bitm_phishing_operator_(exploit_forum)

Also known asbitm_phishing_operator_(exploit_forum)

A threat actor observed on the Russian-language cybercrime forum Exploit advertising phishing capabilities rather than a named kit. The advertised capabilities included MFA bypass, live credential validation, and browser-based interception. Supporting reporting links this activity to modern phishing operations using Browser-in-the-Middle (BitM), Adversary-in-the-Middle (AiTM), and reverse-proxy techniques to bypass multi-factor authentication and intercept live sessions. The associated phishing activity targeted Gmail, Facebook, and Microsoft O365 users and reflected a commercialized Phishing-as-a-Service ecosystem. Observed tradecraft included real-time credential validation, session theft and cookie interception, support for multiple 2FA methods, anti-detection and evasion measures, and cloud-native scalable infrastructure including Kubernetes-based deployment. No additional verified aliases or nation-state attribution are provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

flareio blogNews

Dec 18, 2025

Hunting for Live Phishing Infrastructure Based on Cybercrime Intelligence

This threat actor is selling and operating advanced phishing infrastructure and services, focusing on Browser-in-the-Middle (BitM) and Adversary-in-the-Middle (AiTM) techniques. They provide phishing kits and platforms capable of bypassing MFA, intercepting live sessions, and automating account takeover for major SaaS platforms like Gmail, Facebook, and Microsoft O365. Their offerings are cloud-native, Kubernetes-backed, and designed for rapid scaling and resilience, often marketed as Phishing-as-a-Service (PhaaS).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.