Device Code Phishing Campaign — Infrastructure Update
ID: a1d9b4f3-4361-5b57-81ce-1fba8114b72d
STIX ID: report--a1d9b4f3-4361-5b57-81ce-1fba8114b72d
Feed Name: On the Hunt
This report analyzes a large-scale device-code phishing campaign hosted on Cloudflare Workers, enumerating 1,337 probed URLs (966 active), 326 unique workers.dev hostnames and 1,061 active per-victim session paths. It highlights the use of encrypted base64/AES JavaScript payloads that hide phishing content from scanners, multiple branded lure skins (Microsoft, DocuSign, Adobe), homoglyph typosquat attacker domains, and evidence that the kit is distributed to multiple operators (PhaaS).
