Researchers Expose 'Nyasher' Phishing Kit Stealing Google Accounts with Advanced BITM Attack
Key Takeaways
- ▸Clean PDF attachments bypass security scanners when the only weapon is a hidden hyperlink—Google's safety scan cannot detect malicious intent, only malicious bytes
- ▸Attackers abuse legitimate services (Framer, Cloudflare Workers) as proxy relay layers to obscure infrastructure and avoid triggering automated threat detection
- ▸Anti-analysis armoring (human gesture verification, in-memory blob URLs, DevTools disabling) prevents both automated URL scanners and manual researcher inspection
Summary
Security researcher dweekly has detailed a sophisticated phishing attack kit known as Nyasher that uses Browser-in-the-Middle (BITM) technology to hijack Google accounts and bypass two-factor authentication. The attack begins with a seemingly innocent PDF attachment containing a hidden hyperlink, which appears clean to automated security scanners. Once clicked, users are redirected through a chain of legitimate services (Framer and Cloudflare Workers) that serve as proxies, reaching a credential harvesting page that doesn't exist at a real address but is instead rendered in-memory as an encrypted blob URL.
The kit includes advanced anti-analysis features—right-click disabling, console nuking, anti-debugger loops, and DevTools detection—to evade security researchers and automated scanners. Most notably, rather than simply stealing credentials, Nyasher establishes a live, remote-controlled browser connection that captures sessions in real-time and walks through two-factor authentication challenges in the victim's actual browser context. Once accounts are compromised, they're immediately weaponized to send the same phishing lure to new targets, creating a self-propagating attack cycle.
- Browser-in-the-Middle approach allows real-time session capture and 2FA bypass by hijacking the victim's actual browser context, not just stealing credentials
- Compromised accounts become attack nodes in a viral loop—hijacked Gmail accounts immediately send the lure to other targets
Editorial Opinion
This research exposes a fundamental blind spot in email security: scanning for malware misses the real threat when the weapon is simply a link. The sophistication of Nyasher—particularly its BITM architecture and anti-analysis defenses—demonstrates that phishing infrastructure is now mature and adaptive. Email providers and security teams must rethink how they validate session authenticity and user context, especially during account recovery and 2FA, before more accounts are compromised into weaponized nodes in these networks.

