(ctrlaltintel.com) UPMI ULTIMATE: Inside an AI-Developed Adversary-in-the-Middle Phishing-as-a-Service Platform
The new PhaaS platform UPMI ULTIMATE, developed by Team Unlimited, is built on AI-assisted code and delivers complete AiTM phishing chains with MFA bypass via Evilginx. The platform pools telemetry from every licensed operator instance to refine its evasion logic.
In brief - A commercially licensed Phishing-as-a-Service (PhaaS) platform, UPMI ULTIMATE, combines AI-developed code with the Evilginx reverse proxy to execute end-to-end adversary-in-the-middle (AiTM) phishing attacks. The platform aggregates telemetry from all licensed operators to improve evasion, lowering the barrier to running sophisticated phishing campaigns. Six live deployments were identified, and hardcoded credentials and IOCs were recovered.
Technically - UPMI ULTIMATE is a Node.js-based PhaaS (16.3K LOC) supporting direct-to-MX delivery on port 25, Office 365 SMTP relay, and Microsoft Graph API delivery. Features include AES-256-GCM encrypted modules, passive DNS risk scoring (osint-recon.js), forged Exchange headers (X-MS-Exchange-Organization-SCL: -1, the value that marks a message as bypassing spam filtering), and evasion of known scanner IP ranges (Microsoft EOP, Google, Proofpoint). Evilginx phishlets target Microsoft 365, cPanel, and Roundcube. A license server at 104.131.106[.]42:9999 enforces hardware-bound licensing with a Telegram-controlled kill switch. IOCs include 11 IPs, 14 domains, and 2 Telegram bot usernames.
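The forged X-MS-Exchange-Organization-SCL: -1 header is the one piece of the delivery chain a defender can check for directly in mail logs or quarantined .eml files. The following is an added detection example, not code from the ctrlaltintel.com write-up or from UPMI ULTIMATE: it parses a raw RFC 5322 message with the standard library, reads the SCL header, and treats an SCL of -1 as suspicious when the earliest Received hop is not one of the organisation's own MTAs (the hypothetical ORG_NETWORKS range) or when there is no Received chain at all. The sample messages are constructed for illustration.

```python
"""Flag messages carrying a sender-injected X-MS-Exchange-Organization-SCL: -1.

Added example (not from the write-up or the PhaaS kit). Assumptions: the
organisation's MTA egress range is known (ORG_NETWORKS is a hypothetical value)
and the sample messages below are constructed, not captured.
"""
import ipaddress
import re
from email import message_from_string

# Hypothetical: IP range of this organisation's own mail servers.
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

SCL_HEADER = "X-MS-Exchange-Organization-SCL"
# First bracketed IPv4 literal in a Received: header, e.g. "(host [198.51.100.7])".
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg):
    """IPs from Received: headers, earliest hop first.

    MTAs prepend Received: headers, so document order is latest-first and
    must be reversed to recover the path the message actually took.
    """
    ips = []
    for hdr in msg.get_all("Received", []):
        m = _RECEIVED_IP.search(hdr)
        if m:
            ips.append(m.group(1))
    return list(reversed(ips))


def is_org_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_NETWORKS)


def classify(raw):
    """Classify one raw RFC 5322 message. Returns (verdict, details)."""
    msg = message_from_string(raw)
    details = {"scl": msg.get(SCL_HEADER), "hops": received_ips(msg)}
    if details["scl"] is None:
        return "no-scl", details
    try:
        scl_value = int(details["scl"].strip())
    except ValueError:
        return "malformed-scl", details
    if scl_value != -1:
        return "scl-set", details
    hops = details["hops"]
    if not hops or not is_org_ip(hops[0]):
        # SCL -1 (filtering bypass) on a message whose earliest hop is not one
        # of our own MTAs: the header was most likely injected by the sender.
        return "suspicious-scl-bypass", details
    return "internal-scl-bypass", details


# Constructed sample messages (not real captures).
SAMPLE_PHISH = """\
Received: from mail.example.com (mail.example.com [203.0.113.10]) by mx.example.com
Received: from sender.example.net (sender.example.net [198.51.100.7]) by mail.example.com
From: "IT Support" <it-support@example.net>
To: alice@example.com
Subject: Password expiry notice
X-MS-Exchange-Organization-SCL: -1

Your password expires today. Sign in to keep your account.
"""

SAMPLE_INTERNAL = """\
Received: from hub01.example.com (hub01.example.com [203.0.113.21]) by mx.example.com
From: hr@example.com
To: alice@example.com
Subject: Benefits enrolment
X-MS-Exchange-Organization-SCL: -1

Enrolment closes Friday.
"""

SAMPLE_CLEAN = """\
Received: from smtp.example.org (smtp.example.org [192.0.2.5]) by mx.example.com
From: bob@example.org
To: alice@example.com
Subject: Lunch

Noon works.
"""


def scan(messages):
    """Return {name: verdict} for a dict of named raw messages."""
    return {name: classify(raw)[0] for name, raw in messages.items()}


if __name__ == "__main__":
    for name, verdict in scan({"phish": SAMPLE_PHISH,
                               "internal": SAMPLE_INTERNAL,
                               "clean": SAMPLE_CLEAN}).items():
        print(f"{name}: {verdict}")
```

The check is a heuristic: Exchange's header firewall is meant to strip X-MS-Exchange-Organization-* headers from mail arriving over untrusted inbound connectors, so the forged header matters most on the Office 365 SMTP relay and Graph API delivery paths the kit also supports, and on third-party gateways that honour the header. Treat a "suspicious-scl-bypass" verdict as a trigger to inspect the message and its connector, not as proof of compromise.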