Alert: Extortion Groups Are Using Phishing Kits to Automate Their Attacks

KnowBe4 Team | May 27, 2026

Researchers at Push Security have analyzed a phishing platform used by organized criminal threat actors like ShinyHunters and BlackFile, finding more than 400 domains linked to attacks launched by the phishing kit.

“Since at least August 2025, attackers have been running hybrid social engineering campaigns targeting hundreds of organizations across financial services, technology, cryptocurrency, healthcare, hospitality, and private aviation,” the researchers write. “The attacks combine voice phishing with MFA-bypassing adversary-in-the-middle (AiTM) phishing mechanisms that allow the attacker to steal authenticated sessions for target applications — typically enterprise identity providers and cryptocurrency exchanges. Once an identity provider account is compromised, the attackers pivot across connected SaaS platforms — SharePoint, Salesforce, DocuSign, Slack — exfiltrate data, and attempt to extort the victim organization.”

Notably, the researchers have observed several forks based on the original phishing kit. Some of the forks rely heavily on AI-generated code, suggesting that inexperienced threat actors are developing capabilities above their skill levels.

“The existence of these independently branded forks indicates that the tooling has entered a phase of wider distribution — operators who obtained the original panel source are now customizing and reshipping it for their own purposes,” Push Security says. “As a result, the tooling is now most likely accessible to a broad population of financially motivated threat actors.”

Attackers are always coming up with ways to bypass technical defenses and target humans directly with social engineering attacks.

“The phone call as delivery vector eliminates the email-based detection surface that most organizations rely on as their primary phishing defense,” the researchers write. “Operator-gated payload delivery further reduces the likelihood that these sites will be flagged as malicious and added to known-bad detection lists (and in any case, it’s trivial for attackers to spin up new ones).”

Push Security has the story: “We infiltrated a criminal phishing panel: here’s what we found”
