Star Blizzard custom-built AiTM phishing kit analysis on account.simpleasip[.]org
Technical Analysis
Summary
Hide ▲
Show ▼
Researchers examined a custom-built Star Blizzard phishing kit on account.simpleasip[.]org, exposing an AiTM flow that relays 2FA and manipulates CAPTCHA and password entry. The findings matter because they reveal how the kit helps operators steal ProtonMail credentials with page-level controls rather than simple spoofing. The analysis also provides concrete artifacts for defenders tracking modified login flows and attacker-controlled credential-processing endpoints.
Related Happenings
Instagram accounts for Obama White House hit by account takeover attack
Incident
H score40
First: 01.06.2026 20:32
Last: 01.06.2026 20:32
Sources 1
About this happening:
The **Instagram** accounts for the **Obama White House** and the **Chief Master Sergeant of the U.S. Space Force** were briefly **defaced** after attackers abused **Meta’s AI supp...
Instagram accounts for Obama White House hit by account takeover attack
IncidentAbout this happening: The **Instagram** accounts for the **Obama White House** and the **Chief Master Sergeant of the U.S. Space Force** were briefly **defaced** after attackers abused **Meta’s AI supp...
UNC6783 BPO compromise campaign targeting downstream companies
Campaign
H score65
First: 09.04.2026 00:46
Last: 09.04.2026 00:46
Sources 1
About this happening:
**UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
UNC6783 BPO compromise campaign targeting downstream companies
CampaignAbout this happening: **UNC6783** is an active **BPO compromise campaign** targeting **business process outsourcers** and large enterprises to reach downstream environments for **extortion**. The opera...
Microsoft Entra device code phishing and vishing campaign
Campaign
H score40
First: 19.02.2026 14:30
Last: 19.02.2026 14:30
Sources 1
About this happening:
A **device code phishing campaign** is targeting **Microsoft 365 identities** through the **OAuth 2.0 device authorization flow**, letting attackers steal valid access tokens afte...
Microsoft Entra device code phishing and vishing campaign
CampaignAbout this happening: A **device code phishing campaign** is targeting **Microsoft 365 identities** through the **OAuth 2.0 device authorization flow**, letting attackers steal valid access tokens afte...
BitB phishing campaign targeting Facebook users
Campaign
H score38
First: 12.01.2026 23:05
Last: 12.01.2026 23:05
Sources 1
About this happening:
A **six-month** phishing campaign is using **browser-in-the-browser (BitB)** fake login pop-ups to steal **Facebook credentials**, increasing the risk of **account takeover** and...
BitB phishing campaign targeting Facebook users
CampaignAbout this happening: A **six-month** phishing campaign is using **browser-in-the-browser (BitB)** fake login pop-ups to steal **Facebook credentials**, increasing the risk of **account takeover** and...
Sneaky 2FA BitB phishing activity
Malware Activity
H score28
First: 18.11.2025 20:31
Last: 18.11.2025 20:31
Sources 1
About this happening:
The **Sneaky 2FA** phishing kit has added **Browser-in-the-Browser (BitB)** pop-ups, making **credential theft** and **Microsoft account** takeover easier at scale. Attack chains...
Sneaky 2FA BitB phishing activity
Malware ActivityAbout this happening: The **Sneaky 2FA** phishing kit has added **Browser-in-the-Browser (BitB)** pop-ups, making **credential theft** and **Microsoft account** takeover easier at scale. Attack chains...
Timeline
-
03.12.2025 18:45 2 articles · 7mo ago
Custom Star Blizzard AiTM kit targets ProtonMail
Technical Analysis UpdateSekoia.io's TDR team documented a custom-built Star Blizzard phishing kit on account.simpleasip[.]org that targeted ProtonMail accounts with an Adversary-in-the-Middle (AiTM) flow, relayed two-factor authentication (2FA), and used injected JavaScript to keep cursor focus on the password field while an attacker-controlled API handled CAPTCHA and credential processing.
Show sources
- French NGO Reporters Without Borders Targeted by Star Blizzard — www.infosecurity-magazine.com — 03.12.2025 18:45
- French NGO Reporters Without Borders Targeted by Star Blizzard — www.infosecurity-magazine.com — 03.12.2025 18:45