@Gi7w0rm @UK_Daniel_Card LOL - That has been vibe coded to hell and back!
Nice spot. Interesting open redirects abused but the phishing kit is hilarious.
English
Jake | JCyberSec_
9.4K posts
Jake | JCyberSec_
@JCyberSec_
Expert in Credential Phishing and Phishing Kit Research. Working in Cyber Security - Threat Intelligence #Phishing
UK Katılım Ağustos 2017
76 Takip Edilen9.7K Takipçiler
You must have heard of #Chenlun - A huge Chinese phishing framework 🌐
🔎All our automated detections are now clustered and attributed on @urlscanio Pro
💥Read our new threat intel report into this framework to know how to attribute, defend & mitigate the risk posed by this kit
urlscan.io@urlscanio
New TI report 📷 Chenlun (“Outsider”) is a feature-rich phishing kit using modern web frameworks, verification flows, and anti-bot techniques. A step up in sophistication across Chinese Phishing-as-a-Service ecosystems. Full analysis + detections 📷 urlscan.io/pricing/urlsca…
English
This is a much smaller Chinese phishing framework🇨🇳
🪙I bet you won't have heard of it before!
🌐What makes this notable is the targeting of Chinese companies by the framework🔎
🎯This is a Pro only report
✉️Reach out to sales@ if you are not on the pro platform!
urlscan.io@urlscanio
New TI report on urlscan Pro 📷 Flyfish is a lightweight phishing kit built around simple but effective API endpoints. Despite its simplicity, it’s actively used for large-scale victim interaction and data capture. Detection patterns included 📷 urlscan.io/pricing/urlsca…
English
If you have been tracking phishing kits you will have come across Darcula 🧛
🔢 There are 3 main version as well as fake shops all linked to this framework.
📚 Read the in-depth analysis on urlscan Pro platform, and the free version is on the blog now.
urlscan.io@urlscanio
New report: Darcula (“Magic Cat”) is one of the most active phishing frameworks we’re tracking. From API-driven infra to socket-based comms and fake shop deployments, this kit continues to evolve rapidly. Breakdown, detections: urlscan.io/blog/2026/05/1… Full report on urlscan Pro
English
And we are off! The first in the series.
⚠️This one focuses on the newest and most rampant framework we are observing - ⚓Sailers Framework
Previously undocumented at this depth 🎯
🔎Pro intel users: pro.urlscan.io/intel/reports/…
🔑Free report: urlscan.io/blog/2026/05/0…
urlscan.io@urlscanio
New urlscan report 🚨 We’re kicking off our Chinese phishing series with a deep dive into the Sailor framework. A modular kit leveraging client-side storage for session tracking and victim management at scale. Detection included 👇 urlscan.io/blog/2026/05/0…
English
@pivot_con @JReisdorffer First time attending and running a free workshop - Bring on the Spanish sun ☀️🇪🇸🍻
GIF
English
Countdown is real ⌛️ Next week‼️
#ThreatResearch community gathers in Málaga 🇪🇸
Time to remind our PIVOTcon song: soundcloud.com/argonix/pivotc…
But watch out — it's a banger!
thx: @JReisdorffer
#CTI #ThreatIntel #PIVOTcon26
GIF
English
This is going to be huge 🧨
🔎Myself and the team worked so hard on these. It is going to uncover and expose the true scale of multiple frameworks
Watch this space...
urlscan.io@urlscanio
New research drop 🚨 We're diving deep into Chinese-language phishing-as-a-service ecosystems powering large-scale global campaigns. From infrastructure to operations, this series uncovers how these platforms scale and evade detection. Starting May 4th: urlscan.io/blog/2026/04/2…
English
Jake | JCyberSec_ retweetledi
New research drop 🚨
We're diving deep into Chinese-language phishing-as-a-service ecosystems powering large-scale global campaigns. From infrastructure to operations, this series uncovers how these platforms scale and evade detection. Starting May 4th:
urlscan.io/blog/2026/04/2…
English
@eKg_sec @executemalware @urlscanio - Amazing use of the tool to discover and hunt click fix campaigns. Similar hunting tactics as Magecart attacks with malicious injections after compromising a host.
