Virtual Machine Aware Phishing Sites
ID: 0a16aed0-a1c7-52f0-af49-e948ec1e517f
STIX ID: report--0a16aed0-a1c7-52f0-af49-e948ec1e517f
Feed Name: On the Hunt
The report examines a DHL-themed phishing page that uses WebGL's WEBGL_debug_renderer_info and screen properties (color depth and resolution) to detect virtual machines or headless/bot environments, and that withholds the malicious content when it detects one. The analyst links the payload to a ‘m3dular’ phish kit, provides example phishing URLs and mail IOCs (including a sender IP), and highlights the anti-analysis techniques used by the campaign.
