Skip to main content
Back to Blog
Threat Intelligence50 min readJuly 3, 2026
Kali365PhishingPaaSTelegram

Kali365 PhaaS Kit: OAuth Device-Code Phishing Enables MFA-Satisfied Token Theft

End-to-end reverse engineering of the Kali365 (K365) Microsoft 365 Phishing-as-a-Service operator client, purchased web panel, and payment infrastructure — revealing OAuth device-code phishing (RFC 8628) that satisfies MFA legitimately to steal long-lived refresh tokens.

Dani Varys Z

Contributors: Ellis Stannard, Eric Taylor, Olivier Ferrand, Reyben Cortes

Classification: Microsoft 365 Phishing-as-a-Service (PhaaS) / Token Abuse Panel / Operator Client

Header image for the Kali365 PhaaS kit report

Figure: Header image for the Kali365 PhaaS kit report.

Executive Summary

Kali365 (aka K365) is a subscription Phishing-as-a-Service (PhaaS) platform, sold via Telegram since April 2026, that targets Microsoft 365 accounts. This report separates three evidence streams that should not be conflated: hands-on reverse engineering of the Kali365 operator-side client application (kali365.exe), purchased access to a legitimate Kali365 web UI obtained through the actor’s sales channel, and a separate fake / testing panel that was initially treated as victim telemetry but is now assessed as non-production.

The client is the operator tool, not the capture engine: it connects to a backend panel (v2.duemineral.uk), polls for captured victim tokens, and lets an operator open a victim’s Outlook or Admin Center in one click using stolen refresh tokens — its own UI states “Tokens will appear here once captured by your lures.” Recovered client, lure-shaped records, and legitimate web UI artifacts support OAuth device-code phishing (RFC 8628) as the core advertised / implemented workflow: victims are steered to the genuine login.microsoft.com/device page and approve an attacker-initiated device session, so MFA is satisfied legitimately rather than “bypassed.” The previously cited four-victim token-store dataset has been removed from impact claims because it came from the fake / testing panel and should not be treated as confirmed victimology.

Key Findings

  • Operator client reverse-engineered end to end. kali365.exe unpacks (NSIS → Squirrel/Electron → ASAR) into a TypeScript/React app whose source we reconstructed from retained source maps. It recovered as two builds six days apart, showing rapid iteration in post-capture token-abuse technique (hidden-window ESTS seeding → MSAL.js intercept + bearer injection + CSP strip + SSO-cookie export).
  • Capture model = OAuth device-code phishing. Client and panel artifacts consistently model device-code capture (user_code, verification_uri = login.microsoft.com/device, Microsoft Office client_id, token refresh), while the purchased web UI shows the operator-facing lure and delivery workflow.
  • Token theft, not password theft. Long-lived refresh tokens are stored panel-side and reused weeks later; MFA does not stop session/token theft.
  • Subscription + “leads” economy. Kit access ~$250 (BTC/USDT/LTC/XMR); parallel bulk-sale market in stolen-token “lines,” consistent with an initial-access-broker model. Telegram-centric ecosystem with frequent rebrand/infrastructure churn.
  • Victimology revised. The previously cited “four active victims” were derived from a fake / testing panel and are no longer treated as real compromises. This report therefore avoids confirmed victim-count claims unless supported by independently validated telemetry.
  • Defensive output provided. File hashes, network/host IOCs, and Entra ID / network / endpoint detection logic.

Scope & Methodology

This report draws on three distinct evidence streams:

  • Acquired client sample: we obtained the Kali365 operator client (kali365.exe) and fully unpacked it, reconstructing source from compiled debug maps.
  • Purchased web-panel access: access to a legitimate Kali365 web UI was obtained through the actor’s sales channel for controlled threat-intelligence collection, providing direct visibility into the current operator onboarding and lure-management workflow. The access was used to document operator workflow and infrastructure configuration only; we did not access, validate, use, download, redistribute, or act on victim data, credentials, OAuth tokens, mailboxes, or third-party accounts.
  • Fake / testing panel: we also analysed an exposed panel that initially appeared to provide lure, token-store, sender, and campaign telemetry. Later review showed this was fake / non-production, so its records are retained only as tooling / data-model context and excluded from victimology.

These evidence streams are related, but not identical: the reverse-engineered client, the purchased web UI, and the fake / testing panel are treated separately wherever provenance matters. We did not possess server-side capture code, so mechanism statements are labelled confirmed (from client and purchased-access artifacts) vs modelled / tooling context (from the fake panel) vs inferred throughout.

Assessment Confidence

Assessment areaConfidenceBasis
Kali365 operator-client functionalityHighDirect reverse engineering of the acquired kali365.exe sample, including unpacked Electron/ASAR contents and reconstructed TypeScript source maps.
OAuth device-code capture modelHighThe acquired client, purchased web UI, and device-code-shaped panel artifacts consistently support OAuth device-code phishing as the core workflow. Production server-side capture code was not recovered.
n8n workflow use in lure orchestrationMedium–HighMultiple screenshots/artifacts show n8n Cloud webhook infrastructure and redirects into Kali365-linked lure-supporting domains. We did not recover webhook payload bodies or server-side workflows.
Confirmed victim impactLow / not assessed from fake-panel dataThe previously cited four-victim token-store records came from a fake / testing panel and are no longer treated as confirmed compromises. Real victim telemetry requires independent validation outside that panel.
Web-panel workflowHighAccess obtained through the actor sales channel exposed the current web UI, onboarding, infrastructure setup, and lure-management workflow.
Wallet/payment routeHigh for confirmed purchase address; moderate for broader clusteringPayment to TZ37na7tafkhBfkft2ujRx8PHAB9eBmjuA resulted in confirmed Kali365 access. Broader revenue, buyer clustering, ETH/TRON bridge interpretation, and geography remain analytic assessments.
Operator attribution / geographyLow to moderateOperator-candidate IPs, Telegram handles, swap/offramp patterns, and language/community signals are useful leads but insufficient for firm attribution without provider or legal-process returns.

Part I — Overview & Operator Ecosystem

kali365.exe is the operator-facing client application for a Microsoft 365 Phishing-as-a-Service (PhaaS) platform. Operators who have purchased access to a token-harvesting campaign use it to browse stolen M365 accounts and open any victim’s Outlook or Admin Center with a single click. Token capture is out-of-scope for this binary — it assumes tokens already exist in the panel backend at https://v2.duemineral.uk. The tool’s own source states: “Tokens will appear here once captured by your lures.”

Telegram channel

The operator ecosystem also maintains a Telegram channel (t.me/Kali0365). The channel name was recently changed to “World Cup 2026”, likely reflecting opportunistic campaign theming toward World Cup-related phishing lures targeting victims seeking streams, tickets, or schedules.

Telegram: t.me/Kali0365

Telegram channel info for Kali365 (renamed World Cup 2026)

Figure: Telegram channel t.me/Kali0365 renamed to “World Cup 2026”, consistent with opportunistic campaign theming.

Campaign evolution: n8n automation (clicking + workflow orchestration)

ANY.RUN TI Lookup results showing use of app.n8n.cloud

Figure: ANY.RUN TI Lookup results showing use of app.n8n[.]cloud, confirming n8n Cloud infrastructure in the lure-orchestration chain.

We observed evidence that the campaign has evolved to incorporate n8n automation workflows as part of the operational chain, using what appears to be an HR / customer service-themed lure. In this instance, webhook endpoints were identified that appear to support click-handling and/or downstream automation:

  • https://wirelesscommunicaton.app.n8n[.]cloud/webhook/e3111a1d-7e3c-4677-a706-8fb9b77535c6
  • https://wirelesscommunicaton.app.n8n[.]cloud/webhook/2900de16-3266-4f64-95b2-831dfd17e9bc
  • https://wirelesscommunicaton.app.n8n[.]cloud/webhook/43f3e967-8a09-4bbe-9e62-dbae14225dd9

Additional HR-themed n8n infrastructure was also observed:

  • hrverify.app.n8n[.]cloud — observed 2026-06-24
  • hrservices.app.n8n[.]cloud — observed 2026-06-19
ANY.RUN infrastructure pivot for HR-themed n8n Cloud lure-orchestration activity

Figure: ANY.RUN infrastructure pivot screenshot for observed HR-themed n8n Cloud lure-orchestration activity.

Additional n8n Cloud and HR-themed lure infrastructure pivot material

Figure: Additional n8n Cloud and HR-themed lure infrastructure pivot material.

Additional observed HR-themed n8n Cloud infrastructure

Figure: Additional observed HR-themed n8n Cloud infrastructure supporting the lure-orchestration assessment.

The webhook redirected to the following lure URL:

  • https://wt9g8o5634.guardiansofassets[.]de/l/HFWGIacFYeE
Redirect artifact showing the n8n workflow forwarding traffic to a Kali365-linked lure URL

Figure: Redirect artifact showing the n8n workflow forwarding traffic to a Kali365-linked lure URL.

Further related webhook infrastructure was also observed:

  • https://wirelesscommunicaton.app.n8n.cloud/webhook/778336db-eae2-4483-b6ee-a6bc7cd70eb0M1 (also redirected to guardiansofassets[.]de)

Figure: n8n webhook and redirect artifacts showing click-handling infrastructure feeding Kali365-linked lure domains.

These artifacts indicate the actor may be using n8n to orchestrate click-handling, tracking, and redirection into Kali365-linked lure infrastructure. We did not recover webhook payload bodies or server-side workflows, so we do not assess n8n as the capture point—only as observed orchestration/redirect infrastructure.

Telegram ecosystem (accounts + bots)

We observed multiple Telegram accounts/bots used for distribution, “results,” and operator workflow. The primary channel t.me/Kali0365 remains assessed as likely active / relevant to the Kali365 operator ecosystem, and the separately observed “5000 lines” sales interaction is treated as legitimate operator-facing sales evidence. The other observed accounts/bots are assessed as likely fraudulent, scam-related, impersonation/takeover artifacts, or no longer active, and should be treated as ecosystem pivots rather than authoritative Kali365 operator contacts:

Do not treat the bots/accounts below as legitimate Kali365 sales channels or “results” endpoints unless independently validated against the confirmed purchase route and/or the legitimate web UI.

