New Phishing Framework Attacks Multiple Brands' Login Pages to Steal Credentials

Researchers have identified a sophisticated phishing tactic leveraging Cloudflare’s workers.dev, a free domain name service, to execute credential theft campaigns.

The modus operandi involves a generic phishing page that can impersonate any brand, with significant technical ingenuity aimed at deceiving unsuspecting users and evading detection.

The phishing page, hosted on the URL “workers-playground-broken-king-d18b.supermissions.workers.dev,” is designed to harvest credentials from victims.

The attackers employ a clever customization technique to make the generic phishing page appear as if it belongs to a specific brand.

By appending an employee’s email address to the URL, separated by a “#” symbol, the page dynamically takes on the appearance of a targeted brand’s login portal.

For instance, adding “#ahshs@google.com” to the URL transforms the page into a fake Google login interface.

The phishing page uses the free screenshot generation service, Thum.io, to fetch an image of the legitimate organization’s domain (e.g., google.com).

Figure: A generic-looking phishing page to steal credentials

This image is then used as the background for the phishing site to enhance its authenticity and fool victims into believing they are on a genuine login page.
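The brand-selection trick described above (a victim e-mail address carried in the URL fragment, with the domain of that address deciding which brand the page imitates) leaves a recognisable shape in the URL itself. The following is an added defensive example, not code from the article or from CloudSEK: it parses candidate URLs, extracts the e-mail from the fragment, derives the impersonated domain, and raises the severity when the page sits on one of the free hosting suffixes the article names. The sample URL list, the regular expression and the severity labels are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Free hosting suffixes the article reports being abused for these pages.
ABUSED_FREE_HOSTS = ("workers.dev", "r2.dev")

# The fragment must look like a single mailbox: local-part@domain.tld
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})$"
)


def on_free_host(host: str) -> bool:
    """True if host is, or is a subdomain of, one of the abused free-hosting suffixes."""
    return any(host == suffix or host.endswith("." + suffix) for suffix in ABUSED_FREE_HOSTS)


def classify_url(url: str) -> Optional[dict]:
    """Flag URLs that carry a victim e-mail in the fragment (the part after '#').

    Returns None when the URL does not match the pattern; otherwise a dict with
    the impersonated domain (derived from the e-mail) and a severity label:
    'high' when the page is also on a free hosting platform, 'medium' otherwise.
    """
    if "://" not in url:
        url = "https://" + url  # assumption: scheme-less input is treated as https
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    match = EMAIL_RE.match(parts.fragment.strip())
    if not match:
        return None
    brand_domain = match.group(1).lower()
    return {
        "host": host,
        "victim_email": parts.fragment.strip(),
        "impersonated_domain": brand_domain,
        "severity": "high" if on_free_host(host) else "medium",
    }


def triage(urls):
    """Run classify_url over a batch, e.g. URLs extracted from an e-mail gateway."""
    return [(u, hit) for u in urls if (hit := classify_url(u))]


# Constructed sample: the first URL is the one quoted in the article, the rest are
# made up for contrast (a plain anchor fragment, an e-mail fragment on an ordinary
# host, and a free-hosted page with no fragment at all).
SAMPLE_URLS = [
    "https://workers-playground-broken-king-d18b.supermissions.workers.dev/#ahshs@google.com",
    "https://example.com/docs#section-2",
    "https://docs.example.net/login#bob@contoso.com",
    "https://pub-1234.r2.dev/index.html",
]

if __name__ == "__main__":
    for url, hit in triage(SAMPLE_URLS):
        print(hit["severity"], url, "->", hit["impersonated_domain"])
```

One caveat worth remembering: the fragment never leaves the browser, so web-proxy and server logs will not contain the e-mail address. This check belongs where the full URL is visible, such as the mail gateway, user-reported messages, or browser-history telemetry from endpoint agents.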

Credential Exfiltration

When victims input their credentials on the phishing page, the stolen data is exfiltrated to a remote endpoint hosted at “hxxps://kagn[.]org/zebra/nmili-wabmall.php.”

Figure: Exfiltration from the impersonated phishing page to a remote server controlled by the scammers

The phishing page’s Document Object Model (DOM) is obfuscated using JavaScript (file: myscr939830.js) to evade scam-detection engines.

Although the obfuscation lacks sophistication and was easily deobfuscated by researchers, the measure effectively deters less advanced detection methods.

Once deobfuscated, the source code revealed how the page dynamically generates backgrounds using free services like Google’s favicon fetcher and Thum.io to create brand-specific phishing interfaces.

Additionally, the phishing page blocks users from viewing its source code, further complicating detection and analysis efforts.

This is done with JavaScript that blocks the usual ways of opening the page source, a tactic frequently used to frustrate security teams.

Broader Use of Phishing Tactics

The analysis of the JavaScript file (myscr939830.js) revealed that it is also being used in other phishing campaigns hosted on Cloudflare’s r2.dev platform.

An example URL demonstrated how the same script underpins additional phishing attacks.

Additionally, researchers found that this obfuscated script was being distributed via the free blockchain storage service web3.storage, indicating the attackers’ use of decentralized hosting solutions.

The credentials exfiltrated by these phishing sites are sent to the domain “kagn[.]org,” which has been linked to the threat actor.

This domain, registered six years ago and running WordPress, appears to have been compromised or backdoored by the attacker, as its endpoint “/zebra/nmili-wabmall.php” is actively used for this campaign.
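The exfiltration path described in this section (a credential POST from the free-hosted page to the PHP endpoint on kagn[.]org) is something a SOC can look for in web-proxy logs even without seeing the URL fragment. The script below is an added example and not code from the article or from CloudSEK: it scans a constructed proxy-log excerpt for two things, an exact match on the endpoint the article names, and, as a generalisation of the article's description that is my own assumption, any POST whose Referer is a page on workers.dev or r2.dev but whose destination is a different host. The log format (method, URL, Referer per line) and every log line other than the kagn.org endpoint are constructed.

```python
from urllib.parse import urlsplit

# Exfiltration endpoint named in the article (written there defanged as kagn[.]org).
KNOWN_EXFIL_ENDPOINTS = {("kagn.org", "/zebra/nmili-wabmall.php")}

# Free hosting suffixes the article reports hosting the phishing pages.
FREE_HOSTS = ("workers.dev", "r2.dev")

# Constructed proxy-log excerpt (not real traffic): method, requested URL, Referer.
SAMPLE_LOG = """\
POST https://kagn.org/zebra/nmili-wabmall.php https://workers-playground-broken-king-d18b.supermissions.workers.dev/
POST https://login.example.com/auth https://login.example.com/
POST https://collector.example-cdn.net/submit.php https://pub-1234.r2.dev/login.html
GET https://example.org/ https://some-worker.workers.dev/
"""


def is_free_host(host):
    """True if host is, or is a subdomain of, one of the free-hosting suffixes."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in FREE_HOSTS)


def scan_log(text):
    """Return (line_no, reason, destination_host) for each suspicious request.

    Check 1: the destination is the known exfiltration endpoint.
    Check 2 (assumption generalising the article): a POST whose Referer is a page
    on a free hosting platform and whose destination is a different host, the shape
    a credential form on a throwaway page submitting to an attacker server leaves.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        method, url, referer = fields
        dest, src = urlsplit(url), urlsplit(referer)
        if (dest.hostname, dest.path) in KNOWN_EXFIL_ENDPOINTS:
            findings.append((line_no, "known_exfil_endpoint", dest.hostname))
        elif method == "POST" and is_free_host(src.hostname) and dest.hostname != src.hostname:
            findings.append((line_no, "cross_origin_post_from_free_host", dest.hostname))
    return findings


if __name__ == "__main__":
    for line_no, reason, host in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason} -> {host}")
```

The second check will also catch legitimate forms on free-hosted pages that post elsewhere, so treat it as a triage signal to pair with the known-endpoint match rather than a blocking rule on its own.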

To counter these advanced phishing threats, organizations are advised to educate employees about detecting and reporting phishing attempts.

According to CloudSEK, phishing simulations should be conducted regularly to test employees’ awareness and response capabilities.

Furthermore, organizations should also roll out direct-to-customer (D2C) awareness campaigns, urging customers to stay vigilant against such scams and to verify web pages before entering sensitive information.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
