talos · Crawled Jul 5, 2026

Catan and Mouse

AI Summary

Cisco Talos has identified ARToken, a sophisticated phishing-as-a-service (PhaaS) platform, which provides a wide range of capabilities including device code phishing, Primary Refresh Token (PRT) persistence, email access, business email compromise (BEC), and SharePoint exfiltration. The platform shares infrastructure and operational patterns with the previously documented EvilTokens platform. ARToken features a React-based dashboard and exposes over 80 API endpoints, indicating it is a mature BEC operations environment rather than a simple phishing kit.

AI-extracted · verify before operational use

Indicators of Compromise 15 extracted
