Cyble analyzes an AI-driven phishing campaign that abuses browser permissions to capture victims images and exfiltrate the data to attacker-controlled Telegram bots.

Cyble's publication is a resource for cybersecurity professionals and businesses seeking to stay ahead of evolving cyber threats. Through detailed analysis of threat intelligence, cybersecurity trends, and real-world cyber incidents, Cyble provides  insights into emerging threats, cyber attack tactics, and risk mitigation strategies. Readers can learn about threat detection methodologies, vulnerability assessment techniques, incident response protocols, and compliance standards to enhance their cybersecurity posture. Additionally, Cyble offers expert commentary, best practices, and actionable recommendations to help organizations protect their digital assets, safeguard sensitive data, and maintain business continuity in the face of cyber threats.

Cyble

Cyble Research & Intelligence Labs has uncovered an active phishing campaign hosted on edgeone.app infrastructure that goes beyond credential theft. Using deceptive lures like 'ID Scanner,' 'Telegram ID Freezing,' and 'Health Fund AI,' the campaign tricks users into granting browser-level camera, microphone, and contact permissions. Once granted, embedded JavaScript silently captures photos, video, audio, device fingerprints, geolocation, and contact lists, then exfiltrates everything to attacker-controlled Telegram bots via the Telegram Bot API. The campaign impersonates TikTok, Telegram, Instagram, Google Chrome/Drive, and Flappy Bird. Code analysis suggests AI-assisted development, evidenced by structured annotations and emoji-based formatting in the malicious scripts. Harvested biometric and multimedia data could enable identity fraud, deepfake attacks, video-KYC bypass, extortion, and targeted social engineering. MITRE ATT&CK techniques and IOCs are provided.

AI-Assisted Phishing Campaign Harvesting Victim Data