{
	"id": "9c45f840-d8b4-44fa-93a7-d8865a2e253a",
	"created_at": "2026-04-25T02:18:49.200393Z",
	"updated_at": "2026-04-25T02:19:49.903336Z",
	"deleted_at": null,
	"sha1_hash": "de973cd4c7ad5e422e5fa26b1f97db74156e62e1",
	"title": "Phishing-as-a-Service Profile: LabHost Threat Actor Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39531,
	"plain_text": "Phishing-as-a-Service Profile: LabHost Threat Actor Group\r\nBy Cybersecurity Experts at Fortra\r\nPublished: 2024-02-15 · Archived: 2026-04-25 02:00:35 UTC\r\nFortra continues to monitor malicious activity targeting Canadian banks by the Phishing-as-a-Service (PhaaS)\r\ngroup known as LabHost. Throughout 2022 and 2023, phishing campaigns linked to PhaaS platforms have surged,\r\nas threat actors increasingly rely on subscription-based services to execute attacks. These platforms offer a range\r\nof features, including stolen industry branding, real-time monitoring tools, and techniques to bypass security\r\nmeasures.\r\nCanadian Phishing-as-a-Service Background\r\nIn 2022 and 2023, Fortra monitored threat actors targeting Canadian banks as they adopt the use of Phishing-as-a-Service platforms. Initially, the dominant provider for these services was Frappo. Frappo’s launch in late 2021\r\nresulted in an explosion of multi-branded phishing attacks capable of targeting numerous Canadian financial\r\ninstitutions simultaneously.\r\nAfter the initial spike in activity in the first half of 2022, Frappo users reported that phishing pages made through\r\nthe service were being blocked and mitigated at faster rates. In September 2022, Frappo promised that an\r\nimproved second version of the service would be launched. \r\nOver the course of 2023, Fortra observed phishing content families grow in popularity which shared many\r\nsimilarities with existing Frappo campaigns but included minor changes. Originally thought to be possible\r\ncandidates for “V2”, over time it became evident that the campaigns were sourced from a different distinct PhaaS\r\nplatform. Communication in Canada-centric threat actor channels suggested that phishers had pivoted to using\r\nLabHost instead of Frappo for phishing campaigns.\r\nThe phishing kits used by LabHost and Frappo don’t feature many indicators that make distinguishing between the\r\ntwo easy. 
However, a LabHost service outage in October and the resulting drop in phishing volume provided\r\nstrong evidence for the attribution of LabHost to specific tracked phishing content families. This new information\r\nconfirmed Fortra’s suspicion that LabHost had overtaken Frappo in popularity in the first half of 2023.\r\nLabHost Threat History\r\nLabHost began publicly operating in Q4 2021, only a month after Frappo first became available to paying\r\ncustomers. Threat actors did not immediately take to using LabHost. Compared to Frappo, LabHost was\r\nconsiderably more expensive to subscribe to and initially developed a reputation among threat actors for “taxing”\r\ntheir users’ successful campaigns or outright stealing from their customers.\r\nLabHost’s original multi-branded phishing kit featured full multi-factor authentication phishing for only three\r\nCanadian banks. LabHost added a more robust Canadian inter-bank network scam kit in June 2022 which\r\nexpanded this capability to ten Canadian banking institutions. Fortra first detected a significant increasing trend in\r\nphishing threats originating from LabHost compared to Frappo in the fourth quarter of 2022. In April 2023,\r\nCanadian financial phishing activity spiked following the release of LabHost’s latest multi-branded page offering.\r\nMulti-branded phishing attacks generated by PhaaS platforms, 2023.\r\nAfter the release of the most recent Canadian inter-bank network kit, phishing remained at an elevated level\r\nthrough spring and summer until October. On October 4, 2023, LabHost experienced a major outage which\r\nprevented the creation of new phishing pages and locked threat actors out of any stolen information they had\r\nstored in the platform. 
