{"id":8645,"date":"2024-08-21T11:56:24","date_gmt":"2024-08-21T11:56:24","guid":{"rendered":"\/cybersecurity-blog\/?p=8645"},"modified":"2024-08-21T13:08:39","modified_gmt":"2024-08-21T13:08:39","slug":"phishing-campaigns-august-24","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/","title":{"rendered":"Recent Phishing Campaigns Discovered by ANY.RUN Researchers"},"content":{"rendered":"\n<p>At <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, we&#8217;re committed to staying at the forefront of cybersecurity threats. Our team continuously monitors and analyzes emerging phishing campaigns to keep our users informed and protected. We regularly share our findings on our X (formerly Twitter) account. &nbsp;&nbsp;<\/p>\n\n\n\n<p>In this article, we&#8217;ve compiled a selection of the most notable phishing campaigns we&#8217;ve seen recently. 
Let&#8217;s dive right in!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tycoon 2FA<\/h2>\n\n\n\n<p><strong>Original sources:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/x.com\/anyrun_app\/status\/1818972716659093913\" target=\"_blank\" rel=\"noreferrer noopener\">X post<\/a>.<\/li>\n<li><a href=\"https:\/\/www.linkedin.com\/posts\/any-run_tycoon-amazon-explorewithanyrun-activity-7224738509478113280-L48D?utm_source=share&amp;utm_medium=member_desktop\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn post<\/a>.<\/li>\n<\/ul>\n\n\n\n<p>We&#8217;ve identified an ongoing campaign that uses the Tycoon 2FA phish-kit and is delivered through compromised Amazon Simple Email Service (SES) accounts.<\/p>\n\n\n\n<p>Here\u2019s how the <a href=\"https:\/\/app.any.run\/tasks\/6fa7c7d7-a8fb-4c5d-87fb-1531c95d1465\" target=\"_blank\" rel=\"noreferrer noopener\">attack chain<\/a> works:<\/p>\n\n\n\n<p>Amazon SES email \u2192 open redirect on a CIS social network (vk.com) \u2192 open redirect on a news outlet (indiatimes.com) \u2192 custom redirector \u2192 main phish engine \u2192 email and password sent to C2.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Initial Phishing Email<\/h3>\n\n\n\n<p>The phishing email is sent through a compromised Amazon SES customer account and often carries a valid signature. Its most distinctive trait is that it contains two empty PDF files as attachments. 
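As an added example (not code from the original post or from ANY.RUN), the Python script below triages an .eml for the traits just described: Amazon SES origin, SPF and DKIM results, the DocuSign lure text and two empty PDF attachments. It also statically unwraps the rewritten link through the redirect hops named in the attack chain above, so an analyst can see where the link leads without visiting any of it. The sample message, the sender and victim addresses and the host redirector.example (which stands in for the attackers' custom redirector) are constructed. The wrapper parameter names are assumptions: "u" for clicktime.symantec.com and "to" for away.vk.com follow those services' public link formats, and "/etl.php?url=" is the redirector path named later in this post.

```python
"""Triage helper for the Tycoon 2FA lure described above.

Added example, not code from the original post or from ANY.RUN. It checks
an .eml for the traits the post lists and statically peels the rewritten
link through the URL-wrapper parameter of each hop. Parameter names are
assumptions: clicktime "u" and away.vk.com "to" follow those services'
public link formats; "/etl.php?url=" is the redirector named in the post.
"""
import re
import email
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit, parse_qs, quote

LURE_TEXT = "you have received a document to review and sign"


def wrapper_param(url):
    """Return the query parameter that carries the next hop, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "clicktime.symantec.com":
        return "u"      # Symantec click-time rewrite (assumed parameter)
    if host == "away.vk.com":
        return "to"     # social network open redirect (assumed parameter)
    if host.endswith(".indiatimes.com") and parts.path.endswith("/etl.php"):
        return "url"    # news outlet redirector path named in the post
    return None


def unwrap_chain(url, max_hops=10):
    """Peel wrapper parameters hop by hop without any network access.
    Stops at the first URL whose target is not carried in the URL itself,
    e.g. the attackers' custom server-side redirector."""
    chain = [url]
    for _ in range(max_hops):
        param = wrapper_param(chain[-1])
        if param is None:
            break
        values = parse_qs(urlsplit(chain[-1]).query).get(param)
        if not values or not values[0].lower().startswith(("http://", "https://")):
            break
        chain.append(values[0])
    return chain


def triage_eml(raw):
    """Extract the indicators this campaign is known for from raw .eml bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    origin = " ".join(msg.get_all("Received", []) + [msg.get("Return-Path", "")])
    auth = (msg.get("Authentication-Results") or "").lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    pdfs = [p for p in msg.iter_attachments()
            if p.get_content_type() == "application/pdf"]
    links = re.findall(r'href="([^"]+)"', text)
    return {
        "amazon_ses": "amazonses.com" in origin.lower(),
        "spf_pass": "spf=pass" in auth,
        "dkim_pass": "dkim=pass" in auth,
        "docusign_lure": LURE_TEXT in text.lower(),
        "empty_pdf_count": sum(1 for p in pdfs
                               if not (p.get_payload(decode=True) or b"")),
        "chain": unwrap_chain(links[0]) if links else [],
    }


def verdict(findings):
    """Score the lure on its own traits. SPF/DKIM are deliberately left out:
    a compromised SES account produces mail that authenticates cleanly."""
    abused = [u for u in findings["chain"][1:] if wrapper_param(u)]
    hits = (findings["amazon_ses"] + findings["docusign_lure"]
            + (findings["empty_pdf_count"] >= 2) + bool(abused))
    return "suspicious" if hits >= 3 else "needs manual review"


def build_sample_eml():
    """Constructed message mimicking the lure; not a real capture.
    redirector.example stands in for the attackers' custom redirector."""
    final = "https://redirector.example/r"
    hop2 = ("https://brandequity.economictimes.indiatimes.com/etl.php?url="
            + quote(final, safe=""))
    hop1 = "https://away.vk.com/away.php?to=" + quote(hop2, safe="")
    link = "https://clicktime.symantec.com/3abc/?u=" + quote(hop1, safe="")
    msg = EmailMessage()
    msg["From"] = "Docusign <noreply@sender.example>"
    msg["To"] = "victim@target.example"
    msg["Subject"] = "Complete with Docusign: Agreement.pdf"
    msg["Return-Path"] = "<0101-bounces@amazonses.com>"
    msg["Received"] = "from mail.amazonses.com ([192.0.2.10]) by mx.target.example"
    msg["Authentication-Results"] = ("mx.target.example; spf=pass "
                                     "smtp.mailfrom=amazonses.com; "
                                     "dkim=pass header.d=amazonses.com")
    msg.set_content("You have received a document to review and sign.")
    msg.add_alternative(
        "<p>You have received a document to review and sign.</p>"
        f'<a href="{link}">Review Document</a>', subtype="html")
    for name in ("Document.pdf", "Document (1).pdf"):  # the two empty PDFs
        msg.add_attachment(b"", maintype="application", subtype="pdf",
                           filename=name)
    return msg.as_bytes()
```

Run triage_eml(build_sample_eml()) and then verdict() on the result: the sample passes SPF and DKIM yet is still flagged, which is the point of the caveat about authentication checks. Static unwrapping stops at the first hop that resolves its target server-side (here the custom redirector); from there on, only a sandbox run such as the one linked above shows the rest of the chain.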
<\/p>\n\n\n\n<p>In some cases the emails fail SPF and DKIM checks, but a pass should not be treated as a clean signal either: the sending SES account itself may be compromised, so the message can be authenticated by legitimate infrastructure. Do not rely on these checks alone.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"623\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-5-1024x623.png\" alt=\"\" class=\"wp-image-8646\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-5-1024x623.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-5-300x182.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-5-768x467.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-5-370x225.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-5-270x164.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-5-740x450.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-5.png 1250w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>The email typically carries a DocuSign-styled header with the text: &#8220;You have received a document to review and sign.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"485\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-1024x485.jpg\" alt=\"\" class=\"wp-image-8647\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-1024x485.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-300x142.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-768x364.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-370x175.jpg 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-270x128.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image-740x351.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image.jpg 1072w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Redirection chain<\/h3>\n\n\n\n<p>The phishing link is often rewritten by the Symantec Click-time URL Protection service, so the visible link points at clicktime.symantec[.]com rather than at the attackers&#8217; infrastructure. When a victim clicks the &#8220;Review Document&#8221; link, they are taken through a long chain of redirects. This keeps the final phishing domain out of the email itself and makes the link look benign to a cursory reputation check.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"195\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-3-1024x195.png\" alt=\"\" class=\"wp-image-8661\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-3-1024x195.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-3-300x57.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-3-768x146.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-3-370x70.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-3-270x51.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-3-740x141.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-3.png 1108w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>We&#8217;ve traced the entire path of this attack, from the initial click in the email to the submission of the stolen user data, as it unfolds in the victim&#8217;s browser.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Domains in the Attack Chain<\/strong><\/h3>\n\n\n\n<p><strong>Redirecting\/Rejecting:<\/strong><\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-141\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"6\"\n           data-wpID=\"141\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    
<tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Clicktime.symantec[.]com                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Rewritten email link                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Away.vk[.]com                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Social media redirect abuse                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n 
                                           data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Brandequity.economictimes.indiatimes[.]com                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        News outlet redirect abuse                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Jyrepresentacao[.]com                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Custom unconditional target-domain-masking redirect                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n        
            data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        T4yzv.vereares[.]ru                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Custom conditional redirect\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Challenges.cloudflare[.]com                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Turnstile Cloudflare Challenge                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-141'>\ntable#wpdtSimpleTable-141{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-141 td, table.wpdtSimpleTable141 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p><strong>Content Delivery Networks \/ 
Services:<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-142\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"8\"\n           data-wpID=\"142\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Code.jquery[.]com                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        jQuery script storage                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Cdn.socket[.]io                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                          
                  data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Socket script storage                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Github[.]com                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Randexp script storage                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Dnjs.cloudflare[.]com                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n             
       style=\"                    padding:10px;\n                    \"\n                    >\n                                        Crypto-js script storage                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Httpbin[.]org                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        External IP lookup service                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Ipapi[.]co                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        
IP information service                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Ok4static.oktacdn[.]com                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Static CDN storage                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Aadcdn.msauthimages[.]net                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Brand logo storage                    <\/td>\n                                        <\/tr>\n                    
<\/table>\n<\/div><style id='wpdt-custom-style-142'>\ntable#wpdtSimpleTable-142{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-142 td, table.wpdtSimpleTable142 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p><strong>Phishing Engine and C2&nbsp;<\/strong><\/p>\n\n\n\n<p>The phishing operation relies on two main domains:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-143\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"2\"\n           data-wpID=\"143\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        V4l3n.delayawri[.]ru                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Attackers' C2 server                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n       
             data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Keqil.ticemi[.]com                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Tycoon 2FA phish-kit's core engine                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-143'>\ntable#wpdtSimpleTable-143{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-143 td, table.wpdtSimpleTable143 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>The main engine code is split into two parts, each obfuscated differently: the first part with XOR, the second with the obfuscator[.]io service.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">C2 Communication protocol<\/h3>\n\n\n\n<p>Request to the C2 after the victim enters an email address (the last segment is the data returned by the ipapi[.]co lookup):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/&lt;email&gt;\/&lt;item&gt;\/&lt;app&gt;\/&lt;ipapi response data&gt;<\/code><\/pre>\n\n\n\n<p>Response (JSON):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\"message\":&lt;status&gt;, &lt;interface elements&gt;, \"uid\":&lt;uid&gt;, \"token\":&lt;token&gt;<\/code><\/pre>\n\n\n\n<p>Request to the C2 after the victim enters a password. The token is the one returned in the previous response, which ties both requests of a victim session together in captured traffic:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/&lt;token&gt;\/&lt;password&gt;<\/code><\/pre>\n\n\n\n<p>Response (JSON):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\"message\":&lt;status&gt;, &lt;interface elements&gt;, \"description\":&lt;description&gt;, \"token\":&lt;token&gt;<\/code><\/pre>\n\n\n\n<p>All communication with the C2 is encrypted using AES in CBC mode. Because the encryption is performed by the kit&#8217;s JavaScript in the victim&#8217;s browser (crypto-js is loaded from a public CDN, as listed above), the key material has to be reachable from the client-side code, so an analyst who deobfuscates the engine can recover it and decrypt captured traffic.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"512\" height=\"190\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-4.png\" alt=\"\" class=\"wp-image-8648\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-4.png 512w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-4-300x111.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-4-370x137.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-4-270x100.png 270w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure><\/div>\n\n\n<p>The following subdomains of economictimes.indiatimes[.]com have the redirector script \/etl.php installed:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-145\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"10\"\n           data-wpID=\"145\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        auto.economictimes.indiatimes [.] 
com                     <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        b2bimg.economictimes.indiatimes[.]com                     <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        cfo.economictimes.indiatimes [.] com                     <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        cio.economictimes.indiatimes [.] 
com<\/td>\n<\/tr>\n<tr class=\"wpdt-cell-row \"><td class=\"wpdt-cell wpdt-align-left\">energy.economictimes.indiatimes [.] com<\/td><\/tr>\n<tr class=\"wpdt-cell-row \"><td class=\"wpdt-cell wpdt-align-left\">realty.economictimes.indiatimes [.] com<\/td><\/tr>\n<tr class=\"wpdt-cell-row \"><td class=\"wpdt-cell wpdt-align-left\">static.economictimes.indiatimes [.] com<\/td><\/tr>\n<tr class=\"wpdt-cell-row \"><td class=\"wpdt-cell wpdt-align-left\">telecom.economictimes.indiatimes [.] com<\/td><\/tr>\n<tr class=\"wpdt-cell-row \"><td class=\"wpdt-cell wpdt-align-left\">ciso.economictimes.indiatimes [.] com<\/td><\/tr>\n<tr class=\"wpdt-cell-row \"><td class=\"wpdt-cell wpdt-align-left\">brandequity.economictimes.indiatimes [.] com<\/td><\/tr>\n<\/table>\n<\/div>\n\n\n\n\n<p>You can <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522commandLine:%255C%2522\/etl.php?url=%255C%2522%2520and%2520domainName:%255C%2522.economictimes.indiatimes.com%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">view the domains and associated sandbox sessions<\/a> in ANY.RUN&#8217;s TI Lookup:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img width=\"866\" height=\"292\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-3.png\" alt=\"\" class=\"wp-image-8649\" \/><\/figure>\n\n\n\n<p>You can also search ANY.RUN sandbox&#8217;s public database of samples with the tags <a href=\"https:\/\/app.any.run\/submissions\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice#tag:phishing\" target=\"_blank\" rel=\"noreferrer noopener\">#phishing<\/a> <a 
href=\"https:\/\/app.any.run\/submissions\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice#tag:amazon-ses\" target=\"_blank\" rel=\"noreferrer noopener\">#amazon-ses<\/a> <a href=\"https:\/\/app.any.run\/submissions\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice#tag:tycoon\" target=\"_blank\" rel=\"noreferrer noopener\">#tycoon<\/a> to find more recent examples of this campaign.&nbsp;<\/p>\n\n\n\n<p><strong>A word of caution<\/strong>: Never enter real credentials into phishing forms, even when working inside the sandbox!&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Tycoon 2FA Evolved&nbsp;<\/h2>\n\n\n\n<p>After discovering the last Tycoon campaign, we kept looking for new samples. We soon found an evolved Tycoon variant using fake error messages to trick users into revealing their credentials.&nbsp;<\/p>\n\n\n\n<p>Original posts:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/x.com\/anyrun_app\/status\/1824056178940256654\" target=\"_blank\" rel=\"noreferrer noopener\">X post<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.linkedin.com\/posts\/any-run_phishing-credentials-tycoon-activity-7229821799406960641-IrxU?utm_source=share&amp;utm_medium=member_desktop\" target=\"_blank\" rel=\"noreferrer noopener\">Linkedin post<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imaged-1-1024x576.png\" alt=\"\" class=\"wp-image-8650\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imaged-1-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imaged-1-300x169.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imaged-1-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imaged-1-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imaged-1-2048x1152.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imaged-1-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imaged-1-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imaged-1-740x416.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>This Tycoon variant&nbsp;shows users fake error messages like &#8220;No Internet Connection&#8221; or &#8220;Error 500&#8221;. Here&#8217;s what happens:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users see a fake error message.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>When they click &#8220;Try Again&#8221; or &#8220;Refresh Page&#8221;, they land on a fake Outlook login page.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users enter their credentials, thinking they&#8217;re fixing the error. Instead, they&#8217;re handing their login info to the attackers.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The attackers use several tricks to make their scheme look real. 
&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagee-1-1024x576.png\" alt=\"\" class=\"wp-image-8651\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagee-1-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagee-1-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagee-1-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagee-1-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagee-1-2048x1152.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagee-1-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagee-1-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagee-1-740x416.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>Most of the attack happens on sites that look legitimate. They include a CAPTCHA step. This makes the process feel more trustworthy and helps avoid detection by automated security tools. And the actual phishing page only shows up at the very end.&nbsp;<br>&nbsp;<br>Interestingly, when these attackers detect traffic from a sandbox, they send users to real websites instead of their phishing pages. 
But&nbsp;our Residential Proxy feature can bypass this.&nbsp;<br>&nbsp;<\/p>\n\n\n\n<p>You can check out these samples we analyzed:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/4aa9c4f4-bb91-4afc-9571-4b1f73bbc4ef\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">No Internet Connection<\/a> (with our Residential proxy)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/c193012e-6c26-4023-bbe9-3b672abdb26a\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">No Internet Connection<\/a> (without our Residential proxy)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/728d8561-e40e-4dfe-8640-978dfa681fe4\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Error 500 message<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Fake Teams, another use of Tycoon&nbsp;<\/h2>\n\n\n\n<p>The Tycoon story doesn\u2019t end there. We&#8217;ve discovered yet another evolution of the Tycoon 2FA phishing campaign. 
This time, it&#8217;s targeting US government organizations by impersonating Microsoft Teams.&nbsp;<\/p>\n\n\n\n<p><strong>Original posts:&nbsp;<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/x.com\/anyrun_app\/status\/1821912077079896538\" target=\"_blank\" rel=\"noreferrer noopener\">X post<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.linkedin.com\/posts\/any-run_tycoon-2fa-phishing-activity-7227676616779272193-6WMe?utm_source=share&amp;utm_medium=member_desktop\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn post<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagef-1-1024x576.png\" alt=\"\" class=\"wp-image-8652\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagef-1-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagef-1-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagef-1-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagef-1-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagef-1-2048x1152.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagef-1-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagef-1-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagef-1-740x416.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>This is an evolution of the Tycoon 2FA phishing scheme we previously reported. 
The new variant adds a layer of filtering by targeted email addresses: &nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The list of targeted emails is stored at: hinifiejevyrinzelywbhj[.]pages[.]dev\/list.txt&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It includes addresses from 338 organizations within the .GOV domain.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Victims must enter their email on: MSOFT_DOCUSIGN_VERIFICATION_SECURED-DOC_OFFICE[.]zatrdg[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the email is listed, they&#8217;re redirected to a phishing domain requesting their Microsoft account password.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/Tycoon-2FA-Phish-kit-stages-and-domains-768x1024.jpg\" alt=\"\" class=\"wp-image-8665\" width=\"621\" height=\"828\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/Tycoon-2FA-Phish-kit-stages-and-domains-768x1024.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/Tycoon-2FA-Phish-kit-stages-and-domains-225x300.jpg 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/Tycoon-2FA-Phish-kit-stages-and-domains-1152x1536.jpg 1152w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/Tycoon-2FA-Phish-kit-stages-and-domains-1536x2048.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/Tycoon-2FA-Phish-kit-stages-and-domains-370x493.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/Tycoon-2FA-Phish-kit-stages-and-domains-270x360.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/Tycoon-2FA-Phish-kit-stages-and-domains-740x987.jpg 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/Tycoon-2FA-Phish-kit-stages-and-domains.jpg 1800w\" sizes=\"(max-width: 621px) 100vw, 621px\" \/><\/figure><\/div>\n\n\n<p>Key domains in this attack: &nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>donostain[.]com &#8211; redirects to either a Tycoon 2FA phishing page or a legitimate domain. <a href=\"https:\/\/app.any.run\/tasks\/b7b7f02c-68f6-4a9e-9b95-28fafc611902\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Sandbox analysis<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>vereares[.]ru &#8211; persistent checker used by the attacker to decide on victim redirection.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The attackers use legitimate services to enhance credibility:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>mailmeteor[.]com and img[.]freepik[.]com for storing Teams logos and backgrounds&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>jsonip[.]com and ipapi[.]co for IP checks and information&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Communication with the C2 (muc7[.]lmfey[.]ru) is via POST request, encrypted using AES in CBC mode. 
Use <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=URL_Decode%28%29From_Base64%28'A-Za-z0-9%2B\/%3D',true,false%29AES_Decrypt%28%7B'option':'UTF8','string':'1234567890123456'%7D,%7B'option':'UTF8','string':'1234567890123456'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D%29&amp;input=WWJnWng0NUc3eUFTR1o2JTJCeVhlbiUyQndhTmZDTlplMCUyQmtjMXU0RDNYUDFuWTlyWmxQcWNJakh3R3k1V0dvU2hha05QZFpMVXZyWENNbklheTBOOEpHeTUlMkJ0dTYlMkI3OTlwUnlSMjNydFlGZ1RnJTNE\" target=\"_blank\" rel=\"noreferrer noopener\">this CyberChef<\/a> recipe to decrypt the phish-kit&#8217;s C2 communication.&nbsp;<\/p>\n\n\n\n<p>For additional sandbox sessions and IOCs, check these TI Lookup requests:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice#%7B%2522query%2522:%2522domainName:%255C%2522vereares.ru%255C%2522%25C2%25A0%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">vereares.ru lookup query.<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice#%7B%2522query%2522:%2522domainName:%255C%2522jxfav.ru%255C%2522%25C2%25A0%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">jxfav.ru lookup query.<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>While we can assume the actual victims are within the targeted set, it&#8217;s not possible to isolate this set from the overall list.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Fake Freshdesk&nbsp;<\/h2>\n\n\n\n<p>We&#8217;ve uncovered a phishing campaign that exploits the customer support platform Freshdesk to create and host lure pages with phishing links and send emails to targets.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/x.com\/anyrun_app\/status\/1820807373746778442\" target=\"_blank\" rel=\"noreferrer noopener\">X post.<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.linkedin.com\/posts\/any-run_phishing-explorewithanyrun-freshdesk-activity-7226572808049356800-xZI9?utm_source=share&amp;utm_medium=member_desktop\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn post.<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Here&#8217;s how the campaign 
works:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"1\">\n<li>Attackers create a new article in Freshdesk&#8217;s knowledge base (freshdesk[.]com\/support\/solutions\/articles\/) as a lure, with phishing links.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>The lure is sent to the victim&#8217;s email via Freshdesk&#8217;s email API.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>You can see an analysis of the malicious email and lure in <a href=\"https:\/\/app.any.run\/tasks\/895c86d3-f942-4849-999d-0409d6d3530b\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN sandbox<\/a>.&nbsp;<\/p>\n\n\n\n<p>After clicking a link in the PDF, the victim goes through a series of redirects:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-2.png\" alt=\"\" class=\"wp-image-8654\" width=\"460\" height=\"525\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-2.png 748w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-2-263x300.png 263w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-2-370x422.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-2-270x308.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image5-2-740x845.png 740w\" sizes=\"(max-width: 460px) 100vw, 460px\" \/><\/figure><\/div>\n\n\n<p>The link inside the email redirects the victim to the lure, where they are asked to click a link to review a PDF document.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"531\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1-1-1024x531.png\" alt=\"\" class=\"wp-image-8655\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1-1-1024x531.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1-1-300x156.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1-1-768x398.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1-1-1536x797.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1-1-370x192.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1-1-270x140.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1-1-740x384.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1-1.png 1590w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>After clicking a link in the PDF, the victim is sent through a chain of redirects.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The sequence of redirects<\/h3>\n\n\n\n<p>The first redirect hides the actual phishing domain through seahorse-app-3lu8r[.]ondigitalocean[.]app, which is a small HTML file hosted on DigitalOcean App.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"776\" height=\"223\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-2.png\" alt=\"\" class=\"wp-image-8656\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-2.png 776w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-2-300x86.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-2-768x221.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-2-370x106.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-2-270x78.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-2-740x213.png 740w\" sizes=\"(max-width: 776px) 100vw, 776px\" \/><\/figure>\n\n\n\n<p>Next, a loader script is downloaded from dadb737ad11[.]jandeclek-shakerjd-djhsn[.]ru\/s\/dd6bb7173. It sends a registration POST request to the C2. If the registration is accepted, it receives the second part of the script, the obfuscated C2 communication engine. Otherwise, the victim is redirected to a legitimate site such as Wikipedia.&nbsp;<\/p>\n\n\n\n<p>The phishing loader contains the following procedures (named by the comments in its code):&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\/\/document writer<\/li>\n<li>\/\/write loader to screen<\/li>\n<li>\/\/set the sign<\/li>\n<li>\/\/detect bot first<\/li>\n<li>\/\/shows error<\/li>\n<li>\/\/session getter<\/li>\n<li>\/\/post to endpoint<\/li>\n<\/ul>\n\n\n\n<p>It registers the victim with a POST request to the address: dadb737ad11[.]jandeclek-shakerjd-djhsn[.]ru\/r\/&lt;random&gt;?session=&lt;session&gt;&nbsp;<\/p>\n\n\n\n<p>The POST request is shown in the picture below:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img width=\"775\" height=\"282\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-2.png\" alt=\"\" class=\"wp-image-8657\" \/><\/figure><\/div>\n\n\n<p>In response, it receives the second part of the script: the module for encrypted C2 communication, obfuscated with obfuscator[.]io.&nbsp;<\/p>\n\n\n\n<p>It opens a WebSocket connection to the address: dadb737ad11[.]jandeclek-shakerjd-djhsn[.]ru\/p\/&lt;random&gt;?session=&lt;session&gt;&nbsp;<\/p>\n\n\n\n<p>WebSocket messages exchanged with the C2 are masked by XORing every byte of the message with each of three random bytes in turn. The three random bytes are then appended to the end of the message, which is what lets the receiving side strip them and reverse the XOR.&nbsp;<\/p>\n\n\n\n<p>The encryption code is shown below:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img width=\"526\" height=\"235\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-2.png\" alt=\"\" class=\"wp-image-8658\" \/><\/figure><\/div>\n\n\n<p>And here\u2019s a <a 
href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=From_Hexdump%28%29Register%28'%28%5B%5C%5Cs%5C%5CS%5D%29..$',true,false,false%29Register%28'%28%5B%5C%5Cs%5C%5CS%5D%29.$',true,false,false%29Register%28'%28%5B%5C%5Cs%5C%5CS%5D%29$',true,false,false%29Drop_bytes%280,-3,false%29XOR%28%7B'option':'UTF8','string':'$R0'%7D,'Standard',false%29XOR%28%7B'option':'UTF8','string':'$R1'%7D,'Standard',false%29XOR%28%7B'option':'UTF8','string':'$R2'%7D,'Standard',false%29&amp;input=MDAwMCAgIDZkIDM0IDdmIDcyIDM0IDJjIDM0IDI3IDI3IDI2IDJlIDIyIDM0IDNhIDM0IDdiCjAwMTAgICA3MyA2NSA2NSA3NyA3MSA3MyAzNCAyYyA2ZCAzNCA3MyA3YiA3NyA3ZiA3YSAzNAowMDIwICAgMmMgMzQgNjIgNzMgNjUgNjIgNTYgNjIgNzMgNjUgNjIgMzggNzUgNzkgN2IgMzQKMDAzMCAgIDNhIDM0IDY2IDYxIDM0IDJjIDM0IDY2IDc3IDY1IDY1IDYxIDc5IDY0IDcyIDM0CjAwNDAgICA2YiAzYSAzNCA2NiA3NyA2MiA3ZSAzNCAyYyAzNCAzOSA3YSA3OSA3MSA3ZiA3OAowMDUwICAgMzQgNmIgMmQgMmYgMTQK\" target=\"_blank\" rel=\"noreferrer noopener\">universal decryptor recipe<\/a> for WebSocket C2 communication.&nbsp;<\/p>\n\n\n\n<p>Example of sending an email:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\"id\":&lt;ID&gt;,\"message\":{\"email\":&lt;Email&gt;},\"path\":\"\/email\"}<\/code><\/pre>\n\n\n\n<p>Example of sending a password:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\"id\":&lt;ID&gt;,\"message\":{\"email\":&lt;Email&gt;,\"pw\":&lt;Password&gt; },\"path\":\"\/login\"}<\/code><\/pre>\n\n\n\n<p>Frameworks used in the phishing scripts:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>FingerprintJS v4.3.0\u202f &nbsp;<\/li>\n\n\n\n<li>Fingerprint\u202fBotD \u202fv1.9.1&nbsp; &nbsp;<\/li>\n\n\n\n<li>Query\u202fv3.1.1&nbsp; &nbsp;<\/li>\n\n\n\n<li>Font\u202fAwesome\u202f4.7.0 &nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Fake SharePoint&nbsp;<\/h2>\n\n\n\n<p>Here, we\u2019ve noticed a huge phishing campaign that uses SharePoint to store PDFs with phishing links. 
The volume of phishing using this technique is enormous \u2014 in the 24 hours before the original post alone, our service saw over 500 public sandbox sessions with SharePoint phishing!&nbsp;<\/p>\n\n\n\n<p><strong>Original posts:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/x.com\/anyrun_app\/status\/1811405911820218803\" target=\"_blank\" rel=\"noreferrer noopener\">X post<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.linkedin.com\/posts\/any-run_phishing-sharepoint-phish-activity-7217165860627513344-2qsZ?utm_source=share&amp;utm_medium=member_desktop\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn post<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image11-1-1024x576.png\" alt=\"\" class=\"wp-image-8659\" \/><\/figure>\n\n\n\n<p>This campaign is very dangerous because it looks trustworthy at every step. It uses the legitimate SharePoint service to host the phishing PDFs. As an additional protective layer, the kit may ask the victim to confirm their email address before the link is served. Since all actions take place on legitimate websites, detection by security mechanisms and solutions is more challenging.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image12-1024x576.png\" alt=\"\" class=\"wp-image-8660\" \/><\/figure><\/div>\n\n\n<p>The usual chain is as follows:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First, the user receives a phishing email containing a link.<\/li>\n<li>Clicking the link leads to a SharePoint page hosting a PDF.<\/li>\n<li>The user may then be required to solve a CAPTCHA.<\/li>\n<li>Finally, the user lands on the main phishing page, which mimics the Microsoft login page.<\/li>\n<\/ul>\n\n\n\n<p>In some cases, the links are targeted, and the victim needs to enter a one-time 
code.&nbsp;<\/p>\n\n\n\n<p>Currently, such documents are also tagged as <a href=\"https:\/\/app.any.run\/submissions\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice#tag:possible-phishing\" target=\"_blank\" rel=\"noreferrer noopener\">possible-phishing<\/a> to notify users about danger. Due to the large influx of such phishing attacks which use SharePoint, we have introduced a new tag <a href=\"https:\/\/app.any.run\/submissions\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice#tag:sharepoint\" target=\"_blank\" rel=\"noreferrer noopener\">sharepoint<\/a>. We also added a notification in sandbox sessions: &#8220;Be cautious! Do not enter your credentials.&#8221;&nbsp;<\/p>\n\n\n\n<p>Interestingly, if traffic comes from a hosting provider, the phishing kit may redirect users to a legitimate website.&nbsp;<\/p>\n\n\n\n<p>You can find more info about this campaign below:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/1f7e6340-5a20-4a94-8dce-97c2a42a4c0a\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Analysis with residential proxy.<\/a> &nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/08c46524-3d10-4ce9-98d5-23514651a945\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Without residential proxy.<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a 
href=\"https:\/\/app.any.run\/submissions\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktoservice#tag:sharepoint\" target=\"_blank\" rel=\"noreferrer noopener\">Find more samples<\/a>.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in seconds.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Interact with samples in real time.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Save time and money on sandbox setup and 
maintenance&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Record and study all aspects of malware behavior.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Collaborate with your team&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scale as you need.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phishing_campaigns_august24&amp;utm_term=210824&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Request free trial \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At ANY.RUN, we&#8217;re committed to staying at the forefront of cybersecurity threats. Our team continuously monitors and analyzes emerging phishing campaigns to keep our users informed and protected. We regularly share our findings on our X (formerly Twitter) account. &nbsp;&nbsp; In this article, we&#8217;ve compiled a selection of the most notable phishing campaigns we&#8217;ve seen [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":8663,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34,40],"class_list":["post-8645","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Recent Phishing Campaigns Discovered by ANY.RUN Researchers - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"See ANY.RUN&#039;s overview of the most notable phishing campaigns active in August of 2024 and collect IOCs and other intel on these threats.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, 
max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Stas Gaivoronskii, Jane, Electron and khr0x\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/\"},\"author\":{\"name\":\"Stas Gaivoronskii, Jane, Electron and khr0x\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Recent Phishing Campaigns Discovered by ANY.RUN Researchers\",\"datePublished\":\"2024-08-21T11:56:24+00:00\",\"dateModified\":\"2024-08-21T13:08:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/\"},\"wordCount\":1826,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/\",\"name\":\"Recent Phishing Campaigns Discovered by ANY.RUN Researchers - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-08-21T11:56:24+00:00\",\"dateModified\":\"2024-08-21T13:08:39+00:00\",\"description\":\"See ANY.RUN's 
overview of the most notable phishing campaigns active in August of 2024 and collect IOCs and other intel on these threats.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phishing-campaigns-august-24\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Recent Phishing Campaigns Discovered by ANY.RUN Researchers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},[{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Stas Gaivoronskii\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto-150x150.png\",\"caption\":\"Stas 
Gaivoronskii\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Jane\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/Jane-150x150.jpg\",\"caption\":\"Jane\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Electron\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/05\/6394744-150x150.png\",\"caption\":\"Electron\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"khr0x\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1-150x150.jpg\",\"caption\":\"khr0x\"}}]]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}