Kratos is a mature Phishing-as-a-Service operation targeting Microsoft 365 users across the US, Europe, and other regions. By combining trusted platforms, anti-bot checks, and convincing login pages, ithelps attackers steal credentials while delaying detection and response. For security leaders, that increases the risk of account takeover, fraud, data exposure, and higher incident response costs.
ANY.RUN researchers traced three generations of the kit, uncovered 1,484 previously unattributed detonations, and mapped its infrastructure, operator panel, and victim patterns. This article gives security teams practical fingerprints, exfiltration indicators, SIEM scoring rules, and response guidance to reduce exposure, speed up investigations, and make faster decisions when Kratos activity appears.
Key Takeaways
- Kratos is a turnkey phishing kit built to steal Microsoft 365 credentials and sold through a subscription model. Operator-side intelligence, including its admin panel and automated deployment features, shows that it operates as a full Phishing-as-a-Service (PhaaS) platform.
- ANY.RUN researchers identified 1,628 sandbox sessions across the two main Kratos generations. Only 156 had been manually tagged as Kratos, while 1,484 had not yet been attributed to the family. An earlier V0 branch adds another nine sessions.
- Kratos targets organizations across more than 20 countries, including the US. This research identified 148 suspected victim organizations, with a particularly strong concentration in US, Spain and Southern Europe.
- ANY.RUN was already detecting the malicious activity through generic phishing-kit signatures. The new technical fingerprint added family-level attribution, making it possible to track Kratos activity, run retrospective hunts, and build a clearer view of the wider operation.
- Two page assets became the key hunting indicator: barr.svg and lg.svg. They almost always appear together and are rarely seen separately. This single fingerprint provides 90% recall with a false-positive rate close to zero.
- Kratos has evolved through three page generations: V0, V1, and V2. Each uses different exfiltration code, and the kit continues to develop.
- Kratos has been visible in the ANY.RUN sandbox since January 2026. External data suggests that its operator panel has been active since September 2025.
- Operator-side OSINT uncovered an active Kratos admin panel. The service allows operators to deploy phishing domains in a few clicks, configure Telegram or email delivery, apply geographic restrictions, and choose between several anti-bot systems.
Victimology: Kratos Targeting US and European Organizations
Microsoft 365 is the main brand impersonated by Kratos. In total, 1,365 sandbox tasks led to login.live.com or microsoftonline.com, while 412 were classified as “Fake Microsoft Authentication Page”incidents. These figures come from the ELK queries included in the README and are counted at the analysis level.
Previous public research has documented Kratos activity across more than 20 countries, with around 33% of observed targeting linked to the United States. This confirms that the service has a broadinternational reach and poses a direct risk to US organizations.
TI Lookup query: threatName:”kratos”

ANY.RUN data adds a more detailed view of activity in Europe. We identified 148 suspected victim organizations based on SharePoint tenant names found in phishing lures. The targeting appears opportunistic and spans a wide range of sectors, including SMBs, law firms, schools, polytechnic institutions, industrial organizations, and others.
The strongest concentration in our dataset was in Southern Europe, particularly Spain. This assessment is based on the ccTLDs of suspected victim organizations, the language used on phishing pages, and the brands and services impersonated by attackers.
| Region | Sessions |
|---|---|
| Spain (.es, .cat, .eus) | 171 |
| International TLDs (.com, .org, .net) | ~162 |
| France | 31 |
| Sweden | 15 |
| Austria | 11 |
| Portugal | 10 |
| Italy, Germany, Norway, Slovenia, and Belgium | 4–5 each |
This geographic pattern does not suggest that Kratos is limited to Europe. Instead, it indicates that some affiliates represented in the sandbox data appear to specialize in Spain and Southern Europe. Spanish-language tokens found in URL paths, including factura, abogados, and dgt, provide further evidence of this regional focus.
How Kratos Turns Account Compromise into Business Risk
A stolen Microsoft 365 account can give attackers more than access to one inbox. It can create a trusted route into company data, financial processes, and relationships with employees, customers, and suppliers.

