Early October 2025 witnessed the resurgence of a retro phishing technique that exploits legacy Basic Authentication URLs to deceive users into divulging sensitive credentials.

Threat actors crafted links in the format https://username:password@domain.com, embedding a trusted institution’s domain in the username field to visually mimic legitimate services.

When users click these links, their browsers authenticate to the malicious domain specified after the @ symbol, silently harvesting the credentials intended for the forged site.

This tactic is particularly effective in mobile apps and email clients that truncate long URLs, showing only the deceptive portion before the @ symbol.

Netcraft analysts noted the first wave of these attacks targeting GMO Aozora Bank customers in Japan, where the attackers registered URLs such as hxxps://gmo-aozora.com%25TOKEN@coylums.com/sKgdiq.

Victims encountering these links in phishing emails were prompted to complete a Japanese-language CAPTCHA page designed to simulate a legitimate security check.

Despite modern browsers supporting Basic Auth URLs, this format has fallen out of favor due to security concerns, making it an unexpected vector that evades casual URL scrutiny.

Following the initial discovery, Netcraft researchers identified more than 200 unique Basic Auth phishing URLs in a two-week period.

Attacks impersonated major brands including Amazon, Google, and Netflix, often cloaking malicious domains behind familiar names.

One example spoofed Netflix, luring recipients into clicking a link that seemed legitimate but directed them to a credential-stealing script hosted on themiran.net.

The coordinated use of multiple malicious domains and encoded tokens strengthened the illusion of legitimate authentication flows.

Beyond simple credential harvesting, these phishing links also implemented human verification CAPTCHAs to delay automated takedown efforts and to reinforce trust among victims.

The CAPTCHA page emulated a security checkpoint, requiring users to click “I am not a robot” before proceeding to a counterfeit login form. This extra step both increased the perceived legitimacy of the page and gave attackers additional time to capture credentials.

Infection Mechanism and Credential Exfiltration

Upon clicking a compromised Basic Auth URL, the victim’s browser issues an HTTP GET request with the credentials field set to the trusted domain text.

For example:-

GET /sKgdiq HTTP/1.1  
Host: coylums.com  
Authorization: Basic Z21vLWFvem9yYS5jb206  

Here, Z21vLWFvem9ycmEuY29tOg== is the Base64-encoded representation of the string gmo-aozora.com:. The server decodes this header to confirm the presence of the embedded “username,” then serves the phishing page that mimics the bank’s login interface.

Submitted credentials are sent via a POST request to the attacker’s backend endpoint, where they are collected for later misuse.

This mechanism bypasses typical URL filters that focus on query strings rather than embedded authentication tokens.

By reviving this outdated HTTP feature, attackers have demonstrated how legacy standards can be repurposed for modern phishing campaigns.

Financial institutions and security teams should update URL inspection rules to detect and block Basic Authentication tokens in links and educate users about the dangers of unbeknownst embedded credentials.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Phishing Attack Uses Basic Auth URLs to Trick Users and Steal Login Credentials appeared first on Cyber Security News.

A sophisticated multi-stage malware campaign is targeting organizations globally, utilizing the PhantomVAI Loader to distribute dangerous information-stealing malware.

The attack chain, which begins with carefully crafted phishing emails, has emerged as a significant threat to businesses across manufacturing, education, healthcare, technology, utilities, and government sectors.

This malware family, previously known as Katz Stealer Loader, has evolved to deliver multiple infostealer variants including AsyncRAT, XWorm, FormBook, and DCRat, making it a versatile tool in the cybercriminal arsenal.

The infection begins when unsuspecting users receive phishing emails containing malicious attachments disguised as legitimate business communications.

These emails employ social engineering themes such as sales inquiries, payment notifications, and legal matters to lure victims into opening archived JavaScript or VBS files.

What makes these attacks particularly insidious is the use of homograph attacks, where threat actors replace Latin characters with visually similar Unicode characters, effectively bypassing email security filters.

After the initial phishing stage, Palo Alto Networks analysts identified that the attack progresses through multiple sophisticated layers.

The malicious scripts are heavily obfuscated and contain Base64-encoded PowerShell commands that execute automatically upon opening.

These PowerShell scripts download what appears to be an innocuous GIF or image file from attacker-controlled servers.

However, these image files conceal the loader payload using steganography techniques, where Base64-encoded DLL files are embedded within the image data between specific delimiter strings such as \<\<sudo_png>> and \<\<sudo_odt>>.

Infection Mechanism and Evasion Techniques

Once the encoded text is extracted, the PowerShell script decodes it and loads the PhantomVAI Loader DLL written in C#. The loader executes a method called VAI, which performs multiple critical functions before deploying the final payload.

It conducts comprehensive virtual machine detection checks using code based on the VMDetector GitHub project.

The malware examines system attributes including computer information, BIOS details, hard disk characteristics, and Windows services to determine if it runs in a virtualized environment.

If any check returns positive, PhantomVAI Loader immediately terminates.

The loader establishes persistence through scheduled tasks that execute PowerShell commands to download and run files from attacker-controlled URLs, or by creating Windows Registry Run keys.

Finally, it downloads the final payload from a command-and-control server and injects it into legitimate system processes using process hollowing, most commonly targeting MSBuild.exe in the .NET Framework directory.

This evasion mechanism allows the malware to operate undetected while delivering information-stealing capabilities.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post PhantomVAI Loader Attacking Organizations Worldwide to Deliver AsyncRAT, XWorm, FormBook and DCRat appeared first on Cyber Security News.