ANY.RUN has observed a sustained surge in a credential-phishing campaign active since 2024. This campaign, dubbed BlobPhish, introduces a sneaky twist: instead of delivering phishing pages via traditional HTTP requests, it generates them directly inside the victim’s browser using blob objects. The result is a phishing payload that lives entirely in memory, leaving little to no trace in logs, cache...
BlobPhish represents a sophisticated evolution in phishing tactics, leveraging browser Blob objects to evade traditional detection mechanisms. The campaign’s use of memory-resident payloads bypasses file-based and network-based security tools, making it particularly insidious. While the technical innovation is notable, the broader implication is the growing arms race between attackers and defenders, where conventional perimeter defenses are increasingly inadequate. The campaign’s focus on high-v...
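
Because a page rendered from a Blob object is addressed by a `blob:` URL rather than fetched over HTTP, one place a defender can still see it is in browser-side telemetry. The following is an added example, not code from ANY.RUN or from the campaign: it triages page-load events for login forms rendered from `blob:` documents, and the event schema (`url`, `frame`, `passwordFields`, `postTargets`) and all sample values are hypothetical and constructed for illustration.

```javascript
// Added example: triage browser telemetry for credential forms in blob: documents.
// The event schema and every sample value below are constructed assumptions.

// A blob URL has the form blob:<creator origin>/<uuid>.
// Return the creator origin, or null for non-blob URLs and opaque origins.
function blobCreatorOrigin(url) {
  if (typeof url !== 'string' || !/^blob:/i.test(url)) return null;
  try {
    const origin = new URL(url.slice(5)).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null; // e.g. "blob:null/<uuid>" created from an opaque origin
  }
}

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Classify one page-load event as 'ignore', 'review' or 'alert'.
function triage(event) {
  if (!/^blob:/i.test(event.url)) return { verdict: 'ignore', reasons: [] };
  const creator = blobCreatorOrigin(event.url);
  const reasons = [`document rendered from blob: URL (creator: ${creator ?? 'opaque'})`];
  // Blob documents without credential inputs (previews, downloads) are common.
  if (event.passwordFields === 0) return { verdict: 'ignore', reasons };
  reasons.push('password input present in a blob: document');
  // Data sent anywhere other than the origin that created the blob is suspicious.
  const foreign = event.postTargets.filter((t) => originOf(t) !== creator);
  if (foreign.length) reasons.push(`data posted off-origin: ${foreign.join(', ')}`);
  const verdict = event.frame === 'top' || foreign.length ? 'alert' : 'review';
  return { verdict, reasons };
}

// Constructed sample events (hypothetical hosts and UUIDs).
const SAMPLE_EVENTS = [
  { url: 'https://mail.example/login', frame: 'top', passwordFields: 1,
    postTargets: ['https://mail.example/session'] },
  { url: 'blob:https://files.example/7b1e6c0a-1111-4222-8333-444455556666', frame: 'top',
    passwordFields: 1, postTargets: ['https://collector.invalid/submit'] },
  { url: 'blob:https://docs.example/0a0a0a0a-1111-4222-8333-444455556666', frame: 'sub',
    passwordFields: 0, postTargets: [] },
  { url: 'blob:https://app.example/1b1b1b1b-1111-4222-8333-444455556666', frame: 'sub',
    passwordFields: 1, postTargets: ['https://app.example/api/login'] },
];

for (const e of SAMPLE_EVENTS) console.log(triage(e).verdict, e.url);
```

The heuristic only sees what the telemetry source reports, so it depends on a browser extension or endpoint agent that records the document URL and form fields at render time.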