- Trusted-account abuse: Attackers can impersonate employees and use a legitimate mailbox to make fraudulent requests appear credible.
- Financial fraud: Access to invoices and payment conversations can support BEC, payment redirection, and supplier fraud.
- Data and partner exposure: Corporate email, SharePoint, and OneDrive may contain sensitive business data and information about third parties.
- Longer, costlier response: If attackers gain session access, changing the password alone may not remove them, increasing containment time and recovery costs.
How Kratos Attack Works: From Phishing Email to Stolen Password
Kratos rarely targets victims directly. The attack chain typically works as follows:

- Phishing email → often passes through corporate email filters
In 114 analysis sessions, the emails had already passed through corporate email filters or secure email gateways before being submitted to the sandbox.
Common subject lines include:
- “User N has shared a document with you”
- “Sign the document via DocuSign”
- “An invoice has been sent”
- Trust-building lure: a link to a legitimate service
- Microsoft SharePoint or OneDrive, the main delivery vector observed in 351 tasks
- Canva, Tilda, systeme.io, and Microsoft Forms used as intermediary pages
- Legitimate file-sharing services hosting phishing PDFs
- Redirect to a Kratos phishing page
- Cloudflare Turnstile verification
Victims are asked to prove that they are not bots. This step helps filter out sandboxes and automated scanners.
- Fake Microsoft 365 login page
Before the login form appears, the victim sees Kratos’s distinctive animated envelope screen with the message “Loading in progress…”
- Credential theft → POST request to a PHP endpoint
- V1: next.php
- V2: save.php
- V0: /PTT/SOft/mini.php
Some sessions also establish a WebSocket connection. This may indicate possible adversary-in-the-middle activity or live credential relaying, but a WebSocket connection alone does not prove sessiontheft.
One visual detail makes Kratos particularly recognizable: before displaying the login form, the page shows an animated envelope with the message “Loading in progress…” over a blurred invoice ordocument. The browser tab is also almost always titled Authentication.
These details may seem minor, but together they form a consistent and reliable fingerprint.
Check Kratos phishing attack and get relevant IOCs

The victim is given only three attempts to enter a password. After that, they are either redirected to a predefined URL, office.com in V1, or shown an “incorrect password” message.

ANY.RUN’s in-browser data investigation reveals this logic directly in the page code. Analysts can see the submitData() function sending the di and pr values to next.php, the redirect to office.com, and the handling of the #pass-err element. This confirms that the behavior is intentional and designed to filter out invalid or random submissions.
Evolution: Three Generations of Kratos
Kratos is not a static phishing kit. Based on public industry reports and ANY.RUN research, we identified three generations of its phishing pages. Each can be recognized by a distinct set of files and, more importantly, by its own exfiltration code:
| Generation | How to Identify It | Exfiltration Code | Sessions | Example |
|---|---|---|---|---|
| V0: PTT/SOft | URLs containing */PTT/SOft/; associated domain: dwbud.vilaribit.com; “Secure File Access” page asking the victim to verify their email over a blurred invoice | sendDataToPHP()→ POST to mini.php inside /PTT/SOft/ | 9 | TI Lookup query: SHA256:"c447e75f1029ed7a5882add16bcd13ad44be3bd47c93c830ff39185e23d25ebb" AND SHA256:"cd231b895bbcd7154b81df1e065bf02f1ec667b920c8b6d23308cd509833b5ea" |
| V1: Dominant generation | barr.svg + lg.svg + ani.gif + res.css + styles.css; direct imitation of the Microsoft Sign In page | submitData() → next.php, with variants including nex.php, n3xt.php, and officers*eur.php | 1,397 | TI Lookup query: SHA256:"c447e75f1029ed7a5882add16bcd13ad44be3bd47c93c830ff39185e23d25ebb" AND SHA256:"cd231b895bbcd7154b81df1e065bf02f1ec667b920c8b6d23308cd509833b5ea" |
| V2 | dsa.svg + sid.gif + imag.jpg + main.js; uses jQuery 4.0 beta; code is obfuscated | Deobfuscatedmain.js → fetch("save.php") | 231 | TI Lookup query: SHA256:"a3c298ccf2456989ceb080e661b01c3b00445902ae7bb3e58dad4d846334ff9c" AND SHA256:"9d1a1a5e3b5e5de8a6c76ded7a01fa01709d426232b0048c9ee6ba0c5c1b8b42" AND SHA256:"cd231b895bbcd7154b81df1e065bf02f1ec667b920c8b6d23308cd509833b5ea" |
Check relevant ANY.RUN sandbox sessions:
The evolution of Kratos’s disguise is easy to see. V0 presents itself as a “Secure File Access” page, shown in the screenshot below. It asks the victim to verify their email address to open a document, with a blurred Excel invoice displayed in the background.

