Story of the ‘Phisherman’ - Dissecting Phishing Techniques of CloudDragon APT
2021-05-28 • Team T5
TeamT5’s HITB slides dissect CloudDragon “Phisherman” tradecraft, focusing on phishing infrastructure rather than a single intrusion victim. The material shows email delivery tooling, including PHPMailer on compromised C2 sites, target-account lists, and tokenized phishing URLs that log victim data and redirect users to decoy content. It also describes evolutions from traditional credential pages to proxy-mirror and phishing-bot workflows that use encoded parameters, mobile detection, and decrypt-and-redirect logic to mimic webmail sessions. The malware section highlights AppleSeed/AutoUpdate capabilities, including command execution, DLL loading with regsvr32, in-memory DLL execution, command polling, upload, deletion, and upgrade endpoints.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | phpurlproxy.kr | 2021-05-28 | 2021-05-28 |