logo

EvilTokens: How “Ghost” Code Threatens US and European Businesses

ID: 49450622-08c8-5ca4-a02e-414d736cc1dc

STIX ID: report--49450622-08c8-5ca4-a02e-414d736cc1dc

Feed Name: ANY.RUN's Cybersecurity Blog

Threat Score
70/100

Date Published: 2026-06-23

Date Updated: 2026-06-23

Author: GridGuardGhoul

...
...

This report analyzes EvilTokens, a phishing kit that hides its malicious landing page using AES-GCM browser-side decryption and leverages Microsoft OAuth device-code flow to obtain Microsoft 365 account access without harvesting passwords; it shows how ANY.RUN’s interactive sandbox reveals decrypted DOM content, traces requests to endpoints such as /api/device/start, /api/device/status and /api/device/gate/<PAGE_ID>, and extracts IOCs and signatures to help SOCs and MSSPs triage, detect, and respond to targeted campaigns in the United States and Europe.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.