Starting with V1, shown in the screenshot below, the kit moves to direct brand impersonation, closely replicating the Microsoft Sign In window. According to comments in the code, the goal of these changes was to make the page resemble Microsoft’s login window more closely and restructure the code to evade existing vendor signatures.

Most importantly, the three generations appear to belong to the same Kratos service rather than three separate actors. The link between V1 and V2 is particularly strong at the operator level:
- The same domains, including razen[.]online, theoceanac[.]online, jumpast[.]es, and enerdizerandtron.de, serve both V1 and V2 pages.
- The lg.svg file used in V1 is byte-for-byte identical to dsa.svg in V2.
- A shared hash for the styles.css file, loaded by the fake Microsoft Sign In page, connects 636 tasks across both generations.
Check this TI Lookup query based on the lg.svg and styles.css hashes:
Here is also an example of the V2 login page:

The Investigation: How One Indicator Exposed the Entire Campaign
We started with the data already available to us: 156 analysis sessions that had been tagged as Kratos. After examining their network traffic in detail, we noticed that the browser loaded nearly the same setof page assets from the /assets/ directory on almost every landing page. Two files had particularly unusual names: barr.svg and res.css.
The next step was simple but important: we checked how exclusively these files appeared together.
- barr.svg and lg.svg in the same session: 1,397 times
- lg.svg without barr.svg: 2 times
- barr.svg without lg.svg: 12 times
Even before our hunt, the ANY.RUN engine had already been detecting these pages with generic signatures. The numbers below refer to signature detections, not individual sessions:
- PHISHING [ANY.RUN] Generic Phishkit related URL chain observed (/assets/img/*) — 866
- PHISHING [ANY.RUN] Generic Phishkit exfil activity observed (/next.php) — 232
- PHISHING [ANY.RUN] Domain chain identified as Phishing (challengepoint) — 495
In other words, the activity had been detected all along, but only through generic Generic Phishkit signatures. The analysis sessions remained hidden within that broader category because they had not yetbeen attributed to a specific family. Our fingerprint closed this attribution gap by linking the generic phishing-kit activity to Kratos.
| Month (2026) | Kratos V1 Sessions |
|---|---|
| January | 93 |
| February | 90 |
| March | 217 |
| April | 221 |
| May | 373 |
| June | 393 |
| July (partial) | 10 |
The current detection engine also includes Kratos-specific signatures, such as Kratos related URL chain observed, Kratos exfil activity, and Xbit Setter for barr.svg.
This enables security teams to run retrospective hunts, group related activity and create more accurate detection rules without relying on short-lived domains alone.
Behind the Scenes: How the Kratos “Business” Operates
The sandbox reveals the victim side of the attack. But Kratos also has an operator-facing side, which we were able to investigate through OSINT.
How We Located the Panel
Victim-side sandbox analysis does not expose the panel because it is designed for operators. However, every web panel has a favicon.
By searching public internet indexes for services whose page titles contained the word Kratos, we identified a distinctive icon in the favicon results: a stylized Kratos logo.

The icon led to active Kratos login panels displaying “© 2026 Kratos” and the message “Enter the realm of power.”This was an operator-side finding, not a conclusion drawn from victim-side sandbox data.

