In recent months, a new phishing toolkit known as PoisonSeed has emerged, targeting both individual users and enterprise organizations with unprecedented sophistication.
Unlike traditional phishing kits that harvest only usernames and passwords, PoisonSeed employs an adversary-in-the-middle (AitM) approach to intercept multi-factor authentication (MFA) tokens and session cookies.
Victims receive spear-phishing emails masquerading as notifications from legitimate bulk email or CRM providers, such as SendGrid and Mailchimp.
Embedded links append the target’s encrypted email address directly in the URL, enabling precision-validated phishing that verifies authenticity before presenting fraudulent login prompts.
The toolkit’s infrastructure is built upon React, with a modular design that includes a faux Cloudflare Turnstile challenge page, customized login forms, and support for multiple 2FA channels (SMS, email codes, authenticator apps, and API keys).
Initial delivery often leverages compromised marketing or CRM domains to evade spam filters. When recipients click the link, they land on a staged verification page that mimics a CAPTCHA challenge.
PoisonSeed Phishing Attack Chain (Source – NVISO Labs)
Behind the scenes, an API call to /api/check-email validates that the encrypted email parameter corresponds to a non-banned account. Only upon successful validation does the kit proceed to capture credentials.
NVISO Labs analysts identified PoisonSeed as a variant aligned with the Scattered Spider and CryptoChameleon groups, collectively known as “The Com,” by tracing domain registration patterns and hosting choices.
All known domains were registered via NICENIC and hosted on Cloudflare or similar CDNs, exploiting name-server obfuscation to hinder takedown efforts. By automating domain creation and rotating infrastructure, the adversary maintains a persistent foothold.
Once credentials are harvested, the attackers replay login requests against the legitimate service’s API, relaying MFA codes and ultimately securing valid session cookies that grant full account control.
Following credential acquisition, PoisonSeed automates bulk export of contact lists and hijacks email infrastructure to distribute cryptocurrency-related spam campaigns.
Beyond spam, the toolkit has been observed in targeted attacks against high-profile individuals, including a recent compromise of a security researcher’s Mailchimp mailing list and a fraudulent wallet migration phishing set-up on a major cryptocurrency platform.
Infection Mechanism: Precision-Validated Phishing and AitM Exploitation
At the heart of PoisonSeed’s infection mechanism lies the precision-validated phishing technique, which ensures that only intended targets complete the credential capture process.
When a victim arrives at the initial URL, the React component TurnstileChallenge.jsx extracts the encrypted email query parameter and issues a background POST request:-
useEffect(() => {
const encryptedEmail = new URLSearchParams(location.search).get(’email’);
if (!encryptedEmail) {
window.location.href = ‘https://www.google.com’;
return;
}
axios.post(`${API_URL}/check-email`, { email: encryptedEmail })
.then(response => {
if (response.data.valid && !response.data.banned) {
setIsChecked(true);
} else {
clearSession();
navigate(‘/verify’, { replace: true });
}
})
.catch(() => {
clearSession();
navigate(‘/verify’, { replace: true });
});
}, [location, navigate]);
Once validation passes, a session flag (fakeTurnstileVerified) is set in session storage, allowing the victim to proceed to the login form.
At this stage, the ProtectedRoute wrapper in App.jsx enforces verification before rendering the login component, redirecting any unverified requests back to /verify.
The login form then captures the username and password, relays them to the legitimate backend, and awaits an MFA challenge.
Depending on the account’s configured second factor, the kit presents one of several React components—TwoFactorSMS.jsx, TwoFactorEmail.jsx, TwoFactorGA.jsx, or ApiKeyVerification.jsx—each designed to mimic the genuine service’s UI while forwarding codes to the real provider.
By acting as an AitM relay, PoisonSeed transparently proxies all authentication traffic. As soon as the victim submits a one-time code or API key, the kit captures session cookies issued by the legitimate service and stores them in the attacker’s backend.
These cookies allow the adversary to bypass MFA entirely on subsequent sessions, granting unfettered access to the victim’s account.
PoisonSeed’s Phishing Kit Overview (Source – NVISO Labs)
The phishing kit illustrates this attack flow, highlighting the seamless interception of authentication tokens.
Through this intricate blend of front-end deception and backend relaying, PoisonSeed exemplifies how modern phishing kits can circumvent even robust MFA defenses, underscoring the urgent need for phishing-resistant authentication methods.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
