What the ransom note won’t say
An attack is what you see, but a business operation is what you’re up against
WeLiveSecurity – Read More
That data breach alert might be a trap
Ignoring a real breach notification invites risk, but falling for a bogus one could be even worse. Stop reacting on autopilot.
WeLiveSecurity – Read More
Hackers leverage leaked government intelligence tools to target everyday iOS users | Kaspersky official blog
DarkSword and Coruna are two new tools for invisible attacks on iOS devices. These attacks require no user interaction and are already being actively used by bad actors in the wild. Before these threats emerged, most iPhone users didn’t have to lose sleep over their data security. Protection was really only a major concern for a narrow group — politicians, activists, diplomats, high-level business execs, and others who handle extremely sensitive data — who might be targeted by foreign intelligence agencies. We’ve covered sophisticated spyware used against such a group before — noting how hard to come by those tools were.
However, DarkSword and Coruna — discovered by researchers earlier this year — are total game-changers. This malware is being used for mass infections of everyday users. In this post, we dive into why this shift happened, why these tools are so dangerous, and how you can stay protected.
What we know about DarkSword, and how it can target your iPhone
In mid-March 2026, three separate research teams coordinated the release of their findings on a new spyware strain called DarkSword. This tool is capable of silently hacking devices running iOS 18 without the user ever knowing something is wrong.
First, we should clear up some confusion: iOS 18 isn’t as vintage as it might sound. Even though the latest version is iOS 26, Apple recently overhauled its versioning system, which threw everyone for a loop. They decided to jump ahead eight versions — from 18 straight to 26 — so the OS number matches the current year. Despite the jump, Apple estimates that about a quarter of all active devices still run iOS 18 or older.
With that cleared up, let’s get back to DarkSword. Research shows that this malware infects victims when they visit perfectly legitimate websites that have been injected with malicious code. The spyware installs itself without any user interaction at all: you just have to land on a compromised page. This is what’s known as a zero-click infection technique. Researchers report that several thousand devices have already been hit this way.
To compromise a device, DarkSword uses a six-vulnerability exploit chain to escape the sandbox, escalate privileges, and execute code. Once it’s in, the malware harvests data from the infected device, including:
- Passwords
- Photos
- Chats and data from iMessage, WhatsApp, and Telegram
- Browser history
- Information from Apple’s Calendar, Notes, and Health apps
On top of all that, DarkSword lets attackers scoop up crypto-wallet data, making it essentially dual-purpose malware that functions as both a spy tool and a way to drain your crypto.
The only bit of good news is that the spyware doesn’t survive a reboot. DarkSword is fileless malware, meaning it lives in the device’s RAM, and never actually embeds itself into the file system.
Coruna: how older iOS versions are being targeted
Just two weeks before the DarkSword findings went public, researchers flagged another iOS threat dubbed Coruna. This malware is capable of compromising devices running older software — specifically iOS 13 through 17.2.1. Coruna uses the exact same playbook as DarkSword: victims visit a legitimate site injected with malicious code which then drops the malware onto the device. The whole process is completely invisible and requires zero user interaction.
A deep dive into Coruna’s code revealed it exploits a total of 23 different iOS vulnerabilities, several of which are tucked away in Apple’s WebKit. It’s worth reminding that, generally speaking (outside the EU), all iOS browsers are required to use the WebKit engine. This means these vulnerabilities don’t just affect Safari users — they’re a threat to anyone using a third-party browser on their iPhone as well.
The latest version of Coruna, much like DarkSword, includes modifications designed to drain crypto wallets. It also harvests photos and, in certain instances, email data. From what we can tell, stealing cryptocurrency seems to be the primary motive behind Coruna’s widespread deployment.
Who created Coruna and DarkSword — and how did they end up in the wild?
Code analysis of both tools suggests that Coruna and DarkSword were likely built by different developers. However, in both cases, we’re looking at software originally created by state-affiliated companies, possibly from the U.S. The high quality of the code points to this; these aren’t just Frankenstein kits cobbled together from random parts, but uniformly engineered exploits. Somewhere along the line, these tools leaked into the hands of cybercrime gangs.
Experts at Kaspersky’s GReAT analyzed all of Coruna’s components and confirmed that this exploit kit is actually an updated version of the framework used in Operation Triangulation. That earlier attack targeted Kaspersky employees, a story we covered in detail on this blog.
One theory suggests an employee at the company that developed Coruna sold it to hackers. Since then, the malware has been used to drain crypto wallets belonging to users in China; experts estimate that at least 42 000 devices were infected there alone.
As for DarkSword, cybercriminals have already used it to compromise users in Saudi Arabia, Turkey, and Malaysia. The problem is exacerbated by the fact that the attackers who first deployed DarkSword left the full source code on infected websites, meaning it could easily be picked up by other criminal groups.
The code also includes detailed comments in English explaining exactly what each component does, which supports the theory of its Western origins. These step-by-step instructions make it easy for other hackers to adapt the tool for their own purposes.
How to protect yourself from Coruna and DarkSword
Serious malware that allows for the mass infection of iPhones while requiring zero interaction from the user has now landed in the hands of an essentially unlimited pool of cybercriminals. To pick up Coruna or DarkSword, you simply have to visit the wrong site at the wrong time. So this is one of those cases where every user needs to take iOS security seriously — not just those in high-risk groups.
The best thing you can do to protect yourself from Coruna and DarkSword is to update your devices to the latest version of iOS or iPadOS 26, as soon as you can. If you can’t update to the newest software — for instance, if your device is older and doesn’t support iOS 26 — you should still install the latest version available to you. Specifically, look for versions 15.8.7, 16.7.15, or 18.7.7. In a rare move, Apple patched a wide range of older operating systems.
To protect your Apple devices from similar malware that will likely pop up in the future, we recommend the following:
- Install updates promptly on all your Apple devices. The company regularly releases OS versions that patch known vulnerabilities — don’t skip them.
- Enable Background Security Improvements. This feature allows your device to receive critical security fixes separately from full iOS updates, reducing the window for hackers to exploit vulnerabilities. To enable it, go to Settings → Privacy & Security → Background Security Improvements and turn on the Automatically Install
- Consider using Lockdown Mode. This is a heightened security setting that limits some device features but simultaneously blocks or significantly complicates attacks. To enable this, go to Settings → Privacy & Security → Lockdown Mode → Turn On Lockdown Mode.
- Reboot your device once a day (or more). This stops fileless malware in its tracks, since these threats aren’t embedded in the system and disappear after a restart.