The service includes the following components, based on operator-side OSINT, public industry reports, and ANY.RUN research. The panel has been active since at least September 10, 2025:
- Main domain: A central dashboard showing users and sales statistics.
- deploy.* subdomain: Used to deploy phishing domains to a VPS in just a few clicks. The panel’s component code shows that operators can:
- Choose between a “PHP-based Office 365 page”, which uses a traditional PHP backend, and a “Node.js redirect server with anti-bot”, which functions as a reverse proxy with anti-bot protection and an admin dashboard.
- Upload page files.
- Install SSL certificates.
- Modify DNS records.
- Execute commands on the server.
- Manage VPS status.

- API component: The panel code directly exposes the following endpoints: /vps/* for CRUD operations, health checks, and cleanup, /domains/* for DNS verification, SSL installation, and SSL virtual host configuration

- Data delivery settings: Operators can choose between a Telegram bot and email. Stolen data is packaged as JSON and sent to the attacker’s Telegram channel. This configuration is handled server-sideand is not visible in victim-side traffic.
- Anti-bot protection: Operators can choose between reCAPTCHA, Cloudflare Turnstile, and hCaptcha.
- Geographic restrictions: Country-based whitelisting is handled through geoplugin.net.
- Panel protection: The admin panel itself is protected with a master password and Telegram-based two-factor authentication.
Infrastructure and Affiliate Fingerprints
Kratos deployments fall into several clear clusters:
- Newly registered, randomly named domains on low-cost TLDs such as .horse, .cfd, .sbs, .today, .fit, and .online: 235 deployments linked to disposable attacker infrastructure.
- Compromised legitimate websites, mainly German .de and Spanish .es domains, often running WordPress: 140 deployments. In these cases, the kit is usually placed in a subdirectory such as /factura/.
- *bgados* subdomains, derived from the Spanish word abogados (“lawyers”), suggesting a legal-themed lure.
- *files* and *docs* subdomains with 64-character paths, associated with document-themed lures.
- Wildcard domains such as klenpare.com, uvarnix.cfd, and xavon.sbs, which rotate through randomly generated subdomains.
The front end is almost always hidden behind Cloudflare, while the actual origin infrastructure is hosted on standard cloud providers such as Azure, Google Cloud, and Host4Geeks.
The infrastructure patterns suggest that several affiliates may be operating in parallel. Persistent tokens found in URL paths provide indirect evidence of these different affiliate fingerprints:
| Token | Sessions | Meaning |
|---|---|---|
| factura | 141 | Spanish/Portuguese for “invoice” |
| dgt | 38 | Reference to Spain’s traffic authority |
| Clbsrus / Svgclur | 33 / 24 | Pattern associated with V2 |
| Suclers | 25 | Distinctive token linked to the kit |
| paidoffice | 23 | Microsoft 365-themed token |
| yhwh + elroi | 20 | Biblical names that may indicate a specific campaign or operator style, but do not confirm actor attribution |
It is important to note that this is proxy-based segmentation, not confirmed actor attribution. The true actor-level identifier, the Telegram bot or email address that receives the stolen data, is configured server-side through the same panel.
Kratos also shares hosting infrastructure with other AiTM phishing kits, including Tycoon, Flowerstorm, Sneaky2FA, and EvilProxy. The same VPS servers, and sometimes even the same SharePoint pages, mayhost vax/qen DGA families, Spanish-language kits, and other campaigns behind the same Cloudflare infrastructure.
However, their code is different, and neighboring domains do not serve barr.svg. At the analysis level, there is no overlap between Kratos tags and these other families.
A shared IP address confirms co-hosting, but it does not prove that the campaigns are operated by the same actor. Kratos should therefore be tagged only when its asset pattern is present. Otherwise, unrelated campaigns may be incorrectly attributed to the family.
How to Detect Kratos: Ready-to-Use Detection Methods
Kratos can be identified through a combination of asset fingerprints, content hashes, exfiltration endpoints, engine signatures, and browser-level behavior.
1. Asset Fingerprint
This is the primary detection method, with 90% recall and a false-positive rate close to zero in negative-control testing.
- V1: HTTP requests to both */assets/img/barr.svg and */assets/img/lg.svg within the same sandbox analysis session
- V2: HTTP requests to *dsa.svg, *sid.gif, and *imag.jpg within the same session
2. Asset Content Hashes
These hashes remain useful even when the files are renamed:
- lg.svg = cd231b895bbcd7154b81df1e065bf02f1ec667b920c8b6d23308cd509833b5ea
- barr.svg = 949895df17148c5ea29f190d2619a14b3ec648425b9cc3c5a1423553c16f3898
- ani.gif = 9d1a1a5e3b5e5de8a6c76ded7a01fa01709d426232b0048c9ee6ba0c5c1b8b42
- styles.css = c447e75f1029ed7a5882add16bcd13ad44be3bd47c93c830ff39185e23d25ebb
The styles.css hash connects 636 tasks across V1 and V2.
3. Exfiltration Endpoints
- V0: */SOft/mini.php
- V1: */next.php, */nex.php, */n3xt.php, */officers*eur.php
- V2: */save.php
4. Existing ANY.RUN Engine Signatures
These signatures can already be used to trigger retrospective detection:
- PHISHING [ANY.RUN] Kratos related URL chain observed (M1 / M2 / M3 / Docusign Variant)
- PHISHING [ANY.RUN] Kratos exfil activity observed (M1) — /next.php
- PHISHING [ANY.RUN] Kratos exfil HTTP activity observed — /SOft/mini.php
- NOALERT [ANY.RUN] Xbit Setter for barr.svg / lg.svg / ani.gif / bg.png
5. In-Browser Data Investigation
ANY.RUN’s in-browser data investigation helps analysts confirm how the phishing page behaves after it loads. Inside the sandbox, they can inspect the page code, loaded assets, DOM changes, redirects, and network requests without relying only on the initial page appearance.

