Known malicious kitcriticalphishing

ShinyHunters Okta PassToken

family: okta-passtoken

Okta-themed brand-impersonation phishing kit. Landing URL has the ?passtoken=&redirect=/ signature; backend.php polls for MFA-bypass state; pingServer heartbeat; Telegram-channel credential exfiltration. Attributed to the ShinyHunters cluster.

Fingerprint anchors

content sha2568a01bcb70ec1c101a163c9cb8e074781c1322096f7ae01789f02252854def44c

canonical AST4a92f5e83fc948d0e1e25ff34745ae2e17dc925dce4106c0ccf6f77ebd8c5fae

TLSHT17132855E502922714A33A3BDEB579105FB7391333581A2593D9D83402F70DAA87B2FDE

Provenance

Added by: analyst

Added: 2026-05-26 12:28

Seeded 2026-05-26 from PassToken pattern + js-fp3 byte-identical sweep (henryscheinsso.com, servicenowsso.com).

References:

https://scanmalware.com/script/1485207/client.js
https://scanmalware.com/result/f7d999c9-0cc4-4c47-8143-54f85b07fe73

Sightings (2)

Host	Scan	Script	Match	When
henryscheinsso.com	f7d999c9…	https://henryscheinsso.com/client.js	byte	2026-05-22 14:55
servicenowsso.com	61b53f5f…	https://servicenowsso.com/client.js	byte	2026-05-22 14:54