Keypoints
- 0ktapus targets IT service desk staff and administrators using a range of social engineering tactics—smishing, vishing, phishing pages, MFA fatigue, and SIM hijacking—to harvest credentials and gain cloud access.
- The report catalogs multiple DOM templates (A–L) used in 0ktapus phishing pages, each with distinct fingerprints, example domains and activity windows to aid detection and pivoting.
- Application fingerprinting techniques—like searching for shared scripts, hashes, or replicated assets—help pivot from known phishing pages to uncover additional malicious domains.
- Network profiling (shared IPs, nameservers, JARM, certificate patterns) and domain registration analysis (registrar, registration/expiration patterns, nameserver usage) further reveal related phishing infrastructure.
- 0ktapus often reuses or reactivates previous infrastructure and returns to previously compromised victims, increasing the need for continuous vigilance.
- Practical prevention and detection recommendations include enforcing MFA/SSO, tightening MFA/SSPR registration, restricting app access to managed devices, and monitoring Okta behavior detection and system logs.
MITRE Techniques
- No explicit MITRE ATT&CK technique identifiers (TIDs) were cited in the article – ‘Phishing is a commonly observed technique used by threat actors to gain illicit access to identities, including cloud identities.’ (describes use of phishing, smishing, vishing, MFA fatigue and SIM hijacking as methods for credential theft)
Indicators of Compromise
- [Domain] phishing landing pages and examples – revolut-ticket[.]com, gemini-sso[.]com, and other domains such as dashboard-mailgun[.]com, att-mfa[.]com (many more enumerated in the linked GitHub CSV)
- [File hashes] DOM/script/file SHA256 examples – fb1d07ab6c54c7380a93a507b48bc5ba0aee77ca32b7d4c57c38f007857a6fd1, 69b575025bd763e58fcb95035b9b6e358f43737d91e01ebdaa19934e0206a966, and other hashes (and 4 more hashes)
- [Image/hash] replicated asset used as logo – dd4782fc37ada8c2411fd65877eb3c3199aa67224ffa6c65b81c2e4b8658f727 (DoorDash logo image reused across multiple phishing domains)
- [File names / scripts] script and path indicators – /bundles/modernizr, /WebResource.axd, /Scripts/jquery-2.2.3.min.js, discoveryIframe-82e613074a3700abe11a.min.js
- [Nameserver / registrar] hosting and registration artifacts – ns3.my-ndns[.]com (nameserver), Registrar.eu and Choopa (registrars) used repeatedly by domains linked to the campaigns
The original article reviews how cloud-focused phishing campaigns run by the actor known as 0ktapus (aka Scattered Spider and several other aliases) operate and how defenders and researchers can find related phishing infrastructure. The threat actor prioritizes social engineering to obtain credentials, often singling out IT service desk workers and administrators so stolen access can be used to steal data, deploy ransomware, or extort victims. The authors compile and label a set of Document Object Model templates—A through L—observed across two years of phishing pages, and they provide distinguishing features, example domains and activity periods for each template to support hunting and attribution efforts.
- Template A is one of the most common patterns in recent months and is characterized by references such as /bundles/modernizr, /WebResource.axd, and /Scripts/jquery-2.2.3.min.js; its page title often reads “CMS Dashboard Login,” image height tag errors appear repeatedly, and placeholders vary between values like “Email or Username” and “SSO ID.” Example domains using this template include revolut-ticket[.]com and other imitations reported since May 2023.
- Template B contains a hidden link to a legitimate Okta subdomain and uses PHP endpoints like f[redacted].php and factor.php to capture credentials and 2FA responses, with gemini-sso[.]com observed since November 2023.
- Template C includes image tags referencing a _nuxt keyword and was reported by Group‑IB, with domains like att-mfa[.]com active from July 2022 through April 2024.
- Template D has scripts named Poll.js and init.js and constructs strings such as ${credential}:${password}, with domains like stargate-okta[.]com appearing since September 2024.
- Template E sends POSTs to /login/email or /login/identifier and loads htmx.min.js; dashboard-mailgun[.]com surfaced in October 2024.
- Templates F and G are recognized by explicit SHA256 DOM hashes and include domains such as mgmresorts-okta[.]com (Aug 2022) and calendar-dd[.]com (Sep 2022).
- Template H posts victim data to ../tmo/data/login.php and includes t-mobile-okta[.]com (Sep 2023).
- Template I encodes images and fonts in base64 and includes intercom-okta[.]com (Nov 2023–Apr 2024).
- Template J uses authorization.php with a known SHA256 and posts to files/common.php (klav-workday[.]com, Mar 2023).
- Template K features unique script and CSS names such as index-CDmh8I23.js and index-aNURsHR-.css (grid-review[.]com, Sep 2024).
- Template L is identified by a DOM SHA256 and includes rejectauth-sendgrid[.]com (Aug 2024–present).
The research focuses primarily on Template A for demonstration, while acknowledging that identical kits can be used by multiple groups, complicating definitive attribution.
The article presents practical detection approaches grouped into three broad categories. Application fingerprinting inspects the page HTML, script names, embedded code and asset hashes to find pages that share unique artifacts. Replicated assets are a useful pivoting method because attackers often copy images, CSS or scripts directly from the legitimate sites they mimic; for example, a DoorDash logo image hash tied back to multiple phishing domains revealed several sites impersonating DoorDash services. The authors note that relying solely on exact HTML hashes can be brittle because pages tailored per victim will differ; nevertheless, searching for shared scripts, uncommon file names and specific DOM patterns yields fruitful leads.
Network profiling complements application fingerprints by exposing shared infrastructure elements. Because phishing domains are often short-lived and hosted with lightweight configurations, they sometimes lack robust TLS setups or reuse the same certificate authorities, nameservers and IP ranges. Monitoring IP addresses, scanning for other domains hosted on the same IPs, and observing repeated JARM signatures or open ports can expose clusters of related domains. The researchers underscore that 0ktapus commonly registers domains with nameserver ns3.my-ndns[.]com and has used registrars like Registrar.eu and Choopa, patterns that can be monitored to detect newly registered phishing domains.
Domain registration analysis adds another layer: tracking registrar usage, registration and expiration dates, and naming conventions uncovers automation patterns and bulk registrations. The actor favors .com and .net TLDs and frequently uses terms such as servicenow, hr, corp, dev, okta, sso and workspace in domain names. Some domains are intentionally aged before use to improve reputation scores, and older infrastructure can be reactivated later; for instance, mailgun-okta[.]com was observed in campaigns both in August 2022 and again in May of a subsequent year. By combining registration timing, nameserver usage and the fingerprints from application and network profiling, defenders improve their odds of surfacing emerging malicious domains.
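The following added example (my own code, not the article's or Wiz's tooling) scores WHOIS-style records against the registration signals described above. The nameserver, registrars, TLDs and naming terms are the ones the article lists; the records themselves, their registrar, nameserver and date values, and the point weights are constructed for the demo.

```python
from datetime import date

# Registration artifacts the article attributes to 0ktapus, used here as weighted signals.
SUSPECT_NAMESERVERS = {"ns3.my-ndns.com"}
SUSPECT_REGISTRARS = {"registrar.eu", "choopa"}
FAVOURED_TLDS = {"com", "net"}
KEYWORDS = {"servicenow", "hr", "corp", "dev", "okta", "sso", "workspace"}

# Constructed WHOIS-style records. The first two domain names come from the article, but
# every registrar, nameserver and date value below is made up for this demo.
RECORDS = [
    {"domain": "stargate-okta[.]com", "registrar": "Registrar.eu", "created": "2024-06-02",
     "first_seen": "2024-09-10", "nameservers": ["ns3.my-ndns[.]com", "ns4.my-ndns[.]com"]},
    {"domain": "dashboard-mailgun[.]com", "registrar": "Choopa", "created": "2024-10-01",
     "first_seen": "2024-10-03", "nameservers": ["ns1.dns-example[.]net"]},
    {"domain": "intranet-news[.]org", "registrar": "Example Registrar", "created": "2019-03-14",
     "first_seen": "2024-09-01", "nameservers": ["ns1.dns-example[.]net"]},
]


def refang(value: str) -> str:
    """Turn a defanged indicator such as ns3.my-ndns[.]com back into a comparable hostname."""
    return value.replace("[.]", ".").lower()


def score_domain(rec: dict) -> dict:
    """Combine nameserver, registrar, TLD and naming signals into one score, keeping the reasons."""
    labels = refang(rec["domain"]).split(".")
    tld, tokens = labels[-1], set("-".join(labels[:-1]).split("-"))
    hits = sorted(KEYWORDS & tokens)          # whole labels only, so "hr" does not match "three"
    signals = [
        (3, "nameserver", any(refang(ns) in SUSPECT_NAMESERVERS for ns in rec["nameservers"])),
        (2, "registrar", rec["registrar"].lower() in SUSPECT_REGISTRARS),
        (1, "tld", tld in FAVOURED_TLDS),
        (min(2, len(hits)), "keywords:" + ",".join(hits), bool(hits)),
    ]
    score, reasons = 0, []
    for points, reason, fired in signals:
        if fired:
            score += points
            reasons.append(reason)
    # Age at first observed activity: the article notes some domains are aged before use.
    age = (date.fromisoformat(rec["first_seen"]) - date.fromisoformat(rec["created"])).days
    return {"domain": rec["domain"], "score": score, "reasons": reasons, "age_days": age}


def rank(records: list) -> list:
    """Most 0ktapus-like domains first, for analyst triage."""
    return sorted((score_domain(r) for r in records), key=lambda r: -r["score"])
```

The weights are deliberately simple; the point, per the article's attribution caveat, is that several weak registration signals together are more useful than any one of them alone.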
The report also describes the attribution challenges inherent in this work. Shared public assets such as logos or scripts may appear across different malicious pages, and phishing kits are often reused or sold, meaning a cluster of similar pages might represent multiple actors. To improve confidence in attribution, analysts should combine multiple indicators—victim profile, ASN, registrar and nameserver choices, DOM template artifacts and other infrastructure details—rather than rely on any single signal.
Several distinctive technical artifacts tied to Template A are highlighted as reliable hunting signals. A recurring syntax error in image height attributes appears across many Template A pages and likely stems from a bug in the phishing kit. Identical JavaScript tags and repeated file names and paths, such as the WebResource.axd example and the bundles/modernizr plus jquery-2.2.3.min.js combination, are other repeatable fingerprints that can be used with URL scanning and threat-hunting platforms to discover additional sites created with the same kit.
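As an added illustration of the application fingerprinting described above (my own code, not the article's or Wiz's), this Python snippet extracts the Template A artifacts from two constructed pages that differ only in their placeholder text: the whole-DOM hash changes between them, but the script-path artifacts still match the template. The page contents, the signature dictionary layout and the malformed height attribute used as a stand-in for the kit's bug are assumptions.

```python
import hashlib
import re

# Two constructed pages carrying the Template A artifacts the article names; they differ
# only in the input placeholder, as the article says real pages do. Not captured pages.
PAGE_TEMPLATE = """<html><head><title>CMS Dashboard Login</title>
<script src="/bundles/modernizr"></script>
<script src="/WebResource.axd?d=Vn1"></script>
<script src="/Scripts/jquery-2.2.3.min.js"></script></head>
<body><img src="logo.png" height="40px""><input placeholder="{ph}"></body></html>"""
PAGE_1 = PAGE_TEMPLATE.format(ph="Email or Username")
PAGE_2 = PAGE_TEMPLATE.format(ph="SSO ID")

# Script/asset names the article lists per template; the dictionary layout is my own.
SIGNATURES = {
    "A": {"/bundles/modernizr", "/WebResource.axd", "/Scripts/jquery-2.2.3.min.js"},
    "D": {"Poll.js", "init.js"},
    "E": {"htmx.min.js"},
    "K": {"index-CDmh8I23.js"},
}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc="([^"?]+)', re.I)
TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
# Stand-in for the kit's malformed img height attribute; the article does not show the exact error.
BAD_IMG_HEIGHT = re.compile(r'<img[^>]*\sheight="[^"]*""', re.I)


def fingerprint(html: str) -> dict:
    """Pull out the pivot artifacts: whole-DOM SHA256, script paths (query strings dropped), title, quirk."""
    m = TITLE.search(html)
    return {
        "dom_sha256": hashlib.sha256(html.encode()).hexdigest(),
        "scripts": set(SCRIPT_SRC.findall(html)),
        "title": m.group(1).strip() if m else None,
        "img_height_quirk": BAD_IMG_HEIGHT.search(html) is not None,
    }


def match_templates(fp: dict, signatures: dict = SIGNATURES) -> list:
    """Score each template by the share of its script artifacts present in the page, best first."""
    results = []
    for name, artifacts in signatures.items():
        hits = sum(any(a in path for path in fp["scripts"]) for a in artifacts)
        if hits:
            results.append((name, round(hits / len(artifacts), 2)))
    return sorted(results, key=lambda r: (-r[1], r[0]))
```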
For defenders, the article recommends preventative controls and detection measures. Enforcing multi-factor authentication and single sign-on broadly reduces the success rate of stolen credentials, and strengthening MFA and self-service password reset (SSPR) registration with device- or network-based checks helps prevent attackers from adding new MFA options. Restricting application access to managed or registered devices (for example, with Okta FastPass or endpoint management controls) further reduces risk. On the detection side, monitoring for anomalous or suspicious authentication activity against Okta—using behavior detection, step-up authentication, and analysis of system logs—can surface potential MFA hijacking or SIM swap incidents, such as new device registrations from unexpected operating systems, older device models, multiple identities tied to one phone ID, or external email addresses added as multifactor options.
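To show the detection side as code (added here; not Wiz's or Okta's), the snippet below runs three of the checks listed above over constructed MFA enrolment events: an unexpected operating system, one phone ID tied to multiple identities, and an external email address added as a factor. The flat event schema, the expected-OS set and the corporate email domain are assumptions, and a real pipeline would map Okta System Log fields onto them; the older-device-model check is left out because it needs an organisation-specific inventory.

```python
from collections import defaultdict

# Organisation baselines: assumptions for this demo, not Okta settings.
EXPECTED_OS = {"Windows", "macOS", "iOS", "Android"}
CORP_EMAIL_DOMAINS = {"corp.example"}

# Constructed enrolment events in a flat schema chosen for the demo. "kind" is a new
# device or factor registration; "phone_id" and "email" are set when that factor type was added.
EVENTS = [
    {"ts": "2024-09-10T08:01:00Z", "user": "alice@corp.example", "kind": "device_enroll",
     "os": "Windows", "phone_id": None, "email": None},
    {"ts": "2024-09-10T09:15:00Z", "user": "bob@corp.example", "kind": "factor_enroll",
     "os": "Linux", "phone_id": "PH-7781", "email": None},
    {"ts": "2024-09-10T09:20:00Z", "user": "carol@corp.example", "kind": "factor_enroll",
     "os": "iOS", "phone_id": "PH-7781", "email": None},
    {"ts": "2024-09-10T11:42:00Z", "user": "dave@corp.example", "kind": "factor_enroll",
     "os": "Android", "phone_id": None, "email": "dave.backup@mail-example.net"},
]


def detect(events: list, expected_os=EXPECTED_OS, corp_domains=CORP_EMAIL_DOMAINS) -> list:
    """Return (rule, subject, detail) alerts for the MFA-hijack patterns the article lists."""
    alerts = []
    users_by_phone = defaultdict(set)
    for e in events:
        if e["kind"] in ("device_enroll", "factor_enroll") and e["os"] not in expected_os:
            alerts.append(("unexpected_os", e["user"], e["os"]))
        if e["phone_id"]:
            users_by_phone[e["phone_id"]].add(e["user"])
        if e["email"] and e["email"].rsplit("@", 1)[-1].lower() not in corp_domains:
            alerts.append(("external_email_factor", e["user"], e["email"]))
    # A phone ID appearing on more than one identity is the SIM-swap / MFA-hijack signal.
    for phone_id, users in users_by_phone.items():
        if len(users) > 1:
            alerts.append(("shared_phone_id", ",".join(sorted(users)), phone_id))
    return alerts
```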
Finally, the researchers provide practical guidance and resources to replicate their findings. They compiled IOCs relevant to activity between May 1, 2024 and October 12, 2024 in a public GitHub repository, and they recommend integrating the techniques described—application fingerprinting, network profiling and domain registration analysis—into continuous hunting workflows so new campaigns can be found before attackers achieve their objectives. The authors stress that because 0ktapus tends to revisit previous victims and reuse effective infrastructure, organizations must maintain ongoing vigilance even after incidents have been remediated.
Read more: https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktapus-domains