Alert: Extortion Groups Are Using Phishing Kits to Automate Their Attacks
ID: 8d297f3d-3cf0-5450-a9ed-c654fc357c28
STIX ID: report--8d297f3d-3cf0-5450-a9ed-c654fc357c28
Feed Name: KnowBe4 Blog
Push Security analyzed a criminal phishing panel active since at least August 2025 and linked to organized crime actors (e.g., ShinyHunters, BlackFile). The kit facilitates hybrid social‑engineering attacks combining voice phishing with AiTM MFA‑bypass to steal authenticated sessions, pivot across connected SaaS platforms (SharePoint, Salesforce, DocuSign, Slack), exfiltrate data, and attempt extortion; researchers observed 400+ domains and multiple forks indicating wider distribution and increased accessibility to financially motivated actors.
