Researchers Uncover Advanced Phishing Operation Harvesting Camera, Audio, and Device Data

Researchers have uncovered a large-scale and ongoing social engineering campaign that is mainly hosted on infrastructure associated with edgeone[.]app. This operation uses deceptive web pages to trick users into granting access to sensitive device features.

Unlike typical phishing attacks that focus on stealing usernames and passwords, this campaign takes a different approach. It convinces users to allow browser permissions such as camera and microphone access by presenting fake verification or recovery scenarios (for example, “ID Scanner,” “Telegram Account Freeze,” or “Health Fund AI”).

Source: Cyble

Once a user allows access, malicious scripts begin collecting real-time data from the device. This includes images, videos, audio recordings, device details, and approximate location. The collected data is then sent to attacker-controlled systems, enabling the theft of personally identifiable information (PII) and other sensitive context.


Key Findings

  • Hosting Infrastructure: The campaign heavily relies on edgeone[.]app to deploy scalable phishing pages.
  • Permission Abuse: Attackers misuse legitimate browser APIs to access camera, microphone, and system data after user consent.
  • Data Exfiltration Channel: Stolen data is transmitted using the Telegram Bot API, avoiding the need for complex backend servers.
  • Multiple Lures: Various themes such as “ID verification,” “health services,” and “account recovery” are used to target different users.
  • Brand Impersonation: Fake pages mimic well-known platforms like TikTok, Telegram, Instagram, and Google services to build trust.

Campaign Overview

| Attribute             | Details                                                        |
| --------------------- | -------------------------------------------------------------- |
| First Observed        | Early 2026                                                     |
| Primary Goal          | Collection of multimedia and device-level data                 |
| Infrastructure        | edgeone[.]app (multiple subdomains)                            |
| Impersonated Services | TikTok, Telegram, Instagram, Google Chrome/Drive, Flappy Bird  |
| Core Technique        | Abuse of browser permissions for data capture                  |

This campaign operates as a browser-based phishing framework. Instead of asking users to input credentials, it relies on convincing them to grant hardware access permissions.


Attack Workflow

1. Initial Access

Users are redirected to phishing pages disguised as:

  • Account verification portals
  • Service recovery tools
  • Reward or promotional platforms

These pages prompt users to allow access to device features.


2. Permission Exploitation

Once permission is granted:

  • The browser activates the device camera and microphone
  • A live media stream is initiated
  • Scripts begin extracting frames, audio, and metadata

3. Data Collection

The campaign gathers a wide range of information, including:

  • Photos from front and rear cameras
  • Short video recordings
  • Microphone audio samples
  • Device specifications (OS, RAM, CPU, browser type)
  • Network and battery details
  • Contact information (if permitted)
  • Approximate geolocation

4. Data Exfiltration

All collected data is sent directly to attackers using the Telegram Bot API. This allows operators to receive files instantly without maintaining dedicated servers.


Technical Analysis

1. Browser-Based Image Capture

The phishing pages use JavaScript to access the camera via browser APIs. After permission is granted:

  • A video stream is initialized
  • A frame is captured and drawn onto an HTML5 canvas
  • The image is converted into a JPEG file
  • The file is transmitted to attacker infrastructure

2. Device Fingerprinting

Before collecting media, the script profiles the device using browser APIs such as:

  • navigator.userAgent
  • navigator.platform
  • navigator.deviceMemory
  • navigator.hardwareConcurrency
  • navigator.connection
  • navigator.getBattery()

This helps attackers understand the victim’s environment, including system type, performance, and network conditions.


3. Location Tracking

The script retrieves:

  • Public IP address via external services
  • Location details such as country, city, and coordinates

This adds contextual intelligence to the stolen data.


4. Audio and Video Recording

Using browser media APIs:

  • Audio is recorded through the microphone
  • Video clips are captured using MediaRecorder
  • Files are stored in formats such as WebM and JPEG
  • Data is uploaded through Telegram API endpoints

5. Contact Harvesting

In some cases, the script attempts to access user contacts using the Contact Picker API. If the user accepts the picker prompt, it extracts:

  • Names
  • Phone numbers
  • Email addresses

6. User Interface Deception

The phishing pages display messages like:

  • “Capturing photo”
  • “Uploading data”
  • “Verification successful”

These messages imitate legitimate verification processes and reduce user suspicion.


Indicators of AI-Assisted Development

Analysis of the scripts suggests possible use of generative AI tools during development. Observations include:

  • Structured and well-formatted code patterns
  • Emoji usage embedded within operational messages
  • Consistent and templated logic across multiple phishing pages

This reflects a growing trend where attackers use AI to speed up phishing kit development.


Business Impact and Risk Assessment

1. Identity Fraud

Captured images, videos, and audio can be used to bypass identity verification systems such as:

  • Video KYC
  • Facial recognition checks

2. Targeted Social Engineering

Collected data enables attackers to:

  • Build detailed victim profiles
  • Launch personalized phishing attacks
  • Impersonate victims in communication platforms

3. Extortion Risks

Because multimedia data is collected, attackers may:

  • Threaten to release sensitive recordings
  • Demand payment in exchange for silence

4. Organizational Impact

For businesses, the risks include:

  • Account takeover attempts
  • Fraud using stolen biometric data
  • Targeted attacks on employees and customers
  • Brand impersonation and reputational damage
  • Compliance and regulatory exposure

This campaign shows a clear shift in phishing tactics. Instead of focusing only on credentials, attackers are now targeting biometric and device-level data.

Such data is far more dangerous because:

  • It cannot be easily changed (e.g., face, voice)
  • It can be reused for deepfake and impersonation attacks
  • It enables advanced fraud techniques

This evolution increases the threat level across industries such as banking, fintech, telecom, and digital services.


Infrastructure Observations

  • Phishing pages are mainly hosted on edgeone[.]app
  • Multiple templates share the same underlying logic
  • No dedicated backend servers are required
  • Telegram is used for direct data delivery

This setup allows attackers to quickly deploy and rotate phishing pages.


MITRE ATT&CK Mapping

| Tactic         | Technique                | Description                          |
| -------------- | ------------------------ | ------------------------------------ |
| Initial Access | T1566 – Phishing         | Fake pages used to lure victims      |
| Execution      | T1059.007 – JavaScript   | Malicious scripts run in browser     |
| Collection     | T1125 – Video Capture    | Camera used for image/video capture  |
| Collection     | T1123 – Audio Capture    | Microphone used for recording        |
| Collection     | T1005 – Local Data       | Device information collected         |
| Collection     | T1213 – Repositories     | Contacts accessed from device        |
| Discovery      | T1082 – System Info      | Device profiling                     |
| Discovery      | T1614 – Location         | IP-based geolocation                 |
| Exfiltration   | T1567 – Web Services     | Data sent via Telegram API           |

Security Recommendations

To reduce exposure to such threats, the following steps are recommended:

  • Avoid granting camera or microphone access to untrusted websites
  • Monitor browser traffic communicating with Telegram APIs
  • Use browser security tools that detect phishing pages
  • Track suspicious domains hosting phishing content
  • Educate users about permission-based phishing techniques
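
The second recommendation above, monitoring browser traffic to Telegram APIs, is straightforward to operationalise because the Bot API has a fixed shape: every call goes to api.telegram.org with the bot token in the URL path, and media leaves through a small set of upload methods (sendPhoto, sendVideo, sendAudio, sendDocument). The following Python scanner is an added example written for this article; it is not code from the Cyble report or from the campaign it describes. The proxy log layout (timestamp, client IP, HTTP method, URL, referer), the lure hostname and the bot tokens in the sample lines are all constructed placeholders, and the scanner redacts tokens in its output so an alert never carries a reusable credential.

```python
"""
Detect browser-originated Telegram Bot API calls in web-proxy logs.

Added example for this article (not the report's or the campaign's code).
Assumed log layout (constructed, not a real vendor format):
    <timestamp> <client_ip> <http_method> <url> <referer-or-dash>
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Bot API path: /bot<numeric id>:<secret>/<method>. Only the shape is matched;
# no real token appears anywhere in this file.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/([A-Za-z]+)$")

# Methods that carry files (photos, clips, audio, documents) versus text.
UPLOAD_METHODS = {"sendPhoto", "sendVideo", "sendAudio", "sendVoice",
                  "sendDocument", "sendMediaGroup"}
TEXT_METHODS = {"sendMessage"}


def redact_token(bot_id, secret):
    """Keep enough of the token to correlate alerts, never enough to reuse it."""
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def parse_line(line):
    """Split one constructed log line into fields; None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, referer = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "referer": referer}


def classify(rec):
    """Return an alert for a Bot API call, or None for unrelated traffic."""
    u = urlsplit(rec["url"])
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(u.path)
    if not m:
        return None
    bot_id, secret, api_method = m.groups()
    if api_method in UPLOAD_METHODS:
        severity = "high"      # media leaving the device, the pattern in the report
    elif api_method in TEXT_METHODS:
        severity = "medium"    # device profile / location typically goes as text
    else:
        severity = "low"       # bot housekeeping (getUpdates etc.), still unusual from a browser
    # A web page (any non-"-" referer) talking straight to the Bot API is the
    # signal; a missing referer is kept too so a privacy-stripped request is not lost.
    ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
    return {"ts": rec["ts"], "client": rec["client"],
            "bot": redact_token(bot_id, secret), "api_method": api_method,
            "severity": severity, "referer_host": ref_host}


def scan(lines):
    """Run every line through parse + classify, skipping malformed input."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


def uploads_by_client(alerts):
    """Count high-severity (upload) calls per internal client for triage."""
    return Counter(a["client"] for a in alerts if a["severity"] == "high")


# Constructed sample log. Hostnames and tokens are placeholders, not real IoCs.
SAMPLE_LOG = [
    "2026-02-03T10:15:01Z 10.0.0.12 GET https://www.example.com/ -",
    "2026-02-03T10:15:07Z 10.0.0.12 POST https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendPhoto https://lure-placeholder.example/verify",
    "2026-02-03T10:15:09Z 10.0.0.12 POST https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage https://lure-placeholder.example/verify",
    "2026-02-03T10:16:00Z 10.0.0.33 GET https://web.telegram.org/ -",
    "2026-02-03T10:16:02Z 10.0.0.33 POST https://api.telegram.org/bot987654321:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/getUpdates -",
    "malformed line",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity']:6} {a['client']} {a['api_method']:12} bot={a['bot']} page={a['referer_host']}")
    print("upload calls per client:", dict(uploads_by_client(found)))
```

Normal Telegram desktop or web clients talk to api.telegram.org without a bot token in the path (web.telegram.org in the sample is ignored for that reason), so a `/bot<id>:<secret>/` path coming from a browser with an unrelated referer is a strong signal on its own. Feeding the `high` alerts into a per-client count, as `uploads_by_client` does, gives incident response the list of endpoints whose camera or microphone output may already have left the network.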

Conclusion

This campaign highlights how phishing techniques are evolving beyond simple credential theft. By abusing browser permissions, attackers can directly collect sensitive multimedia and device data from victims.

The use of lightweight infrastructure and services like Telegram makes these attacks easy to deploy and scale. Additionally, signs of AI-assisted development indicate that such campaigns may become more advanced and widespread.

Organizations should strengthen detection mechanisms around browser-based threats and focus on preventing misuse of device permissions. Early awareness and proactive defense are critical to minimizing risk.