Page 74 - Cyber Defense eMagazine September 2025
Phishing kits go dark
In Q2 2025, 58 percent of phishing kits detected were unidentifiable. This marks a significant departure
from previous years when threat researchers could often track specific kits and campaigns. The rise of
custom-built or heavily obfuscated phishing kits suggests that threat actors are avoiding known
signatures and using AI to create scalable, low-detection phishing infrastructure.
Named kits such as Evilginx (20 percent), Tycoon 2FA (10 percent), and 16shop (7 percent) remain
present, but the majority of kits now defy categorization. These kits are often deployed across global
infrastructure, making detection and attribution increasingly difficult.
Callback phishing gains traction
One of the most surprising trends this year is the emergence of callback phishing. In Q1 2025, this tactic
accounted for 16 percent of phishing attempts, up from almost nothing in 2024.
In callback phishing, attackers send emails that prompt users to call a phone number to resolve an issue.
These emails often appear to be from trusted sources like IT departments or service providers. Once the
victim calls, they are socially engineered into disclosing credentials or installing malware. Because no
links are included in the initial email, traditional phishing detection methods often fail to flag these
messages.
SVG files: a rising delivery mechanism
Although PDF attachments remain the most common file format used in phishing campaigns, accounting
for 36 percent of cases, SVG files are closing the gap quickly at 34 percent. SVGs, or scalable vector
graphics files, are attractive to attackers because they can include embedded JavaScript code through
the use of script tags. When opened in a browser, these scripts can redirect the user to a malicious site
or initiate a file download.
Many security filters do not scan SVGs as aggressively as they do other file types, making this a favored
tool for bypassing defenses. The United States remains the most targeted region for this type of attack,
followed by countries in Western Europe.
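As an added illustration (not part of the magazine article), a minimal mail-gateway check in Python that flags the active content described above in an SVG attachment: script elements, on* event-handler attributes, javascript: URIs, foreignObject wrappers and off-host references. The two sample files and the example.invalid hostname are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET  # production code should prefer defusedxml
from typing import List


def svg_findings(svg_text: str) -> List[str]:
    """Return the reasons an SVG attachment should be held for review.

    Looks for the active content an SVG can carry: <script> elements,
    on* event-handler attributes, javascript: hrefs, <foreignObject>
    (which can wrap arbitrary HTML), and hrefs that point off-host.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Browsers parse .svg as strict XML, so a broken file is also worth a look
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1].lower()  # drop the namespace prefix
        if local == "script":
            findings.append("embedded <script> element")
        elif local == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr, value in elem.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()  # also matches xlink:href
            target = value.strip().lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{local}>")
            elif name == "href" and target.startswith("javascript:"):
                findings.append(f"javascript: URI on <{local}>")
            elif name == "href" and target.startswith(("http://", "https://")):
                findings.append(f"external reference on <{local}>")
    return findings


def should_quarantine(svg_text: str) -> bool:
    return bool(svg_findings(svg_text))


# Constructed samples: a plain drawing, and a file carrying the active content above.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<circle cx="5" cy="5" r="4" fill="blue"/></svg>'
)
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<script>/* constructed marker, no payload */</script>'
    '<a xlink:href="https://example.invalid/landing"><text>Open document</text></a>'
    '</svg>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, svg_findings(sample))
```

A gateway that only inspects PDFs and Office documents would pass the second sample straight through; the point of the check is that the SVG is treated as a scriptable document rather than an image.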
Malware-as-a-Service matures
In both quarters analyzed, Malware-as-a-Service (MaaS) played a key role in the spread of dangerous
payloads. In Q1, the backdoor malware XRed accounted for three times more infections than any other
malware family. In Q2, Lumma Stealer took the top spot. Both malware families are sold on underground
forums as MaaS, making them accessible to a wide range of cybercriminals, including those with limited
technical expertise.