  • Channel: t.me/Kali0365 — likely active / relevant Kali365 ecosystem channel
  • https://t.me/KALI365resultbot — likely fraudulent/scam-related or no longer active
  • https://t.me/KALI365TOKENAMIGORESULTSBot — likely fraudulent/scam-related or no longer active
  • https://t.me/fundbot1470_bot — likely fraudulent/scam-related or no longer active
  • https://t.me/kali365sbot — likely fraudulent/scam-related or no longer active
  • https://t.me/Kali365z_bot — likely fraudulent/scam-related or no longer active
  • https://t.me/Andresultz_bot — likely fraudulent/scam-related or no longer active
  • https://t.me/kali365_liink — likely fraudulent/scam-related or no longer active
  • https://t.me/tentacle_network — “Octopus King” account linked to panel access / onboarding; retain as a pivot, but treat cautiously unless independently validated
Telegram ecosystem pivot material

Figure: Telegram ecosystem pivot material. Treat non-Kali0365 bots/accounts as likely scam, inactive, or impersonation artifacts unless independently validated.

Observed lure + panel URLs (transient)

  • Phishing lure: https://auth.loadingdocuments.uk/lp
  • Panel access (now offline): http://66.179.30.87/login
  • KaliV2 panel URL (operator-advertised): https://v2.duemineral.uk:8443/

Admin panel (operator view)

  • Panel access (now offline): http://66.179.30.87/login

KaliV2 feature advertising (operator claims)

Operators advertised a “KALI365 v2.0” release with:

  • Multilingual lures (14 languages, 4 layouts)
  • “Real Outlook Access” desktop app (Windows + macOS)
  • Learner mode (in-product guidance)
  • “Email Extractor 10x” (bulk harvesting + verification/classification)
  • Multiple lure-domain setup paths (Cloudflare-linked, custom DNS, and provider-agnostic)
  • Roadmap: Admin Exchange Centre + P2P marketplace (“boxes” trading)

These are operator claims observed in their own messaging; we have not validated each capability in this report.

“Leads” economy (stolen OAuth tokens at scale)

Operator messaging and adjacent reporting indicate an active “leads” economy: bulk sales of stolen Microsoft 365 OAuth token leads, advertised as “5k lines” for as little as $350. We also observed this directly when probing the Kali365 Telegram handle: the actor was offering “5000 lines” of Kali365 output at that price point.

Operator sales material advertising bulk lines

Figure: Operator sales material advertising bulk “lines”, supporting the stolen-token resale / initial-access-broker assessment.

Assuming “lines” correlates to unique victim token records, this pricing strongly implies high-volume capture and surplus stolen outputs (i.e., a successful, scalable harvesting operation rather than sporadic one-off compromises), and suggests the operator is functioning as an initial access broker in addition to selling the tooling itself.

Delivery also appears highly flexible: operator-facing materials and templates indicate multiple lure/payload packaging options (e.g., HTML “letters” with themed templates such as DocuSign/Outlook-style content), enabling the same stolen-token “output” to be operationalized through diverse initial-access delivery paths.

Operator-facing lure / payload packaging options

Figure: Operator-facing lure / payload packaging options, showing how stolen-token output can be paired with multiple delivery templates.

The sample contains a recursive self-embedding structure: the outer installer embeds a second, older version of itself inside the application’s resource directory, revealing two distinct development builds separated by six days with meaningfully different token abuse techniques — evidence of active, iterative development.

What follows:

  • What the operator sees (lure + client UI)
  • How the executable is packaged (NSIS/Squirrel/Electron)
  • How the token-abuse techniques evolved between builds
  • Infrastructure pivots and IOCs for hunting

Monitoring kali0365 also provided a fresh infrastructure update: the actor removed “octopuslink,” and the message contained a Workers redirect URL: eager-cedar-377[.]allcompredirectportalshare[.]workers[.]dev.

Fresh Telegram infrastructure update referencing a Cloudflare Workers redirect URL

Figure: Fresh Telegram infrastructure update referencing a Cloudflare Workers redirect URL.

The associated Telegram profile displayed the handle Hartman Michael, providing an additional operator-ecosystem pivot.

What SpyCloud adds (wallets + brand churn)

SpyCloud’s writeup provides two notable additions beyond what we can prove purely from reverse engineering the Electron client:

  • Monetization / wallet activity: SpyCloud reports that Kali365 advertised BTC + USDT (TRON) payment addresses, and that those addresses resolve into an interconnected wallet cluster with hundreds of inbound counterparties and consolidation into centralized exchanges (suggesting meaningful revenue and a subscription/renewal model). SpyCloud did not publish the addresses in the public post, so we cannot include them as IOCs here without separate sourcing.
  • Rebrand / infrastructure churn: SpyCloud also documents repeated “Octopus” branding shifts (octopi365/kali365.xyz → “Green Octopus”), consistent with the operator messages we observed in Telegram, and the kit’s tendency to rotate panels/domains while keeping the same operator ecosystem.

Part II — Monetization and Payment Infrastructure

This part separates confirmed payment evidence from broader wallet analysis and scam-bot artifacts. The confirmed USDT TRC-20 address below is the strongest payment IOC; the older bot payment interface later in this section is assessed separately as a scam / takeover artifact and should not be used for Kali365 revenue estimates.

Wallet Analysis

Confirmed Kali365 purchase address — USDT TRC-20

This USDT TRC-20 address was used in a live Kali365 purchase flow that resulted in confirmed access to the kit:

  • TZ37na7tafkhBfkft2ujRx8PHAB9eBmjuA
Confirmed Kali365 USDT TRC-20 purchase address

Figure: Confirmed Kali365 USDT TRC-20 purchase address. This supports the payment-route assessment, but does not by itself prove operator identity, total revenue, or buyer geography.

Overview of the confirmed TRON address breakdown

Figure: Overview of the confirmed TRON address breakdown for TZ37na7tafkhBfkft2ujRx8PHAB9eBmjuA, showing purchase-sized inbound activity and downstream flow context used to support the Kali365 payment-route assessment.

Unlike the recycled BTC placeholder address discussed below, this address is not a decoy, placeholder, or generic example wallet. Payment to this address was directly associated with successful Kali365 access, making it a confirmed payment IOC. It should be preserved and enriched for wallet clustering, transaction tracing, service-provider legal process, and broader infrastructure pivoting. We still avoid inferring total revenue, operator identity, or buyer attribution from this address alone.

Closed-source payment intelligence

Closed-source reporting linked this confirmed purchase address to an instant-swap flow currently under enquiry with the relevant swap provider. The available transaction context indicates that at least part of the payment path likely terminated in Monero (XMR), suggesting the operator may be converting visible USDT TRC-20 receipts into a privacy-preserving asset shortly after payment.

The associated request metadata included:

FieldValue
Request IP185.220.101.99
AssessmentTOR exit node / anonymizing proxy infrastructure
ASNAS60729 — Stiftung Erneuerbare Freiheit
OrganizationDigitalcourage e.V.
InfrastructureDatacenter
LocationBerlin, State of Berlin, Germany
Observed user agentMozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Locale / languageEN; en-US,en;q=0.5
Reported country / timezoneT1; Atlantic/Reykjavik (GMT+0000)

Raw enrichment supplied with the closed-source lead classified the client as proxy/anonymizer infrastructure, including OPEN_PROXY_USER behaviour, datacenter hosting, proxy/tunnel risk labels (LOGIN_BRUTEFORCE, CALLBACK_PROXY, TUNNEL), and a tunnel classification of TOR_PROXY.

On-chain purchase and swap analysis

Follow-on on-chain analysis of the confirmed Kali365 purchase address identified roughly 138 purchase-sized inbound events in the $300–$500 range, consistent with the observed access-pricing band. Because this address was used in a purchase flow that resulted in confirmed Kali365 access, these transactions are assessed as likely buyer payments or renewals, rather than placeholder, decoy, or test activity.

Key observations:

  • Purchase volume: approximately 138 buyer-sized inbound events in the $300–$500 range.
Inbound payments to the confirmed TRON purchase address cluster around $300-$500

Figure: Inbound payments to the confirmed TRON purchase address cluster around the $300–$500 range, matching the observed Kali365 access-pricing band and supporting the assessment that these were likely buyer payments or renewals.

Purchase-sized inbound activity clustered around the observed Kali365 access-pricing band

Figure: Purchase-sized inbound activity clustered around the observed Kali365 access-pricing band.

  • Timezone signal: timing is fuzzy, but activity skews toward UTC-positive timezones rather than UTC-negative timezones, suggesting fewer North American buyers or buyers operating late relative to local time.
Time-distribution view used as a weak buyer-timezone signal

Figure: Time-distribution view used as a weak buyer-timezone signal. Treat as directional only, not attribution.

  • Funding pattern: early purchases, particularly from early to late May, clustered below the later quoted price band. By late June, payments had shifted toward the $300–$350 range. The highest-volume period was the week beginning 11 May, with 54 observed purchases.
Weekly purchase-volume and pricing-band pattern

Figure: Weekly purchase-volume and pricing-band pattern, including the high-volume week beginning 11 May.

  • Funding sources: repeated use of cross-chain bridges and common swap sources. One plausible pattern is buyers funding from ETH-side wallets and swapping into USDT TRC-20 before payment, which preserves the same approximate payment amount even when the source chain differs.
  • Primary ETH-side source: 0x2b621e950f19373578da0523be19e93405927ba4 appears as a major upstream source for many payments that ultimately reached the TRON-side purchase address. This may indicate that Kali365 also accepted payment through Ethereum-compatible rails, with bridge/swap infrastructure normalizing receipts into USDT TRC-20. An alternative explanation is that this address belongs to a reseller, broker, or payment intermediary aggregating buyer payments before bridging them into the TRON address.
Aggregate graph view showing how ETH-side source relates to the broader TRON-side Kali365 payment flow

Figure: Aggregate graph/path view showing how ETH-side source 0x2b621e950f19373578da0523be19e93405927ba4 relates to the broader TRON-side Kali365 payment flow, including visible bridge and swap intermediaries used to normalize funds into the confirmed USDT TRC-20 purchase address.

Aggregate ETH/TRON relationship view

Figure: Aggregate ETH/TRON relationship view showing 0x2b621e950f19373578da0523be19e93405927ba4 within the broader upstream/source pattern for TRON-side Kali365 payment flows. Treat this as graph-level enrichment for bridge/swap routing, not standalone attribution.

  • Buyer geography signal: this ETH-side source appears more US-weighted than the broader TRON-side flow. This may reflect different buyer populations, different sales channels, a reseller/intermediary, or deliberate wallet segmentation by language or region. The signal is not sufficient for attribution, but it is a useful collection question.
  • Destinations: a meaningful share of flows appears to route to FixedFloat and then swap onward into XMR, reinforcing the privacy-asset settlement pattern noted above.
Wallet activity pattern showing the confirmed TRON purchase address receiving repeated purchase-sized inbound payments

Figure: Wallet activity pattern showing the confirmed TRON purchase address TZ37na7tafkhBfkft2ujRx8PHAB9eBmjuA receiving repeated purchase-sized inbound payments from the same funding address, consistent with recurring buyer, reseller, or intermediary payment activity rather than a single isolated transaction.

