Hackers Abuse SniperDz PhaaS Ecosystem for Brand Impersonation and Browser Hijacking
By Tushar Subhra Dutta
June 11, 2026
A sophisticated Phishing-as-a-Service (PhaaS) platform called SniperDz has been quietly enabling a wide range of online fraud that goes far beyond basic credential theft.
The platform provides cybercriminals with a ready-made toolkit to run convincing scams at scale, targeting victims across the Middle East and North Africa through social media platforms like Facebook and Instagram.
Fraudulent accounts impersonating politicians, public figures, and trusted telecom companies lured victims with fake offers including free mobile internet packages, financial compensation, and government subsidy programs.
When victims clicked embedded links, they were not taken to a legitimate site. Instead, they were funneled through a multi-stage redirect chain that ultimately delivered them to phishing infrastructure controlled by the attackers.
Analysts from Group-IB said in a report shared with Cyber Security News (CSN) that by tracing the campaign’s telemetry and bypassing multiple traffic cloaking layers, they identified SniperDz as a centralized, turnkey Push-Notification-as-a-Service (PNaaS) and PhaaS affiliate ecosystem.
The platform hosts more than 50 ready-to-use phishing templates impersonating over 70 globally recognized brands, making it easy for even low-skilled operators to launch convincing campaigns with minimal technical knowledge.
SniperDz’s catalog targets high-value categories, offering clone pages for financial services like PayPal, social media platforms, streaming services, and gaming marketplaces.
The platform uses cloaking techniques that display benign error pages whenever security researchers or automated scanners are detected, making it difficult to identify and dismantle malicious infrastructure.
This evasion capability allowed the ecosystem to operate across multiple campaigns over a sustained period.
The investigation found a recurring VAPID (Voluntary Application Server Identification) public key shared across all examined samples. A VAPID key identifies the application server authorised to send pushes to a subscription, so the same key on every landing page means every subscription, whichever campaign captured it, is handed to one back end; this made the key a critical infrastructure fingerprint linking otherwise separate campaigns to a single shared monetization platform.
Three IP addresses, all hosted by Horizon IS, further confirmed the interconnected nature of the operation and supported attribution to a single unified ecosystem.
Hackers Abuse SniperDz PhaaS Ecosystem
The attack typically begins with a localized social engineering lure through a fake social media post.
Scammers impersonate well-known telecom providers, such as Algérie Télécom, promoting fake offers promising free mobile data or exclusive subscriber benefits.
Victims are first routed through trusted link-aggregation platforms like Linkbio and Linktree, where attackers create decoy landing pages that appear entirely legitimate at first glance.
For example, fanlnk.to, a domain associated with Linkbio, served as an intermediary layer between the social media post and the final phishing destination.
Figure: Typical SniperDz scam victim funnel (Source: Group-IB)
This approach exploits the reputation of trusted services, making early attack stages appear normal to both victims and detection systems.
Once victims pass the link-aggregation layer, they land on attacker-controlled infrastructure where tracking, redirection, and monetization mechanisms are applied.
Browser Hijacking and Multi-Track Monetization
The final stage of the funnel directs victims to a page designed to capture browser notification permissions.
The page presents a minimal interface with a loading spinner and a message prompting users to click “Allow” to continue, creating the impression that a legitimate verification step is underway.
Victims grant the permission without realizing what they have agreed to. Behind the scenes, the page calls the browser's push API with the shared VAPID public key as the application server key, so the resulting subscription (the push endpoint and its keys) can only be used by the operator's server; that subscription, along with metadata such as the browser language, is posted back to the operator.
The page also runs history-manipulation code (via the History API) that pushes 10 fake entries onto the victim's navigation history, creating what researchers called a “back-button prison”: pressing Back steps through the fake entries instead of leaving the page.
A tab-under technique complements this: when the victim's focus leaves the page, for example to open a new browser tab, the original tab is navigated to an attacker-controlled destination.
Once subscribed, victims receive unsolicited advertisements, scam promotions, and malicious content directly through their browser, even after the original page closes.
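To make the three behaviours above concrete for a responder who has captured the landing page, here is an added Python triage script; it is not SniperDz code and not Group-IB's tooling. It scores page source for History-API stuffing with a popstate handler (the back-button prison), a push subscription created with a known application server key (the VAPID key from the IoC table below, as printed there), collection of navigator.language alongside that subscription, and a navigation triggered when the tab loses focus (the tab-under). Both HTML fixtures are constructed for this example; the hostname attacker.example in them is a placeholder, not an indicator.

```python
import re

# Known application server keys to match against; the single entry is the
# SniperDz VAPID public key exactly as printed in the IoC table of this article.
KNOWN_VAPID_KEYS = {
    "BHR8bZ93X3YNBNQcN_dGRYtnWqdsJXR2bXqq3vhfBL1TpfZqrGKXYxATKGNHa25HyaghKK8ZiaFXbIgJqY2624",
}

# Heuristics over page source, not a JavaScript parser: minified or obfuscated
# code can evade them, so a hit is a triage signal rather than proof.
PUSHSTATE_LOOP = re.compile(
    r"for\s*\([^;]*;\s*\w+\s*<\s*(\d+)\s*;[^)]*\)\s*\{?[^}]*?history\.pushState")
PUSHSTATE_CALL = re.compile(r"history\.pushState\s*\(")
POPSTATE_HANDLER = re.compile(r"addEventListener\s*\(\s*['\"]popstate['\"]")
PUSH_SUBSCRIBE = re.compile(r"pushManager\.subscribe\s*\(")
APP_SERVER_KEY = re.compile(r"applicationServerKey\s*:\s*['\"]([A-Za-z0-9_\-=]+)['\"]")
LANGUAGE_EXFIL = re.compile(r"navigator\.language")
TAB_UNDER = re.compile(
    r"addEventListener\s*\(\s*['\"](?:blur|visibilitychange|pagehide)['\"]"
    r"[^}]*?(?:location\.(?:replace|assign|href)|window\.open)")


def triage_landing_page(html, known_keys=KNOWN_VAPID_KEYS):
    """Score captured page source for the SniperDz-style funnel behaviours."""
    findings = []
    score = 0

    # 1. History stuffing: prefer the loop bound, fall back to counting calls.
    loop = PUSHSTATE_LOOP.search(html)
    entries = int(loop.group(1)) if loop else len(PUSHSTATE_CALL.findall(html))
    if entries >= 3:
        score += 2
        findings.append(f"history stuffing: about {entries} pushState entries")
        if POPSTATE_HANDLER.search(html):
            score += 1
            findings.append("popstate handler navigates on Back (back-button prison)")

    # 2. Push subscription keyed to a known or unknown application server.
    vapid_key = None
    key_match = APP_SERVER_KEY.search(html)
    if PUSH_SUBSCRIBE.search(html) and key_match:
        vapid_key = key_match.group(1).rstrip("=")  # tolerate padded copies of the key
        if vapid_key in {k.rstrip("=") for k in known_keys}:
            score += 3
            findings.append("push subscription uses a known SniperDz VAPID key")
        else:
            score += 1
            findings.append("push subscription with an unrecognised VAPID key")
        if LANGUAGE_EXFIL.search(html):
            findings.append("browser language collected alongside the subscription")

    # 3. Tab-under: navigation fired when focus leaves the page.
    if TAB_UNDER.search(html):
        score += 2
        findings.append("tab-under: navigation on blur/visibilitychange/pagehide")

    verdict = "malicious" if score >= 4 else "suspicious" if score >= 2 else "benign"
    return {"score": score, "verdict": verdict, "history_entries": entries,
            "vapid_key": vapid_key, "findings": findings}


# Constructed fixture modelled on the behaviours described in the article;
# attacker.example is a placeholder and this is not the real SniperDz page.
MALICIOUS_PAGE = r"""<html><body>
<div class="spinner"></div><p>Click "Allow" to continue</p>
<script>
for (var i = 0; i < 10; i++) { history.pushState({}, "", "#step" + i); }
window.addEventListener("popstate", function () { location.href = "https://attacker.example/back"; });
navigator.serviceWorker.register("/sw.js").then(function (reg) {
  return reg.pushManager.subscribe({ userVisibleOnly: true,
    applicationServerKey: "BHR8bZ93X3YNBNQcN_dGRYtnWqdsJXR2bXqq3vhfBL1TpfZqrGKXYxATKGNHa25HyaghKK8ZiaFXbIgJqY2624" });
}).then(function (sub) {
  fetch("/collect", { method: "POST", body: JSON.stringify({ sub: sub, lang: navigator.language }) });
});
window.addEventListener("blur", function () { location.replace("https://attacker.example/tabunder"); });
</script></body></html>"""

# Constructed benign fixture: asks for notifications once, with its own
# (placeholder) key, and does nothing to history or focus.
BENIGN_PAGE = r"""<html><body><button id="notify">Enable alerts</button>
<script>
document.getElementById("notify").onclick = function () {
  navigator.serviceWorker.register("/sw.js").then(function (reg) {
    return reg.pushManager.subscribe({ userVisibleOnly: true,
      applicationServerKey: "BPLACEHOLDER_KEY_NOT_A_REAL_INDICATOR" });
  });
};
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("malicious fixture", MALICIOUS_PAGE), ("benign fixture", BENIGN_PAGE)):
        print(name, triage_landing_page(page))
```

The regexes are deliberately simple: a loop bound kept in a variable, a minified script, or a key assembled at runtime will slip past them, which is why the output is a score for prioritising manual review rather than a verdict to act on automatically.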
Users who suspect exposure should immediately revoke the site's notification permission in their browser's site settings; clearing the site's data as well removes the service worker and the push subscription through which the notifications are delivered.
Redirect chains that pass through link-aggregation services on the way to unrelated domains should be treated as suspicious, and unexplained premium SMS subscription charges should be reported to the mobile carrier right away.
Indicators of Compromise (IoCs)

Type | Indicator | Description
Domain | win.feezossl[.]xyz | Attacker-controlled redirect/tracking domain used in the scam funnel
Domain | win.anababayala[.]com | Attacker-controlled redirect/tracking domain used in the scam funnel
Domain | aff.bnaoswhye[.]shop | Additional phishing domain associated with the SniperDz campaign
Domain | raviral[.]com | Domain previously identified as part of the SniperDz ecosystem
IP address | 85.85.9[.]245 | Hosted by Horizon IS; associated with SniperDz phishing infrastructure
IP address | 172.172.45[.]112 | Hosted by Horizon IS; associated with SniperDz phishing infrastructure
IP address | 172.162.12[.]452 | Hosted by Horizon IS; associated with SniperDz phishing infrastructure (reproduced as printed; see note below)
VAPID public key | BHR8bZ93X3YNBNQcN_dGRYtnWqdsJXR2bXqq3vhfBL1TpfZqrGKXYxATKGNHa25HyaghKK8ZiaFXbIgJqY2624 | Recurring VAPID public key used across multiple SniperDz campaigns to register browser push subscriptions
URL | https://win.feezossl[.]xyz/?utm_medium=91164d58…&utm_campaign=test112 | Sample redirect URL observed in the victim funnel
URL | https://win.anababayala[.]com/?utm_medium=a412cbbd…&utm_campaign=aulgazer | Sample redirect URL observed in the victim funnel

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Two entries should be verified against the Group-IB report before they are loaded into a blocklist or detection rule: the third IP address is printed with a final octet of 452, outside the valid 0-255 range, and the VAPID key is printed as 86 base64url characters (64 bytes), one short of the 87 characters (65 bytes) of a well-formed uncompressed P-256 public key.
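The VAPID key is the fingerprint the attribution rests on, so it is worth validating before it goes into a detection rule. As an added example (not Group-IB's tooling), the following Python checks that a base64url VAPID key decodes to a 65-byte uncompressed NIST P-256 point (0x04 prefix, x and y satisfying the curve equation) and compares keys from different samples after normalising padding. Run against the key as printed above, it reports 86 characters decoding to 64 bytes, so a character appears to have been lost in publication and the key should be re-checked against the original report before use. The P-256 generator point is used only as a known-valid reference value; a real VAPID key is a random point, never the generator.

```python
import base64
import re

# NIST P-256 domain parameters (FIPS 186-4 / SEC 2); VAPID keys are points on this curve.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# The SniperDz VAPID public key exactly as printed in this article's IoC table.
SNIPERDZ_VAPID_KEY_AS_PRINTED = (
    "BHR8bZ93X3YNBNQcN_dGRYtnWqdsJXR2bXqq3vhfBL1TpfZqrGKXYxATKGNHa25HyaghKK8ZiaFXbIgJqY2624"
)


def b64url_decode(key):
    """Decode unpadded base64url as used for applicationServerKey; accept padded copies."""
    key = key.strip().rstrip("=")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", key):
        raise ValueError("not base64url")
    return base64.urlsafe_b64decode(key + "=" * (-len(key) % 4))


def encode_uncompressed_point(x, y):
    """Encode an affine point the way browsers expect applicationServerKey (RFC 8292)."""
    raw = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_vapid_key(key):
    """Report whether a VAPID public key is a well-formed uncompressed P-256 point."""
    raw = b64url_decode(key)
    result = {
        "chars": len(key.strip().rstrip("=")),
        "decoded_len": len(raw),          # must be 65: 0x04 || X (32 bytes) || Y (32 bytes)
        "prefix_ok": raw[:1] == b"\x04",
        "length_ok": len(raw) == 65,
        "on_curve": False,
    }
    if result["prefix_ok"] and result["length_ok"]:
        x = int.from_bytes(raw[1:33], "big")
        y = int.from_bytes(raw[33:65], "big")
        # P-256 curve equation: y^2 = x^3 - 3x + b (mod p)
        result["on_curve"] = (x < P256_P and y < P256_P
                              and (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0)
    result["usable"] = result["prefix_ok"] and result["length_ok"] and result["on_curve"]
    return result


def shares_app_server(key_a, key_b):
    """True when two samples point at the same application server, ignoring padding."""
    return b64url_decode(key_a) == b64url_decode(key_b)


# Known-valid reference value only: the curve generator, never a real VAPID key.
P256_GENERATOR_KEY = encode_uncompressed_point(P256_GX, P256_GY)

if __name__ == "__main__":
    for label, key in (("key as printed", SNIPERDZ_VAPID_KEY_AS_PRINTED),
                       ("generator (valid reference)", P256_GENERATOR_KEY)):
        print(label, check_vapid_key(key))
```

Matching with shares_app_server rather than string equality matters in practice: one sample may carry the key padded, another unpadded, and a naive string compare would split one operator into two.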