BotBeat
...
← Back

> ▌

Google / AlphabetGoogle / Alphabet
RESEARCHGoogle / Alphabet2026-07-09

Researchers Expose 'Nyasher' Phishing Kit Stealing Google Accounts with Advanced BITM Attack

Key Takeaways

  • ▸Clean PDF attachments bypass security scanners when the only weapon is a hidden hyperlink—Google's safety scan cannot detect malicious intent, only malicious bytes
  • ▸Attackers abuse legitimate services (Framer, Cloudflare Workers) as proxy relay layers to obscure infrastructure and avoid triggering automated threat detection
  • ▸Anti-analysis armoring (human gesture verification, in-memory blob URLs, DevTools disabling) prevents both automated URL scanners and manual researcher inspection
Source:
Hacker Newshttps://david.weekly.org/blog/2026-07-08-detailing-a-phishing-attack-nyasher/↗

Summary

Security researcher dweekly has detailed a sophisticated phishing attack kit known as Nyasher that uses Browser-in-the-Middle (BITM) technology to hijack Google accounts and bypass two-factor authentication. The attack begins with a seemingly innocent PDF attachment containing a hidden hyperlink, which appears clean to automated security scanners. Once clicked, users are redirected through a chain of legitimate services (Framer and Cloudflare Workers) that serve as proxies, reaching a credential harvesting page that doesn't exist at a real address but is instead rendered in-memory as an encrypted blob URL.

The kit includes advanced anti-analysis features—right-click disabling, console nuking, anti-debugger loops, and DevTools detection—to evade security researchers and automated scanners. Most notably, rather than simply stealing credentials, Nyasher establishes a live, remote-controlled browser connection that captures sessions in real-time and walks through two-factor authentication challenges in the victim's actual browser context. Once accounts are compromised, they're immediately weaponized to send the same phishing lure to new targets, creating a self-propagating attack cycle.

  • Browser-in-the-Middle approach allows real-time session capture and 2FA bypass by hijacking the victim's actual browser context, not just stealing credentials
  • Compromised accounts become attack nodes in a viral loop—hijacked Gmail accounts immediately send the lure to other targets

Editorial Opinion

This research exposes a fundamental blind spot in email security: scanning for malware misses the real threat when the weapon is simply a link. The sophistication of Nyasher—particularly its BITM architecture and anti-analysis defenses—demonstrates that phishing infrastructure is now mature and adaptive. Email providers and security teams must rethink how they validate session authenticity and user context, especially during account recovery and 2FA, before more accounts are compromised into weaponized nodes in these networks.

CybersecurityRegulation & PolicyPrivacy & Data

More from Google / Alphabet

Google / AlphabetGoogle / Alphabet
PRODUCT LAUNCH

Google Launches AlphaEvolve Optimization Agent to General Availability on Google Cloud

2026-07-09
Google / AlphabetGoogle / Alphabet
PRODUCT LAUNCH

Google Launches LiteRT.js: High-Performance AI Inference Comes to the Web Browser

2026-07-09
Google / AlphabetGoogle / Alphabet
UPDATE

Google Accidentally Deprecates Gemini 2.5 Models Early, Causing Production Outages

2026-07-09

Comments

Suggested

Google / AlphabetGoogle / Alphabet
PRODUCT LAUNCH

Google Launches LiteRT.js: High-Performance AI Inference Comes to the Web Browser

2026-07-09
OpenAIOpenAI
POLICY & REGULATION

News Outlets Seek Court Sanctions Against OpenAI Over Copyright Evidence in ChatGPT Trial

2026-07-09
OpenAIOpenAI
POLICY & REGULATION

OpenAI's Sol Release Highlights the Murky, Ad Hoc Process for Approving Frontier AI Models

2026-07-09
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us