Jake | JCyberSec_

9.4K posts

@JCyberSec_

Expert in Credential Phishing and Phishing Kit Research. Working in Cyber Security - Threat Intelligence #Phishing

UK · Joined August 2017
76 Following · 9.7K Followers
Jake | JCyberSec_@JCyberSec_·
This is a much smaller Chinese phishing framework🇨🇳 🪙I bet you won't have heard of it before! 🌐What makes this notable is the targeting of Chinese companies by the framework🔎 🎯This is a Pro only report ✉️Reach out to sales@ if you are not on the pro platform!
urlscan.io@urlscanio

New TI report on urlscan Pro 📷 Flyfish is a lightweight phishing kit built around simple but effective API endpoints. Despite its simplicity, it’s actively used for large-scale victim interaction and data capture. Detection patterns included 📷 urlscan.io/pricing/urlsca…

Jake | JCyberSec_@JCyberSec_·
If you have been tracking phishing kits you will have come across Darcula 🧛 🔢 There are 3 main versions as well as fake shops all linked to this framework. 📚 Read the in-depth analysis on urlscan Pro platform, and the free version is on the blog now.
urlscan.io@urlscanio

New report: Darcula (“Magic Cat”) is one of the most active phishing frameworks we’re tracking. From API-driven infra to socket-based comms and fake shop deployments, this kit continues to evolve rapidly. Breakdown, detections: urlscan.io/blog/2026/05/1… Full report on urlscan Pro

Jake | JCyberSec_@JCyberSec_·
And we are off! The first in the series. ⚠️This one focuses on the newest and most rampant framework we are observing - ⚓Sailers Framework Previously undocumented at this depth 🎯 🔎Pro intel users: pro.urlscan.io/intel/reports/… 🔑Free report: urlscan.io/blog/2026/05/0…
urlscan.io@urlscanio

New urlscan report 🚨 We’re kicking off our Chinese phishing series with a deep dive into the Sailor framework. A modular kit leveraging client-side storage for session tracking and victim management at scale. Detection included 👇 urlscan.io/blog/2026/05/0…

Jake | JCyberSec_ reposted
urlscan.io@urlscanio·
New research drop 🚨 We're diving deep into Chinese-language phishing-as-a-service ecosystems powering large-scale global campaigns. From infrastructure to operations, this series uncovers how these platforms scale and evade detection. Starting May 4th: urlscan.io/blog/2026/04/2…
Jake | JCyberSec_@JCyberSec_·
@eKg_sec @executemalware @urlscanio - Amazing use of the tool to discover and hunt click fix campaigns. Similar hunting tactics as Magecart attacks with malicious injections after compromising a host.
Jake | JCyberSec_@JCyberSec_·
📅Calendly phishing isn't new therefore we cut through the noise resulting in 7 new clearly defined clusters of campaigns 🔎These clusters allow for clean alerting and attribution supporting follow-on investigations.
urlscan.io@urlscanio

New urlscan Pro Threat Intel Report: We uncovered 7 distinct phishing kit clusters hiding behind Calendly-themed lures. Same brand, very different tooling & infrastructure. The report includes hunting queries & technical fingerprints for defenders.

Jake | JCyberSec_ reposted
The OSINT Newsletter@osintnewsletter·
Got a suspicious URL but don't want to click it? 🔒 @urlscanio visits it for you - capturing a screenshot, every domain contacted, every script loaded, and the tech stack behind it. Used by Reuters in a real hacking investigation. Free for basic use: tools.osintnewsletter.com/osint-tools/ur…
The OSINT Newsletter@osintnewsletter

🚨 Launching: The OSINT Tools Library A curated, investigator-first directory of tools used in real cases. → Tools.OSINTNewsletter.com We’re building the largest and best maintained OSINT tools resource and need your help. Reply and tag a tool we should add 👇

Jake | JCyberSec_ reposted
urlscan.io@urlscanio·
Community: We want to ensure our community platform remains viable to operate for us. To that end, some scan results will have promotions (not ads!) for related services injected into screenshot. These not-ads are very subtle and should not interfere with your operations.
Jake | JCyberSec_@JCyberSec_·
JavaScript Proxy frameworks are interesting🖥️ 🔍Have you detected these being used in any campaigns? Investigating these is tricky but the fingerprints caused are simple to track!🎯
urlscan.io@urlscanio

TAs are weaponising client-side proxy frameworks like Ultraviolet & Scramjet to deliver stealthy phishing campaigns that evade traditional detection. Our latest urlscan Pro report covers techniques, artifacts, and detection strategies for this new threat: urlscan.io/pricing/urlsca…

Jake | JCyberSec_@JCyberSec_·
I believe this GitHub is associated with a different threat actor from TA446 🇷🇺 However attribution on the sdji hostname is unknown at this time 🤔
Jake | JCyberSec_@JCyberSec_·
The lmhtvn repo only came online Fri, 20 Mar 2026 21:35:37 +0700. GMT+7 (or UTC+7) is primarily located in Southeast Asia, covering countries like Thailand, Vietnam, Cambodia, Laos, and parts of Indonesia (Western Indonesia Time). This makes sense with the Philippines targeting
Threat Insight@threatinsight·
A submission on @URLScan (urlscan.io/result/019d2c0…) confirmed that the TA446-controlled domain was serving the DarkSword exploit kit, including the initial redirector, exploit loader, RCE, and PAC bypass components. The sandbox escapes were not observed. Related compromised first stage domains also include motorbeylimited[.]com and bridetvstreaming[.]org. Only the activity from March 26 spoofing Atlantic Council has been linked to DarkSword usage; previous TA446 activity shows no indication of exploit use.
Threat Insight@threatinsight·
Proofpoint has directly observed this email activity and attributes the messages to Russian FSB threat actor TA446 with high confidence. We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices. TA446 does not overlap with UNC6353. Further details below in🧵.
Malfors@MalforsHQ

We are observing a targeted campaign delivering DarkSword RCE (GHOSTBLADE) via fake Atlantic Council "discussion invitation" emails. IOCs: siekeltd[.]com escofiringbijou[.]com -- payload & C2