- Use encrypted storage for sensitive data. Keep things like crypto wallet keys, photos of IDs, and confidential info in a secure vault. Kaspersky Password Manager is a great fit for this; it manages your passwords, two-factor authentication tokens, and passkeys across all your devices while also keeping your notes, photos, and docs synced and encrypted.
The idea that Apple devices are bulletproof is a myth. They’re vulnerable to zero-click attacks, Trojans, and ClickFix infection techniques — and we’ve even seen malicious apps slip into the App Store more than once. Read more here:
Kaspersky official blog – Read More
Supply chain dependencies: Have you checked your blind spot?
Your biggest risk may be a vendor you trust. How can SMBs map their third-party blind spots and build operational resilience?
WeLiveSecurity – Read More
Foxit, LibRaw vulnerabilities
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one Foxit Reader vulnerability, and six LibRaw file reader vulnerabilities.
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Foxit use-after-free vulnerability
Discovered by KPC of Cisco Talos.
Foxit Reader allows users to view, edit, and sign PDF documents, among other features. Foxit aims to be one of the most feature-rich PDF readers on the market, and contains many similar functions to that of Adobe Acrobat Reader.
TALOS-2026-2365 (CVE-2026-3779) is a use-after-free vulnerability in the way Foxit Reader handles an Array object. A specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.
LibRaw heap-based buffer overflow and integer overflow vulnerabilities
Discovered by Francesco Benvenuto of Cisco Talos.
LibRaw is a library and user interface for processing RAW file types and metadata created by digital cameras. Talos analysts found 6 vulnerabilities in LibRaw.
TALOS-2026-2330 (CVE-2026-20911), TALOS-2026-2331 (CVE-2026-21413), TALOS-2026-2358 (CVE-2026-20889), and TALOS-2026-2359 (CVE-2026-24660) are heap-based buffer overflow vulnerabilities in LibRaw, and TALOS-2026-2363 (CVE-2026-24450) and TALOS-2026-2364 (CVE-2026-20884) are integer overflow vulnerabilities. Specially crafted malicious files can lead to heap buffer overflow in all cases. An attacker can provide a malicious file to trigger these vulnerabilities.
Cisco Talos Blog – Read More
The Q1 vulnerability pulse
Welcome to this week’s edition of the Threat Source newsletter.
The first quarter of 2026 passed faster than a misconfigured firewall rule gets exploited — and the last few weeks have been firmly stamped with the “software supply chain compromise” label, with headlines surrounding incidents involving Trivy,Checkmark, LiteLLM, telnyx and axios. This edition stays focused on vulnerability statistics, although you can view Dave and Nick’s Talos blogs for more information about these incidents.
Known Exploited Vulnerabilities (KEVs) stayed roughly in line with 2025 numbers — no dramatic spike, but no room for relief either.
What does stand out? Networking gear accounted for 20% of KEV-related vulnerabilities, and that number is expected to climb as the year progresses. If the trend from 2025 holds, this won’t be the high-water mark.
Patch management remains one of the industry’s most persistent challenges, and I understand all the operational complexity that comes with it. That said, it still stings to come across CVEs with disclosure dates reaching back to 2009 — and roughly 25% of the CVEs we’re tracking date to 2024 or earlier. Old vulnerabilities don’t retire. They wait. It starts with visibility: Knowing what’s actually running in your environment is the prerequisite for everything else.
Overall CVE counts increased in Q1, with March showing the sharpest climb. Whether that reflects improved disclosure pipelines, increased researcher activity, ora genuine uptick in vulnerability density, the trend line from 2025 hasn’t flattened — if anything, it’s still pointing up.
Using the keyword methodology described here, 121 CVEs with AI relevance were identified in Q1 — more than Q1 2025, though consistent with what adoption trends would predict. As AI components become more deeply embedded across the software stack, this number will keep climbing.
Given the recent developments with models like the Mythos preview and the industry teaming up in initiatives like Project Glasswing, I’m curious how the trajectory will change moving forward. If you haven’t read about it:
“During our testing, we found that Mythos Preview is capable of identifying and then exploiting zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so.” – Anthropic Frontier Red Team
That’s a substantial capability jump in agentic coding and reasoning, which eventually needs to be implemented early in the development lifecycle. And as Anthony points out, those capabilities will become available to adversaries. Read Cisco’s guidance on defending in the age of AI-enabled attacks for more.
Will we see fewer CVEs or even more negative times-to-exploit (TTEs)?
It’s on us. Defenders need to get ahead of the adversaries, and at the same time, we need to pay attention to (sometimes decade-old) vulnerabilities.
The one big thing
Cisco Talos has identified a significant increase in the abuse of n8n, an AI workflow automation platform, to facilitate malicious campaigns including malware delivery and device fingerprinting. Attackers are weaponizing the platform’s URL-exposed webhooks to create phishing lures that bypass traditional security filters by leveraging trusted, legitimate infrastructure. By masking malicious payloads as standard data streams, these campaigns effectively turn productivity tools into delivery vehicles for remote access trojans and other cyber threats.
Why do I care?
The abuse of legitimate automation platforms exploits the inherent trust organizations place in these tools, which often neutralizes traditional perimeter-based security defenses. Because these platforms are designed for flexibility and seamless integration, they allow attackers to dynamically tailor payloads and evade detection through standard reputation-based filtering.
So now what?
Move beyond static domain blocking and implement behavioral detection that alerts on anomalous traffic patterns directed toward automation platforms. Restrict endpoint communication with these services to only those explicitly authorized by the organization’s established internal workflows. Finally, utilize AI-driven email security solutions to analyze the semantic intent of incoming messages and proactively share indicators of compromise, such as specific webhook structures, with threat intelligence communities.
Top security headlines of the week
Adobe patches actively exploited zero-day that lingered for months
Adobe patched an arbitrary code execution vulnerability in the latest versions of its Acrobat and Reader for Windows and macOS, nearly four months after an attacker first appeared to have begun exploiting it. (Dark Reading)
Fake Claude website distributes PlugX RAT
A threat actor created a site that hosts a download link pointing to a ZIP archive allegedly containing a pro version of the LLM. (SecurityWeek)
Sweden blames Russian hackers for attempting “destructive” cyber attack on thermal plant
Sweden’s minister of civil defense said during a press conference on Wednesday that the attempted attack happened in early 2025 and attributed the incident to hackers with “connections to Russian intelligence and security services.” (TechCrunch)
FBI and Indonesian police dismantle W3LL phishing network behind $20M fraud attempts
The W3LL phishing kit, advertised for a fee of about $500, allowed criminals to mimic legitimate login pages to deceive victims into handing over their credentials, allowing the attackers to seize control of their accounts. (The Hacker News)
Google API keys in Android apps expose Gemini endpoints to unauthorized access
Armed with the key, an attacker could access private files and cached content, make arbitrary Gemini API calls, exhaust API quotas and disrupt legitimate services, and access any data on Gemini’s file storage. (SecurityWeek)
Can’t get enough Talos?
More than pretty pictures: Wendy Bishop on visual storytelling in tech
From her early beginnings in web design and journalism to leading the creative vision for Talos, Wendy talks about the unique challenges and rewards of bridging the gap between artistic expression and highly technical research.
PowMix botnet targets Czech workforce
Cisco Talos discovered an ongoing malicious campaign affecting Czech workers with a previously undocumented botnet we call “PowMix.” It employs random beaconing intervals to evade the network signature detections.
APTs: Different objectives, similar access paths
Across the Talos 2025 Year in Review, state-sponsored threat activity from China, Russia, North Korea, and Iran all had varying motivations, such as espionage, disruption, financial gain, and geopolitical influence.
Upcoming events where you can find Talos
- PIVOTcon (May 6 – 8) Málaga, Spain
- OffensiveCon (May 15 – 16) Berlin, Germany
Most prevalent malware files from Talos telemetry over the past week
SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Example Filename: VID001.exe
Detection Name: Win.Worm.Coinminer::1201**
SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
MD5: aac3165ece2959f39ff98334618d10d9
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe
Detection Name: W32.Injector:Gen.21ie.1201
SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59
Example Filename: APQ9305.dll
Detection Name: Auto.90B145.282358.in02
SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe
Detection Name: Win.Dropper.Miner::95.sbx.tg**
SHA256: 38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55
MD5: 41444d7018601b599beac0c60ed1bf83
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55
Example Filename: content.js
Detection Name: W32.38D053135D-95.SBX.TG
SHA256: 3c1dbc3f56e91cc79f0014850e773a7f12bbfef06680f08f883b2bf12873eccc
MD5: d749e0f8f2cd4e14178a787571534121
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=3c1dbc3f56e91cc79f0014850e773a7f12bbfef06680f08f883b2bf12873eccc
Example Filename: Unconfirmed 280575.crdownload.exe
Detection Name: W32.3C1DBC3F56-90.SBX.TG
Cisco Talos Blog – Read More
More than pretty pictures: Wendy Bishop on visual storytelling in tech
In this episode of Humans of Talos, Amy sits down with Wendy Bishop, Head of Creative, to explore the vital role of design in the world of cybersecurity. From her early beginnings in web design and journalism to leading the creative vision for Talos, Wendy shares the unique challenges and rewards of bridging the gap between artistic expression and highly technical research.
Whether you’re a creative professional looking to break into the cybersecurity industry or simply curious about the people behind our security intelligence, this conversation offers a fascinating look at the artistic side of Talos’ mission to keep the digital world safe.
Amy Ciminnisi: Wendy, welcome! We haven’t had anyone from creative here yet. Can you talk to me a little bit about what drew you into creative work and how your career evolved into what it is now at Talos?
Wendy Bishop: I never in my entire life thought I would do anything besides something creative. It’s the only thing I’ve ever known. I have so many memories in my childhood of just being locked in my moody teenage bedroom. In high school, I started doing web design courses, and I think that’s when I really started being interested in a graphic design path. I learned Photoshop and basic HTML/CSS stuff as a side hobby. I moderated a message board for my favorite pop-punk band in high school. When it came time to go to college, there was nothing I wanted to do otherwise besides design. I found myself at Ohio University— that’s where I’m from, Ohio — in the School of Visual Communication.
I went off to a job working in newspapers. I actually never thought I would, but it was the job I found after college, and I designed news pages. It sounds funny now; it was already dying then, probably not the best long career path. But I think my background in journalism and communication-driven design is really what made me a great fit for the kind of design work we do here at Talos. We work with complicated materials, and a lot of the creative work we do is comms-driven. Our blog in some ways functions as a news outlet, so visual storytelling is a lot of my job. But of course, we have a lot of regular, branding-based design work now that comes out of my team.
AC: We just had a really big report come out that has occupied our minds for months, especially over here in design. Can you talk a little bit about the 2025 Year in Review and share what that process is like?
WB: When it starts to take shape, I look over that draft with the team and we talk about each graphic. I say, “That one might be better if we did this,” or “This is missing that piece for when it goes into production.” I really start to wrap my mind around the various assets and how we would go about taking what is essentially an Excel graphic or something created in PowerPoint and making it into a much more polished and designed presentation.
We get a sneak peek, and then one day it lands on your desk, Amy. From there, my designers and I put it together. It’s a lot about putting that puzzle together, thinking about what makes sense on each page, making sure the content flow is clean and linear, and the adjacencies of the graphics are in the right place. I come to you and say, “Amy, I need a headline,” or “Does this make sense?” We come up with a look and feel and theme for the whole report every year that’s greater than just the layout of the document. That gets extended to all the other companion pieces — our videos, social graphics, and any continuing campaign pieces.
Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.
Cisco Talos Blog – Read More
BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory
ANY.RUN has observed a sustained surge in a credential-phishing campaign active since 2024. This campaign, dubbed BlobPhish, introduces a sneaky twist: instead of delivering phishing pages via traditional HTTP requests, it generates them directly inside the victim’s browser using blob objects. The result is a phishing payload that lives entirely in memory, leaving little to no trace in logs, caches, or network telemetry.
The campaign targets credentials across multiple platforms, including Microsoft 365, banking services, and webmail portals, making it both widespread and high-impact.
Key Takeaways
- Memory-resident evasion: BlobPhish loads entire phishing pages as in-browser blob objects, bypassing file-based and network-based detection entirely.
- Broad targeting: The campaign hits Microsoft 365 alongside major U.S. banks (Chase, Capital One, FDIC, E*TRADE, Schwab) and webmail services.
- Persistent and active: First observed in October 2024, the operation continues uninterrupted as of April 2026 with a major spike in February 2026.
- Compromised infrastructure: Attackers routinely abuse legitimate WordPress sites and reuse exfiltration endpoints (res.php, tele.php, panel.php).
- High-value credential theft: Stolen accounts enable BEC, data exfiltration, and lateral movement — threats that carry multimillion-dollar consequences.
- Global but finance-focused: One-third of victims are in the U.S.; phishing pages almost exclusively mimic premium financial and Microsoft services regardless of victim industry.
