BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory
BlobPhish is an evasive credential-phishing campaign that generates fake authentication forms directly in the victim's browser memory using Blob objects. By avoiding traditional HTTP requests and disk writes, it bypasses standard network and file-based detection mechanisms to steal high-value financial and cloud service credentials.
Authors: ANY.RUN
Source: ANY.RUN
- hxxps://ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//res.php - Credential exfiltration endpoint
- hxxps://hnint[.]net/cgi-bin/peacemind//res.php - Credential exfiltration endpoint
- hxxps://mtl-logistics[.]com/blb/blob.html - Initial loader URL hosting the malicious JavaScript
- hxxps://mtl-logistics[.]com/css/sharethepoint/point/res.php - Credential exfiltration endpoint
- hxxps://wajah4dslot[.]com/wp-includes/certificates/tmp//res.php - Credential exfiltration endpoint
Key Takeaways
- BlobPhish loads phishing pages entirely in browser memory as blob objects, evading file and network-based detection.
- The campaign targets high-value credentials for Microsoft 365 and major US financial institutions.
- Attackers abuse legitimate WordPress sites to host exfiltration endpoints (e.g., res.php, tele.php, panel.php).
- The campaign has been active since October 2024 and remains ongoing as of April 2026.
Affected Systems
- Microsoft 365
- OneDrive
- SharePoint
- Chase
- Capital One
- E*TRADE
- American Express
- Charles Schwab
- PayPal
- Web Browsers
Attack Chain
The attack begins with a phishing email, PDF containing a QR code, or shortened link that redirects the victim to an HTML page hosting a JavaScript loader. This loader decodes a Base64 payload to construct a Blob object, generating a blob:https:// URL that is injected into the DOM and clicked invisibly. The victim is presented with a spoofed login page running entirely in memory, which captures credentials and POSTs them to an attacker-controlled endpoint (e.g., res.php, tele.php) before redirecting to the legitimate service.
Detection Availability
- YARA Rules: Yes
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: ANY.RUN
A YARA rule named BlobPhishLoaderHTML is provided to detect the HTML loader pages containing the JavaScript responsible for creating the malicious blob objects.
Detection Engineering Assessment
- EDR Visibility: Low — The phishing payload is constructed and executed entirely within the browser's memory using Blob objects, leaving no file artifacts on disk for EDRs to scan.
- Network Visibility: Medium — While the in-memory blob scheme itself does not generate standard HTTP requests, the initial loader fetch and the subsequent credential exfiltration POST requests are visible in network traffic.
- Detection Difficulty: Hard — The use of blob:https:// URLs evades standard URL reputation engines and proxy logs for the phishing page itself, requiring defenders to focus on the initial loader and exfiltration patterns.
Required Log Sources
- Web Proxy Logs
- DNS Logs
- Network Traffic Analysis (NTA)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for HTTP POST requests to paths ending in /res.php, /tele.php, or /panel.php containing form-data with credential-like fields. | Web Proxy Logs | Exfiltration | Medium |
| Search for initial access URLs ending in /blob.html, /blom.html, or /bloji.html. | Web Proxy Logs | Delivery | Low |
| Identify HTTP POST requests to /panel.php that return a JSON response containing an error message and IP address. | Network Traffic Analysis | Exfiltration | Low |
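The three hypotheses above as a hunting script, added here as an example (not ANY.RUN's code): it tags proxy log lines by campaign stage and correlates them per client, so a host that fetched a loader page and then posted form data to an exfil script stands out as a credential-reset candidate. The log format, hosts and client IPs are constructed assumptions; only the path names come from the report.

```python
"""Tag proxy log lines by BlobPhish stage and correlate per client.
Assumed (constructed) log format: "<ts> <client_ip> <method> <url> <status> <req_content_type> <req_bytes>"."""
from collections import defaultdict
from urllib.parse import urlsplit

LOADER_PAGES = {"blob.html", "blom.html", "bloji.html"}   # hypothesis 2
EXFIL_SCRIPTS = {"res.php", "tele.php"}                   # hypothesis 1
FORM_TYPES = {"multipart/form-data", "application/x-www-form-urlencoded"}

# Constructed sample log; ".invalid" hosts and private IPs are placeholders, not report IOCs.
SAMPLE_LOG = """\
2025-03-01T09:00:01Z 10.0.0.5 GET https://wp.example.invalid/wp-content/tmp/blob.html 200 - 0
2025-03-01T09:00:07Z 10.0.0.5 POST https://wp.example.invalid/wp-content/tmp//res.php 200 application/x-www-form-urlencoded 96
2025-03-01T09:00:08Z 10.0.0.5 POST https://wp.example.invalid/wp-content/tmp//panel.php 200 - 0
2025-03-01T09:01:00Z 10.0.0.7 GET https://intranet.example.invalid/docs/blob.html 200 - 0
2025-03-01T09:02:00Z 10.0.0.9 POST https://shop.example.invalid/api/res.php 200 application/json 512
"""

def classify(line):
    """Return (client_ip, stage) if the line matches a hypothesis, else None."""
    _ts, client, method, url, _status, ctype, nbytes = line.split()
    name = urlsplit(url).path.rsplit("/", 1)[-1]   # last path component, e.g. "res.php"
    if method == "GET" and name in LOADER_PAGES:
        return client, "loader"
    if method == "POST" and name in EXFIL_SCRIPTS and ctype in FORM_TYPES:
        return client, "exfil"
    if method == "POST" and name == "panel.php" and nbytes == "0":
        return client, "panel"          # empty-body check-in (hypothesis 3)
    return None

def hunt(log_text):
    """Map each client IP to the set of BlobPhish stages observed for it."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            stages[hit[0]].add(hit[1])
    return dict(stages)

def high_confidence(stages):
    """Clients with both a loader fetch and a form POST to an exfil script: reset their credentials."""
    return sorted(client for client, seen in stages.items() if {"loader", "exfil"} <= seen)
```

The lone loader hit from 10.0.0.7 and the JSON POST from 10.0.0.9 are left at their lower per-hypothesis confidence; only the client that shows both stages is promoted.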
Control Gaps
- Secure Email Gateways (SEGs)
- URL Reputation Filters
- File-based Antivirus
Key Behavioral Indicators
- POST requests to /res.php or /tele.php with MIME type form-data or x-www-form-urlencoded
- POST requests to /panel.php with an empty body returning JSON errors
False Positive Assessment
- Low. The specific combination of blob:https:// usage for login forms and POST requests to /res.php or /tele.php with credential data is highly indicative of this specific phishing campaign.
Recommendations
Immediate Mitigation
- Block known BlobPhish loader domains and exfiltration URLs at the web proxy and DNS levels.
- Reset credentials for any users observed interacting with the identified exfiltration endpoints.
Infrastructure Hardening
- Implement strict web proxy filtering to monitor or block HTTP POST requests to suspicious .php endpoints on unknown or low-reputation domains.
User Protection
- Enforce FIDO2/WebAuthn multi-factor authentication (MFA) to render stolen passwords useless.
- Deploy browser-based security extensions capable of analyzing in-memory page content.
Security Awareness
- Train employees to be highly suspicious of authentication prompts where the address bar begins with 'blob:https://'.
MITRE ATT&CK Mapping
- T1566.001 - Phishing: Spearphishing Attachment
- T1566.002 - Phishing: Spearphishing Link
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1132.001 - Data Encoding: Standard Encoding
- T1056.002 - Input Capture: GUI Input Capture
- T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Additional IOCs
- IPs:
45[.]128[.]199[.]83 - IP address observed in /panel.php error response during sandbox analysis
- Domains:
- Urls:
- File Hashes:
C3FF6844E5B9A583FBE2A658291107E294AED9829E943248B8166A7A7E7BC51E (SHA256) - Hash of malicious loader HTML file (blob.html)
BF5D0838D472414CEF43449083E61C5E9A3BA6BDC0925A62A6EF78A9AF8D0B1B (SHA256) - Hash of malicious loader HTML file (blob.html)
9C4416D8B282B83662CDA2BFA7D9B6D4FC7C9BEF3DFCEDB987B6BAF438B86E3 (SHA256) - Hash of malicious PDF attachment containing QR code