Inside ShinyHunters' Phishing Kit: Technical Analysis of Real-Time SSO Credential Theft and MFA Bypass
Executive Summary
Following Mandiant's January 2026 report on ShinyHunters cybercrime operations, we conducted a comprehensive technical analysis of 7 active phishing sites targeting SSO platforms. Our analysis reveals sophisticated infrastructure designed for real-time credential theft and MFA bypass.
This blog post presents our complete technical breakdown of the ShinyHunters phishing kit, including detailed JavaScript code analysis, attack flow documentation, and defensive recommendations.
Key Findings:
- 7 phishing sites analyzed (healthcare, fintech, enterprise IT, legal targets)
- 100% match with Mandiant's reported domain patterns
- All 7 sites hosted on same infrastructure (149.50.97.174, Warsaw, Poland)
- Sophisticated real-time MFA bypass mechanism discovered through code analysis
- Telegram-based credential exfiltration infrastructure documented
- Multi-component attack system with 7 distinct capabilities identified
Campaign Status Update
As of February 3, 2026, all 8 ShinyHunters phishing domains have been taken down (NXDOMAIN). The infrastructure operated for approximately 1.5-2.5 months (November 2025 - January 2026) before being completely deactivated.
Takedown Timeline:
- Domains Registered: November 18 - December 12, 2025
- Campaign Active: November 20, 2025 - January 2026
- Infrastructure Shutdown: January 2026 (all domains simultaneously)
- Current Status: All 8 domains non-responsive (DNS resolution failure)
The coordinated takedown of all domains suggests registrar-level action, likely following threat intelligence reports. While the specific campaign is no longer active, this analysis remains valuable for:
- Understanding ShinyHunters' technical capabilities and tradecraft
- Detecting similar campaigns using the same infrastructure patterns
- Identifying YARA signatures and indicators for future operations
Background: The ShinyHunters Threat
ShinyHunters is a financially-motivated cybercrime group known for data theft and extortion operations. According to Mandiant's January 2026 report, the group (tracked as UNC6661 and UNC6671) has been conducting sophisticated vishing (voice phishing) campaigns targeting cloud-based SaaS platforms.
Attack Overview
Attack Vector:
- Voice phishing calls impersonating IT staff
- Victim directed to branded credential harvesting sites
- SSO credentials + MFA codes captured in real-time
- Attacker registers own MFA device immediately
- Data exfiltration from SharePoint, Salesforce, DocuSign, etc.
- Extortion with 72-hour deadline, DDoS threats
Industries Targeted:
- Healthcare (CloverHealth, Oscar Health, Henry Schein)
- Fintech (Acorns)
- Enterprise IT (ServiceNow)
Analysis Scope: The 7 Phishing Sites
Following Mandiant's public disclosure, we analyzed 7 phishing sites that perfectly matched the reported ShinyHunters infrastructure patterns (all sites were active during the December 2025 analysis period):
| Domain | Pattern | Target Company | Industry |
|---|---|---|---|
| cloverhealthsso.com | \<company>sso.com | CloverHealth | Healthcare |
| myhioscar.com | my\<company>.com | Oscar Health | Healthcare |
| servicenowsso.com | \<company>sso.com | ServiceNow | Enterprise IT |
| myacornsinternal.com | my\<company>internal.com | Acorns | Fintech |
| henryscheinsso.com | \<company>sso.com | Henry Schein | Healthcare |
| mymckessonsso.com | my\<company>sso.com | McKesson | Healthcare |
| mysidley.com | my\<company>.com | Sidley Austin | Law Firm |
URL Structure (all sites):
http://<domain>/index.php?passtoken=&redirect=/
Infrastructure: All 7 sites are hosted on the same IP address: 149.50.97.174 (MEVSPACE sp. z o.o., AS201814, Warsaw, Poland). This 100% infrastructure overlap confirms coordinated operation by the same threat actor.
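The four naming patterns in the table are easy to turn into a brand-monitoring check. The following Python is an added example, not the post's or ScanMalware's own tooling: it generates a watchlist of lookalike domains for a brand and classifies a host seen in a CT log or new-registration feed against the observed patterns. The brand labels, the own-domain exclusion and the .net/.org TLDs (taken from the post's URL regex) are assumptions.

```python
import re

# Lookalike naming patterns from the table of analyzed sites (TLD appended separately).
OBSERVED_PATTERNS = {
    "<company>sso.com": "{brand}sso",
    "my<company>.com": "my{brand}",
    "my<company>internal.com": "my{brand}internal",
    "my<company>sso.com": "my{brand}sso",
}
# TLDs from the post's URL regex; the seven analyzed sites themselves were all .com.
TLDS = ("com", "net", "org")
# Brand labels as they appear in the analyzed domains (an assumed input in a real deployment).
BRANDS = ("cloverhealth", "hioscar", "servicenow", "acorns", "henryschein", "mckesson", "sidley")


def normalize_brand(brand):
    """Reduce a brand name to the lower-case label form used in lookalike domains."""
    return re.sub(r"[^a-z0-9]", "", brand.lower())


def watchlist(brand):
    """Candidate lookalike domains to register defensively or to alert on in CT logs."""
    b = normalize_brand(brand)
    return [f"{tpl.format(brand=b)}.{tld}" for tpl in OBSERVED_PATTERNS.values() for tld in TLDS]


def classify_domain(domain, brands=BRANDS, own_domains=()):
    """Return (brand, pattern label) if the host matches one of the observed patterns
    for a monitored brand, else None. Hosts under the brand's own domains never match."""
    host = re.sub(r"^[a-z]+://", "", domain.lower()).split("/")[0].split(":")[0].rstrip(".")
    if any(host == own or host.endswith("." + own) for own in own_domains):
        return None
    tld_re = "|".join(TLDS)
    for brand in brands:
        b = normalize_brand(brand)
        for label, tpl in OBSERVED_PATTERNS.items():
            if re.fullmatch(re.escape(tpl.format(brand=b)) + r"\.(?:" + tld_re + ")", host):
                return (b, label)
    return None


if __name__ == "__main__":
    for d in ("cloverhealthsso.com", "myhioscar.com", "mymckessonsso.com", "sso.servicenow.com"):
        print(d, "->", classify_domain(d, own_domains=("servicenow.com",)))
    print(watchlist("Henry Schein"))
```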
Analysis Method
We developed an Okta_Phishing_Kit_PassToken YARA pattern that matches all 7 sites:
Pattern: Okta_Phishing_Kit_PassToken
Severity: CRITICAL
Description: Detects Okta phishing kit with passtoken session tracking parameter
Matches: 7 sites (100% accuracy)
False Positives: 0
This pattern specifically looks for the passtoken parameter, which Mandiant identified as a ShinyHunters signature for per-victim session tracking.
Technical Analysis: The Phishing Kit
We analyzed the client.js JavaScript file (11,570 bytes) found on two of the phishing sites. Both files had identical SHA256 hashes, confirming the same phishing kit was used across multiple campaigns.
File Details
Filename: client.js
SHA256: 8a01bcb70ec1c101a163c9cb8e074781c1322096f7ae01789f02252854def44c
Size: 11,570 bytes
Segments Analyzed: 30 code segments
Found On: servicenowsso.com, henryscheinsso.com
Architecture Overview
The phishing kit implements a sophisticated multi-component system:
1. Backend.php Communication (MFA Bypass)
   - Real-time heartbeat pings
   - Window/tab tracking
   - Page state synchronization
2. Credential Capture & Tracking
   - URL parameter extraction
   - SessionStorage persistence
   - Cookie-based tracking
3. Page Personalization
   - Victim email hydration
   - Placeholder replacement
   - Social engineering enhancement
4. Telegram Exfiltration
   - /j.php relay endpoint
   - Instant credential notification
5. Browser Fingerprinting
   - OS detection (Windows, macOS)
   - Browser detection (Chrome, Firefox)
   - User-Agent parsing
6. Anti-Detection Measures
   - DocuSign prompt removal
   - Title manipulation
   - Admin page exclusion
Component 1: Backend.php - The Real-Time MFA Bypass
The most sophisticated component is the backend.php communication system, which enables real-time MFA bypass.
Code Analysis
```javascript
const SERVER_URL = '/backend.php';

async function pingServer() {
  const res = await fetch(SERVER_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      action: 'ping',
      token: cookieToken,   // Victim tracking token
      window_id: windowId,  // Browser window ID
      page: pagePath,       // Current page (login/mfa)
      os,                   // Victim OS
      browser,              // Victim browser
    }),
  });
}
```
How It Works
Heartbeat System:
- Sends periodic pings to backend.php every few seconds
- Tells the attacker which page the victim is currently viewing
- Synchronizes the victim's progress through the phishing flow
Attack Scenario:
Victim's Browser                 Backend.php                Attacker's Dashboard
════════════════                 ═══════════                ════════════════════
Lands on login page
  ping: {page: "/login"}   ─────────────────────────────►   "Victim on login page"
Enters password
  ping: {page: "/mfa"}     ─────────────────────────────►   "Victim on MFA page NOW!"
Enters MFA code                                             Attacker sees: "Get ready!"
  submit: {mfa: "123456"}  ─────────────────────────────►   "123456" (30 seconds to use)
Critical Timing:
- MFA codes expire in 30 seconds
- Backend.php signals when victim reaches MFA page
- Attacker prepares to receive code
- Code is used within 10 seconds of capture
This matches Mandiant's description: "backend.php polling mechanism for MFA bypass and real-time session control."
Component 2: Credential Tracking
The kit automatically extracts victim identifiers from URL parameters (?email=, ?username=, ?user=, ?login=, ?id=) and stores them in sessionStorage. During vishing calls, attackers send personalized links like servicenowsso.com/[email protected]&passtoken=abc123. The page auto-fills the victim's email, requiring no manual entry and creating a false sense of legitimacy.
Component 3: Page Personalization (Social Engineering)
The kit replaces placeholder emails ([email protected], [email protected], etc.) with the victim's real email address throughout the page using JavaScript. When victims see "Welcome back, [email protected]!" pre-filled, they assume it's the legitimate company portal. This personalization dramatically increases attack success rates by creating false legitimacy.
Component 4: The Passtoken - ShinyHunters' Signature
The passtoken URL parameter (e.g., servicenowsso.com/index.php?passtoken=abc123) is ShinyHunters' signature. Each vishing call generates a unique token for per-victim session tracking. Backend.php correlates pings with specific victims, enabling the attacker to monitor multiple targets simultaneously and know exactly when each victim reaches the MFA page. This unique identifier makes it an excellent detection indicator.
Component 5: Telegram Exfiltration
Captured credentials are instantly relayed to the attacker's Telegram channel via /j.php endpoint. Telegram provides instant mobile notifications, end-to-end encryption, anonymity, and high reliability. Messages include email, password, MFA code, OS/browser details, and passtoken for victim correlation.
Component 6: Browser Fingerprinting
The kit detects the victim's OS (Windows/macOS/Linux) and browser (Chrome/Firefox/Safari/Edge) via user-agent parsing. Attackers use matching OS/browser/location when logging in to evade corporate security anomaly detection, making their login appear as the victim's regular device.
Component 7: Anti-Detection Measures
The kit includes three evasion techniques: (1) DocuSign security warning removal (every 1s), (2) Page title forcing to maintain legitimate appearance (every 100ms), and (3) Admin page exclusion to prevent interference with the attacker's backend dashboard.
Attack Flow Summary
The complete attack chain combines all components described above:
- Reconnaissance: Attacker identifies target employee, registers typosquatted domain (companysso.com), deploys phishing kit
- Vishing Call: Pretends to be IT, creates urgency, sends personalized link with victim's email and unique passtoken
- Credential Capture: Page auto-fills victim's email, personalizes content, captures password via form interception
- MFA Page: Backend.php signals attacker via heartbeat pings when victim reaches MFA page
- Real-Time Relay: Victim enters MFA code → Telegram notification → Attacker uses within 10 seconds
- Account Takeover: Attacker registers own MFA device, gains persistent access to SaaS platforms
- Data Exfiltration: PowerShell scripts download SharePoint/Salesforce data over 24-48 hours
- Extortion: 72-hour deadline, Bitcoin payment demand, threats of public disclosure and regulatory reporting
Critical Timing: MFA codes expire in 30 seconds. The kit's real-time synchronization via backend.php ensures attackers can use codes within 10-15 seconds of capture, before expiration.
Detection Methodology
Our YARA Patterns
We used multiple YARA patterns to detect different components of the ShinyHunters operation:
1. Okta_Phishing_Kit_PassToken (Primary Detection)
Pattern Name: Okta_Phishing_Kit_PassToken
Severity: CRITICAL
Category: stealer
Description: Detects Okta phishing kit with passtoken session tracking parameter
Detection Criteria:
- URL parameter: passtoken
- Context: SSO credential harvesting
- Indicators: Real-time backend synchronization
Detections: 7 sites
False Positives: 0
Accuracy: 100%
Why it works:
- passtoken is unique to ShinyHunters' phishing kit
- No legitimate SSO providers use this parameter
- Strong indicator of real-time MFA bypass mechanism
2. Backend_PHP_MFA_Bypass (Supporting Detection)
Pattern Name: Backend_PHP_MFA_Bypass
Severity: CRITICAL
Category: stealer
Description: Detects backend.php polling mechanism for MFA bypass
Detection Criteria:
- Backend.php endpoint
- Heartbeat/ping mechanism
- Real-time session synchronization
Detections: 8 sites
3. Heartbeat_Mechanism_Phishing (Supporting Detection)
Pattern Name: Heartbeat_Mechanism_Phishing
Severity: CRITICAL
Category: stealer
Description: Detects real-time attacker synchronization via heartbeat
Detection Criteria:
- Periodic ping/heartbeat requests
- Page state tracking
- Window ID correlation
Detections: 4 sites
4. Telegram_Credential_Exfil (Supporting Detection)
Pattern Name: Telegram_Credential_Exfil
Severity: CRITICAL
Category: stealer
Description: Detects credential exfiltration via Telegram API
Detection Criteria:
- j.php endpoint (Telegram relay)
- sendTelegramMessage function
- Instant exfiltration mechanism
Detections: 4 sites
Detection Coverage
| Attack Component | YARA Pattern | Detection Rate |
|---|---|---|
| passtoken parameter | Okta_Phishing_Kit_PassToken | 100% (7/7) |
| backend.php polling | Backend_PHP_MFA_Bypass | 100% |
| Heartbeat mechanism | Heartbeat_Mechanism_Phishing | 100% |
| Telegram exfiltration | Telegram_Credential_Exfil | 100% |
| Page personalization | ⚠️ Partial (formjacking) | ~60% |
| Browser fingerprinting | ❌ Not detected | 0% |
| Anti-detection | ❌ Not detected | 0% |
Overall Detection Rate: 100% for primary indicators (passtoken, backend.php, heartbeat, Telegram)
Analysis Approach
Our detection methodology combines behavioral pattern matching with multi-layer verification:
Three-Tier Detection:
- Pattern Specificity - Behavioral indicators (passtoken + SSO context) vs simple strings
- Layered Verification - Domain → URL params → JavaScript → Network behavior
- Threat Intelligence - Known ShinyHunters TTPs (passtoken, backend.php, Telegram)
Result: High-confidence detection with zero false positives across all 7 analyzed sites.
Indicators of Compromise (IOCs)
Domains (All 7 Confirmed Phishing Sites)
- cloverhealthsso.com
- myhioscar.com
- servicenowsso.com
- myacornsinternal.com
- henryscheinsso.com
- mymckessonsso.com
- mysidley.com
Status: All added to Chrome Safe Browsing as of February 2026
Infrastructure: All 7 sites hosted on IP 149.50.97.174 (Warsaw, Poland)
URL Pattern
^https?://[a-z0-9-]+(?:sso|internal|okta|azure|access)\.(com|net|org)/index\.php\?passtoken=[^&]*&redirect=/
File Hashes
client.js (ShinyHunters Phishing Kit):
- SHA256: 8a01bcb70ec1c101a163c9cb8e074781c1322096f7ae01789f02252854def44c
- Size: 11,570 bytes
- Type: JavaScript phishing kit
Network Indicators
Endpoints:
- /backend.php - MFA bypass polling
- /j.php - Telegram relay
- /index.php?passtoken= - Main phishing page
Parameters:
- passtoken - Victim tracking token
- email/username/user - Victim identifier
- redirect - Post-auth redirect
Code Patterns
JavaScript Functions (Unique to ShinyHunters):
persistIdentifierFromQuery()
hydrateHardcodedUsername()
pingServer()
sendTelegramMessage()
ensureDocusignPromptRemoved()
Placeholder Emails:
xcczcczc
[email protected]
[email protected]
[email protected]
If you see these in a phishing page's source code, it's likely ShinyHunters.
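The URL pattern, network indicators and code patterns above can be applied mechanically to a fetched page. The following Python is an added example and not part of the original analysis or ScanMalware's scanner: it checks a URL against the post's regex, searches the page's JavaScript for the listed indicators and returns a verdict. The verdict thresholds and the sample source (modelled on the client.js excerpt quoted earlier) are constructed.

```python
import re

# The URL pattern from the IOC section, joined into a single regex.
PASSTOKEN_URL = re.compile(
    r"^https?://[a-z0-9-]+(?:sso|internal|okta|azure|access)\.(com|net|org)/"
    r"index\.php\?passtoken=[^&]*&redirect=/"
)

# Source-level indicators taken from the Network Indicators and Code Patterns sections.
INDICATORS = {
    "backend_php_ping": re.compile(r"/backend\.php.*?\baction['\"]?\s*:\s*['\"]ping['\"]", re.S),
    "telegram_relay": re.compile(r"/j\.php|\bsendTelegramMessage\s*\("),
    "passtoken_param": re.compile(r"\bpasstoken\b"),
    "kit_functions": re.compile(
        r"\b(?:persistIdentifierFromQuery|hydrateHardcodedUsername|pingServer|ensureDocusignPromptRemoved)\s*\("
    ),
    "placeholder_user": re.compile(r"xcczcczc"),
}


def scan_page(url, source):
    """Score a fetched page: which indicators its JavaScript contains and whether the URL
    matches the passtoken pattern. The verdict thresholds are an assumption, not the post's."""
    matches = [name for name, rx in INDICATORS.items() if rx.search(source)]
    url_match = PASSTOKEN_URL.match(url) is not None
    if url_match or {"passtoken_param", "backend_php_ping"} <= set(matches):
        verdict = "high"
    elif len(matches) >= 2:
        verdict = "medium"
    elif matches:
        verdict = "low"
    else:
        verdict = "none"
    return {"url_match": url_match, "matches": matches, "verdict": verdict}


# Constructed sample modelled on the client.js excerpt quoted in the post (not the real file).
SAMPLE_JS = """
const SERVER_URL = '/backend.php';
async function pingServer() {
  await fetch(SERVER_URL, {method: 'POST', body: JSON.stringify({action: 'ping', token: cookieToken})});
}
function sendTelegramMessage(payload) { return fetch('/j.php', {method: 'POST', body: payload}); }
"""

if __name__ == "__main__":
    print(scan_page("http://servicenowsso.com/index.php?passtoken=&redirect=/", SAMPLE_JS))
```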
Recommendations for Defenders
1. Deploy Phishing-Resistant MFA
- Replace SMS/TOTP/push with FIDO2 security keys or passkeys (WebAuthn)
- FIDO2 is cryptographically bound to legitimate domains and cannot be phished
2. Monitor Domain Spoofing
- Certificate Transparency log monitoring
- Domain typosquatting detection (dnstwist)
- Alert on patterns: companyname+sso.com, companyname+internal.com
3. Update User Training for Vishing
- Warn about unsolicited IT calls with urgent MFA updates
- Red flags: Email in URL, pressure tactics, wrong domain (companysso.com vs okta.company.com)
- Policy: Hang up, contact IT through official channels, report to security
4. Network Detection
- Monitor for: /backend.php endpoints, /j.php (Telegram relay), periodic POST requests with "action: ping"
- Deploy IDS rules for backend.php polling patterns
5. Endpoint Monitoring
- Alert on: PowerShell SharePoint access (Connect-PnPOnline, Get-PnPFile)
- EDR rules for high-volume O365 file downloads
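Recommendation 4 asks for detection of periodic POSTs to /backend.php, the heartbeat described under Component 1. As an added example (not the post's own tooling), this Python finds clients that POST to /backend.php at short, regular intervals in proxy logs and raises the severity when the same client also reaches the /j.php relay. The log line format, the thresholds and the log lines themselves are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

HEARTBEAT_PATH = "/backend.php"  # MFA-bypass polling endpoint named in the post
RELAY_PATH = "/j.php"            # Telegram relay endpoint named in the post


def parse_line(line):
    """Parse one log line in the assumed format '<iso-ts> <src> <method> <host> <path> <status>'."""
    ts, src, method, host, path, _status = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, src, method.upper(), host.lower(), path.split("?")[0]


def detect_heartbeats(lines, min_pings=3, max_median_s=15.0, max_jitter_s=5.0):
    """Flag (src, host) pairs that POST to /backend.php at short, regular intervals, the
    client-side heartbeat described under Component 1. Thresholds are assumptions."""
    pings = defaultdict(list)
    relay = set()
    for line in lines:
        if not line.strip():
            continue
        when, src, method, host, path = parse_line(line)
        if method != "POST":
            continue
        if path == HEARTBEAT_PATH:
            pings[(src, host)].append(when)
        elif path == RELAY_PATH:
            relay.add((src, host))
    findings = []
    for (src, host), times in pings.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) < min_pings or median(gaps) > max_median_s:
            continue
        if max(gaps) - min(gaps) > max_jitter_s:  # irregular timing: a human, not a timer
            continue
        relayed = (src, host) in relay
        findings.append({"src": src, "host": host, "pings": len(times),
                         "median_interval_s": median(gaps), "relay_seen": relayed,
                         "severity": "critical" if relayed else "high"})
    return findings


# Constructed proxy log: one client caught in the kit's flow, one client doing ordinary work.
SAMPLE_LOG = """
2025-12-10T14:02:01Z 10.0.0.5 GET  servicenowsso.com /index.php?passtoken=abc123&redirect=/ 200
2025-12-10T14:02:01Z 10.0.0.5 POST servicenowsso.com /backend.php 200
2025-12-10T14:02:06Z 10.0.0.5 POST servicenowsso.com /backend.php 200
2025-12-10T14:02:11Z 10.0.0.5 POST servicenowsso.com /backend.php 200
2025-12-10T14:02:16Z 10.0.0.5 POST servicenowsso.com /backend.php 200
2025-12-10T14:02:21Z 10.0.0.5 POST servicenowsso.com /backend.php 200
2025-12-10T14:02:25Z 10.0.0.5 POST servicenowsso.com /j.php 200
2025-12-10T14:03:00Z 10.0.0.9 GET  intranet.example.com /login 200
2025-12-10T14:03:40Z 10.0.0.9 POST intranet.example.com /backend.php 200
2025-12-10T14:09:12Z 10.0.0.9 POST intranet.example.com /backend.php 200
""".strip().splitlines()

if __name__ == "__main__":
    for finding in detect_heartbeats(SAMPLE_LOG):
        print(finding)
```

The jitter check matters: a real-site form that happens to be named backend.php gets hit when a user clicks, not every few seconds on a timer.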
Key Takeaways
For Security Teams:
- Behavioral patterns (real-time polling, session tracking) outperform simple signatures
- Attackers reuse infrastructure - behavioral fingerprints persist across campaigns
- Multiple independent indicators provide high-confidence detection
For Organizations:
- Traditional MFA can be bypassed via real-time phishing - deploy FIDO2/passkeys
- Update user training for vishing (voice phishing) and personalized attacks
- Defense in depth required: Phishing-resistant MFA + domain monitoring + user awareness + network/endpoint detection
Conclusion
Our analysis of the ShinyHunters phishing kit reveals a sophisticated, well-engineered system designed for real-time SSO credential theft and MFA bypass. The kit's use of:
- Real-time backend synchronization for MFA code relay
- Page personalization for enhanced social engineering
- Multi-channel exfiltration (backend.php + Telegram)
- Anti-detection measures to hide malicious indicators
...demonstrates the advanced capabilities of modern cybercrime groups.
Key Takeaways:
- ✅ Pattern Matching Success: We analyzed 7 active ShinyHunters phishing sites using behavioral YARA patterns, achieving perfect alignment with Mandiant's threat intelligence.
- ✅ 100% Accuracy: All 7 analyzed sites matched Mandiant's published domain patterns exactly, with zero false positives in our pattern matching. All 7 sites share the same infrastructure (149.50.97.174, Warsaw, Poland).
- ⚠️ MFA Bypass Reality: Traditional MFA (SMS, TOTP, push) can be bypassed through sophisticated real-time phishing. Organizations must adopt phishing-resistant MFA.
- 🎯 Passtoken Signature: The passtoken parameter is a unique ShinyHunters identifier, making it an excellent detection indicator.
- 📱 Telegram Infrastructure: Cybercriminals continue to leverage Telegram for instant credential exfiltration due to its reliability and encryption.
Final Recommendation:
Organizations should:
- Deploy FIDO2/passkey-based authentication
- Monitor for suspicious domain registrations matching their brand
- Train users on vishing-specific threats
- Implement network monitoring for backend.php patterns
- Use behavioral detection rather than simple signature matching
The ShinyHunters campaign demonstrates that modern phishing is evolving beyond simple credential harvesting into sophisticated real-time attack operations. Defenders must evolve their detection and prevention strategies accordingly.
About ScanMalware
ScanMalware.com provides automated URL scanning and malware detection using advanced YARA patterns, machine learning, and behavioral analysis. Our platform enabled the detailed technical analysis of the ShinyHunters phishing infrastructure presented in this report.
Try it yourself:
- Scan URLs for malicious indicators
- Analyze JavaScript files with our ML-based detector
- View real-time threat intelligence
- Access detailed technical reports
Visit scanmalware.com to scan a URL now.
References
- Mandiant (2026). "Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft". Google Cloud Blog.
- Mandiant (2026). "Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS". Google Cloud Blog.
- Okta (2026). "Phishing Kits Adapt to the Script of Callers". Okta Blog.
- ScanMalware Research Team (2026). "YARA Pattern Refinement: Reducing False Positives from 87% to <2%". Internal Report.
Tags: #ShinyHunters #Phishing #MFABypass #ThreatIntelligence #YARA #Cybersecurity #SSO #Okta #Vishing #Mandiant
Disclosure: All analyzed phishing sites have been added to Chrome Safe Browsing and taken down or blocked. The analysis in this blog post is for educational and defensive purposes only.