- ANY.RUN delivers proactive defense: Sandbox instantly reveals blob behavior in real browsers, while TI Lookup and TI Feeds provide real-time IOCs and YARA rules for automated blocking and hunting, turning reactive security into prevention.
How BlobPhish works
The attack is based on the abuse of browser Blob objects to serve fake authentication forms. A JavaScript loader, fetched from an attacker-controlled page, constructs a Blob from a Base64-encoded payload and loads it directly into browser memory — never touching disk and never generating the traditional HTTP requests that security tools rely on to detect phishing.
Targeted services include: Microsoft 365, OneDrive, SharePoint, Chase, FDIC, Capital One, E*Trade, American Express, Charles Schwab, Merrill Lynch, PayPal, Intuit, and others.
Technical Deep Dive
Because the phishing page exists only in memory and is referenced by the scheme blob:https://, it cannot be blocked by URL reputation engines, does not appear in proxy logs as a suspicious request, and leaves no cache artefact. This makes BlobPhish significantly harder to detect and investigate than conventional phishing.
View the observed analysis session in ANY.RUN sandbox
1. Delivery Vector
The typical initial access point is a phishing email or a link to a trusted-looking service such as DocSend. Example phishing link: hxxps[://]docsend[.]com/view/vsrrknxprh2xt84n
Upon clicking, the victim is redirected to an HTML page that contains the loader script. Example loader URL: hxxps[://]mtl-logistics[.]com/blb/blob[.]html
2. Loader Script — Step by Step
The loader uses jQuery to perform the following sequence invisibly to the user:
- var a = $(“<a style=’display: none;’/>”)
Creates an invisible HTML anchor element;
- var decodedStringAtoB = atob(encodedStringAtoB)
Decodes the Base64 payload;
- const myBlob = new Blob([decodedStringAtoB], { type: ‘text/html’ }); → Constructs the Blob object;
- const url = window.URL.createObjectURL(myBlob)
Generates the blob: URL;
- a.attr(“href”, url)
Attaches the URL to the hidden anchor;
- $(“body”).append(a)
Injects the anchor into the DOM;
- a[0].click()
Triggers navigation to the phishing page;
- window.URL.revokeObjectURL(url); + a.remove()
Destroys evidence from memory and DOM.
3. The Phishing Page
The victim sees a convincing Microsoft 365 (or other financial service) login page. The browser address bar shows the scheme blob:https://, which can appear legitimate to an untrained eye.
The page contains:
- A spoofed credential-capture form:
- Specific set of selectors for the used HTML elements:
- Exfiltration logic that POSTs captured credentials to an attacker-controlled endpoint:
- A failed-login counter to force repeated credential entry (increasing harvest accuracy), a final redirect to the legitimate service website to avoid suspicion:
- Data is sent via a POST request as form-data:
Observed exfiltration endpoint pattern:
hxxps[://]mtl-logistics[.]com/css/sharethepoint/point/res[.]php
4. YARA Detection Rule
The following YARA rule matches the loader HTML page and can be used in ANY.RUN Threat Intelligence Lookup to hunt for BlobPhish infrastructure:
rule BlobPhishLoaderHTML
{
meta:
author = "ANY.RUN"
description = "Matches HTML pages with JS-script which creates and loads
phishing page as blob-object"
strings:
$s1 = "function saveFile(" ascii
$s2 = "var a = $("<a style='display: none;'/>");" fullword ascii
$s3 = "var encodedStringAtoB" fullword ascii
$s4 = "var decodedStringAtoB = atob(encodedStringAtoB);" fullword ascii
$s5 = "window.URL.createObjectURL(myBlob);" fullword ascii
$s6 = "window.URL.revokeObjectURL(url);" fullword ascii
condition:
all of them
} 5. Exfiltration Infrastructure by Target
Pivoting on url:”/res.php$” and via the YARA rule above, ANY.RUN researchers identified multiple targets and corresponding exfiltration URLs.
1. Capital One
Exfiltration URL: hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php
2. Chase Banking
Exfiltration URL: hxxps[://]hnint[.]net/cgi-bin/peacemind//res[.]php
3. Morgan Stanley E*Trade
Exfiltration URL: hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//res[.]php
Variants with exfiltration to url:”*/tele.php” with a roughly similar request structure were also observed view a sandbox analysis with exfiltration URL hxxps[://]_wildcard_[.]gonzalezlawnandlandscaping[.]com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele[.]php.
Importantly, in some cases calls to the service endpoint /panel.php have been observed. In response to a POST request, an error and its description (e.g., “IP not found”) are returned.
Example POST URL: hxxps[://]hnint[.]net/cgi-bin/peacemind//panel[.]php
6. HTTP Detection Patterns
The following HTTP traffic signatures reliably identify BlobPhish activity in proxy and SIEM logs:
- POST */res.php — credentials in body (MIME: form-data or x-www-form-urlencoded);
- POST */tele.php — credentials in body (MIME: form-data or x-www-form-urlencoded);
- POST */panel.php — empty body; response: JSON with error & description (e.g., “IP not found”).
7. Delivery Methods
The following initial-access vectors have been observed:
- Phishing emails with financial lures (suspicious transaction, personal loan/operation confirmation, invoice & document signature, disputed payment);
- PDF attachments containing a QR code that leads to a malicious JS page and subsequently the blob:http scheme and */res.php exfiltration pattern (observed in an energy-sector campaign);
- Shortened links (e.g., via t.co) redirecting through JS to the blob:http payload;
- Links to legitimate-looking document-sharing services such as DocSend.
Threat Landscape
First spotted in October 2024, BlobPhis has proved itself as a sustained, continuously evolving campaign that remains active at the time of publication.
Analysis of related artefacts shows that the threat actors regularly rotate infrastructure, exfiltration endpoints, loader hosting domains, and phishing lure themes. They also vary the path names of the loader pages (blob.html, blom.html, bloji.html, emailandpasssss.html) and exfiltration scripts (res.php, tele.php), complicating static signature-based detection.
Targeted Industries
Although the phishing lures predominantly impersonate financial and cloud services, the victim organizations span multiple sectors:
- Manufacturing,
- Education,
- Government,
- Transport,
- Telecommunications.
Regardless of the victim’s industry, attackers focus on harvesting credentials for high-value financial and cloud corporate services — increasing the probability of capturing credentials that unlock significant monetary or data assets.
Financial institutions and cloud-productivity platforms most frequently spoofed:
- Capital One,
- American Express,
- JPMorgan Chase,
- Intuit,
- Charles Schwab,
- Morgan Stanley’s E*TRADE,
- Merrill Lynch,
- PayPal,
- Microsoft 365 / OneDrive / SharePoint (used as a document-access lure).
