Caffeine: the Phishing-as-a-Service Platform Targeting Russian & Chinese Entities

New phishing-as-a-service platform named “Caffeine”, used to conduct phishing campaigns.
Updated on
April 19, 2023
Published on
November 21, 2022
Subscribe to the latest industry news, threats and resources.
Category: Adversary Intelligence Industry: Underground Motivation: Financial Region: Global Source*: C - Fairly Reliable 4 - Doubtfully True

Executive Summary

  • New phishing-as-a-service platform named “Caffeine”, used to conduct phishing campaigns.
  • Equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
  • Steal sensitive information such as PII and exploit them through social engineering attacks.
  • Implement a strong password policy.
  • Enable MFA across logins.
  • Check for anomalies in the endpoints or suspected login attempts.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a new phishing-as-a-service platform named “Caffeine.”
  • The platform could be leveraged to launch phishing campaigns by opting for phishing services providing custom phishing kits.
  • The platform mostly contains phishing templates customized to attack Russian and Chinese entities.
[caption id="attachment_21680" align="alignnone" width="652"]Login Page of the platform Login Page of the platform[/caption]

Caffeine Platform Analysis

  • The platform is open to all and does not require any referral code to register.
  • Upon registering on the platform, the threat actor can buy a subscription license which ranges depending on the operator and features:
    • USD 250 for a month
    • USD 450 for 3 months
    • USD 850 for 6 months
  • The platform also offers anti-detection and anti-analysis systems and customer support services along with the subscription, making it expensive as compared to other Phishing-as-a-service platforms.
  • The platform also offered the following features apart from phishing services:
    • Mechanisms for customizing dynamic URL schemes to help dynamically generate sites with victim-specific data already filled in
    • Ultimate luring pages and first-stage redirect pages for campaigns.
    • Geo-blocking, CIDR range-based blocking, and other IP blocklisting options
  • At the time of writing this, the platform seems to be temporarily down due to maintenance issues.
[caption id="attachment_21681" align="alignnone" width="453"]Store under maintenance Store under maintenance[/caption]

Caffeine Service Analysis

  • CloudSEK researchers investigated the services available on the "Caffeine" platform and discovered that the threat actor was misusing an online service called - ongraphy[.]com which is a no-code SaaS platform to host websites or apps to launch teaching business websites.
  • Similar SaaS services are quickly abused and adopted by other threat actors to host malicious pages.
  • An old phishing page was hosted and disseminated via email ("eduardorodiguez9584.[ongraphy.]com")

Information from the Cybercrime forum

  • The platform “Caffeine” emerged in October 2021 when the threat actor named “MRxCODER” advertised about the store and office365 sender.
  • The threat actor also operates on telegram where regular updates and new tools from the platform are advertised.
  • The video demonstration for the python spamming tools from the Caffeine platform was advertised on crax tube.

Information from OSINT

  • The platform's Telegram channel promoted numerous bots and an Office 2FA cookies stealer. On the channel, the following were advertised:
    • Caffeine Sender
    • Caffeine Redirect
    • OfficeTools FUD Telegram Bot
    • Chase Bank KIT
    • FUD Links Service
    • Boa Kit
    • Dubai Islamic Bank Kit
    • Office 365 Cookies stealer
  • The threat actor or Caffeine Store administrator surveyed on Telegram to inquire about the next phishing kit.

How can services offered be abused?

  • Phishing kits for Chase Bank, Bank of America, and Dubai Islamic Bank are advertised on the service's Telegram channel, along with a service to make FUD phishing URLs that can be used to launch extensive phishing campaigns and attacks.
  • Office 2FA cookie stealer can be used to steal 2FA cookies, victim's PII, and gather logs.
  • Provides an email template for spamming customers and luring victims.
  • The Ongraphy domain served as a redirect to a phishing page housed at a third-party domain that mimics the appearance of the official website for an Italian ophthalmologist's medical practice.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since 2021
Reputation Medium
Current Status Active
Telegram [decent number of subscribers] @mrxc0der @mrxc0derii
Crax Tube
Underground Forum
History Threat actor advertised about the Caffeine store and free carrier lookup bot
Rating C4 (C: Fairly Reliable; 4: Doubtfully True)



[caption id="attachment_21682" align="alignnone" width="1254"]Advertisement on cybercrime forum Advertisement on cybercrime forum[/caption] [caption id="attachment_21683" align="alignnone" width="917"]Screenshot from the Telegram channel Screenshot from the Telegram channel[/caption]   [caption id="attachment_21684" align="alignnone" width="896"]Telegram Channel Telegram Channel[/caption]   [caption id="attachment_21685" align="alignnone" width="1716"]Dashboard of Caffeine Dashboard of Caffeine[/caption] [caption id="attachment_21686" align="alignnone" width="1688"]Dashboard of Caffeine Dashboard of Caffeine[/caption] [caption id="attachment_21687" align="alignnone" width="400"]Logo of Caffeine Store Logo of Caffeine Store[/caption]      

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations