FlowerStorm, a phishing-as-a-service platform, has adopted a browser-based JavaScript virtual machine that executes its malicious payload as encrypted bytecode at runtime, a technique borrowed from sophisticated malware that makes its attack chain much harder for static analysis tools to detect.
What happened
Researchers have identified a campaign by the FlowerStorm phishing-as-a-service operation that hides its credential theft code inside email attachments using a technique designed to defeat security scanning tools. According to CSO Online, victims receive phishing emails with attachments disguised as voicemail notices, invoices, or vendor communications. When the attachment is opened, the malicious code runs immediately but does so in a way that keeps it hidden from the security tools most organizations use to scan email attachments. The campaign targets credentials for Microsoft 365, Hotmail, and GoDaddy, and is designed to capture both passwords and multi-factor authentication codes in real time, bypassing MFA entirely. Researchers noted the group adopted the new obfuscation technique within one month of the underlying tool becoming publicly available on GitHub.
Going deeper
Once a victim opens the attachment and enters their credentials, the attack adapts in real time. The kit identifies which login service the victim uses, displays a matching fake login page pre-filled with their email address, and customizes the page with company branding to appear legitimate. When the victim enters their password, it is forwarded to the real service. If that service then asks for an MFA code, the kit presents the same prompt to the victim, captures the code they enter, and uses it immediately to complete the attacker's login. The attacker gains a fully authenticated session without the victim ever suspecting anything went wrong. Researchers found evidence of the campaign's infrastructure spread across cloud storage services in Singapore, Frankfurt, Tokyo, Seoul, and several other locations, with domain names constructed to resemble legitimate business portals. The campaign did not require advanced technical skill from operators to run, which researchers noted raises concern that the obfuscation technique could spread quickly across other phishing platforms.
What was said
Researchers stated in their report cited by CSO Online that "what makes this campaign notable is the adoption of KrakVM as a delivery wrapper within a month of the project's public release," and warned that "this campaign likely represents only the earliest use of KrakVM's obfuscation capabilities. We anticipate more complex implementations as its adoption grows." Researchers described the broader concern as whether "VM-based obfuscation techniques could spread quickly across phishing ecosystems if tooling becomes easier to operationalize."
In the know
FlowerStorm emerged in late 2024 following the infrastructure collapse of Rockstar2FA, a rival phishing-as-a-service platform. According to BleepingComputer, FlowerStorm shares structural similarities with Rockstar2FA, including phishing portals mimicking Microsoft login pages, Cloudflare Turnstile integration, and backend server patterns, leading researchers to assess a possible shared ancestry or operational overlap between the two platforms. FlowerStorm's adoption of VM-based obfuscation represents a meaningful technical escalation beyond what Rockstar2FA offered, applying malware-grade evasion techniques to a mass-market phishing platform for the first time at documented scale.
The big picture
Virtual machine obfuscation has been a standard technique in malware for years, used to defeat reverse engineering and detection tools that analyze code statically. Its adoption inside a phishing kit creates a detection gap specific to email security tools: when the malicious logic exists only as encrypted bytecode executed at runtime inside a browser, traditional email scanners that analyze attachment content find nothing they recognize as dangerous. For healthcare organizations whose email security relies on attachment scanning and known-bad signature detection, FlowerStorm's VM-based approach bypasses the layer of defense most commonly deployed against HTML attachment phishing. Microsoft's Q1 2026 email threat data, documented in Microsoft's April 2026 phishing report, found that CAPTCHA-gated phishing surged 125% in a single month, and credential theft was the objective behind 94% of payload-based attacks, the same environment in which FlowerStorm now operates with improved evasion capability.
FAQs
What is a browser-based virtual machine, and why does it help attackers avoid detection?
A browser-based virtual machine is a JavaScript program that interprets and executes custom bytecode inside the browser. When malicious code is compiled into encrypted bytecode and executed through the VM rather than written as readable JavaScript, static analysis tools that scan for malicious code patterns find only the VM engine, which appears benign. The actual attack logic only exists in memory during execution.
How does FlowerStorm intercept MFA codes in real time?
FlowerStorm identifies which MFA method the victim's account uses and presents a matching prompt after credential entry. The kit forwards those credentials to the real service, which triggers a genuine MFA request. The victim sees what appears to be a normal MFA prompt, enters their code, and FlowerStorm captures and forwards it to complete the attacker's authenticated session before the victim realizes anything has occurred.
Why does adopting a tool within one month of its public release matter?
It signals that phishing operators are actively monitoring open-source repositories for new obfuscation tools and integrating them at speed. The window between a new evasion technique becoming publicly available and being weaponized at scale is shrinking, reducing the time defenders have to update detection rules before campaigns are already running.
What sectors does FlowerStorm currently target?
The campaign identified in this research targeted local government, logistics, retail, communications, and real estate. Prior FlowerStorm activity documented by Sophos in late 2024 showed services, manufacturing, retail, and financial services as the most targeted sectors. Healthcare was not the primary focus in the identified campaign, but it sits within the broader target profile of Microsoft 365-dependent organizations.
What is the only authentication method that defeats AiTM phishing regardless of obfuscation?
Phishing-resistant MFA using FIDO2 hardware keys or passkeys is cryptographically bound to the legitimate domain. An AiTM proxy cannot relay a FIDO2 authentication response to a different domain, meaning the session hijacking step fails regardless of how well the phishing page or its code is obfuscated.
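The following added example (not code from the article or from any of the researchers it cites) shows why the relay described under "How does FlowerStorm intercept MFA codes" fails against FIDO2: it simulates the origin and rpIdHash checks a relying party performs on a WebAuthn assertion. The relying-party name, phishing domain, and challenge value are constructed placeholders, and the actual signature verification is left out; only the signed-message construction is shown.

```python
import hashlib
import json

# Constructed relying-party identity and AiTM proxy domain; neither is from the article.
RP_ID = "login.example-tenant.test"
RP_ORIGIN = "https://" + RP_ID
PHISH_RP_ID = "login.example-tenant-portal.test"
PHISH_ORIGIN = "https://" + PHISH_RP_ID

def browser_client_data(origin: str, challenge: str) -> bytes:
    # clientDataJSON: the browser, not the page's script, fills in origin, so a
    # phishing page cannot claim the legitimate origin.
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

def authenticator_data(rp_id: str) -> bytes:
    # Minimal authenticatorData: sha256(rpId) || flags (UP|UV) || 4-byte signature counter.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")

def signed_message(auth_data: bytes, client_data: bytes) -> bytes:
    # The authenticator signs authData || sha256(clientDataJSON); a proxy that edits
    # the origin field changes this message and invalidates the signature.
    return auth_data + hashlib.sha256(client_data).digest()

def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: str) -> str:
    """Relying-party checks (WebAuthn assertion verification) run before the signature check."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    return "ok"

def legitimate_login(challenge: str) -> str:
    return verify_assertion(browser_client_data(RP_ORIGIN, challenge), authenticator_data(RP_ID), challenge)

def relayed_login(challenge: str) -> str:
    # The victim's browser is on the proxy's domain: origin and rpId are the proxy's,
    # and the proxy can only forward the assertion as the browser produced it.
    return verify_assertion(browser_client_data(PHISH_ORIGIN, challenge), authenticator_data(PHISH_RP_ID), challenge)

def origin_rewrite_changes_signed_message(challenge: str) -> bool:
    forwarded = signed_message(authenticator_data(RP_ID), browser_client_data(PHISH_ORIGIN, challenge))
    rewritten = signed_message(authenticator_data(RP_ID), browser_client_data(RP_ORIGIN, challenge))
    return forwarded != rewritten
```

In practice the browser refuses the ceremony even earlier, because a page on the proxy's domain cannot request a credential registered for the legitimate rpId; the checks above are the relying-party backstop.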