ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution
ID: d751d7ea-f531-5fdd-ac8c-b064f14870a8
STIX ID: report--d751d7ea-f531-5fdd-ac8c-b064f14870a8
Feed Name: EclecticIQ
Threat Score
Executive Summary — EclecticIQ analysts discovered active phishing campaigns leveraging an ONNX Store Phishing-as-a-Service platform that distributes QR-coded malicious PDFs to redirect victims to Microsoft 365–style AiTM phishing pages, capturing credentials and 2FA tokens in real time; the report details technical analysis, infrastructure overlaps with the Caffeine kit, attribution to an Arabic-speaking actor (MRxC0DER), IOCs, YARA detection rules, and recommended mitigations.
