#TDR analysts uncovered an emerging Phishing-as-a-Service (#PhaaS) platform called #EvilTokens, which offers device code phishing pages and AI-augmented features to automate and scale #BEC workflows.

EvilTokens' device code phishing pages allow attackers to capture Microsoft refresh and access tokens, weaponise them, harvest victims' mailboxes, and automatically craft BEC emails using AI.

Active since late February 2026 and rapidly adopted by cybercriminals, EvilTokens is, in the assessment of TDR analysts, likely to become a serious competitor in the phishing and BEC landscape.
⬇️
https://buff.ly/RvF5Kux
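Device code phishing leaves a distinctive trace in Entra ID sign-in logs: the sign-in is recorded with the `deviceCode` authentication protocol, and for a phished user it is typically the first such sign-in and comes from an unfamiliar IP. The detection logic below is an added example written for this post, not code from the TDR team or from EvilTokens; it assumes records shaped like Microsoft Graph `signIn` objects (`authenticationProtocol`, `ipAddress`, `userPrincipalName`) and uses constructed sample records.

```python
import json

# Constructed Entra ID sign-in records (a subset of the Microsoft Graph signIn
# fields). The values are made up for this example, not real telemetry.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "createdDateTime": "2026-03-01T08:01:00Z", "resourceDisplayName": "Office 365 Exchange Online"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "createdDateTime": "2026-03-01T10:00:00Z", "resourceDisplayName": "Azure CLI"}
{"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7", "createdDateTime": "2026-03-02T09:14:00Z", "resourceDisplayName": "Microsoft Graph"}
{"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10", "createdDateTime": "2026-03-02T09:20:00Z", "resourceDisplayName": "Azure CLI"}
"""


def parse_signins(text: str) -> list:
    """Parse one JSON sign-in record per line and return them oldest first."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["createdDateTime"])


def find_device_code_signins(text: str, baseline_end: str) -> list:
    """Flag device-code sign-ins at or after `baseline_end` (ISO-8601 UTC).

    Earlier records only build a per-user profile (IPs seen, whether the user
    ever used device code). A device-code sign-in by a user who never used it,
    or from an IP absent from that user's history, is rated 'high'; a routine
    one (for example a CLI user on a known IP) is rated 'low'.
    """
    seen_ips: dict = {}          # user -> set of IPs observed so far
    used_device_code: set = set()  # users with an earlier device-code sign-in
    alerts = []
    for rec in parse_signins(text):
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        is_device_code = rec["authenticationProtocol"] == "deviceCode"
        if is_device_code and rec["createdDateTime"] >= baseline_end:
            reasons = []
            if user not in used_device_code:
                reasons.append("first device-code sign-in for this user")
            if ip not in seen_ips.get(user, set()):
                reasons.append("IP never seen for this user")
            alerts.append({"user": user, "ip": ip, "time": rec["createdDateTime"],
                           "resource": rec.get("resourceDisplayName", ""),
                           "severity": "high" if reasons else "low",
                           "reasons": reasons})
        # Every record, baseline or evaluated, extends the profile afterwards.
        seen_ips.setdefault(user, set()).add(ip)
        if is_device_code:
            used_device_code.add(user)
    return alerts


if __name__ == "__main__":
    for alert in find_device_code_signins(SAMPLE_SIGNINS, "2026-03-02T00:00:00Z"):
        print(alert)
```

On the sample data, alice's first-ever device-code sign-in from an unseen IP is rated high, while bob's routine Azure CLI device-code sign-in from his usual IP is rated low.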
#SilverFox is a China-based intrusion set operating on a unique "dual-track" model. While often tracked for their APT-style espionage, our telemetry shows they continuously run broad, opportunistic cybercrime campaigns targeting entities across South Asia.

In this deep-dive analysis, our Threat Detection & Research (#TDR) team unmasks their massive 2025-2026 campaign and rapidly evolving infection chains.

Key findings:
🎣 Deceptive Lures: Consistently impersonates national taxation authorities or uses fake payroll documents to trick victims into executing payloads.
🌊 3-Wave Arsenal Evolution: Between 2025 and 2026, their attack chains shifted significantly to evade detection.
🛠️ RMM Abuse: Transitioned from deploying ValleyRAT via malicious PDFs to abusing Chinese RMM tools.
🐍 Custom Payloads: Recently observed dropping a custom Python-based stealer embedded in a Python installer.
🎭 Advanced Evasion: Packed with TextShell for enhanced obfuscation (custom LZMA); utilizes API "hammering" and anti-debug traps to bypass detection and delay manual analysis.
🔐 Custom Obfuscation: Leverages non-standard Base64 encoding with randomized shifts to evade automated detection.
🖼️ Steganography: Hides payloads within innocuous-looking icon images retrieved from the C2.

Agile and persistent, Silver Fox successfully blends into the noise of traditional cybercrime while maintaining the capacity for advanced intelligence collection.
https://buff.ly/KPXIytD