Phishing kit families and campaign DNA

Kit families make phishing repeatable. They also create fingerprints defenders can use to connect domains, campaigns and evidence.

Direct answer

How are phishing kits detected? By repeated page structure, assets, scripts, paths, redirects, panels, bot hooks and evidence artifacts.

Research framing

A phishing kit is both a tool and a research object. Its templates, scripts, paths, panels, logs, bot hooks and anti-analysis behavior can reveal campaign continuity.

Attack mechanism

M365/AiTM kits, banking kits, parcel/smishing kits, OTP bot workflows and crypto-drainer pages each leave different evidence. The goal is safe defensive fingerprinting, not exploit publication.

Evidence and source model

Evidence includes DOM and JS hashes, favicon hashes, screenshots, redirect chains, page titles, form fields, panel paths, webhook/bot reuse, leaked config metadata and safe weakness summaries.
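The DOM-hash evidence type listed above can be illustrated with a structural fingerprint that ignores visible text, so a localized or rebranded copy of the same template still hashes identically. This is an added example, not PhishNet's own code; the function names, token format and sample pages are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict
from html.parser import HTMLParser

VOID = {"input", "img", "br", "meta", "link", "hr"}  # elements with no end tag

class _Skeleton(HTMLParser):
    """Collects tag structure and form-field names; visible text is ignored."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            # Field names and types tend to survive rebranding of a template.
            self.tokens.append(f"input[{a.get('type') or 'text'}:{a.get('name') or ''}]")
        elif tag == "form":
            self.tokens.append(f"form[{(a.get('method') or 'get').lower()}]")
        else:
            self.tokens.append(tag)  # class, id and action values are dropped

    def handle_endtag(self, tag):
        if tag not in VOID:  # treat <input> and <input/> the same
            self.tokens.append("/" + tag)

def dom_fingerprint(html: str) -> str:
    """SHA-256 over the page skeleton (tag order plus form fields)."""
    parser = _Skeleton()
    parser.feed(html)
    parser.close()
    return hashlib.sha256(" ".join(parser.tokens).encode()).hexdigest()

def cluster_by_fingerprint(observations: dict) -> dict:
    """Group observed domains whose pages share one structural fingerprint."""
    clusters = defaultdict(list)
    for domain, html in observations.items():
        clusters[dom_fingerprint(html)].append(domain)
    return {fp: sorted(domains) for fp, domains in clusters.items()}

# Constructed sample pages: one template localized twice, plus an unrelated page.
_TEMPLATE = ('<html><head><title>{title}</title></head><body><div class="{cls}">'
             '<form method="POST" action="{action}"><input type="text" name="usr">'
             '<input type="password" name="pwd"><button>{btn}</button></form>'
             '</div></body></html>')
SAMPLES = {
    "login-a.example": _TEMPLATE.format(title="Aanmelden", cls="box",
                                        action="/next.php", btn="Volgende"),
    "login-b.example": _TEMPLATE.format(title="Connexion", cls="wrap",
                                        action="/step2.php", btn="Suivant"),
    "blog.example": "<html><body><h1>News</h1><p>Hello</p></body></html>",
}
```

A shared fingerprint is a clustering signal to corroborate with other evidence types such as favicon hashes or redirect chains, not a confirmation on its own.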

Belgian and European relevance

Belgian campaigns may use generic kits but localize brands, language, payment routes and support narratives. That means kit analysis must be joined with Belgian relevance scoring.

How PhishNet operationalizes this

PhishNet's Kit Intelligence view stores safe summaries, severity, confidence, evidence readiness and CERT-safe next actions while restricted artifacts remain controlled.

Analyst implications

The operational question is not whether an isolated row looks interesting. The question is whether the signal is fresh, provenance-rich, corroborated, evidence-ready and connected to brands, sectors, infrastructure, kits, mule routes or public-warning context. PhishNet therefore presents confirmed, corroborated suspicious, review-candidate and context-only states separately.

Limits and uncertainty

Kit weakness intelligence must avoid instructions that enable unauthorized access. Public content explains categories; authenticated CERT workflows preserve evidence under policy.

Research takeaway

Phishing intelligence becomes valuable when repeated structure appears: the same brand on new infrastructure, the same kit across domains, the same phone or IBAN route after takedowns, the same ad/search pathway, or the same evidence pattern in multiple independent source families.

How PhishNet uses this

Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.

Selected sources and research

These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.

Common questions

How are phishing kits detected?

By repeated page structure, assets, scripts, paths, redirects, panels, bot hooks and evidence artifacts.

Can kit intelligence identify attackers?

It can support inferred operational clusters, but legal attribution requires analyst-confirmed evidence.