  • BitcoinVN usage: BitcoinVN appears in the swap/offramp picture. It is an instant-swap service and is notable because it appears to be popular with Russian-speaking users, although this is not sufficient by itself for geographic attribution.

Analytic implications:

  • The operator appears to be selling broadly to buyers and leaving downstream operational risk with the customer, rather than tightly controlling who receives access.
  • Offramp tradecraft appears generally competent, but there are enough observable errors and service touchpoints that they may provide useful leads for law enforcement follow-up.
  • The offramp pattern does not provide a clean geography signal. In some cases, dominant rails such as RUB-facing services can strongly indicate Russia/CIS exposure; that is not clearly the case here.
  • Use of FixedFloat, XMR settlement, cross-chain bridges, BitcoinVN, and the ETH-side source 0x2b621e950f19373578da0523be19e93405927ba4 should be treated as enrichment and pivot points, not standalone attribution.
  • The apparent US focus around the ETH-side source raises a useful collection question: whether Kali365 operators segment payment wallets by buyer nationality, region, language, or sales channel.

Analytic note: payment to TZ37na7tafkhBfkft2ujRx8PHAB9eBmjuA resulted in confirmed Kali365 access, making it a confirmed payment IOC. The TOR exit node, purchase-sized payment clustering, cross-chain swaps, FixedFloat routing, and likely XMR settlement strengthen the assessment that this was an operational purchase route rather than a placeholder. These indicators do not, by themselves, prove operator identity, total revenue, or buyer geography.

Swap-provider enrichment

Closed-source payment-intelligence enrichment associated the confirmed TRON purchase route with a request from 185.220.101.99. The IP resolves to a TOR exit-node / anonymizing-proxy environment rather than a reliable end-user location. The request metadata also indicated a Linux Firefox user agent and an Atlantic/Reykjavik (GMT+0000) timezone value, which should be treated as client-supplied context rather than attribution.

FieldObserved value
Request IP185.220.101.99
AssessmentTOR exit node / anonymizing proxy
ASNAS60729 — Stiftung Erneuerbare Freiheit
OrganizationDigitalcourage e.V.
Location reported by enrichmentBerlin, State of Berlin, Germany
User agentMozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Locale / languageEN; en-US,en;q=0.5
Reported timezoneAtlantic/Reykjavik (GMT+0000)
Risk labelsOPEN_PROXY_USER, LOGIN_BRUTEFORCE, CALLBACK_PROXY, TUNNEL
Tunnel classificationTOR_PROXY

The swap-provider context reportedly indicates that the downstream transaction path likely involved XMR, consistent with the broader assessment that visible USDT TRC-20 receipts were being routed through instant-swap infrastructure toward privacy-asset settlement. This lead is useful for provider follow-up and preservation, but it does not identify the operator or establish a reliable geographic attribution.

VirusTotal enrichment for 185.220.101.99 indicating TOR exit-node infrastructure

Figure: VirusTotal enrichment for 185.220.101.99, indicating TOR exit-node / anonymizing-proxy infrastructure associated with the closed-source swap-provider lead.

Scam bot takeover: advertised payment options and placeholder-wallet assessment

This payment interface is assessed as a scam path, not a reliable Kali365 operator payment route. The most likely explanation is that an older Kali0365-related bot was taken over or repurposed by an opportunistic scammer, who then used it to present generic cryptocurrency payment options for “adding funds” to an operator account:

Operational takeaway: treat any “balance”, “funds”, or “add funds” prompts from these bots as scam/impersonation activity; do not use them as evidence of Kali365 revenue or legitimate sales workflow.

Kali365-themed bot payment interface assessed as a scam / takeover artifact

Figure: Kali365-themed bot payment interface assessed as a scam / takeover artifact, not authoritative operator payment infrastructure.

The interface presented BTC as the primary payment option:

BTC option shown by the scam-bot flow

Figure: BTC option shown by the scam-bot flow. Do not attribute the displayed wallet balance or transaction history to Kali365.

https://www.blockchain.com/explorer/addresses/btc/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh

The other options were:

Blockchain / assetAddress
BTCbc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
USDT (TRON)TAEKv6p5wjDuoGe91dETGFENf1iS5sku9g
LitecoinLRjXxtQXcXwepEeTW23uzziKtR3ttMdmZ9
Monero (XMR)4JLWErW3wTPUSamk2RkHj7GiPag8xUosggmqGK53FB2XSdq1EVmsdtwdp2dqKeUo8FeqNjybTwfx2KL5L7pcpRbkjVkFTXDGtF29jLWCfc

The displayed BTC address shows a historical peak balance of approximately $400,000:

Historical BTC balance for the recycled address shown by the scam-bot flow

Figure: Historical BTC balance for the recycled address shown by the scam-bot flow. This is not assessed as Kali365 revenue.

At the time of writing, the same BTC address showed a balance of roughly $250,000 and no outgoing transactions in 2026:

Current BTC balance view for the same recycled address

Figure: Current BTC balance view for the same recycled address. Retained as scam-bot context only.

Address association assessment:

This bot flow should be treated as a scam / takeover artifact rather than authoritative Kali365 payment infrastructure. Although Kali365 access is priced at approximately $250 and legitimate payment routes exist elsewhere in this report, the addresses displayed by this bot are not assessed to be genuine operator collection wallets. The displayed BTC address in particular belongs to a recycled placeholder / historically abused scam address, so its on-chain balance and transaction history should not be attributed to Kali365. We draw no revenue, laundering, or operator-wallet inference from this bot flow.

The Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh is not a campaign-specific wallet but a long-running placeholder / scam-associated address that has circulated for years in technical examples and abuse reporting. Its appearance here is therefore best interpreted as evidence that the bot flow was not a legitimate Kali365 payment rail. Rather than linking the address to Kali365 revenue, the stronger assessment is that an old or abandoned Kali365-themed bot was likely taken over or repurposed by a separate scammer, who left or generated low-quality placeholder payment content. In short, this section is useful as a warning about ecosystem impersonation and scam-bot reuse, but the displayed BTC balance should not be treated as Kali365 funds or operator-controlled infrastructure.

Part III — Attack Technique: How Tokens Are Stolen

How it steals (OAuth device-code phishing)

Primary capture model: OAuth device-code phishing. The acquired client, purchased web UI, and panel-shaped artifacts consistently point to device-code abuse: user_code-style lure flows, verification_uri = login.microsoft.com/device, Microsoft Office client_id usage (d3590ed6…), and backend refresh-token handling. The victim is steered to Microsoft’s genuine device-login page and approves an attacker-initiated device session, so MFA is satisfied legitimately rather than “bypassed.”

OAuth device-code phishing, also known as device authorization grant phishing, abuses a legitimate OAuth 2.0 flow defined in RFC 8628. The flow was designed for devices with limited input capability, but attackers can weaponize it by initiating the device-code request themselves and socially engineering the victim into approving it. There is no attacker look-alike login domain in the evidence set. An AiTM/reverse-proxy reading was an earlier hypothesis from the client-side artifacts alone; it is not supported by the current evidence.

OAuth device-code phishing flow diagram showing attacker initiation, victim approval, and token return

Figure: OAuth device-code phishing flow diagram showing attacker initiation, victim approval, and token return.

We have not seen the production server-side capture code — that would live on the backend — so the report should avoid claiming direct capture-code recovery. The available evidence supports the device-code workflow through client behaviour, purchased web UI workflow, and device-code-shaped panel objects. There is no credential-relay evidence in this set; the assessed abuse depends on the victim approving a legitimate Microsoft device session.

The OAuth Device Authorization Flow – How It Normally Works

The Device Authorization Grant allows devices with limited input capabilities (e.g., smart TVs, gaming consoles, IoT devices, command-line tools) to authenticate without a full web browser or keyboard.

Step-by-step legitimate process:

  1. An application on the constrained device requests authorization from Microsoft Entra ID (Azure AD) using a pre-registered client ID.
  2. Microsoft returns:
    • A short user code (e.g., XYZ8-4AB2).
    • A verification URI (always https://microsoft.com/devicelogin).
    • A longer device code (kept secret by the app).
    • An expiration time (usually 15 minutes).
  3. The device displays instructions: “Go to microsoft.com/devicelogin on another device, enter code XYZ8-4AB2, and sign in.”
  4. The user visits the real Microsoft page on their phone or computer, enters the code, authenticates (including MFA if enabled), and explicitly approves the requested permissions (scopes like Mail.Read, Files.Read.All, etc.).
  5. Microsoft issues an access token and refresh token directly to the original app/device.
  6. The app now has delegated access to the user’s resources.

This flow is secure when used as intended because the user consciously approves access on a trusted Microsoft domain.

How Attackers Weaponize the Device Code Flow

Attackers abuse the exact same legitimate flow to steal long-lived OAuth tokens without ever needing the victim’s password. The attacker initiates a device-code authorization on their own infrastructure, then tricks the victim into completing and approving it on the real Microsoft device page.

The attack chain

sequenceDiagram
	participant A as Attacker backend
	participant M as Microsoft login
	participant V as Victim

	A->>M: POST device-code request using Office client ID
	M-->>A: Return user code, verification URI, and device code
	A->>V: Lure presents user code and sign-in instruction
	V->>M: Opens Microsoft device-login page and enters user code
	V->>M: Authenticates, completes MFA, and approves request
	A->>M: Backend polls token endpoint with device code
	M-->>A: Return access token and refresh token
	A->>A: Store refresh token and auto-refresh every 15 minutes

Evidence boundary: the client and purchased web UI support the device-code phishing assessment; the fake / testing panel provides only data-model context and is excluded from victimology. The Electron client and web panel consume captured tokens; they are not, by themselves, the capture point.

Defensive implication: this is not an attacker-hosted login-page problem. Detections need to focus on unexpected device-code approvals, suspicious refresh-token use, first-party Microsoft client IDs in abnormal contexts, and downstream token reuse.

Step 1 — Attacker initiates a device-code request

The operator’s backend requests a device-code authorization from Microsoft using the legitimate Microsoft Office client_id. Microsoft returns a user_code, a verification_uri (https://login.microsoft.com/device), and a device_code the backend keeps.

Step 2 — Victim receives the lure

The operator sends a phishing message instructing the victim to enter the supplied user_code at login.microsoft.com/device.