Geography
Approximately one-third of observed activity involves US-based users and organisations. BlobPhish activity has been observed from: Germany, Poland, Spain, Switzerland, United Kingdom, Australia, South Korea, Saudi Arabia, Qatar, Jordan, India, and Pakistan.
Business Impact: Why BlobPhish Is a Board-Level Risk
BlobPhish does not just steal one employee’s password. By targeting the financial, cloud, and productivity accounts that employees use every day, a single successful compromise can cascade into:
- Unauthorized wire transfers or fraudulent invoices (Business Email Compromise follow-on);
- Full Microsoft 365 tenant takeover — email, SharePoint, Teams, and connected SaaS apps;
- Regulatory exposure (GDPR, SEC, FFIEC, PCI-DSS) from confirmed data exfiltration;
- Reputational damage when customer or partner data is compromised;
- Operational disruption if attacker pivots to ransomware after credential harvest.
Security and risk teams should model the following impact chains when a BlobPhish credential is compromised:
- Microsoft 365 credential → MFA fatigue or session token theft → full mailbox access → BEC fraud or data exfiltration to partners/clients;
- Banking credential (Chase, CapitalOne) → account takeover → wire fraud or ACH manipulation;
- Investment platform credential (Schwab, E*TRADE, Merrill) → unauthorized trades or fund transfer;
- Any cloud credential → lateral movement to connected SaaS → ransomware deployment.
Regulatory consequences may include mandatory breach notification under GDPR (72-hour window), SEC cybersecurity incident disclosure requirements, and FFIEC guidance on authentication for financial institutions.
How ANY.RUN Helps You Stay Ahead
ANY.RUN provides the complementary capabilities that address BlobPhish at every stage of the threat lifecycle: from proactive hunting to real-time detection and automated feed enrichment.
1. Analyze Alerts & Artifacts to Prevent Attack
When a suspicious link or email is forwarded to the security team, ANY.RUN’s fully interactive cloud sandbox executes the entire BlobPhish kill chain in a safe cloud environment:
- The JavaScript loader runs, the Base64 payload is decoded, and the blob: URL is created, exactly as it would on a victim’s machine.
- Analysts watch the live session and see the fake login page render, observe the POST to */res.php, and capture all network artefacts.
- Because execution happens in a real browser, there are no emulation gaps that the attacker’s anti-sandbox checks could exploit.
- Full analysis reports — including screenshots, network traffic, memory artefacts, and extracted IOCs — are generated in minutes.
This means your SOC can definitively confirm or dismiss a BlobPhish suspicion within minutes rather than hours, without risking any internal system.
2. Stop Future Attacks by Enriching Proactive Defense
Threat Intelligence Lookup gives threat hunters direct, query-based access to the ANY.RUN database of analyzed samples and infrastructure:
- Run YARA-based searches to find all samples matching the BlobPhishLoaderHTML rule.
- Pivot on URL patterns (url:”/res.php$”, url:”*/blob.html$”) to discover new attacker infrastructure the moment it appears in the wild.
url:”*/res.php$” AND url:”*/blob.html$” and threatName:”phishing”
- Correlate domains, IPs, file hashes, and HTTP patterns across millions of analyzed tasks.
- Export results directly into SIEM, SOAR, or ticketing workflows.
Security teams can monitor this campaign continuously rather than reacting after a compromise. New loader domains and exfiltration endpoints are surfaced as soon as ANY.RUN community members (and automated systems) submit related tasks.
3. Automate Monitoring with Live Intelligence
Threat Intelligence Feeds deliver structured, machine-readable threat intelligence in STIX/TAXII or flat-file formats, enabling automated enforcement across your security stack:
- BlobPhish-related domains, IPs, and URL patterns are automatically pushed to firewalls, proxies, and SIEM correlation rules.
- Indicators are enriched with context (campaign name, targeted brand, exfiltration pattern, confidence level) so that alerts are actionable, not just noisy.
- Feeds are updated in near-real-time as the campaign evolves, meaning your defenses track the attacker’s infrastructure rotation without manual analyst effort.
- Integration is supported with leading SIEM/SOAR platforms (Splunk, Microsoft Sentinel, Palo Alto XSOAR, and others) via standard connectors.
Rather than relying solely on reactive detection, TI Feeds shift your posture to proactive blocking: exfiltration endpoints are denied before a single employee credential can be harvested.
Indicators of Compromise (IOCs)
URLs
- hxxps[://]mtl-logistics[.]com/blb/blob[.]html
- hxxps[://]mtl-logistics[.]com/css/sharethepoint/point/res[.]php
- hxxps[://]larva888[.]com/wp-includes/css/dist/tmp/vmo[.]html
- hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php
- hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//panel[.]php
- hxxps[://]mail[.]hubnorte[.]com[.]br/blom[.]html
- hxxps[://]riobeautybrazil[.]com/wp-admin/amx/res[.]php
- hxxps[://]riobeautybrazil[.]com/wp-admin/amx/panel[.]php
- hxxps[://]hnint[.]net/bloji[.]html
- hxxps[://]hnint[.]net/cgi-bin/peacemind//res[.]php
- hxxps[://]hnint[.]net/cgi-bin/peacemind//panel[.]php
- hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/blob[.]html
- hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//res[.]php
- hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//panel[.]php
- hxxps[://]i-seotools[.]com/wp-content/citttboy[.]html
- hxxps[://]mts-egy[.]net/wp-content/plugins/owpsyzj/cgi-ent/res[.]php
- hxxps[://]mts-egy[.]net/wp-content/plugins/owpsyzj/cgi-ent/panel[.]php
- hxxps[://]localmarketsense[.]com/wp-includes/Text/sxzmqkp/krtxbvo/sahz1xi/cgi-ent/emailandpasssss[.]html
- hxxps[://]_wildcard_[.]gonzalezlawnandlandscaping[.]com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele[.]php
Domains
- mtl-logistics[.]com
- larva888[.]com
- wajah4dslot[.]com
- mail[.]hubnorte[.]com[.]br
- riobeautybrazil[.]com
- hnint[.]net
- ftpbd[.]net
- i-seotools[.]com
- mts-egy[.]net
Conclusion
BlobPhish represents a mature, well-maintained phishing operation that has been running continuously for over eighteen months. Its core innovation — abusing the browser’s Blob URL API to serve phishing pages entirely in memory — renders the campaign invisible to a wide range of conventional controls including secure email gateways, URL filters, web proxies, and file-based endpoint solutions.
