

| Priority | Target | Reason |
|----------|--------|--------|
| P1 | save_*.php endpoints | Credential collection |
| P1 | Active .shop/.store/.space domains | Live fraud |
| P2 | GitHub repos | APK distribution |
| P3 | NameSilo domains | Source infrastructure |

---

*End of Surface Analysis*
