Hexastrike Blog
CodeStorm – A Microsoft 365 AiTM Phishing Kit with Storm-1167 Overlap
Executive Summary
Hexastrike has identified an ongoing adversary-in-the-middle (AiTM) phishing campaign targeting Microsoft 365 users that leverages a previously undocumented phishing kit, tracked by Hexastrike as CodeStorm. Analysis of the recovered server-side kit source code and associated deployment infrastructure indicates with moderate confidence that CodeStorm overlaps with infrastructure patterns previously associated with activity Microsoft tracks as Storm-1167. Based on direct code-level comparison conducted by Hexastrike, CodeStorm appears to be a distinct kit family separate from previously documented phishing frameworks such
Cloned, Loaded, and Stolen: How 109 Fake GitHub Repositories Delivered SmartLoader and StealC
Executive Summary
After someone impersonated one of our recent projects, PyrsistenceSniper, on GitHub, we uncovered a broader malware distribution campaign built around cloned open source repositories. The operator copies legitimate projects, republishes them under different accounts, strips the README of its technical content, and replaces it with prominent download buttons. Those buttons point to ZIP files hidden inside the repository tree rather than to GitHub releases or tagged source packages. The source code is usually left mostly intact. That is what
Reddit TradingView Lures Leading to Vidar and AMOS Stealers
While handling recent stealer infections, we traced the initial compromise back to Reddit. A threat actor had been operating across several subreddits, some hijacked from legitimate communities and others purpose-built, using a mix of compromised and freshly created Reddit accounts to push malicious software disguised as cracked TradingView Premium builds. Based on overlapping language patterns, shared infrastructure and nearly identical post templates, we assess with high confidence that a single threat actor is behind this campaign. The infection chain itself