For security teams, the takeaway is clear: static and perimeter-based defenses are insufficient against this class of attack. Effective defense requires dynamic analysis (to execute and observe the full attack chain), proactive threat hunting (to discover attacker infrastructure before it is weaponized against your organization), and automated, continuously updated threat intelligence feeds that propagate IOCs across the entire security stack in near-real-time.
About ANY.RUN
ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.
It allows teams to safely execute suspicious files and URLs, observe real behavior in an Interactive Sandbox, enrich indicators with immediate context through TI Lookup, and monitor emerging malicious infrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.
ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is SOC 2 Type II certified, demonstrating its commitment to protecting customer data and maintaining strong security controls.
FAQ
What is BlobPhish?
BlobPhish is an ongoing credential-phishing campaign active since October 2024 that delivers fake login pages as browser blob objects, evading traditional security tools.
How does the blob technique work?
JavaScript decodes a base64 payload, creates a blob object, generates a blob:https:// URL, forces the browser to load it via a hidden link, then immediately cleans up — leaving no file or cache trace.
Which companies and services are impersonated?
Microsoft 365, Chase, Capital One, FDIC, E*TRADE, Charles Schwab, American Express, PayPal, and others — primarily U.S. financial and cloud brands.
What are the main indicators of compromise?
URLs ending in /blob.html, /res.php, /tele.php or /panel.php; the YARA rule provided; and blob:https:// URLs in browser history.
Who is at risk?
Organizations in Finance, Manufacturing, Education, Government, Transport, and Telecommunications — especially those using Microsoft 365 or corporate online banking.
How can executives reduce the business impact?
Enforce MFA, train staff on unexpected login prompts, and integrate proactive threat intelligence that catches memory-resident attacks before they reach employees.
How does ANY.RUN specifically help against BlobPhish?
The interactive Sandbox detonates the attack in a real browser to reveal blob behavior; TI Lookup surfaces related samples instantly; and TI Feeds push live IOCs into your security tools for automated prevention.
The post BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
PowMix botnet targets Czech workforce
- Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.”
- PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections.
- PowMix embeds the encrypted heartbeat data along with unique identifiers of the victim machine into the C2 URL paths, mimicking legitimate REST API URLs.
- PowMix has the capability to remotely update the new C2 domain to the botnet configuration file dynamically.
- Talos observed a few tactical similarities of the current campaign with the ZipLine campaign, including the payload delivery mechanism and the misuse of the legitimate cloud platform Heroku for C2 operations.
Victimology
Talos observed that an attacker targeted Czech organizations across various levels, based on the contents of the lure documents used by the attacker in the current campaign.
Impersonating the legitimate EDEKA brand and authentic regulatory frameworks such as the Czech Data Protection Act, the attacker deploys decoy documents with compliance-themed lures, potentially aimed at compromising victims from human resources (HR), legal, and recruitment agencies. In the lure documents, the attacker also used compensation data, as well as the legitimate legislative references, to enhance the authenticity of these decoy documents and to entice the job aspirants across diverse sectors like IT, finance, and logistics.
Figures 1 (left) and 2 (right). First pages of two decoy documents.
TTPs overlaps with the ZipLine campaign
Talos observed a few tactical similarities employed in the current campaign with that of the ZipLine campaign, reported by researchers from Check Point in August 2025.
In the current campaign, the PowMix botnet payload is delivered via an LNK triggered PowerShell loader that extracts it from a ZIP archive data blob, bypasses AMSI, and executes the decrypted script directly in memory. This campaign shares tactical overlaps with the older ZipLine campaign (which deployed the MixShell malware), including identical ZIP-based payload concealment, Windows-scheduled task persistence, CRC32-based BOT ID generation, and the abuse of “herokuapp.com” for command-and-control (C2) infrastructure. Although there are overlaps in the tactics, the attacker’s final payload was unobserved, and the intent remains unknown in this campaign.
Attack summary
The attack begins when a victim runs the Windows shortcut file contained within the received malicious ZIP file, potentially through a phishing email. This shortcut file triggers the execution of an embedded PowerShell loader script, which initially creates a copy of the ZIP file along with its contents in the victim’s “ProgramData” folder. Subsequently, it loads the malicious ZIP file, extracts, and executes the embedded PowMix botnet payload directly in the victim’s machine memory and starts to communicate with the botnet C2.
PowerShell loader executes PowMix in memory
The first stage PowerShell script functions as a loader, and its execution routine is designed to bypass security controls and deliver a secondary payload. It begins by defining several obfuscated variables, including file name of the malicious ZIP file that was likely received via a phishing email. Then, the script dynamically constructs paths to the folders such as “ProgramData” and the user’s “Downloads” folder to locate this ZIP file. Once the ZIP file is found, it extracts the contents to the “ProgramData”folder, effectively staging the environment for the next phase of the attack.
To evade detection, the script employs an AMSI (Antimalware Scan Interface) bypass technique. It uses a reflection technique to browse the loaded assemblies in the current process, specifically searching for the AmsiUtils class. Once located, it identifies the amsiInitFailed field and manually sets its value to true. This action deceives the Windows security subsystem into thinking that AMSI has not initialized, which disables real-time scanning of subsequent commands, enabling the script to run malicious code in memory without being detected by Windows Defender or other endpoint detection and response (EDR) solutions.
The script parses the malicious ZIP file to locate a specific marker that is hardcoded, such as zAswKoK. This marker is treated as a delimiter, enabling the extraction of a hidden, encoded command that is embedded within the ZIP file data blob.
Throughout this process, the script performs a series of string replacements, which include the removal of # symbols and the mapping of placeholders, such as {cdm}, to their corresponding specific file paths, reconstructing a functional secondary PowerShell script payload. Then it executes the secondary payload script in the victim machine memory using the Invoke-Expression (IEX) PowerShell command.
PowMix botnet
Talos discovered that the secondary payload PowerShell script, which we call “PowMix,” is a previously unreported botnet designed for remote access, reconnaissance, and remote code execution.
The main execution of the script begins with an environment check to ensure it is running within a specific loader context at the placeholder {cdm}, which is the path of the Windows shortcut in the ProgramData folder, before immediately attempting to conceal its presence. It invokes a function that utilizes the Win32ShowWindowAsync function of “user32.dll” to hide the current PowerShell console window.
Then it decrypts the C2 domain and a configuration file using a custom XOR-based routine with a hardcoded key. It retrieves the machine’s product ID by querying the HKLM: SOFTWAREMicrosoftWindows NTCurrentVersion registry key for the Windows ProductID. PowMix processes the victim machine’s ProductID and the decrypted configuration data through a CRC32-style checksum function to generate a unique Bot ID and a corresponding Windows schedule task name, which it subsequently uses to establish persistence.
