(pushsecurity.com) Inside the Phishing Panels: How ShinyHunters and BlackFile Operators Leverage Real-Time Vishing and AITM Attacks
-
(pushsecurity.com) Inside the Phishing Panels: How ShinyHunters and BlackFile Operators Leverage Real-Time Vishing and AITM Attacks
In brief - Threat actors ShinyHunters and BlackFile are leveraging phishing panels like Doko’s Panel to conduct real-time vishing and AITM attacks, bypassing MFA and compromising enterprise identity providers (Okta, Microsoft Entra) and cryptocurrency exchanges. These campaigns, active since August 2025, demonstrate the professionalization of vishing-as-a-service and the use of LLM-generated code to lower the barrier for cybercriminals.
Technically - The phishing panels employ manual AITM techniques, using client-side JavaScript (e.g., `client.js`) to establish real-time C2 via Telegram channels. Variants exhibit distinct C2 protocols (e.g., heartbeat/check_redirect), UUID generation methods, and backend endpoints. Four infrastructure clusters were identified, each with unique domain patterns and hosting providers. The panels show LLM artifacts, such as verbose comments and broken function duplication. Detection is hindered by gated landing pages, anti-bot checks, and operator-approval requirements, complicating automated scanning efforts.
Source: https://pushsecurity.com/blog/inside-criminal-phishing-panel/
-
R relay@relay.infosec.exchange shared this topic
