BeEF
BeEF (Browser Exploitation Framework) is an open-source browser exploitation and post-exploitation framework used to target web browsers through client-side techniques, including script injection via cross-site scripting and phishing or watering-hole pages. The sources summarized here describe BeEF being loaded via scripts injected into compromised websites, hosted on generic phishing pages, and used alongside other offensive tooling such as Cobalt Strike, Meterpreter, ScanBox, Blue-Lotus, and Viper C2. Reported use cases include malicious JavaScript injected into government websites that redirected visitors to attacker-controlled sites hosting ScanBox and BeEF, phishing infrastructure hosting generic BeEF pages, and attacker-controlled registries containing BeEF as part of a broader toolkit.
The content links BeEF to multiple threat activities. Kaspersky reported that the Chinese-linked espionage group LuckyMouse (also known as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger) compromised a national data center in Central Asia in 2017, injected JavaScript into government websites, and redirected visitors to malicious sites hosting ScanBox and BeEF as part of an intrusion chain that attempted to infect users with the HyperBro RAT. Trend Micro reported that Earth Empusa (also known as Evil Eye and POISON CARP) injected BeEF into copied Uyghur-related news pages and later into phishing pages used against targets in Tibet, Turkey, and Taiwan. Splunk also reported that actors exploiting CVE-2024-4577 against Japanese organizations had access to BeEF hosted in an Alibaba Cloud Container Registry alongside Blue-Lotus and Viper C2.
Observed infrastructure and indicators in the content include the domains isglatam.online and isglatam.tk, which URLscan indicated were hosting generic BeEF phishing sites. High-confidence behaviors directly mentioned in the content are script-based browser targeting, use on phishing and watering-hole pages, and deployment as part of broader intrusion ecosystems rather than as a standalone payload.
Groups observed using it
4 distinct threat actors attributed by public researchers.
All pages were injected with a script to load the cross-site scripting framework BeEF.
"...redirected users to malicious sites hosting exploitation tools such as ScanBox and BEeF (Browser Exploitation Framework)."
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Initial Access
3 techniques
Earth Empusa also employs watering hole attacks to compromise iOS devices. The group injected their malicious scripts on websites that their targets could potentially visit and load the injected script from it.
Out of the last 5 domains that were tied to the IP address, 3 were phishing websites... Two of the domains associated with the 159.65.76.209 IP address were isglatam.online and isglatam.tk. These were both at one point in time phishing websites for isglatam.com.
Earth Empusa also used social engineering lures to trick its targets into visiting the phishing pages.
Execution
2 techniques
Command and Control
1 technique
Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). We observed over 17,000 unique command-and-control (C2) servers during 2022...
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
BeEF is mentioned in the context of a demo related to browser-based attack techniques.
Browser exploitation framework listed among the attacker-accessible tooling hosted in the Alibaba cloud container registry.
BeEF is referenced as the framework used to host phishing sites tied to the investigated infrastructure.
Named offensive security framework mentioned as an honorable mention among detected tools.