Some of the hardcoded XOR key strings found in this campaign are:
- HpSWSb
- qDQyxQE
- bKUxmhyAe
- HymzqLse
- KsEYwmgSF
- ujCPOEPU
Instead of using obvious task names, PowMix names the scheduled task by concatenating the Bot ID and Configuration file hash, resulting in names that appear as random hexadecimal strings (such as “289c2e236761”). The task configuration specifies a daily trigger set to execute at 11:00 a.m., and the execution action is configured to launch the benign Windows Explorer binary with the malicious Windows Shortcut file path as an argument. Windows Explorer’s file association handling then automatically launches the malicious shortcut file to execute the PowerShell loader script.
Before attempting to establish persistence, PowMix performs several validation checks to ensure that another instance of the botnet is not running in the infected machine. It examines the process tree using Common Information Model (CIM) queries to identify its parent processes. If the PowMix is not running under either “svchost.exe” or “powershell.exe”, and if certain environmental variables are not set, it attempts to restart itself in the privileged context.
The mutex implementation in the botnet prevents multiple instances from running at the same time. It creates a mutex with the name “Global[BotID]”. The “Global” prefix makes the mutex visible across all user sessions, stopping separate instances from running in different user sessions.
PowMix avoids persistent connections to the C2 server. Instead, it implements a jitter via Get-Random PowerShell command to vary the beaconing intervals initially between 0 and 261 seconds, and subsequently between 1,075 and 1,450 seconds. This technique attempts to prevent detection of C2 traffic through predictable network signatures.
Each request from PowMix to C2 is created by concatenating the base C2 domain with the Bot ID, configuration file hash, an encrypted heartbeat, a hexadecimal Unix timestamp, and a random hexadecimal suffix. The standard heartbeat string “[]0” is encrypted using a custom XOR routine using the Bot ID as the key and is then converted to a hex string. The inclusion of a random length hexadecimal suffix further ensures that every URL is unique.
The attacker mimics the REST API calls URLs by embedding these data directly into the URL path, instead of using a URL query string or a POST request for communicating with the C2 server.
PowMix establishes a Chrome User-Agent and configures the Accept-Language (en-US) and Accept-Encoding (gzip, deflate, br) headers. It utilizes the GetSystemWebProxy API along with DefaultCredentials to dynamically adopt the host machine’s network proxy settings and automatically authenticates using the logged-in user’s active session tokens, thereby disguising the C2 traffic as legitimate web browser traffic within the victim’s environment.
The PowMix command processing logic is executed upon receiving the response from the C2 with a period delimiter. It extracts the second segment and decrypts it using the unique Bot ID as the XOR key. The resulting decrypted response is then evaluated through a conditional parser that distinguishes between the command operations hardcoded in the botnet and arbitrary code execution, allowing the attacker to remotely control the victim machine.
The remote management commands that the botnet receives from the C2 are identified by a leading hash symbol (#). We found that the PowMix botnet facilitates the commands described below:
#KILL– The KILL command initiates a self-deletion routine, utilizing theUnregister-ScheduledTaskPowerShell command with the parameterConfirm: $falseto silently remove persistence, followed byRemove-Item -Recurse–Forcecommand to wipe the malware’s directory in the victim machine.#HOST– The HOST command enables the C2 infrastructure migration by remotely updating a new C2 URL to a configuration file. By receiving the HOST command, PowMix will encrypt the new domain that it receives using the hardcoded XOR key and save it to a local configuration file viaSet-ContentPowerShell command. During the next initialization of the botnet through the task scheduler execution, it prioritizes the local configuration file data with the encrypted new C2 domain over hardcoded defaults, providing a robust mechanism for evading domain blacklisting.- For non #-prefixed responses from the C2, the command processing routine of PowMix transitions into an arbitrary execution mode. It bypasses static detection of the
Invoke-Expression(IEX) PowerShell command by dynamically reconstructing the command string from the$VerbosePreferencevariable and executes the decrypted payload while redirecting the output to Out-Null, ensuring erasing the execution traces.
Coverage
The following ClamAV signature detects and blocks this threat:
- Lnk.Trojan.PowMix-10059735-0
- Txt.Trojan.PowMix-10059742-0
- Txt.Trojan.PowMix-10059778-0
- Win.Trojan.PowMix-10059728-0
The following Snort Rules (SIDs) detect and block this threat:
- Snort2 and Snort3: 66118
Indicators of compromise (IOCs)
The IOCs for this threat are also available at our GitHub repository here.
Cisco Talos Blog – Read More
Spotting cyberthreats: a guide for blind and low-vision users | Kaspersky official blog
In 2023, Tim Utzig, a blind student from Baltimore, lost a thousand dollars to a laptop scam on X. Tim had been a long-time follower of a well-known sports journalist. When that journalist’s account started posting about a “charity sale” of brand-new MacBook Pros, Tim jumped at the chance to get a deal on a laptop he needed for his studies. After a few quick messages, he sent over the money.
Unfortunately, the journalist’s account had been hacked, and Tim’s cash went straight to scammers. The red flags were strictly visual: the page had been flagged as “temporarily restricted”, and both the bio and the Following list had changed. However, Tim’s screen reader — the software that converts on-screen text and graphics into speech — didn’t announce any of those warnings.
Screen readers allow blind users to navigate the digital world like everyone else. However, this community remains uniquely vulnerable. Even for sighted users, spotting a fake website is a challenge; for someone with a visual impairment, it’s an even steeper uphill battle.
Beyond screen readers, there are specialized mobile apps and services designed to assist the blind and low-vision community, with Be My Eyes being one of the most popular. The app connects users with sighted volunteers via a live video call to tackle everyday tasks — like setting an oven dial or locating an object on a desk. Be My Eyes also features integrated AI that can scan and narrate text or identify objects in the user’s environment.
But can these tools go beyond daily chores? Can they actually flag a phishing attempt or catch the hidden fine print when someone is opening a bank account?
Today we explore the specific online hurdles visually impaired users face, when it makes sense to lean on human or virtual assistants, and how to stay secure when using these types of services.
Common cyberthreats facing the blind and low-vision community
To start, let’s clarify the difference between these two groups. Low-vision users still rely on their remaining sight, even though their visual function is significantly reduced. To navigate digital interfaces, they often use screen magnifiers, extra-large fonts, and high-contrast settings. For them, phishing sites and emails are particularly dangerous. It’s easy to miss intentional typos — known as typosquatting — in a domain name or email address, such as the recent example of rnicrosoft{.}com.
