After three months from the first detection, the Lampion origin was identified. A webserver named “portaldasfinancas” is available in Turkey and has been used to spread the threat in Portugal.