{
	"id": "3c324a6e-3e11-419d-b866-25371d96d3c7",
	"created_at": "2026-05-01T03:09:50.792401Z",
	"updated_at": "2026-05-01T03:10:50.653558Z",
	"deleted_at": null,
	"sha1_hash": "8f4e341c110961b9d5c8ca9380ab925ab9830a57",
	"title": "PerSwaysion Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3502066,
	"plain_text": "PerSwaysion Campaign\r\nArchived: 2026-05-01 02:01:10 UTC\r\nIn the first quarter of 2020, Group-IB Threat Intelligence team received a lead concerning corporate email account\r\ncompromise of an Asia-based company. A joint investigation of Group-IB DFIR and Threat Intelligence teams\r\nreveals an uptrending phishing technique which is essentially achieved by abusing Microsoft file sharing services,\r\nincluding Sway, SharePoint, and OneNote. Group-IB Threat Intelligence team names this series of phishing\r\nattacks the PerSwaysion campaign for the extensive abuse of Sway service. The dubbed PerSwaysion\r\ncampaign is a collection of small yet targeted phishing attacks run by multiple cyber-criminal groups,\r\nattacking small and medium financial services companies, law firms, and real estate groups.\r\nEvidence suggests, since mid 2019, at least 156 high ranking officers of given organizations are compromised.\r\nSuch high-profile victims tend to locate in the US, Canada, while the rest are in global and regional financial\r\nhubs such as Germany, the UK, Netherlands, Hong Kong and Singapore and other countries. Group-IB\r\ncontinues to work with the relevant parties in local countries to inform the affected companies of the breach.\r\nFigure 1: Distribution of PerSwaysion victims\r\nThe PerSwaysion campaign adopts multiple tactics and techniques to avoid traffic detection and automated threat\r\nintelligence gathering:\r\nWhitewashing techniques: Using legit file sharing sites as jumping board; Using web application hosting\r\nfrom reputable vendors such as Google’s AppSpot and IBM’s MyBlueMix\r\nCounter-intelligence methods: Randomizing malicious JS file names; Fingerprinting victim browsers and\r\nrejecting repeated visits\r\nhttps://blog.group-ib.com/perswaysion\r\nPage 1 of 16\n\nPerSwaysion campaign is yet another living example of highly specialized phishing threat actors working together\r\nto conduct effective attacks on a large-scale. 
The campaign phishing kit is primarily developed by a group of\r\nVietnamese speaking malware developers while campaign proliferation and hacking activities are operated by\r\nother independent groups of scammers.\r\nPerSwaysion Attack Analysis\r\nOverview\r\nA typical attack of PerSwaysion is a 3-phase phishing operation which takes a victim from a PDF attached\r\nemail, through Microsoft file sharing services, then to the final phishing site. PerSwaysion campaign\r\ncybercriminals have displayed an adequate level of phishing capabilities since August 2019, earliest timeframe the\r\ncampaign left traces on the internet. PerSwaysion entangles multiple layers of traffic whitewashing to avoid as\r\nmuch corporate network defense as possible. In the current wave of attacks, scammers primarily abuse Microsoft\r\nSway file sharing service as the jumping board to redirect victims to actual phishing sites.\r\nIn its earlier stages, Group-IB Threat Intelligence team discovers other variants using Microsoft SharePoint and\r\nOneNote. The scammers pick legit file sharing services which have the ability of rendering seamless preview of\r\nuploaded files with phishing links. This key feature helps scammers construct web pages that strongly resemble\r\nauthentic Microsoft experience. Furthermore, the scammers also separate phishing application and victim data\r\nharvesting backend servers, providing extra identity masquerades. Such application architecture also improves\r\nflexibility and operational continuity when phishing sites are taken down or blocked. Scammers simply deploy\r\nnew instances under new domain names without disrupting overall data collection operations.\r\nFigure 2: PerSwaysion attack scheme overview\r\nA Case Walkthrough\r\nThe victim received an email from an external business partner with a PDF file attachment. 
