Flowerstorm Phishing Activity Report - June 2025
Summary
The Flowerstorm phishing kit remained a persistent threat throughout June 2025, with 1,488 total reports. Activity was concentrated in the first week before tapering off. The campaign maintained focus on Microsoft credential harvesting and relied heavily on Cloudflare-backed infrastructure and consistent domain patterns.
Note: This summary was generated with the assistance of AI.
Timeline Analysis
- June 1–8: 551 reports – High activity in the first week.
- June 9–15: 336 reports – Significant drop (39%).
- June 16–22: 266 reports – Continued decline in observed activity.
- June 23–30: 335 reports – Slight rebound in final week.
Key Findings
Infrastructure Summary
- TLDs: .it.com, .com.de, .de, with extraction domains hosted on .cfd and .xyz
- ASNs: Cloudflare (AS13335), OVH SAS (AS16276), Akamai (AS63949), Google (AS15169)
- Cloud Providers: Tencent Cloud (myqcloud.com); other providers observed include Linode and Microsoft Azure (blob.core.windows.net).
Geographic Hosting Distribution
- France
- United States
- South Korea
- Bulgaria
- Germany
- Indonesia
Common Domain & URL Patterns
- Impersonation subdomains: docuusignapproveddone, authenticatorclouds3365, outlookoffice
- Frequent infrastructure domains: myqcloud.com
- Persistent use of .it.com and .com.de for phishing pages
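The domain and URL patterns above translate directly into a triage rule. The following is an added example, not code from the original report: it scores a URL's hostname against the impersonation keywords, TLD suffixes and infrastructure domains the report lists. The keyword and suffix lists come from the report; the weights, the `REVIEW_THRESHOLD` and the sample URLs are my own assumptions, chosen so that a bare `.de` host (a common legitimate TLD) barely moves the score while `.it.com` or `.com.de` combined with an impersonation keyword does.

```python
"""Triage rule for the Flowerstorm hostname patterns listed above.

Added example, not code from the original report. The keyword list, TLD
suffixes and infrastructure domains come from the report; the weights and
the review threshold are assumptions made for this triage rule.
"""
from urllib.parse import urlsplit

# Impersonation tokens observed in Flowerstorm subdomains (from the report).
IMPERSONATION_KEYWORDS = ("docuusign", "authenticatorcloud", "outlookoffice")

# Suffixes from the report, most specific first so ".com.de" is counted once
# and not again as ".de". Weights are assumed: .it.com and .com.de carry the
# phishing pages, .cfd/.xyz host the credential "extraction" side, and .de on
# its own is a common legitimate TLD, so it barely moves the score.
SUFFIX_WEIGHTS = (
    (".it.com", "phishing-page TLD", 2),
    (".com.de", "phishing-page TLD", 2),
    (".cfd", "extraction TLD", 1),
    (".xyz", "extraction TLD", 1),
    (".de", "weak phishing-page TLD", 1),
)

# Hosting platforms the report calls out (Tencent Cloud, Glitch).
INFRA_DOMAINS = ("myqcloud.com", "glitch.me")

REVIEW_THRESHOLD = 3  # assumed cut-off for sending a URL to an analyst


def hostname(url):
    """Lowercase hostname of a URL ('' if it cannot be parsed); a bare host is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def score_host(url):
    """Return (score, reasons) for how closely the URL's host matches the patterns."""
    host = hostname(url)
    score, reasons = 0, []

    # Keywords are matched per DNS label so the whole subdomain string
    # (e.g. "authenticatorclouds3365") is caught, not only exact label names.
    for keyword in IMPERSONATION_KEYWORDS:
        if any(keyword in label for label in host.split(".")):
            score += 2
            reasons.append(f"impersonation keyword '{keyword}'")

    for suffix, what, weight in SUFFIX_WEIGHTS:
        if host.endswith(suffix):
            score += weight
            reasons.append(f"{what} {suffix}")
            break  # first (most specific) match only

    for infra in INFRA_DOMAINS:
        if host == infra or host.endswith("." + infra):
            score += 1
            reasons.append(f"known infrastructure domain {infra}")
            break

    return score, reasons


def needs_review(url):
    """True when the host scores at or above the assumed review threshold."""
    return score_host(url)[0] >= REVIEW_THRESHOLD


if __name__ == "__main__":
    # Constructed sample URLs; none of these are indicators from the report.
    for url in (
        "https://docuusignapproveddone.example.it.com/login",
        "https://authenticatorclouds3365.example.xyz/",
        "https://static.example.myqcloud.com/app.js",
        "https://login.microsoftonline.com/",
    ):
        score, reasons = score_host(url)
        flag = "REVIEW" if needs_review(url) else "ok"
        print(f"{flag:6} {score}  {url}  {'; '.join(reasons)}")
```

The suffix loop stops at the first match on purpose: a host under `.com.de` would otherwise also be credited for `.de`, and the infrastructure match is a weak signal on its own because the same platforms host plenty of legitimate content.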
Anomalies & Activity Shifts
- Glitch.me Hosting: Rare usage noted; a deviation from the standard cloud providers seen elsewhere in the campaign
Tycoon Phishing Kit Activity Report - May 2025
Summary
Tycoon phishing kit operations demonstrated significant activity escalation throughout May 2025, with 2,842 total detections representing a concentrated campaign targeting Microsoft Office 365 credentials. The month showed a notable surge in the final week with activity levels nearly tripling compared to mid-month periods.
Note: This summary was generated with the assistance of AI.
Timeline Analysis
- Week 1 (May 1–7): 724 detections – High volume, with broad use of multiple hosting infrastructures.
- Week 2 (May 8–14): 493 detections – 32% drop in activity indicates a pause for refinement.
- Week 3 (May 15–21): 374 detections – Continued decline. Minimal detections may reflect active avoidance of early takedown.
- Week 4 (May 22–31): 1,251 detections – Sharp 234% increase marks the month's peak. This escalation was likely timed to coincide with end-of-month financial workflows, maximizing the success of credential harvesting and potential BEC exploitation.
Key Findings
Infrastructure Summary
- Primary CDN: Cloudflare (ASN #13335) – 85%+ of operations
- Secondary Infrastructure: Microsoft Azure, Amazon AWS, Google Cloud
Target Patterns
- Exclusive focus on Microsoft Office 365 credential harvesting
- Base64-encoded victim email addresses in URLs
- Enterprise email systems specifically targeted
- BEC preparation indicators
Common Domain Patterns
- Spanish .es TLD exploitation: *.es
- Russian .ru TLD exploitation: *.ru
- Cloud storage abuse: Azure, Google Cloud buckets
- Legitimate site compromise: .gob.mx, business domains
Anomalies & Activity Shifts
- Campaign Timing: Final week surge aligns with business cycles
- Geographic Diversification: Expansion from Chile/Brazil-hosted infrastructure to globally distributed infrastructure
Phishing Landscape Analysis: May 2025
Summary
May 2025 demonstrated significant independent phishing activity with 8,338 total reports outside major phishing kit operations. The data reveals a mature threat actor ecosystem using cloud infrastructure, advanced brand impersonation, and diverse targeting strategies. Activity stayed consistently high, with cloud-hosted campaigns making up over 32% of all phishing infrastructure.
Note: This summary was generated with the assistance of AI.
Timeline Analysis
- Week 1 (May 1–7): 2,401 reports – Strong opening driven by established social media and financial phishing campaigns.
- Mid-month (May 15–22): 1,846 reports – Sustained targeting with continued abuse of Vercel and GitHub infrastructure.
- Week 4 (May 24–31): High volume continued, with an end-of-month surge aligned with government impersonation and financial cycles.
- Cloud-hosted campaigns: 2,726 instances, reflecting a strategic pivot toward resilient, decentralized infrastructure.
Key Findings
Infrastructure Dominance
- Cloudflare: ASN #13335, most-used CDN for hosting phishing content
- Amazon Web Services: Vercel.app, S3 buckets, EC2 instances widely abused
- GitHub Pages & Vercel: Top platforms for impersonation and clone sites
- TLD Usage: High abuse of .win, .xyz, .chat, .pro, and cloud-linked subdomains
Campaign Categories
- Social Media (35%): Facebook/Meta phishing dominated by 50+ Vercel variants
- Streaming Services (25%): Netflix, Amazon clones on GitHub.io
- Financial (20%): Chase, PayPal, Outlook phishing remained persistent
- Government (12%): E-devlet, DMV, French tax authority impersonations
- Crypto (8%): WalletConnect, DeFi spoofing campaigns
Technical Evolution
- Sophisticated redirect chains using sites like ringaraja.net, telehaber.com
- Standardized use of Base64 email encoding in phishing URLs
- Legitimate-looking assets loaded from jsdelivr, cdnjs, and bootstrapcdn
- Emerging IPFS (dweb.link) use for hosting phishing content
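Both the Tycoon report ("Base64-encoded victim email addresses in URLs") and the "Standardized use of Base64 email encoding in phishing URLs" finding above describe the same pre-filled-victim technique, and it gives defenders a cheap detection: decode base64-looking tokens in a URL and check whether any of them is an e-mail address. The following is an added example, not code from the report; it scans path segments, query values and the fragment, accepts both the standard and the URL-safe alphabet with or without padding, and returns the addresses it finds. The `SAMPLE_URLS` are constructed for the example and are not indicators from either report.

```python
"""Find Base64-encoded e-mail addresses embedded in phishing URLs.

Added example for the "Base64-encoded victim email addresses in URLs" and
"Standardized use of Base64 email encoding in phishing URLs" findings; it is
not code from the report. The sample URLs are constructed, not indicators.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# A candidate token: only the standard or URL-safe base64 alphabet, at least
# 8 characters (the shortest plausible address, a@b.co, encodes to 8).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")
EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


def try_decode(token):
    """Decode one token as base64 (either alphabet, padding optional).

    Returns the decoded text, or None when the token is not valid base64 or
    does not decode to UTF-8 text.
    """
    token = token.rstrip("=")
    if len(token) % 4 == 1:  # no base64 string has exactly 1 leftover character
        return None
    token = token.replace("+", "-").replace("/", "_")  # normalise to URL-safe
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def candidate_tokens(url):
    """Yield base64-looking strings from the path segments, query values and fragment."""
    parts = urlsplit(url)
    pieces = [unquote(seg) for seg in parts.path.split("/") if seg]
    # The query is split by hand rather than with parse_qsl, which would turn
    # a literal '+' (valid standard base64) into a space and break the token.
    for param in parts.query.split("&"):
        pieces.append(unquote(param.partition("=")[2]))
    if parts.fragment:
        pieces.append(unquote(parts.fragment))
    for piece in pieces:
        for match in B64_TOKEN.finditer(piece):
            yield match.group(0)


def encoded_emails(url):
    """Return the distinct e-mail addresses found base64-encoded anywhere in the URL."""
    found = []
    for token in candidate_tokens(url):
        text = try_decode(token)
        if text is None:
            continue
        text = text.strip()
        if EMAIL.match(text) and text not in found:
            found.append(text)
    return found


# Constructed samples: standard base64 in a path segment, URL-safe base64 with
# the padding stripped in a query value, and a URL with no encoded address.
SAMPLE_URLS = [
    "https://login.example.invalid/auth/"
    + base64.b64encode(b"victim@example.com").decode() + "/",
    "https://files.example.invalid/open?id="
    + base64.urlsafe_b64encode(b"ceo@corp.example").decode().rstrip("="),
    "https://cdn.example.invalid/assets/bootstrap.min.js",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(encoded_emails(url) or "-", url)
```

Run over a URL feed, a non-empty result is a strong signal on its own and, because the decoded address names the intended victim, it also tells the responder whose mailbox to check for the lure. Ordinary path words such as `bootstrap` fall out at the length check or at the e-mail regex rather than producing false positives.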
Anomalies & Activity Shifts
- Geographic Shifts: Growth in Asia (China, Japan) and new activity in Lithuania, Turkey
- Cloud over bulletproof: Legitimate providers increasingly favored over traditional bulletproof hosting
- Hotel/Travel phishing surge: Booking.com-style clones using chained redirects
- Telegram impersonation spike: 200+ alerts on coordinated campaigns
- Technical anomalies: Long URLs, reused GitHub templates, and parallel Vercel deployments