For Kratos, this makes it possible to see:
- The submitData() function and the di and pr parameters
- POST requests to endpoints such as next.php or save.php
- Password-attempt handling through the #pass-err element
- Redirects to predefined destinations such as office.com
- Obfuscated scripts and the logic used to send stolen credentials
This browser-level view helps confirm that the page is part of the Kratos family and gives analysts evidence they can use for triage, hunting, and response.
6. Behavioral Indicators
Additional behavioral signs include:
- Cloudflare Turnstile, identified as challengepoint
- DOMPurify 3.2.6
- The “Fake Microsoft Authentication Page” incident
- WebSocket activity in some analysis sessions
WebSocket activity should be treated as a risk indicator, not as proof of an AiTM attack.
SIEM Scoring Rule
Instead of using a simple binary match, apply a cumulative scoring model to assign confidence levels:
| Indicator | Score |
|---|---|
| barr.svg + lg.svg for V1, or dsa.svg + sid.gif + imag.jpg for V2 | +80 |
| Matching asset content hash | +80 |
| POST request to next.php, save.php, or officers*.php for V1/V2, or */PTT/SOft/mini.php for V0 | +35 |
| “Fake Microsoft auth,” page title Authentication, or Einvoice Beta footer | +30 |
| Turnstile displayed before the login form | +15 |
| Lure delivered through SharePoint, an email gateway, or Microsoft Forms | +10 |
| Tags associated with another kit, such as stealc, vidar, clickfix, tycoon, or sneaky2fa | −80 |
Recommendations for Defenders
Use a tiered response model instead of blocking everything by default.
Infrastructure Response
- Disposable attacker-controlled domains, including DGA domains, should be blocked.
- Shared parent domains such as crm-technik.de, klenpare.com, and uvarnix.cfd should be blocked only after review, as they may also host legitimate subdomains.
- Compromised legitimate websites should be reported for takedown rather than blocked outright.
- Cloudflare edge infrastructure and broad ASNs should be monitored, not blocked.
Response to Account Compromise
The response should also depend on the type of credential theft observed.
- For a basic credential harvester, reset the user’s password and verify their MFA settings.
- For confirmed or likely AiTM activity, such as reverse-proxy behavior, spoofing of login.microsoftonline.com, cookie or session relaying, or a suspicious authentication-relay endpoint, revoke activesessions and refresh tokens.
A password reset alone may not be enough if the attacker has already obtained a valid session.
Email and Link Analysis
Analyze suspicious links using both static verdicts and observed behavior. Train employees not to open suspicious links and to submit them to the internal security team for review.
When needed, use the ANY.RUN interactive sandbox to investigate the link safely. Never enter real authentication credentials during analysis.
Recommendations for CISOs and SOC Leaders
Kratos shows how credential phishing can remain visible as isolated detections without being understood as a wider operation. Security leaders should make sure their teams can connect technical evidenceto business risk and take consistent action before one compromised account becomes a broader incident.
