Warning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation

The Hacker News – Read More

The best GPS trackers for kids in 2025 (recommended by parents)

These GPS trackers can help you manage your child’s whereabouts with real-time location updates and innovative safety features

Latest news – Read More

T-Mobile will give you a free iPhone 17, no trade-in required – here’s how to get one

Bring your number over to T-Mobile and get an iPhone 17 on them. We break down the details.

Latest news – Read More

ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Rockwell, Schneider

Dozens of vulnerabilities have been patched by the industrial giants across their products.

The post ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Rockwell, Schneider appeared first on SecurityWeek.

SecurityWeek – Read More

Phishing Kit Attacks 101: Everything SOC Analysts Should Know 

Phishing used to be easy to spot. Now it looks clean, trusted, and almost perfect. Behind it are phishkits: ready-made attack platforms built to steal credentials, bypass MFA, and hijack live sessions in seconds.

For SOC teams, one click starts the countdown. What looks like a routine alert can already be a live account takeover. 

Here’s how these attacks actually work, and how advanced SOC teams catch them before they spread. 

What Is a Phishing Kit?

A phishing kit, aka phishkit, is a ready-made toolkit that attackers use to launch phishing campaigns fast and at scale. Instead of building fake pages and infrastructure from scratch, they buy or rent a kit and deploy a full attack setup in minutes. 

Most phishkits come with: 

  • Fake login pages for popular services 
  • Reverse proxy scripts to quietly intercept traffic 
  • Built-in MFA bypass 
  • Admin panels for harvesting credentials 
  • Tools to filter out bots and security scanners 

What makes phishkits especially dangerous is how little skill they now require. Even low-experience attackers can run advanced phishing operations using these packaged platforms, because the infrastructure, automation, and data collection are already built in.

Example of a Greatness phishkit attack analyzed in ANY.RUN’s Interactive Sandbox 

Detecting phishkits early comes down to understanding what happens after the click. With an interactive sandbox like ANY.RUN, analysts can safely open suspicious links, interact with phishing pages like a real user, and observe the full execution chain as it unfolds. This makes it possible to expose reverse proxy behavior, MFA capture, and credential theft in real time, often within seconds.

Why Phishkits Are So Dangerous for Businesses 

Phishkits quietly remove the barriers that businesses rely on for protection. By sitting between the employee and the real service, these tools capture logins, MFA codes, and active sessions in real time. The result is immediate, legitimate-looking access to corporate systems. 

Once attackers get inside, the impact spreads fast. A single compromised account can open access to email threads, internal tools, cloud platforms, customer data, and even financial systems. From there, attackers blend in, send messages from trusted inboxes, reset passwords, and move deeper without triggering obvious alarms. 

What makes phishkits especially dangerous is how clean the entry point often looks. There’s no malware dropped right away or a suspicious attachment. Just a normal login that isn’t normal at all. This makes early detection hard and gives attackers valuable time to act before security teams even realize something is wrong. 

For businesses, phishkits often lead to: 

  • Silent data leaks from email, cloud apps, and internal systems 
  • Business disruption caused by locked accounts and broken workflows 
  • Direct financial losses from fraud and unauthorized transactions 
  • Follow-up attacks launched from trusted employee inboxes 
  • Long investigations and recovery efforts that stretch on for weeks 
  • Reputational damage and loss of customer trust 

Key Detection Challenges for SOC Teams 

Challenge | What It Looks Like in Practice | Why It’s a Problem
Clean phishing emails | Messages pass basic filters and look legitimate | No early warning at the email layer
Reverse proxy behavior | Users log in through a live proxy | Logs show a “normal” successful login
Short-lived domains | Phishing domains disappear quickly | Blocklists don’t update in time
Valid credentials & sessions | Attackers use real usernames, passwords, and MFA | No brute-force or obvious abuse signals
No malware at first stage | No attachment, no payload, just a web login | File-based detection is bypassed
Rapid attacker response | Access is used seconds after credentials are stolen | SOC has almost no reaction window
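
The table says the login itself looks normal, so what is left to flag is what happens to the session right after MFA. The script below is an added example, not code from the original post or from ANY.RUN: it runs a simple adversary-in-the-middle detection over a constructed, simplified JSON-lines sign-in log (field names ts, user, event, session_id, ip, asn and rule are assumptions; map them onto your own IdP and mailbox audit logs). It flags a session that is reused from a different ASN within minutes of the MFA sign-in that created it, and an inbox rule that forwards mail outside the user’s domain.

```python
"""Flag adversary-in-the-middle (AiTM) session reuse in identity-provider logs.

Added example, not from the original post. The log schema is a constructed,
simplified JSON-lines format (ts, user, event, session_id, ip, asn, rule);
map the field names onto your own IdP sign-in and mailbox audit logs. ASN is
used as the "network" signal because phishkit infrastructure is rarely inside
the victim's network; swap in GeoIP or device ID if you have them.
"""
import json
from datetime import datetime, timedelta

# Constructed sample. alice completes MFA from the corporate ASN, then her
# session id is used from a different ASN 40 seconds later and an external
# forwarding rule is created. bob is a normal user for contrast.
SAMPLE_LOG = """\
{"ts":"2025-12-10T09:00:00Z","user":"alice@corp.example","event":"SignIn","result":"success","mfa":true,"session_id":"s-1001","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2025-12-10T09:00:40Z","user":"alice@corp.example","event":"MailboxAccess","session_id":"s-1001","ip":"198.51.100.77","asn":"AS64511"}
{"ts":"2025-12-10T09:02:15Z","user":"alice@corp.example","event":"NewInboxRule","session_id":"s-1001","ip":"198.51.100.77","asn":"AS64511","rule":{"forward_to":"drop@mail.example.net"}}
{"ts":"2025-12-10T09:05:00Z","user":"bob@corp.example","event":"SignIn","result":"success","mfa":true,"session_id":"s-2002","ip":"203.0.113.12","asn":"AS64500"}
{"ts":"2025-12-10T09:30:00Z","user":"bob@corp.example","event":"MailboxAccess","session_id":"s-2002","ip":"203.0.113.12","asn":"AS64500"}
"""

# A freshly minted session used from another network inside this window is the
# AiTM signature: the proxy replays the cookie seconds after the victim logged
# in. Tune per environment (VPN flapping, mobile carriers).
REUSE_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse JSON lines and sort by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def detect_aitm(events):
    """Return findings: (1) a session used from a different ASN than the one
    that completed MFA, within REUSE_WINDOW of sign-in; (2) an inbox rule
    forwarding to an address outside the user's own domain."""
    findings = []
    origin = {}            # session_id -> the successful SignIn that created it
    reuse_flagged = set()  # report session reuse once per session
    for e in events:
        if e["event"] == "SignIn" and e.get("result") == "success":
            origin[e["session_id"]] = e
            continue
        src = origin.get(e["session_id"])
        if src is None:
            continue  # session with no observed sign-in: out of scope here
        delta = e["ts"] - src["ts"]
        if (e["asn"] != src["asn"] and delta <= REUSE_WINDOW
                and e["session_id"] not in reuse_flagged):
            reuse_flagged.add(e["session_id"])
            findings.append({"type": "session_reuse_from_new_asn",
                             "user": e["user"], "session_id": e["session_id"],
                             "seconds_after_mfa": int(delta.total_seconds()),
                             "mfa_ip": src["ip"], "reuse_ip": e["ip"]})
        fwd = e.get("rule", {}).get("forward_to", "")
        if (e["event"] == "NewInboxRule" and fwd
                and fwd.split("@")[-1] != e["user"].split("@")[-1]):
            findings.append({"type": "external_forwarding_rule",
                             "user": e["user"], "session_id": e["session_id"],
                             "forward_to": fwd})
    return findings


def compromised_users(findings):
    """Users with at least one finding, for the containment step
    (revoke sessions, reset credentials, remove the rule)."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    for f in detect_aitm(parse_log(SAMPLE_LOG)):
        print(f)
```

Keying on the session identifier rather than the username is what makes this work: the attacker never signs in again, so a rule looking for a second authentication sees nothing, while the replayed session carries the victim’s id to a network the victim never used.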

How SOC Teams Can Detect Phishkit Attacks Faster 

Speed matters with phishkits. The sooner a team can see the full phishing chain in action, the sooner it can contain access, block infrastructure, and stop the same kit from hitting more users. A fast investigation comes from combining interactive sandboxing with real-time threat intelligence.

Step 1: Send suspicious links straight to the sandbox 

Instead of only blocking the URL, run it in an isolated environment to see what actually happens after the click: redirects, proxy behavior, and the final phishing page.

Suspicious link ready for sandbox analysis 

Step 2: Interact with the page like a real user 

Phishkits stay quiet until someone behaves like a victim. Clicking buttons, entering test credentials, and moving through the flow helps trigger session theft, MFA capture, and hidden scripts. 

Step 3: Watch the full chain unfold in real time 

A live sandbox session shows every redirect, outbound connection, script call, and credential capture attempt, not just the final page. 

Full attack chain with EvilProxy and Tycoon 2FA exposed in 40 seconds inside ANY.RUN sandbox 

Step 4: Pull fresh IOCs as the attack runs 

Domains, IPs, URLs, scripts, and proxy infrastructure can be extracted immediately and pushed into blocking rules and hunting queries. 

Relevant IOCs automatically collected in one tab inside ANY.RUN sandbox 

Step 5: Enrich indicators with TI Lookup 

With ANY.RUN TI Lookup, analysts can instantly check whether the same domains, IPs, scripts, or redirect patterns were seen in past phishing or malware campaigns. This helps confirm phishkit families and link related activities. 

Recent Tycoon 2FA analysis sessions found with the help of TI Lookup 

Using indicators from both the sandbox and TI Lookup, teams can quickly: 

  • Identify related infrastructure across past and current cases 
  • Detect active waves using the same phishkit 
  • Validate whether a campaign is isolated or part of a larger operation 

This workflow turns phishing from a slow, reactive task into a fast, repeatable investigation process, with confirmation in minutes. 

Step 6: Track new infrastructure with Threat Intelligence Feeds 

TI Feeds enriched with fresh data from 15,000 SOCs worldwide

ANY.RUN’s Threat Intelligence Feeds deliver fresh, actionable indicators of compromise (IOCs) sourced directly from live attack data across 15,000 SOCs, ensuring your security infrastructure stays ahead of emerging threats.  

With only 1% overlap with other sources, your team gains access to previously undiscovered threat intelligence that competitors miss. Every IOC comes enriched with detailed sandbox reports and contextual metadata, providing the forensic depth needed for rapid incident response and threat hunting. Real-time updates deliver a live view of the threat landscape as attacks unfold, enabling proactive defense before threats reach your perimeter.  

Integration is seamless. TI Feeds connects directly to your existing SIEM, TIP, and SOAR platforms via popular standards (STIX/TAXII) or through dedicated API and SDK, minimizing implementation overhead while maximizing threat coverage across your entire security stack. 

Real Phishkit Examples Analyzed inside the ANY.RUN Sandbox 

The following examples come from real attacks and show how different phishkits operate in live environments: 

TyKit: A Multi-Stage Microsoft 365 Phishkit in Action 

TyKit is a multi-stage phishing kit built to steal Microsoft 365 credentials at scale. It spreads through malicious SVG files that silently redirect victims to fake login pages protected by CAPTCHA and anti-bot checks. Once credentials are entered, they’re sent straight to the attackers through a structured C2 API. 

View analysis session with Tykit 

The kit has been active since at least mid-2025 and has targeted organizations across finance, IT, government, telecom, and professional services worldwide. Its strength is simplicity: clean delivery, fast credential theft, and infrastructure that’s easy to rotate. 

TyKit shows how modern phishkits don’t need malware to succeed, just one clean login flow is enough. 

Tycoon 2FA: A Phishkit Built to Bypass MFA 

Tycoon 2FA is a phishing-as-a-service platform designed to steal Microsoft 365 and Gmail accounts even when MFA is enabled. It works as an adversary-in-the-middle (AiTM) kit, using a reverse proxy to capture credentials, MFA codes, and active session cookies in real time. 

View real attack exposed inside ANY.RUN sandbox 

What sets Tycoon 2FA apart is its constant evasion upgrades. Over time, it has added: 

  • Rotating CAPTCHA systems 
  • Browser and sandbox fingerprinting 
  • Multi-layer obfuscation (Base64, XOR, AES) 
  • Fake 404 pages and legitimacy checks 
  • Long redirect chains to hide the true entry point 

Once access is captured, attackers log in using a fully valid session. From a SOC view, it often looks like a normal user login until damage is already unfolding. 

Mamba2FA: A Persistent Corporate Phishkit 

Mamba2FA is a widely used phishkit built to steal corporate credentials, with repeated campaigns observed against organizations in the finance and manufacturing sectors. Like TyKit and Tycoon, it relies on clean phishing flows, fast infrastructure rotation, and live credential capture to move quickly before defenders can react. 

What makes Mamba2FA especially useful as an example is how clearly it shows the value of tracking phishkits as ongoing campaigns, not one-off incidents. If your organization has already encountered a specific kit, the worst mistake is treating it as “closed.” 

Using ANY.RUN’s Threat Intelligence Lookup, analysts can instantly surface: 

  • New sandbox analyses tied to the same phishkit 
  • Fresh phishing domains and URLs 
  • Recently reused infrastructure and scripts 

To find recent Mamba2FA activity, teams can use a simple query like: 

threatName:"mamba" AND domainName:""

TI Lookup provides a wealth of threat data on phishing kit attacks 

This immediately reveals both new attacks and network indicators observed during live sandbox analysis. 

Instead of chasing isolated alerts, this approach turns phishkits like Mamba2FA into continuously monitored threats, making it much easier to spot repeat campaigns early and shut them down faster. 

Phishkit Evolution: Hybrid Threats 

Phishkits are no longer operating in isolation. One of the most worrying shifts is the rise of hybrid phishing chains, where multiple kits are combined into a single attack. These blended campaigns mix different infrastructures, redirect logic, and credential-theft methods to make detection and attribution far more difficult. 

In recent enterprise-focused attacks, analysts have observed Tycoon 2FA and Salty working together in the same chain. One kit handles the initial lure and proxying, while the other takes over at later stages for credential capture, session hijacking, or follow-up delivery. For SOC teams, this breaks many traditional assumptions about how a “single” phishing campaign should look. 

Check real-world analysis with Tycoon and Salty 

Hybrid attack with Salty and Tycoon detected inside ANY.RUN sandbox in just 35 seconds 

Hybrid chains create several challenges at once: 

  • Indicators belong to different kits, not just one 
  • Redirect paths change mid-attack 
  • Infrastructure overlaps across separate actor groups 
  • Detection rules based on one kit alone often miss the full picture 

This evolution shows where phishing is heading: modular, flexible attack chains built from multiple commercial kits. For defenders, that means investigations must focus on behavior and execution flow, not just kit names or static indicators.

Key Takeaways for SOC Readiness in 2026 

Phishkits now shape how real-world phishing attacks are built, delivered, and scaled against organizations. 

  • Phishing is now a real-time intrusion, not just a user mistake: once a link is clicked, the compromise may already be underway.
  • MFA alone is no longer enough: session hijacking turns traditional MFA into a speed bump, not a barrier.
  • Hybrid phishing chains are becoming common: when multiple kits are combined in one attack, single-family detections fall short.
  • Behavior matters more than static indicators: clean emails, short-lived domains, and valid sessions leave very little to flag at first glance.
  • Speed defines outcome: minutes often decide whether an incident stays contained or escalates.
  • Evasion must be assumed by default: CAPTCHA abuse, fingerprinting, layered redirects, and sandbox checks are now standard tactics.

See It for Yourself 

Phishkits behave very differently from what logs alone can show. A live run-through exposes even the most complex phishing chains, from redirects and proxy logic to live credential theft, and in over 90% of cases it does so within the first 60 seconds of analysis. That speed alone can cut investigation time dramatically and help teams act before access spreads.

Explore interactive phishkit analysis with ANY.RUN 

About ANY.RUN 

ANY.RUN supports more than 15,000 organizations worldwide, including leaders in finance, healthcare, telecom, retail, and tech, helping them strengthen security operations and respond to threats with greater confidence.  

Designed for speed and visibility, the solution blends interactive malware analysis with live threat intelligence, giving SOC teams instant insight into attack behavior and the context needed to act faster.  

By integrating ANY.RUN’s Threat Intelligence suite into your existing workflows, you can accelerate investigations, minimize breach impact, and build lasting resilience against evolving threats. 

Frequently Asked Questions (FAQ) 

How is a phishkit different from regular phishing? 

Traditional phishing often just steals usernames and passwords. Phishkits go much further. They can: 
– Intercept live sessions 
– Bypass MFA in real time 
– Rotate domains automatically 
– Filter out bots and security scanners 
This turns phishing into a full attack platform, not just a fake page. 

Can phishkits bypass MFA? 

Yes. Many modern phishkits use adversary-in-the-middle (AiTM) techniques through reverse proxies. They capture credentials, MFA codes, and session cookies at the same time. Attackers then reuse the stolen session to log in without triggering MFA again. 

Do phishkit attacks use malware? 

Often, no. Many phishkit campaigns start with no malware at all. The compromise happens entirely through web-based credential theft. Malware may appear later for persistence or lateral movement, but the initial access is usually “clean.” 

What are the most common signs of a phishkit attack? 

Early warning signs may include unusual redirect chains before a login page appears, very short-lived phishing domains, CAPTCHA on unexpected login flows, new mailbox forwarding rules, or login activity from unfamiliar locations immediately after authentication. 

Is blocking phishing domains enough to stop phishkits? 

No. Domain blocking alone is not enough because phishing domains rotate quickly, redirect chains change constantly, and infrastructure is reused across campaigns. Behavioral detection and live analysis are now essential. 

Will phishing get worse with phishkits in 2026? 

Yes. Phishkits are becoming more automated, more modular, harder to attribute, and better at evading scanners and sandboxes. Hybrid chains that combine multiple phishkits in one attack are already becoming common. 

What is the best long-term defense against phishkit attacks? 

A strong long-term defense combines phishing-resistant MFA such as FIDO2 or certificate-based authentication, live sandbox analysis, continuous IOC enrichment, threat intelligence feeds, and SOC playbooks built around behavioral detection. Because phishkits evolve constantly, defense must be continuous, not one-time.
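
Why FIDO2 holds up against the reverse-proxy kits described in this post comes down to two binding checks in WebAuthn, and they are easy to see in code. The block below is an added example, not code from the original post or from ANY.RUN: it simulates the browser-side rule (the RP ID must equal the page’s host or be a registrable suffix of it) and the relying-party checks (clientDataJSON.origin must be an expected origin, and authenticatorData.rpIdHash must equal SHA-256 of the RP ID). The RP ID corp.example, the origins, and the simplified authenticatorData layout are assumptions; signature verification over authenticatorData and the clientDataJSON hash is assumed to run after these checks and is not shown.

```python
"""Why FIDO2/WebAuthn resists AiTM proxies: origin and RP ID binding.

Added example, not from the original post. It reproduces the two binding
checks from WebAuthn: the browser only allows an RP ID that is the page's
host or a registrable suffix of it, and the relying party requires
clientDataJSON.origin to be an expected origin and rpIdHash to equal
SHA-256(rpId). The RP ID, origins and the simplified authenticatorData
(rpIdHash || flags || signCount) are assumptions. Signature verification is
assumed to follow these checks and is not shown.
"""
import base64
import hashlib
import json

RP_ID = "corp.example"                              # assumed RP ID
EXPECTED_ORIGINS = {"https://login.corp.example"}   # assumed RP origins
CHALLENGE = base64.urlsafe_b64encode(b"\x11" * 32).rstrip(b"=").decode()


def browser_allows_rp_id(page_origin, rp_id):
    """Client-side rule: rp_id must equal the origin's host or be a
    registrable suffix of it. A lookalike host never qualifies."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_get_assertion(page_origin, rp_id, challenge):
    """Simulates browser + authenticator. The browser, not the web page,
    writes the origin into clientDataJSON, so a proxy cannot forge it."""
    if not browser_allows_rp_id(page_origin, rp_id):
        return None  # a real browser raises SecurityError here
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
                 + b"\x01"                                # flags: UP
                 + b"\x00\x00\x00\x05")                   # signCount
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def rp_verify(assertion, challenge):
    """Relying-party checks that make a relayed assertion useless."""
    if assertion is None:
        return False, "no assertion produced"
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in EXPECTED_ORIGINS:
        return False, "origin not allowed: " + str(cd.get("origin"))
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if assertion["authenticatorData"][:32] != expected_hash:
        return False, "rpIdHash mismatch"
    return True, "ok"


def legit_flow():
    a = authenticator_get_assertion("https://login.corp.example", RP_ID, CHALLENGE)
    return rp_verify(a, CHALLENGE)


def aitm_relay_flow():
    """Kit relays the real RP's options (rpId=corp.example) unchanged to the
    victim, who is on the phishing origin: the browser refuses."""
    a = authenticator_get_assertion("https://login-corp-example.evil.test",
                                    RP_ID, CHALLENGE)
    return rp_verify(a, CHALLENGE)


def aitm_rewritten_rpid_flow():
    """Kit rewrites rpId to its own domain so the browser cooperates; the RP
    then sees a foreign origin (and a wrong rpIdHash)."""
    a = authenticator_get_assertion("https://login-corp-example.evil.test",
                                    "evil.test", CHALLENGE)
    return rp_verify(a, CHALLENGE)


if __name__ == "__main__":
    print("legit:", legit_flow())
    print("relay:", aitm_relay_flow())
    print("rewritten rpId:", aitm_rewritten_rpid_flow())
```

Contrast this with a TOTP or push code, which carries no notion of where it was typed: the proxy forwards it and the service cannot tell. With WebAuthn the origin is stamped by the browser and the RP ID hash by the authenticator, and the proxy can alter neither without the relying party noticing.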

The post Phishing Kit Attacks 101: Everything SOC Analysts Should Know appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Reinventing your career for the AI age? Your technical skill isn’t your most valuable asset

The future of work isn’t just about exploiting AI. Successful professionals will focus on honing these capabilities.

Latest news – Read More

Intel, AMD Processors Affected by PCIe Vulnerabilities

The PCIe flaws, found by Intel employees, can be exploited for information disclosure, escalation of privilege, or DoS.

The post Intel, AMD Processors Affected by PCIe Vulnerabilities appeared first on SecurityWeek.

SecurityWeek – Read More

The Week in Vulnerabilities: Cyble Urges D-Link, React Server Fixes

IT and ICS vulnerabilities

Cyble Vulnerability Intelligence researchers tracked 591 vulnerabilities in the last week, and more than 30 already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 69 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 26 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the more critical IT and ICS vulnerabilities flagged by Cyble in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-60854 is a critical command injection vulnerability found in the D-Link R15 (AX1500) router firmware 1.20.01 and below. The flaw has a severity score of 9.8 and requires no authentication or user interaction to exploit, making it highly dangerous for affected systems. 

CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in the last week: 

CVE-2025-55182 is a critical pre-authentication remote code execution (RCE) vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerability has been reportedly targeted by China-linked threat groups. 

CVE-2021-26829 is a cross-site scripting (XSS) vulnerability affecting OpenPLC ScadaBR that was targeted in recent attacks by the pro-Russian hacktivist group TwoNet against a honeypot simulating a water treatment facility. The threat actors used default credentials for initial access, exploited the flaw to deface the HMI login page, and disabled logs and alarms, all in a little more than a day.

Five days after adding CVE-2021-26829 to the KEV catalog, CISA added CVE-2021-26828, a high-severity Unrestricted Upload of File with Dangerous Type vulnerability affecting OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows. The flaw could allow remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. 

CISA also added two Android vulnerabilities to the KEV catalog, both high-severity Android framework vulnerabilities. CVE-2025-48572 is a Privilege Escalation vulnerability, while CVE-2025-48633 is an Information Disclosure vulnerability. Neither vulnerability has been added to the National Vulnerability Database (NVD) yet. 

Notable vulnerabilities discussed in open-source communities included: 

CVE-2025-13223, a type confusion vulnerability in Google Chrome‘s V8 JavaScript and WebAssembly engine, allowing remote attackers to exploit heap corruption via a crafted HTML page, potentially leading to arbitrary code execution. 

CVE-2025-11001,  a directory traversal remote code execution vulnerability in 7-Zip, stemming from improper handling of symbolic links in ZIP files, potentially allowing attackers to escape extraction directories and execute arbitrary code in the context of a service account upon user interaction with crafted archives.  
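
The 7-Zip flaw above and the WinRAR traversal (CVE-2025-6218) at the top of this digest are the same class of bug: an extractor trusts entry names or symbolic-link targets and writes outside the destination directory. The script below is an added example, not code from either project or from Cyble: it audits a ZIP before extraction for absolute or "../" entry names, symlink entries whose target leaves the extraction root, and the symlink-then-write pattern where a later entry is written through an earlier symlink entry. The archive it scans is constructed in memory and its entry names are invented; it uses only the standard library.

```python
"""Pre-extraction audit of ZIP archives for path traversal via "../" or
absolute names, and for symbolic-link entries (including the symlink-then-
write pattern behind archive-extractor traversal bugs).

Added example, not from the original post or from the 7-Zip/WinRAR projects.
Uses only the standard library and a constructed in-memory archive whose
entry names are invented.
"""
import io
import posixpath
import stat
import zipfile


def is_symlink(info):
    """ZIP stores Unix mode bits in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def escapes(path):
    """True if the path is absolute or, once normalized, leaves the root."""
    if path.startswith(("/", "\\")) or (len(path) > 1 and path[1] == ":"):
        return True
    norm = posixpath.normpath(path.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def audit_zip(data):
    """Return a list of (entry_name, reason) findings; empty means clean."""
    findings = []
    symlinks = []  # names of symlink entries seen so far, in archive order
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if escapes(name):
                findings.append((name, "entry path escapes extraction root"))
            if is_symlink(info):
                # For a symlink entry the "content" is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                resolved = posixpath.normpath(
                    posixpath.join(posixpath.dirname(name), target))
                if posixpath.isabs(target) or escapes(resolved):
                    findings.append((name, "symlink target escapes: " + target))
                symlinks.append(name.rstrip("/"))
                continue
            # A later entry written *through* an earlier symlink lands wherever
            # the link points, even though its own name looks harmless.
            for link in symlinks:
                if name.startswith(link + "/"):
                    findings.append((name, "written through symlink entry " + link))
    return findings


def build_sample_archive():
    """Constructed malicious sample: one clean file, one '../' entry, one
    symlink pointing outside the root, and a file written through it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        zf.writestr("../evil.txt", "classic traversal")
        link = zipfile.ZipInfo("startup")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark as symlink
        zf.writestr(link, "../../../../tmp/outside")       # link target
        zf.writestr("startup/payload.cmd", "echo pwned")   # goes through link
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_zip(build_sample_archive()):
        print(entry, "->", reason)
```

The third finding is the one most scanners miss: "startup/payload.cmd" is a perfectly ordinary relative name, and only the archive order (symlink first, file second) makes it dangerous. Any safe extractor either refuses symlink entries outright or resolves every destination path after creating links and checks it is still under the extraction root.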

CVE-2025-58034, an OS command injection vulnerability in Fortinet FortiWeb web application firewalls. 

CVE-2025-41115, a critical privilege escalation and user impersonation vulnerability in Grafana Enterprise’s SCIM provisioning feature, which could allow attackers to create accounts impersonating privileged users, modify dashboards, access databases, alter alerts, and pivot to connected systems. 

CVE-2025-59366, a critical authentication bypass vulnerability in ASUS AiCloud routers, potentially allowing unauthorized execution of specific router functions via path traversal and OS command injection. 

Vulnerabilities Under Discussion on the Dark Web 

Cyble dark web researchers observed multiple threat actors (TA) on dark web and cybercrime forums discussing various exploits and weaponizing multiple vulnerabilities, including: 

CVE-2025-60709: A Windows Common Log File System (CLFS) Driver elevation of privilege vulnerability that could allow an authorized attacker to elevate privileges locally through an out-of-bounds read flaw. The specific flaw exists within the clfs.sys driver and results from improper validation of user-supplied data, which can lead to a read past the end of an allocated memory region.  

Local attackers can disclose sensitive information on affected Microsoft Windows installations and potentially exploit this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel, resulting in privilege escalation. 

CVE-2025-5931: A high-severity privilege escalation vulnerability in the Dokan Pro WordPress plugin, which stems from improper user identity validation during the staff password reset procedure, allowing attackers with vendor-level access to escalate their privileges to staff member level and then change arbitrary user passwords, including those of administrators, potentially leading to a full account takeover. 

CVE-2025-64446: A critical unauthenticated path traversal vulnerability in Fortinet FortiWeb WAF that could allow full administrative compromise of affected appliances via crafted HTTP(S) requests. The flaw is a relative path traversal (sometimes called “path confusion”) issue in the FortiWeb GUI / management API that could let an attacker reach an internal CGI handler and execute privileged operations without valid credentials. In practice, this becomes an authentication bypass that enables remote admin-level control and, effectively, remote code execution on the WAF.

ICS Vulnerabilities 

In addition to the OpenPLC ScadaBR vulnerabilities noted by CISA, Cyble threat intelligence researchers flagged four additional industrial control system (ICS) vulnerabilities in recent reports to clients. 

CVE-2024-3871 is a critical Stack-Based Buffer Overflow vulnerability affecting Emerson Appleton UPSMON-PRO, versions 2.6 and prior. Successful exploitation of the vulnerability could allow remote attackers to execute arbitrary code on affected installations of Appleton UPSMON-PRO. 

CVE-2025-13483 is a Missing Authentication for Critical Function vulnerability affecting SiRcom SMART Alert (SiSA), version 3.0.48. Successful exploitation of the vulnerability could enable an attacker to remotely activate or manipulate emergency sirens. 

CVE-2025-13658 is a Command Injection vulnerability affecting Longwatch versions 6.309 to 6.334. Successful exploitation could allow an unauthenticated attacker to gain remote code execution with elevated privileges. 

CVE-2025-13510 is a Missing Authentication for Critical Function vulnerability affecting Iskra iHUB and iHUB Lite, all versions. Successful exploitation could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials. 

Conclusion 

The wide range of critical and exploited vulnerabilities in this week’s report highlights the breadth of threats faced by security teams, who must respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.  

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.  

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.  

The post The Week in Vulnerabilities: Cyble Urges D-Link, React Server Fixes appeared first on Cyble.

Cyble – Read More

Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws

Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution.
The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and

The Hacker News – Read More

UK Sanctions Russian and Chinese Firms Suspected of Being ‘Malign Actors’ in Information Warfare

Britain and its allies face escalating “hybrid threats … designed to weaken critical national infrastructure, undermine our interests and interfere in our democracies.”

The post UK Sanctions Russian and Chinese Firms Suspected of Being ‘Malign Actors’ in Information Warfare appeared first on SecurityWeek.

SecurityWeek – Read More