SheByte PaaS Launches $199 Subscription Service for Cybercriminals

The landscape of cyber threats targeting Canadian financial institutions saw significant shifts after LabHost, a prominent phishing-as-a-service (PhaaS) platform, was shut down.

LabHost, known for its extensive Interac-branded phishing kits, was responsible for around three-fourths of such phishing attempts.

Its sudden closure led to a halving of phishing attacks against Canadian banks in the subsequent three months.

– Advertisement –

However, the expected dramatic drop in phishing activities did not fully materialize.

This resilience was largely due to a new player emerging on the scene SheByte.

Launched officially in mid-June 2024, SheByte rapidly positioned itself as the go-to platform for cybercriminals previously reliant on LabHost.

The service began teasing its features on Telegram in May, and by June, it had already started to make an impact, accounting for 8% of Interac-branded phishing attacks during its limited launch phase.

SheByte’s strategy was unique in its brazen approach to marketing, akin to LabHost’s earlier tactics.

The platform claimed to be operated by a single developer, addressing concerns about operational security that plagued other services post-arrests of key members.

They boasted no data logging and end-to-end encryption of stolen information, aiming to provide a safer harbor for cybercriminals.

Subscription Details and Impact

SheByte offers a premium package for $199 a month, with discounts for longer subscription periods, allowing unlimited phishing attacks using all provided kits.

By March 2025, SheByte had expanded its offerings to include customizable phishing pages targeting not only Canadian banks but also US banks, email providers, telecom companies, toll roads, and crypto services.

The platform’s LiveRAT admin dashboard mirrors LabHost’s successful LabRAT tool, enabling real-time monitoring and manipulation of phishing site visitors.

Despite a dip in activity from July to October 2024, possibly due to reputational attacks from competitors like Frappo, SheByte’s phishing volume began to climb again with the introduction of their new ‘v2’ phishing pages in December.

According to Fortra, these newly customizable kits, fully integrating Interac phishing by early 2025, saw an immediate surge in activity.

Notably, the ‘V2’ versions of SheByte’s Interac kits introduced more dynamic elements, allowing for greater customization and potentially increasing the effectiveness of phishing campaigns.

Technical Indicators

The SheByte platform presents several technical indicators for its phishing content:

• URL Structure: Older kits directed to start.php within the /go/ directory, while the newer V2 kits use a randomized 8-character alphanumeric pattern for landing pages, suggesting manual change capabilities by users.
• File Naming: Similar randomness is observed in file naming conventions, with directories using the same 8-character pattern, while files for receiving data and live RAT operations use 7 or 9 character names.

In conclusion, SheByte has carved out a niche in the PhaaS market, effectively capturing the void left by LabHost and adapting rapidly to the evolving demands of cybercriminals.

While its growth has faced challenges, its strategic moves and unique offerings indicate a durable presence in the Canadian cyber threat landscape.

Indicators of Compromise (IOC)

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!