Monday, May 12, 2025
New Phishing Framework Attack Multiple Brands Login Pages To Steal Credentials
Researchers at CloudSEK have identified a phishing technique that abuses workers.dev, the free subdomain Cloudflare assigns to Workers deployments, to run credential-theft campaigns.

The kit consists of a single generic phishing page that can impersonate any brand, with a few technical tricks intended to deceive users and evade detection.

The page, hosted at “workers-playground-broken-king-d18b.supermissions.workers.dev,” is built to harvest credentials.


The attackers customize the generic page per target with a simple trick: the victim’s email address is appended to the URL after a “#” symbol. The page’s JavaScript reads that fragment, takes the domain part of the address, and restyles itself as that organization’s login portal. For instance, adding “#ahshs@google.com” to the URL turns the page into a fake Google sign-in form.

Because a URL fragment is never transmitted to the web server, the same bare URL can be mailed to victims at any number of organizations without the hosting side ever seeing which brand is being impersonated; the full link, fragment included, is visible only in the phishing email itself and to the victim’s browser.

To fake the branding, the page calls Thum.io, a free website screenshot service, to fetch a screenshot of the targeted organization’s real domain (e.g., google.com).

[Figure: the generic-looking phishing page used to steal credentials]

That screenshot becomes the background of the phishing site, so the login form appears to sit on top of the brand’s genuine page.

Credential Exfiltration

When a victim submits credentials on the phishing page, the captured data is sent to a remote endpoint at “hxxps://kagn[.]org/zebra/nmili-wabmall.php.”

[Figure: credential exfiltration from the impersonated page to a server controlled by the scammers]

The phishing page’s Document Object Model (DOM) is generated by an obfuscated JavaScript file (myscr939830.js), which is meant to hinder automated scam-detection engines that inspect the page’s HTML.

The obfuscation is unsophisticated and researchers deobfuscated it easily, but it is enough to defeat simple signature matching against the raw page source.

Once deobfuscated, the source showed how the page assembles its brand-specific interface from free services: Google’s favicon fetcher supplies the target’s icon and Thum.io supplies the screenshot used as the background.

The page also tries to stop visitors from viewing its source: JavaScript handlers suppress the browser’s view-source and developer-tools controls, a common trick meant to frustrate casual inspection by users and security teams.

This only affects an interactive browser session. Fetching the page with a command-line client or through an intercepting proxy, or loading it with JavaScript disabled, returns the full HTML and script for analysis.

Broader Use of Phishing Tactics

Analysis of the JavaScript file (myscr939830.js) showed that the same script is also used by other phishing campaigns hosted on Cloudflare’s r2.dev, the public-bucket domain of Cloudflare’s R2 object storage.

Researchers cited a further URL in which the same script underpins another phishing page.

The obfuscated script was also being distributed via web3.storage, a free IPFS-based storage service, indicating that the attackers rely on decentralized hosting, which is harder to take down than a single hosting account.

The credentials harvested by these phishing sites are sent to the domain “kagn[.]org,” which has been linked to the threat actor.

The domain, which was registered about six years ago and runs WordPress, appears to have been compromised or backdoored by the attacker: its “/zebra/nmili-wabmall.php” endpoint is actively receiving stolen credentials for this campaign. An aged, legitimately registered domain also lends the exfiltration traffic a better reputation than a freshly registered one would.

To counter this kind of phishing, CloudSEK advises organizations to train employees to recognize and report phishing attempts, and to run phishing simulations regularly to test awareness and response.

Organizations should also run direct-to-customer (D2C) awareness campaigns urging customers to check a page’s address before entering credentials.

Because the kit can wear any brand’s look, awareness alone is a thin defence. Phishing-resistant MFA (FIDO2/WebAuthn), which binds the login to the genuine site’s origin, stops a password captured on a workers.dev page from being replayed, and alerting on corporate traffic to workers.dev, r2.dev and the known exfiltration domain gives the SOC a concrete detection.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware and vulnerabilities.