Step 3 — Victim authenticates and approves

The victim enters the code, signs in, completes MFA, and approves the requested permissions. Microsoft validates the session because the authentication is legitimate — the abuse is in who initiated the device session and who receives the resulting tokens.

Step 4 — Backend polls for and receives the tokens

While the victim approves, the attacker backend polls Microsoft’s token endpoint with the device_code. On approval, Microsoft issues an access_token and a long-lived refresh_token, bound to the Office client_id.

Step 5 — Tokens stored and auto-refreshed in the panel

The refresh token is stored in the panel database with the lure/user association, tenant_id, user_email, and mfa_roles, then auto-refreshed on a ~15-minute cycle to keep it alive. The Electron client retrieves exactly these fields from /dash/tokens; captured_at marks when the victim approved the device session.

Why MFA doesn’t stop this

MFA protects the sign-in step, but it does not automatically protect against token/session theft after a user approves the wrong device session. In this flow, the attacker does not need to defeat MFA; they obtain the refresh token issued after the victim completes it.

From the panel’s token data structure recovered from the client:

  • captured_at → when the victim approved the device-code session
  • mfa_roles ["Global Administrator"] etc — post-MFA Entra ID roles
  • refresh_token → long-lived credential, valid for weeks/months

A refresh token is not a password. It doesn’t necessarily expire when the victim changes their password. It can survive MFA policy changes. It can be used to generate new access tokens silently — which is exactly what serviceWindow.js does when an operator clicks Outlook.

What the operator sees

The moment the victim authenticates, the Kali365 Live panel updates within 30 seconds (next poll cycle), the window title flashes "(1 new) Kali365 Live", and a new row appears in the table showing the victim’s email, display name, capture time, and role. If that role includes Global Administrator, the amber Admin button appears immediately.

One click. Full inbox access. No credentials required.

Example lure / payload appearance

Example of what an auth.duemineral.uk lure can look like in the browser (phishing interstitial + Cloudflare challenge):

Example auth.duemineral.uk lure appearance with phishing interstitial and Cloudflare challenge

Figure: Example auth.duemineral.uk lure appearance with phishing interstitial and Cloudflare challenge.

Kali365 Live operator client (executable UI)

What the operator sees after running the executable: panel URL prefilled (https://v2.duemineral.uk) with username/password fields and a Connect button.

Kali365 Live operator client UI

Figure: Kali365 Live operator client login UI with prefilled panel URL and operator authentication fields.

After authentication, the operator can access the web panel (purchased UI):

Kali365 web panel access after authentication

Figure: Kali365 web panel access after authentication, showing operator dashboard access in the purchased UI.

Kali365 Panel Evidence Streams

The following sections discuss two different panels. They are not equivalent:

  • Legitimate purchased Kali365 web panel (panel.privatetoken.app): real / production operator-workflow evidence obtained through the actor’s sales channel.
  • Fake/testing “Kali365 Lab Panel”: non-production test/demo-style panel; retained only as context and excluded from victimology or confirmed-impact claims.

Purchased web UI access: operator onboarding and lure management

Access to the Kali365 web UI was obtained through the actor’s Telegram sales channel for controlled threat-intelligence collection. This was separate from the acquired kali365.exe client sample and separate from the exposed panel telemetry recovered through digital footprinting. The access was used to document operator workflow and infrastructure configuration only; we did not access, validate, use, download, redistribute, or act on victim data, credentials, OAuth tokens, mailboxes, or third-party accounts. After authentication at panel.privatetoken.app, the web UI exposed the operator onboarding flow and initial dashboard shown below:

Purchased Kali365 web UI showing initial operator onboarding after panel authentication

Figure: Purchased Kali365 web UI showing initial operator onboarding after panel authentication.

The infrastructure configuration workflow gives operators a choice of backup destinations, including Backblaze B2, Wasabi, or AWS S3.

The onboarding flow then prompts the operator to choose an infrastructure deployment path, including DigitalOcean or a custom VPS:

Kali365 web UI infrastructure deployment selection

Figure: Kali365 web UI infrastructure deployment selection, including DigitalOcean and custom VPS options.

The panel then bootstraps the selected deployment and exposes the main configuration workflow:

Kali365 panel bootstrap and configuration workflow after infrastructure selection

Figure: Kali365 panel bootstrap and configuration workflow after infrastructure selection.

From there, the operator can configure phishing lures directly from the panel:

Kali365 lure-configuration interface exposed through the purchased web panel

Figure: Kali365 lure-configuration interface exposed through the purchased web panel.

The main dashboard provides access to the operator-facing workflow and campaign controls:

Kali365 main dashboard showing operator-facing workflow and campaign controls

Figure: Kali365 main dashboard showing operator-facing workflow and campaign controls.

Payload delivery is presented as a multi-option workflow, with several delivery modes available from the panel:

Figure: Kali365 panel recording showing the multi-option payload delivery workflow available to operators.

B2B Sender delivery mode:

B2B Sender delivery mode shown in the Kali365 web panel

Figure: B2B Sender delivery mode shown in the Kali365 web panel.

Alert delivery mode:

Alert delivery mode shown in the Kali365 web panel

Figure: Alert delivery mode shown in the Kali365 web panel.

Infrastructure configuration:

Infrastructure configuration view in the Kali365 web panel

Figure: Infrastructure configuration view in the Kali365 web panel. The screenshot shows s3.us-west-004.backblazeb2.com, indicating Backblaze B2 infrastructure is used.

Contact with the “Octopus King” Telegram account provided additional access and onboarding context:

Telegram contact with Octopus King providing panel-access and onboarding context

Figure: Telegram contact with “Octopus King” providing panel-access and onboarding context.

The purchased web UI also includes language/UI elements that imply collection may extend beyond OAuth tokens (operator-claimed capability shown in-panel; not independently validated in this report):

Kali365 panel view suggesting collection may extend beyond OAuth tokens

Figure: Kali365 panel view suggesting collection may extend beyond OAuth tokens.

Fake / testing panel (“Kali365 Lab Panel”) — excluded from victimology

A separate exposed panel (“Kali365 Lab Panel”) was initially reviewed because it presented lure, token, campaign, activity-log, and “Sender” views. Later review showed clear non-production indicators, including open access and admin / admin default credentials. The overall presentation and contents are consistent with a test/fake capability or demo environment, not production victim telemetry. Notably, the original Kali365 sellers’ purchased web UI does not appear to offer this kind of demo panel, so we treat it as separate from the legitimate operator workflow.

Fake/testing Kali365 panel cover page showing non-production indicators

Figure: Fake/testing Kali365 panel cover page showing non-production indicators (open access/default creds/testing language).

The fake panel is still useful as tooling context because its objects mirror the Kali365 workflow: /admin/lures records contain device-code-shaped fields (user_code, verification_uri = https://login.microsoft.com/device, Microsoft Office client_id), /admin/tokens records model stored refresh-token state, and /admin/campaigns models bulk lure management. However, organization-like entries, active token states, verified:true lure flags, campaign counters, visit logs, and apparent sender/operator IPs from this instance should be treated as seeded, simulated, or test data unless independently corroborated. “Exploitation attempts” and “successful” indicators shown in this panel are not confirmed to represent real successful compromises.

The fake panel also contains what look like stealer-style logs / “success” artifacts. Even if these artifacts resemble real stealer output, their presence in this instance does not confirm real victims or a live stealer pipeline. We assess them as most likely seeded/demo content or reused panel components, and we retain the screenshots for tooling/ecosystem context only (not victim telemetry).

This fake panel even included an activity log:

Fake/testing panel activity-log view retained as tooling/data-model context only

Figure: Fake/testing panel activity-log view retained as tooling/data-model context only (not victim telemetry).

The fake panel also displayed “successful” attempts/counters. It remains unknown whether any of these reflect real successes; in this instance they are treated as test/demo indicators and should not be used as evidence of real compromises:

Fake/testing panel success indicators/counters

Figure: Fake/testing panel “success” indicators/counters—examples of seeded/simulated data and not evidence of real compromises.

Do not use the fake panel for victim notification or impact counts. It can support understanding of panel structure and data fields, but it does not prove real captures, real victims, or operator identity.

Part IV — kali365.exe Binary Analysis (Reverse Engineering)

Kali365 Live operator client login screen with prefilled v2.duemineral.uk panel URL

Figure: Kali365 Live operator client login screen, showing the prefilled v2.duemineral.uk panel URL and operator authentication fields.

This section covers the reverse-engineering teardown of the operator client itself — how the executable is packaged, what actually runs, how the two builds differ in token-abuse technique, how it talks to the C2 panel, and the host/OAuth artifacts it leaves behind. The sample was obtained after earlier tracking of the group’s affiliate / customer-access program, where a client-side operator panel appeared to be available to affiliates or buyers. Everything in this part is derived directly from unpacking that acquired client sample (NSIS → Squirrel/Electron → ASAR) and reconstructing TypeScript source from retained debug maps — the highest-confidence material in this report. Covered below: packaging & distribution chain, NSIS structure, Electron/ASAR application architecture, the two builds and their token-abuse evolution, C2 panel communication, the victim-token data model, operator UI, hardcoded OAuth client IDs, and OPSEC failures.

Distribution Chain & File Structure

The nesting maps directly to how Squirrel.Windows (Electron’s auto-update framework) packages an application for distribution and self-updating.

flowchart TB
	A["kali365.exe - outer NSIS bootstrap"] --> B["PLUGINSDIR app-64.7z"]
	B --> C["Kali365 Live.exe - Electron runtime"]
	B --> D["resources/app.asar - outer app, Build 2"]
	D --> E["dist and node_modules - UI and main process"]
	D --> F["resources/Kali365 Live 1.0.0.exe - embedded Squirrel setup"]
	F --> G["PLUGINSDIR app-64.7z - inner package"]
	G --> H["resources/app.asar - inner app, Build 1"]
kali365.exe  (outer NSIS, 157 MB)
└── $PLUGINSDIR/app-64.7z  (150 MB)
    ├── Kali365 Live.exe  (181 MB — Electron 33.4.11 runtime)
    ├── [locales, DLLs, pak files]
    └── resources/
        ├── elevate.exe  (105 KB)
        └── app.asar  (75 MB — outer application, Build 2)
            ├── dist/  (compiled TypeScript/React)
            ├── node_modules/
            └── resources/
                ├── icon.png  (746 KB)
                └── Kali365 Live 1.0.0.exe  (71 MB — inner NSIS, Squirrel package)
                    └── $PLUGINSDIR/app-64.7z  (71 MB)
                        ├── Kali365 Live.exe  (181 MB — same runtime)
                        └── resources/
                            ├── elevate.exe
                            └── app.asar  (2.6 MB — inner application, Build 1)

The outer kali365.exe is the NSIS bootstrap. The resources/Kali365 Live 1.0.0.exe embedded in the outer asar is the Squirrel setup package used for future auto-updates. The inner app.asar (2.6 MB) is the lean application without recursive embedding — what actually runs once installed. The outer app.asar (75 MB) is inflated because it contains the 71 MB Squirrel package inside it.