The email appears to\r\nbe authentic given its sender address owner is the actual business partner. There are things out of norm about the\r\nemail, such as:\r\nsender and recipient are the same person (true recipients are hidden in bcc list);\r\nemail subject is only the business partner company full name;\r\nthe first sentence contains words separated by ‘+’ instead of space.\r\nHowever, these abnormalities are not significant enough to alert the victim.\r\nFigure 3: Text extracted from email sent by victim’s external business partner\r\nThe PDF attachment file presents itself as a notification of Office 365 file sharing to the victim. To increase its\r\ncredibility, the PDF mimics real Office 365 notification format by listing the full name, email address and sender’s\r\ncompany.\r\nFigure 4: Screenshot of the email attachment\r\nThe ill-formed PDF file contains several long yet seemingly random strings. It is likely to be a result of bugs in\r\nthe automation software used by scammers to generate PDF files. Strings are in the same white color as the page\r\nbackground. However, in certain PDF reader applications, a viewer could make hidden strings visible by simply\r\nhighlighting all text (Ctrl + A).\r\nFigure 5: PDF with invisible characters highlighted\r\nUpon clicking ‘Read Now’, the victim is taken to a file hosted on Sway in this specific case. For untrained eyes,\r\nthis page resembles an authentic Microsoft Office 365 file-sharing page. 
However, this is a specially crafted\r\npresentation page which abuses Sway default borderless view to trick the victim as if it were part of the Office 365\r\nofficial login page.\r\nFigure 6: Sway displays a phishing file in presentation mode\r\nOnce clicking ‘Read Now’ on the page, the victim is redirected to the final destination, the actual phishing site.\r\nUpon reaching the phishing domain home page, the victim is assigned a unique serial number by the\r\nphishing kit. Immediately, the victim is redirected yet again to the same domain but with the generated serial\r\nnumber appended as parameter. The phishing site disguises itself as a Microsoft Single Sign-On page. Front end of the\r\nphishing kit, however, seems to be re-used for quite a long period of time. The kit developer copied Microsoft\r\nOutlook login page with revision number 6.7.6640.0. This revision was used by Microsoft back in May 2017.\r\nCurrently, official Microsoft SSO page doesn’t have any application specific header such as ‘Outlook’.\r\nFigure 7: Phishing site disguised as Microsoft SSO\r\nThe generated serial number serves as a rudimentary fingerprinting technique of the victim. Any repeated request\r\nto the exact same URL will be rejected by 403 error. As a side effect, it stops any automated threat detection\r\nefforts to URLs visited by victims. However, even the same browser with same IP will be assigned different serial\r\nnumbers when visiting the phishing home page multiple times.\r\nFigure 8: Repeated requests are rejected\r\nWhen the victim submits his or her corporate Office 365 credentials as if for a normal login, the sensitive data is\r\nsent to a separate data server with an extra email address which is hidden on the page. This extra email seems to\r\nbe used as a real-time notification method to make sure scammers react on freshly harvested credentials. 
Such\r\nindependent notification indicates that PerSwaysion campaign is likely to be operated by several groups with\r\ndistinguished focuses.\r\nFigure 9: Network traffic when victim click ‘Log In’ button\r\nDisassembling the Phishing Site\r\nPerSwaysion campaign phishing kit displays interesting technology capability progress. Common phishing kits\r\nusually focus on mimicking visual similarities to authentic services while the credential harvesting methods are\r\nrudimentary, static HTML codes centric. PerSwaysion phishing kit is well modularized into:\r\nPhishing GUI serving web application\r\nVictim credential data hosting backend server\r\nReal-time notification service\r\nFigure 10: Phishing web application sequence diagram\r\nThe main phishing web application adopts reactive JavaScript framework Vue.js and promise-based HTTP client\r\naxios to implement on-page data manipulation, aligning with most modern web application user experience. As a\r\nside effect, the phishing kit pushes most computing tasks to the client (victim) side, saving further operational cost\r\nby shrinking rental fees of cloud server CPU hours.\r\nWhen a victim lands on the phishing page, victim’s browser automatically loads 2 JavaScript files referred to in the\r\npage. Both JS file names follow format of ‘theme/[hash_like_string].js‘, while 1 file hash string has 45 characters\r\nand the other has 32 (e.g. ‘a5e2a323bdb682660c9cd8b06e950f31nbr1581699430.js‘ and\r\n‘e88a1b1823a36c944d71746cdefb5fdc.js‘). 45-character named JS file handles usual user interactions.\r\n32-character named JS file contains the main code to communicate with the data backend server. 
