惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
S
Secure Thoughts
月光博客
月光博客
美团技术团队
雷峰网
雷峰网
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Forbes - Security
Forbes - Security
W
WeLiveSecurity
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志
爱范儿
爱范儿
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AI
AI
Last Week in AI
Last Week in AI
Google Online Security Blog
Google Online Security Blog
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recent Announcements
Recent Announcements
Webroot Blog
Webroot Blog
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
N
News and Events Feed by Topic
罗磊的独立博客
The Register - Security
The Register - Security
Blog — PlanetScale
Blog — PlanetScale
T
Threat Research - Cisco Blogs
博客园 - 【当耐特】
Apple Machine Learning Research
Apple Machine Learning Research
人人都是产品经理
人人都是产品经理
T
The Exploit Database - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
B
Blog
腾讯CDC
Microsoft Azure Blog
Microsoft Azure Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hacker News: Front Page
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Engineering at Meta
Engineering at Meta
Latest news
Latest news
IT之家
IT之家
D
DataBreaches.Net
博客园 - 司徒正美
N
Netflix TechBlog - Medium
V
V2EX
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知

Security Research | Blog

ClaudeFix: Shared Claude Chats Meet ClickFix | Zscaler Why Do F1 Teams Need Cybersecurity, and What Is AI’s Role? Indirect Prompt Injection Targets AI Agents | ThreatLabz Splunk Enterprise RCE (CVE-2026-20253) | ThreatLabz Edgecution: Malicious Edge Extension Backdoor | ThreatLabz SmartApeSG Supply Chain Attack Targets Okendo | ThreatLabz AI Generated ClickFix Attack Delivers SmartRAT | ThreatLabz What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector | Zscaler Shai-Hulud: Miasma, Hades, & AI Scanner Evasion | ThreatLabz Zscaler ThreatLabz 2026 Phishing and Initial Access Report Technical Analysis of MLTBackdoor | ThreatLabz When the Scanner Starts Thinking: Learnings from Mythos & GPT 5.5 Cyber in Security Testing | Zscaler OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz Do not delete blog (testing) | Zscaler Payouts King Takes Aim at the Ransomware Throne | ThreatLabz The Alibaba Incident and Why Zero Trust Matters More Than Ever In-Memory Loader Drops ScreenConnect | ThreatLabz Supply Chain Attacks Surge in March 2026 | ThreatLabz Claude Code Leak: Critical AI Security Threat 2026 Latest Xloader Obfuscation Code & C2 Protocol | ThreatLabz CVE-2026-20131: Analysis of FMC RCE | ThreatLabz Technical Analysis of SnappyClient | ThreatLabz China-nexus Group Targets Arabian Gulf Region | ThreatLabz Middle East Conflict Fuels Cyber Attacks | ThreatLabz Dust Specter APT Targets Gov’t Officials in Iraq | ThreatLabz APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz GuLoader Malware Obfuscation Techniques Analyzed GuLoader Obfuscation Analysis | ThreatLabz Technical Analysis of Marco Stealer | ThreatLabz Latest Public Sector AI Adoption Trends: What Government, Healthcare, and Education Security Teams Need to Know | Zscaler Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz 7 Predictions for 2026 | Zscaler SHEETCREEP, FIREPOWER, and MAILCREEP Analysis | ThreatLabz AI is Now Default Enterprise Accelerator: Takeaways from ThreatLabz 2026 AI Security Report | Zscaler GOGITTER, GITSHELLPAD, and GOSHELL Analysis | ThreatLabz Malicious NPM Packages Deliver NodeCordRAT | ThreatLabz What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek | Zscaler BlindEagle Deploys Caminho and DCRAT | ThreatLabz Technical Analysis of the BlackForce Phishing Kit | ThreatLabz React2Shell RCE Vulnerability (CVE-2025-55182) | ThreatLabz Shai-Hulud V2 Poses Risk to NPM Supply Chain | ThreatLabz Technical Analysis of Matanbuchus 3.0 | ThreatLabz In-Depth Analysis: Water Gamayun APT Multi-Stage Attack Uncovered CVE-2025-50165: Windows Graphics Component Flaw | ThreatLabz Mobile, IoT, and OT Risks Converge in the Public Sector | Zscaler Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report | Zscaler Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) | Zscaler F5 Security Incident Advisory | Zscaler Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface | Zscaler SEO Poisoning Targets Ivanti VPN: Credential Theft Alert Cisco Firewall and VPN Zero Day Attacks | ThreatLabz COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz YiBackdoor: Linked to IcedID and Latrodectus | ThreatLabz Technical Analysis of Zloader Updates | ThreatLabz Mitigating Risks from the Shai-Hulud NPM Worm | ThreatLabz Malicious PyPI Packages Deliver SilentSync RAT | ThreatLabz Technical Analysis of SmokeLoader Version 2025 | ThreatLabz Technical Analysis of kkRAT | ThreatLabz APT37: Rust Backdoor & Python Loader | ThreatLabz Anatsa’s Latest Updates | ThreatLabz Termncolor and Colorinal Explained | ThreatLabz Tracking Updates to Raspberry Robin | ThreatLabz Ransomware Surges, Extortion Escalates: ThreatLabz 2025 Ransomware Report | Zscaler China-nexus APT Targets the Tibetan Community | ThreatLabz CVE-2025-53770 | ThreatLabz Black Hat SEO Poisoning Search Engine Results For AI | ThreatLabz
GenAI Used to Impersonate Brazil’s Govt Websites | ThreatLabz
Jagadeeswar Ramanukolanu, Kartik Dixit, Yesenia Barajas · 2025-08-05 · via Security Research | Blog

Technical Analysis

The threat actor’s use of generative AI tools can be spotted when inspecting the source code of these phishing pages and by identifying a few design flaws that make certain elements of the page non-clickable. Signs that generative AI tools were used include TailwindCSS styling, overly organized and instructive code comments, staged forms collecting CPF data, and an API system for validating information, all of which will be reviewed in detail below.