Blind users navigate primarily by sound, using screen readers and specific touch gestures. Interestingly, though, unlike those with low vision, blind users are more likely to spot a phishing site using a screen reader: as the software reads the URL aloud, the user will hear that something is off. However, if a service — whether legitimate or malicious — isn’t fully compatible with screen readers, the risk of falling victim to a scam increases. This is exactly what happened to Tim Utzig.
It’s important to remember that screen magnifiers and readers are basic accessibility tools. They’re designed to enlarge or narrate an interface — not act as a security suite. They can’t warn the user of a threat on their own. That’s where more advanced software — tools that can analyze images and files, flag suspicious language, and describe the broader context of what’s happening on-screen — comes into play.
When to lean on an assistant
Be My Eyes is a major player in the accessibility space, boasting around 900 000 users and over nine million volunteers. Available on Windows, Android, and iOS, it bridges the gap by connecting blind and low-vision users with sighted volunteers via video calls for help with everyday tasks. For example, if someone wants to run a Synthetics cycle on their washing machine but can’t find the right button, they can hop into the app. It connects them with the first available volunteer speaking their language, who then uses the smartphone’s camera to guide them. The service is currently available in 32 languages.
In 2023, the app expanded its capabilities with the release of Be My AI — a virtual assistant powered by OpenAI’s GPT-4. Users take a photo, and the AI analyzes the image to provide a detailed text description, which it also reads aloud. Users can even open a chat window to ask follow-up questions. This got us thinking: could this AI actually spot a phishing site?
As an experiment, we uploaded a screenshot of a fake social media sign-in page to Be My Eyes. On a phone, you can do this by selecting a photo in your gallery or files, hitting Share, and choosing Describe with Be My Eyes. In Windows, you can upload a screenshot directly.
An example of a phishing page that mimics the Facebook sign-in form. Note the incorrect domain in the address bar
At first, the AI gave us a detailed description of the page. We then followed up in the chat: “Can I trust this page?” The AI flagged the domain name error immediately, advised us to close the fake login page, and suggested typing the official URL directly into the browser, or to use the official Facebook app.
Be My AI explains why the page looks sketchy: the domain doesn’t match the official site. The app suggests typing the official URL directly into the browser, or using the official Facebook app
We saw the same positive results when testing a phishing email. In fact, the AI flagged the scam during its initial description of the message. It wrapped up with a warning: “This looks like a suspicious email. It’s best not to open any attachments or click any links. Instead, navigate to the official website or app manually, or call the number listed on their official site”.
Beyond just spotting cyberthreats, Be My AI is a solid sidekick for navigating online stores, banking apps, and digital services. For instance, the AI can help you to:
- Read descriptions, names, and prices when a store’s website or app doesn’t support screen readers or large fonts
- Scan those tricky terms and conditions — often buried in tiny text or otherwise inaccessible to a screen reader — when you’re signing up for a subscription or opening a bank account
- Pull key info directly from product cards or instruction manuals
The risks of relying on Be My AI
The most common hiccup with AI is hallucinations, where the language model distorts text, skips crucial details, or invents words out of thin air. When it comes to cyberthreats, an AI’s misplaced confidence in a malicious site or email can be dangerous. Furthermore, AI isn’t immune to prompt injection attacks, which scammers use to trick AI agents beyond just Be My AI.
Even though the AI passed our test, you shouldn’t rely on it unquestioningly. There’s no guarantee it’ll get it right every time. This is a vital point for the blind and low-vision community, as a neural network can often feel like the only eyes available.
At the end of every response, Be My AI suggests checking in with a volunteer if you’re still unsure. However, when you’re trying to spot a fake webpage, we advise against this. You have no way of knowing how tech-savvy or trustworthy a random volunteer might be. Besides, you risk accidentally exposing sensitive data like your email address or password. Before connecting with a stranger, make sure they won’t see anything confidential on your screen. Better yet, use the app’s dedicated feature to create a private group of family, friends, or trusted contacts. This ensures your video call goes to people you actually know, rather than a random volunteer.
To stay safe, we recommend installing a trusted security tool on all your devices. These programs are designed to block phishing attempts and prevent you from landing on malicious sites. Another practical recommendation for visually impaired users is to use a password manager. These apps will only auto-fill credentials on the legitimate, saved website; they won’t be fooled by a clever domain spoof.
How Be My AI handles and stores your data
According to the Be My Eyes privacy policy, video calls with volunteers may be recorded and stored to provide the service, ensure safety, enforce the terms of service, and improve the products. When you use Be My AI, your images and text prompts are sent to OpenAI to generate a response. This data is processed on servers located in the U.S., and OpenAI uses it only to fulfill your specific request. The policy explicitly states that user images and queries aren’t used to train AI models.
Photos and videos are encrypted both in transit and at rest, and the company takes steps to strip away sensitive information. It’s worth noting that video call recordings can be retained indefinitely unless you request their deletion — in which case they’re typically wiped within 30 days. Data from Be My AI interactions is stored for up to 30 days unless you delete it manually within the app. If you decide to close your account, your personal data may be held for up to 90 days. At any time, you can opt out of data sharing, or request the deletion of your existing data by contacting the Be My Eyes support team.
How to use Be My Eyes safely
Despite Be My Eyes’ claims regarding privacy, you should still follow a few ground rules when using the service:
- Use Be My AI for a first-pass on suspicious emails or pages, but don’t treat it as the only source of truth. Specialized security software is better at identifying and neutralizing threats.
- If a site, email, or message feels off, don’t touch any links or attachments. Instead, manually type the official website address into your browser, or open the official app to verify the info.
- Remember: a volunteer sees exactly what your camera sees. Make sure it isn’t capturing things it shouldn’t, like a safe code or an open passport. Avoid sharing your name, showing your face, or revealing too much of your surroundings. Be extra careful about reflections that might show you or your personal details. Only show what is absolutely necessary for the task at hand.
- Stick to your inner circle. Create a group in the app and add your friends and family. This ensures your video calls go to people you know — not a random volunteer.
- Don’t use Be My AI to read documents that contain confidential info. Remember, your images and text prompts are sent to OpenAI for processing and generating a response.
- Remember to delete chats you no longer need. Otherwise, they’ll hang around for 30 days.
- If you need to read something personal or confidential, consider apps with real-time reading features like Envision, Seeing AI, or Lookout. These apps process data locally on your device rather than sending it to the cloud.
Kaspersky official blog – Read More