Phishing Technique To Copy/Paste Authentication Tokens From Browser Cache

    Date: 12/19/2025

    Severity: Critical

    Summary

    This campaign has been active since at least September 2025 and leverages multiple web hosting platforms. Instead of harvesting usernames and passwords, the phishing pages employ an alternative approach. An embedded video guides victims to extract authentication tokens from their browser cookies and paste them into a pop-up form under the guise of verification. The video concludes by advising users not to log out for at least 24 hours, ensuring the tokens remain valid.

    Indicators of Compromise (IOC) List

    Domains/URLs:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "tick-badge-approval.surge.sh" or url like "tick-badge-approval.surge.sh" or siteurl like "tick-badge-approval.surge.sh" or domainname like "inf0-applying-center.vercel.app" or url like "inf0-applying-center.vercel.app" or siteurl like "inf0-applying-center.vercel.app" or domainname like "get-blue-program.vercel.app" or url like "get-blue-program.vercel.app" or siteurl like "get-blue-program.vercel.app" or domainname like "tick-trust-verify.surge.sh" or url like "tick-trust-verify.surge.sh" or siteurl like "tick-trust-verify.surge.sh" or domainname like "applyfor-bluebadge.vercel.app" or url like "applyfor-bluebadge.vercel.app" or siteurl like "applyfor-bluebadge.vercel.app" or domainname like "get-permanent-badge.org" or url like "get-permanent-badge.org" or siteurl like "get-permanent-badge.org" or domainname like "yingvera12345.github.io" or url like "yingvera12345.github.io" or siteurl like "yingvera12345.github.io" or domainname like "chatbot.pagehelppro.xyz" or url like "chatbot.pagehelppro.xyz" or siteurl like "chatbot.pagehelppro.xyz" or domainname like "request-for-review-remove-here.wasmer.app" or url like "request-for-review-remove-here.wasmer.app" or siteurl like "request-for-review-remove-here.wasmer.app" or domainname like "fil-here.netlify.app" or url like "fil-here.netlify.app" or siteurl like "fil-here.netlify.app" or domainname like "1-free-reward.netlify.app" or url like "1-free-reward.netlify.app" or siteurl like "1-free-reward.netlify.app" or domainname like "activation-form.vercel.app" or url like "activation-form.vercel.app" or siteurl like "activation-form.vercel.app" or domainname like "appeals.neocities.org" or url like "appeals.neocities.org" or siteurl like "appeals.neocities.org" or domainname like "apply-get-tick.netlify.app" or url like "apply-get-tick.netlify.app" or siteurl like "apply-get-tick.netlify.app" or domainname like "apply-get-badge.org" or url like "apply-get-badge.org" or siteurl like 
"apply-get-badge.org" or domainname like "badge-apply-free.surge.sh" or url like "badge-apply-free.surge.sh" or siteurl like "badge-apply-free.surge.sh" or domainname like "click-here-a.netlify.app" or url like "click-here-a.netlify.app" or siteurl like "click-here-a.netlify.app" or domainname like "collact-reward.netlify.app" or url like "collact-reward.netlify.app" or siteurl like "collact-reward.netlify.app" or domainname like "fb-badge-reward.netlify.app" or url like "fb-badge-reward.netlify.app" or siteurl like "fb-badge-reward.netlify.app" or domainname like "fb-terms.vercel.app" or url like "fb-terms.vercel.app" or siteurl like "fb-terms.vercel.app" or domainname like "file-panel.netlify.app" or url like "file-panel.netlify.app" or siteurl like "file-panel.netlify.app" or domainname like "free-blue-tick-get-now.org" or url like "free-blue-tick-get-now.org" or siteurl like "free-blue-tick-get-now.org" or domainname like "free-get-badge.netlify.app" or url like "free-get-badge.netlify.app" or siteurl like "free-get-badge.netlify.app" or domainname like "free-get-reward.netlify.app" or url like "free-get-reward.netlify.app" or siteurl like "free-get-reward.netlify.app" or domainname like "free-reward-m.netlify.app" or url like "free-reward-m.netlify.app" or siteurl like "free-reward-m.netlify.app" or domainname like "free-rewards-h.wasmer.app" or url like "free-rewards-h.wasmer.app" or siteurl like "free-rewards-h.wasmer.app" or domainname like "get-blue-badge1066843.vercel.app" or url like "get-blue-badge1066843.vercel.app" or siteurl like "get-blue-badge1066843.vercel.app" or domainname like "getbadge-case2343531.online" or url like "getbadge-case2343531.online" or siteurl like "getbadge-case2343531.online" or domainname like "lifetime-free-blue-page-f.surge.sh" or url like "lifetime-free-blue-page-f.surge.sh" or siteurl like "lifetime-free-blue-page-f.surge.sh" or domainname like "now-blue-tick-get-free.vercel.app" or url like 
"now-blue-tick-get-free.vercel.app" or siteurl like "now-blue-tick-get-free.vercel.app" or domainname like "free-verifications.netlify.app" or url like "free-verifications.netlify.app" or siteurl like "free-verifications.netlify.app"

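A heuristic to run alongside the exact-match query above, added here as an example (not Gurucul's or Unit 42's code): it flags hostnames that combine one of the free hosting suffixes seen in this advisory's indicators with a lure word drawn from those same hostnames. The keyword list, the proxy log line format and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Free hosting suffixes that appear in this advisory's indicator list.
HOSTING_SUFFIXES = ("netlify.app", "vercel.app", "surge.sh", "wasmer.app",
                    "neocities.org", "github.io")
# Lure words hand-picked from the listed hostnames (assumption); "tick" also hits "ticket".
LURE_WORDS = re.compile(r"badge|tick|reward|verif|appeal")

def host_of(value):
    """Return the lowercase hostname from a URL or a bare host[:port] field."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse a bare hostname
    try:
        return (urlsplit(value).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed field, e.g. unbalanced IPv6 brackets
        return ""

def is_suspect(value):
    """True when a lure-worded site label sits on one of the hosting suffixes."""
    host = host_of(value)
    for suffix in HOSTING_SUFFIXES:
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1]
            return bool(LURE_WORDS.search(label))
    return False

def scan(log_lines, url_field=2):
    """Return (user, host) for whitespace-separated proxy lines that match."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) > url_field and is_suspect(fields[url_field]):
            hits.append((fields[1], host_of(fields[url_field])))
    return hits

# Constructed proxy log lines: timestamp, user, URL (the format is an assumption).
SAMPLE_LOG = [
    "2025-12-19T09:14:02Z alice https://tick-badge-approval.surge.sh/index.html",
    "2025-12-19T09:15:40Z bob https://docs-portal.netlify.app/guide",
    "2025-12-19T09:17:11Z carol http://FREE-GET-REWARD.netlify.app:80/",
    "2025-12-19T09:18:55Z dave https://example.com/badge-reward",
    "2025-12-19T09:20:03Z erin appeals.neocities.org",
]

if __name__ == "__main__":
    for user, host in scan(SAMPLE_LOG):
        print(f"{user}\t{host}")
```

Listed hosts without a lure word in the site label, such as inf0-applying-center.vercel.app, are not caught by this heuristic, so the exact-match query remains the baseline.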
    Reference: 

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-12-18-phishing-for-authentication-tokens.txt


    Tags

    Malware, Phishing
