New Kali365 PhaaS Kit Being Abused in the Wild

    Date: 04/28/2026

    Severity: High

    Summary

    Kali365 is a newly emerged phishing-as-a-service (PhaaS) kit that abuses OAuth device code registration flows to conduct large-scale credential phishing campaigns. Distributed through Telegram, the platform offers advanced capabilities including mailbox scanning, phishing page generation, and AI-powered chatbot assistance for creating convincing lures. Positioned as a lower-cost alternative to other kits like EvilTokens, Kali365 is rapidly gaining traction among cybercriminals due to its affordability and extensive feature set. 

    Indicators of Compromise (IOC) List

    URLs/Domains


    IP Addresses


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "kali365.xyz" or siteurl like "kali365.xyz" or url like "kali365.xyz" or
    domainname like "v2.kali365.xyz" or siteurl like "v2.kali365.xyz" or url like "v2.kali365.xyz" or
    domainname like "auth.kali365.xyz" or siteurl like "auth.kali365.xyz" or url like "auth.kali365.xyz" or
    domainname like "api.kali365.xyz" or siteurl like "api.kali365.xyz" or url like "api.kali365.xyz" or
    domainname like "www.nikadent.icu" or siteurl like "www.nikadent.icu" or url like "www.nikadent.icu" or
    domainname like "www.walter-software.com" or siteurl like "www.walter-software.com" or url like "www.walter-software.com" or
    domainname like "www.duemineral.uk" or siteurl like "www.duemineral.uk" or url like "www.duemineral.uk" or
    domainname like "www.democrakidsradio.org" or siteurl like "www.democrakidsradio.org" or url like "www.democrakidsradio.org" or
    domainname like "pohlusa.co" or siteurl like "pohlusa.co" or url like "pohlusa.co" or
    domainname like "www.cecyani.xyz" or siteurl like "www.cecyani.xyz" or url like "www.cecyani.xyz" or
    domainname like "www.trulites.com" or siteurl like "www.trulites.com" or url like "www.trulites.com" or
    domainname like "www.abt90.org" or siteurl like "www.abt90.org" or url like "www.abt90.org" or
    domainname like "nysexams.com" or siteurl like "nysexams.com" or url like "nysexams.com" or
    domainname like "www.stpaulscathedralokc.org" or siteurl like "www.stpaulscathedralokc.org" or url like "www.stpaulscathedralokc.org" or
    domainname like "www.mediaplanung.biz" or siteurl like "www.mediaplanung.biz" or url like "www.mediaplanung.biz" or
    domainname like "api.duemineral.uk" or siteurl like "api.duemineral.uk" or url like "api.duemineral.uk" or
    domainname like "v2.duemineral.uk" or siteurl like "v2.duemineral.uk" or url like "v2.duemineral.uk"

    Detection Query 2:

    domainname like "loadingdocuments.uk" or siteurl like "loadingdocuments.uk" or url like "loadingdocuments.uk" or
    domainname like "auth.loadingdocuments.uk" or siteurl like "auth.loadingdocuments.uk" or url like "auth.loadingdocuments.uk" or
    domainname like "panel.loadingdocuments.uk" or siteurl like "panel.loadingdocuments.uk" or url like "panel.loadingdocuments.uk" or
    domainname like "flow-open-7ff0.p-ygj98iy2.workers.dev" or siteurl like "flow-open-7ff0.p-ygj98iy2.workers.dev" or url like "flow-open-7ff0.p-ygj98iy2.workers.dev" or
    domainname like "note-access-nj2w.rob-c2d.workers.dev" or siteurl like "note-access-nj2w.rob-c2d.workers.dev" or url like "note-access-nj2w.rob-c2d.workers.dev" or
    domainname like "drive-mail-wmou.pwyv30sj.workers.dev" or siteurl like "drive-mail-wmou.pwyv30sj.workers.dev" or url like "drive-mail-wmou.pwyv30sj.workers.dev" or
    domainname like "store-open-rc2p.p-ko5g87h5.workers.dev" or siteurl like "store-open-rc2p.p-ko5g87h5.workers.dev" or url like "store-open-rc2p.p-ko5g87h5.workers.dev" or
    domainname like "mail-link-zkfq.p-qjt4uz2n.workers.dev" or siteurl like "mail-link-zkfq.p-qjt4uz2n.workers.dev" or url like "mail-link-zkfq.p-qjt4uz2n.workers.dev" or
    domainname like "core-box-iz5s.reckagrace.workers.dev" or siteurl like "core-box-iz5s.reckagrace.workers.dev" or url like "core-box-iz5s.reckagrace.workers.dev" or
    domainname like "form-cloud-t655.p-oejdzrsz.workers.dev" or siteurl like "form-cloud-t655.p-oejdzrsz.workers.dev" or url like "form-cloud-t655.p-oejdzrsz.workers.dev" or
    domainname like "vault-cloud-maou.p-afw8621d.workers.dev" or siteurl like "vault-cloud-maou.p-afw8621d.workers.dev" or url like "vault-cloud-maou.p-afw8621d.workers.dev" or
    domainname like "page-sync-4pib.p-qtlv10l7.workers.dev" or siteurl like "page-sync-4pib.p-qtlv10l7.workers.dev" or url like "page-sync-4pib.p-qtlv10l7.workers.dev" or
    domainname like "sync-vault-lpwq.p-zhge84gd.workers.dev" or siteurl like "sync-vault-lpwq.p-zhge84gd.workers.dev" or url like "sync-vault-lpwq.p-zhge84gd.workers.dev" or
    domainname like "file-base-ggoa.p-yxcqepyg.workers.dev" or siteurl like "file-base-ggoa.p-yxcqepyg.workers.dev" or url like "file-base-ggoa.p-yxcqepyg.workers.dev" or
    domainname like "net-web-qo53.p-2f5hwpkd.workers.dev" or siteurl like "net-web-qo53.p-2f5hwpkd.workers.dev" or url like "net-web-qo53.p-2f5hwpkd.workers.dev" or
    domainname like "page-core-sv2l.p-anmh2mbc.workers.dev" or siteurl like "page-core-sv2l.p-anmh2mbc.workers.dev" or url like "page-core-sv2l.p-anmh2mbc.workers.dev" or
    domainname like "data-form-f5at.p-lvqyivvk.workers.dev" or siteurl like "data-form-f5at.p-lvqyivvk.workers.dev" or url like "data-form-f5at.p-lvqyivvk.workers.dev" or
    domainname like "view-base-5vpr.3mdcy99f8511wpsebllpbkjizyg3run6.workers.dev" or siteurl like "view-base-5vpr.3mdcy99f8511wpsebllpbkjizyg3run6.workers.dev" or url like "view-base-5vpr.3mdcy99f8511wpsebllpbkjizyg3run6.workers.dev"

    Detection Query 3:

    domainname like "access-file-z1or.steve-c57.workers.dev" or siteurl like "access-file-z1or.steve-c57.workers.dev" or url like "access-file-z1or.steve-c57.workers.dev" or
    domainname like "data-doc-sfym.p-50ds7vs5.workers.dev" or siteurl like "data-doc-sfym.p-50ds7vs5.workers.dev" or url like "data-doc-sfym.p-50ds7vs5.workers.dev" or
    domainname like "file-doc-uhug.p-ao3eomo9.workers.dev" or siteurl like "file-doc-uhug.p-ao3eomo9.workers.dev" or url like "file-doc-uhug.p-ao3eomo9.workers.dev" or
    domainname like "drive-edge-lzl0.p-8pd549l5.workers.dev" or siteurl like "drive-edge-lzl0.p-8pd549l5.workers.dev" or url like "drive-edge-lzl0.p-8pd549l5.workers.dev" or
    domainname like "access-base-yz6o.p-uhv4e1ee.workers.dev" or siteurl like "access-base-yz6o.p-uhv4e1ee.workers.dev" or url like "access-base-yz6o.p-uhv4e1ee.workers.dev" or
    domainname like "cloud-link-j46j.p-zltii3tp.workers.dev" or siteurl like "cloud-link-j46j.p-zltii3tp.workers.dev" or url like "cloud-link-j46j.p-zltii3tp.workers.dev" or
    domainname like "share-portal-r6le.p-deum4gog.workers.dev" or siteurl like "share-portal-r6le.p-deum4gog.workers.dev" or url like "share-portal-r6le.p-deum4gog.workers.dev" or
    domainname like "sync-store-ur85.p-lboid22u.workers.dev" or siteurl like "sync-store-ur85.p-lboid22u.workers.dev" or url like "sync-store-ur85.p-lboid22u.workers.dev" or
    domainname like "open-share-njlb.p-l4yg6fjb.workers.dev" or siteurl like "open-share-njlb.p-l4yg6fjb.workers.dev" or url like "open-share-njlb.p-l4yg6fjb.workers.dev" or
    domainname like "app-edge-8bqf.p-j65j3f1q.workers.dev" or siteurl like "app-edge-8bqf.p-j65j3f1q.workers.dev" or url like "app-edge-8bqf.p-j65j3f1q.workers.dev" or
    domainname like "data-drive-bd71.p-4bpdi3hp.workers.dev" or siteurl like "data-drive-bd71.p-4bpdi3hp.workers.dev" or url like "data-drive-bd71.p-4bpdi3hp.workers.dev" or
    domainname like "flow-store-gyoz.p-o9vztksz.workers.dev" or siteurl like "flow-store-gyoz.p-o9vztksz.workers.dev" or url like "flow-store-gyoz.p-o9vztksz.workers.dev" or
    domainname like "link-app-jhzt.p-ux0nzmb5.workers.dev" or siteurl like "link-app-jhzt.p-ux0nzmb5.workers.dev" or url like "link-app-jhzt.p-ux0nzmb5.workers.dev"

    Detection Query 4:

    dstipaddress IN ("216.203.20.95","199.91.220.111","167.99.0.116","162.243.166.119","157.230.53.233","102.89.22.100","159.203.163.96") or srcipaddress IN ("216.203.20.95","199.91.220.111","167.99.0.116","162.243.166.119","157.230.53.233","102.89.22.100","159.203.163.96")
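    As an added example (not part of this advisory or of Gurucul's queries), the logic of Queries 1 to 4 rendered in Python and run over constructed key=value log lines: domain indicators are matched by exact host or subdomain rather than by substring, so a look-alike such as notkali365.xyz is not flagged while v2.kali365.xyz is. The low-confidence check for the "<word>-<word>-<4 chars>.<account>.workers.dev" naming shape is a heuristic inferred from the IOC list above and is an assumption of this example, not a published detection.

```python
import re
from urllib.parse import urlparse

# Subset of the Kali365 domain/IP indicators from this advisory (see the IOC list above).
IOC_DOMAINS = {
    "kali365.xyz", "auth.kali365.xyz", "loadingdocuments.uk",
    "flow-open-7ff0.p-ygj98iy2.workers.dev", "login.sharepoint-msviewer.com",
}
IOC_IPS = {"216.203.20.95", "199.91.220.111", "167.99.0.116"}

# Heuristic (assumption, not from the advisory): the Workers hostnames in the IOC list share the
# shape "<word>-<word>-<4 alnum>.<account>.workers.dev"; flag that shape at low confidence only.
WORKERS_PATTERN = re.compile(r"^[a-z]+-[a-z]+-[a-z0-9]{4}\.[a-z0-9-]+\.workers\.dev$")

def host_of(value):
    """Lower-case hostname from either a bare domain or a full URL (scheme/port/path stripped)."""
    if "://" not in value:
        value = "//" + value          # lets urlparse treat a bare domain as a netloc
    return (urlparse(value).hostname or "").lower()

def domain_matches(host, iocs):
    """True when host equals an IOC or is a subdomain of one; never a plain substring match."""
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)

def parse_kv(line):
    """Parse a key=value log line into a dict; quoted values may contain spaces and '='."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def classify(line):
    """Return (verdict, reason) for one event, mirroring the field names used in Queries 1-4."""
    ev = parse_kv(line)
    for field in ("domainname", "siteurl", "url"):          # Queries 1-3
        if field in ev:
            host = host_of(ev[field])
            if domain_matches(host, IOC_DOMAINS):
                return "high", f"{field} host {host} matches a Kali365 IOC"
            if WORKERS_PATTERN.match(host):
                return "low", f"{field} host {host} matches the Kali365 Workers naming shape"
    for field in ("dstipaddress", "srcipaddress"):          # Query 4
        if ev.get(field) in IOC_IPS:
            return "high", f"{field} {ev[field]} is a Kali365 IOC"
    return "none", ""

SAMPLE_LOGS = [  # constructed sample events, not real telemetry
    'ts=2026-04-28T10:01:02Z user=alice url="https://v2.kali365.xyz/device?code=ABCD" dstipaddress=203.0.113.5',
    'ts=2026-04-28T10:02:10Z user=bob siteurl="https://mail-link-abcd.p-zzzz0000.workers.dev/" dstipaddress=203.0.113.6',
    'ts=2026-04-28T10:03:30Z user=carol domainname=login.microsoftonline.com srcipaddress=216.203.20.95',
    'ts=2026-04-28T10:04:00Z user=dave domainname=notkali365.xyz dstipaddress=198.51.100.9',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(classify(line))
```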

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-04-24-New-Kali365-PhaaS-Kit.txt


    Tags: Malware, Phishing, PhaaS, Telegram, AI
