A widely active phishing-as-a-service (PhaaS) operation known as FlowerStorm has begun using a browser-based virtual machine to conceal credential theft code, marking what researchers say is an escalation in phishing-kit sophistication that could make attacks harder for traditional email and static-analysis tools to detect.
Researchers at Sublime Security said in April that they identified the campaign, which used KrakVM, an open-source JavaScript virtual machine recently published on GitHub, to obfuscate malicious code delivered via HTML attachments in phishing emails.
The campaign targets credentials and multi-factor authentication (MFA) codes for services including Microsoft 365, Hotmail,...