CypherLoc phishing-led browser scareware campaign
Campaign
Summary
Hide ▲
Show ▼
The CypherLoc operation has driven around 2.8 million attacks since the start of 2026, using phishing emails to send users to malicious pages that lock browsers and pressure them into calling a fraudulent support number. The scale and user-facing scam flow raise the risk of panic and possible credential theft.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
QR code phishing surged across email threats in Q1 2026
Target Trend
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
**Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
QR code phishing surged across email threats in Q1 2026
Target TrendAbout this happening: **Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....
FBI-led takedown of W3LL phishing network
Law Enforcement
First: 13.04.2026 13:35
Last: 13.04.2026 13:35
Sources 1
About this happening:
**FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...
FBI-led takedown of W3LL phishing network
Law EnforcementAbout this happening: **FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
OAuth device-code phishing campaign targeting SaaS accounts
CampaignAbout this happening: A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
EvilTokens phishing-as-a-service operation expands device code phishing and BEC
Threat Actor Meta
First: 01.04.2026 22:42
Last: 01.04.2026 22:42
Sources 1
About this happening:
**EvilTokens** has been commercialized on **Telegram** as a continuously developed phishing-as-a-service kit, expanding **device code phishing** and **BEC** capabilities at scale....
EvilTokens phishing-as-a-service operation expands device code phishing and BEC
Threat Actor MetaAbout this happening: **EvilTokens** has been commercialized on **Telegram** as a continuously developed phishing-as-a-service kit, expanding **device code phishing** and **BEC** capabilities at scale....
Timeline
-
20.05.2026 13:00 2 articles · 7d ago
Barracuda warns about CypherLoc browser scareware campaign
Campaign Scope UpdateBarracuda said CypherLoc, a browser-based scareware campaign, had been seen in around 2.8 million attacks since the start of 2026, typically arriving through phishing email links or attachments that send users to malicious pages. The pages use hidden code, URL fragment and cryptographic integrity checks to avoid scanners and sandboxes, then force the browser into full-screen mode, hide controls, display fake warnings and a fraudulent support phone number, and route callers to human operators posing as Microsoft support staff.
Show sources
- Researchers Warn CypherLoc Scareware Has Targeted Millions of Users — www.infosecurity-magazine.com — 20.05.2026 13:00
- Researchers Warn CypherLoc Scareware Has Targeted Millions of Users — www.infosecurity-magazine.com — 20.05.2026 13:00