English
Apparent WordPress compromise of popular restaurant chain #TGIFridays observed with #clickfix infection chain delivering malicious MSI disguised as "Microsoft Endpoint DLP Module"
TGIF? 👾
#malware #clickfix
@executemalware
English
📅Calendly phishing isn't new therefore we cut through the noise resulting in 7 new clearly defined clusters of campaigns
🔎These clusters allow for clean alerting and attribution supporting follow-on investigations.
urlscan.io@urlscanio
New urlscan Pro Threat Intel Report: We uncovered 7 distinct phishing kit clusters hiding behind Calendly-themed lures. Same brand, very different tooling & infrastructure. The report includes hunting queries & technical fingerprints for defenders.
English
@William_Code1 @SushiSwap @MetaMask @dubstard @CryptoPhishing @CryptoScamDB @JAMESWT_MHT @PhishFort @phishunt_io @Sniko_ @nullcookies @Spam404 DNS Error - Could not resolve domain The domain /sushiswanp.com could not be resolved to a valid IPv4/IPv6 address
English
@Glen_recv @SushiSwap @MetaMask @dubstard @CryptoPhishing @CryptoScamDB @JAMESWT_MHT @PhishFort @phishunt_io @Sniko_ @nullcookies @Spam404 DNS Error - Could not resolve domain The domain /sushiswanp.com could not be resolved to a valid IPv4/IPv6 address
English
Jake | JCyberSec_ retweetledi
Got a suspicious URL but don't want to click it? 🔒
@urlscanio visits it for you - capturing a screenshot, every domain contacted, every script loaded, and the tech stack behind it.
Used by Reuters in a real hacking investigation. Free for basic use:
tools.osintnewsletter.com/osint-tools/ur…
The OSINT Newsletter@osintnewsletter
🚨 Launching: The OSINT Tools Library A curated, investigator-first directory of tools used in real cases. → Tools.OSINTNewsletter.com We’re building the largest and best maintained OSINT tools resource and need your help. Reply and tag a tool we should add 👇
English
Jake | JCyberSec_ retweetledi
Community: We want to ensure our community platform remains viable to operate for us. To that end, some scan results will have promotions (not ads!) for related services injected into screenshot. These not-ads are very subtle and should not interfere with your operations.
English
JavaScript Proxy frameworks are interesting🖥️
🔍Have you detected these being used in any campaigns?
Investigating these is tricky but the fingerprints caused are simple to track!🎯
urlscan.io@urlscanio
TAs are weaponising client-side proxy frameworks like Ultraviolet & Scramjet to deliver stealthy phishing campaigns that evade traditional detection. Our latest urlscan Pro report covers techniques, artifacts, and detection strategies for this new threat: urlscan.io/pricing/urlsca…
English
I believe this GitHub is associated with a different threat actor from TA446 🇷🇺
However attribution on the sdji hostname is unknown at this time 🤔
English
The lmhtvn repo only came online Fri, 20 Mar 2026 21:35:37 +0700
GMT+7 (or UTC+7) is primarily located in Southeast Asia, covering countries like Thailand, Vietnam, Cambodia, Laos, and parts of Indonesia (Western Indonesia Time)
This makes sense with the Philippines targeting
English
Another payload site found on @urlscanio
🇰🇷Site appears to be targeting Korean security researchers...
🌐/sdij.org/adminorg/index.html urlscan.io/result/019d28b…
Page states it is a System Security Bug Bounty Program🔑
But there's more ... 🧵
Threat Insight@threatinsight
Proofpoint has directly observed this email activity and attributes the messages to Russian FSB threat actor TA446 with high confidence. We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices. TA446 does not overlap with UNC6353. Further details below in🧵.
English