JUMPSEC have detected and tracked a new phishing attack campaign targeting numerous industrial sector organisations, predominantly in the engineering, construction, and energy sectors in the UK and US, where threat actors have consistently used a common and identifiable AiTM (Adversary in the Middle) phishing kit throughout March 2025. At-risk organisations should take steps to reduce the risk of compromise, as the infrastructure detailed below continues to be leveraged by threat actors.
1. Executive Summary
Adversary in the Middle (AiTM) phishing kits are used by threat actors to bypass multi-factor authentication (MFA) and steal credentials by impersonating legitimate websites. Unlike traditional phishing kits, AiTM leverages reverse proxies to intercept and relay login credentials, enabling attackers to capture both the victim’s login information and the session token in real-time.
This advisory blog provides detailed technical analysis and known Indicators of Compromise (IoCs) to give defenders a clearer picture of the phishing campaign, along with key mitigations to limit its potential impact. Having cross-checked IoCs with ~200 threat intelligence reports from across the industry, the infrastructure used by threat actors does not appear to be widely known as malicious at the time of publication.
Any login events from the malicious IPs provided on JUMPSEC Labs’ GitHub should be treated as indicative of a compromised account, requiring immediate investigation and response, including credential resets and session revocation. While our analysis reveals a clear industry focus, other industries and regions may also be impacted. JUMPSEC will continue to update the IoC list as we continue to track the phishing kit, ensuring the latest known malicious IPs are available.
2. Key Findings
The phishing kit and associated TTPs were first detected on 27/02/2025 and remain active. Over time, JUMPSEC has developed a broader understanding of the kit by analysing its structure, scanning related URLs via platforms such as VirusTotal.
JUMPSEC assesses that the phishing kit is likely a commercially available tool, exploiting lookalike domains and trusted services to appear legitimate. Expanding the set of identified IoCs (such as IP addresses and domains) has enabled correlation with other known attacks and the identification of new targets. Findings indicate that the campaign is primarily focused on UK-based organisations within manufacturing, construction, oil & gas, and engineering.
2.1 Initial Access Techniques
Threat actors initiate attacks via Business Email Compromise (BEC) phishing, using compromised legitimate services (e.g. Gamma App and Adobe) to distribute phishing emails containing malicious PDFs. The attackers impersonate legitimate known firms within the targeted industry to increase credibility.

Left: A redacted screenshot of the ‘gamma.app’ PDF phishing page victims are redirected to.

Right: Another instance, where legitimate Adobe Acrobat was used to deliver the Malicious AiTM link to the victim.
Upon accessing the AiTM page, the victim encounters a Cloudflare CAPTCHA service that performs the following checks:
- VPN/bot detection via Cloudflare CAPTCHA
- Sandbox detection
When it does not detect a legitimate browser, it redirects the user to a randomised Wikipedia page. However, if all the checks are passed, it redirects the user through Cloudflare to the AiTM page shown below.

Left: The intended phishing AiTM page for victims to verify themselves.

Right: Randomised page for non-legitimate VPN/Bot browsers.
Once the victim successfully passes the verification checks, they are redirected to the attacker-controlled AiTM phishing page. At this stage, the phishing site proxies the legitimate login portal of the impersonated service, as is typically the case with AiTM attacks, increasing the likelihood that the victim enters their credentials.

A screenshot of the final AiTM page where threat actors would capture victim credentials.
2.2 Attacker Evasion Techniques
The phishing kit author has taken steps to prevent direct IP access by masking services behind Cloudflare. However, analysis of service information patterns reveals consistent identifiers:
- The AiTM page’s HTML includes a window.location.reload() call, which refreshes the page and forces the victim through the phishing workflow.
- The content below is static across deployments, except for dynamic class variables, making it possible to fingerprint attacker infrastructure.

HTML source code of the AiTM phishing page that enforces the workflow and maintains control over the victim’s session.

A screenshot of the page the user lands on. Using this data, JUMPSEC has identified back-end attacker infrastructure operating behind Cloudflare, with high confidence that this serves as a proxy for phishing attacks.
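The fingerprinting approach described above, as an added example that is not JUMPSEC's tooling: the page body is normalised by blanking the class attribute values (the only part the post says varies between deployments) and hashed, so two deployments of the kit collapse to one fingerprint. The HTML snippets are constructed stand-ins, not the kit's actual source, which the post shows only as a screenshot.

```python
import hashlib
import re

# The post reports that only class attribute values change between deployments,
# so those are replaced with a placeholder before hashing.
_CLASS_ATTR = re.compile(r'\bclass\s*=\s*(["\']).*?\1', re.IGNORECASE | re.DOTALL)
_WHITESPACE = re.compile(r"\s+")

# Marker the post reports in the kit's HTML. On its own it is far too common to
# act on, so it is only used together with the content hash below.
RELOAD_MARKER = "window.location.reload()"


def normalise(html: str) -> str:
    """Blank the dynamic class values and collapse whitespace so that two
    deployments of the same kit yield identical text."""
    stripped = _CLASS_ATTR.sub('class="_"', html)
    return _WHITESPACE.sub(" ", stripped).strip()


def fingerprint(html: str) -> str:
    """SHA-256 over the normalised page body."""
    return hashlib.sha256(normalise(html).encode("utf-8")).hexdigest()


def looks_like_kit(html: str, known_fingerprints: set) -> bool:
    """True when the page carries the reload marker AND its normalised content
    matches a fingerprint taken from a confirmed kit page."""
    return RELOAD_MARKER in html and fingerprint(html) in known_fingerprints


# Constructed stand-in pages: the same skeleton with different random class names.
DEPLOYMENT_A = """<html><body>
<div class="x7f2a"><script>window.location.reload()</script></div>
<div class="k91qd">Verifying...</div></body></html>"""

DEPLOYMENT_B = """<html><body>
<div class="ab3zz"><script>window.location.reload()</script></div>
<div class="p0m2x">Verifying...</div></body></html>"""

# Constructed benign page that must not match.
BENIGN_PAGE = '<html><body><div class="hero">Welcome</div></body></html>'

# Fingerprints would normally be seeded from a confirmed kit page.
KNOWN = {fingerprint(DEPLOYMENT_A)}

if __name__ == "__main__":
    for name, page in (("B", DEPLOYMENT_B), ("benign", BENIGN_PAGE)):
        print(name, looks_like_kit(page, KNOWN))
```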
The threat actors employ additional evasion techniques to hinder detection and analysis. Identified IPs are configured to block reconnaissance scans from Shodan and ZoomEye, while still allowing Censys queries. Furthermore, hosting provider statistics reveal that the majority of observed phishing infrastructure is hosted on DigitalOcean, suggesting a preference for this platform due to its ease of deployment and anonymity.

Censys results enabling us to identify IP addresses which had similar HTTP responses.

Hosting provider statistics show that DigitalOcean hosts the majority of incidents.
Over the course of March 2025, adversaries leveraging the AiTM phishing kit have shown a significant increase in scope. The number of observed results has grown from 184 on 11/03/2025 to 290 by 27/03/2025, reflecting a steady expansion in the campaign’s reach.
The daily average percentage increase in observed results was ~12.3%, indicating either a broader adoption of the phishing kit by multiple threat actors or an escalation by the original attacker. This consistent growth highlights the need for heightened vigilance and proactive monitoring by organisations, as the attack continues to evolve and target more sectors.
2.3 Sector and geographic analysis
Our analysis of targeted and impersonated organisations reveals a clear industry focus, with construction being the most frequently affected sector, followed closely by manufacturing, engineering, and energy. While other industries and regions may also be impacted, the evidence confirms that, at the very least, these sectors are being deliberately targeted.

Left: A breakdown of the sectors either impersonated or targeted. Right: The UK is predominantly targeted.
This suggests that threat actors are strategically selecting industries with high-value supply chains, large contractor networks, and frequent financial transactions—ideal conditions for Business Email Compromise (BEC) phishing.
4. Recommendations
To mitigate the threats identified in this report, JUMPSEC recommends the following proactive and defensive measures:
Immediate Actions
- Treat any login events from identified malicious IPs as indicative of compromise.
- Reset user credentials and revoke active sessions for impacted accounts.
Preventative Controls
- Block gamma.app within enterprise environments to prevent malicious PDF-based phishing attempts, provided it is not a service that is commonly used or necessary for your organisation.
- Conduct retrospective log analysis to identify previous instances of gamma.app usage, particularly if this is not widely used by your organisation.
- Improve filtering for file-sharing services like Adobe Acrobat by establishing a baseline for normal activity and setting up anomaly detection.
- Recognise that trusted services (e.g. Adobe) are being exploited for AiTM delivery.
Long-Term Threat Monitoring & Hunting
- Monitor Censys queries for signs of this phishing kit before active deployment.
- Conduct targeted threat hunts by analysing network/security logs for connections to known IoCs.
- Extract SSL certificate domain names associated with the attack infrastructure and monitor for new registrations.
- Focus on authentication logs rather than direct IP access attempts, as the attack relies on session hijacking rather than brute force logins.
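The authentication-log hunt recommended above, as an added example that is not JUMPSEC's own tooling: every sign-in from an IoC address is flagged per user, and the sessions behind successful sign-ins are listed for revocation. The IoC addresses are TEST-NET placeholders standing in for the list on JUMPSEC Labs' GitHub, and the JSON field names are an assumption rather than any vendor's sign-in log schema.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed placeholders (RFC 5737 TEST-NET), NOT the campaign IPs.
# Entries may be single addresses or CIDR ranges.
MALICIOUS_IPS = ["192.0.2.10", "198.51.100.0/28"]

# Constructed sign-in records as JSON lines; field names are assumed.
SAMPLE_LOG = """
{"time":"2025-03-12T08:01:10Z","user":"alice@example.test","ip":"203.0.113.5","result":"Success","session":"s-001"}
{"time":"2025-03-12T08:05:42Z","user":"alice@example.test","ip":"192.0.2.10","result":"Success","session":"s-002"}
{"time":"2025-03-12T09:10:00Z","user":"bob@example.test","ip":"198.51.100.3","result":"Failure","session":"s-003"}
{"time":"2025-03-13T14:22:31Z","user":"carol@example.test","ip":"198.51.100.9","result":"Success","session":"s-004"}
"""


def load_iocs(values):
    """Normalise IoC strings into networks so single IPs and ranges match alike."""
    return [ipaddress.ip_network(v, strict=False) for v in values]


def is_ioc(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(records, networks):
    """Per user: count of sign-in events from IoC addresses (any outcome, per
    the advisory) and the sessions behind successful ones, which need revoking."""
    findings = defaultdict(lambda: {"events": 0, "sessions_to_revoke": []})
    for rec in records:
        if not is_ioc(rec["ip"], networks):
            continue
        entry = findings[rec["user"]]
        entry["events"] += 1
        if rec["result"] == "Success":
            entry["sessions_to_revoke"].append(rec["session"])
    return dict(findings)


if __name__ == "__main__":
    for user, finding in hunt(parse_log(SAMPLE_LOG), load_iocs(MALICIOUS_IPS)).items():
        print(f"{user}: {finding['events']} IoC sign-in(s); revoke {finding['sessions_to_revoke']}")
```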
5. Indicators of Compromise (IoCs)
Any login events from the malicious IPs provided on JUMPSEC Labs’ GitHub should be treated as indicative of a compromised account, requiring immediate investigation and response, including user credential resets and session revocation. JUMPSEC will continue to update this list as we track the phishing kit, ensuring the latest known malicious IPs are available.