#phishing · 8sync News

Bluekit phishing kit adopts browser-in-the-middle for login theft

Bluekit, a phishing-as-a-service platform first documented in April, has evolved to include browser-in-the-middle (BitM) capabilities using the open-source JavaScript library rrweb. This technique streams the legitimate login page's DOM to victims over WebSocket, allowing attackers to capture credentials and session tokens while bypassing MFA. The platform also features sophisticated anti-analysis defenses including randomized CSS filters, obfuscated JavaScript bundles, custom CAPTCHAs, browser fingerprinting, and WebRTC-based VPN/proxy detection. Nearly 70 new hostnames were identified in the past week, indicating active expansion. Indicators of Bluekit activity include WebSocket connections sending encrypted data on login pages and CSS filter manipulation on top-level HTML elements.

Next-Gen Phishing Tactics Users Aren’t Ready For

Modern phishing attacks have evolved far beyond misspelled domains and fake login pages. Attackers now use ClickFix (tricking users into running malicious terminal commands via fake CAPTCHAs), Browser-in-the-Browser (BitB) attacks that render convincing fake browser windows inside real pages, OAuth consent phishing (ConsentFix) that steals authorization codes without ever asking for a password, device code phishing that abuses legitimate OAuth flows to authorize attacker devices, and fake video conference overlays that prompt malware downloads under the guise of driver updates. Each technique systematically eliminates traditional red flags, weaponizing users' own habits and trusted infrastructure against them. Huntress SAT offers simulated scenarios replicating these exact tactics to build behavioral muscle memory before users encounter the real thing.

The Devil, Eight Million Emails, and a Whole Lot of Milk

A Huntress SOC investigation uncovered a Romanian threat actor who compromised a small client's internet-facing RDWeb terminal server via brute-forced credentials and no MFA. The attacker staged Gammadyne Mailer (a legitimate bulk email tool) with 8.9 million recipient addresses on the compromised desktop, configured to impersonate UK pharmacy chain Boots with a fake customer satisfaction survey. The phishing payload was hosted on a hijacked Bolivian government website (ipelc.gob.bo) to bypass reputation filters. Direct-to-MX delivery via 666 threads meant the victim's IP — not the attacker's — would be blocklisted. Huntress isolated all 25 endpoints mid-send, blocking 29,954 outbound SMTP connections in a 104-second burst. The investigation also revealed the attacker had been operating from at least July 2025, rotating the same Gammadyne project file across multiple compromised terminal servers targeting UK audiences with retail, tax, and crypto-themed lures.

Threat landscape for SMBs in 2026: fake AI tools, phishing and more

Kaspersky's 2026 SMB threat report reveals a nearly fivefold increase in cyberattacks disguising malware as popular AI tools like Claude compared to 2025. Fake messenger apps remain the most common lure with over 414,000 attacks detected in the first four months of 2026. Phishing campaigns increasingly exploit legitimate platforms (OneDrive, Zoom Docs) to bypass email filters. Dark web analysis shows SMBs and mid-sized businesses account for more than half of all initial access listings sold by brokers, with Middle East, Africa, and Latin America seeing significant increases. The report includes a practical cybersecurity action plan covering access controls, employee training, backups, and specialized security solutions.

2026 FIFA World Cup Faces Surge in Cyber Threats

The 2026 FIFA World Cup is facing a broad and persistent wave of cyber threats, including phishing campaigns, ticketing fraud, ransomware, and DDoS attacks targeting stadium operations, transit systems, and hospitality networks. Thousands of fraudulent domains impersonating FIFA services have been identified. Hacktivist and state-aligned actors are also attempting to leverage the tournament's visibility. Security experts recommend establishing behavioral baselines before events, deploying honeypots, pre-event threat hunting, and addressing IT/OT network segmentation gaps and supply chain risks as key defensive measures.

KnowBe4 awarded in the email security industry

KnowBe4 has received Frost & Sullivan's '2026 Global Customer Value Leadership' award in the email security industry. The recognition highlights KnowBe4's unified platform that combines technical email protection with behavioural risk management, AI-driven threat detection with reduced false positives, contextual user nudges for security education, and seamless integration with platforms like Microsoft 365. Frost & Sullivan also noted the company's future plans to expand protection beyond email into collaboration and messaging environments.

“Total access to all your devices.” Sextortion scammers strike again

A line-by-line breakdown of a current sextortion email campaign, explaining the psychological and fake-technical tactics scammers use to extort money. The email claims the sender installed a Trojan, recorded the victim via webcam, and demands $1,490 in Bitcoin within 48 hours. Each claim is debunked: no specific malware, no proof of access, no actual recording. Key red flags include vague technical language, absence of any evidence, artificial urgency, and objection-handling designed to prevent victims from seeking help. Practical advice: never reply, don't pay, change any exposed passwords, enable 2FA, and delete the message.

Kahneman, ‘Where’s Waldo’ and the Nexus pass: A CISO’s mental model for the AI era

Security awareness training as a phishing defense is obsolete in the AI era, where attacks are fluent and surface-level tells no longer exist. Drawing on Kahneman's System 1/2 framework applied at the organizational level, the argument is that companies should stop relying on human vigilance and instead audit their operational 'fast lanes' — processes where trust was granted and friction removed. Using the analogy of trusted-traveler programs like Nexus, the piece advocates for risk-tiered process design: identifying which fast paths were built on outdated assumptions and re-tiering them. It also calls out the trust inversion where employees face constant authentication while suppliers receive long-lived access based on a SOC 2 report, a gap attackers routinely exploit.

Healthtech firm Xolis suffers data breach impacting 1.4 million people

Healthcare technology company Xsolis disclosed a data breach affecting nearly 1.4 million individuals following a targeted phishing attack on January 20, 2026. Attackers gained access to sensitive customer data including names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment details. Xsolis detected the breach two days later, contained it with help from external cybersecurity experts, and reported it to law enforcement. The company has since reset all user passwords, increased system monitoring, accelerated employee security training, and strengthened credential management. Affected individuals are being notified by mail and offered 12 months of identity monitoring and theft restoration services through Kroll.