The following\r\ndiscussion will refer to the 32-character named JS file as ‘loading.js‘ for convenience.\r\nFigure 11: Phishing web application sequence diagram\r\nThe loading.js first generates a long string to mark the victim browser if the victim visits the home page without\r\nsub-folder in the URL. If a URL with sub-folder is requested by client side, the data server will check whether the\r\nfolder with same name exists or not. If it already exists, the server will reject the request.\r\nFigure 12: JS code to generate unique ID\r\nOtherwise, the server assigns the string as designated folder name for the victim on the data server. At the same\r\ntime, the victim is redirected to the URL with folder name appended as sub URI.\r\nFigure 13: Data server redirects a victim to designated sub URI\r\nLoading.js also defines a set of operational parameters to differentiate sub campaigns by version number\r\n(ID_CUS_SP_NBR_30629) and notification email (EMAILRESULT_NBR). As a ‘safety net’, loading.js will\r\nredirect the victim to legitimate sites defined in LINKRE_RESULT if processing goes wrong.\r\nFigure 14: Operational parameters to differentiate sub campaigns\r\nChain Reaction Infection Tactics\r\nPerSwaysion scammers conduct follow-up operations against newly collected victim account credentials in\r\nvery timely manners. Group-IB investigations reveal that scammers take 3 main steps to push new round of\r\nphishing attempts leveraging current victim’s account (‘T’ denotes current victim infection time):\r\n1. Initial reconnaissance. PerSwaysion operatives log into victim email accounts via web application access.\r\nOn average, this step happens on T + 6 hours. If victim credentials are valid, operatives move on to the\r\nnext step.\r\n2. Mass data dumping via API. 
Operatives establish connection to the victim’s corporate email server and\r\ndump email data via IMAP APIs. On average, this step starts on T + 7 hours.\r\n3. Victim impersonation. Operatives generate new phishing PDF files with the current victim’s full name,\r\nemail address, company legal name, and sometimes the victim’s official title. These PDF files are sent to a\r\nselection of new people who have recent email communications with the current victim. On average, this\r\nstep happens on T + 21 hours. It’s of note that PerSwaysion scammers typically delete impersonating\r\nemails from the victim’s outbox to avoid suspicion.\r\nIt is worth noticing that PerSwaysion scammers tend to select next round of victims who are outside of\r\ncurrent victim organization and hold significant positions. Evidence indicates that scammers are likely to use\r\nLinkedIn profiles to assess potential victim positions. Such a tactic reduces the possibility of early warning from current\r\nvictim’s co-workers and increases the success rate of new phishing cycle. As a side effect, PerSwaysion campaign\r\ndisplays a unique chain reaction type of infection timeline in which victims’ relations are traceable.\r\nAt the current stage, PerSwaysion scammers do not have clear preferences of financial profit generating models.\r\nThe scammers hold covert access to many corporate email accounts and large piles of sensitive business email\r\ndata. The situation opens up a wide range of possibilities. The account access could be sold in bulk to other\r\nfinancial scammers to conduct traditional monetary scams. Sensitive business data extracted from emails, such\r\nas non public financial records, secret trading strategies, and client lists, could be sold to the highest bidder\r\nin the underground markets.\r\nHunting\r\nInfection Chronicle\r\nBased on unique signatures of malicious JavaScript files, the earliest samples in the wild are discovered hosted on\r\nyourjavascript.com. 