Installer structure

Full NSIS installer internals have been moved to the appendix. The key analytical point for the main body is that kali365.exe is an NSIS/Squirrel/Electron package with a recursive embedded installer, exposing two builds six days apart and showing rapid iteration in post-capture token-abuse technique.

Client structure and recovered source evidence

The client is an Electron application packaged inside app.asar. Retained source-map references enabled reconstruction of the main-process TypeScript, including the panel HTTP client, IPC bridge, and serviceWindow.js token-abuse engine. This recovered source provides the evidentiary basis for the build comparison and token-abuse workflow analysis below. The full application-architecture breakdown has been moved to the appendix.

Two Builds: Technique Evolution

flowchart LR
	B1["Build 1 — Apr 5<br>Hidden BrowserWindow<br>ESTS cookie seeding<br>Graph fallback"] --> B2["Build 2 — Apr 11<br>MSAL.js intercept<br>Bearer injection<br>SSO cookie export"]

	B1 --> I1["Functional but brittle"]
	B2 --> I2["Faster, more reliable,<br>more portable token abuse"]

Figure: Kali365 build evolution over six days, showing a shift from browser-session seeding to more reliable request-layer token abuse and portable SSO-cookie export.

Build 1 — April 5 (Inner asar, 2.6 MB)

Outlook technique — auth.owa POST + hidden BrowserWindow ESTS seeding:

  1. POST stolen access token to https://outlook.office365.com/owa/auth.owa with flags=4&trusted=0. If OWA accepts and redirects to /mail/, done.
  2. On failure: intercept the login redirect via will-navigate/will-redirect and call exchangeTokenInBrowser().
  3. exchangeTokenInBrowser() spawns a hidden 1×1 invisible BrowserWindow (show: false) in the same session partition and loads the token endpoint as a real page:
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
  grant_type=refresh_token
  scope=openid profile offline_access            [first call]
  scope=https://outlook.office365.com/.default   [second call]

Loading this as a real Chromium page — not via net.Request — causes Microsoft’s ESTS to set ESTSAUTH session cookies in the partition’s cookie jar. After 15 seconds the hidden window closes.

  1. The main window reloads the original login URL. Microsoft sees the ESTS cookies, silently authenticates, redirects to OWA.

Service scopes (Build 1):

ServiceScope
Outlookhttps://outlook.office365.com/.default offline_access
Admin Centerhttps://admin.microsoft.com/.default offline_access
OneDrive/SharePointhttps://{spHost}/.default or https://graph.microsoft.com/.default offline_access (fallback)
Unknownhttps://graph.microsoft.com/.default offline_access

The Microsoft Graph fallback is the most significant Build 1 capability: if the panel omits spHost, the tool requests a Graph token granting programmatic access to email, calendar, contacts, files, Teams, and user directory — substantially broader than browser-session access.

Login URL detection (Build 1): url.includes("login.microsoftonline.com") — substring search, vulnerable to false positives on error pages.

Session clear (Build 1): ses.clearStorageData({ storages: ["cookies"] }) — cookies only.

Build 2 — April 11 (Outer asar, 75 MB)

The hidden-window approach was abandoned entirely. Build 2 intercepts at the Electron request layer — before requests leave the machine — which is faster, more reliable, and removes the ESTS cookie timing dependency.

Outlook — four-stage chain:

Stage 1 — Token upgrade. Exchange stored RT for fresh OWA-scoped AT + id_token:

POST https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
  grant_type=refresh_token
  client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c
  scope=https://outlook.office365.com/.default offline_access openid profile
  refresh_token=<stolen RT>

Stage 2 — MSAL.js intercept. Before navigating to OWA, ses.webRequest.onBeforeRequest is registered on the session partition watching all traffic to login.microsoftonline.com, login.microsoft.com, and login.windows.net. OWA’s embedded MSAL.js fires a silent GET /oauth2/v2.0/authorize. The interceptor catches this before it leaves the machine and returns a redirect to the OAuth callback with stolen tokens in the fragment:

callback({ redirectURL:
  "https://outlook.office365.com/owa/…
   #access_token=<AT>&id_token=<idToken>
   &token_type=Bearer&expires_in=3600
   &state=<state>&session_state=<nonce>"
})

MSAL.js processes this as a legitimate Azure AD response. OWA loads.

Stage 3 — Bearer injection. ses.webRequest.onBeforeSendHeaders injects Authorization: Bearer <owaToken> on every request to outlook.office365.com/*, outlook.office.com/*, and substrate.office.com/*.

Stage 4 — CSP strip. ses.webRequest.onHeadersReceived removes content-security-policy and x-frame-options from OWA responses.

Fast-path: Before the intercept chain, a POST to auth.owa with flags=0&trusted=1 (upgraded from Build 1’s trusted=0) is attempted. After 4 seconds, if the URL contains /mail/ the chain is skipped.

SSO Cookie Export (Build 2 only):

generateCookieScript() converts any stored RT into a browser-pasteable console snippet:

  1. Fetch ESTS nonce:
POST https://login.microsoftonline.com/common/oauth2/token
  grant_type=srv_challenge
  1. Build unsigned JWT (alg:none):
{
  "refresh_token": "<stolen RT>",
  "is_primary": "false",
  "request_nonce": "<nonce>"
}

Cookie value: 1.<b64header>.<b64payload>.

  1. Script copied to clipboard via electron.clipboard.writeText():
document.cookie = "x-ms-RefreshTokenCredential=1.eyJ…; path=/; secure; samesite=none";
var w = window.open(
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?" +
  "client_id=4765445b-32c6-49b0-83e6-1d93765276ca" +
  "&response_type=code+id_token" +
  "&redirect_uri=https://www.office.com/landing" +
  "&prompt=none&[email protected]" +
  "&domain_hint=organizations…",
  "_blank", "width=1,height=1,left=-100,top=-100"
);
setTimeout(() => {
  try { if (w && !w.closed) w.close() } catch(e) {}
  window.location.href = "https://outlook.office.com/mail/";
}, 5000);

Pasting this in any browser console while on login.microsoftonline.com authenticates the victim’s account in that browser. The Electron app is no longer needed afterward.

Other changes in Build 2 vs Build 1:

  • Login URL detection upgraded from substring to hostname check (new URL(url).hostname)
  • Session clear upgraded from cookies-only to full storage wipe
  • Graph API scope dropped (MSAL intercept makes it unnecessary)
  • Extensive [K365-SVC] / [K365-API] debug logging added
  • did-navigate + did-fail-load handlers added for navigation tracking

C2 Panel Communication

Panel URL

Hardcoded default: https://v2.duemineral.uk — appears as both the pre-filled input value and placeholder text on the login screen. Stored in localStorage under k365_panel_url after first use. Configurable by the operator.

API Endpoints

MethodEndpointPurpose
POST/dash/authOperator login — sets session= cookie
GET/dash/meOperator profile
GET/dash/tokensAll captured victim tokens (polled every 30 s)
POST/dash/token/{id}/refreshForce-refresh a stored victim token
POST/dash/token/{id}/service-tokenExchange stored token for service AT+RT

Session cookie is held in memory only — never written to disk.

Polling

  • Token list: every 30 seconds
  • Timestamp ticker: every 10 seconds
  • New victim notification: window title changes to "(N new) Kali365 Live" for 5 seconds when active token count increases
  • Manual refresh: Ctrl+R via app menu

Victim Token Data Model

Token list record (/dash/tokens)

FieldDescription
idPanel-internal token record ID
user_emailVictim UPN (e.g. [email protected])
user_nameVictim display name
statusactive / revoked / expired — only active shown
captured_atISO timestamp of capture
last_refreshedISO timestamp of last refresh
mfa_rolesArray of Entra ID role assignments

mfa_roles is checked for "Global Administrator". If present, an amber Admin button appears — one-click access to admin.microsoft.com. High-value targets are immediately visually distinct.

Service token record (/dash/token/{id}/service-token)

FieldDescription
access_tokenFresh AT for requested service
refresh_tokenCurrent RT
client_idOAuth client ID used during capture
user_emailVictim UPN
urlService entry URL
tenant_idVictim’s Entra tenant ID
sp_hostSharePoint hostname (e.g. contoso.sharepoint.com)

Operator UI

Login screen: Panel URL input (pre-filled v2.duemineral.uk), username, password, Connect button. “Open Panel in Browser” link opens the panel URL in the default browser.

Dashboard table columns: Email + last-refreshed sub-label | Username | Status badge | Captured timestamp | Actions

Per-row action buttons:

ButtonStyleConditionAction
OutlookGreenAlwaysOpens OWA via token injection
AdminAmbermfa_roles includes Global AdministratorOpens admin.microsoft.com
Copy SessionBlueAlwaysGenerates SSO cookie script → clipboard
RefreshGreen/loadingAlwaysForce-refreshes stored token via panel

Token status badges: active (green #22c55e) / revoked (red #ef4444) / expired (grey #555555)

OneDrive and SharePoint are fully implemented in serviceWindow.js (both builds) but have no UI buttons. They are supported server-side but not exposed to the operator in the current release — possible unreleased feature or tier separation.

Hardcoded OAuth Client IDs

Client IDRegistered ApplicationUsage
d3590ed6-52b3-4102-aeff-aad2292ab01cMicrosoft OfficeRT exchange, all services, both builds
4765445b-32c6-49b0-83e6-1d93765276caOffice.comSSO cookie authorize call (Build 2 only)

Both are legitimate Microsoft first-party registrations. Token exchange requests appear in Azure AD sign-in logs attributed to Microsoft’s own applications.

Part V — Threat Landscape, IOCs & Detection

Scope of Infection:

Observed Microsoft 365 victims (recovered panel telemetry)

No confirmed real-victim count is asserted from the fake / testing panel. The previously cited exposed-panel token store is now excluded from victimology because it was non-production. Real victim telemetry is still useful if independently validated — for example from provider logs, victim reports, seized backend data, Microsoft tenant sign-in logs, or corroborated incident-response findings — but this report should not present the fake-panel records as actual compromises.

