Phishing Campaigns Using Advanced Kits Targeting Universities and Banks
Threat actors have launched a sophisticated phishing campaign targeting U.S. universities by leveraging the open-source Evilginx framework. At least 18 educational institutions have been affected since April 2025, with attackers using personalized emails containing TinyURL links that redirect to dynamically generated phishing pages. These pages closely mimic student single sign-on portals and employ advanced evasion techniques, such as expiring URLs, wildcard TLS certificates, bot filtering, and JavaScript obfuscation, making detection and mitigation increasingly difficult. The campaign demonstrates the growing accessibility of advanced phishing tools, enabling even unskilled actors to bypass multi-factor authentication and compromise sensitive credentials.
Simultaneously, a new phishing kit called Spiderman has emerged on the dark web, targeting customers of major European banks and cryptocurrency platforms. This full-stack kit allows attackers to easily clone login pages for dozens of financial institutions and conduct real-time credential theft across multiple countries. With a large user community and features that facilitate immediate data exfiltration and hybrid fraud operations, Spiderman represents a significant escalation in the scale and efficiency of phishing threats facing the financial sector. Both campaigns highlight the evolving landscape of phishing, where sophisticated toolkits are lowering the barrier to entry for cybercriminals and increasing the risk to organizations worldwide.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers identify broader wave of advanced phishing kits
Researchers disclosed four advanced phishing kits—BlackForce, GhostFrame, InboxPrime AI, and Spiderman—highlighting the growing industrialization of phishing. The report emphasized AI-assisted phishing, MFA bypass, anti-analysis features, and sales through Telegram and Signal as part of a wider trend toward scalable credential theft operations.
Researchers detail Spiderman's scale and operator ecosystem
Further reporting revealed that Spiderman is modular, supports interception of OTP and PhotoTAN codes, and provides a dashboard for real-time monitoring and export of stolen data. Researchers also observed a Signal group with roughly 750 members, indicating broad adoption among threat actors.
Researchers report Spiderman phishing kit targeting European banks
Varonis researchers identified the Spiderman phishing kit as a new phishing-as-a-service offering targeting major European banks and cryptocurrency platforms across at least five countries. The kit supports real-time theft of banking credentials, MFA codes, card data, and crypto wallet seed phrases while using geo-targeting and other evasion features.
Evilginx phishing campaign begins targeting U.S. universities
Threat actors began using the open-source Evilginx framework in April 2025 to target at least 18 U.S. universities and educational entities. The campaign used personalized phishing emails with TinyURL links leading to dynamically generated fake student SSO portals.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
New Advanced Phishing Kits Use AI and MFA Bypass Tactics to Steal Credentials at Scale
thehackernews.com
Open sourceNew Spiderman phishing service targets dozens of European banks
bleepingcomputer.com
Open sourceWarning: Phishing Campaign Leveraging Evilginx Targets U.S. Universities
blog.knowbe4.com
Open sourceSpiderman Phishing Kit Targets European Banks with Real-Time Credential Theft
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Emergence of New Cybercriminal Groups and Tools Targeting European Financial Sector
UK law enforcement is facing increased pressure from the simultaneous rise of young, English-speaking hackers such as those associated with 'Scattered Spider' and the continued threat from organized Russian-speaking ransomware groups. These new threat actors, often motivated by prestige and recruited from online communities, have been implicated in high-profile attacks on UK retailers, resulting in significant financial losses and straining the resources of authorities already challenged by budget constraints and evolving technology. The operational differences between these groups—Scattered Spider's focus on social engineering and the Russian-speaking groups' technical sophistication—are creating a complex threat landscape for the UK. Concurrently, a new phishing kit named 'Spiderman' has emerged, enabling cybercriminals to launch sophisticated phishing campaigns against dozens of European banks and cryptocurrency services. The kit allows attackers to create convincing replicas of legitimate banking and fintech sites, capture credentials and two-factor authentication codes, and even steal cryptocurrency wallet seed phrases. Its modular design and real-time control panel features make it a popular tool among cybercriminals, further complicating the security environment for financial institutions across Europe as they adapt to new e-banking authentication methods.
Mar 21, 2026
Phishing Campaigns Targeting US Universities and Higher Education
A coordinated phishing campaign targeted at least 18 American universities over several months used the open-source Evilginx phishing kit to bypass multi-factor authentication (MFA) and compromise student and staff accounts. Attackers employed adversary-in-the-middle (AiTM) tactics, leveraging personalized emails with short-lived TinyURLs that mimicked university single sign-on (SSO) portals. By capturing both credentials and session cookies, the attackers were able to fully take over accounts, despite MFA protections. The campaign demonstrated advanced operational security, including frequent changes to attack links and the use of services like Cloudflare to obscure infrastructure, as detailed in Infoblox's investigation. Separately, Harvard University experienced a breach of its Alumni Affairs and Development office systems, attributed to a successful mobile phishing ("mishing") attack. The attacker gained access to internal systems, which the university subsequently secured. This incident highlights the growing trend of mobile-first phishing strategies that bypass traditional desktop and network defenses, posing significant risks to organizations with distributed workforces and sensitive data. The breach underscores the need for dedicated mobile threat defense solutions, as standard MDM and UEM tools are insufficient against sophisticated mobile phishing attacks.
Mar 21, 2026
Sophisticated Phishing Campaigns Leveraging Advanced Kits and Evasion Techniques
Cybercriminals are increasingly utilizing advanced Phishing-as-a-Service (PhaaS) kits to conduct large-scale, targeted phishing campaigns that impersonate trusted brands and institutions. These kits, which have doubled in number over the past year, enable even less-skilled attackers to deploy sophisticated attacks at scale by incorporating features such as URL obfuscation, MFA bypass, CAPTCHA abuse, and the use of malicious QR codes and attachments. Threat analysts have observed a surge in new PhaaS entrants, including Cephas, Whisper 2FA, and GhostFrame, alongside established kits like Tycoon 2FA and Mamba 2FA. Attackers are also leveraging AI, social engineering, and polymorphic techniques to evade detection, making it increasingly difficult for organizations to defend against these threats with static security controls alone. Technical analysis reveals that phishing infrastructure is evolving to include fake verification pages, such as counterfeit Cloudflare Turnstile challenges, which act as intelligent traffic filtering gates. These pages use browser fingerprinting, geolocation, and proxy detection to selectively deliver malicious payloads to high-confidence victims while evading security researchers and automated defenses. The fake verification pages closely mimic legitimate branding and user experience, including fabricated Ray IDs and links to real policy documents, to build trust and bypass scrutiny. Security experts recommend adopting layered defenses, including phishing-resistant MFA, continuous monitoring, and integrated email security, to counter these increasingly sophisticated phishing operations.
Mar 21, 2026