ET PHISHING Operation HookedWing Landing Page Observed

SID: 2069384Rev: 10 views
Sourceet/open
CreatedMay 21, 2026
UpdatedMay 21, 2026
Classificationcredential-theft
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Operation HookedWing Landing Page Observed"; flow:established,to_client; http.response_body; content:"const|20|resLG|20 3d 20|await|20|fetch"; fast_pattern; content:"preloader|5f|container|5f|stef"; content:"window|2e|stef|2e|srv|5f|loc"; reference:url,socradar.io/blog/operation-hookedwing-4-year-phishing; classtype:credential-theft; sid:2069384; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_05_21, deployment Perimeter, deployment SSLDecrypt, malware_family HookedWing, confidence Medium, signature_severity Major, updated_at 2026_05_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing; target:dest_ip;)

References

urlsocradar.io/blog/operation-hookedwing-4-year-phishing

Metadata

affected productWeb_Browsers
attack targetClient_Endpoint
tls stateTLSDecrypt
created at2026_05_21
deploymentSSLDecrypt
malware familyHookedWing
confidenceMedium
signature severityMajor
updated at2026_05_21
mitre tactic idTA0001
mitre tactic nameInitial_Access
mitre technique idT1566
mitre technique namePhishing

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!