AI-Assisted Phishing Campaign Exploits Browser Permissions to Capture Victim Data
Summary:
Cyble Research and Intelligence Labs has identified a widespread social engineering campaign active since early 2026 that leverages AI-assisted development techniques to harvest sensitive multimedia and device data. Hosted primarily on edgeone[.]app infrastructure, the campaign uses diverse themes such as "ID Scanner", "Telegram ID Freezing", and "Health Fund AI" to trick users into granting browser-level hardware permissions. Once permissions are granted, the framework captures live images, video recordings, microphone audio, device metadata, contact details, and approximate geographic location. This information is subsequently exfiltrated to attacker-controlled Telegram bots. The breadth of the harvested data poses significant risks to individuals and organizations, enabling follow-on attacks like identity fraud, targeted social engineering, account recovery manipulation, and extortion.
Security Officer Comments:
The sophisticated campaign operates as a web-based phishing framework designed to bypass traditional typed credential harvesting by focusing exclusively on browser hardware permissions. The attack chain begins with social engineering lures impersonating popular brands to establish victim trust. Victims are directed to malicious landing pages hosted on EdgeOne Pages, which provides a low-cost, scalable, and highly available infrastructure. The attackers manipulate the user interface by displaying fake status messages, such as "Capturing photo", "Sending to server", and "Photo sent successfully", to simulate legitimate identity verification or service recovery workflows.
After user consent, the underlying JavaScript silently captures frames from the live video stream, along with device telemetry and geographic location. Rather than relying on dedicated backend servers, the operators utilize the Telegram Bot API for streamlined C2 and as a data exfiltration channel. This API integration allows the malicious client-side scripts to upload captured files directly via simple HTTP requests, simplifying deployment and enabling rapid rotation of phishing URLs.
Analysis of the framework's operational logic revealed structured annotations and emoji-based message formatting embedded within the code. These decorative Unicode symbols within operational code are uncommon in manually written malicious scripts, indicating the use of generative AI tools to accelerate the development of the phishing kit.
Suggested Corrections:
Actionable Suggested Corrections:
- Block known malicious subdomains hosted on edgeone[.]app that are associated with this campaign.
- Monitor or restrict network traffic to api.telegram[.]org from corporate endpoints to prevent unauthorized data exfiltration.
- Configure enterprise web browsers via group policy to block or strictly prompt for hardware permissions (camera, microphone, geolocation) by default, restricting access on untrusted domains.
- Deploy endpoint detection mechanisms to identify anomalous browser behaviors, such as unauthorized or unusual attempts to access device telemetry or contact details via browser APIs.
- Conduct security awareness training to educate users on the specific risks of granting browser permissions to unfamiliar or unverified websites.
- Establish strict organizational policies regarding the use of webcams and microphones on corporate devices.
- Implement robust identity and access management controls, including phishing-resistant Multi-Factor Authentication (MFA), to mitigate the risk of account recovery manipulation using stolen identity data.
- Continuously monitor threat intelligence feeds for new variations of AI-generated phishing kits and emerging brand impersonation campaigns.
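As an added example (not code from the Cyble report), a small Python detector that applies the monitoring advice above to constructed proxy log lines: it flags requests to Telegram Bot API media-upload methods and raises severity when the referring page sits on edgeone.app. The log format, source addresses, hostnames and bot ids are constructed placeholders; only the numeric bot id, never the token secret, is reported.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Telegram Bot API paths look like /bot<id>:<secret>/<method>; capture the id and method only.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>[A-Za-z]+)$")
# Methods that carry a file upload (photo, video, audio, document) rather than plain text.
UPLOAD_METHODS = {"sendPhoto", "sendDocument", "sendVideo", "sendAudio", "sendVoice", "sendMediaGroup"}
# Hosting provider named in the report; the campaign's specific subdomains are not known here.
LURE_DOMAINS = ("edgeone.app",)

# Constructed sample proxy log (not real traffic): "<timestamp> <src> <method> <url> <referer>"
SAMPLE_LOG = """\
2026-02-03T10:14:02Z 10.20.5.17 POST https://api.telegram.org/bot1234567890:AAExampleTokenValue_-abc/sendPhoto https://idscanner-check.edgeone.app/verify
2026-02-03T10:14:05Z 10.20.5.17 POST https://api.telegram.org/bot1234567890:AAExampleTokenValue_-abc/sendMessage https://idscanner-check.edgeone.app/verify
2026-02-03T10:15:40Z 10.20.5.23 GET https://www.example.org/index.html -
2026-02-03T10:16:11Z 10.20.5.31 POST https://api.telegram.org/bot99887766:AnotherExampleToken/sendDocument -
"""

def parse_line(line):
    ts, src, method, url, referer = line.split(" ", 4)
    return {"ts": ts, "src": src, "method": method, "url": url, "referer": referer}

def is_lure_host(host):
    return any(host == d or host.endswith("." + d) for d in LURE_DOMAINS)

def classify(entry):
    """Return a finding if the request looks like browser-to-Telegram exfiltration, else None."""
    u = urlsplit(entry["url"])
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    ref_host = urlsplit(entry["referer"]).hostname or ""
    from_lure = is_lure_host(ref_host)
    upload = m.group("method") in UPLOAD_METHODS
    severity = "high" if upload and from_lure else "medium" if (upload or from_lure) else "low"
    return {"src": entry["src"], "bot_id": m.group("bot_id"), "api_method": m.group("method"),
            "referer_host": ref_host, "severity": severity}

def scan(log_text):
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [f for f in map(classify, entries) if f]

def by_source(findings):
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["src"]].append(f)
    return dict(grouped)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feeding real proxy logs through `scan` requires only adapting `parse_line` to the local log format; a "high" finding pairs a media upload with a lure-hosted referer and is the case worth an immediate endpoint triage.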
Link(s):
https://cyble.com/blog/ai-assisted-phishing-campaign/