Mallory

Phishing Campaigns Using Advanced Kits Targeting Universities and Banks

Tags: phishing kit, phishing threats, phishing pages, phishing, scam emails, credential theft, hybrid fraud, universities, advanced kits, bot filtering, attack vector, banking, evasion techniques, TLS certificates, financial institutions

Updated December 12, 2025 at 09:13 PM | 4 sources


Threat actors have launched a sophisticated phishing campaign targeting U.S. universities by leveraging the open-source Evilginx framework. At least 18 educational institutions have been affected since April 2025, with attackers using personalized emails containing TinyURL links that redirect to dynamically generated phishing pages. These pages closely mimic student single sign-on portals and employ advanced evasion techniques, such as expiring URLs, wildcard TLS certificates, bot filtering, and JavaScript obfuscation, making detection and mitigation increasingly difficult. The campaign demonstrates the growing accessibility of advanced phishing tools, enabling even unskilled actors to bypass multi-factor authentication and compromise sensitive credentials.

Simultaneously, a new phishing kit called Spiderman has emerged on the dark web, targeting customers of major European banks and cryptocurrency platforms. This full-stack kit allows attackers to easily clone login pages for dozens of financial institutions and conduct real-time credential theft across multiple countries. With a large user community and features that facilitate immediate data exfiltration and hybrid fraud operations, Spiderman represents a significant escalation in the scale and efficiency of phishing threats facing the financial sector. Both campaigns highlight the evolving landscape of phishing, where sophisticated toolkits are lowering the barrier to entry for cybercriminals and increasing the risk to organizations worldwide.


Related Stories

Emergence of New Cybercriminal Groups and Tools Targeting European Financial Sector

UK law enforcement is facing increased pressure from the simultaneous rise of young, English-speaking hackers such as those associated with 'Scattered Spider' and the continued threat from organized Russian-speaking ransomware groups. These new threat actors, often motivated by prestige and recruited from online communities, have been implicated in high-profile attacks on UK retailers, resulting in significant financial losses and straining the resources of authorities already challenged by budget constraints and evolving technology. The operational differences between these groups—Scattered Spider's focus on social engineering and the Russian-speaking groups' technical sophistication—are creating a complex threat landscape for the UK. Concurrently, a new phishing kit named 'Spiderman' has emerged, enabling cybercriminals to launch sophisticated phishing campaigns against dozens of European banks and cryptocurrency services. The kit allows attackers to create convincing replicas of legitimate banking and fintech sites, capture credentials and two-factor authentication codes, and even steal cryptocurrency wallet seed phrases. Its modular design and real-time control panel features make it a popular tool among cybercriminals, further complicating the security environment for financial institutions across Europe as they adapt to new e-banking authentication methods.

3 months ago

Phishing Campaigns Targeting US Universities and Higher Education

A coordinated phishing campaign targeted at least 18 American universities over several months used the open-source Evilginx phishing kit to bypass multi-factor authentication (MFA) and compromise student and staff accounts. Attackers employed adversary-in-the-middle (AiTM) tactics, leveraging personalized emails with short-lived TinyURLs that mimicked university single sign-on (SSO) portals. By capturing both credentials and session cookies, the attackers were able to fully take over accounts, despite MFA protections. The campaign demonstrated advanced operational security, including frequent changes to attack links and the use of services like Cloudflare to obscure infrastructure, as detailed in Infoblox's investigation. Separately, Harvard University experienced a breach of its Alumni Affairs and Development office systems, attributed to a successful mobile phishing ("mishing") attack. The attacker gained access to internal systems, which the university subsequently secured. This incident highlights the growing trend of mobile-first phishing strategies that bypass traditional desktop and network defenses, posing significant risks to organizations with distributed workforces and sensitive data. The breach underscores the need for dedicated mobile threat defense solutions, as standard MDM and UEM tools are insufficient against sophisticated mobile phishing attacks.

3 months ago
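
A defender-side illustration of the session-cookie theft described in the story above, added here and not taken from the cited investigation: it scans SSO access logs for a session ID that reappears from a different IP address and a different user agent shortly after login, which is what a replayed AiTM cookie looks like to the identity provider. The JSON field names, the one-hour window and the log lines are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed SSO access-log lines (one JSON event per line); field names are assumptions.
SAMPLE_LOG = """
{"ts":"2025-04-14T09:00:05","user":"student1","session":"s-1001","ip":"198.51.100.7","ua":"Chrome/124 Windows"}
{"ts":"2025-04-14T09:01:10","user":"staff2","session":"s-1002","ip":"192.0.2.20","ua":"Safari/17 macOS"}
{"ts":"2025-04-14T09:03:40","user":"student1","session":"s-1001","ip":"203.0.113.50","ua":"Firefox/125 Linux"}
{"ts":"2025-04-14T09:05:00","user":"staff2","session":"s-1002","ip":"192.0.2.20","ua":"Safari/17 macOS"}
{"ts":"2025-04-14T09:06:30","user":"student3","session":"s-1003","ip":"198.51.100.9","ua":"Chrome/124 Android"}
{"ts":"2025-04-14T09:20:00","user":"student3","session":"s-1003","ip":"192.0.2.77","ua":"Chrome/124 Android"}
"""

def find_replayed_sessions(log_text, window=timedelta(hours=1)):
    """Flag sessions reused from a new IP AND a new user agent within `window` of first use.

    Requiring both to change keeps ordinary roaming (same browser, new network)
    from alerting; a stolen cookie is normally replayed from the attacker's own
    client, so both values differ from the ones seen at login.
    """
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # ISO 8601 strings sort chronologically
    first_seen, alerts = {}, []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        sid = ev["session"]
        if sid not in first_seen:
            # First event for a session is treated as the legitimate login context.
            first_seen[sid] = {"ts": ts, "ip": ev["ip"], "ua": ev["ua"], "alerted": False}
            continue
        origin = first_seen[sid]
        changed = ev["ip"] != origin["ip"] and ev["ua"] != origin["ua"]
        if changed and not origin["alerted"] and ts - origin["ts"] <= window:
            origin["alerted"] = True  # one alert per session
            alerts.append({
                "session": sid,
                "user": ev["user"],
                "login_ip": origin["ip"],
                "new_ip": ev["ip"],
                "seconds_after_login": int((ts - origin["ts"]).total_seconds()),
            })
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

An alert from this check is a reason to revoke the session and force re-authentication, since the account's MFA prompt has already been satisfied for the stolen cookie.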

Sophisticated Phishing Campaigns Leveraging Advanced Kits and Evasion Techniques

Cybercriminals are increasingly utilizing advanced Phishing-as-a-Service (PhaaS) kits to conduct large-scale, targeted phishing campaigns that impersonate trusted brands and institutions. These kits, which have doubled in number over the past year, enable even less-skilled attackers to deploy sophisticated attacks at scale by incorporating features such as URL obfuscation, MFA bypass, CAPTCHA abuse, and the use of malicious QR codes and attachments. Threat analysts have observed a surge in new PhaaS entrants, including Cephas, Whisper 2FA, and GhostFrame, alongside established kits like Tycoon 2FA and Mamba 2FA. Attackers are also leveraging AI, social engineering, and polymorphic techniques to evade detection, making it increasingly difficult for organizations to defend against these threats with static security controls alone. Technical analysis reveals that phishing infrastructure is evolving to include fake verification pages, such as counterfeit Cloudflare Turnstile challenges, which act as intelligent traffic filtering gates. These pages use browser fingerprinting, geolocation, and proxy detection to selectively deliver malicious payloads to high-confidence victims while evading security researchers and automated defenses. The fake verification pages closely mimic legitimate branding and user experience, including fabricated Ray IDs and links to real policy documents, to build trust and bypass scrutiny. Security experts recommend adopting layered defenses, including phishing-resistant MFA, continuous monitoring, and integrated email security, to counter these increasingly sophisticated phishing operations.

2 months ago
