#threatreport #MediumCompleteness Cato CTRL™ Threat Research: From Fiscal Lures to Remote Access, A Previously Undocumented NinjaOne RMM Abuse Chain | 10-06-2026
Source: catonetworks.com/blog/cato-c…
Key details below ↓
💀 Threats: Ninjaone_tool, Venomrat, Spear-phishing_technique
🎯 Victims: Brazilian organizations, Chemicals and advanced materials
🏭 Industry: Logistic, Financial, Chemical
🌐 Geo: Portuguese, Brazilian, Americas, Brazil
📚 TTPs: ⚔️ Tactics: 5, 🛠️ Techniques: 9
🧨 IOCs: Domain: 6
💽 Software: Selenium, PhantomJS
📜 Programming Languages: javascript, rust

#threatreport: Cato CTRL researchers have uncovered a phishing campaign targeting Brazilian organizations, particularly in sectors such as chemicals and advanced materials. The campaign employs fake business-document lures that culminate in the installation of a legitimate NinjaOne Remote Monitoring and Management (RMM) agent, marking a significant use of commonplace software in cyberattacks.

The attack leverages familiar Brazilian business processes, employing phishing emails that redirect users to Portuguese-language landing pages made to resemble trusted portals for secure document delivery and fiscal documentation. Victims receive phishing emails with links concealed behind a Googleusercontent-based redirection pathway, which raises the likelihood of successful delivery by complicating tracking efforts and any potential blocking response. The links lead users to portals referencing well-recognized Brazilian services related to tax documents and customer complaints, creating a sense of authenticity. The RMM agent, disguised as a protected document download, does not deliver an actual document but rather a NinjaOne installer that grants attackers remote access to the system, allowing extensive interaction and control. The operators' tactics demonstrate a sophisticated understanding of the nuances of Brazilian business culture.

Instead of conventional social engineering tactics, the phishing strategy aligns closely with the expected everyday activities of procurement, finance, and administrative professionals. This alignment not only increases user compliance but also reduces suspicion during the download process, blurring the line between legitimate business operations and malicious activity. The infrastructure also integrates anti-analysis features, including browser fingerprinting and geofencing, to target only Brazilian IP addresses and limit exposure to security researchers. Investigation into the JavaScript of the phishing pages, aimed at filtering out automated analysis and researchers, revealed the operators' intent to maximize human interactions. Notably, some users encountered different phishing experiences based on their IP location, further securing the operation against analysis. Additionally, there are potential connections between this campaign and previously observed activity linked to VenomRAT, suggesting shared resources or participation in the broader Brazilian cybercrime landscape.

Despite the attackers' reliance on established business frameworks and software, the campaign also highlights the risks posed by the abuse of legitimate tools like NinjaOne, echoing warnings from cybersecurity entities such as CISA and NSA regarding the misuse of remote-management platforms. The combination of social engineering, well-crafted phishing scenarios, and legitimate software exploitation exemplifies the evolving nature of cyber threats, where the need for custom malware is diminished by effective manipulation of user behavior and trusted tools, allowing attackers to gain unauthorized remote access without necessarily deploying traditional malware.
Replying to @AndreaDCorreia
it's another PhantomJS but in Rust
Burp Suite for Pentester: XSS Validator 🔥
Telegram: t.me/hackinarticles
✴ Twitter: x.com/hackinarticles

XSS Validator is a powerful Burp Suite extension that helps penetration testers automatically detect and validate Cross-Site Scripting (XSS) vulnerabilities using browser-based verification techniques and customized payload testing.

⚡ Key Features of XSS Validator
🔍 Automated XSS validation
🧩 Seamless Burp Suite integration
⚙️ Supports PhantomJS-based detection
🛡️ Reduces false positives in XSS testing
📡 Custom payload fuzzing support

🎯 Capabilities of XSS Validator
💥 Detects reflected XSS
🧪 Identifies stored XSS
🧬 Browser-based payload execution testing
🌐 Automated payload verification
⚡ Faster web application testing workflow

📖 Article: hackingarticles.in/burp-suit…
#CyberSecurity #EthicalHacking #BurpSuite #Pentesting #BugBounty #InfoSec #WebSecurity #XSS
Elastic Security Labs publishes comprehensive technical breakdown of Tycoon 2FA AiTM kit operations across Microsoft 365 and Google Workspace. Despite March 2026 takedown by Microsoft and Europol, operators rapidly adapted with OAuth device code flows.

• **Technical Architecture**: Two-tier Microsoft operations (cloud VPS kit relay → residential operator console) vs single-tier Google relay. Kit uses WebSocket C2, per-victim encryption, and extensive anti-analysis (IP filtering, debugger traps, DOM vanishing)
• **Attack Chain**: Phishing → multi-layer redirects → AiTM proxy intercepts real MFA → session token theft → device registration for PRT persistence (Microsoft only). Google variant targets Chrome OAuth client `77185425430` with compressed ~1-second auth sequence
• **Evasion Techniques**: Blocklists cloud provider IPs (api[.]ipapi[.]is checks), detects Selenium/PhantomJS, encrypts payloads with Caesar XOR cipher seeded per-session. Linux users get blank pages assuming researcher targeting
• **Detection IOCs**: Microsoft kit relay uses Node.js UAs (`node`, `axios`, `undici`) from cheap hosting ASNs. Google variant shows impossible travel patterns across multiple ASNs with `token.authorize` events for Chrome client
• **Graph API Enumeration**: Post-compromise recon hits 4 categories within 60 seconds: role discovery, cross-tenant mapping, mailbox settings, contact harvesting using `/beta/` endpoints with `$top=999` parameters

#DFIR_Radar
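The two detection ideas in the post above (relay sign-ins using Node.js HTTP-client user agents from hosting ASNs, and the four-category Graph recon burst inside 60 seconds) written out as an added example in JavaScript. This is not Elastic's code or anything from the Tycoon 2FA kit. The log schema (`user`, `ts`, `ua`, `asnType`, `success`, `url`), the ASN labelling, and the Graph endpoint patterns used to recognise each recon category are my assumptions, and the rows are constructed, not captured telemetry.

```javascript
// Added example, not code from the post or from Elastic. Two detections over
// constructed log rows with a simplified schema of my own, not the Entra ID
// sign-in or Graph audit schema.

// Node.js HTTP client user agents the write-up associates with the kit relay.
const RELAY_UA = /^(node(\b|\/)|axios\/|undici)/i;

// Detection 1: a successful sign-in whose UA is a Node.js client, coming from a
// hosting ASN rather than a residential one, is the relay, not the victim's browser.
function findRelaySignins(signins) {
  return signins.filter(s => s.success && RELAY_UA.test(s.ua) && s.asnType === 'hosting');
}

// Detection 2: post-compromise Graph recon burst. The four categories are from
// the write-up; the endpoint patterns used to recognise them are assumptions.
const RECON_CATEGORIES = [
  { name: 'roles',    re: /\/beta\/(directoryRoles|me\/memberOf|roleManagement)(?=[/?]|$)/i },
  { name: 'tenants',  re: /\/beta\/(tenantRelationships|organization)(?=[/?]|$)/i },
  { name: 'mailbox',  re: /\/beta\/me\/mailboxSettings(?=[/?]|$)/i },
  { name: 'contacts', re: /\/beta\/(me\/contacts|me\/people|users)(?=[/?]|$)/i },
];

function categorize(url) {
  const c = RECON_CATEGORIES.find(c => c.re.test(url));
  return c ? c.name : null;
}

function usesTop999(url) {
  return /[?&]\$top=999(?=&|$)/.test(url);
}

// Flag a user whose categorised /beta/ requests cover >= minCategories distinct
// categories inside any windowMs-wide window (60 s per the write-up).
function findReconBursts(requests, windowMs = 60_000, minCategories = 3) {
  const byUser = new Map();
  for (const r of requests) {
    const cat = categorize(r.url);
    if (!cat) continue;
    if (!byUser.has(r.user)) byUser.set(r.user, []);
    byUser.get(r.user).push({ ts: Date.parse(r.ts), cat, top999: usesTop999(r.url) });
  }
  const alerts = [];
  for (const [user, events] of byUser) {
    events.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < events.length; i++) {
      const win = [];
      for (let j = i; j < events.length && events[j].ts - events[i].ts <= windowMs; j++) win.push(events[j]);
      const cats = new Set(win.map(e => e.cat));
      if (cats.size >= minCategories) {
        alerts.push({
          user,
          categories: [...cats].sort(),
          top999: win.filter(e => e.top999).length,
          start: new Date(events[i].ts).toISOString(),
        });
        break; // one alert per user is enough for triage
      }
    }
  }
  return alerts;
}

// Constructed sample rows (not real telemetry).
const SAMPLE_SIGNINS = [
  { user: 'ana@example.com',  ts: '2026-04-01T09:59:50Z', success: true,  ua: 'axios/1.6.8', asnType: 'hosting' },
  { user: 'ana@example.com',  ts: '2026-04-01T08:10:00Z', success: true,  ua: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36', asnType: 'residential' },
  { user: 'bob@example.com',  ts: '2026-04-01T09:00:00Z', success: false, ua: 'node', asnType: 'hosting' },
  { user: 'cris@example.com', ts: '2026-04-01T09:05:00Z', success: true,  ua: 'undici', asnType: 'residential' },
];
const SAMPLE_GRAPH = [
  { user: 'ana@example.com', ts: '2026-04-01T10:00:05Z', url: 'https://graph.microsoft.com/beta/me/memberOf?$top=999' },
  { user: 'ana@example.com', ts: '2026-04-01T10:00:09Z', url: 'https://graph.microsoft.com/beta/tenantRelationships/managedTenants/tenants?$top=999' },
  { user: 'ana@example.com', ts: '2026-04-01T10:00:20Z', url: 'https://graph.microsoft.com/beta/me/mailboxSettings' },
  { user: 'ana@example.com', ts: '2026-04-01T10:00:41Z', url: 'https://graph.microsoft.com/beta/me/contacts?$top=999' },
  { user: 'bob@example.com', ts: '2026-04-01T10:05:00Z', url: 'https://graph.microsoft.com/beta/users?$top=999' },
  { user: 'bob@example.com', ts: '2026-04-01T10:30:00Z', url: 'https://graph.microsoft.com/beta/me/memberOf?$top=999' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('relay sign-ins:', findRelaySignins(SAMPLE_SIGNINS));
  console.log('recon bursts:', findReconBursts(SAMPLE_GRAPH));
}
```

Run with `node`; only `ana@example.com` trips both detections (the relay sign-in is the `axios` UA from the hosting ASN, and all four recon categories land within 36 seconds), while `bob@example.com`'s two requests are 25 minutes apart and stay under the threshold. The ASN label would come from whatever IP-enrichment source the SOC already has; the point of the example is the join, not the enrichment.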
One week into identifying possible bot traffic in Google Analytics on our company site. Google Analytics excludes known bot traffic from measurement by default, but some of it still ends up being counted. This is an attempt to see whether that can be identified.

◆ Premise
Identifying the following automation signals. Measurement began on May 9.
[ WebDriver / Selenium / PhantomJS / Nightmare / Headless Chrome ]
※ Identifying what appears to be browser automation, headless execution, and automation tools: traffic GA did not already exclude as a known bot. At present only WebDriver is actually being identified.

◆ Overview and trends (from the last week of data)
● WebDriver traffic is about 3% of all sessions
● Engagement rate is extremely low, around 1/8 of the site as a whole
● Average engagement time per session is 2 seconds, extremely short
● Referrer is always direct
● Referrer URL of viewed pages is also always empty
● Device environment is mostly Chrome, with many extremely low versions (83, 85) or old, suspiciously round ones (120.0.0.0)
● Screen resolution skews toward odd fixed values such as 800x600 and 1600x1600
● Some have an unknown OS
● Language and country are conspicuously "Chinese - China" and "English - Japan", though of course there are various combinations
● Device info, User-Agent, and country/region must be treated as spoofable
● Access to URLs such as "/recruit/", "/saiyou/", "/inquiry/", which do not exist on our site but plausibly could, can also be confirmed
Rather than a normal user's natural browsing, this suggests automated browser access that specifies URLs directly and crawls pages checking them.

◆ Going forward
The direction under consideration was to exclude this traffic from measurement as follows:
-- "Define traffic that may be bots" → "Use [Event modification] to tag it with a parameter under specific conditions" → "Exclude that traffic with a data filter (using the internal-traffic exclusion mechanism)" --
Realistically, though, this is difficult. The definition of bot traffic is "limited to what is easy to identify", "the conditions will keep growing", and "it can be spoofed endlessly", so maintenance is hard. This is something Google should handle on their side.
Excluding such traffic on the output side (in reports or BI) when creating reports and doing analysis is possible as far as conditions go. As far as measurement goes, it seems we have to accept it.

◆ Side note and impressions
To learn about other variations for verification, I implemented the same measurement on another site I own (about 20,000 sessions of traffic). It has only been a few days since measurement started so it still needs following, but I was surprised that WebDriver traffic is "just under 20%" of all sessions. The site does generate Google AdSense revenue, and I confirmed no revenue is generated from the WebDriver traffic.
I have heard of cases where other websites' GA measurement includes so much bot-like traffic that analysis is no longer viable. The more a site is "a website valuable as an information database", the more likely it is to suffer this.
Recorded as of May 2026.
(End)

Identification of possible bot traffic is going smoothly, though the volume is on the small side. On our site the estimated matching traffic is around 200 per month, so I want more variations for verification. I would even like to try it somewhere with heavy traffic, but that is the one thing that is hard.
POV when threat actors ask nicely to quit reversing their JavaScript stored in smart contract input data 😂 They check for headless browsers through a scoring system: webdriver, headless chrome user agent, specific user agents (PhantomJS, Puppeteer, Playwright), window height, vendor-specific objects, plugin/languages count. #ClearFake #EtherHiding
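The scoring approach this post describes (webdriver flag, headless UA, PhantomJS/Puppeteer/Playwright user agents, window height, vendor-specific objects, plugin and language counts), which is the same browser-fingerprinting idea the Cato CTRL report above attributes to its phishing pages and the WebDriver signal the Google Analytics post above looks for, as an added example in JavaScript. This is not ClearFake's loader code or anything from those posts: the rule weights, the threshold and the vendor-global names checked are my assumptions, and the sample environments are constructed so it runs under Node without a browser. The same score a kit uses to decide to serve a blank page is what a site owner would attach to a GA4 event to tag automation traffic.

```javascript
// Added example, not code from any post above. Headless/automation scoring
// over a browser-like environment object ({ window, navigator }). Weights,
// threshold and vendor-global names are assumptions chosen for illustration.

// User agents that automation tools or wrappers historically announce.
const AUTOMATION_UA = /PhantomJS|Puppeteer|Playwright|Selenium|Nightmare/i;
// Globals that PhantomJS, Nightmare, Selenium/ChromeDriver and similar injected.
const VENDOR_GLOBALS = ['_phantom', 'callPhantom', '__nightmare', '_selenium', 'domAutomation', '__webdriver_evaluate'];

const RULES = [
  { name: 'navigator.webdriver', weight: 5, test: env => env.navigator.webdriver === true },
  { name: 'headless-ua',         weight: 4, test: env => /HeadlessChrome/i.test(env.navigator.userAgent) },
  { name: 'automation-ua',       weight: 4, test: env => AUTOMATION_UA.test(env.navigator.userAgent) },
  { name: 'zero-height',         weight: 3, test: env => !(env.window.outerHeight > 0) },
  { name: 'vendor-global',       weight: 3, test: env => VENDOR_GLOBALS.some(k => k in env.window) },
  { name: 'no-plugins',          weight: 2, test: env => !env.navigator.plugins || env.navigator.plugins.length === 0 },
  { name: 'no-languages',        weight: 2, test: env => !env.navigator.languages || env.navigator.languages.length === 0 },
];
const BOT_THRESHOLD = 5; // assumption: one strong signal or several weak ones

function scoreEnvironment(env) {
  // A rule that throws (property access on a hostile proxy, say) simply does not fire.
  const hits = RULES.filter(r => { try { return r.test(env); } catch (e) { return false; } });
  return { score: hits.reduce((s, r) => s + r.weight, 0), hits: hits.map(r => r.name) };
}

function isLikelyAutomation(env) {
  return scoreEnvironment(env).score >= BOT_THRESHOLD;
}

// What a defender would attach to a GA4 event (the "event modification" route
// in the GA post): the score and the signal names, not the raw user agent.
function analyticsParams(env) {
  const { score, hits } = scoreEnvironment(env);
  return { automation_score: score, automation_signals: hits.join(',') || 'none' };
}

// Constructed sample environments (not captured data).
const SAMPLE_HUMAN = {
  window: { outerHeight: 1080 },
  navigator: {
    webdriver: false,
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36',
    plugins: [{}, {}, {}],
    languages: ['pt-BR', 'pt'],
  },
};
const SAMPLE_PHANTOM = {
  window: { outerHeight: 0, callPhantom: () => {} },
  navigator: {
    userAgent: 'Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1',
    plugins: [],
    languages: undefined,
  },
};
// A driver with a clean UA, plugins and languages, but navigator.webdriver still true.
const SAMPLE_WEBDRIVER = {
  window: { outerHeight: 768 },
  navigator: { webdriver: true, userAgent: SAMPLE_HUMAN.navigator.userAgent, plugins: [{}], languages: ['en-US'] },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, env] of Object.entries({ SAMPLE_HUMAN, SAMPLE_PHANTOM, SAMPLE_WEBDRIVER })) {
    console.log(name, analyticsParams(env), isLikelyAutomation(env));
  }
}
```

In a real page the environment object is simply `{ window, navigator }`. The PhantomJS sample trips five rules at once, which is why the kits in these posts barely need a threshold for it; the WebDriver sample shows the opposite case, where everything looks normal except the one flag, and it is exactly that flag the GA post reports as the only signal it currently sees. Stealth plugins exist to remove it, so the weaker signals are kept in the score rather than dropped.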
I think I used Capybara PhantomJS back when, but it's hard to remember because I'm a dumb DJ at heart
Jan 16
Among technologies that stopped being mentioned over 15 years (2011-2013 → 2023-2025), Backbone, Grunt and PhantomJS are no longer mentioned; instead, ESM, monorepos, WebAssembly and Rust have increased. That is because Rust and Go have come to be used a lot in the JS toolchain.
I decided to get back into scraping after a long time, and I discover that PhantomJS is now paid. The world I was born into no longer exists
🪦 Is Puppeteer Stealth dead? Not yet… but its best days are over. I did the same post years ago for PhantomJS, now it’s Puppeteer Stealth’s turn 😅 Still used in the wild, but 10× less than vanilla Selenium. 👉 blog.castle.io/is-puppeteer-… #BotDetection #CyberSecurity
Day 99 of #100DaysofCode: Just finished a unit on feature and server testing with TDD! Used Chai, phantomJS, SuperTest, jsdom, and handlebars to write tests, check status codes, and implement server testing patterns in Express.js. Ready for my next project! #TDD #Testing #WebDev
Replying to @Kick_Champ
Not surprised they'd set up the viewbot locally. Normally they've been getting away with it on AWS, but who owns AWS and who owns Twitch? Amazon. Obviously Amazon caught on and now it has to be done locally, in-house. What makes it so insidious is how easy it is!!! Grab a Python script from GitHub, run it on your home server with a headless browser like PhantomJS, slap on rotating proxies & random user agents to mimic real peeps. Vary watch times, nuke cookies, add fake interactions, and you've got yourself FaZe Clan and N3on streaming with celebs thinking they're on the same playing field in terms of clout. It's fkn hilarious. @crashoverride
I'd been wanting for a while to get my hands on a website with RSelenium (by the way, don't forget to set phantomjs to Null), using random user-agent switching, wait times from a random Poisson time function, random mouse movements, window resizing and scrolling, and finally a small click on a subpage to "humanize" the interaction with the page as much as possible. It worked.
Interactive Tree Of Life (iTOL) v4: recent updates and new developments The Interactive Tree Of Life (itol.embl.de) is an online tool for the display, manipulation and annotation of phylogenetic and other trees. The current version introduces four new dataset types, together with numerous new features. Annotation options have been expanded and new control options added for many display elements. An interactive spreadsheet-like editor has been implemented, providing dataset creation and editing directly in the web interface. iTOL is accessible with any modern web browser. The tree display engine is implemented in pure Javascript and uses the HTML5 Canvas element for visualization. iTOL supports commonly used phylogenetic tree formats: Newick, Nexus and phyloXML. Phylogenetic placements files created by EPA and pplacer are also supported. Current version introduces support for QIIME 2 trees and annotation files. QIIME 2 QZA trees (Phylogeny[Rooted] or Phylogeny[Unrooted]) can be uploaded directly, and annotated with the following types of data: FeatureData[Taxonomy]: Leaf labels will be automatically assigned, and confidence values will appear as a bar chart dataset. FeatureTable[Frequency]: A multi value bar chart will be created with sample frequencies in different tree leaves. FeatureData[AlignedSequence]: Multiple sequence alignment dataset will be created automatically. All additional data used for various types of tree annotation are provided in plain text files, and simply dragged and dropped onto the trees visualized in the user's web browser. iTOL provides most common functions available in any phylogenetic tree viewer. In addition to standard display formats (rectangular, circular and unrooted), iTOL v4 supports the slanted phylogram display mode. Trees can be manipulated in various ways, and basic editing functions allow users to interactively delete or move single nodes or whole clades. 
Clades can also be pruned or collapsed, either manually or automatically, based on various parameters (such as associated bootstrap values or average branch length distances). Trees can be re-rooted manually on any node, or automatically using the midpoint rooting method. Tree leaves can be sorted in various ways, either manually or automatically. iTOL v4 is the first tool which supports direct visualization of Qiime 2 trees and associated annotations. The user account system has been streamlined and expanded with new navigation options, and currently handles >700 000 trees from more than 40 000 individual users. Full batch access has been implemented allowing programmatic upload and export of trees and annotations. iTOL v4 expands the bootstrap visualization options with full support for MRBAYES and The New Hampshire X (NHX) formatted metadata in the tree nodes, as well as multi-value node support values, e.g. as provided by IQ-TREE. These metadata values are parsed and available as selectable sources for iTOL’s existing bootstrap display options. iTOL offers programmatic access to both its tree upload and export interfaces. All iTOL features available interactively through the web interface can also be accessed through the batch interface. Complete redesign of iTOL in version 3 introduced ‘What-You-See-Is-What-You-Get’ export capabilities, where the user's browser performs the initial creation of the SVG (Scalable Vector Format) image, making our old batch access system incompatible. The current version solves this problem by using scriptable headless browsers on the server side (phantomjs, phantomjs.org). Example upload/download scripts are provided in several programming languages. itol.embl.de 📄academic.oup.com/nar/article…
🚨 Webinar Alert: Account Takeover & Social Engineering in Action
Fraudsters are evolving — and so should your defenses. Join Group-IB and expert Hailey Windham for a deep dive into real-world ATO and #socialengineering cases, detection signals, and frontline strategies to fight back.

What you'll learn:
🔹 Unpack the current state of #ATO attacks: how credentials are compromised, how automation tools like PhantomJS and Selenium are used, and how fraudsters cash out.
🔹 Hear real-world "front-line" cases of ATO and social engineering.
🔹 Identify key detection signals, from behavioral anomalies to transactional #redflags that anti-fraud teams must watch for.
🔹 Understand the psychological tactics behind social engineering and how to spot early and post-attack indicators.
🔹 Explore proactive strategies to strengthen defenses, enhance #frauddetection, and stay ahead of emerging threats.

🎙 Speakers:
- Hailey Windham, CFCS, Founder, CU Fight Fraud LLC
- Julien Laurent, Senior Product Marketing Manager, Group-IB
- Nick Palmer, Head of Business Development and Sales Team, Group-IB

Don't miss this tactical session for fraud fighters.
🔗 Register now: link.group-ib.com/44mmSQi
27 Jun 2025
5️⃣ From XSS to SSRF/LFD @bbuerhaus documents how he escalated an XSS to a local file read (LFR/LFD) vulnerability in PhantomJS! buer.haus/2017/06/29/escalat…
24 May 2025
Who remembers PhantomJS? Right now on the #NgBaguette stage, @sumy92 presenting the whole story of #Angular SSR and Hydration from AngularJS until today, and maybe tomorrow. What a journey!
Replying to @levelsio
Very cool. Never thought of using a screenshot of the whole page for social... I did something similar for a site with 10,000s of pages, using PhantomJS ($10/month) to take the screenshots, with new screenshots only taken when a page changes. Also took it to the next level: adding ?screenshot to a page loads a different HTML template with the same job info, optimized for screenshot dimensions, with all stats larger and only relevant info included.
Replying to @fwbrasil
After reading your code I must admit that Playwright is the best. My data scraping project (on Apache Spark) uses Selenium with PhantomJS/CEF headless, which is much more verbose. Adding to my list of pending migrations 😂