Browser-in-the-Browser sextortion scam makes victims pay by imitating Indian Gov

A new Browser-in-the-Browser (BITB) sextortion campaign impersonates the Indian government to coerce victims into paying a fine with their credit card. The attack uses a full-screen fake browser window, browser fingerprinting, and a fraudulent payment flow to harvest card details and relay them to a C2 server. #BITB #IndianGovernment #ZscalerThreatLabZ #supernight

Keypoints

  • BITB phishing campaign impersonates an Indian government site to deliver a sextortion demand.
  • Attack uses a full-screen fake browser window with a fake address bar and unclickable controls to hide the real URL.
  • Browser fingerprinting creates a persistent visitor identifier that works even in incognito or after clearing cookies.
  • Server responses include fake credit card and SMS/OTP forms to capture payment details.
  • Once the victim submits the fake payment form, the page contacts a C2 server and sends the stolen data there (e.g., to gateway.php on a malicious domain).
  • Anti-debugging and keystroke-disabling techniques are used to hinder analysis and user interaction.
  • A large list of IOCs (domains and IPs) is associated with the campaign, indicating widespread hosting infrastructure.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The attackers use a Browser-in-the-Browser popup to impersonate an Indian government page and prompt victims to enter credit card details. “Attackers then prompt the victim with an extortion demand requiring them to enter a credit card and pay a fine to avoid being arrested by the police.”
  • [T1041] Exfiltration Over C2 Channel – After validating credit card details, the credentials are sent to a C2 location. “Sending stolen credit card credentials to c2 location.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The campaign employs anti-debugging and fullscreen/keystroke disabling to hinder analysis and victim interaction. “This phishing page also has anti-debugging techniques…” and “Function to disable keystrokes”

Indicators of Compromise

  • [Domain] supernight.world – used as a hosting/C2 domain for the scam
  • [Domain] alimalipay.xyz – associated domain in the campaign
  • [Domain] searchfirst.xyz – observed phishing domain related to the operation
  • [IP] 65.20.70.213 – observed infrastructure address
  • [IP] 92.255.85.133 – observed infrastructure address
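As an added example (not code from the Zscaler write-up or ThreatLabZ tooling), the IOC list above and the gateway.php exfiltration path from the key points can be turned into a small proxy-log matcher. The log lines and their field layout are constructed for the example; the domain test is an exact-or-subdomain match so that a look-alike such as notsupernight.world does not produce a false hit, and a POST to gateway.php is only reported when the same line already hits a listed domain or IP, since the filename alone is a weak signal.

```python
"""Match proxy log lines against the BITB sextortion campaign IOCs.

Added example, not part of the original write-up. Log lines and their
field layout are constructed; adapt LINE_RE to your own proxy format.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# IOCs copied from the list above.
IOC_DOMAINS = {"supernight.world", "alimalipay.xyz", "searchfirst.xyz"}
IOC_IPS = {ipaddress.ip_address("65.20.70.213"),
           ipaddress.ip_address("92.255.85.133")}
# Exfil endpoint named in the write-up ("gateway.php on a malicious domain").
IOC_PATH_SUFFIX = "/gateway.php"

# Constructed sample: "<ts> <client_ip> <method> <url> <dest_ip> <status>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://www.example.com/ 93.184.216.34 200
2024-05-01T10:00:07Z 10.0.0.5 GET https://login.supernight.world/index.html 65.20.70.213 200
2024-05-01T10:00:09Z 10.0.0.5 POST https://login.supernight.world/gateway.php 65.20.70.213 200
2024-05-01T10:01:15Z 10.0.0.9 GET http://92.255.85.133/ 92.255.85.133 200
2024-05-01T10:02:00Z 10.0.0.9 GET https://notsupernight.world/ 203.0.113.7 200
2024-05-01T10:03:00Z 10.0.0.12 POST https://cdn.example.org/gateway.php 203.0.113.8 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<dest>\S+) (?P<status>\d{3})$"
)


def domain_matches(host, iocs):
    """True if host equals an IOC domain or is a subdomain of one.

    A plain suffix test would wrongly match notsupernight.world, so the
    subdomain case requires a dot before the IOC domain.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def classify(line):
    """Return the reasons a log line is suspicious (empty list if clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    url = urlsplit(m["url"])
    host = url.hostname or ""
    reasons = []
    if domain_matches(host, IOC_DOMAINS):
        reasons.append(f"ioc-domain:{host}")
    # Either a literal-IP URL or the resolved destination may hit an IOC IP.
    for cand in (host, m["dest"]):
        try:
            if ipaddress.ip_address(cand) in IOC_IPS:
                reasons.append(f"ioc-ip:{cand}")
                break
        except ValueError:
            pass  # not an IP literal, skip
    # gateway.php is only reported when the line already hits an IOC.
    if url.path.endswith(IOC_PATH_SUFFIX) and m["method"] == "POST" and reasons:
        reasons.append("c2-post:gateway.php")
    return reasons


def scan(log_text):
    """Map each flagged line number (1-based) to its list of reasons."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hits[n] = reasons
    return hits


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(reasons)}")
```

For retrospective hunting, relax the gateway.php rule to report any POST to that path as a low-confidence lead; for alerting, keep it tied to a listed domain or IP so benign sites that happen to use the same filename (line 6 of the sample) stay quiet.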

Read more: https://www.zscaler.com/blogs/security-research/browser-browser-sextortion-scam-makes-victims-pay-imitating-indian-gov