It seems in the early stage of PerSwaysion campaign, scammers use free JavaScript host\r\nservice to store malicious scripts. Files were uploaded by ‘adriangalbincea’ on 9th August 2019.\r\nFigure 15: Yourjavascript hosted files\r\nBy late September 2019, PerSwaysion campaign has adopted much more mature technology stacks, using Google\r\nAppspot for phishing web application servers (first reported by Zscaler) and Cloudflare for data backend\r\nservers. In the same month, the campaign reached its first peak of actions. Following Zscaler’s report, the\r\ncampaign was temporarily suppressed thanks to mass takedown by Appspot. PerSwaysion campaign started to\r\nramp up again in late December 2019 as noted by Avanan. In the second wave, scammers moved to IBM\r\nMybluemix for phishing web application server hosting.\r\nGroup-IB Threat Intelligence team discovered a series of malicious PDF files and Sway sharing links via instant\r\nmessaging services (such as Slack) in the wild that indicate potential successful infection incidences. With prior\r\nfirst hand investigation experience from actual victims, the team established 156 high profile cases\r\nworldwide with a good degree of confidence. PerSwaysion scammers carefully selected their victims with\r\nstrong preferences of management personnel. Among these high-ranking officer victims, more than 20 Office365\r\naccounts of executives, presidents and managing directors appeared. Majority of the cases are in the US and\r\nCanada. Other victims tend to locate in global and regional financial hubs such as Singapore, Germany, the UK,\r\nNetherlands, and Hong Kong.\r\nThreat Actors Tracing\r\nPerSwaysion campaign is a series of typical Malware-as-a-Service based operations. 
The phishing kit\r\ndevelopment team has a strong link to Vietnamese speaking community while scammers who purchase and\r\noperate actual phishing attacks are scattered across the world.\r\n27 threat-actor-controlled email addresses are discovered embedded in variants of PerSwaysion phishing\r\nkits. Evidence indicates that PerSwaysion is run by several loosely connected sub-groups of threat actors. Each\r\nvariant is differentiated by the ‘ID_CUS_SP_NBR‘ in the malicious JavaScript file. This also proves that kit\r\ndeveloper groups do not run phishing campaigns by themselves. We assume that the developer group sells its\r\nproduct to various scammers for direct profit – a common practice in the underground community.\r\n‘ID_CUS_SP_NBR‘ is a string which follows ‘[UniqueID]_dd.mm.YYYY.MM_SS_[milisecond]‘ format.\r\nThe date portion is likely to be the date when such a variant is updated and passed on to scammers. These sub-groups purchase the web phishing kit and PDF generator from the malware developer group. They run targeted\r\nphishing attacks independently and take further actions to proliferate infection jumping from 1 victim to another.\r\nFurther analysis shows 5 groups of emails co-operate in certain attacks, each group bears the same prefix in\r\n‘ID_CUS_SP_NBR’. The groups are highlighted with different colours in Figure 16. These emails are also\r\nprovided in the Appendix section below.\r\nFigure 16: Relation of threat actor emails and variant names\r\nCombining Group-IB threat actor database and various OSINT sources, the Threat Intelligence team discovered a\r\nnumber of relations between PerSwaysion scammers and other threat actors.\r\nEmail anuanuanuoluwa@gmail[.]com was first spotted in August 2017 in a phishing kit mimicking Adobe PDF\r\nlock. This account has been active since 2017 in 7 major phishing kits. 
Considering that the email account appears\r\nin the earliest PerSwaysion campaign variant uncovered and several testing data sets, it is very likely the owner is\r\npart of PerSwaysion development group. It has co-operated in campaigns with scammers\r\nanuanu2018@yahoo[.]com, kikersnot3@gmail[.]com, sampile@yandex[.]com in following years.\r\nFigure 17: Adobe phishing kit\r\nScammer email fashsam@protonmail[.]com is used to register LinkedIn account named ‘Daniel browns‘. This\r\naccount is believed to be used for gathering potential victim profiles. Such data helps PerSwaysion scammers to pick people\r\nholding significant corporate positions.\r\nFigure 18: LinkedIn account at www.linkedin.com/in/daniel-browns-721316196\r\nThe scammer nasubaexpress45@gmail[.]com conducted phishing attacks in October 2018 on domain\r\npaperbarkestate.co.za, disguised as JPMorgan online banking. Later, it initiated another phishing attack on domain\r\npractica-ltd[.]com, acting as if Discover credit card home page.\r\nBoth tommyben395@gmail[.]com and sucknipples911@gmail[.]com are used for Facebook registration. It is\r\nlikely that scammers use these Facebook accounts to initiate similar reconnaissance tasks as on LinkedIn.\r\nScammers controlling virgilabloh007@yandex[.]com, cargillfsc_accountspayable@cargillll[.]com,\r\ncontabilidad@grupolren[.]com are specialized in Microsoft Office 365 related phishing attacks and have been\r\nworking closely with each other in the past 3 years.\r\nThe ‘Nigerian Prince’\r\nThreat actor group of anuanuanuoluwa@gmail[.]com, as one of the first PerSwaysion participating teams, has been\r\nactively conducting various phishing attacks since its inception in 2017. 
