Quishing Campaigns : Advanced QR-Code Phishing Evaluation and Insights – CYFIRMA

MITRE Techniques

• [T1566.002 ] Phishing: Spear phishing Link – QR codes redirected victims to malicious links hosted on untrusted domains to initiate credential harvesting (‘The QR code URL follows a structured but deceptive pattern in which a malicious or compromised domain is combined with randomly generated directory names and an embedded target specific email identifier.’)
• [T1566.001 ] Phishing: Spear phishing Attachment – Campaign framework lists attachment-based spear phishing as a related initial access vector (’T1566.001 Phishing: Spear phishing Attachment’)
• [T1059.007 ] Command and Scripting Interpreter: JavaScript – Malicious pages executed obfuscated JavaScript in the victim’s browser to reconstruct runtime instructions and autofill fields (‘During the CAPTCHA interaction, the page loads and executes highly obfuscated JavaScript code.’)
• [T1027 ] Obfuscated Files or Information – Attackers used encrypted/obfuscated script payloads and XOR/decryption routines to hide intent and evade detection (‘the script reconstructs hidden instructions at runtime using encoding and encryption techniques’).
• [T1497.003 ] Virtualization/Sandbox Evasion: Time Based Evasion – Fake CAPTCHA interactions intentionally delayed automated analysis and sandbox inspection to hinder detection (‘This CAPTCHA … Delay automated security analysis’).
• [T1556 ] Modify Authentication Process – The phishing flow auto-filled the victim’s email in the login form and altered the expected authentication interaction to increase trust (‘The email auto-fill is performed by heavily obfuscated JavaScript delivered in the server’s response.’)
• [T1056.003 ] Input Capture: Web Portal Capture – The page captured credentials via a fraudulent web form that collected the victim’s password after the email was pre-populated (‘the phishing page presents a password entry field … harvest the complete credentials, email, and password from the targeted user.’)
• [T1114 ] Email Collection – The attack extracted and used the victim’s email embedded in the URL path for targeting and auto-fill purposes (‘this script … extracts the victim’s email address that was embedded in the URL path’)
• [T1071.001 ] Application Layer Protocol: Web Protocols – Malicious scripts communicated with attacker-controlled infrastructure over web protocols to coordinate stages and exfiltration (‘This code communicates with attacker controlled infrastructure and prepares the next stage of the attack’).
• [T1104 ] Multi-Stage Channels – The campaign used a staged flow (QR → landing with CAPTCHA → obfuscated JS → separate exfiltration endpoints) to separate delivery and collection phases (‘a highly targeted, multi-stage attack leveraging social engineering, technical obfuscation, and per-victim infrastructure’).
• [T1090.003 ] Proxy: Multi-hop Proxy – Exfiltration used separate, rotating subdomains and unique endpoints, effectively introducing additional hops and obfuscation in data collection (‘it is encrypted and sent via cross-site POST to a completely different, randomly generated subdomain’).
• [T1041 ] Exfiltration Over C2 Channel – Harvested credentials were encrypted in-browser and exfiltrated over web channels to attacker-controlled collection endpoints (‘The stolen password … is encrypted and sent via cross-site POST to a completely different, randomly generated subdomain’).