AI-Generated Fake Instruction Video Lure Phishing Campaign

    Date: 06/19/2026

    Severity: Medium

    Summary

    Threat actors are leveraging AI-generated deepfake audio videos hosted on legitimate SaaS and content delivery platforms to conduct phishing campaigns targeting social media users. The videos use social engineering techniques to guide victims into extracting and submitting their own session cookies through browser developer tools, enabling account takeover without traditional credential theft. By abusing trusted cloud services and CDN infrastructure, the campaign evades URL-based security controls while maintaining large-scale distribution. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    Hash

    fc6a175c7f61a5c81875ca29a2c444d7a8f95506ddcdc0c59629f65e15911d83

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://review-submit-for-here.surge.sh" or url like "https://review-submit-for-here.surge.sh" or siteurl like "https://review-submit-for-here.surge.sh" or domainname like "https://monetization-under-request-support-on.surge.sh" or url like "https://monetization-under-request-support-on.surge.sh" or siteurl like "https://monetization-under-request-support-on.surge.sh" or domainname like "https://come-review.github.io/subhan" or url like "https://come-review.github.io/subhan" or siteurl like "https://come-review.github.io/subhan" or domainname like "https://request-i-review.surge.sh" or url like "https://request-i-review.surge.sh" or siteurl like "https://request-i-review.surge.sh" or domainname like "https://review-req-app-user-forms.surge.sh" or url like "https://review-req-app-user-forms.surge.sh" or siteurl like "https://review-req-app-user-forms.surge.sh" or domainname like "https://community-team-now.surge.sh" or url like "https://community-team-now.surge.sh" or siteurl like "https://community-team-now.surge.sh" or domainname like "https://apply-tick-easy-getfree.surge.sh" or url like "https://apply-tick-easy-getfree.surge.sh" or siteurl like "https://apply-tick-easy-getfree.surge.sh" or domainname like "https://fastfreeprogramunit3.surge.sh" or url like "https://fastfreeprogramunit3.surge.sh" or siteurl like "https://fastfreeprogramunit3.surge.sh" or domainname like "https://now-review-form-here.surge.sh" or url like "https://now-review-form-here.surge.sh" or siteurl like "https://now-review-form-here.surge.sh" or domainname like "https://rajab-alee.github.io/azan" or url like "https://rajab-alee.github.io/azan" or siteurl like "https://rajab-alee.github.io/azan" or domainname like "https://applyit-blue-badge.surge.sh" or url like "https://applyit-blue-badge.surge.sh" or siteurl like "https://applyit-blue-badge.surge.sh" or domainname like "https://nostop09.github.io/Hauruo" or url like "https://nostop09.github.io/Hauruo" or siteurl like 
"https://nostop09.github.io/Hauruo" or domainname like "https://suspended-account.netlify.app" or url like "https://suspended-account.netlify.app" or siteurl like "https://suspended-account.netlify.app" or domainname like "https://azam-crush.github.io/subhan" or url like "https://azam-crush.github.io/subhan" or siteurl like "https://azam-crush.github.io/subhan" or domainname like "https://team-revie.github.io/work" or url like "https://team-revie.github.io/work" or siteurl like "https://team-revie.github.io/work" or domainname like "https://sadiqdev.pages.dev" or url like "https://sadiqdev.pages.dev" or siteurl like "https://sadiqdev.pages.dev" or domainname like "https://process-submission-complete.surge.sh" or url like "https://process-submission-complete.surge.sh" or siteurl like "https://process-submission-complete.surge.sh" 

    Detection Query 2:

    domainname like "https://quick-review-submited.surge.sh" or url like "https://quick-review-submited.surge.sh" or siteurl like "https://quick-review-submited.surge.sh" or domainname like "https://apply-on-free-here.surge.sh" or url like "https://apply-on-free-here.surge.sh" or siteurl like "https://apply-on-free-here.surge.sh" or domainname like "https://2toapply-willforwhere.surge.sh" or url like "https://2toapply-willforwhere.surge.sh" or siteurl like "https://2toapply-willforwhere.surge.sh" or domainname like "https://get-fix-here-got.vercel.app" or url like "https://get-fix-here-got.vercel.app" or siteurl like "https://get-fix-here-got.vercel.app" or domainname like "https://shaid-alee.github.io/blue" or url like "https://shaid-alee.github.io/blue" or siteurl like "https://shaid-alee.github.io/blue" or domainname like "https://azan-review.github.io/violation" or url like "https://azan-review.github.io/violation" or siteurl like "https://azan-review.github.io/violation" or domainname like "https://now-solve-issues.surge.sh" or url like "https://now-solve-issues.surge.sh" or siteurl like "https://now-solve-issues.surge.sh" or domainname like "https://resource2.heygen.ai/video_translate/94087358030a4df8b20e73f1fba92ed5-en/720p.mp4" or url like "https://resource2.heygen.ai/video_translate/94087358030a4df8b20e73f1fba92ed5-en/720p.mp4" or siteurl like "https://resource2.heygen.ai/video_translate/94087358030a4df8b20e73f1fba92ed5-en/720p.mp4" or domainname like "https://lifetime-freeblue-badge.surge.sh" or url like "https://lifetime-freeblue-badge.surge.sh" or siteurl like "https://lifetime-freeblue-badge.surge.sh" or domainname like "https://buksh-alee.github.io/azan" or url like "https://buksh-alee.github.io/azan" or siteurl like "https://buksh-alee.github.io/azan" or domainname like "https://applay-submission-panelo.surge.sh" or url like "https://applay-submission-panelo.surge.sh" or siteurl like "https://applay-submission-panelo.surge.sh" or domainname like 
"https://form-review-application.surge.sh" or url like "https://form-review-application.surge.sh" or siteurl like "https://form-review-application.surge.sh" or domainname like "https://add-a-restrictions.surge.sh" or url like "https://add-a-restrictions.surge.sh" or siteurl like "https://add-a-restrictions.surge.sh" or domainname like "https://privacy-security.surge.sh" or url like "https://privacy-security.surge.sh" or siteurl like "https://privacy-security.surge.sh" or domainname like "https://appeal-for-monetisation-restricted.vercel.app" or siteurl like "https://appeal-for-monetisation-restricted.vercel.app" or url like "https://appeal-for-monetisation-restricted.vercel.app" or domainname like "https://appeal-solve.pages.dev" or siteurl like "https://appeal-solve.pages.dev" or url like "https://appeal-solve.pages.dev" or domainname like "https://immediate-action-send-request.surge.sh" or siteurl like "https://immediate-action-send-request.surge.sh" or url like "https://immediate-action-send-request.surge.sh" or domainname like "https://review-for-page-here.vercel.app" or siteurl like "https://review-for-page-here.vercel.app" or url like "https://review-for-page-here.vercel.app" or domainname like "https://review-privacy-help-community-here.surge.sh" or siteurl like "https://review-privacy-help-community-here.surge.sh" or url like "https://review-privacy-help-community-here.surge.sh" or domainname like "https://solve-profile-issue-now-five.vercel.app" or siteurl like "https://solve-profile-issue-now-five.vercel.app" or url like "https://solve-profile-issue-now-five.vercel.app" or domainname like "https://submit-your-info-here.netlify.app" or siteurl like "https://submit-your-info-here.netlify.app" or url like "https://submit-your-info-here.netlify.app"

    Detection Query 3:

    sha256hash IN ("fc6a175c7f61a5c81875ca29a2c444d7a8f95506ddcdc0c59629f65e15911d83")
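
An added example, not Gurucul's or Unit 42's code, of matching these indicators in raw web-proxy logs: since every lure is hosted on a shared platform, it compares the exact tenant hostname (plus the path, where the indicator has one) and never the parent domain. The three indicators are copied from the queries above; the log layout, user names and the `unrelated-project.github.io` host are constructed for the example.

```python
from urllib.parse import urlsplit

# Subset of this advisory's indicators, copied from the detection queries.
IOCS = [
    "https://review-submit-for-here.surge.sh",
    "https://come-review.github.io/subhan",
    "https://appeal-solve.pages.dev",
]

# Constructed proxy log (assumed layout): timestamp, user, method, target.
SAMPLE_LOG = """\
2026-06-19T10:01:02Z alice GET https://Review-Submit-For-Here.surge.sh/index.html
2026-06-19T10:01:09Z bob GET https://come-review.github.io/subhan/
2026-06-19T10:02:14Z bob GET https://come-review.github.io/other-repo
2026-06-19T10:03:30Z carol GET https://unrelated-project.github.io/subhan
2026-06-19T10:04:41Z dave CONNECT appeal-solve.pages.dev:443
2026-06-19T10:05:00Z erin GET https://surge.sh/help
"""

def normalize(value):
    """Split a URL, host[:port] or host/path into (lower-case host, path)."""
    if not value.lower().startswith(("http://", "https://")):
        value = "//" + value  # lets urlsplit parse scheme-less log fields
    parts = urlsplit(value)
    return (parts.hostname or "").rstrip("."), parts.path.rstrip("/")

def build_index(iocs):
    index = {}  # indicator host -> set of path prefixes listed for it
    for ioc in iocs:
        host, path = normalize(ioc)
        index.setdefault(host, set()).add(path)
    return index

def match(value, index):
    """Return the matching indicator (host + path prefix) or None."""
    host, path = normalize(value)
    for prefix in index.get(host, ()):
        # "" = whole tenant host listed; else match on a path-segment boundary.
        if not prefix or path == prefix or path.startswith(prefix + "/"):
            return host + prefix
    return None

def scan(log_text, index):
    hits = []  # (user, indicator) for every log line that hits an indicator
    for line in log_text.splitlines():
        _ts, user, _method, target = line.split(maxsplit=3)
        if (hit := match(target, index)):
            hits.append((user, hit))
    return hits
```
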

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-19-AI-generated-fake-instruction-video-lure-phishing-campaign.txt


    Tags

    Malware, Phishing, AI, SaaS, Social Engineering, Credential Harvesting
