Platform capability

Kit intelligence and weakness discovery

Kit intelligence turns repeated attacker tooling into evidence, clustering and CERT-safe next actions.

Direct answer

Can this expose attackers? It can support lawful investigation through operator-style clusters and preserved evidence, but not public attribution by itself.

Research framing

Kit intelligence sits between malware analysis, OSINT and evidence preservation. It studies the repeated artifacts that make campaigns scalable while keeping public output defensive and safe.

Attack mechanism

Workers analyze HTML, JS, screenshots, redirects, headers, PDFs, APK metadata, kit ZIP references and public repo/paste references. They look for exposed panels, open directories, backup artifacts, leaked config metadata, webhook reuse, AiTM markers and panel path reuse.

Evidence and source model

Normal UI shows kit family, weakness category, severity, confidence, fingerprints, safe excerpts, evidence readiness and CERT-safe next action. Raw sensitive artifacts stay restricted.

Belgian and European relevance

Belgian cases often use generic kits with local brands, Dutch/French lures, Belgian phone/IBAN routes and public-service narratives. Kit context must therefore be fused with local relevance.

How PhishNet operationalizes this

PhishNet links kit weakness intelligence to Campaign DNA, Fusion Graph, Evidence and CERT Handoff Pack so analysts can move from pattern to preserved proof.

Analyst implications

The operational question is not whether an isolated row looks interesting. The question is whether the signal is fresh, provenance-rich, corroborated, evidence-ready and connected to brands, sectors, infrastructure, kits, mule routes or public-warning context. PhishNet therefore presents confirmed, corroborated suspicious, review-candidate and context-only states separately.

Limits and uncertainty

The platform does not provide exploit instructions. It supports lawful defensive analysis, evidence preservation and authorized handoff.

Research takeaway

Phishing intelligence becomes valuable when repeated structure appears: the same brand on new infrastructure, the same kit across domains, the same phone or IBAN route after takedowns, the same ad/search pathway, or the same evidence pattern in multiple independent source families.

How PhishNet uses this

Inside PhishNet this topic is treated as operational graph context: observations are linked to sources, evidence, Belgian relevance, confirmation state, liveness, campaigns and exports. Public pages explain the method; authenticated users can pivot into the full platform workflow when a signal needs investigation or handoff.

Selected sources and research

These pages combine PhishNet platform knowledge with public research, official Belgian sources and open OSINT documentation.

Common questions

Can this expose attackers?

It can support lawful investigation through operator-style clusters and preserved evidence, but not public attribution by itself.

Does PhishNet provide exploit instructions?

No. It provides defensive summaries and safe next actions.
