
Posts by crep1x


Part 2 of our #EvilTokens in-depth analysis is out!

This blog post details the AI-augmented features significantly facilitating #BEC fraud.

I believe that this AI-augmented post-compromise tooling represents a genuine breakthrough in the #PhaaS ecosystem.

blog.sekoia.io/eviltokens-a...

1 week ago

Rapidly adopted by cybercriminals, we already observed multiple EvilTokens cases in @sekoia.io's telemetry, and hunted various attachments that delivered its pages worldwide.

Part 2 will focus on the AI-augmented pipeline that significantly facilitates and scales BEC fraud.

3 weeks ago

Link preview: New widespread EvilTokens kit: device code phishing as-a-service - Part 1. Uncover the new sophisticated EvilTokens device code phishing as-a-service, with AI-augmented features facilitating BEC fraud.

In early March 2026, we uncovered #EvilTokens, a new #PhaaS offering device code phishing pages and AI-driven features to automate and scale BEC workflows.

Part 1 of our analysis provides a technical analysis of the EvilTokens kit ⬇️

blog.sekoia.io/new-widespre...

3 weeks ago

Our latest TDR report on the #IClickFix framework:

📊 3,800+ WordPress sites compromised worldwide
⚙️ Multi-stage JavaScript loader
🚦 Abusing YOURLS as TDS
🖱️ Fake Cloudflare CAPTCHA and #ClickFix lure
🦠 #NetSupport RAT payload

bsky.app/profile/seko...

2 months ago

ddeddbeae5599b0419aa25ada1b1f678f870ae9d696f32663abd6eb3de7cc2a6 > webmil.duckdns.]org/partner/corperate/

4 months ago

Outlook and Zimbra phishing pages are distributed via email using malicious SVG files that contain obfuscated JavaScript (common phishing TTP nowadays), e.g.

ec7a3247bc86636c6b08bef9a1568b63c289a2d72464c9adebcf16ccfc2ce0f3 > zimbrastorage.duckdns.]org/BJ/zimbra/

⬇️

4 months ago


Open directory at 104.168.81.]229/BJ/ containing phishing pages for Zimbra, Outlook, Adobe, and various Chinese services


⬇️

4 months ago

#TDR analysts dig into a modus operandi targeting the hospitality industry and the related cybercrime ecosystem that facilitates #phishing and #fraud campaigns.

blog.sekoia.io/phishing-cam...

5 months ago

📝 Our latest #TDR report delivers an in-depth analysis of Adversary-in-the-Middle (#AitM) #phishing threats - targeting Microsoft 365 and Google accounts - and their ecosystem.

This report shares actionable intelligence to help analysts detect and investigate AitM phishing.

10 months ago

Link preview: Community/IOCs/Interlock at main · SEKOIA-IO/Community

As usual, we share multiple IoCs and YARA rules in our blog post and on our community GitHub: github.com/SEKOIA-IO/Co...

1 year ago

Link preview: Threat actors misuse Node.js to deliver malware and other malicious payloads | Microsoft Security Blog. Since October 2024, Microsoft Defender Experts has observed and helped multiple customers address campaigns leveraging Node.js to deliver malware and other payloads that ultimately lead to information...

By the way, Microsoft Threat Intelligence published an analysis yesterday on the same infection chain leveraging a new PowerShell loader/backdoor (without associating it with Interlock?)

www.microsoft.com/en-us/securi...

1 year ago

Check out our new blog post by the TDR team, presenting the latest TTPs used by the #Interlock ransomware group!

It includes their use of the ClickFix tactic, PyInstaller, Node.js, Cloudflare Tunnels, and a new PowerShell loader/backdoor ⬇️

bsky.app/profile/seko...

✍️ @kseznec.bsky.social

1 year ago

Since the apparition of the #Interlock ransomware, the Sekoia #TDR team observed its operators evolving, improving their toolset (#LummaStealer and #BerserkStealer), and leveraging new techniques such as #ClickFix to deploy the ransomware payload.

blog.sekoia.io/interlock-ra...