Real victim telemetry — collection requirement

Real victim telemetry is still valuable, but it should be treated as a collection requirement, not as a conclusion from the fake panel. Useful sources would include:

  • Microsoft Entra ID sign-in logs showing unexpected device-code approvals or suspicious refresh-token use.
  • Victim incident-response reports confirming mailbox / tenant access.
  • Provider, hosting, or seized-backend records that can be tied to production Kali365 infrastructure.
  • Independently corroborated campaign telemetry from legitimate lure infrastructure.

Until such data is available, this report should describe capability and operator workflow rather than confirmed victim counts.

Separate product line — MAX messenger (Russian-speaking targets)

Separate reporting also links Kali365 branding to Russian-speaking forum activity and MAX messenger phishing. This appears to be a distinct product line or campaign stream from the Microsoft 365 device-code activity analysed above:

Separate reporting on Kali365-branded MAX messenger phishing activity targeting Russian-speaking users

Figure: Separate reporting on Kali365-branded MAX messenger phishing activity targeting Russian-speaking users.

Arctic Wolf researchers have identified a new phishing campaign run through Kali365 (aka K365), a commercial phishing-as-a-service platform that surfaced in April 2026 and is sold by subscription via Telegram. It gives low-skill criminals ready-made infrastructure to hijack accounts on the Russian messenger MAX. The attack works by social-engineering the victim through a fake “you’ve won a prize” page: the target enters their phone number, MAX sends a legitimate one-time login code to their device, and the victim is tricked into typing that code (plus their 2FA password, if enabled) into the phishing site. The captured credentials are relayed to the attackers through a Telegram bot. With those details, the attackers log into the real MAX app and gain full access to the victim’s messages, files, and contacts.

MAX messenger phishing lure artifact associated with the separate Kali365-branded campaign stream

Figure: MAX messenger phishing lure artifact associated with the separate Kali365-branded campaign stream.

Additional MAX messenger phishing artifact showing account-compromise and propagation context

Figure: Additional MAX messenger phishing artifact showing account-compromise and propagation context.

The compromised account is then weaponized: the same prize-link lure is blasted out to all the victim’s contacts. The key effectiveness factor is trust — recipients see the message coming from someone they actually know whose account was already breached, which lowers their guard and drives them to click, continuing the cycle. This separate MAX-related activity is retained as a related Kali365-branded campaign stream and as a pivot for infrastructure and ecosystem tracking.

Indicators of Compromise

Priority IOCs for defenders

The table below highlights the highest-value indicators for triage and hunting. It is not a replacement for the full IOC tables that follow; it is intended to give defenders a fast starting point.

IndicatorTypeWhy it matters
v2.duemineral.ukPanel / backendHardcoded default Kali365 panel used by the operator client.
panel.privatetoken.appWeb panelSeparately accessed Kali365 web UI / onboarding panel.
18.117.247.159Fake / testing panel IPOpen non-production panel; retain as tooling context only, not victim telemetry.
TZ37na7tafkhBfkft2ujRx8PHAB9eBmjuAUSDT TRC-20 walletConfirmed Kali365 purchase address; payment to this address resulted in confirmed access.
0x2b621e950f19373578da0523be19e93405927ba4ETH-side wallet / upstream sourceMajor upstream source in purchase-flow analysis; possible alternate payment rail, reseller, broker, or bridge/swap intermediary.
wirelesscommunicaton.app.n8n[.]cloudn8n hostObserved lure-orchestration / webhook infrastructure.
wt9g8o5634.guardiansofassets[.]deLure-supporting FQDNObserved downstream lure domain reached from n8n workflow.
Kali365Sender/2.1.0User agentCompanion sender / delivery-component IOC.
d3590ed6-52b3-4102-aeff-aad2292ab01cMicrosoft OAuth client IDLegitimate Microsoft Office client ID; suspicious in the described device-code / refresh-token abuse context.
4765445b-32c6-49b0-83e6-1d93765276caMicrosoft OAuth client IDLegitimate Office.com client ID; suspicious in the described SSO-cookie activation flow.
179.43.146.227Operator-candidate IPRecurring self-visits to reusable lures; attribution lead only, pending enrichment.
151.240.101.0/24Operator-candidate rangeStrong self-visit cluster shortly after lure creation; attribution lead only, pending enrichment.

Handling note: the priority list mixes confirmed IOCs, hunting behaviours, and attribution leads. Microsoft OAuth client IDs and login.microsoft.com/device are legitimate Microsoft infrastructure and should be hunted in context, not blocklisted blindly. Operator-candidate IPs are leads, not confirmed identity. Scam-bot wallet artifacts are retained in the full wallet table but should not be used for Kali365 revenue attribution.

File Hashes

SHA-256FileBuild
648effef6d43fa0687d0a46ace404bf706640752142dbef3a5811c865f45ff62kali365.exe (outer NSIS)B2
5241347b76737d4d32d87a52153169ef8f4e11168f83979397d275e4ca0e4a34app.asar (outer, 75 MB)B2
edbf3c81fee33e611053b7c50b488b54a42b692b2d8ae942b652dbf47f2226faKali365 Live.exe (Electron runtime)Both
80872910195c154e8ed5f905b1eaf58fc33beeeb372c10e7104966358f4c9535app-64.7z (outer)B2
46ece525e6a28cfd7176a3d537e80427639578937d2b9a5dc3aa6056cad35cb4Kali365 Live 1.0.0.exe (inner NSIS)B1
57df2753c7fe8f7198f530712dfafae2a484d54ff1943a83275a99fbc4303808app.asar (inner, 2.6 MB)B1
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37elevate.exeBoth
d9a3296aa6cc359ac3b690af629167921a113984eedbada9c661913c2a88c1d6icon.png

MD5 (kali365.exe): fd91018c1b0cc23672c9ed06cd93470a

Pivoting / Infrastructure Discovery (urlscan.io)

The panel domain (duemineral.uk) has additional subdomains and related infrastructure visible via urlscan searches:

urlscan.io search results screenshot for duemineral.uk

Figure: urlscan.io pivot results for duemineral.uk, showing related subdomains and infrastructure.

Pivot IOCs (filtered)

The following URLs/domains were observed in urlscan results, with obvious non-IOC items removed:

Core / high-signal pivotsType
v2.duemineral.ukPanel / backend
api.duemineral.ukAPI subdomain
auth.duemineral.ukLure / redirector (example path: /l/lCroPrIMsiU)
duemineral.ukRoot domain
v2.octopi365.comRelated hostname
v2.kali365.xyzRelated hostname
t.me/Kali0365Telegram channel — likely active / relevant Kali365 ecosystem channel
https://t.me/KALI365resultbotTelegram bot — likely fraudulent/scam-related or no longer active
https://t.me/KALI365TOKENAMIGORESULTSBotTelegram bot — likely fraudulent/scam-related or no longer active
https://t.me/fundbot1470_botTelegram bot — likely fraudulent/scam-related or no longer active
https://t.me/kali365sbotTelegram bot — likely fraudulent/scam-related or no longer active
https://t.me/Kali365z_botTelegram bot — likely fraudulent/scam-related or no longer active
https://t.me/Andresultz_botTelegram bot — likely fraudulent/scam-related or no longer active
https://t.me/kali365_liinkTelegram account/link — likely fraudulent/scam-related or no longer active
https://t.me/tentacle_networkTelegram account — “Octopus King” / panel-access pivot; treat cautiously unless independently validated

FQDNs supporting lures

The following FQDNs were reported as infrastructure intended to support Kali365 lure delivery. Treat these as lure-supporting FQDN IOCs and pivot/enrich accordingly:

#FQDNType
14vot51j9qe.opentransparencytrade.deLure-supporting FQDN
2ewo7pdwau5.memorablemark.deLure-supporting FQDN
3ccmuwz8rs4.adaptabletechsolutions.deLure-supporting FQDN
4hsyl4nksdn.increaseengagementnow.deLure-supporting FQDN
5cj9xx0ficw.consistentdigitaltrust.deLure-supporting FQDN
66i8n1rvmy2.clearmessagemedia.deLure-supporting FQDN
7cu7zlb56fy.clearcommbrands.deLure-supporting FQDN
8o4d01vr9uv.futurereadytech.deLure-supporting FQDN
98gpb0t0dk5.scalablebusinesses.deLure-supporting FQDN
10xz7yx2rf4a.clearbusinessmetrics.deLure-supporting FQDN
11szpg1mm0uf.adaptabletechsolutions.deLure-supporting FQDN
128bbft5jzmb.stableprogress.deLure-supporting FQDN
13cgsgynd5v7.quality-assured.deLure-supporting FQDN
14yw41yw9hqo.userfriendlyinterfaces.deLure-supporting FQDN
15607wz1hnyl.operationalexcellenceframework.deLure-supporting FQDN
16yxmh7yx50d.easytecdigital.deLure-supporting FQDN
178w69xalsmw.steadfastweb.deLure-supporting FQDN
187rr869v5ef.businesssecuretech.deLure-supporting FQDN
19w14x5vwpfv.operationalexcellenceframework.deLure-supporting FQDN
20d31hhai17a.modernecosystemhub.deLure-supporting FQDN
21y175x2nx5s.provenperformance.deLure-supporting FQDN
22m9yp7adzsv.frameworksthatwork.deLure-supporting FQDN
23roty0ray48.scalableenterprise.deLure-supporting FQDN
24by1zhf5939.confidencefirst.deLure-supporting FQDN
25mjfmo1k96j.efficientframeworks.deLure-supporting FQDN
26pq4fkq4sg2.precisionandclarity.deLure-supporting FQDN
27ks39dmitgq.scalableenterprise.deLure-supporting FQDN
28ch7bc4rveg.execclarity.deLure-supporting FQDN
29b6zr6q4ew6.hjwopemansw.comLure-supporting FQDN
303cwy5ly93.essencedesigns.deLure-supporting FQDN
313nlxyr0jqr.growthdrivestrategy.deLure-supporting FQDN
32xdz0nbs1qe.adaptandexpand.deLure-supporting FQDN