This outage coincided with the disappearance of multiple tracked phishing content families\r\nfrom the threat landscape, providing strong evidence for attributing specific kits to the LabHost threat group.\r\nWeek-to-week PhaaS activity targeting Canadian Banks, Q3-Q4 2023.\r\nCommunication from the LabHost support team claimed that server maintenance had corrupted their installation\r\nand that a partner of the group sabotaged their systems, and as a result the recovery of the platform would be\r\ndelayed. LabHost remained completely out of service until November 20, when users were allowed back onto the\r\nwebsite to view their information stored on the platform. The functionality to purchase and host new phishing\r\npages was not made available until the service was fully restored on December 6.\r\nPhaaS Analysis\r\nLabHost divides their available phishing kits between two separate subscription packages: a North American\r\nmembership covering US and Canadian brands, and an international membership consisting of various global\r\nbrands (and excluding the NA brands). While the international service is only offered through a single $300 per\r\nmonth subscription, the North American service is available in either a standard or premium package. LabHost’s\r\nstandard membership limits the threat actor to only Canadian brands and three concurrently active phishing pages.\r\nPremium membership grants phishers access to kits targeting US banks and increases the concurrent page count to\r\n20 active phish.\r\nMonthly subscriptions offered by LabHost phishing service.\r\nThe phishing kits most utilized by LabHost’s customers are the Canadian inter-bank network kits targeting a wide\r\narray of Canadian banks. Other Canadian-targeted phishing kits target regional telecom providers and postal\r\ndelivery services. 
Premium kits include phishing pages for 13 US banks, Spotify, and DHL.\r\nLabHost ad for new and updated phishing pages, June 2022.\r\nSeveral variations of the popular multi-brand scam pages are offered, each tailored to work with phishing lures\r\ntargeting various industries including telecommunications, postal services, retail stores and more.\r\nThese kits include detailed installation options which allow threat actors to choose what banks will be actively\r\ntargeted and what personal information will be requested.\r\nSample of multi-branded phishing kit setup and customization.\r\nLive Phishing Capabilities\r\nAll scam kits available from LabHost work alongside a real-time campaign management tool named LabRat.\r\nLabRat allows the phisher to control and monitor their active attacks. This functionality is leveraged in man-in-the-middle style attacks to obtain two-factor authentication codes, authenticate valid credentials, and bypass\r\nadditional security checks.\r\nDemonstration of 2FA code interception. Left – Victim View. Right – Threat Actor Panel.\r\nLabSend Phishing Lures\r\nAlongside LabHost’s relaunch in December, The Lab released a new SMS lure and campaign manager named\r\nLabSend. This new SMS spamming tool provides a sophisticated automated method for sending links to LabHost\r\nphishing pages. As described by The Lab team, the LabSend tool can coordinate an automated smishing campaign\r\nacross multiple SIDs, randomizing portions of text messages to evade detection of catalogued malicious spam\r\nmessages. 
After sending an SMS lure, LabSend will auto-reply to victims’ responses using customizable message\r\ntemplates.\r\nLabSend features detailed in launch ad, December 2023.\r\nLabSend service home page.\r\nLabHost services allow threat actors to target a variety of financial institutions with features ranging from ready-to-use templates to real-time campaign management tools and SMS lures. In order to protect against attacks\r\ntargeting their organizations, security teams should be aware of the spaces where these attacks are occurring and monitor\r\nfor activity targeting their brands. Fortra will continue to provide updates on any LabHost developments as they\r\noccur.\r\nSource: https://www.phishlabs.com/blog/phishing-service-profile-labhost-threat-actor-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.phishlabs.com/blog/phishing-service-profile-labhost-threat-actor-group"
	],
	"report_names": [
		"phishing-service-profile-labhost-threat-actor-group"
	],
	"threat_actors": [],
	"ts_created_at": 1777083529,
	"ts_updated_at": 1777083589,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de973cd4c7ad5e422e5fa26b1f97db74156e62e1.pdf",
		"text": "https://archive.orkl.eu/de973cd4c7ad5e422e5fa26b1f97db74156e62e1.txt",
		"img": "https://archive.orkl.eu/de973cd4c7ad5e422e5fa26b1f97db74156e62e1.jpg"
	}
}