New Phishing Threats: MFA Bypass, Fake CAPTCHA & AI Scams
Explore the latest phishing threats, including MFA bypass kits, fake CAPTCHA malware, and AI-driven scams, and how organizations can reduce social engineering risk.
A new campaign uses fake CAPTCHA verification pages to trick Windows users into executing PowerShell commands that install the StealC information‑stealer malware. These pages mimic legitimate site checks (e.g., Cloudflare), and the trust users place in those checks is what leads them to carry out the malicious action. This kind of social engineering bypasses technical defenses by exploiting user trust and routine behavior. [1] Organizations can simulate similar verification-themed lures using the PhishingBox Phishing Simulator to condition employees to question unexpected prompts before interacting.
Security researchers uncovered “Starkiller,” a new phishing framework that serves real login pages through a proxy, harvesting credentials in real time and evading multi‑factor authentication defenses. Its SaaS‑like interface makes it easy for attackers to launch convincing credential-theft campaigns. [2]
Attendees of the India AI Impact Summit were warned of phishing scams on WhatsApp soliciting financial and sensitive details. These attacks prey on post‑event communication trust, leveraging the assumption that follow‑up messages from event organizers or peers are legitimate. [3] Event-based templates available within the PhishingBox Template Library allow security teams to recreate timely, context-driven scenarios like these in a controlled setting.
Broader industry reporting indicates AI and deepfake tactics are fueling more advanced fraud, including voice and video impersonation in phishing and investment scams. These techniques blur the line between legitimate and fake content, and are likely to escalate in 2026. [4]
As AI-driven deception evolves, organizations need ongoing visibility into how employees respond to real-world phishing tactics — an approach supported by PhishingBox’s Human Risk Management platform.
[1] Windows Central – Windows PC targeted by hackers in a fake CAPTCHA scam
[2] ITPro – Starkiller: Cyber experts issue warning over new phishing kit that proxies real login pages
[4] Accio – Phishing Scams: AI-Enhanced Threats Targeting Digital Commerce in 2026