Long-tail lure infrastructure (Cloudflare Workers/Pages + other sites):

eager-cedar-377[.]allcompredirectportalshare[.]workers[.]dev
vault-cloud-maou.p-afw8621d.workers.dev/l/z3YFwNRctTw
form-cloud-t655.p-oejdzrsz.workers.dev/lp/7NSnHwLNjJ8/
mail-link-zkfq.p-qjt4uz2n.workers.dev/l/V06q2hmIJ-Y
app-store-0jqn.p-z8jo6y1y.workers.dev/l/AekOFPv1ilo
base-mail-w7v5.p-onnw7z7w.workers.dev/l/HIsIZyFiqps
secure-form-cjz1.p-ipu8i7d1.workers.dev/l/DP5lvgT64Vw
note-access-nj2w.rob-c2d.workers.dev/l/bcEdwLEphuE
hub-app-8ee1.p-kegps6il.workers.dev/l/AtcCcZ3tV4s
file-share-9p2m.papastrious.workers.dev/l/1RODBvTAc3Y
store-open-rc2p.p-ko5g87h5.workers.dev/l/iIgFmVLBjlU
drive-mail-wmou.pwyv30sj.workers.dev/l/KAOnR4myuFY/
sync-vault-lpwq.p-zhge84gd.workers.dev/l/sIybf8w5PYI/
core-box-iz5s.reckagrace.workers.dev/l/patso9cz1r4
cloud-open-9trq.p-oqmylewv.workers.dev/l/9jf_45ayooi
page-sync-4pib.p-qtlv10l7.workers.dev/l/yeOLM21hQWw
flow-open-7ff0.p-ygj98iy2.workers.dev/l/bjmyolsr_sg
link-vault-2szn.p-bkdpo331.workers.dev/l/Zb7Fk2BIrHA
edge-file-p7l9.p-qh8ohgh5.workers.dev/l/CiE8EM0yKZE
file-base-ggoa.p-yxcqepyg.workers.dev/l/5Cvu94zNhHE
net-web-qo53.p-2f5hwpkd.workers.dev/l/FevTyhNqzpg
page-core-sv2l.p-anmh2mbc.workers.dev/l/xvB3qKdkYSg
data-form-f5at.p-lvqyivvk.workers.dev/l/bFOZ7agg5l8
ecobondcleaning.com.au/wp-includes-admindocument/docureview.html
view-sync-9r5b.p-y9fhvs2p.workers.dev/l/nBSXQnAvcx0
view-base-5vpr.3mdcy99f8511wpsebllpbkjizyg3run6.workers.dev/l/ru0nJ6NBBco
access-file-z1or.steve-c57.workers.dev/l/eJF8Ve1f1-Y
data-doc-sfym.p-50ds7vs5.workers.dev/l/UJrK5Zc-5dk
file-doc-uhug.p-ao3eomo9.workers.dev/l/MY0ha4IP6lw
drive-edge-lzl0.p-8pd549l5.workers.dev/l/Wa0AXYOdntM
access-base-yz6o.p-uhv4e1ee.workers.dev/l/laAK1jg6Qyo
cloud-link-j46j.p-zltii3tp.workers.dev/l/OX4r08F3TXA
share-portal-r6le.p-deum4gog.workers.dev/l/NitAfLazuUs
sync-store-ur85.p-lboid22u.workers.dev/l/JIbiLPICsHY
open-share-njlb.p-l4yg6fjb.workers.dev/l/Cl6sYcCRkmc
app-edge-8bqf.p-j65j3f1q.workers.dev/l/IXJUMoeq0ic
data-drive-bd71.p-4bpdi3hp.workers.dev/l/5qhZDv0UZmU
flow-store-gyoz.p-o9vztksz.workers.dev/l/ihMSvhlRZ5Q
link-app-jhzt.p-ux0nzmb5.workers.dev/l/9aEX7wE12bs
tryingdocusign.pages.dev
view-open-jiif.bryanray1104.workers.dev/l/7HnRz5CMeLY
net-open-55eu.p-r3k6zulh.workers.dev/l/gBGcrlwf8ls
file-drive-g180.p-lmilwl5o.workers.dev/l/EnkroyM94a4
sync-link-z79k.bartlett-pamela.workers.dev/l/DYPrxZQRORg
core-portal-g1cv.ran04don.workers.dev/l/hwsYxYkFsUE
view-portal-exuw.b875e3d068d947ba88099fe9.workers.dev/l/MJpqVX0wvR8
portal-cloud-cs2c.p-ewgaj1gg.workers.dev/l/eZgYsEfbCa8
sync-page-pwra.p-rrw76os2.workers.dev/l/UsHxPxzUahE
vault-access-pg0o.misty-pine-60bb.workers.dev/l/v7fTQbmS7MM
flow-sync-vjhf.p-czbkshn2.workers.dev/l/cwymbcH91pk
net-web-wnqd.p-8r4315uz.workers.dev/l/NslVm
doc-open-z062.p-4510rez0.workers.dev/l/fiQMGw28iOg
hub-flow-2qs3.p-qn7zcudl.workers.dev/l/gSKcsTisxDk
sync-portal-jumn.p-ajmeubmp.workers.dev/l/soOoLaXc9iU
form-hub-lfct.p-utpgo2kb.workers.dev/l/3zoIMa0mmDc
web-drive-6ev0.blaicardsipnegt.workers.dev/l/ter-DfgZTXw
web-secure-gbjk.p-mz12fq2s.workers.dev/l/nyvfopbmydc
cloud-access-03pv.bdeda974c99320a3040456b8.workers.dev/l/0OjJIYgYK60
note-web-9m59.p-4j0jjjw0.workers.dev/l/7OdC22x1uEM
page-flow-l3el.p-wl1eedzp.workers.dev/l/QpJOH9wcgUI
box-vault-ysqk.sureplugmarket.workers.dev/l/t-353BE4Duk
page-mail-vm24.p-8xzcvt1x.workers.dev/l/BmUsz-rr6K0
cloud-access-uc53.p-vy4za09n.workers.dev/l/yEKVP_qdMtY
vault-secure-mlqj.p-07sfg681.workers.dev/l/KrFFoVjVhUs
doc-note-82oj.p-ll66wpsr.workers.dev/l/1f5rYY6r1wg
file-sync-tczr.p-77iqt3w6.workers.dev/l/cQC9aInBHJI
cloud-view-hb2b.boom-book.workers.dev/l/KCo1oWa6nFQ
web-secure-c0k3.p-4mq7w20w.workers.dev/l/IWuaepZ1xUc
gayafores.co/l/lSI9MSbnb_4/

Based on the Kali365 Live Panel CN proceseq[.]net, the following domains were likely formal panels. Subdomains have been truncated/rolled up to reduce volume (examples shown per base domain):

Base domain / hostEntries in CSVExample subdomains (truncated)
hoosiermachlnery.com45accdn, ajax, aria, cyberark, device, duo, duoapi, duobase
proceseq.net26aadcdn, aria, clientcfg, device, duobase, gdacct, gui, img6
18.117.247.1591(IP)

Notes:

  • Many of the *.workers.dev / *.pages.dev items are likely disposable lure infrastructure; treat as pivot points rather than “core” C2.
  • Use urlscan “Collapsed by Hostname” view + certificate/ASN pivots to find additional hostnames tied to the same operator clusters.

Payment / wallet indicators

IndicatorTypeAssessment / handling note
TZ37na7tafkhBfkft2ujRx8PHAB9eBmjuAUSDT TRC-20 walletConfirmed Kali365 purchase address; payment to this address resulted in confirmed access.
0x2b621e950f19373578da0523be19e93405927ba4ETH-side wallet / upstream sourceMajor upstream source observed in purchase-flow analysis; possible alternate payment rail, reseller, broker, or bridge/swap intermediary.
185.220.101.99Request IP / TOR exit nodeClosed-source payment-intelligence lead associated with the confirmed purchase route; TOR / anonymizing proxy infrastructure.
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlhBTC walletScam-bot / placeholder artifact; do not attribute balance or revenue to Kali365.
TAEKv6p5wjDuoGe91dETGFENf1iS5sku9gUSDT TRON walletScam-bot / placeholder artifact; not assessed as authoritative Kali365 operator payment infrastructure.
LRjXxtQXcXwepEeTW23uzziKtR3ttMdmZ9Litecoin walletScam-bot / placeholder artifact; not assessed as authoritative Kali365 operator payment infrastructure.
4JLWErW3wTPUSamk2RkHj7GiPag8xUosggmqGK53FB2XSdq1EVmsdtwdp2dqKeUo8FeqNjybTwfx2KL5L7pcpRbkjVkFTXDGtF29jLWCfcMonero walletScam-bot / placeholder artifact; not assessed as authoritative Kali365 operator payment infrastructure.
FixedFloatSwap/offramp serviceObserved downstream service in purchase-flow analysis; enrichment / legal-process lead, not an IOC to block by name alone.
BitcoinVNSwap/offramp serviceObserved in the swap/offramp picture; enrichment / legal-process lead, not an IOC to block by name alone.

n8n and lure-orchestration indicators

IndicatorTypeAssessment
wirelesscommunicaton.app.n8n[.]cloudn8n cloud hostObserved lure-orchestration / webhook infrastructure.
https://wirelesscommunicaton.app.n8n[.]cloud/webhook/e3111a1d-7e3c-4677-a706-8fb9b77535c6n8n webhook URLObserved click-handling / downstream automation endpoint.
https://wirelesscommunicaton.app.n8n.cloud/webhook/778336db-eae2-4483-b6ee-a6bc7cd70eb0M1n8n webhook URLObserved related webhook endpoint redirecting to guardiansofassets[.]de.
wt9g8o5634.guardiansofassets[.]deLure-supporting FQDNObserved downstream lure domain reached from n8n workflow.
https://wt9g8o5634.guardiansofassets[.]de/l/HFWGIacFYeELure URLObserved lure URL reached from n8n workflow.

Panel, access and exposed-test-panel indicators

IndicatorTypeAssessment
panel.privatetoken.appWeb panelReal (production) — purchased access to Kali365 web UI / onboarding panel.
18.117.247.159Fake / testing panel IPFake / testing (non-production) — retain as tooling context only; not victim telemetry.
http://18.117.247.159/admin/luresFake-panel endpointFake / testing (non-production) — lure-record-shaped endpoint from the exposed fake panel.
http://66.179.30.87/loginPanel login URLUnclear / historical — observed panel access endpoint; now offline (treat as pivot, not confirmed production).
https://auth.loadingdocuments.uk/lpPhishing lure URLReal (campaign artifact) — observed lure URL.
proceseq.netPanel / certificate pivotReal (infrastructure pivot) — prior panel CN / certificate pivot (treat as related infra, not necessarily current).
hoosiermachlnery.comRelated panel infrastructureReal (infrastructure pivot) — related infrastructure via certificate/subdomain pattern; spelling preserved as observed.

Real vs fake handling: indicators explicitly labelled Fake / testing came from the exposed mock panel and should not be used for victimology or impact counts. Items labelled Real are supported by operator-client reverse engineering, purchased web-panel access, or campaign artifacts.

