FlowerStorm PhaaS now uses KrakVM for VM-based JavaScript obfuscation in AiTM credential theft.

Tags: FlowerStorm, KrakVM, PhaaS, Phishing-as-a-Service, Adversary-in-the-Middle, AiTM
In April 2026, the FlowerStorm PhaaS platform was observed using the KrakVM JavaScript obfuscation tool to conduct credential theft. This AiTM (Adversary-in-the-Middle) phishing campaign uses malicious HTML attachments to steal Microsoft 365, Hotmail and GoDaddy credentials, MFA responses and session cookies in real time. It is the first documented instance of KrakVM being deployed for malicious purposes.

Indicators of Compromise

jeny.ggsuitauth.site
5624221719.cfd
zpma.uscourtdocuments.com
zrqdi.dynamicgrowthsystems.de
2008377162.cfd
asphalt9nitroo.my.id
empire.appdocstorage.com
6185945827.sbs
y.k5l1m.cfd
nnqsy.secureenvirotrust.de
don.feiracultural.de
pkxza.ruminatingbrook.de
rexjf.digitaltrustbase.de
6438259665.cfd
7766360391.cfd
04qq.digitalcompetitiveedge.de
valid.seashellshoetreasures.de
5832068083.cyou
brenda.5hawb1t.site
china.bureauofcourts.com
alexperu.courtfilecloud.com
5237741854.cfd
m.chantstraditionnels.de
outrageousorganisation.com.au
7250102277.cfd
woovw.maximizevisibility.de
2067612207.cfd
8103841751.cyou
6837577840.cfd
towbb.digitalproficiency.de
bill.cloudbusinessfiles.com
office.bureaucloudservices.com
oztff.valueguardians.de
ottm.secureuserguard.de
amaxelectronics.co.za
ableg.docufiled.com
lifeofa.k5l1m.cfd
rdaol.dreamsintheframe.de
qmduj.smoothhost.de
1969421924.cyou
1419993777.cyou
5531648314.cfd
tlmsh.germanidentityhub.de
irigc.precisionontheweb.de
pozao.clearconceptsdesign.de
chris1.k5l1m.cfd
chr.authgsyuuite.com
7840190445.cyou
2143835084.cfd
7588085895.cyou
chr.v0k3.space
8191769809.cfd
noanme.courtfilecloud.com
dfjxt.patienceintherain.de
7983520156.cyou
1391604445.cfd
albert.uscourtfilestorage.com
6970793981ad.cyou
bafybeiclfnumyd3aztwl2xjz5o6cfw4fqepqz6a6uow3dig57pf5najq2u.ipfs.w3s.link
uvehh.digitalsuccessframeworks.de
chris.ggsuitauth.site
hbfnq.strongsystems.de
6326889358ghf.cyou
dr.k5l1m.cfd
cfur.invoclegal.com
bombom.courtdocumentshub.com
6264277690.cfd
vvbea.builtinlayers.de
1569742347.cfd
evszs.efficiencyworks.de
7622350912.cfd
muchino.database-server.com
1518076290.cyou
bafybeid6ec6mwvrywozlhpblgzl76qtrcqqx26ryk2cptwtykroufqn4y4.ipfs.w3s.link
2059746795x.diflucan50.store
bafybeias2uivmggzl2gqjipqgcarbgyvakvk6yljxbcv4a3qroxcujzqaq.ipfs.w3s.link
5334635671.cfd
vunbp.scalableplatforms.de
mkreply2024.my.id
unix.wearableartbags.de
sjask.reliablevisibility.de
6182120286.my.id
dpqcm.solidreputation.de
6018258857.cfd
5348785839.cfd
msg.uscourtfiles.com

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediation / Detections

| Technique ID | Technique Name | Tactic | Detection Method | Log Sources |
|---|---|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Initial Access | Alert on inbound emails carrying `.html` or `.htm` attachments whose JavaScript contains the strings `__krak_throw`, `runVM`, or a `bytecode` variable adjacent to a large Base64 blob. These signifiers persist because the campaign uses KrakVM at its default configuration. | Email gateway logs, SEG sandbox detonation output, EDR file-content telemetry |
| T1566.001 | Phishing: Spearphishing Attachment | Initial Access | Threshold-alert on inbound emails with short or empty bodies, subjects matching voicemail / vendor-credit / unpaid-invoice templates, and a single HTML attachment from an external sender. | Email gateway metadata, SEG subject-line analytics |
| T1027 | Obfuscated Files or Information | Defense Evasion | Hunt for HTML files containing JavaScript with a string array of more than 20,000 alternating Base64 / HTML / CSS elements and a rotation-and-shift lookup table: the deobfuscated FlowerStorm `bootstrap.min.js` exhibits a ~26,000-element array of this shape. | Static-analysis sandbox output, EDR file-content telemetry, retro-hunt on email archive |
| T1102 | Web Service: Bidirectional Communication | Command and Control | Detect outbound POSTs to URIs ending in `/next.php` originating from a browser session. FlowerStorm standardises its credential, JWT and MFA-relay channel on this endpoint, distinct from Rockstar2FA's randomised PHP filenames. | Egress proxy / NGFW URL logs, browser network logs, DNS and HTTP metadata |
| T1102 | Web Service | Command and Control | Block and alert on resolutions to the 87 indicators enumerated in the Indicators of Compromise list above; pay particular attention to `k5l1m.cfd` subdomains (single-operator pattern), `ggsuitauth.site` / `authgsyuuite.com` identity-impersonation hostnames, and `ipfs.w3s.link` payload-hosting hostnames. | Recursive DNS logs, secure web gateway, threat-intel feed integrations |
| T1539 | Steal Web Session Cookie | Credential Access | Correlate Microsoft Entra sign-ins on a single account that show successful MFA from one geolocation followed within seconds or minutes by additional sign-ins, token replay, or risky-session signals from a different geolocation or ASN: the classic AiTM cookie-replay pattern. | Microsoft Entra ID sign-in logs, Identity Protection risk events, M365 audit logs |
| T1556.006 | Modify Authentication Process: MFA | Credential Access | Alert on Cloudflare Turnstile CAPTCHA challenges on pages that subsequently prompt for Microsoft 365, Hotmail or GoDaddy credentials. FlowerStorm abuses Turnstile heavily to keep automated scanners away from the credential harvester. | Browser proxy logs, EDR browser telemetry, URL category logs |
| T1041 | Exfiltration Over C2 Channel | Exfiltration | Monitor for browser POSTs containing form fields named `email` and `password`, plus JWT-shaped tokens, to non-Microsoft and non-GoDaddy destinations. Sublime and ANY.RUN both identify `next.php` as the relay handler. | Browser network logs, DLP, secure web gateway |
| T1583.001 | Acquire Infrastructure: Domains | Resource Development | Run periodic DNS retro-hunts for newly registered domains that assemble brand-like names from English business words under the German `.de` TLD, and for numeric-only second-level domains on the `.cfd`, `.cyou`, `.sbs` and `.my.id` TLDs. 56 of the 87 indicators conform to one of these two patterns. | Passive DNS, WhoisXML / DomainTools feeds, newly-registered-domain monitoring |
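
The following script turns three of the table's rows into runnable hunt logic: the KrakVM attachment markers (the T1566.001 and T1027 rows), the `/next.php` relay endpoint (T1102) and the two domain-registration patterns (T1583.001). It is an added example, not code from the page or from any vendor named on it; the sample attachment, the proxy-log line format, the 256-character Base64 floor and the English business-word list are constructed assumptions, and the `.de` heuristic is deliberately loose because the page describes that pattern in prose only.

```python
"""Hunt helpers for the KrakVM attachment markers, the /next.php relay endpoint
and the FlowerStorm domain-naming patterns.

Added example, not code from the page or from any vendor it names. The
attachment, proxy-log format, Base64 length floor and business-word list are
constructed assumptions.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Strings the page attributes to KrakVM at its default configuration.
KRAKVM_MARKERS = ("__krak_throw", "runVM")
# A `bytecode` variable assigned a long Base64 literal (256-char floor is an assumption).
BYTECODE_RE = re.compile(r"\bbytecode\b\s*=\s*[\"']([A-Za-z0-9+/=\s]{256,})[\"']")
# One quoted array element followed by a comma; counting these approximates the
# size of the string array the T1027 row describes (threshold: more than 20,000).
ARRAY_ELEM_RE = re.compile(r"[\"'][^\"']*[\"']\s*,")
STRING_ARRAY_THRESHOLD = 20000


def score_html_attachment(html: str) -> dict:
    """Report which KrakVM / FlowerStorm indicators an HTML attachment exhibits."""
    markers = [m for m in KRAKVM_MARKERS if m in html]
    blob = BYTECODE_RE.search(html)
    blob_ok = False
    if blob:
        try:  # require the literal to actually decode as Base64, not just look like it
            base64.b64decode(re.sub(r"\s", "", blob.group(1)), validate=True)
            blob_ok = True
        except binascii.Error:
            blob_ok = False
    elems = len(ARRAY_ELEM_RE.findall(html))
    return {
        "markers": markers,
        "bytecode_blob": blob_ok,
        "string_array_elements": elems,
        "suspicious": bool(markers) or blob_ok or elems > STRING_ARRAY_THRESHOLD,
    }


def find_next_php_posts(proxy_lines):
    """Return (client_ip, host) for browser POSTs whose URI path ends in /next.php.

    Constructed log format (assumption): '<timestamp> <client_ip> <method> <url> <user_agent>'.
    """
    hits = []
    for line in proxy_lines:
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue
        _ts, client, method, url, user_agent = parts
        if method != "POST" or not user_agent.startswith("Mozilla/"):
            continue  # the T1102 row is about POSTs originating from a browser session
        parsed = urlsplit(url)
        if parsed.path.endswith("/next.php"):
            hits.append((client, parsed.hostname))
    return hits


NUMERIC_SLD_TLDS = (".cfd", ".cyou", ".sbs", ".my.id")
# Constructed word list; extend it from your own newly-registered-domain feed.
BUSINESS_WORDS = ("secure", "digital", "trust", "systems", "growth",
                  "platforms", "reputation", "visibility", "efficiency", "guard")


def classify_domain(fqdn: str):
    """Tag a hostname with one of the two registration patterns from the T1583.001 row."""
    fqdn = fqdn.lower().rstrip(".")
    for tld in NUMERIC_SLD_TLDS:
        if fqdn.endswith(tld):
            sld = fqdn[: -len(tld)].split(".")[-1]
            return "numeric-sld" if sld.isdigit() else None
    if fqdn.endswith(".de"):
        sld = fqdn[:-3].split(".")[-1]
        if any(word in sld for word in BUSINESS_WORDS):
            return "english-words-de"
    return None


# --- constructed samples (not captured from the campaign) --------------------
SAMPLE_HTML = (
    "<html><script>\n"
    'var bytecode = "' + base64.b64encode(b"\x00" * 300).decode() + '";\n'
    "function __krak_throw(e) { throw e; }\n"
    "function runVM(bc) { /* interpreter body elided */ }\n"
    "</script></html>"
)
SAMPLE_BIG_ARRAY = "var a = [" + ",".join('"s%d"' % i for i in range(20050)) + "];"
BENIGN_HTML = "<html><p>Quarterly newsletter</p></html>"
SAMPLE_PROXY = [
    "2026-04-14T09:01:02Z 10.0.0.7 POST https://example.invalid/next.php Mozilla/5.0",
    "2026-04-14T09:01:03Z 10.0.0.7 GET https://example.invalid/logo.png Mozilla/5.0",
    "2026-04-14T09:01:04Z 10.0.0.9 POST https://example.invalid/next.php?x=1 curl/8.0",
]

if __name__ == "__main__":
    print(score_html_attachment(SAMPLE_HTML))
    print(find_next_php_posts(SAMPLE_PROXY))
    for host in ("5624221719.cfd", "nnqsy.secureenvirotrust.de", "y.k5l1m.cfd"):
        print(host, classify_domain(host))
```

The array-element count is a deliberate approximation (it counts every quoted string followed by a comma anywhere in the file), which is adequate for a retro-hunt triage pass but should be paired with sandbox detonation before blocking. The `curl` POST in the sample is skipped on purpose: the page scopes the `/next.php` detection to browser sessions, and non-browser user agents belong to a different hunt.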

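
The T1539 row describes the correlation in prose; the script below implements it over constructed sign-in records. It is an added example, not the page's or Microsoft's code: the record shape is a simplified stand-in for Entra sign-in log fields (timestamp, user, result, MFA satisfied, country, ASN), the ASNs are drawn from the private range, and the ten-minute window is an assumption to tune against your own baseline.

```python
"""Correlate sign-ins for the AiTM cookie-replay pattern: a successful,
MFA-satisfied sign-in followed shortly by another successful sign-in from a
different country or ASN.

Added example, not the page's or Microsoft's code. Record shape, ASNs
(private range) and the default window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (utc timestamp, user principal name, result, mfa satisfied, country, asn) -- constructed
SAMPLE_SIGNINS = [
    ("2026-04-14T09:00:05", "alice@example.com", "success", True, "DE", 64512),
    ("2026-04-14T09:02:40", "alice@example.com", "success", False, "FR", 64513),
    ("2026-04-14T09:00:10", "bob@example.com", "success", True, "DE", 64512),
    ("2026-04-14T13:30:00", "bob@example.com", "success", True, "DE", 64512),
    ("2026-04-14T10:15:00", "carol@example.com", "success", True, "US", 64514),
    ("2026-04-14T10:16:30", "carol@example.com", "success", False, "US", 64514),
    ("2026-04-14T11:00:00", "dave@example.com", "failure", True, "DE", 64512),
    ("2026-04-14T11:01:00", "dave@example.com", "success", False, "FR", 64513),
]


def find_replay_candidates(signins, window=timedelta(minutes=10)):
    """Flag accounts where a successful MFA sign-in is followed, within `window`,
    by another successful sign-in from a different country or ASN."""
    by_user = defaultdict(list)
    for ts, user, result, mfa, country, asn in signins:
        by_user[user].append((datetime.fromisoformat(ts), result, mfa, country, asn))
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, res0, mfa0, c0, a0) in enumerate(events):
            if res0 != "success" or not mfa0:
                continue  # the anchor must be a completed, MFA-satisfied sign-in
            for t1, res1, _mfa1, c1, a1 in events[i + 1:]:
                if t1 - t0 > window:
                    break  # sorted, so every later event is outside the window too
                if res1 == "success" and (c1 != c0 or a1 != a0):
                    alerts.append({
                        "user": user,
                        "mfa_signin": t0.isoformat(),
                        "suspect_signin": t1.isoformat(),
                        "seconds_apart": int((t1 - t0).total_seconds()),
                        "pivot": f"{c0}/AS{a0} -> {c1}/AS{a1}",
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_replay_candidates(SAMPLE_SIGNINS):
        print(alert)
```

Only `alice` fires: `bob` re-authenticates hours later, `carol` stays on the same network, and `dave` never completes the MFA sign-in that the replay would be anchored on. In production, feed the pivot into Identity Protection's risk signals rather than alerting on it alone, because mobile carriers and corporate VPN exits also change ASN within minutes.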
Observed Countries (250)

AD (272)
AE (892)
AF (907)
AG (520)
AI (302)
AL (433)
AM (708)
AO (162)
AQ (816)
AR (81)
AS (804)
AT (496)
AU (161)
AW (681)
AX (9)
AZ (292)
BA (377)
BB (467)
BD (624)
BE (81)
BF (912)
BG (544)
BH (690)
BI (362)
BJ (548)
BL (455)
BM (156)
BN (61)
BO (354)
BQ (512)
BR (721)
BS (178)
BT (141)
BV (337)
BW (343)
BY (977)
BZ (621)
CA (225)
CC (10)
CD (225)
CF (819)
CG (933)
CH (468)
CI (17)
CK (155)
CL (735)
CM (186)
CN (521)
CO (863)
CR (326)
CU (461)
CV (735)
CW (844)
CX (576)
CY (911)
CZ (65)
DE (809)
DJ (515)
DK (998)
DM (469)
DO (455)
DZ (124)
EC (987)
EE (997)
EG (160)
EH (664)
ER (337)
ES (972)
ET (549)
FI (199)
FJ (622)
FK (1)
FM (744)
FO (733)
FR (13)
GA (525)
GB (337)
GD (102)
GE (628)
GF (780)
GG (481)
GH (704)
GI (306)
GL (284)
GM (959)
GN (115)
GP (808)
GQ (673)
GR (166)
GS (541)
GT (490)
GU (487)
GW (671)
GY (752)
HK (35)
HM (930)
HN (592)
HR (587)
HT (799)
HU (540)
ID (447)
IE (196)
IL (147)
IM (233)
IN (765)
IO (735)
IQ (515)
IR (877)
IS (490)
IT (639)
JE (162)
JM (344)
JO (533)
JP (586)
KE (854)
KG (55)
KH (795)
KI (781)
KM (234)
KN (291)
KP (999)
KR (439)
KW (724)
KY (756)
KZ (200)
LA (403)
LB (981)
LC (746)
LI (762)
LK (919)
LR (37)
LS (900)
LT (382)
LU (767)
LV (909)
LY (825)
MA (848)
MC (10)
MD (796)
ME (669)
MF (174)
MG (104)
MH (578)
MK (317)
ML (872)
MM (740)
MN (604)
MO (822)
MP (558)
MQ (223)
MR (167)
MS (48)
MT (80)
MU (908)
MV (734)
MW (750)
MX (628)
MY (893)
MZ (316)
NA (510)
NC (606)
NE (772)
NF (627)
NG (423)
NI (528)
NL (643)
NO (742)
NP (634)
NR (170)
NU (738)
NZ (22)
OM (664)
PA (962)
PE (472)
PF (749)
PG (771)
PH (692)
PK (219)
PL (264)
PM (10)
PN (490)
PR (235)
PS (803)
PT (807)
PW (427)
PY (874)
QA (127)
RE (453)
RO (527)
RS (658)
RU (842)
RW (915)
SA (703)
SB (283)
SC (59)
SD (497)
SE (595)
SG (982)
SH (534)
SI (873)
SJ (235)
SK (841)
SL (793)
SM (292)
SN (823)
SO (940)
SR (799)
SS (869)
ST (347)
SV (660)
SX (538)
SY (683)
SZ (473)
TC (808)
TD (151)
TF (534)
TG (866)
TH (377)
TJ (163)
TK (650)
TL (154)
TM (736)
TN (311)
TO (86)
TR (614)
TT (637)
TV (536)
TW (544)
TZ (28)
UA (819)
UG (216)
UM (515)
US (941)
UY (315)
UZ (399)
VA (319)
VC (319)
VE (816)
VG (591)
VI (778)
VN (267)
VU (110)
WF (660)
WS (517)
XK (746)
YE (917)
YT (752)
ZA (850)
ZM (105)
ZW (941)