Kubernetes accelerates large-scale phishing operations
Security firm Flare has published research that links Kubernetes deployments to large-scale phishing-as-a-service operations, including infrastructure that can expand from dozens to hundreds or thousands of phishing endpoints within seconds.
The research examines how phishing operators use cloud-native tooling and commercialised services to run campaigns that target common consumer and workplace login services. It describes live operations aimed at Gmail, Facebook, and Microsoft O365.
Flare said its investigators started with Russian-language forum posts that advertised phishing outcomes rather than named tools. The research then traced those claims to active infrastructure observed online.
Phishing techniques
The research argues that modern phishing kits focus on authentication workflows rather than simple credential collection. It cites tactics such as Browser-in-the-Browser, Adversary-in-the-Middle, and reverse-proxy approaches.
Flare said those methods change the objective of many campaigns. The focus shifts towards session takeover and the capture of real-time authentication artefacts, rather than harvesting usernames and passwords for later use.
The report highlights real-time session cookie theft and MFA relay as features of these platforms. It also points to SMS-based one-time passcode interception and fake SSO and OAuth flows.
The research describes an underground market where operators advertise results. It says listings tend to promise "MFA bypass," "live validation," or "proxy login." It states that the underlying tooling often gets repackaged and resold.
Cloud-native infrastructure
A central finding concerns the use of containerised services and Kubernetes clusters for phishing operations. Flare said it observed deployments that resemble modern application hosting patterns.
The report states that Kubernetes can speed up provisioning and standardise environments. It also states that operators can reuse infrastructure across campaigns.
The research links this approach to resilience under takedown pressure. It says Kubernetes-based deployment allows operators to scale from dozens to hundreds or thousands of phishing endpoints within seconds. It also says operators can rotate IP addresses automatically and continue operating after disruptions.
Flare also points to a change in concealment tactics. The report argues that attackers increasingly prioritise hiding the phishing backend itself. It cites blank pages, delayed rendering, anti-debugging logic, and infrastructure-level evasion.
Market monitoring
The report frames cybercrime intelligence as an early warning signal for defenders. It says monitoring underground markets can indicate what may appear in live campaigns before victims report incidents or email security tools flag activity.
Flare positions the investigation as an example of how analysts can move from forum advertising to deployed infrastructure. The company said the approach supports identification of phishing environments across multiple platforms.
"Cybercrime intelligence is predictive, not retrospective: Monitoring underground markets offers early visibility into what will be deployed next, often before campaigns are detected by email security tools or reported by victims," said Flare.
The research forms part of a wider programme by Flare on phishing-kit economics in underground markets. Flare said it plans to publish that broader report in early 2026.