Lead Analysts: Jeewan Singh Jalal, Prabhakaran Ravichandhiran and Anand Bodke
By the end of 2026, over 90% of all credential compromise attacks are estimated to be enabled by modular Phishing-as-a-Service (PhaaS) kits such as Kratos, the sophisticated global threat examined in this report.
This aggressive platform has already begun reshaping the threat landscape. At its core, Phishing-as-a-Service (PhaaS) is a malicious cloud-based service that makes phishing attacks easier to deploy and allows features to be updated faster than is possible with traditional phishing and malware attacks.
KnowBe4 Threat Labs identified and launched a thorough investigation into Kratos PhaaS shortly after its first observation around the beginning of 2026. This investigation has provided a rare “under-the-hood” look at the platform, allowing our analysts to deobfuscate the codebase and map its sophisticated operational logic.
Kratos is an evolution from its former life as a family of commercial Trojans and info-stealers. It is now a comprehensive phishing platform focusing on web-based harvesting and management. It is designed to centralize campaign management, democratizing advanced phishing tools and fueling high-volume campaigns that have targeted victims across more than 20 countries. Currently, the primary focus has been on the United States, accounting for 33% of total detections.

Map of Kratos Attack Targets.
Kratos PhaaS Kit: Core Features
This research analysis highlights the following key platform features of the Kratos PhaaS kit:
- Advanced Dashboard: Kratos features a sophisticated administrative control panel engineered for operational efficiency and centralized campaign orchestration.
- Adobe-Themed Precision: Recent aggressive campaigns across 20+ countries used high-fidelity payment authorization lures to exploit the Adobe brand.
- Decoupled Architecture: Isolation between the front-end phishing page and backend data storage ensures harvested data remains accessible even if URLs are taken down.
- Anti-Analysis Defenses: The kit provides anti-bot protection and traffic filtering using CAPTCHA challenges, and controls access from crawlers, VPNs, and proxies.
- Telegram-Based Exfiltration Architecture: Kratos leverages Telegram's centralized and encrypted infrastructure for real-time credential exfiltration. The phishing kit filters out bots and non-target regions, captures victim data (credentials, IP, geolocation, device type), stores it locally as JSON logs on the web server, and simultaneously transmits the credentials to the attacker-controlled bots for immediate exploitation.
Attack Flow Architecture

The Kratos platform operates on a circular, highly resilient logic designed to maximize data harvesting while minimizing the attacker's footprint. The kit's backend captures critical visitor data and geolocation, stores it on the web server, and uses it to filter out security researchers and non-target regions. Upon successful credential entry, the kit uses a JavaScript-based decoupled architecture to process the exfiltrated data.
Stolen credentials are packaged in JSON, a widely used text-based data format, and pushed directly to the attacker's Telegram channel (Telegram is a very popular messaging app used by tens of millions of people). By using Telegram as the final dropzone, the attacker ensures that even if the phishing URL is taken down, the harvested data remains in the attacker's hands.
Social Engineering Lead: Adobe Impersonation
KnowBe4 Threat Labs' initial discovery was catalyzed by a highly sophisticated Adobe-themed social engineering vector. This campaign meticulously mimics the billing and administrative workflows of Adobe Creative Cloud and Document Cloud users. Adobe was chosen as a strategic lure because of its corporate integration and users' sense of urgency regarding invoice and payment notifications.

A real-world example of a phishing lure, sourced from the KnowBe4 PhishER Plus console, that served as the primary lead for discovery.
Investigative Findings: The Kratos Administrative Interface

The Kratos administrative dashboard provides real-time visitor analytics and campaign management.
Analysis revealed a dashboard offering detailed visitor analytics that track and geolocate victims using services like geoplugin.net. This lets attackers capture the victim's IP address, location, device, and browser details, which they can later use to bypass device-based security alerts when the stolen credentials are exploited.
Configuration Panel Overview
- Sending Results: Configures exfiltration via Telegram or Email and defines triggers for valid, invalid, or all submissions.
- Bot Protection: Implements anti-automation defenses using CAPTCHA solutions (reCAPTCHA, Turnstile, hCaptcha).
- File Management: Organizes submissions within the kit's internal directory, recommending JSON format and regular backups.
- Geographic & Device Restrictions: Controls victim access through country-based whitelisting and device type toggles (Desktop, Mobile, Tablet).
- Administrative Security: Secures the panel with a master password, Telegram-based 2FA, and custom session management.
The Payload Generator
Kratos provides a point-and-click interface for multiple payload types, leveraging an "Auto Grab" technique that makes each payload appear personalized through templates like ++email64++.
- Links: Creates targeted links with subdomain randomization.
- QR Codes: Targets mobile users and bypasses traditional email link scanning.
- HTML/SVG Attachments: Weaponized "Stealth HTML" files employing obfuscation.
- ICS Calendar Files: Weaponizes invitations from "Microsoft Team" with embedded malicious links.
- EML Email Files: RFC-compliant message files that bypass authentication controls (SPF, DKIM, DMARC) by encapsulating malicious content within a legitimate outer email.
- PDF/DOCX Documents: Weaponized files with embedded QR codes targeting users who perceive these formats as safer than links.
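A triage helper for reported links, added here as an example and not part of the original report or the Kratos kit. It assumes (hypothetically) that the ++email64++ template is replaced with the recipient's base64-encoded address somewhere in the link, and it recovers that address so defenders can identify which users were targeted; the sample URLs are constructed.

```python
import base64
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Hypothetical assumption: the kit's ++email64++ placeholder is replaced with the
# recipient's base64-encoded address somewhere in the link (query value, fragment or path).
B64_CHARS = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

def decode_email64(token):
    """Return the email address if `token` is a base64/base64url encoding of one, else None."""
    token = unquote(token).strip()
    if len(token) < 8 or not B64_CHARS.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            text = decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if EMAIL_RE.match(text):
            return text
    return None

def extract_targets(url):
    """List recipient addresses embedded base64-encoded in a reported phishing URL."""
    p = urlparse(url)
    candidates = [v for _, v in parse_qsl(p.query, keep_blank_values=True)]
    candidates += [p.fragment] + p.fragment.split("/") + p.path.split("/")
    found = []
    for c in candidates:
        email = decode_email64(c)
        if email and email not in found:
            found.append(email)
    return found

# Constructed sample URLs (not from the report); the path is the report's harvesting path.
SAMPLE_URLS = [
    "https://dwbud.vilaribit.com/PTT/SOft/#dXNlckBleGFtcGxlLmNvbQ==",
    "https://dwbud.vilaribit.com/PTT/SOft/?u=YWxpY2VAY29ycC5leGFtcGxl",
    "https://dwbud.vilaribit.com/PTT/SOft/index.html",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", extract_targets(u))
```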

Example of an ICS Calendar invitation payload on the Kratos Dashboard.
Exfiltration: The Telegram Chain

Configuring real-time exfiltration via Telegram Bot API tokens.
Kratos exploits Telegram's reliable, encrypted infrastructure for exfiltration. Captured credentials are transmitted directly to an attacker-controlled bot via the api.telegram.org endpoint. This blends stolen data with legitimate encrypted traffic, preventing interception by standard deep packet inspection tools.
The Evolving PhaaS Threat Landscape
The rise of Kratos is making it easy for low-skilled attackers to deploy sophisticated, multi-vector campaigns that were once exclusive to highly skilled threat actors. This shift has driven rapid market adoption and proliferation. The number of active PhaaS kits doubled during 2025, and it is estimated that over 90% of all credential compromise attacks will be enabled by such kits by the end of 2026. In the first quarter of 2026 alone, KnowBe4 Threat Labs identified a range of distinct campaign clusters using the Kratos kit, targeting diverse sectors around the globe.
Kratos is also engineered for operational resilience. Its decoupled architecture and decentralized exfiltration via Telegram ensure that campaigns can persist and harvested data remains safe, even after significant law enforcement and security vendor takedowns.
Indicators of Compromise (IOCs)
Organizations are advised to integrate the following technical artifacts into their security monitoring and detection workflows:
| Type | Indicator | Context |
|---|---|---|
| Primary Domain | dwbud[.]vilaribit[.]com | Main landing page for current campaigns. |
| Path | /PTT/SOft | Specific URL path used for credential harvesting. |
| Exfiltration | api[.]telegram[.]org | Telegram Bot API endpoint used for data exfiltration. |
| Tracking | geoplugin[.]net | External service used for victim geolocation and vetting. |
| Originating IP | 41.128.0.142 | Static IP in Egypt used for initial injection into relays. |
| Subject Pattern | Notice of charge - [6-digit number] ENUKL5799-01-Charge notice. [Date]. 12/01/2026 Docusign Document [Date]pdf - [Email] | High-fidelity subject line template. |
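The following detection logic, added here as an example (not the report's or KnowBe4's own code), runs the IoC table above and the Telegram chain described earlier over constructed egress-proxy log lines. It assumes the proxy sees the exfiltration request (true when the kit's client-side JavaScript posts to api.telegram.org from the victim's browser) and uses a placeholder bot token; the log format and client addresses are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample egress-proxy log lines (not from the report): time, client, method, URL.
SAMPLE_LOG = """\
2026-03-02T09:14:05Z 10.0.4.21 GET https://dwbud.vilaribit.com/PTT/SOft/index.html
2026-03-02T09:14:06Z 10.0.4.21 GET https://www.geoplugin.net/json.gp?ip=203.0.113.7
2026-03-02T09:14:31Z 10.0.4.21 POST https://api.telegram.org/bot123456789:AAEXAMPLETOKEN/sendMessage
2026-03-02T09:15:02Z 10.0.4.22 GET https://www.adobe.com/creativecloud.html
"""

# Indicators from the report's IoC table (de-fanged there; plain here so they match hostnames).
IOC_HOSTS = {
    "dwbud.vilaribit.com": "Kratos landing page",
    "geoplugin.net": "victim geolocation/vetting",
    "api.telegram.org": "Telegram Bot API exfiltration",
}
HARVEST_PATH = "/PTT/SOft"
# Telegram Bot API calls carry the bot token in the path: /bot<id>:<secret>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(\w+)")

def classify(url):
    """Return (tag, context) when a URL matches a Kratos indicator, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    for ioc, ctx in IOC_HOSTS.items():
        if host != ioc and not host.endswith("." + ioc):
            continue
        if ioc == "api.telegram.org":
            m = BOT_PATH_RE.match(p.path)
            if m:  # record bot id and method for blocking/pivoting; never log the secret part
                return ("telegram_bot_api", f"{ctx}: bot id {m.group(1)}, method {m.group(2)}")
            return ("telegram_bot_api", ctx)
        if ioc == "dwbud.vilaribit.com" and p.path.startswith(HARVEST_PATH):
            return ("kratos_harvest_path", ctx + " (credential harvesting path)")
        return ("ioc_host", ctx)
    return None

def scan(log_text):
    """Return [(client_ip, tag, context), ...] for every log line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        result = classify(url)
        if result:
            hits.append((client,) + result)
    return hits
```

Calling scan(SAMPLE_LOG) reports the landing-page visit, the geoplugin lookup and the Telegram Bot API post all from the same client, which is the full chain the report describes.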
MITRE ATT&CK Mapping:
- T1566 (Phishing): Initial access via Adobe-themed lures.
- T1557 (AiTM): Adversary-in-the-Middle techniques to bypass traditional MFA.
- T1567 (Exfiltration Over Web Service): Using Telegram Bot API for data exfiltration.
Strategic Recommendations: A Layered Defense through Human Risk Management
Defending against platforms like Kratos requires a transition from static, reactive defenses to a layered, proactive security strategy. Kratos’s multi-vector payloads (such as QR codes, EML attachments, and ICS calendar files) are highly effective because they target the human layer of defense, proving that traditional perimeter controls and simple credential checks are insufficient.
Organizations must move quickly to counter these sophisticated threats by adopting a Human Risk Management (HRM) approach. This framework directly connects real-time threat intelligence with user awareness. The core technical defense must involve prioritizing and implementing phishing-resistant authentication and shifting from static indicators to behavioral identity analytics that detect and flag anomalous user and session activity in real-time.
A continuous focus on the human element is crucial: it turns the user from the easiest target into the organization’s most resilient layer of defense.
Real-Time Protection and Ongoing Threat Intelligence
Defending against the industrialization of cybercrime demands a pivot from static, reactive controls to a dynamic, expert-led strategy. KnowBe4 Threat Labs delivers a unified defense by combining deep-dive human intelligence with rapid, high-impact action. These researchers meticulously investigate reported emails and identify active campaigns, neutralizing threats before they can escalate across the organization.
Crucially, for PhishER customers, these real-time discoveries translate into immediate, actionable protection: identified Indicators of Compromise (IOCs) are instantly injected into M365 TABL via the PhishER Global Blacklist feature.
Stay Connected
Don't wait for the next attack to learn about the latest tactics.
Follow @Kb4Threatlabs on X for real-time updates and ongoing intelligence from the front lines of Phishing defense.