IP indicators and attribution leads

IndicatorTypeAssessment / handling note
179.43.146.227Operator-candidate IPRecurring self-visits to reusable “Universal” lures; attribution lead pending enrichment.
151.240.101.0/24Operator-candidate rangeStrongest operator-candidate source range; multiple addresses hit a target’s lures shortly after creation.
151.240.101.2Operator-candidate IPPart of the 151.240.101.0/24 self-visit cluster.
151.240.101.68Operator-candidate IPPart of the 151.240.101.0/24 self-visit cluster.
151.240.101.78Operator-candidate IPPart of the 151.240.101.0/24 self-visit cluster.
151.240.101.152Operator-candidate IPPart of the 151.240.101.0/24 self-visit cluster.
65.38.123.17Sender egress IPDelivery-component egress; not operator-attribution.
54.197.104.174Sender egress IPDelivery-component egress; not operator-attribution.
3.218.165.207Sender egress IPDelivery-component egress; not operator-attribution.
3.x, 18.x, 34.x, 44.x, 54.x, 98.xAWS / scanner rangesExclude from attribution where visit-log pattern matches email-security link scanning.

User-agent and OAuth indicators

IndicatorTypeAssessment / handling note
Kali365Sender/2.1.0User agentCompanion sender / delivery-component IOC.
Electron/33.4.11User agent / runtimeElectron runtime observed in Kali365 client and sender context.
Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0User agentObserved in closed-source payment-intelligence request metadata.
d3590ed6-52b3-4102-aeff-aad2292ab01cMicrosoft OAuth client IDLegitimate Microsoft Office client ID; suspicious only in the described device-code / refresh-token abuse flow.
4765445b-32c6-49b0-83e6-1d93765276caMicrosoft OAuth client IDLegitimate Office.com client ID; suspicious only in the described SSO-cookie activation flow.
login.microsoft.com/deviceOAuth device-code verification URILegitimate Microsoft endpoint; hunt for misuse in context with unexpected device-code approvals and the above client IDs.
grant_type=srv_challengeOAuth behaviourBuild 2 SSO-cookie nonce behaviour.
grant_type=refresh_tokenOAuth behaviourSuspicious when paired with the above client IDs, unusual hosts, or no corresponding legitimate Office client activity.

Network Indicators

IndicatorTypeBuild
v2.duemineral.ukDomain — C2 panel serverBoth
https://v2.duemineral.uk/dash/authURL — operator loginBoth
https://v2.duemineral.uk/dash/tokensURL — token poll (30 s)Both
https://v2.duemineral.uk/dash/token/*/refreshURL — token refreshBoth
https://v2.duemineral.uk/dash/token/*/service-tokenURL — service token exchangeBoth
grant_type=srv_challenge POST to login.microsoftonline.com/common/oauth2/tokenBehavior — SSO cookie nonceB2 only
client_id=d3590ed6… + grant_type=refresh_token + UA Electron/33.4.11Behavior — RT exchangeBoth
client_id=4765445b… + prompt=none + redirect_uri=https://www.office.com/landingBehavior — SSO cookie activationB2 only
Hidden BrowserWindow POST to login.microsoftonline.com/common/oauth2/v2.0/tokenBehavior — ESTS cookie seedingB1 only
scope=https://graph.microsoft.com/.default offline_accessBehavior — Graph API accessB1 fallback
fonts.googleapis.com + v2.duemineral.uk in same sessionCorrelation — operator fingerprintBoth

Microsoft service endpoints observed in token-abuse workflow (legitimate infrastructure; hunt in context)

These hosts/paths are legitimate Microsoft services observed in the Kali365 client’s token-abuse workflow (e.g., OWA access and MSAL intercept). They are included here for completeness and hunting context; they are not appropriate for blanket blocklisting:

IndicatorTypeNotes
outlook.office365.comMicrosoft service hostOWA target used by the client for mailbox session takeover.
outlook.office.comMicrosoft service hostAlternate OWA host referenced in the workflow.
substrate.office.comMicrosoft service hostReferenced in the client for bearer injection.
admin.microsoft.comMicrosoft service hostTarget for one-click Admin Center access when high-privilege roles are present.
login.microsoftonline.comMicrosoft identity hostToken endpoint + MSAL authorize traffic observed/intercepted by the client.
login.microsoft.comMicrosoft identity hostReferenced in the client’s intercept scope and device-code flow (/device).
login.windows.netMicrosoft identity hostReferenced in the client’s intercept scope (legacy identity hostname).

Host Artifacts

ArtifactValue
Process nameKali365 Live.exe
Window titlesKali365 Live / (N new) Kali365 Live / <email> - OWA
localStorage keyk365_panel_url
Session partition namespersist:svc-<tokenId>-outlook / persist:svc-<tokenId>-admin
Version infoKali365 Live Browser / Copyright © 2026 Kali365 Live
Electron version33.4.11
Runtime compile timestamp2025-04-15 14:03:27
Outer build timestamp2026-04-11 15:58:22
Inner build timestamp2026-04-05 03:47:02

Detection Guidance

Entra ID / Azure AD Sign-In Logs

  • Non-interactive RT refresh for client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c scoped to https://outlook.office365.com/.default with no preceding interactive session from the same IP or ASN.
  • prompt=none authorize from client_id=4765445b-32c6-49b0-83e6-1d93765276ca with redirect_uri=https://www.office.com/landing — exclusively the Build 2 SSO cookie activation.
  • grant_type=srv_challenge POST — no legitimate Microsoft first-party app uses this in normal operation.
  • grant_type=refresh_token + scope https://graph.microsoft.com/.default offline_access from client_id=d3590ed6… without a Desktop Office application present — Build 1 Graph fallback.
  • Successful RT grants from a new country or ASN following a phishing session.

Network / Proxy

  • DNS or HTTP to v2.duemineral.uk from any internal host.
  • Any host connecting to both fonts.googleapis.com and v2.duemineral.uk in the same session.
  • Outbound POST body containing grant_type=srv_challenge to login.microsoftonline.com.

Endpoint

  • Process Kali365 Live.exe or installers kali365.exe / Kali365 Live 1.0.0.exe.
  • Hash match on either app.asar — most stable indicator across installer repackaging.
  • Electron session directories named persist:svc-* in the app’s Chromium profile.

Appendix — NSIS installer structure

NSIS installers concatenate three components: a runtime stub, a compressed payload archive, and compiled script bytecode.

The stub is the x86 PE that executes when the file is run. The two builds have different stub sizes — 77,824 bytes (outer) vs. 38,400 bytes (inner) — indicating different NSIS build configurations. Both declare asInvoker (no UAC prompt). SubType = NSIS-3 Unicode BadCmd=11 means the script contains 11 plugin-call opcodes mapping to the three bundled DLLs.

Plugin DLLs extracted to $PLUGINSDIR before the install script runs:

DLLPurpose
nsis7z.dll7-Zip extraction — decompresses app-64.7z to install destination
System.dllWin32 API bridge for the NSIS script
StdUtils.dllString manipulation and process management

The payload archive stores app-64.7z uncompressed (Method = Copy — re-compressing a 7z yields nothing). The actual install directory and registry keys are in compiled NSIS bytecode and are not recoverable via 7-Zip. String extraction confirms the installer references:

  • Software\Microsoft\Windows\CurrentVersion — standard uninstaller entry
  • \Microsoft\Internet Explorer\Quick Launch — shortcut placement

No startup persistence (Run key, scheduled task, service) was found. This is a tool the operator runs manually.

Appendix — Application architecture

The ASAR format is Electron’s archive container: a Chromium Pickle header followed by a JSON file index, then concatenated file data. The outer asar’s index is 231,716 bytes — unusually large because node_modules contains 637 JS/JSON files.

Source layout:

flowchart TB
	subgraph ASAR["app.asar (Build 2)"]
		D["dist/"] --> M["main/"]
		M --> I["index.js<br>(bootstrap)"]
		M --> IPC["ipc.js<br>(IPC handlers)"]
		M --> API["panelApi.js<br>(panel HTTP client)"]
		M --> P["preload.js<br>(contextBridge)"]
		M --> SW["serviceWindow.js<br>(token injection engine)"]
		D --> R["renderer/"]
		R --> H["index.html<br>(React shell)"]
		R --> A["assets/<br>JS + CSS bundles"]
		NM["node_modules/<br>(electron-store + deps)"]
		PJ["package.json<br>(kali365-live 1.0.0)"]
	end
dist/
  main/
    index.js          (3.7 KB)  — app bootstrap, BrowserWindow creation
    ipc.js            (2.4 KB)  — IPC handler registration
    panelApi.js       (4.5 KB)  — C2 panel HTTP client
    preload.js        (0.9 KB)  — contextBridge exposure
    serviceWindow.js  (17.7 KB) — token injection engine (Build 2)
  renderer/
    index.html                  — React app shell
    assets/
      index-sVdHJZvc.js (205 KB) — minified React UI (Build 2)
      index-BgQT_DqV.css (1.9 KB)
node_modules/                   — electron-store and dependencies
package.json                    — name: "kali365-live", version: "1.0.0"

Process model: The renderer has no Node.js access (contextIsolation: true, nodeIntegration: false). All network calls go through the IPC bridge to Electron’s net.Request in the main process — bypassing Chromium’s sandbox and the renderer’s own CSP (connect-src 'self').

Source maps (.js.map references) are present for all dist/main/ files — the TypeScript was compiled with debug output, enabling full source reconstruction.

Appendix — Build Comparison Summary

CapabilityBuild 1 (April 5)Build 2 (April 11)
Outlook techniqueauth.owa POST + hidden BrowserWindow ESTS seedingMSAL.js intercept + RT upgrade + Bearer injection + CSP strip
auth.owa trust leveltrusted=0trusted=1
Login URL detectionSubstring (url.includes)Hostname check (new URL().hostname)
Session clearCookies onlyFull storage
SSO cookie exportNoYes (x-ms-RefreshTokenCredential)
Graph API accessYes (OneDrive/unknown fallback)No
Debug loggingMinimalExtensive ([K365-SVC], [K365-API])
MSAL.js interceptNoYes
CSP strippingNoYes
NSIS stub size38,400 bytes77,824 bytes
app.asar size2.6 MB75 MB (includes Squirrel package)
Renderer bundleindex-B7I9PjVu.jsindex-sVdHJZvc.js

Found this article helpful?

Share it with your network

Continue Reading

Explore more expert insights and threat intelligence from the Ransom-ISAC community