Phishing Campaigns Using Advanced Kits Targeting Universities and Banks
Threat actors have launched a sophisticated phishing campaign targeting U.S. universities by leveraging the open-source Evilginx framework. At least 18 educational institutions have been affected since April 2025, with attackers using personalized emails containing TinyURL links that redirect to dynamically generated phishing pages. These pages closely mimic student single sign-on portals and employ advanced evasion techniques, such as expiring URLs, wildcard TLS certificates, bot filtering, and JavaScript obfuscation, making detection and mitigation increasingly difficult. The campaign demonstrates the growing accessibility of advanced phishing tools, enabling even unskilled actors to bypass multi-factor authentication and compromise sensitive credentials.
Simultaneously, a new phishing kit called Spiderman has emerged on the dark web, targeting customers of major European banks and cryptocurrency platforms. This full-stack kit allows attackers to easily clone login pages for dozens of financial institutions and conduct real-time credential theft across multiple countries. With a large user community and features that facilitate immediate data exfiltration and hybrid fraud operations, Spiderman represents a significant escalation in the scale and efficiency of phishing threats facing the financial sector. Both campaigns highlight the evolving landscape of phishing, where sophisticated toolkits are lowering the barrier to entry for cybercriminals and increasing the risk to organizations worldwide.
Timeline
Dec 12, 2025
Researchers identify broader wave of advanced phishing kits
Researchers disclosed four advanced phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—highlighting the growing industrialization of phishing. The report emphasized AI-assisted phishing, MFA bypass, anti-analysis features, and sales through Telegram and Signal as part of a wider trend toward scalable credential theft operations.
Dec 10, 2025
Researchers detail Spiderman's scale and operator ecosystem
Further reporting revealed that Spiderman is modular, supports interception of OTP and PhotoTAN codes, and provides a dashboard for real-time monitoring and export of stolen data. Researchers also observed a Signal group with roughly 750 members, indicating broad adoption among threat actors.
Dec 9, 2025
Researchers report Spiderman phishing kit targeting European banks
Varonis researchers identified the Spiderman phishing kit as a new phishing-as-a-service offering targeting major European banks and cryptocurrency platforms across at least five countries. The kit supports real-time theft of banking credentials, MFA codes, card data, and crypto wallet seed phrases while using geo-targeting and other evasion features.
Apr 1, 2025
Evilginx phishing campaign begins targeting U.S. universities
Threat actors began using the open-source Evilginx framework in April 2025 to target at least 18 U.S. universities and educational entities. The campaign used personalized phishing emails with TinyURL links leading to dynamically generated fake student SSO portals.
Related Stories

Emergence of New Cybercriminal Groups and Tools Targeting European Financial Sector
UK law enforcement is facing increased pressure from the simultaneous rise of young, English-speaking hackers such as those associated with 'Scattered Spider' and the continued threat from organized Russian-speaking ransomware groups. These new threat actors, often motivated by prestige and recruited from online communities, have been implicated in high-profile attacks on UK retailers, resulting in significant financial losses and straining the resources of authorities already challenged by budget constraints and evolving technology. The operational differences between these groups—Scattered Spider's focus on social engineering and the Russian-speaking groups' technical sophistication—are creating a complex threat landscape for the UK. Concurrently, a new phishing kit named 'Spiderman' has emerged, enabling cybercriminals to launch sophisticated phishing campaigns against dozens of European banks and cryptocurrency services. The kit allows attackers to create convincing replicas of legitimate banking and fintech sites, capture credentials and two-factor authentication codes, and even steal cryptocurrency wallet seed phrases. Its modular design and real-time control panel features make it a popular tool among cybercriminals, further complicating the security environment for financial institutions across Europe as they adapt to new e-banking authentication methods.
1 month ago
Phishing Campaigns Targeting US Universities and Higher Education
A coordinated phishing campaign targeted at least 18 American universities over several months used the open-source Evilginx phishing kit to bypass multi-factor authentication (MFA) and compromise student and staff accounts. Attackers employed adversary-in-the-middle (AiTM) tactics, leveraging personalized emails with short-lived TinyURLs that mimicked university single sign-on (SSO) portals. By capturing both credentials and session cookies, the attackers were able to fully take over accounts, despite MFA protections. The campaign demonstrated advanced operational security, including frequent changes to attack links and the use of services like Cloudflare to obscure infrastructure, as detailed in Infoblox's investigation. Separately, Harvard University experienced a breach of its Alumni Affairs and Development office systems, attributed to a successful mobile phishing ("mishing") attack. The attacker gained access to internal systems, which the university subsequently secured. This incident highlights the growing trend of mobile-first phishing strategies that bypass traditional desktop and network defenses, posing significant risks to organizations with distributed workforces and sensitive data. The breach underscores the need for dedicated mobile threat defense solutions, as standard MDM and UEM tools are insufficient against sophisticated mobile phishing attacks.
1 month ago
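An added example, not taken from the stories above or from the Infoblox investigation: one way to detect the session-cookie takeover described in the preceding story is to compare each later use of a session with the network and browser that completed MFA. The event schema, the sample values and the rule "ASN and user agent both changed" are assumptions for illustration, and every log line is constructed.

```python
from datetime import datetime

# Constructed events: (time, user, session id, source IP, ASN, user agent, action).
# The schema is hypothetical, not a real identity-provider log format.
EVENTS = [
    # jdoe: MFA completes on one network, cookie then used from another ASN and browser
    ("2025-04-03T14:02:11", "jdoe", "s-7f3a", "198.51.100.24", 64500, "Chrome/135 Windows", "mfa_success"),
    ("2025-04-03T14:03:40", "jdoe", "s-7f3a", "203.0.113.77", 64511, "Firefox/128 Linux", "mail_read"),
    # asmith: same browser moves from campus to home, only the ASN changes
    ("2025-04-03T09:00:00", "asmith", "s-11c2", "192.0.2.10", 64501, "Safari/17 macOS", "mfa_success"),
    ("2025-04-03T18:30:00", "asmith", "s-11c2", "192.0.2.200", 64502, "Safari/17 macOS", "portal_view"),
    # blee: address changes inside the same ASN
    ("2025-04-03T10:15:00", "blee", "s-9d40", "198.51.100.5", 64500, "Edge/134 Windows", "mfa_success"),
    ("2025-04-03T10:45:00", "blee", "s-9d40", "198.51.100.9", 64500, "Edge/134 Windows", "mail_read"),
]


def find_session_replay(events):
    """Flag sessions later used from a different ASN *and* user agent than at MFA."""
    issued = {}      # session id -> (asn, user agent, time) when MFA completed
    flagged = set()  # report each session once
    alerts = []
    for ts, user, sid, ip, asn, ua, action in sorted(events):  # ISO times sort as text
        if action == "mfa_success":
            issued[sid] = (asn, ua, ts)
            continue
        origin = issued.get(sid)
        if origin is None or sid in flagged:
            continue  # issued outside the log window, or already reported
        if asn != origin[0] and ua != origin[1]:
            gap = datetime.fromisoformat(ts) - datetime.fromisoformat(origin[2])
            flagged.add(sid)
            alerts.append({"user": user, "session": sid, "replay_ip": ip,
                           "seconds_after_mfa": int(gap.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replay(EVENTS):
        print(alert)
```

Requiring both the ASN and the user agent to change keeps ordinary roaming (the asmith and blee cases) from alerting. With an adversary-in-the-middle proxy the MFA event itself reaches the identity provider from the proxy's address, so this rule fires when the captured cookie is loaded into a different browser on a different network.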
Sophisticated Phishing Campaigns Leveraging Advanced Kits and Evasion Techniques
Cybercriminals are increasingly utilizing advanced Phishing-as-a-Service (PhaaS) kits to conduct large-scale, targeted phishing campaigns that impersonate trusted brands and institutions. These kits, which have doubled in number over the past year, enable even less-skilled attackers to deploy sophisticated attacks at scale by incorporating features such as URL obfuscation, MFA bypass, CAPTCHA abuse, and the use of malicious QR codes and attachments. Threat analysts have observed a surge in new PhaaS entrants, including Cephas, Whisper 2FA, and GhostFrame, alongside established kits like Tycoon 2FA and Mamba 2FA. Attackers are also leveraging AI, social engineering, and polymorphic techniques to evade detection, making it increasingly difficult for organizations to defend against these threats with static security controls alone. Technical analysis reveals that phishing infrastructure is evolving to include fake verification pages, such as counterfeit Cloudflare Turnstile challenges, which act as intelligent traffic filtering gates. These pages use browser fingerprinting, geolocation, and proxy detection to selectively deliver malicious payloads to high-confidence victims while evading security researchers and automated defenses. The fake verification pages closely mimic legitimate branding and user experience, including fabricated Ray IDs and links to real policy documents, to build trust and bypass scrutiny. Security experts recommend adopting layered defenses, including phishing-resistant MFA, continuous monitoring, and integrated email security, to counter these increasingly sophisticated phishing operations.
1 month ago