
Star Blizzard custom-built AiTM phishing kit analysis on account.simpleasip[.]org

Technical Analysis
Happening score: 16
1 unique source, 1 article

Summary


Researchers examined a custom-built Star Blizzard phishing kit on account.simpleasip[.]org, exposing an AiTM flow that relays 2FA and manipulates CAPTCHA and password entry. The findings matter because they reveal how the kit helps operators steal ProtonMail credentials with page-level controls rather than simple spoofing. The analysis also provides concrete artifacts for defenders tracking modified login flows and attacker-controlled credential-processing endpoints.

Related Happenings

UNC6783 BPO compromise campaign targeting downstream companies

Campaign
First: 09.04.2026 00:46 Last: 09.04.2026 00:46 Sources 1

About this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...

Microsoft Entra device code phishing and vishing campaign

Campaign
First: 19.02.2026 14:30 Last: 19.02.2026 14:30 Sources 1

About this happening: A **device code phishing campaign** is targeting **Microsoft 365 identities** through the **OAuth 2.0 device authorization flow**, letting attackers steal valid access tokens afte...

BitB phishing campaign targeting Facebook users

Campaign
First: 12.01.2026 23:05 Last: 12.01.2026 23:05 Sources 1

About this happening: A **six-month** phishing campaign is using **browser-in-the-browser (BitB)** fake login pop-ups to steal **Facebook credentials**, increasing the risk of **account takeover** and...

Sneaky 2FA BitB phishing activity

Malware Activity
First: 18.11.2025 20:31 Last: 18.11.2025 20:31 Sources 1

About this happening: The **Sneaky 2FA** phishing kit has added **Browser-in-the-Browser (BitB)** pop-ups, making **credential theft** and **Microsoft account** takeover easier at scale. Attack chains...

Coldriver intensified high-profile espionage campaign

Campaign
First: 21.10.2025 13:02 Last: 21.10.2025 13:02 Sources 1

How related: A fresh wave of spear-phishing activity linked to the Russia-nexus intrusion set Star Blizzard, also known as ColdRiver or Calisto, has been identified by cybersecurity researchers.

About this happening: **Star Blizzard** (**ColdRiver/Calisto**) continued a **spear-phishing campaign** in **May and June 2025** against **Reporters Without Borders (RSF)** and another organization, us...

Latest development: 03.12.2025 18:45

Star Blizzard, also known as ColdRiver or Calisto, was identified in a fresh spear-phishing wave against Reporters Without Borders (RSF) and another organization. The operators used impersonated trusted contacts, a custom Adversary-in-the-Middle (AiTM) kit on account.simpleasip[.]org, modified ProtonMail interface elements, and attacker-controlled API handling for CAPTCHA and two-factor authentication (2FA) to harvest credentials.

Timeline

  1. 03.12.2025 18:45 · 2 articles

    Custom Star Blizzard AiTM kit targets ProtonMail

    Technical Analysis Update

    Sekoia.io's TDR team documented a custom-built Star Blizzard phishing kit on account.simpleasip[.]org that targeted ProtonMail accounts with an Adversary-in-the-Middle (AiTM) flow, relayed two-factor authentication (2FA), and used injected JavaScript to keep cursor focus on the password field while an attacker-controlled API handled CAPTCHA and credential processing.
