FlowerStorm unleashes the KrakVM: PhaaS operators turn to VM-based obfuscation

May 18, 2026, 6:56 p.m.

Description

FlowerStorm is a widely known Phishing-As-A-Service (PhaaS) attack kit that has been active since at least mid-2024, increasingly in large scale campaigns. FlowerStorm performs targeted, complex collection of a victim’s credentials, including the management of multi-factor authentication (MFA).

External References

https://otx.alienvault.com/pulse/6a0b5e378b3635e94b3b7656
https://sublime.security/blog/flowerstorm-unleashes-the-krakvm-phaas-operators-turn-to-vm-based-obfuscation/
Tags
phishing
phaas
html
flowerstorm
2026-05-18
attachment
kravvm
mfa
vm

Date

  • Created: May 18, 2026, 6:45 p.m.
  • Published: May 18, 2026, 6:45 p.m.
  • Modified: May 18, 2026, 6:56 p.m.

Attack Patterns

  • FlowerStorm

Additional Informations

  • 2059746795x.diflucan50.store
  • nnqsy.secureenvirotrust.de
  • 7840190445.cyou
  • 5348785839.cfd
  • evszs.efficiencyworks.de
  • sjask.reliablevisibility.de
  • 6264277690.cfd
  • 1391604445.cfd
  • outrageousorganisation.com.au
  • 6326889358ghf.cyou
  • 8103841751.cyou
  • chr.v0k3.space
  • bill.cloudbusinessfiles.com
  • mkreply2024.my.id
  • hbfnq.strongsystems.de
  • 5531648314.cfd
  • china.bureauofcourts.com
  • 1969421924.cyou
  • 1569742347.cfd
  • dr.k5l1m.cfd
  • msg.uscourtfiles.com
  • unix.wearableartbags.de
  • 6182120286.my.id
  • 5624221719.cfd
  • muchino.database-server.com
  • 5334635671.cfd
  • alexperu.courtfilecloud.com
  • 5237741854.cfd
  • y.k5l1m.cfd
  • amaxelectronics.co.za
  • vvbea.builtinlayers.de
  • 7622350912.cfd
  • dfjxt.patienceintherain.de
  • 6185945827.sbs
  • chr.authgsyuuite.com
  • pozao.clearconceptsdesign.de
  • zpma.uscourtdocuments.com
  • qmduj.smoothhost.de
  • bombom.courtdocumentshub.com
  • 8191769809.cfd
  • 7983520156.cyou
  • 2067612207.cfd
  • 2143835084.cfd
  • vunbp.scalableplatforms.de
  • m.chantstraditionnels.de
  • dpqcm.solidreputation.de
  • bafybeid6ec6mwvrywozlhpblgzl76qtrcqqx26ryk2cptwtykroufqn4y4.ipfs.w3s.link
  • ottm.secureuserguard.de
  • 1518076290.cyou
  • 7588085895.cyou
  • 7250102277.cfd
  • uvehh.digitalsuccessframeworks.de
  • 1419993777.cyou
  • zrqdi.dynamicgrowthsystems.de
  • tlmsh.germanidentityhub.de
  • 6970793981ad.cyou
  • chris.ggsuitauth.site
  • 2008377162.cfd
  • ableg.docufiled.com
  • brenda.5hawb1t.site
  • 04qq.digitalcompetitiveedge.de
  • woovw.maximizevisibility.de
  • chris1.k5l1m.cfd
  • don.feiracultural.de
  • noanme.courtfilecloud.com
  • albert.uscourtfilestorage.com
  • office.bureaucloudservices.com
  • jeny.ggsuitauth.site
  • rexjf.digitaltrustbase.de
  • bafybeias2uivmggzl2gqjipqgcarbgyvakvk6yljxbcv4a3qroxcujzqaq.ipfs.w3s.link
  • asphalt9nitroo.my.id
  • 5832068083.cyou
  • oztff.valueguardians.de
  • 6837577840.cfd
  • towbb.digitalproficiency.de
  • cfur.invoclegal.com
  • bafybeiclfnumyd3aztwl2xjz5o6cfw4fqepqz6a6uow3dig57pf5najq2u.ipfs.w3s.link
  • rdaol.dreamsintheframe.de
  • empire.appdocstorage.com
  • 6438259665.cfd
  • 6018258857.cfd
  • 7766360391.cfd
  • irigc.precisionontheweb.de
  • valid.seashellshoetreasures.de
  • pkxza.ruminatingbrook.de
  • lifeofa.k5l1m.cfd