Credential Theft and Evasion Techniques Across Phishing, Webmail Exploitation, and Commodity Malware
Threat actors are continuing to prioritize credential theft while using defensive and trusted services to evade detection. DomainTools reported a Microsoft 365 phishing operation that weaponizes Cloudflare protections (including Turnstile human verification) to block automated analysis and security crawlers, then selectively serves a credential-harvesting flow only to “clean” visitors. The infrastructure used additional gatekeeping such as IP reputation checks (including lookups via api.ipify.org), hardcoded blocks for security-vendor and cloud-provider ranges, and user-agent filtering that returns a fake 404 page to bots, with the theft logic hidden behind heavy obfuscation.
Separately, Hunt.io documented Operation Roundish, assessed with medium-high confidence as aligned to APT28 (Fancy Bear), after discovering an exposed open directory hosting a Roundcube exploitation toolkit used against Ukrainian targets (including mail.dmsu.gov.ua). The toolkit included XSS payloads, a Flask-based C2, and modules for credential harvesting, mail-forwarding persistence, bulk email exfiltration, address book theft, and 2FA secret extraction, plus a Go-based Linux implant (httd) found on a compromised Ukrainian web application. In parallel reporting on credential-access tradecraft, Flashpoint analysis highlighted the low-cost DarkCloud infostealer (sold for about $30) that steals browser logins/cookies and other data and exfiltrates via common channels (email/FTP/Telegram/HTTP), while Aryaka Threat Labs described the BlackSanta campaign using steganographic lures and BYOVD techniques to disable EDR and enable stealthy data theft over HTTPS. Together, these reports underscore that credential access and defense evasion remain common precursors to broader enterprise compromise.
Timeline
Mar 24, 2026
Phishing campaign targets TikTok for Business accounts
Push Security reported a phishing campaign targeting TikTok for Business users with Cloudflare-hosted pages, Google Storage redirects, and Cloudflare Turnstile checks to evade analysis. The operation uses reverse-proxy phishing pages to steal credentials and session cookies, enabling account hijacking even when two-factor authentication is enabled, with attacker domains registered on 2026-03-24.
Mar 12, 2026
DomainTools identifies Cloudflare-assisted Microsoft 365 phishing campaign
DomainTools reported a Microsoft 365 credential-harvesting campaign that used Cloudflare Turnstile, IP filtering, and user-agent checks to block bots and researchers before serving phishing pages to real users. The campaign hid credential theft logic in an obfuscated custom virtual machine and could be tracked via a shared Turnstile sitekey.
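The shared-sitekey pivot mentioned above can be turned into a simple hunting helper. This is an added example, not DomainTools' tooling: it extracts Cloudflare Turnstile sitekeys from captured page HTML (both the declarative `data-sitekey` attribute and the programmatic `turnstile.render({ sitekey: ... })` form) and clusters hosts that share one. The hostnames and sitekey values below are constructed placeholders, not indicators from the report.

```python
import re
from collections import defaultdict

# Turnstile can be embedded declaratively (<div class="cf-turnstile" data-sitekey="...">)
# or programmatically (turnstile.render(el, { sitekey: "..." })); match both forms.
SITEKEY_PATTERNS = [
    re.compile(r'data-sitekey\s*=\s*["\']([0-9A-Za-z_-]+)["\']', re.IGNORECASE),
    re.compile(r'\bsitekey\s*:\s*["\']([0-9A-Za-z_-]+)["\']', re.IGNORECASE),
]

# Constructed page captures keyed by defanged hostname (placeholder sitekeys, not real IoCs).
CAPTURES = {
    "login-verify[.]example": '<div class="cf-turnstile" data-sitekey="0x4AAAAAAA_PLACEHOLDER_1"></div>',
    "m365-secure[.]example": "<script>turnstile.render('#w', { sitekey: '0x4AAAAAAA_PLACEHOLDER_1', theme: 'light' });</script>",
    "unrelated-shop[.]example": '<div class="cf-turnstile" data-sitekey="0x4AAAAAAA_PLACEHOLDER_2"></div>',
    "no-widget[.]example": "<html><body>Hello</body></html>",
}


def extract_sitekeys(html: str) -> set[str]:
    """Return every Turnstile sitekey found in one page capture."""
    keys: set[str] = set()
    for pattern in SITEKEY_PATTERNS:
        keys.update(pattern.findall(html))
    return keys


def cluster_by_sitekey(captures: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by the sitekey they embed; hosts without a widget are dropped."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for host, html in captures.items():
        for key in extract_sitekeys(html):
            clusters[key].append(host)
    return {key: sorted(hosts) for key, hosts in clusters.items()}


def shared_sitekeys(captures: dict[str, str]) -> dict[str, list[str]]:
    """Only the sitekeys seen on more than one host: the pivot worth investigating."""
    return {k: v for k, v in cluster_by_sitekey(captures).items() if len(v) > 1}


if __name__ == "__main__":
    for key, hosts in shared_sitekeys(CAPTURES).items():
        print(f"{key}: {', '.join(hosts)}")
```

A shared sitekey is a clustering lead, not proof of common ownership: a legitimate site whose kit was copied wholesale can carry the same key, so confirm with registration and hosting data before blocking.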
Jan 1, 2026
Researchers discover exposed Roundish exploitation server
In January 2026, researchers found an open directory on 203.161.50[.]145:8889 containing a full Roundcube exploitation toolkit, operator artifacts, a Flask-based C2, a CSS-injection side-channel server, and a Go-based Linux implant. The server also contained exfiltrated data from blog.pentagonteam[.]com, including source code and secrets.
Dec 31, 2025
APT28-linked Roundish toolkit targets Ukraine's State Migration Service
The Roundish toolkit was used against mail.dmsu.gov.ua, the webmail system of Ukraine's State Migration Service, to steal credentials, exfiltrate mail and contacts, extract 2FA secrets, and establish persistence through Sieve mail-forwarding rules. Researchers assessed the activity with medium-high confidence as aligned with APT28 based on overlaps with Operation RoundPress.
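Persistence through Sieve forwarding rules is easy to miss in a webmail compromise because the rule keeps working after the password is reset. As an added example (not part of the Hunt.io report or the Roundish toolkit), the audit below scans a Sieve script for `redirect` actions, flags targets outside the organization's own domains, and notes the `:copy` flag, which keeps the original message in the mailbox so the victim sees nothing missing. The script text, addresses, and the `corp.example` internal domain are constructed.

```python
import re
from dataclasses import dataclass

# Matches a Sieve 'redirect' action, capturing any flags (e.g. ':copy') and the quoted target address.
REDIRECT_RE = re.compile(r'\bredirect\b([^;]*?)"([^"]+@[^"]+)"', re.IGNORECASE)

# Constructed Sieve script mixing a legitimate rule with the kind of forwarding rule
# used for persistence; no real artifact from the Roundish server is reproduced here.
SAMPLE_SIEVE = (
    'require ["fileinto", "copy"];\n'
    '# legitimate filing rule\n'
    'if header :contains "subject" "newsletter" { fileinto "Lists"; }\n'
    '# redirect "old@example.net"; (commented out, must not be flagged)\n'
    'redirect :copy "collector@example.net";\n'
    'if header :contains "from" "hr@corp.example" { redirect "archive@corp.example"; stop; }\n'
)

INTERNAL_DOMAINS = {"corp.example"}


@dataclass
class Finding:
    line: int          # 1-based line in the script
    target: str        # address the mail is forwarded to
    external: bool     # target domain is not one of ours
    silent_copy: bool  # ':copy' keeps the original, hiding the forward from the user


def audit_sieve(script: str, internal_domains: set[str]) -> list[Finding]:
    """Return one Finding per redirect action, in script order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        # Drop '#' line comments so a commented-out redirect is ignored
        # (naive: a '#' inside a quoted string would also be cut; good enough for an audit pass).
        code = line.split("#", 1)[0]
        for match in REDIRECT_RE.finditer(code):
            flags, target = match.group(1), match.group(2)
            domain = target.rsplit("@", 1)[1].lower()
            findings.append(Finding(lineno, target, domain not in internal_domains, ":copy" in flags.lower()))
    return findings


def external_redirects(script: str, internal_domains: set[str]) -> list[Finding]:
    """The subset that forwards mail off-domain: these are the ones to review or remove."""
    return [f for f in audit_sieve(script, internal_domains) if f.external]


if __name__ == "__main__":
    for f in external_redirects(SAMPLE_SIEVE, INTERNAL_DOMAINS):
        print(f"line {f.line}: forwards to {f.target}" + (" (silent :copy)" if f.silent_copy else ""))
```

Run the audit over every user's active Sieve script (and any inactive scripts left on the server) as part of post-incident cleanup, alongside checking for forwarding configured through the webmail UI itself.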
Mar 10, 2025
BlackSanta campaign begins targeting HR recruitment workflows
Aryaka Threat Labs reported that the BlackSanta campaign has been active for about a year, using resume-themed ISO files in recruiting channels to deliver malware. The intrusion chain culminates in a BYOVD-based payload that disables AV/EDR, Microsoft Defender protections, and system logging to support stealthy theft.
Jan 1, 2022
DarkCloud infostealer begins circulating on Telegram and public storefronts
Flashpoint reported that the low-cost DarkCloud infostealer has been circulating since 2022, sold for about $30 through Telegram and public storefronts. The malware steals browser credentials, cookies, financial data, and email-application details, lowering the barrier for credential theft.
Related Stories

Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials
Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed-voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands like **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other items in the same set of reporting cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity.
1 month ago
Credential Theft and Identity-Based Intrusions Surge Across Enterprises
**Credential compromise** and identity abuse are increasing as attackers rely more on stolen logins, session artifacts, and phishing rather than noisy exploitation alone. Recorded Future reported a sharp rise in exposed credentials during 2025, including nearly **2 billion** credentials indexed from malware combo lists, with the second half of the year up **50%** over the first and Q4 up **90%** over Q1. The trend is being driven by the industrialization of **infostealer malware**, malware-as-a-service ecosystems, and AI-enabled phishing and social engineering, while weak identity governance continues to expand the attack surface. A separate survey of UK organizations found **77%** fail to promptly disable former employees' accounts, **34%** grant overly broad access, and many still use manual processes such as spreadsheets for account validation, creating persistent opportunities for unauthorized access. A targeted phishing attempt against **Outpost24** illustrates how these identity-focused attacks are being operationalized against even security vendors. Attackers used a convincing fake JP Morgan email, valid **DKIM** authentication via Amazon SES infrastructure, and a **seven-stage redirect chain** leveraging trusted brands including Cisco to steer a C-suite executive toward a Microsoft Office credential-harvesting page while evading email defenses. The broader threat environment shows the same shift toward access abuse and stealthier post-compromise tradecraft: Google Threat Intelligence Group found ransomware actors increasingly favor native Windows tools over **Cobalt Strike**, with data theft present in **77%** of incidents and exploitation of VPNs and firewalls still common for initial access. Together, the reporting shows attackers are increasingly **logging in rather than breaking in**, then using legitimate access and built-in tools to deepen compromise and extort victims.
1 week ago
Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services
Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users. Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages, enabling credential theft and potential ransomware follow-on.
Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading. These are separate threats, but they reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
1 month ago