1 year ago

Link preview: Search - urlscan.io - Website scanner for suspicious and malicious URLs

Current decoy pages used since 18 March, changing every 3/4 weeks since the beginning of 2025:

urlscan.io/search/#page...

1 year ago

Tycoon 2FA (a prominent AitM phishing kit), targeting Microsoft and Google accounts, uses a new CAPTCHA page instead of the custom Cloudflare Turnstile page

e.g.
hxxps://ymi.bvyunz.]ru/3v4jfQ-cUo/
hxxps://xau.kolivax.]ru/ckYHFJN/
hxxps://ffqt.lzirleg.]es/VajlR/

⬇️

1 year ago

CTI tip: monitor transactions from the Ethereum address 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA to identify new PowerShell commands distributed by ClearFake - and block/detect any traffic to malicious domains!

As usual, feedback is greatly appreciated!

1 year ago

Here is our in-depth analysis of the latest #ClearFake variant using the Binance Smart Chain and two new ClickFix lures.

ClearFake is injected into thousands of compromised sites to distribute the #Emmenhtal Loader, #Lumma, #Rhadamanthys, and #Vidar.

⬇️

bsky.app/profile/seko...

1 year ago

Link preview: ClearFake’s New Widespread Variant: Increased Web3 Exploitation for Malware Delivery. ClearFake spreads malware via compromised websites, using fake CAPTCHAs, JavaScript injections, and drive-by downloads.

TDR analysts published an analysis of the new #ClearFake variant that relies on compromised websites injected with the malicious JavaScript framework, the #EtherHiding technique, and the #ClickFix social engineering tactic.

buff.ly/vbiVbsN

1 year ago

5. Further downloading and executing Rhadamanthys from:

bytes.microstorage.]shop/code.bin (virustotal.com/gui/file/a88...)

6. Communicating with C2 at:

91.240.118.]2:9769

Public analysis of the recent ClearFake variant: security.szustak.pl/etherhide/et...

1 year ago

3. Malicious PowerShell command is copied into the user's clipboard data to be executed in the Run dialog box

4. Downloading Emmenhtal from:

bytes.microstorage.]shop (1st stage)
w66.discoverconicalcrouton.]shop (2nd stage)

⬇️

1 year ago

#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.

cc @plebourhis.bsky.social @sekoia.io

1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding

2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic

⬇️

1 year ago

This is not planned at the moment! 😅

1 year ago

For those who did not monitor the supply chain attack against Chrome extensions in December 2024, our article provides an overview of:

- the targeted phishing attack against extension developers
- malicious code
- the adversary's infrastructure

⬇️

bsky.app/profile/seko...

1 year ago

TDR analysts analysed the supply chain attack targeting Chrome browser extensions, which potentially affected hundreds of thousands of end users in December 2024.

https://buff.ly/4auQ0HN

1 year ago

Full domain list:

gist.githubusercontent.com/qbourgue/071...

Distribution URLs:
hxxps://reddit-15.gmvr.]org/topic/inxcuh?engine=opentext+encase+forensic
hxxps://wettransfer80.tynd.]org/file/abbstd

Lumma Stealer C2:
weighcobbweo.]top

Triage analysis:
tria.ge/250120-vzdzz...

1 year ago

Around 1,000 malicious domains are hosting webpages impersonating Reddit and WeTransfer, redirecting users to download password-protected archives

These archives contain an AutoIT dropper, which we internally named #SelfAU3 Dropper at @sekoia.io and which executes #Lumma Stealer

IoCs ⬇️

1 year ago

We confirm that the WikiKit phishing pages correspond to those of the Sneaky Log service, which we chose to name Sneaky 2FA!

1 year ago

In late December 2024, TRACLabs analysed a Sneaky 2FA phishing campaign and dubbed the kit "WikiKit".

Meanwhile, we investigated another campaign that led to the discovery of Sneaky 2FA code, as well as the Telegram bot advertising and selling it.

1 year ago

Our last article exposes the new AiTM phishing kit Sneaky 2FA, sold by the cybercrime service "Sneaky Log"!

We provide an in-depth analysis of the phishing pages, the associated service, detection opportunities and multiple IoCs.

⬇️

bsky.app/profile/seko...

1 year ago