BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory

    Date: 04/17/2026

    Severity: High

    Summary

    BlobPhish is an advanced credential-phishing campaign, active since 2024, that generates phishing pages directly within the victim's browser using in-memory blob objects, bypassing traditional network-based and file-based detection. Targeting platforms such as Microsoft 365, banking services, and webmail, the campaign leverages compromised infrastructure to steal high-value credentials for business email compromise (BEC), data exfiltration, and lateral movement. Its persistent, stealthy approach and focus on financial and enterprise accounts make it a significant ongoing threat.

    Indicators of Compromise (IOC) List

    Domains/URLs


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://wajah4dslot.com/wp-includes/certificates/tmp//res.php" or url like "https://wajah4dslot.com/wp-includes/certificates/tmp//res.php" or siteurl like "https://wajah4dslot.com/wp-includes/certificates/tmp//res.php" or domainname like "https://ftpbd.net/wp-content/plugins/cgi-/trade/blob.html" or url like "https://ftpbd.net/wp-content/plugins/cgi-/trade/blob.html" or siteurl like "https://ftpbd.net/wp-content/plugins/cgi-/trade/blob.html" or domainname like "https://mts-egy.net/wp-content/plugins/owpsyzj/cgi-ent/res.php" or url like "https://mts-egy.net/wp-content/plugins/owpsyzj/cgi-ent/res.php" or siteurl like "https://mts-egy.net/wp-content/plugins/owpsyzj/cgi-ent/res.php" or domainname like "https://hnint.net/cgi-bin/peacemind//panel.php" or url like "https://hnint.net/cgi-bin/peacemind//panel.php" or siteurl like "https://hnint.net/cgi-bin/peacemind//panel.php" or domainname like "https://ftpbd.net/wp-content/plugins/cgi-/trade/trade//res.php" or url like "https://ftpbd.net/wp-content/plugins/cgi-/trade/trade//res.php" or siteurl like "https://ftpbd.net/wp-content/plugins/cgi-/trade/trade//res.php" or domainname like "https://riobeautybrazil.com/wp-admin/amx/res.php" or url like "https://riobeautybrazil.com/wp-admin/amx/res.php" or siteurl like "https://riobeautybrazil.com/wp-admin/amx/res.php" or domainname like "https://hnint.net/cgi-bin/peacemind//res.php" or url like "https://hnint.net/cgi-bin/peacemind//res.php" or siteurl like "https://hnint.net/cgi-bin/peacemind//res.php" or domainname like "hnint.net" or url like "hnint.net" or siteurl like "hnint.net" or domainname like "https://riobeautybrazil.com/wp-admin/amx/panel.php" or url like "https://riobeautybrazil.com/wp-admin/amx/panel.php" or siteurl like "https://riobeautybrazil.com/wp-admin/amx/panel.php" or domainname like "mtl-logistics.com" or url like "mtl-logistics.com" or siteurl like "mtl-logistics.com" or domainname like 
"https://wajah4dslot.com/wp-includes/certificates/tmp//panel.php" or url like "https://wajah4dslot.com/wp-includes/certificates/tmp//panel.php" or siteurl like "https://wajah4dslot.com/wp-includes/certificates/tmp//panel.php" or domainname like "https://larva888.com/wp-includes/css/dist/tmp/vmo.html" or url like "https://larva888.com/wp-includes/css/dist/tmp/vmo.html" or siteurl like "https://larva888.com/wp-includes/css/dist/tmp/vmo.html"

    Detection Query 2:

    domainname like "wajah4dslot.com" or url like "wajah4dslot.com" or siteurl like "wajah4dslot.com" or domainname like "larva888.com" or url like "larva888.com" or siteurl like "larva888.com" or domainname like "https://mtl-logistics.com/css/sharethepoint/point/res.php" or url like "https://mtl-logistics.com/css/sharethepoint/point/res.php" or siteurl like "https://mtl-logistics.com/css/sharethepoint/point/res.php" or domainname like "https://hnint.net/bloji.html" or url like "https://hnint.net/bloji.html" or siteurl like "https://hnint.net/bloji.html" or domainname like "https://i-seotools.com/wp-content/citttboy.html" or url like "https://i-seotools.com/wp-content/citttboy.html" or siteurl like "https://i-seotools.com/wp-content/citttboy.html" or domainname like "https://mts-egy.net/wp-content/plugins/owpsyzj/cgi-ent/panel.php" or url like "https://mts-egy.net/wp-content/plugins/owpsyzj/cgi-ent/panel.php" or siteurl like "https://mts-egy.net/wp-content/plugins/owpsyzj/cgi-ent/panel.php" or domainname like "mts-egy.net" or url like "mts-egy.net" or siteurl like "mts-egy.net" or domainname like "ftpbd.net" or url like "ftpbd.net" or siteurl like "ftpbd.net" or domainname like "https://localmarketsense.com/wp-includes/Text/sxzmqkp/krtxbvo/sahz1xi/cgi-ent/emailandpasssss.html" or url like "https://localmarketsense.com/wp-includes/Text/sxzmqkp/krtxbvo/sahz1xi/cgi-ent/emailandpasssss.html" or siteurl like "https://localmarketsense.com/wp-includes/Text/sxzmqkp/krtxbvo/sahz1xi/cgi-ent/emailandpasssss.html" or domainname like "mail.hubnorte.com.br" or url like "mail.hubnorte.com.br" or siteurl like "mail.hubnorte.com.br" or domainname like "i-seotools.com" or url like "i-seotools.com" or siteurl like "i-seotools.com" or domainname like "https://mtl-logistics.com/blb/blob.html" or url like "https://mtl-logistics.com/blb/blob.html" or siteurl like "https://mtl-logistics.com/blb/blob.html" or domainname like "https://mail.hubnorte.com.br/blom.html" or url like 
"https://mail.hubnorte.com.br/blom.html" or siteurl like "https://mail.hubnorte.com.br/blom.html" or domainname like "https://ftpbd.net/wp-content/plugins/cgi-/trade/trade//panel.php" or url like "https://ftpbd.net/wp-content/plugins/cgi-/trade/trade//panel.php" or siteurl like "https://ftpbd.net/wp-content/plugins/cgi-/trade/trade//panel.php" or domainname like "https://_wildcard_.gonzalezlawnandlandscaping.com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele.php" or siteurl like "https://_wildcard_.gonzalezlawnandlandscaping.com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele.php" or url like "https://_wildcard_.gonzalezlawnandlandscaping.com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele.php" or domainname like "riobeautybrazil.com" or siteurl like "riobeautybrazil.com" or url like "riobeautybrazil.com"
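    The two queries above are long chains of "domainname like X or url like X or siteurl like X". As an added example (not Gurucul's or the advisory's own code), the Python below applies that same three-field matching to proxy/SIEM records, assuming "like" means a case-insensitive substring match, treating the "_wildcard_." label as any subdomain, and collapsing the doubled "//" in several indicator paths so a request logged with a single slash still matches; the indicator subset is taken from the queries, and the sample records are constructed.

```python
import re

# Indicators copied from the advisory's detection queries (a subset, for illustration).
# The "_wildcard_." label in one indicator stands for any subdomain of that host.
INDICATORS = [
    "hnint.net",
    "https://wajah4dslot.com/wp-includes/certificates/tmp//res.php",
    "https://_wildcard_.gonzalezlawnandlandscaping.com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele.php",
]

# The queries test these three fields; a record matches if any field contains any indicator.
FIELDS = ("domainname", "url", "siteurl")


def _normalize(value: str) -> str:
    """Lower-case and collapse repeated slashes in the path, so the advisory's
    'tmp//res.php' also catches a request logged as 'tmp/res.php'."""
    value = value.strip().lower()
    scheme, sep, rest = value.partition("://")
    return scheme + sep + re.sub(r"/{2,}", "/", rest) if sep else re.sub(r"/{2,}", "/", value)


def _indicator_regex(indicator: str) -> "re.Pattern[str]":
    """Turn one 'like' operand into a regex: a plain substring match, except that
    '_wildcard_.' matches zero or more subdomain labels (assumed meaning of the label)."""
    parts = [re.escape(p) for p in _normalize(indicator).split("_wildcard_.")]
    return re.compile(r"(?:[a-z0-9-]+\.)*".join(parts))


PATTERNS = [(ioc, _indicator_regex(ioc)) for ioc in INDICATORS]


def match_record(record: dict) -> list:
    """Return the indicators that hit on any of the three query fields of one log record."""
    return [ioc for ioc, rx in PATTERNS
            if any(rx.search(_normalize(record.get(f, ""))) for f in FIELDS)]


# Constructed sample proxy records; these are not from the advisory.
SAMPLE_RECORDS = [
    {"domainname": "HNINT.NET", "url": "https://hnint.net/bloji.html", "siteurl": ""},
    {"domainname": "wajah4dslot.com",
     "url": "https://wajah4dslot.com/wp-includes/certificates/tmp/res.php", "siteurl": ""},
    {"domainname": "cdn.gonzalezlawnandlandscaping.com",
     "url": "https://cdn.gonzalezlawnandlandscaping.com/zovakmf/exfuzaj/pcnlwyf/cgi-ent/tele.php",
     "siteurl": ""},
    {"domainname": "example.com", "url": "https://example.com/login", "siteurl": "https://example.com"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["url"], "->", match_record(rec) or "no match")
```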

    Reference:

    https://any.run/cybersecurity-blog/evasive-blob-phishing-detection/

