New SheByte PaaS Offering $199 Subscription for Cyber Criminals

In the wake of LabHost’s shutdown in April 2024, a new player has emerged in the Phishing-as-a-Service (PhaaS) landscape, positioning itself as the heir apparent to the once-dominant platform.

SheByte, which officially branded its services on Telegram in May 2024 before fully launching in mid-June, has quickly carved out a significant portion of the Canadian phishing threat landscape by offering sophisticated phishing infrastructure targeting financial institutions.

SheByte’s business model revolves around a premium $199 monthly subscription package, with discounts available for longer commitments.

Monthly subscriptions offered by SheByte (Source – Fortra)

This subscription grants users unlimited access to static and customizable phishing kits targeting 17 Canadian banks, 4 US-based banks, email providers, telecom companies, and cryptocurrency services.

The service deliberately markets itself as being operated by a single developer—a direct response to concerns raised after individual LabHost developers were compromised by law enforcement.

While the LabHost takedown initially reduced Interac-branded phishing attacks targeting Canadian banks by half, SheByte rapidly filled the void.

Fortra researchers noted that SheByte accounted for 8% of Interac-branded phishing attacks in May 2024, rising to 10% upon full platform release in June, demonstrating its growing influence in the criminal ecosystem.

Fortra analysts identified a significant innovation in February 2025, when SheByte released its “v2” customizable Interac kit for its page builder tool, triggering a measurable surge in Canadian bank phishing activity.

The platform proudly advertises its LiveRAT dashboard, which enables threat actors to monitor phishing visits in real-time, intercept multi-factor authentication codes, and request additional information from victims.

The platform’s anti-detection capabilities present a sophisticated challenge for security professionals. SheByte’s evasion settings allow customers to block specific geographic regions, known VPNs, proxies, and traffic from suspected virtual machines.

For additional protection, the service offers multiple CAPTCHA implementation options to filter out security researchers and automated scanning tools.

Technical Indicators and Evasion Tactics

SheByte phishing kits can be identified through specific technical markers. The now-retired v1 Interac kit utilized a “start.php” file in the “/go/” directory as its landing page.

The newer v2 kits name their PHP files with eight randomized alphanumeric characters. These names stay the same across campaigns, however; the kit does not generate unique names for each phishing instance.

File and directory naming follows similar patterns: directories use eight-character sequences, while form receiver and LiveRAT components use seven- or nine-character names.

These technical fingerprints allow security teams to detect SheByte campaigns, though the service continually evolves its tactics.
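
One way these markers could be applied to proxy or web-gateway logs, as an added example that is not code from Fortra or the original article. It assumes "alphanumeric" means ASCII letters and digits and that a v2 PHP page sits directly inside an eight-character directory; the function names and sample URLs are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Markers taken from the article. Assumption: "alphanumeric" = ASCII letters and digits.
V1_LANDING = re.compile(r"/go/start\.php$")
V2_PAGE = re.compile(r"^[A-Za-z0-9]{8}\.php$")
V2_DIR = re.compile(r"^[A-Za-z0-9]{8}$")

def v1_hits(urls):
    """URLs whose path ends in the retired v1 landing page /go/start.php."""
    return [u for u in urls if V1_LANDING.search(urlsplit(u).path)]

def v2_candidates(urls, min_hosts=2):
    """Map each 8-character PHP filename to the hosts serving it.

    A single match is weak ("settings.php" also fits), so a name is only
    reported when it sits inside an 8-character directory (assumed layout)
    and recurs on at least min_hosts distinct hosts, which is what reuse
    of fixed names across campaigns would look like in URL logs.
    """
    hosts_by_name = defaultdict(set)
    for u in urls:
        parts = urlsplit(u)
        segments = [s for s in parts.path.split("/") if s]
        if len(segments) < 2 or not parts.hostname:
            continue
        leaf, parent = segments[-1], segments[-2]
        if V2_PAGE.match(leaf) and V2_DIR.match(parent):
            hosts_by_name[leaf].add(parts.hostname)
    return {name: sorted(hosts) for name, hosts in hosts_by_name.items()
            if len(hosts) >= min_hosts}

# Constructed sample URLs (not real indicators).
SAMPLE_URLS = [
    "https://bank-login.example/go/start.php",
    "https://secure-a.example/k3Jd82Lm/Qz7pW1xR.php?id=1",
    "https://secure-b.example/k3Jd82Lm/Qz7pW1xR.php",
    "https://intranet.example/accounts/settings.php",
    "https://shop.example/checkout/download.php",
]

if __name__ == "__main__":
    print(v1_hits(SAMPLE_URLS))
    print(v2_candidates(SAMPLE_URLS))
```

Ordinary names such as `accounts/settings.php` fit the eight-character pattern too, so the cross-host recurrence filter, not the regex alone, is what keeps the false-positive rate manageable.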

The LiveRAT capabilities are particularly concerning, as they enable real-time manipulation of the victim experience, allowing attackers to adapt their approach based on victim behavior and potentially circumvent standard security measures.
