ARToken: Inside an EvilTokens Affiliate Panel Targeting Microsoft 365

    Date: 07/02/2026

    Severity: Medium

    Summary

    ARToken is a Phishing-as-a-Service (PhaaS) platform linked to the EvilTokens ecosystem. It gives affiliates a web-based dashboard for compromising Microsoft 365 accounts, supporting device code phishing, Primary Refresh Token (PRT) persistence, Business Email Compromise (BEC), SharePoint data exfiltration and mailbox access. Because device code phishing has the victim authenticate at Microsoft's own login endpoint and hands the resulting OAuth tokens to the attacker, no password is captured and the attacker obtains a session that has already satisfied MFA. The kit also layers anti-analysis checks and encrypted payloads on its phishing pages to evade detection.

    Indicators of Compromise (IOC) List 

    Domains/URLs

    pamconj.com

    dashboard-bl.pamconj.com

    spx.pamconj.com

    clear90489058903-document.workers.dev

    917bedb0-554e-a8b9-79f1-docviewer.clear90489058903-document.workers.dev

    321a1392-939d-3bf5-4040-docviewer.clear90489058903-document.workers.dev

    98c4c82e-2d81-0837-e3d6-docviewer.clear90489058903-document.workers.dev

    112838d8-9a75-2e90-d63b-docviewer.clear90489058903-document.workers.dev

    aquaclaude-09494-9099403-docviewer.clear90489058903-document.workers.dev

    e5469cec-124a-c84f-abaa-docviewer.clear90489058903-document.workers.dev

    50a201fd-dd2d-cf72-5fa6-onedrive.clear90489058903-document.workers.dev

    reynoldsjace5.workers.dev

    50a201fd-dd2d-cf72-5fa6-adobe2.reynoldsjace5.workers.dev

    IP Address

    172.67.214.35

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "dashboard-bl.pamconj.com" or url like "dashboard-bl.pamconj.com" or siteurl like "dashboard-bl.pamconj.com" or domainname like "spx.pamconj.com" or url like "spx.pamconj.com" or siteurl like "spx.pamconj.com" or domainname like "pamconj.com" or url like "pamconj.com" or siteurl like "pamconj.com" or domainname like "98c4c82e-2d81-0837-e3d6-docviewer.clear90489058903-document.workers.dev" or url like "98c4c82e-2d81-0837-e3d6-docviewer.clear90489058903-document.workers.dev" or siteurl like "98c4c82e-2d81-0837-e3d6-docviewer.clear90489058903-document.workers.dev" or domainname like "112838d8-9a75-2e90-d63b-docviewer.clear90489058903-document.workers.dev" or url like "112838d8-9a75-2e90-d63b-docviewer.clear90489058903-document.workers.dev" or siteurl like "112838d8-9a75-2e90-d63b-docviewer.clear90489058903-document.workers.dev" or domainname like "aquaclaude-09494-9099403-docviewer.clear90489058903-document.workers.dev" or url like "aquaclaude-09494-9099403-docviewer.clear90489058903-document.workers.dev" or siteurl like "aquaclaude-09494-9099403-docviewer.clear90489058903-document.workers.dev" or domainname like "clear90489058903-document.workers.dev" or url like "clear90489058903-document.workers.dev" or siteurl like "clear90489058903-document.workers.dev" or domainname like "321a1392-939d-3bf5-4040-docviewer.clear90489058903-document.workers.dev" or url like "321a1392-939d-3bf5-4040-docviewer.clear90489058903-document.workers.dev" or siteurl like "321a1392-939d-3bf5-4040-docviewer.clear90489058903-document.workers.dev" or domainname like "e5469cec-124a-c84f-abaa-docviewer.clear90489058903-document.workers.dev" or url like "e5469cec-124a-c84f-abaa-docviewer.clear90489058903-document.workers.dev" or siteurl like "e5469cec-124a-c84f-abaa-docviewer.clear90489058903-document.workers.dev" or domainname like "50a201fd-dd2d-cf72-5fa6-onedrive.clear90489058903-document.workers.dev" or url like "50a201fd-dd2d-cf72-5fa6-onedrive.clear90489058903-document.workers.dev" or siteurl like "50a201fd-dd2d-cf72-5fa6-onedrive.clear90489058903-document.workers.dev" or domainname like "50a201fd-dd2d-cf72-5fa6-adobe2.reynoldsjace5.workers.dev" or url like "50a201fd-dd2d-cf72-5fa6-adobe2.reynoldsjace5.workers.dev" or siteurl like "50a201fd-dd2d-cf72-5fa6-adobe2.reynoldsjace5.workers.dev" or domainname like "917bedb0-554e-a8b9-79f1-docviewer.clear90489058903-document.workers.dev" or url like "917bedb0-554e-a8b9-79f1-docviewer.clear90489058903-document.workers.dev" or siteurl like "917bedb0-554e-a8b9-79f1-docviewer.clear90489058903-document.workers.dev" or domainname like "reynoldsjace5.workers.dev" or url like "reynoldsjace5.workers.dev" or siteurl like "reynoldsjace5.workers.dev"

    Detection Query 2 :

    dstipaddress IN ("172.67.214.35") or srcipaddress IN ("172.67.214.35")

    Note that 172.67.214.35 falls within 172.64.0.0/13, a published Cloudflare range shared by many unrelated Cloudflare-fronted sites, so a hit on Query 2 alone is low-confidence and should be corroborated with a Query 1 domain match or the request's Host/SNI value before it is escalated.
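    The two queries above are exact-value matches. As an added example (not code from this page, Gurucul or Talos), the following Python script applies the same indicators to constructed sample events that reuse the queries' field names, with two refinements a practitioner would want: hostnames are matched by parent zone, so any new subdomain under clear90489058903-document.workers.dev or reynoldsjace5.workers.dev is caught without enumerating per-host worker names while lookalikes such as notpamconj.com are not, and a hit on 172.67.214.35 with no domain evidence is reported at low confidence because the address lies in Cloudflare's published 172.64.0.0/13 range. The log lines are constructed for the example.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Hostnames from the IOC list above. The per-host worker names are not
# enumerated: every *.clear90489058903-document.workers.dev and
# *.reynoldsjace5.workers.dev hostname is covered by its parent zone.
IOC_DOMAINS = {
    "pamconj.com",
    "dashboard-bl.pamconj.com",
    "spx.pamconj.com",
    "clear90489058903-document.workers.dev",
    "reynoldsjace5.workers.dev",
}
IOC_IPS = {"172.67.214.35"}
# 172.64.0.0/13 is a published Cloudflare range shared by many unrelated
# sites, so an IP-only hit there is weak evidence on its own.
SHARED_CDN_RANGES = [ipaddress.ip_network("172.64.0.0/13")]

# Constructed sample events (not real telemetry) using this page's field names.
SAMPLE_LOG = """\
ts=2026-02-07T10:01:05Z srcipaddress=10.0.4.21 dstipaddress=172.67.214.35 url=https://50a201fd-dd2d-cf72-5fa6-onedrive.clear90489058903-document.workers.dev/view
ts=2026-02-07T10:02:11Z srcipaddress=10.0.4.22 dstipaddress=104.16.1.1 url=https://github.com/
ts=2026-02-07T10:03:40Z srcipaddress=10.0.4.23 dstipaddress=172.67.214.35 url=https://shop.example/checkout
ts=2026-02-07T10:04:02Z srcipaddress=10.0.4.24 dstipaddress=203.0.113.9 url=https://new-docviewer.reynoldsjace5.workers.dev/
ts=2026-02-07T10:05:19Z srcipaddress=10.0.4.25 dstipaddress=203.0.113.10 url=https://notpamconj.com/
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def normalize_host(value: str) -> str:
    """Lowercase hostname from a URL or bare domain, trailing dot removed."""
    host = urlsplit(value).hostname if "://" in value else value.split("/")[0]
    return (host or "").lower().rstrip(".")


def match_domain(value: str) -> str | None:
    """Most specific IOC zone covering `value`. Only exact names and
    dot-separated subdomains match, so notpamconj.com is not a hit."""
    host = normalize_host(value)
    for ioc in sorted(IOC_DOMAINS, key=len, reverse=True):
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def match_ip(value: str) -> tuple[str | None, bool]:
    """(matched IOC IP or None, True if it lies in a shared CDN range)."""
    if value not in IOC_IPS:
        return None, False
    addr = ipaddress.ip_address(value)
    return value, any(addr in net for net in SHARED_CDN_RANGES)


def check_event(fields: dict[str, str]) -> dict | None:
    """Verdict for one event: 'high' on a domain hit or a dedicated-IP hit,
    'low' on an IP-only hit in shared CDN space, None when nothing matches."""
    reasons: list[str] = []
    domain_hit = None
    for key in ("domainname", "url", "siteurl"):
        if key in fields and (domain_hit := match_domain(fields[key])):
            reasons.append(f"{key} under IOC zone {domain_hit}")
            break
    ip_hit, shared = None, False
    for key in ("dstipaddress", "srcipaddress"):
        if key in fields:
            ip_hit, shared = match_ip(fields[key])
            if ip_hit:
                reasons.append(f"{key} {ip_hit}" + (" (shared CDN range)" if shared else ""))
                break
    if not reasons:
        return None
    confidence = "high" if domain_hit or (ip_hit and not shared) else "low"
    return {"ts": fields.get("ts"), "confidence": confidence, "reasons": reasons}


def scan(log_text: str) -> list[dict]:
    """Parse key=value log lines and return one verdict per matching event."""
    verdicts = []
    for line in log_text.splitlines():
        verdict = check_event(dict(FIELD_RE.findall(line)))
        if verdict:
            verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(v["ts"], v["confidence"], "; ".join(v["reasons"]))
```

    Run as a script it prints one line per matching event: the first sample line is high-confidence (IOC zone plus the IOC IP), the third is low-confidence (IOC IP only, inside the shared Cloudflare range), the fourth is high-confidence on a worker hostname that is not in the explicit IOC list, and the lookalike notpamconj.com produces nothing.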

    Reference:

    https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/


    Tags

    Malware, Phishing, Microsoft, Exfiltration, PhaaS
