Dralvia Research

This week in phishing: who attackers impersonated, who they targeted, and what to check now

June 10, 2026

Reporting window: 2026-06-03 to 2026-06-10

Why this page exists

  • Each post has its own canonical slug, so the blog archive does not collapse into one repeated URL.
  • Metadata is rendered from the post itself, so search and sharing surfaces see the actual title and summary.
  • Brand references describe impersonation targets and copied trust cues, not confirmed compromises.

Impersonated brands

Mixed attacker brand pressure

Common lure

Password reset or account verification prompt, Wallet recovery or seed-phrase lure

Teams to brief

SOC, incident-response, endpoint, and email-security teams, IAM, helpdesk, and cloud identity administrators

Attack path

Staged payload or malware-delivery links, Redirect chains into the final lure

This Week In Phishing

Reporting window: 2026-06-03 to 2026-06-10

Impersonation activity remained active in this reporting window; Dralvia observed 672 suspicious pages across 28,229 unique suspicious URLs and 2,958 enriched observations.

Processing Snapshot

  • Feed records processed: 25,659,947
  • Unique suspicious URLs: 28,229
  • Enriched page observations: 2,958
  • Suspicious pages: 672
  • Notable observations: 124
  • Delivery URLs: 24,087
  • Source count: 2

What This Window Means

In plain English, this was a window in which attacker-controlled web content remained visible enough to analyze directly. That usually means the risk was not only raw feed noise, but also live lure pages, credential-harvesting flows, or impersonation infrastructure that a real user could encounter.

What We Processed

  • Dralvia ingested 25,659,947 raw feed records from urlhaus (25,257,347) and openphish (402,600). These are sightings and submissions from external feeds, so repeated sightings of the same target can appear more than once at this stage.
  • After normalization and deduplication, those raw records collapsed into 28,229 unique suspicious URLs for the reporting window. This is the cleaner count of distinct suspicious destinations, not the noisier feed-ingest total.
  • Dralvia completed 3,184 scans across 3,034 targets and extracted 2,958 enriched observations. 124 of those observations were strong enough to promote into analyst-facing notable findings.

Executive Takeaway

The most common impersonation theme in the enriched pages could not be classified (it is recorded as "Unknown" in the theme list below). The most common lure was the password reset or account verification prompt. Defenders should review suspicious sign-ins, password resets, and MFA or account-verification events tied to the impersonated workflows.

Top Impersonation / Targeting Themes

  • Unknown (2,741 observed pages)
  • Email, SSO, and account-login impersonation (173 observed pages)
  • Credential-harvesting login flows (38 observed pages)
  • Web3 wallet and token lures (6 observed pages)

What Stood Out

  • Impersonation pressure centered on email identity login, credential harvesting. That means these themes appeared more often than others in the enriched portion of the window, not that every suspicious URL was part of the same campaign.
  • Targeting pressure concentrated on identity, credential harvesting. In practice, this suggests attackers were reusing lure ideas and infrastructure around those sectors more often than around others.
  • 24,087 of the unique suspicious URLs looked like delivery infrastructure. In practice, that means the URL or its feed context pointed more strongly to payload delivery or staged malware distribution than to a normal browsing flow.
  • The most common payload types were .sh, .exe, .dll. These extensions matter because they map to shell scripts and Windows executables or libraries that are used as first-stage delivery mechanisms.
  • Feed labeling was dominated by malware download. That does not prove every sample is identical, but it does indicate that the external feeds themselves mostly saw this window as delivery-oriented or malware-oriented.
  • 16,831 delivery URLs were served directly from raw IP hosts rather than named domains. That pattern is common in throwaway hosting and short-lived delivery chains because it avoids the work of standing up a believable branded site.

Who Should Care

  • IAM, helpdesk, and Microsoft 365 / Google Workspace administrators
  • SOC, IAM, and incident-response teams
  • Web3 security, wallet-support, and community operations teams
  • IAM, helpdesk, and cloud identity administrators
  • SOC, endpoint, and email-security teams watching staged payload delivery

Common Lure Patterns

  • Password reset or account verification prompt (289 observed pages)
  • Wallet recovery or seed-phrase lure (7 observed pages)

Initial Access / Technique Notes

  • Credential-harvesting flows were present through login or password-entry pages.
  • Wallet-connect prompts appeared in suspicious pages, suggesting Web3 account-takeover or approval lures.
  • Seed-phrase or wallet-recovery harvesting signals were observed.
  • Suspicious delivery URLs pointed to staged payload, loader, or malware-delivery infrastructure.
  • Redirect chains were used to move users toward the final lure or delivery destination.

How To Read The Numbers

  • `Feed records processed` means the raw feed sightings Dralvia pulled in from urlhaus (25,257,347) and openphish (402,600). Multiple feeds, repeated submissions, or repeated sightings can all raise this number without creating a new destination.
  • `Unique suspicious URLs` means the deduplicated set after normalization. In this window, 25,659,947 feed records reduced to 28,229 distinct suspicious URLs that were worth tracking as separate destinations.
  • `Scans completed` means Dralvia actually ran 3,184 scans against targets or pages in this window instead of only storing feed hits.
  • `Enriched observations` means Dralvia extracted usable page or infrastructure evidence from 2,958 scans, such as redirect behavior, page traits, hosting data, hashes, or classification signals.
  • `Notable findings` means 124 observations were strong enough to promote into evidence worth showing to analysts, reports, or screenshots, instead of being left as background telemetry.

What To Watch For

  • Direct download links ending in .sh, .exe, .dll, especially when a user is pushed toward the file before any believable account, payment, update, or support workflow is established.
  • Raw IP or IP:port download hosts serving scripts, binaries, or archives without a normal branded website around them. These are often disposable delivery points rather than legitimate customer-facing services.
  • Lure pages or messages that lean on email identity login, credential harvesting themes while also pushing an urgent verification step, software update, wallet action, or downloaded archive. That blend of impersonation and delivery is often what gets people to click.
  • Multi-stage lures that mix impersonation language with payload delivery, update prompts, archive downloads, or fake troubleshooting steps. The combination is often more important than any single indicator.

What Defenders Should Do This Week

  • Review suspicious sign-ins, password resets, and MFA or account-verification events tied to the impersonated workflows.
  • Review browser, email, and proxy telemetry for unexpected .exe, archive, script, or direct-download activity.
  • Hunt for new messages, domains, and pages reusing the window's dominant themes; since the largest theme bucket was unclassified, lean on the named themes (email, SSO, and account-login impersonation; credential-harvesting login flows).
  • Check redirect chains and short-lived destinations that move users from a lure page into a final login or download step.

Next Steps For Teams

  • Review browser, email, chat, and proxy telemetry for unexpected .sh, .exe, .dll downloads delivered outside normal software-distribution channels.
  • Alert on direct-to-IP downloads and direct-to-IP redirects, especially when the destination serves an archive, script, or executable instead of a normal application page.
  • Treat 'urgent update', 'verification required', and 'document package' download lures as possible first-stage delivery chains, not just harmless file-sharing events.
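As an added example (not Dralvia's code) of the checks in the "What To Watch For" and "Next Steps" lists above, this Python sketch labels proxy-log URLs by the two traits the report highlights, a raw-IP host and a payload extension; the log format, the sample lines, and the extension list beyond .sh/.exe/.dll are assumptions.

```python
# Added illustration (not Dralvia's tooling); log format and sample lines are constructed.
import ipaddress
import posixpath
from urllib.parse import urlsplit

# The report's .sh/.exe/.dll plus other first-stage script/archive forms it mentions.
PAYLOAD_EXTS = {".sh", ".exe", ".dll", ".elf", ".ps1", ".bat", ".zip", ".rar", ".7z"}

# Constructed sample proxy log: "<timestamp> <user> <method> <url>".
SAMPLE_LOG = """\
2026-06-04T09:12:03Z alice GET https://mail.example.com/owa/auth/logon.aspx
2026-06-04T09:13:41Z bob GET http://203.0.113.9/bins/update.sh
2026-06-04T09:14:02Z bob GET http://203.0.113.9:8080/x86.elf
2026-06-04T10:02:55Z carol GET https://cdn.example.org/installer/setup.exe
2026-06-04T10:05:10Z dave GET http://198.51.100.77/verify/index.html
"""

def is_raw_ip_host(hostname):
    # urlsplit().hostname already drops the port and IPv6 brackets.
    try:
        ipaddress.ip_address(hostname or "")
        return True
    except ValueError:
        return False

def payload_extension(path):
    # Extension of the last path segment, ignoring query string and case.
    ext = posixpath.splitext(path)[1].lower()
    return ext if ext in PAYLOAD_EXTS else ""

def classify_url(url):
    # Combine the two traits the report calls out: raw-IP host and payload extension.
    parts = urlsplit(url)
    raw_ip = is_raw_ip_host(parts.hostname)
    ext = payload_extension(parts.path)
    if raw_ip and ext:
        return "direct-to-ip-payload"  # both traits: highest-priority alert
    if raw_ip:
        return "direct-to-ip"          # raw host, non-payload path (e.g. a lure page)
    if ext:
        return "payload-download"      # named host; review if outside normal channels
    return "ok"

def scan_proxy_log(text):
    # Return (timestamp, user, url, label) for every request that is not "ok".
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # tolerate malformed lines instead of aborting the sweep
        ts, user, _method, url = fields[:4]
        label = classify_url(url)
        if label != "ok":
            findings.append((ts, user, url, label))
    return findings
```

Feed the output into an alert queue ordered by label, with "direct-to-ip-payload" first, and compare "payload-download" hits against your approved software-distribution hosts.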

Analyst Notes

  • Abuse pressure on .lat.
  • Shared favicon reuse across suspicious pages.
  • ASN overlap across suspicious infrastructure.
  • Reused TLD pressure centered on .lat, .com, .dev.
  • Delivery-tag overlap included elf, mozi, mirai.
  • Identity provider overlap included sso, microsoft.