National Cyber Warfare Foundation (NCWF)

DadSEC


2025-05-30 22:52:29
blscott

DadSec (Storm-1575): A Deep Dive into a Rising Phishing-as-a-Service Threat


DadSec, also tracked by Microsoft as Storm-1575, is an emerging and highly active cybercriminal group specializing in Phishing-as-a-Service (PhaaS). Since mid-2023, DadSec has orchestrated large-scale credential harvesting campaigns targeting Microsoft 365 users, employing advanced Adversary-in-the-Middle (AiTM) techniques to bypass Multi-Factor Authentication (MFA) and maintain persistent access to compromised accounts.




Origins and Evolution


Initially identified through its phishing kit, DadSec has evolved into a full-fledged PhaaS operation. The group offers a subscription-based platform that enables clients to deploy sophisticated phishing campaigns with minimal technical expertise. The DadSec phishing panel features customizable themes, anti-bot mechanisms, Cloudflare Turnstile integration, and options for exfiltrating stolen credentials via Telegram or email. Access to this panel is priced at approximately $500.




Attack Techniques


DadSec's campaigns typically commence with spear-phishing emails containing QR codes or HTML attachments. These lures direct victims to counterfeit Microsoft 365 login pages hosted on attacker-controlled servers. The phishing sites are designed to capture login credentials and session cookies, effectively bypassing MFA protections. Notably, DadSec employs AiTM tactics, positioning itself between the user and the legitimate service to intercept authentication tokens in real time.
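A defender-side check for the session-cookie theft described above, added here as an example and not code from the original post: it scans constructed sign-in events for a session that was established with an MFA-backed sign-in from one network and then reused from a different ASN within a short window, which is the footprint an AiTM replay of a captured cookie leaves in sign-in telemetry. The event field names, the sample events and the one-hour window are assumptions.

```python
"""Flag likely AiTM session-cookie replay in sign-in telemetry.

Heuristic: a session created by an MFA-backed sign-in from one network is
reused from a different ASN shortly afterwards, which is what an AiTM proxy
replaying the captured cookie from attacker infrastructure looks like.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events, not real telemetry; field names are assumptions.
EVENTS: List[Dict] = [
    # Victim signs in (through the phishing proxy, MFA still satisfied)...
    {"user": "alice@example.com", "ts": "2025-05-30T08:00:00",
     "ip": "203.0.113.10", "asn": 64500, "session_id": "S1", "mfa": True},
    # ...and three minutes later the same session is used from another ASN.
    {"user": "alice@example.com", "ts": "2025-05-30T08:03:00",
     "ip": "198.51.100.7", "asn": 64501, "session_id": "S1", "mfa": False},
    # Benign: same session, same network, hours later.
    {"user": "bob@example.com", "ts": "2025-05-30T09:00:00",
     "ip": "203.0.113.20", "asn": 64500, "session_id": "S2", "mfa": True},
    {"user": "bob@example.com", "ts": "2025-05-30T17:00:00",
     "ip": "203.0.113.20", "asn": 64500, "session_id": "S2", "mfa": False},
    # Different ASN, but well outside the default replay window: not flagged.
    {"user": "carol@example.com", "ts": "2025-05-30T10:00:00",
     "ip": "203.0.113.30", "asn": 64500, "session_id": "S3", "mfa": True},
    {"user": "carol@example.com", "ts": "2025-05-30T15:30:00",
     "ip": "192.0.2.44", "asn": 64502, "session_id": "S3", "mfa": False},
]


def detect_session_replay(events: List[Dict],
                          window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Return one alert per event that reuses an MFA-established session
    from a different ASN within `window` of the originating sign-in."""
    by_session: Dict[str, List[Dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        by_session.setdefault(e["session_id"], []).append(e)
    alerts = []
    for sid, evs in by_session.items():
        origin = next((e for e in evs if e["mfa"]), None)
        if origin is None:
            continue  # no MFA-backed sign-in to anchor on
        t0 = datetime.fromisoformat(origin["ts"])
        for e in evs:
            delta = datetime.fromisoformat(e["ts"]) - t0
            if e["asn"] != origin["asn"] and timedelta(0) <= delta <= window:
                alerts.append({"user": e["user"], "session_id": sid,
                               "origin_ip": origin["ip"], "replay_ip": e["ip"],
                               "minutes_after_signin": delta.total_seconds() / 60})
    return alerts
```

Widening the window trades false positives (travelling users, mobile network changes) for catching slower replays; the ASN comparison rather than raw IP keeps ordinary DHCP churn from tripping it.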


To evade detection, DadSec utilizes several obfuscation strategies:

  • Cloudflare Turnstile Integration: Incorporating CAPTCHA challenges to add legitimacy and hinder automated analysis.
  • Anti-Bot Scripts: Deploying scripts that detect and block traffic from known security tools and crawlers.
  • Obfuscated Code: Employing heavily obfuscated PHP files to conceal malicious functionalities.
  • IP Blocking: Restricting access from IP addresses associated with security research and analysis.






Infrastructure and Collaborations


Investigations have revealed significant infrastructure overlap between DadSec and another PhaaS platform, Tycoon2FA. Both platforms share common IP addresses, Autonomous System Numbers (ASNs), and domain naming conventions, suggesting a coordinated or shared operational framework. The phishing sites are often hosted on CyberPanel, an open-source web hosting control panel, and utilize Russian top-level domains (TLDs) like ".ru".


Furthermore, DadSec's operations have been linked to targeted attacks on various sectors, including education. Reports indicate that public schools across the United States have been subjected to sophisticated phishing campaigns orchestrated by DadSec, aiming to compromise administrator email accounts and deliver ransomware.




Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.