Security researchers outline detection strategies for the Caffeine phishing service platform, including endpoint and network indicators. They provide YARA rules, domain infrastructure details, and defensive best practices to mitigate PhaaS-based phishing campaigns. #Caffeine #PhaaS #Mandiant #Phishing
Keypoints
- Endpoint detections rely on YARA rules targeting Caffeine kit artifacts such as specific PHP files, obfuscation patterns, and configuration files.
- The Caffeine-style PHP obfuscation noted in the article (e.g., in index.php) shows that obfuscated scripts are part of the toolkit, and one of the YARA rules keys on that obfuscation mechanism rather than on a single file.
- Deployed kits read their main configuration from config.json; the default configuration artifacts it carries are baked into the detections as toolmarks.
- Typical Caffeine phishing artifacts include redirect pages (e.g., file.htm) whose default configuration strings serve as toolmarks for the matching detection.
- Several domains and hosting patterns (e.g., caffeinefiles.click, caffeines.store, caffeines.space) are associated with Caffeine’s architecture, often behind Cloudflare; legitimate services like ip-api.io and telegram.org are also leveraged.
- Strategic defenses recommended include public-facing infrastructure reviews, behavioral analytics on web logs, password policy reassessment, and mandatory two-factor authentication for external access.
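Worked example of the endpoint side of these detections: an added Python triage scanner, not Mandiant's code and not their published YARA rules. It walks a web root looking for the artifact classes the keypoints name (obfuscated PHP, client-side redirect pages, a config.json sitting next to the kit, and files whose MD5 matches the two hashes listed under Indicators of Compromise). The obfuscation and redirect regexes are generic assumptions about what "Caffeine-style" looks like, not the strings from the published rules; the sample kit directory it builds, including the config.json keys, is constructed for the run.

```python
"""Triage scanner for Caffeine-style phishing-kit artifacts in a web root.

Added example, not Mandiant's YARA rules. The obfuscation heuristics
(eval of base64_decode/gzinflate/str_rot13 output, long base64 blobs) and
the redirect heuristics are generic PHP/HTML signals and an assumption
about what "Caffeine-style" means, not the strings from the real rules.
"""
import hashlib
import json
import os
import re
import tempfile

# MD5 hashes published as IOCs on the page; a match is a known artifact.
KNOWN_MD5 = {
    "ce9a17f9aec9bd2d9eca70f82e5e048b",
    "684b524cef81a9ef802ed3422700ab69",
}

# Generic PHP obfuscation signals (assumption, see module docstring).
PHP_OBFUSCATION = re.compile(
    r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# Client-side redirect techniques common on phishing landing pages (assumption).
REDIRECT = re.compile(
    r'(<meta[^>]+http-equiv=["\']?refresh|window\.location(\.href)?\s*=|location\.replace\()',
    re.IGNORECASE,
)


def scan_file(path):
    """Return a list of (rule, detail) findings for one file."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_MD5:
        findings.append(("known_hash", digest))
    name = os.path.basename(path).lower()
    text = data.decode("utf-8", errors="replace")
    if name.endswith(".php"):
        if PHP_OBFUSCATION.search(text):
            findings.append(("php_obfuscation", "eval of decoded payload"))
        if LONG_BASE64.search(text):
            findings.append(("php_obfuscation", "long base64 blob"))
    elif name.endswith((".htm", ".html")) and REDIRECT.search(text):
        findings.append(("redirect_page", "client-side redirect"))
    elif name == "config.json":
        try:
            cfg = json.loads(text)
            findings.append(("kit_config", "keys=" + ",".join(sorted(cfg))))
        except ValueError:
            findings.append(("kit_config", "unparseable config.json"))
    return findings


def scan_webroot(root):
    """Walk a web root; map relative path -> findings for files with hits only."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                results[os.path.relpath(full, root)] = hits
    return results


def build_sample_webroot():
    """Constructed sample kit layout for a stand-alone run (not real kit files)."""
    root = tempfile.mkdtemp(prefix="kit-")
    payload = "eval(base64_decode('" + "QUJDRA" * 40 + "=='));"
    samples = {
        "index.php": "<?php " + payload + " ?>",
        "file.htm": '<meta http-equiv="refresh" content="0;url=/login/index.php">',
        "config.json": '{"telegram_token": "x", "redirect_url": "/"}',  # hypothetical keys
        "favicon.ico": "\x00\x00\x01\x00",
        "legit.php": "<?php echo 'hello'; ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, hits in scan_webroot(build_sample_webroot()).items():
        print(rel, hits)
```

The hash check is exact-match only, so it is the least durable part: any re-packaged kit changes the MD5s, while the obfuscation and redirect heuristics keep firing. Run the scanner against a copy of the web root, not the live tree, and expect to tune the long-base64 threshold on sites that embed inline images.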
MITRE Techniques
- [T1566.002] Spearphishing Link – Redirect pages drive targets to the phishing content; the article notes: “This is a typical Caffeine redirect page. The strings within the matching detection are configuration artifacts Caffeine leverages by default.”
- [T1027] Obfuscated Files or Information – PHP obfuscation detected in Caffeine-style scripts; the article states: “This detection casts a wider phishing net than the previous rule, looking for PHP files that have a ‘Caffeine-style’ obfuscation mechanism…”
- [T1071.001] Web Protocols – Telegram is used as the operator communication channel; the article notes: “A legitimate encrypted messaging service used heavily by Caffeine.”
Indicators of Compromise
- [Domain/URL] caffeinefiles.click, caffeines.store – Active hosting domains used by Caffeine kit components and store operations.
- [IP Address] 104.21.6.210, 149.154.167.99 – 104.21.6.210 is a Cloudflare edge address fronting the kit's domains (shared with unrelated sites, so pivot on hostname rather than IP); 149.154.167.99 is Telegram infrastructure contacted by the kit for operator communication.
- [MD5] ce9a17f9aec9bd2d9eca70f82e5e048b, 684b524cef81a9ef802ed3422700ab69 – MD5 hashes of specific Caffeine artifacts referenced alongside the YARA rules.
- [File Name] index.php, config.json, file.htm, favicon.ico – Core artifact files used by Caffeine kits and detections.
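Worked example of the network side: an added Python matcher, not Mandiant's code, that runs egress/proxy log lines against the domains and IPs listed above and assigns a confidence that reflects the caveats a practitioner would apply. A hit on one of the kit domains is high confidence; outbound traffic to telegram.org or ip-api.io is only interesting when it originates from a web server rather than a user workstation; a bare hit on the shared Cloudflare IP is low confidence until the hostname or SNI confirms it. The log format (timestamp, source IP, destination IP, host, method, URL), the set of web-server addresses, and every sample line are assumptions constructed for the run.

```python
"""Match egress logs against the Caffeine network indicators from the page.

Added example; the log format, the web-server set and the confidence
weights are assumptions. The indicators are the page's domains and IPs.
"""
import re
from collections import namedtuple

# Domains the page associates with Caffeine infrastructure.
KIT_DOMAINS = ("caffeinefiles.click", "caffeines.store", "caffeines.space")
# 104.21.6.210 is a Cloudflare edge address shared by many unrelated sites,
# so a bare IP hit is weak evidence; 149.154.167.99 belongs to Telegram, a
# legitimate service the kit uses for operator communication.
SHARED_CDN_IPS = {"104.21.6.210"}
TELEGRAM_IPS = {"149.154.167.99"}
# Legitimate services the page notes Caffeine leverages.
ABUSED_SERVICES = ("ip-api.io", "telegram.org")
# Assumed: addresses of this organisation's own web servers.
WEB_SERVERS = {"10.0.0.20"}

Alert = namedtuple("Alert", "line confidence reason")

# Assumed egress log format: ts src_ip dst_ip dst_host method url
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)


def host_matches(host, domains):
    """Exact or subdomain match, case-insensitive, tolerating a trailing dot."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(entry, servers):
    """Return (confidence, reason) or None for one parsed log entry.

    Outbound Telegram/ip-api traffic from a web server looks like the kit
    phoning home; the same traffic from a workstation is normally the app.
    """
    host, dst, src = entry["host"], entry["dst"], entry["src"]
    if host_matches(host, KIT_DOMAINS):
        return ("high", "kit domain " + host)
    if host_matches(host, ABUSED_SERVICES) or dst in TELEGRAM_IPS:
        if src in servers:
            return ("medium", "web server %s contacting %s" % (src, host))
        return None
    if dst in SHARED_CDN_IPS:
        return ("low", "shared Cloudflare edge IP %s (verify host header/SNI)" % dst)
    return None


def scan_log(lines, servers):
    """Parse each line, skip malformed ones, and collect alerts in log order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m.groupdict(), servers)
        if verdict:
            alerts.append(Alert(line.strip(), *verdict))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2022-10-10T12:00:01Z 10.0.5.7 104.21.6.210 login.caffeines.store GET /index.php
2022-10-10T12:00:02Z 10.0.0.20 149.154.167.99 api.telegram.org POST /bot123/sendMessage
2022-10-10T12:00:03Z 10.0.5.8 149.154.167.99 api.telegram.org POST /bot456/getUpdates
2022-10-10T12:00:04Z 10.0.5.9 104.21.6.210 www.example.org GET /
2022-10-10T12:00:05Z 10.0.5.9 93.184.216.34 example.com GET /
not a log line
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines(), WEB_SERVERS):
        print(a.confidence, a.reason)
```

The ordering of the checks in classify is deliberate: the kit-domain test runs before the shared-IP test so that a Cloudflare-fronted kit domain is reported as high rather than low, and the Telegram branch returns None for workstation traffic instead of falling through to the IP check.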
Read more: https://www.mandiant.com/resources/blog/caffeine-phishing-service-platform