- Measure time to confident attribution, not only time to detection. Detecting phishing is important, but linking related activity helps teams understand campaign scale, affected users, and business exposure.
- Add browser-level investigation to phishing workflows. Give analysts visibility into page code, redirects, DOM changes, and credential-exfiltration behavior that may not appear in static analysis.
- Define separate response playbooks for credential harvesting and AiTM activity. Password resets may be enough for a basic harvester, while suspected session theft requires session and refresh-token revocation.
- Turn Kratos indicators into repeatable controls. Add asset fingerprints, hashes, exfiltration endpoints, and confidence scoring to SIEM, SOAR, and retrospective hunting workflows.
- Avoid broad infrastructure blocking. Shared cloud, Cloudflare, and compromised legitimate domains require targeted review to reduce disruption and unnecessary business impact.
Conclusion
Kratos shows how a single stolen Microsoft 365 account can create wider business risk, from fraud and data exposure to costly incident response. Its repeatable assets and infrastructure patterns givesecurity teams a practical way to detect the kit earlier, connect related activity, and respond with greater confidence.
By combining sandbox analysis, browser-level evidence, and family-level attribution, organizations can reduce investigation time, avoid unnecessary blocking, and contain account compromise before itdevelops into a larger incident.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps organizations investigate threats faster and make response decisions based on clear behavioral evidence.
Its solutions include the Interactive Sandbox for enterprise-scale malware and phishing analysis, along with Threat Intelligence products built on investigation data from more than 15,000 organizations. This intelligence helps security teams enrich alerts, uncover active threats earlier, and add relevant context to detection, investigation, and response workflows.
ANY.RUN is SOC 2 Type II attested, demonstrating its commitment to strong security controls and customer data protection. For SOCs, MSSPs, and enterprise security teams, the platform helps reduce investigation uncertainty, accelerate triage, and turn threat analysis into actionable findings.
IOCs and Artifacts
- Fingerprint: */assets/img/barr.svg + */assets/img/lg.svg for V1; *dsa.svg + *sid.gif + *imag.jpg for V2
- Exfiltration: */next.php, */save.php, */officers*eur.php, and POST requests to */PTT/SOft/mini.php
- Early domain: dwbud.vilaribit.com for V0 (/PTT/SOft)
- Operator IP: 41.128.0.142 (Egypt)
- abal[.]my
- starwellmedia[.]com
- aabiz[.]de
- aspireglobal[.]ltd
- buenne[.]de
- dufllot[.]sbs
- enerdizerandtron[.]de
- espaciocf[.]de
- ihrsupportcenter[.]de
- ilersls[.]org
- aaalen[.]de
- rundwasser[.]de
- smartcontrolengineer[.]com
- sonnenbrillenspot[.]de
- trisrnareprjdocz[.]com

ShiFu
I'm a Threat Intelligence Analyst focused on tracking cybercriminal groups and other malicious activity clusters. I previously worked as an Application Security Engineer and have a background in CTF competitions, with experience in offensive security, malware analysis, and application security.




0 comments