
FlowerStorm PhaaS now uses KrakVM for VM-based JavaScript obfuscation in AiTM credential theft.
Remediation, mitigation, notes, history and related intelligence
| Technique ID | Technique Name | Tactic | Detection Method | Log Sources |
|---|---|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Initial Access | Alert on inbound emails carrying .html or .htm attachments whose JavaScript contains the strings `__krak_throw`, `runVM`, or a `bytecode` variable adjacent to a large Base64 blob. These strings survive because the campaign runs KrakVM at its default configuration. | Email gateway logs, SEG sandbox detonation output, EDR file-content telemetry |
| T1566.001 | Phishing: Spearphishing Attachment | Initial Access | Threshold-alert on inbound emails with short or empty bodies, subjects matching voicemail / vendor-credit / unpaid-invoice templates, and a single HTML attachment from an external sender. | Email gateway metadata, SEG subject-line analytics |
| T1027 | Obfuscated Files or Information | Defense Evasion | Hunt for HTML files containing JavaScript with a string array of more than 20,000 alternating Base64 / HTML / CSS elements and a rotation-and-shift lookup table; the deobfuscated FlowerStorm bootstrap.min.js exhibits a ~26,000-element array of this shape. | Static-analysis sandbox output, EDR file-content telemetry, retro-hunt on email archive |
| T1102.002 | Web Service: Bidirectional Communication | Command and Control | Detect outbound POSTs to URIs ending in `/next.php` originating from a browser session. FlowerStorm standardises its credential, JWT and MFA-relay channel on this endpoint, distinct from Rockstar2FA's randomised PHP filenames. | Egress proxy / NGFW URL logs, browser network logs, DNS and HTTP metadata |
| T1102 | Web Service | Command and Control | Block and alert on resolutions to the 87 indicators enumerated below; pay particular attention to k5l1m.cfd subdomains (single-operator pattern), the ggsuitauth.site / authgsyuuite.com identity-impersonation hostnames, and the ipfs.w3s.link payload-hosting hostnames. | Recursive DNS logs, secure web gateway, threat-intel feed integrations |
| T1539 | Steal Web Session Cookie | Credential Access | Correlate Microsoft Entra sign-ins on a single account that show a successful MFA sign-in from one geolocation followed within seconds or minutes by additional sign-ins, token replay, or risky-session signals from a different geolocation or ASN: the classic AiTM cookie-replay pattern. | Microsoft Entra ID sign-in logs, Identity Protection risk events, M365 audit logs |
| T1556.006 | Modify Authentication Process: Multi-Factor Authentication | Credential Access | Alert on Cloudflare Turnstile CAPTCHA challenges on pages that subsequently prompt for Microsoft 365, Hotmail or GoDaddy credentials. FlowerStorm relies heavily on Turnstile to keep automated scanners away from the credential harvester. | Browser proxy logs, EDR browser telemetry, URL category logs |
| T1041 | Exfiltration Over C2 Channel | Exfiltration | Monitor for browser POSTs containing form fields named `email` and `password` together with JWT-shaped tokens, sent to destinations that are neither Microsoft nor GoDaddy. Sublime and ANY.RUN both identify next.php as the relay handler. | Browser network logs, DLP, secure web gateway |
| T1583.001 | Acquire Infrastructure: Domains | Resource Development | Run periodic DNS retro-hunts for newly registered .de domains that assemble German-sounding brand-like names from English business words, and for numeric-only second-level domains on the .cfd, .cyou, .sbs and .my.id TLDs. 56 of the 87 indicators conform to one of these two patterns. | Passive DNS, WhoisXML / DomainTools feeds, newly-registered-domain monitoring |
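The two file-content rules in the table (the KrakVM marker strings and `bytecode` blob, and the >20,000-element string array) can be checked against an extracted attachment body with a short static triage script. The following is an added example written for this page, not tooling from the report or from any of the vendors cited; the 1024-character floor for a "large" Base64 blob is an assumption, and the three sample attachments are constructed, not real campaign files.

```python
"""Static triage of an HTML attachment for the KrakVM / FlowerStorm loader
traits in the table above. Added example, not the report's tooling; thresholds
and the sample attachments below are assumptions / constructed inputs."""
import re

KRAKVM_MARKERS = ("__krak_throw", "runVM")
# `bytecode` assigned a long Base64 literal; 1024 chars is an assumed floor for "large".
BYTECODE_BLOB_RE = re.compile(r'\bbytecode\b\s*[=:]\s*["\']([A-Za-z0-9+/=]{1024,})["\']')
ARRAY_THRESHOLD = 20000  # hunt rule: string arrays with more than 20,000 elements


def largest_string_array(js: str) -> int:
    """Element count of the largest JS array literal made only of string literals.

    A small hand-written scanner rather than a regex, so a 26,000-element array
    is walked once without catastrophic backtracking."""
    best, i, n = 0, 0, len(js)
    while i < n:
        if js[i] != "[":
            i += 1
            continue
        j, count = i + 1, 0
        while True:
            while j < n and js[j] in " \t\r\n":
                j += 1
            if j >= n or js[j] not in "\"'":
                break                          # not a string element: not a pure string array
            quote, k = js[j], j + 1
            while k < n and js[k] != quote:
                k += 2 if js[k] == "\\" else 1  # skip escaped characters
            if k >= n:
                break                          # unterminated literal
            count, j = count + 1, k + 1
            while j < n and js[j] in " \t\r\n":
                j += 1
            if j < n and js[j] == ",":
                j += 1
                continue
            if j < n and js[j] == "]":
                best = max(best, count)
            break
        i = max(i + 1, j)
    return best


def triage_html_attachment(html: str) -> dict:
    """Return the matched traits and a verdict for one attachment body."""
    markers = [m for m in KRAKVM_MARKERS if m in html]
    blob = BYTECODE_BLOB_RE.search(html)
    array_len = largest_string_array(html)
    return {
        "krakvm_markers": markers,
        "bytecode_blob_len": len(blob.group(1)) if blob else 0,
        "largest_string_array": array_len,
        "verdict": "alert" if (markers or blob or array_len > ARRAY_THRESHOLD) else "clean",
    }


# Constructed samples standing in for SEG-extracted attachments (not real campaign files).
SAMPLE_KRAKVM = ('<html><script>var bytecode="' + "QUJD" * 512 + '";'
                 'function __krak_throw(e){throw e}runVM(bytecode);</script></html>')
SAMPLE_ROTATED = ("<script>var a=[" +
                  ",".join('"%s"' % ("Zm9v" if i % 2 else "<div>") for i in range(26000)) +
                  "];</script>")
SAMPLE_BENIGN = '<html><body><script>var items=["a","b","c"];</script></body></html>'

if __name__ == "__main__":
    for name, body in [("krakvm", SAMPLE_KRAKVM), ("rotated", SAMPLE_ROTATED), ("benign", SAMPLE_BENIGN)]:
        print(name, triage_html_attachment(body))
```

Run it over the attachment bodies your SEG or sandbox exports; a "clean" verdict only means none of these three traits matched, so it belongs beside, not instead of, detonation.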
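The three network rules in the table (POSTs to `/next.php`, hosts under the listed indicator domains, and numeric-only second-level domains on the .cfd / .cyou / .sbs / .my.id TLDs) can be applied to egress-proxy records with the following hunt. It is an added example written for this page, not tooling from the report; the proxy log format and the sample lines are constructed, the host list contains only the four suffixes named in the table rather than the full 87-entry indicator list, and the German-language .de naming pattern is not encoded because it has no mechanical definition on the page.

```python
"""Hunt egress-proxy records for the FlowerStorm network traits in the table
above: POSTs to */next.php, hosts under the listed indicator domains, and
numeric-only second-level domains on the TLDs the campaign favours. Added
example, not the report's tooling; the log format and the sample lines are
constructed, and the host list is only the handful named on this page."""
import re
from urllib.parse import urlsplit

# Suffixes named in the table; a real deployment loads the full 87-entry list.
KNOWN_HOST_SUFFIXES = ("k5l1m.cfd", "ggsuitauth.site", "authgsyuuite.com", "ipfs.w3s.link")
NUMERIC_SLD_TLDS = ("cfd", "cyou", "sbs", "my.id")   # longest suffix must win for my.id


def split_registrable(host: str):
    """Return (second-level label, TLD) for hosts on the watched TLDs, else (None, None)."""
    host = host.lower().rstrip(".")
    for tld in sorted(NUMERIC_SLD_TLDS, key=len, reverse=True):
        suffix = "." + tld
        if host.endswith(suffix):
            sld = host[: -len(suffix)].rsplit(".", 1)[-1]
            return sld, tld
    return None, None


def host_matches_ioc(host: str) -> bool:
    """True for an indicator host itself or any subdomain of it (the k5l1m.cfd pattern)."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in KNOWN_HOST_SUFFIXES)


def classify_request(method: str, url: str) -> list:
    """Reasons this request should be alerted on (empty list = nothing matched)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if method.upper() == "POST" and parts.path.endswith("/next.php"):
        reasons.append("POST to /next.php relay endpoint")
    if host_matches_ioc(host):
        reasons.append("host under a known FlowerStorm indicator domain")
    sld, tld = split_registrable(host)
    if sld and sld.isdigit():
        reasons.append("numeric-only second-level domain on ." + tld)
    return reasons


# Constructed proxy lines: <timestamp> <user> <client-ip> <method> <url> <status>
PROXY_LOG = """\
2025-01-14T09:03:12Z alice 10.0.0.5 POST https://login.67842.cfd/next.php 200
2025-01-14T09:03:15Z alice 10.0.0.5 GET https://abc.k5l1m.cfd/ 200
2025-01-14T09:10:00Z bob 10.0.0.6 POST https://login.microsoftonline.com/common/oauth2/v2.0/token 200
2025-01-14T09:12:44Z carol 10.0.0.7 GET https://12345.my.id/index.html 200
2025-01-14T09:15:01Z dave 10.0.0.8 GET https://shop.example.sbs/next.php 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def hunt(log_text: str) -> dict:
    """Map each matching URL to its reasons; benign lines are dropped."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, _, _, method, url, _ = m.groups()
        reasons = classify_request(method, url)
        if reasons:
            hits[url] = reasons
    return hits


if __name__ == "__main__":
    for url, reasons in hunt(PROXY_LOG).items():
        print(url, "->", "; ".join(reasons))
```

The `/next.php` rule is deliberately restricted to POSTs from the proxy's point of view; a GET to the same path on an unrelated host (the last sample line) is not enough on its own, which keeps the rule from firing on every site that happens to use that filename.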
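The T1539 row describes a temporal correlation rather than a string match: an MFA-satisfied sign-in, then another successful sign-in for the same account within minutes from a different ASN or country. The following is an added example of that correlation written for this page, not tooling from the report or from Microsoft; it assumes the sign-in log has been flattened to a comma-separated layout with the fields shown, uses an assumed 15-minute window, and runs over constructed events rather than a real tenant's data.

```python
"""Correlate Microsoft Entra sign-in events for the AiTM cookie-replay pattern
in the table above: an MFA-satisfied success, then another success for the same
account within minutes from a different ASN or country. Added example, not the
report's tooling; the flattened record layout, the 15-minute window and the
sample events are assumptions / constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(minutes=15)   # assumed; tune to the tenant's token lifetimes


def parse_signin(line: str) -> dict:
    """Constructed export layout: time,user,ip,asn,country,mfa_satisfied(1/0),result_code(0 = success)."""
    t, user, ip, asn, country, mfa, result = line.strip().split(",")
    return {
        "time": datetime.fromisoformat(t),
        "user": user, "ip": ip, "asn": asn, "country": country,
        "mfa": mfa == "1", "success": result == "0",
    }


def find_aitm_replays(lines) -> list:
    """Return one alert per (anchor MFA sign-in, suspicious follow-on sign-in) pair."""
    by_user = defaultdict(list)
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            rec = parse_signin(line)
            by_user[rec["user"]].append(rec)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["time"])
        for i, anchor in enumerate(events):
            if not (anchor["success"] and anchor["mfa"]):
                continue                      # only an MFA-satisfied success can anchor a replay
            for follow in events[i + 1:]:
                delta = follow["time"] - anchor["time"]
                if delta > REPLAY_WINDOW:
                    break                     # events are sorted, nothing later can qualify
                moved = follow["asn"] != anchor["asn"] or follow["country"] != anchor["country"]
                if follow["success"] and moved:
                    alerts.append({
                        "user": user,
                        "mfa_from": (anchor["ip"], anchor["asn"], anchor["country"]),
                        "replay_from": (follow["ip"], follow["asn"], follow["country"]),
                        "seconds_after_mfa": int(delta.total_seconds()),
                        "fresh_mfa_on_replay": follow["mfa"],
                    })
    return alerts


SAMPLE_SIGNINS = """\
# constructed events, not a real tenant
2025-01-14T09:02:11,alice@example.com,203.0.113.10,AS64496,DE,1,0
2025-01-14T09:03:40,alice@example.com,198.51.100.7,AS64500,NL,0,0
2025-01-14T09:30:00,alice@example.com,203.0.113.10,AS64496,DE,1,0
2025-01-14T11:00:00,bob@example.com,203.0.113.11,AS64496,DE,1,0
2025-01-14T11:05:00,bob@example.com,203.0.113.11,AS64496,DE,0,0
2025-01-14T11:20:00,bob@example.com,198.51.100.9,AS64500,NL,0,50126
""".splitlines()

if __name__ == "__main__":
    for alert in find_aitm_replays(SAMPLE_SIGNINS):
        print(alert)
```

Only alice's second event is flagged: it succeeded 89 seconds after her MFA sign-in, from a different ASN and country, without a fresh MFA claim. Bob's same-ASN SSO continuation and his later failed attempt from abroad both fall through, which is the behaviour you want before feeding the alert into Identity Protection's risky-session review.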