Threat Actors Use GenAI to Launch Phishing Attacks Mimicking Government Websites
Threat actors are increasingly leveraging generative AI (GenAI) tools to craft highly convincing phishing websites that impersonate legitimate government portals.
As highlighted by Zscaler ThreatLabz in their recent reports and blogs, the dual nature of GenAI, which boosts productivity for legitimate users while also equipping cybercriminals, has become a critical issue.
These tools, such as DeepSite AI and BlackBox AI, allow attackers to replicate official websites with alarming precision, targeting unsuspecting users for financial gain.
Sophisticated Phishing Campaigns
Two specific campaigns in Brazil, impersonating the State Department of Traffic and the Ministry of Education, exemplify this growing threat, exploiting both technical sophistication and social engineering to deceive victims.
The phishing campaigns analyzed by Zscaler ThreatLabz reveal a meticulous approach by threat actors who use GenAI to clone government websites, like those of Brazil’s State Department of Traffic and Ministry of Education, with near-identical aesthetics.
These fraudulent sites are boosted in search engine results through SEO poisoning techniques, ensuring high visibility to potential victims.

AI-Generated Phishing Pages
Technical analysis of the source code uncovers distinct signatures of AI-generated content, including the use of TailwindCSS for styling and FontAwesome for icons, alongside overly descriptive code comments such as “In a real implementation, this would make an API call.”
These comments, meant to guide developers, are uncommon in traditional phishing kits that prioritize obfuscation.
Additionally, non-functional UI elements on these pages, such as non-clickable buttons or links, contrast with legitimate websites and serve as a telltale sign of AI replication without full interactivity.
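The indicators described above (TailwindCSS and FontAwesome includes, placeholder developer comments, dead buttons and links) can be turned into a simple triage heuristic for suspected phishing pages. The following scorer is an added example, not code from the article or from Zscaler; the weights, the threshold and the sample page are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser

# Indicator patterns drawn from the article's description of the AI-generated pages.
PLACEHOLDER_COMMENT = re.compile(
    r"in a real implementation|this would (?:make|call) an? api|todo:|placeholder",
    re.IGNORECASE,
)
TAILWIND = re.compile(r"tailwindcss", re.IGNORECASE)
FONTAWESOME = re.compile(r"font-?awesome", re.IGNORECASE)

class PageAudit(HTMLParser):
    """Collects AI-generation indicators while parsing raw HTML."""
    def __init__(self):
        super().__init__()
        self.indicators = set()
        self.dead_controls = 0  # buttons/links that do nothing

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ref = a.get("src") or a.get("href") or ""
        if TAILWIND.search(ref):
            self.indicators.add("tailwindcss")
        if FONTAWESOME.search(ref):
            self.indicators.add("fontawesome")
        # A link to "#" or a non-submit button with no on* handler is a dead control.
        if tag == "a" and (a.get("href") or "").strip() in ("", "#"):
            self.dead_controls += 1
        if tag == "button" and (a.get("type") or "button") != "submit" \
                and not any(k.startswith("on") for k in a):
            self.dead_controls += 1

    def handle_comment(self, data):        # HTML comments
        if PLACEHOLDER_COMMENT.search(data):
            self.indicators.add("placeholder_comment")

    def handle_data(self, data):           # also receives inline <script> bodies
        if PLACEHOLDER_COMMENT.search(data):
            self.indicators.add("placeholder_comment")

def score_page(html: str) -> dict:
    """Return indicator list, weighted score and a suspicious flag (threshold assumed)."""
    p = PageAudit()
    p.feed(html)
    p.close()
    if p.dead_controls >= 2:
        p.indicators.add("dead_controls")
    weights = {"placeholder_comment": 3, "dead_controls": 2, "tailwindcss": 1, "fontawesome": 1}
    score = sum(weights[i] for i in p.indicators)
    return {"score": score, "indicators": sorted(p.indicators), "suspicious": score >= 4}

# Constructed sample page showing all four indicators at once.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.tailwindcss.com"></script>
<link rel="stylesheet" href="https://example.invalid/font-awesome/all.min.css">
</head><body>
<a href="#" class="text-blue-600">Consultar</a> <a href="#">Ajuda</a>
<button class="px-4 py-2">Continuar</button>
<script>
function submitForm() {
  // In a real implementation, this would make an API call
}
</script></body></html>"""
```

Framework CDN includes alone are weak evidence (many legitimate sites use them), which is why the placeholder comment and dead controls carry the most weight in this heuristic.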
The phishing pages also employ staged data collection, requesting sensitive information like the Brazilian taxpayer ID (CPF) and residential details in a manner mimicking authentic processes, further enhanced by backend API validation to build trust.
The ultimate goal of these attacks is to extract payments via Pix, Brazil’s instant payment system, under the guise of mandatory fees, with victims unknowingly transferring funds directly to attackers.
These campaigns, while currently extracting modest sums (approximately $16 USD per victim), pose a significant risk of escalation.
The ability to rapidly generate convincing replicas using GenAI tools signals a potential for broader, more damaging attacks targeting sensitive data or larger financial transactions.
According to the report, Zscaler emphasizes the importance of adopting a Zero Trust architecture to mitigate such risks, alongside best practices for identifying phishing indicators.
Their cloud security platform detects related threats under identifiers like HTML.Phish.AIGen, providing multilayered protection against these evolving attacks.
As GenAI continues to lower the barrier for creating sophisticated phishing sites, organizations and individuals must remain vigilant, prioritizing robust security measures to counter this double-edged technological advancement.
Indicators of Compromise (IOCs)