With Group-IB’s threat actor profiling\r\nsystem, the team is able to attribute anuanuanuoluwa@gmail[.]com to a group of active scammers in Nigeria and\r\nSouth Africa whose main personnel goes by the name Sam.\r\nFigure 19: anuanuanuoluwa@gmail[.]com attribution process\r\nThe choice of words in threat actor code names often reveals their culture, background and personal preferences. It\r\nis particularly true among non-native English speakers. In PerSwaysion case, anuanuanuoluwa resembles the\r\nname Anu Oluwa (or Anuoluwa), a popular female name among Yoruba. Yoruba is an ethnic group living mainly\r\nin Nigeria and Benin. Furthermore, the Gmail account is linked to a Tecno brand mobile phone. Tecno is a\r\nsubsidiary of the Shenzhen based Chinese smartphone manufacturer Transsion Group which focuses on producing\r\naffordable smartphones for Africa. Majority of Tecno phones are sold in Nigeria.\r\nThe anuanuanuoluwa group has been operating the same Skype ID ‘fash20161‘ since 2017. In the early stage, the\r\nSkype account goes by the name Anaye (anuanuanuoluwa@gmail[.]com). This account was used primarily for\r\nonline shopping scam at buyatcheapstore[.]com, a fake online electronic store. Later, it was moved to fash sam\r\n(fashsam2015@gmail[.]com) when the online shopping scam is no longer profitable and the group needs a new\r\nname to start new operations. With further investigation, the Threat Intelligence team establishes links to the\r\nFacebook account ‘Fash‘ (facebook[.]com/pg/-Fash–2093680757537979/about). 
Its associated phone number\r\n(+234 8149571720) finally leads to a potential personnel who goes by the name Sam who owned a flat in Ikorodu,\r\nNigeria.\r\nFigure 20: A property listing in Nigeria posted by a user fashsam2015 with a phone number 8149571720\r\nIntriguing Language Preference\r\nSeveral unusual language preferences in the loading.js (discussed in ‘Disassembling the Phishing Site‘ section)\r\nunveil diversity of highly specialized subgroups who develop the phishing kit and run PerSwaysion campaign.\r\nVietnamese warning messages show scammer intention to further target Vietnamese business.\r\nFigure 21: Vietnamese locale for user warning messages\r\nThis intention becomes even clearer during code analysis when Group-IB researchers discovered the VeeValidate\r\nuser input validation module used in code only includes Vietnamese locale while 48 languages are supported.\r\nFigure 22: Vietnamese locale for VeeValidate\r\nFurthermore, Vietnamese usage in the log message indicates malicious JavaScript developer team has native\r\nVietnamese-speaking threat actors.\r\nFigure 23: Vietnamese developer log messages\r\nBesides usual English fonts, the font rendering set in the script also contains Microsoft YaHei (a Simplified\r\nChinese font) and Microsoft JhengHei (a Traditional Chinese font). Such code shows the potential interest in\r\nChinese speakers in both mainland China and Taiwan region.\r\nFigure 24: Chinese fonts emerge from unexpected code blocks\r\nAppendix\r\nSource: https://blog.group-ib.com/perswaysion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/perswaysion"
	],
	"report_names": [
		"perswaysion"
	],
	"threat_actors": [],
	"ts_created_at": 1777604990,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f4e341c110961b9d5c8ca9380ab925ab9830a57.pdf",
		"text": "https://archive.orkl.eu/8f4e341c110961b9d5c8ca9380ab925ab9830a57.txt",
		"img": "https://archive.orkl.eu/8f4e341c110961b9d5c8ca9380ab925ab9830a57.jpg"
	}
}