
We published an in-depth analysis on the #ErrTraffic framework, detailing two specific clusters ("Beer" and "Analytics"), campaigns compromising WordPress sites to deploy this malicious #ClickFix framework, as well as others impersonating AI platforms.

Since that report was written, the operator "LenAI" has released ErrTraffic v4.

We shared some IoCs on our Community GitHub, and I can share the latest ones, feel free to reach out!

https://github.com/SEKOIA-IO/Community/tree/main/IOCs/errtraffic

https://infosec.exchange/@sekoia_io/116758846525821124


#TDR analysts published a new report detailing #ErrTraffic, a widespread #ClickFix malware distribution framework.

ErrTraffic injects malicious JavaScript into compromised WordPress and malicious sites to serve ClickFix lures.

https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/

Our forensic analysis of compromised WordPress servers helped us to cluster ErrTraffic and map affiliates' TTPs and backdoors.

We notably identified two distinct clusters: "Analytics" operated by a single threat actor, and "Beer" likely operated by LenAI for affiliates.

Part 2 of our #EvilTokens in-depth analysis is out!

This blog post details the AI-augmented features significantly facilitating #BEC fraud.

I believe that this AI-augmented post-compromise tooling represents a genuine breakthrough in the #PhaaS ecosystem.

https://blog.sekoia.io/eviltokens-an-ai-augmented-phishing-as-a-service-for-automating-bec-fraud-part-2/

In early March 2026, we uncovered #EvilTokens, a new #PhaaS offering device code phishing pages and AI-driven features to automate and scale BEC workflows.

Part 1 of our analysis provides a technical analysis of the EvilTokens kit ⬇️

https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/

EvilTokens was rapidly adopted by cybercriminals: we have already observed multiple EvilTokens cases in @sekoia_io's telemetry, and hunted various attachments that delivered its pages worldwide.

Part 2 will focus on the AI-augmented pipeline that significantly facilitates and scales BEC fraud.

Our latest TDR report on the #IClickFix framework:

📊 3,800+ WordPress sites compromised worldwide
⚙️ Multi-stage JavaScript loader
🚦 Abusing YOURLS as TDS
🖱️ Fake Cloudflare CAPTCHA and #ClickFix lure
🦠 #NetSupport RAT payload

https://infosec.exchange/@sekoia_io/115977607660963600

Open directory at 104.168.81[.]229/BJ/ containing phishing pages for Zimbra, Outlook, Adobe, and various Chinese services

104.168.81[.]229

microsoftstorage.duckdns[.]org
outllook.duckdns[.]org
outlookspace.duckdns[.]org
patnerrshipp.duckdns[.]org
spaceoptimize.duckdns[.]org
spaceup.duckdns[.]org
spaceupstorage.duckdns[.]org
webmaii.duckdns[.]org
webmailstorage.duckdns[.]org
webmil.duckdns[.]org
zimbrastorage.duckdns[.]org
zirmbra.duckdns[.]org
zlmbrastorage.duckdns[.]org
spaceupzimbra.chickenkiller[.]com
...

Outlook and Zimbra phishing pages are distributed via email using malicious SVG files that contain obfuscated JavaScript (a common phishing TTP nowadays), e.g.

ec7a3247bc86636c6b08bef9a1568b63c289a2d72464c9adebcf16ccfc2ce0f3 > zimbrastorage.duckdns[.]org/BJ/zimbra/
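One way to triage an SVG attachment of the kind described in the post (script in the SVG, base64-encoded redirect target), as an added example that is not part of the post and not Sekoia's tooling. The sample SVG, its onload handler and the URL it decodes to are constructed placeholders, not the real attachment; the script parses the file, lists script elements, event-handler attributes and javascript: links, and tries to recover any base64 blob that decodes to an http(s) URL, so that hash-to-URL pairs like the one above can be produced automatically.

```python
"""Triage an SVG e-mail attachment for embedded JavaScript.

Added example for this page; not Sekoia's tooling. The sample SVG below is
constructed for illustration and the URL it contains is a placeholder.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample mimicking the pattern in the post: a 1x1 SVG whose
# onload handler decodes a base64 string and redirects the browser.
# The destination is a placeholder (.invalid TLD), not a real indicator.
_LURE_URL = "https://example.invalid/BJ/zimbra/"
SAMPLE_SVG = f'''<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="{SVG_NS}" width="1" height="1" onload="go()">
  <script type="text/javascript"><![CDATA[
    var p = "{base64.b64encode(_LURE_URL.encode()).decode()}";
    function go() {{ window.location.href = atob(p); }}
  ]]></script>
</svg>'''.encode()

# Runs of base64 alphabet long enough to hold a URL, with optional padding.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _local(tag):
    """Strip the {namespace} prefix from an ElementTree tag or attribute name."""
    return tag.rsplit("}", 1)[-1].lower()


def _decode_b64_urls(text):
    """Return every base64 blob in text that decodes to an http(s) URL."""
    found = []
    for m in _B64_RE.finditer(text):
        try:
            s = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: skip
        if s.startswith(("http://", "https://")):
            found.append(s)
    return found


def triage_svg(data):
    """Parse an SVG and report script-related indicators.

    Caveat: xml.etree is not hardened against entity-expansion attacks;
    use defusedxml when parsing untrusted input in production.
    """
    root = ET.fromstring(data)
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "scripts": [],          # inline <script> bodies
        "event_handlers": [],   # (element, attribute) pairs such as (svg, onload)
        "js_hrefs": [],         # javascript: links in href / xlink:href
        "decoded_urls": [],     # URLs recovered from base64 inside scripts
    }
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            body = (el.text or "").strip()  # CDATA content is exposed as text
            report["scripts"].append(body)
            report["decoded_urls"].extend(_decode_b64_urls(body))
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                report["event_handlers"].append((name, a))
            if a == "href" and value.strip().lower().startswith("javascript:"):
                report["js_hrefs"].append(value)
    report["suspicious"] = bool(
        report["scripts"] or report["event_handlers"] or report["js_hrefs"]
    )
    return report


if __name__ == "__main__":
    r = triage_svg(SAMPLE_SVG)
    print(f"sha256: {r['sha256']}")
    print(f"suspicious: {r['suspicious']}")
    print(f"event handlers: {r['event_handlers']}")
    print(f"decoded URLs: {r['decoded_urls']}")
```

The `sha256 > URL` line the script prints for a real sample is the same shape as the indicator in the post; real lures often layer string reversal or XOR on top of base64, so treat a clean decode as a bonus and the presence of any script or on* attribute in an e-mailed SVG as the actual detection signal.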

#TDR analysts dig into a modus operandi targeting the hospitality industry and the related cybercrime ecosystem that facilitates #phishing and #fraud campaigns.

https://blog.sekoia.io/phishing-campaigns-i-paid-twice-targeting-booking-com-hotels-and-customers/

A few weeks ago, we published our global analysis of Adversary-in-the-Middle #phishing threats, providing actionable intelligence on multiple #AitM phishing kits.

This report includes 11 sheets covering the most widespread #AitM phishing kits as of Q1 2025.

๐Ÿ“ Our latest #TDR report delivers an in-depth analysis of Adversary-in-the-Middle (#AitM) #phishing threats - targeting Microsoft 365 and Google accounts - and their ecosystem.

This report shares actionable intelligence to help analysts detect and investigate AitM phishing.