CSS clues

DeepSite AI and BlackBox AI consistently utilize TailwindCSS for styling and FontAwesome CSS (hosted on Cloudflare CDN) for icons. Both of these CSS libraries are referenced in the source code of the phishing pages, as shown in the figure below.

Example of the Brazilian government phishing pages HTML source code using the TailwindCSS and FontAwesome libraries.

Figure 5: Example of the Brazilian government phishing pages HTML source code using the TailwindCSS and FontAwesome libraries.

In the figure below, ThreatLabz used DeepSite AI to replicate the legitimate gov.br website by providing the tool with a link and providing instructions to create a clone. The resulting clone’s source code, displayed on the right side of the figure below, closely mirrors the source code shown in the figure above.

Example of HTML code generated by DeepSite AI.

Figure 6: Example of HTML code generated by DeepSite AI.

Non-clickable elements

The phishing pages and the legitimate website are similar in appearance. However, the phishing pages include non-functional user interface (UI) elements that are typically not included in legitimate, working websites. 

The figure below compares a legitimate login page with a phishing page's login prompt, highlighting non-functional UI elements outlined in red boxes.

Comparison of the legitimate Brazilian government website and a phishing page with non-clickable elements.

Figure 7: Comparison of the legitimate Brazilian government website and a phishing page with non-clickable elements.

This lack of functionality for expected interactive elements is a strong indicator of a phishing page, suggesting that the generative AI tool replicated the visual layout without implementing the underlying interactive logic.

Code comments

Our analysis of the JavaScript files uncovered code comments that appear to be auto-generated by generative AI tools. Informative comments such as, “In a real implementation, this would make an API call,” appear in the code, as demonstrated in the JavaScript sample below:

function performSearch(query) {
   console.log('Searching for:', query);
   // In a real implementation, this would make an API call
   fetch(`/search?q=${encodeURIComponent(query)}`)
   .......
}

Code comments are frequently included by generative AI tools to explain a function’s purpose, allowing a developer to easily understand and continue further integration. Such comments are not commonly found in phishing kits, where obfuscation and compactness are the primary goals. Furthermore, these comments are also not typically present in professional, production-ready code intended to power legitimate pages.

Similarly, the CSS files of the site include highly structured comments, seemingly designed to function as an easy-to-read template for the developer (i.e., the threat actor).

These highly structured comments can be seen in the CSS example below:

/* Custom CSS for gov.br clone */
....
/* Base styling - Gov.br font stack */
...
/* Half circle element - Gov.br style */
...
/* Gov.br logo styling */
...


API validation and staged data collection

The phishing pages employ staged data collection and API validation to enhance their appearance of legitimacy, as explained below. 

The phishing page mimics the behavior of authentic websites by progressively requesting additional information from the victim in stages. Information such as a victim’s CPF and address is collected and then validated using an API created by the threat actor.. This whole process is designed to deceive the victim because, from the victim’s perspective, a “legitimate” page requested information in a traditional manner and seemingly validated personal details.

Case study 1: State Department of Traffic 

The figure below shows the phishing page for Brazil’s Department of Traffic prompting the victim to enter their CPF number and then their residential information.

Example phishing page for Brazil’s Department of Traffic requesting a victim’s CPF and address.

Figure 8: Example phishing page for Brazil’s Department of Traffic requesting a victim’s CPF and address.

Case study 2: Ministry of Education

The figure below shows the phishing page mimicking Brazil’s Ministry of Education requesting the victim’s CPF number.

Example phishing page for Brazil’s Ministry of Education requesting a victim’s CPF.

Figure 9: Example phishing page for Brazil’s Ministry of Education requesting a victim’s CPF. 

After the victim provides their CPF number, address, and additional personal information, the attackers utilize backend API calls to validate the submitted information.

The API domain identified during analysis is registered by the threat actor. The API retrieves data associated with the CPF number and automatically populates the phishing page with information linked to the CPF.

ANALYST NOTE: It is possible that the attackers may have initially acquired CPF numbers and user details through data breaches or by leveraging publicly exposed APIs with an authentication key. This information is then utilized to enhance the credibility of their phishing attempts.

The figure below shows the API’s request and response for fetching CPF number information.

Phishing website API request and response for fetching CPF information, name, date of birth, mother’s name, and gender.

Figure 10: Phishing website API request and response for fetching CPF information, name, date of birth, mother’s name, and gender.

Payment stolen via Pix

The final stage of these attacks requests a “mandatory registration fee” via Pix, Brazil’s instant payment system. This step mimics standard government procedures, but ultimately aims to extract money from the victim.

Case study 1: State Department of Traffic 

The figure below depicts the State Department of Traffic phishing page, prompting the victim to send a R$87.40 (~$16 USD) "registration fee" via Pix.

Example phishing page impersonating Brazil’s State Department requesting payment via Pix.

Figure 11: Example phishing page impersonating Brazil’s State Department requesting payment via Pix.

Case study 2: Ministry of Education

The figure below depicts the phishing page for Brazil’s Ministry of Education asking the victim to make a R$87.40 (~$16 USD) payment via Pix.

Example phishing page impersonating Brazil’s Ministry of Education requesting payment via Pix.

Figure 12: Example phishing page impersonating Brazil’s Ministry of Education requesting payment via Pix.