{
	"id": "89959d3c-d21b-4f28-8683-298cabb89c23",
	"created_at": "2026-04-06T00:06:14.361067Z",
	"updated_at": "2026-04-10T03:25:09.731037Z",
	"deleted_at": null,
	"sha1_hash": "f57c5bd60c7d5d9568eb0cd46ea4306d8a79ca71",
	"title": "PerSwaysion Threat Actor Updates Their Techniques and Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 459162,
	"plain_text": "PerSwaysion Threat Actor Updates Their Techniques and Infrastructure\r\nBy Scarlet Shark\r\nPublished: 2022-01-18 · Archived: 2026-04-05 12:37:51 UTC\r\nBy Alec Dhuse\r\nThe PerSwaysion phishing campaign is back. The threat actor behind PerSwaysion is now using a more direct phishing method and updated techniques from previous campaigns, aimed at stealing credentials for Microsoft 365.\r\nA Quick History of PerSwaysion\r\nIn April 2020 the Group-IB Threat Intelligence team published an investigation of a series of phishing attacks they dubbed the PerSwaysion campaign. The campaign targeted high-level executives, with attacks going back to at least August 2019. Group-IB concluded the attacks were likely perpetrated by a Vietnam-based threat actor. Their write-up is here: https://blog.group-ib.com/perswaysion\r\nMore than a year later, in November 2021, SeclarityIO published an in-depth analysis of PerSwaysion’s phishing kit code and its infrastructure. Their write-up is here: https://www.seclarity.io/resources/blog/the-art-of-perswaysion-phishing-kit/\r\nThis article focuses on the changes in techniques and the current infrastructure used in the latest phishing campaigns we’ve observed.\r\nAttack Chain\r\nIn the past, PerSwaysion phishing pages were hosted on file-sharing websites or hosting sites that offered a trial or free tier. This relied on the phishing campaign finishing before the phishing page was taken down or the trial period expired.\r\nIn their most recent campaigns, this threat actor has switched from a hosted phishing site to an HTML file attached to the phishing email. The attached file then loads a series of support files to display a copy of the Microsoft 365 login page. 
See below for a diagram of the attack chain.\r\n[Diagram: PerSwaysion Attack Chain]\r\nhttps://blog.scarletshark.com/perswaysion-threat-actor-updates-their-techniques-and-infrastructure-e9465157a653\r\nPage 1 of 6\r\nPhishing Email — The Lure\r\n[Screenshot of a PerSwaysion phishing email]\r\nThe latest emails were observed being sent through Amazon’s Simple Email Service, with each email passing both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) checks. Note that SPF and DKIM only confirm that a message came from the domain it claims to come from; they say nothing about whether that domain is attacker-controlled.\r\nThe domains gemlacksresults[.]net and rotarim50[.]com were used as sender domains. Both were registered through sav.com and were in use less than 30 days after registration.\r\nThe previous run of phishing emails was observed being sent from stolen Gmail accounts.\r\nThe HTML Attachment\r\nThe payload of the phishing email is an HTML attachment. The content of this file is obfuscated using multiple layers of JavaScript. Presumably this is to evade some email filtering systems as well as to prevent casual analysis of the payload. Despite this, Microsoft’s Exchange Online Advanced Threat Protection detects these attachments as malicious.\r\nThe first layer of obfuscation is Base64-encoded text that is decoded using built-in browser functions. The decoded text is then written to the Document Object Model (DOM). This is a common technique in phishing emails with HTML attachments, generally seen with the Base64 decoding nested inside the document write function, like this:\r\ndocument.write(atob(\"[Base64 text]\"));\r\nThe next layer of obfuscation uses a modified version of the JavaScript minifier and packer originally developed by Dean Edwards, recognisable by its eval(function(p,a,c,k,e,d){...}) signature. 
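\r\nWhat peeling these layers looks like in practice, as an added Python example written for this page (it is not the actor’s code and not Scarlet Shark’s tooling): it strips nested document.write(atob(...)) wrappers and then reverses the unmodified Dean Edwards p,a,c,k,e,d packer, run on a constructed two-layer sample whose final payload injects an external script, as the real attachment does. The sample payload, the example.invalid URL and the abbreviated packer body are constructed for the demonstration, and the unpacker handles only the stock packer; the actor’s modified variant adds a lookup array of character-shifted values that has to be reversed per sample before the same token replacement applies.\r\n
```python
import base64
import re

# Layer 1: document.write(atob('...')) with either quote style around the Base64.
ATOB_WRITE = re.compile(
    'document\\.write\\s*\\(\\s*atob\\s*\\(\\s*[\\x27\\x22]'
    '([A-Za-z0-9+/=]+)[\\x27\\x22]\\s*\\)\\s*\\)'
)

# Layer 2: the standard (unmodified) Dean Edwards packer call, i.e.
#   eval(function(p,a,c,k,e,d){...}('payload',radix,count,'w0|w1|...'.split('|'),0,{}))
# Groups: 1 = packed payload (may contain backslash-quote escapes), 2 = radix,
# 3 = word count, 4 = pipe-separated dictionary. Anchored on the argument list,
# not the function body, because the body is the part the actor rewrote.
PACKER = re.compile(
    'eval\\s*\\(\\s*function\\s*\\(\\s*p\\s*,\\s*a\\s*,\\s*c\\s*,\\s*k\\s*,\\s*e\\s*,\\s*d\\s*\\)'
    '.*?\\}\\s*\\(\\s*\\x27((?:[^\\x27\\\\]|\\\\.)*)\\x27\\s*,\\s*(\\d+)\\s*,\\s*(\\d+)\\s*,'
    '\\s*\\x27([^\\x27]*)\\x27\\.split\\(\\s*\\x27\\|\\x27\\s*\\)',
    re.S,
)

# Token alphabet of the packer's e() helper (covers radix up to 62).
DIGITS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'


def peel_atob_layers(html, max_layers=10):
    '''Decode nested document.write(atob(...)) wrappers.
    Returns (innermost text, number of layers removed). Capped so a wrapper
    that decodes to itself cannot loop forever.'''
    text = html
    for layers in range(max_layers):
        m = ATOB_WRITE.search(text)
        if not m:
            return text, layers
        text = base64.b64decode(m.group(1)).decode('utf-8', 'replace')
    return text, max_layers


def decode_token(tok, radix):
    '''Inverse of e(): token -> dictionary index, or None if not a valid token.'''
    n = 0
    for ch in tok:
        v = DIGITS.find(ch)
        if v < 0 or v >= radix:
            return None
        n = n * radix + v
    return n


def unpack_packer(js):
    '''Reverse the standard p,a,c,k,e,d packer.
    Returns the original source, or None when no packer call is present.'''
    m = PACKER.search(js)
    if not m:
        return None
    payload = re.sub('\\\\(.)', '\\1', m.group(1))  # drop backslash escapes
    radix, count = int(m.group(2)), int(m.group(3))
    words = m.group(4).split('|')

    def restore(match):
        tok = match.group(0)
        idx = decode_token(tok, radix)
        if idx is None or idx >= min(count, len(words)) or not words[idx]:
            return tok  # empty dictionary slot: the token is the word itself
        return words[idx]

    # The packer replaced every identifier-like word with a token; map each back.
    return re.sub('\\w+', restore, payload)


def analyze(html):
    '''Whole pipeline: peel atob layers, then unpack. Returns a summary dict.'''
    inner, layers = peel_atob_layers(html)
    return {
        'atob_layers': layers,
        'packed': PACKER.search(inner) is not None,
        'unpacked': unpack_packer(inner),
    }


# Constructed sample (not a real attachment): a packed one-liner that injects an
# external script, later wrapped twice in document.write(atob(...)). The packer
# body is abbreviated to a comment since only its argument list matters here.
INNER_JS = (
    '''eval(function(p,a,c,k,e,d){/* packer body omitted in this constructed sample */}'''
    '''('0 1=2.3(\"4\");1.5=\"6://7.8/9.a\";2.b.c(1);',36,13,'var|s|document|createElement|'''
    '''script|src|https|example|invalid|loader|js|head|appendChild'.split('|'),0,{}))'''
)


def build_sample():
    '''Nest INNER_JS inside two document.write(atob()) layers, as the attachments do.'''
    layer = INNER_JS
    for _ in range(2):
        b64 = base64.b64encode(layer.encode()).decode()
        layer = '<script>document.write(atob(\"' + b64 + '\"));</script>'
    return '<html><body>' + layer + '</body></html>'


if __name__ == '__main__':
    result = analyze(build_sample())
    print('atob layers removed:', result['atob_layers'])
    print('packer present:', result['packed'])
    print('recovered source:', result['unpacked'])
```
\r\nRun as a script it reports two atob layers removed, a packer call found, and the recovered one-liner that creates a script element pointing at the external loader. Against a real attachment, the point where unpack_packer returns garbage instead of JavaScript is where the actor’s extra lookup-array substitution begins.\r\n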
The actor’s modified version adds an array lookup and replacement step, with the lookup array containing character-shifted cipher values.\r\nDespite all the layers of obfuscation, the attached HTML page is a simple wrapper that adds anti-debugging JavaScript statements and a single link to an external JavaScript file. This external file loads the additional resources needed to display the phishing page to the victim (for ease of reference, we call this file the JavaScript loader file).\r\nThe JavaScript loader file is hosted at hXXps://valdia.quatiappcn[.]pw/[hex digits].js. Older campaigns have been observed using hXXps://kifot.wancdnapp[.]page/[hex digits].js as the host for this file. In all the campaigns we have observed, multiple JavaScript loader files are hosted at the same location, each with a unique filename consisting of hexadecimal digits.\r\nThe loader file in turn loads the additional library files used in the phishing kit. Every loader file loads the same library files except for one file that is unique to each loader filename. That unique file has a 32-hexadecimal-character filename with a .js extension. It contains a hard-coded string that looks like Base64-encoded text but does not decode into anything recognizable. 
This may indicate that the contents are encrypted, or that it is an API key used on the PerSwaysion server to differentiate between campaigns or users.\r\nThe JavaScript loader file loads these phishing kit resource files:\r\nhXXps://rikapcndmmooz.firebaseapp.com/njtyzxntbfsdvxxz/themes/css/7f01272697919812996411ac56c3d204nbr163958285\r\nhXXps://rikapcndmmooz.firebaseapp.com/njtyzxntbfsdvxxz/themes/css/069a654bc4a1e6e66a713098353bb534nbr163958285\r\nhXXps://rikapcndmmooz.firebaseapp.com/njtyzxntbfsdvxxz/themes/7f01272697919812996411ac56c3d204nbr1639582853.js\r\nhXXps://rikapcndmmooz.firebaseapp.com/njtyzxntbfsdvxxz/themes/ab50d0179cfb0f7e29d68bebaaa0e399.js\r\nhXXps://rikapcndmmooz.firebaseapp.com/njtyzxntbfsdvxxz/themes/js/a3107e4d4ae0ea783cd1177c52f1e6301639582846.js\r\nAs well as these open-source JavaScript libraries:\r\nhXXps://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js\r\nhXXps://cdnjs.cloudflare.com/ajax/libs/mobile-detect/1.3.6/mobile-detect.min.js\r\nhXXps://cdnjs.cloudflare.com/ajax/libs/vuex/2.3.1/vuex.min.js\r\nhXXps://cdnjs.cloudflare.com/ajax/libs/vee-validate/2.0.0-rc.3/vee-validate.min.js\r\nhXXps://cdnjs.cloudflare.com/ajax/libs/vue-i18n/7.0.3/vue-i18n.min.js\r\nhXXps://unpkg.com/axios@0.16.1/dist/axios.min.js\r\nhXXps://unpkg.com/lodash@4.17.4/lodash.min.js\r\nhXXps://unpkg.com/vue@2.6.11/dist/vue.min.js\r\nhXXps://unpkg.com/vue-router@2.7.0/dist/vue-router.min.js\r\nThese library URLs are legitimate public CDN files and are not indicators on their own; the exact set of versions is worth recording because it helps fingerprint the kit.\r\nOlder campaigns hosted the files on a different Google Firebase domain:\r\nhXXps://rikcndapplala.web.app/zxhjkmnjdbfxzvdzx/themes/css/5ec43dada25c716f7880b0b8e6ff5e61nbr1633368005.css\r\nhXXps://rikcndapplala.web.app/zxhjkmnjdbfxzvdzx/themes/css/26ee67cd59cf7ee7f6ca4f6e3a4695f9nbr1633368005.css\r\nhXXps://rikcndapplala.web.app/zxhjkmnjdbfxzvdzx/themes/5ec43dada25c716f7880b0b8e6ff5e61nbr1633368005.js\r\nhXXps://rikcndapplala.web.app/zxhjkmnjdbfxzvdzx/themes/a144f6f5e581d7026db3c04ffe1ab2da.js\r\nThe domains hosting the JavaScript loader files appear to be short-lived, with different domains used over the months of the investigation. Each observed domain is fronted by Cloudflare, which masks the origin server’s IP address. However, the IP address we observed performing credential verification serves the same files as the Cloudflare-protected domains. This is a strong indicator that the server hosting the JavaScript loader files is the same one doing credential verification. Furthermore, the same JavaScript loader files remain accessible after the domain name changes, which further indicates that a single server serves the loader files, captures credentials and then verifies them. Credential capture and verification are discussed later in this article.\r\nThe Phishing Page\r\nOpening the attached HTML displays a fake Microsoft 365 login page with company branding. This is a change from older versions of the phishing kit, which did not display branding. The sign-in email address is prefilled and matches the recipient of the phishing email. Branding is selected based on the domain of that email address and is pulled from Microsoft 365 directly.\r\n[Screenshot: Example with Microsoft branding]\r\nWhen the phishing page loads, several pieces of information are sent to the PerSwaysion server: the preset victim email address, the credential type, and the current date and time. This likely serves as a notification that the phishing page is being actively used, and may be the replacement for the email notification system described in the SeclarityIO article. 
In that article, SeclarityIO observed that previous versions of the phishing kit sent notification emails to addresses controlled by this threat actor. Capturing those emails gave security researchers a better understanding of the actor’s infrastructure. In the latest kit, the direct email notification has effectively been removed by leaving the email field blank.\r\nWhen a victim enters their credentials, both the email address and the password are sent in a POST request to hXXps://iost.kogodemcnd[.]com/re/[Base64-like text], with other observed variants sending data to hXXps://riki.kogodemcnd[.]com/re/[Base64-like text]. The Base64-looking text at the end of the URL is the string hard-coded into the per-loader JavaScript file mentioned above.\r\nThe victim’s credentials are then validated from 52.156.67[.]141 in real time. This IP corresponds to a server running Ubuntu Linux hosted on Microsoft Azure in the US West region. Credential verification has been observed from this IP address since 2021-09-20. Because validation is immediate, any credential submitted to these URLs should be treated as already used and reset without waiting for other signs of account compromise.\r\nThe credential collector domain sits behind a Cloudflare reverse proxy, which masks the actual server IP. However, requesting the same path used for the credential POST directly from the IP we observe verifying credentials returns the same response. This indicates that 52.156.67[.]141 is the actual credential collection server behind the Cloudflare proxy. As mentioned above, this is the same server hosting the initial JavaScript loader file linked from the HTML attachment.\r\nVictimology\r\nThe Group-IB researchers noted that previous campaigns targeted management and executives. In various campaigns during 2021, we observed targeting of senior employees and of accounts associated with those employees, such as support staff. 
We also observed targeting of employees in human resources and finance departments in the latest campaigns.\r\nIn Group-IB’s report, they suspected that victims were selected by browsing or scraping LinkedIn. Of the several hundred victims observed in campaigns this year, 82% had LinkedIn accounts, so roughly one in five could not have been found there. While LinkedIn may have been a source in the past, it is clearly not the only source used by this threat actor.\r\nPrevention\r\nAs with many types of phishing, obfuscation is very prevalent, more so when HTML attachments are used. If your mail filter supports blocking on regular expressions, consider blocking attachments that contain a document write call wrapping a Base64-encoded string. Here is an example of a regular expression that matches this pattern (the character class uses an ASCII hyphen and straight quotes; a curly quote or an en dash, which some editors substitute silently, breaks the match):\r\ndocument\\.write\\s*\\(\\s*atob\\s*\\(\\s*[\\\"\\'][a-zA-Z0-9\\+\\/\\=]+[\\\"\\']\\s*\\)\\s*\\)\r\nThis pattern only catches the literal form. A variant that stores the Base64 text in a variable first, or that calls document[\"write\"], will slip past it, so treat the regex as one cheap signal rather than a complete control.\r\nAnother suggestion is to block, or at least quarantine, email from domains registered within the last 30 days. This can be a built-in function of the mail filter or can be achieved by creating a block list of newly registered domains. Both sender domains in this campaign were used well inside that window.\r\nConclusion\r\nPhishing and detection is an ever-changing landscape, where threat actors continually change and hone their techniques. Most changes are incremental, allowing threat researchers to attribute new campaigns to known threat actors. By documenting these changes, security professionals can better understand how techniques change over time and use this understanding to better defend their systems and users.\r\nWith the newest PerSwaysion campaign, we see this threat actor using organizational branding to make their phishing pages look more legitimate, and using freshly registered custom sender domains that pass SPF and DKIM checks. This increases the likelihood of phishing emails landing in victim mailboxes. 
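\r\nThe two Prevention controls above, applied as an added Python example written for this page (not Scarlet Shark’s tooling or any vendor’s filter): it parses a raw message, reads the Authentication-Results header, compares the From domain’s registration date with a 30-day threshold and scans any HTML attachment with the corrected regex. The message, the registration-date table, the example.invalid URL and the fixed reference date are constructed for the demonstration; in production the dates would come from a WHOIS/RDAP lookup or a newly-registered-domain feed.\r\n
```python
import base64
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Corrected attachment pattern from the Prevention section: ASCII hyphen in
# the range and straight quotes in the class, so it matches what is sent.
ATOB_WRITE = re.compile(
    'document\\.write\\s*\\(\\s*atob\\s*\\(\\s*[\\x22\\x27][a-zA-Z0-9+/=]+[\\x22\\x27]\\s*\\)\\s*\\)'
)
NEW_DOMAIN_DAYS = 30
TODAY = date(2022, 1, 18)  # pinned to the article date so the run is reproducible

# Constructed stand-in for a WHOIS/RDAP lookup or an NRD feed. The sender domain
# names come from the article; the creation dates are invented for the example.
REGISTRATION_DATES = {
    'gemlacksresults.net': date(2021, 12, 30),
    'rotarim50.com': date(2022, 1, 5),
    'example.com': date(1995, 8, 14),
}

def sender_domain(msg):
    '''Domain part of the RFC 5322 From address, lower-cased.'''
    _, addr = parseaddr(msg.get('From', ''))
    return addr.rpartition('@')[2].lower()

def auth_results(msg):
    '''spf=/dkim= verdicts from Authentication-Results, e.g. {'spf': 'pass'}.'''
    header = msg.get('Authentication-Results', '')
    return dict(re.findall('(spf|dkim)=([a-z]+)', header.lower()))

def domain_age_days(domain, today):
    '''Days since registration, or None when the table does not know the domain.'''
    created = REGISTRATION_DATES.get(domain)
    return None if created is None else (today - created).days

def html_attachments(msg):
    '''Decoded text of every text/html part that carries a filename.'''
    for part in msg.walk():
        if part.get_content_type() == 'text/html' and part.get_filename():
            yield part.get_payload(decode=True).decode('utf-8', 'replace')

def triage(raw, today):
    '''Apply both controls. Returns (verdict, reasons), verdict in block /
    quarantine / deliver. A passing SPF/DKIM result is recorded for context but
    never lowers the verdict: the actor registered the sending domain, so
    authentication is expected to succeed.'''
    msg = message_from_string(raw)
    reasons = []
    domain = sender_domain(msg)
    age = domain_age_days(domain, today)
    if age is not None and age < NEW_DOMAIN_DAYS:
        reasons.append(f'sender domain {domain} registered {age} days ago')
    obfuscated = any(ATOB_WRITE.search(html) for html in html_attachments(msg))
    if obfuscated:
        reasons.append('HTML attachment contains document.write(atob(...))')
    ar = auth_results(msg)
    if reasons and ar.get('spf') == 'pass' and ar.get('dkim') == 'pass':
        reasons.append('SPF/DKIM pass does not vouch for a self-registered domain')
    verdict = 'block' if obfuscated else ('quarantine' if reasons else 'deliver')
    return verdict, reasons

# Constructed lure modelled on the observed campaign: fresh From domain, SPF and
# DKIM pass, and an HTML attachment whose only content is an atob wrapper.
_B64 = base64.b64encode(b'<script>location.replace(\"https://example.invalid/x\")</script>').decode()
_ATTACH = '<html><script>document.write(atob(\"' + _B64 + '\"));</script></html>'
SAMPLE_MESSAGE = '\n'.join([
    'From: Accounts <billing@gemlacksresults.net>',
    'Subject: Document shared with you',
    'Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gemlacksresults.net;'
    ' dkim=pass header.d=gemlacksresults.net',
    'MIME-Version: 1.0',
    'Content-Type: multipart/mixed; boundary=\"b1\"',
    '',
    '--b1',
    'Content-Type: text/html; name=\"document.html\"',
    'Content-Disposition: attachment; filename=\"document.html\"',
    'Content-Transfer-Encoding: base64',
    '',
    base64.b64encode(_ATTACH.encode()).decode(),
    '--b1--',
    '',
])

# Constructed benign message from a long-registered domain, no attachment.
BENIGN_MESSAGE = '\n'.join([
    'From: Alice <alice@example.com>',
    'Subject: Lunch',
    'Authentication-Results: mx.example.com; spf=pass; dkim=pass',
    '',
    'See you at noon.',
    '',
])

if __name__ == '__main__':
    for name, raw in (('lure', SAMPLE_MESSAGE), ('benign', BENIGN_MESSAGE)):
        print(name, *triage(raw, TODAY))
```
\r\nRun as a script it prints block for the constructed lure (new domain, obfuscated attachment, and a note that the passing SPF/DKIM result is not exculpatory) and deliver for the benign message. A message from a freshly registered domain without an attachment lands in quarantine rather than block, which is the trade-off the 30-day rule forces: legitimate new domains exist, so that signal alone should hold mail for review rather than reject it.\r\n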
This threat actor has also learned from past mistakes by tightening up their operational security and using a new notification system that does not expose their email addresses.\r\nIt’s likely that future iterations of PerSwaysion will use further refined tactics and techniques, making it worthwhile for security professionals to keep track of these campaigns and the threat actor behind them.\r\nIndicators\r\nhXXps://valdia.quatiappcn[.]pw/[hex digits].js — JavaScript Loader\r\nhXXps://kifot.wancdnapp[.]page/[hex digits].js — JavaScript Loader\r\nrikapcndmmooz.firebaseapp.com — PhishKit File Hosting\r\nhXXps://iost.kogodemcnd[.]com/re/[base64 text] — Credential Collector\r\nhXXps://riki.kogodemcnd[.]com/re/[base64 text] — Credential Collector\r\n52.156.67[.]141 — Credential Verification\r\ngemlacksresults[.]net — Email Sender Domain\r\nrotarim50[.]com — Email Sender Domain\r\nAdditional References\r\nSource: https://blog.scarletshark.com/perswaysion-threat-actor-updates-their-techniques-and-infrastructure-e9465157a653",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.scarletshark.com/perswaysion-threat-actor-updates-their-techniques-and-infrastructure-e9465157a653"
	],
	"report_names": [
		"perswaysion-threat-actor-updates-their-techniques-and-infrastructure-e9465157a653"
	],
	"threat_actors": [
		{
			"id": "2643a7fe-ed06-46f2-8dc1-2ab97cf03031",
			"created_at": "2023-11-21T02:00:07.371804Z",
			"updated_at": "2026-04-10T02:00:03.4696Z",
			"deleted_at": null,
			"main_name": "PerSwaysion",
			"aliases": [],
			"source_name": "MISPGALAXY:PerSwaysion",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775791509,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f57c5bd60c7d5d9568eb0cd46ea4306d8a79ca71.pdf",
		"text": "https://archive.orkl.eu/f57c5bd60c7d5d9568eb0cd46ea4306d8a79ca71.txt",
		"img": "https://archive.orkl.eu/f57c5bd60c7d5d9568eb0cd46ea4306d8a79ca71.jpg"
	}
}