The FlowerStorm phishing operation has weaponized KrakVM to create a fundamental blind spot in email security architectures. When victims open HTML attachments disguised as voicemail notices, invoices, or vendor communications, embedded JavaScript launches KrakVM—a browser-based virtual machine that transforms readable malicious code into encrypted bytecode before execution. (Source: Csoonline)
Traditional email gateways scan attachments for known malicious patterns, JavaScript functions, and suspicious URLs. KrakVM defeats these detection methods by compiling its credential-stealing payload into unreadable bytes that execute through a virtualized interpreter running entirely within the victim's browser. The malicious code never exists in a form that signature-based scanners can recognize.
This virtualization approach exploits a fundamental assumption in email security: that JavaScript threats can be identified through static analysis. Security tools typically examine code structure, API calls, and behavioral patterns to flag malicious scripts. KrakVM's bytecode compilation breaks this analysis chain—the actual phishing logic remains hidden behind layers of virtual machine interpretation that only resolve at runtime.
The timing of FlowerStorm's adoption is particularly concerning. KrakVM appeared on GitHub as an open-source project, and within a month this phishing-as-a-service operation had integrated it into production attacks. Both KrakVM and FlowerStorm operate close to their default configurations, indicating that threat actors don't need advanced technical skills to deploy VM-based obfuscation. This accessibility means organizations could face a wave of similar attacks as other phishing operations recognize the technique's effectiveness.
Email sandboxes face unique challenges detecting these attacks. When security systems execute the HTML attachment in an isolated environment, they encounter JavaScript that appears to perform legitimate virtual machine operations. The actual credential theft only occurs after multiple layers of deobfuscation and runtime interpretation—processes that may exceed sandbox analysis timeframes or appear benign to behavioral monitoring.
The attack's sophistication extends beyond initial evasion. After bypassing email defenses, the phishing kit dynamically adapts to each victim's environment. It determines which authentication provider to impersonate, preloads victim email addresses into fake login pages, and customizes branding elements including company logos and backgrounds. This personalization happens through the same VM-obfuscated code that defeated perimeter defenses.
FlowerStorm's framework also enumerates the MFA methods registered on victim accounts—Microsoft Authenticator push notifications, TOTP codes, SMS authentication, and voice verification flows. When victims enter credentials, the kit forwards them to command-and-control servers that attempt real logins against Microsoft 365, Hotmail, GoDaddy, and other targeted services. If MFA prompts appear, the kit presents matching prompts to victims, captures their responses, and completes the attacker's authenticated session in real time.
This adversary-in-the-middle capability means that even organizations with comprehensive MFA deployment remain vulnerable. The VM obfuscation ensures the attack reaches users' browsers, while the AiTM interception defeats authentication protections that would normally prevent credential theft from succeeding. Email security investments that organizations rely on—gateway scanners, attachment analysis, sandboxing—fail to detect or prevent these attacks because they cannot interpret the virtualized payload before it executes in the victim's browser.
FlowerStorm KrakVM Attack Chain
Five Targeted Industries and Why FlowerStorm Chose Them
The FlowerStorm operation's selection of communications, local government, logistics, real estate, and retail sectors reveals a calculated strategy targeting organizations with high-value data flows, limited security budgets, and critical operational dependencies. Each sector offers distinct exploitation opportunities that maximize financial return while minimizing detection risk.
Communications companies represent the ultimate prize for credential harvesters. These organizations manage authentication infrastructure for millions of users, making a single compromised administrator account exponentially valuable. When FlowerStorm captures communications provider credentials through their KrakVM-obfuscated phishing pages, they gain potential access to customer databases containing phone numbers, billing addresses, and service authentication tokens. A compromised telecom employee account enables attackers to conduct SIM swapping at scale, bypassing SMS-based MFA for banking and cryptocurrency platforms. The April campaign's ability to enumerate and intercept SMS authentication flows suggests FlowerStorm specifically engineered their toolkit to exploit this sector's unique attack surface.
Local government agencies operate with constrained IT budgets and aging infrastructure, creating perfect conditions for phishing success. Municipal employees often lack comprehensive security awareness training, while government email addresses remain publicly accessible through official directories. FlowerStorm's infrastructure includes domains designed to resemble court systems, indicating deliberate targeting of judicial and administrative functions. Compromised government accounts provide access to citizen records, tax information, and payment card data from utility billing systems. More critically, these credentials enable business email compromise schemes where attackers redirect property tax payments, vendor invoices, and grant disbursements—transactions that routinely exceed six figures and face minimal verification due to established trust relationships.
Logistics companies process thousands of shipment notifications daily, making phishing emails disguised as invoices or vendor communications blend seamlessly into normal operations. FlowerStorm's adversary-in-the-middle capabilities become particularly devastating here—intercepting authenticated sessions to shipping platforms grants real-time visibility into cargo manifests, delivery schedules, and customer databases. Attackers monetize this access through cargo theft coordination, where they redirect high-value shipments to alternate addresses before companies detect the breach. The campaign's geographic infrastructure spanning Singapore, Bangkok, Frankfurt, Tokyo, Seoul, Jakarta, and Ashburn aligns precisely with major logistics hubs, suggesting targeted reconnaissance of international shipping corridors.
Real estate firms handle wire transfers worth hundreds of thousands to millions of dollars per transaction, with closing deadlines creating pressure that overrides security caution. FlowerStorm's ability to dynamically customize phishing pages with company logos and backgrounds proves especially effective against real estate agents accustomed to receiving documents from unfamiliar parties. Once attackers compromise a realtor's Microsoft 365 account through the KrakVM-delivered payload, they monitor email threads for pending transactions, then inject fraudulent wiring instructions at the critical moment before closing. The domains researchers identified, German-language names assembled from English words, suggest FlowerStorm may be testing international real estate markets where language barriers further complicate fraud detection.
Retail organizations maintain extensive customer databases and payment processing credentials that translate directly to financial fraud. FlowerStorm's enumeration of Microsoft Authenticator, TOTP codes, and voice verification methods indicates sophisticated preparation for bypassing retail point-of-sale authentication systems. Compromised retail accounts enable gift card fraud, loyalty point theft, and access to stored payment methods across customer accounts.
Detecting FlowerStorm: Behavioral Signals Beyond Signature Detection
Security teams hunting FlowerStorm infections face a fundamental challenge: the attack's virtual machine obfuscation renders signature-based detection ineffective. Yet the campaign's operational requirements create distinctive behavioral patterns that defenders can leverage for detection even after initial compromise.
The moment a victim opens FlowerStorm's HTML attachment, their browser spawns unusual process chains that deviate from normal web browsing behavior. Monitor process creation events for browsers launching with command-line arguments pointing to local HTML files, particularly when those processes immediately generate high CPU usage—a telltale sign of KrakVM's bytecode interpreter churning through obfuscated JavaScript. PowerShell logging reveals another detection opportunity: watch for browsers spawning child processes that query system information, enumerate network shares, or attempt to access credential stores.
Network traffic analysis provides the most reliable detection signals for active FlowerStorm infections. The phishing kit's real-time adversary-in-the-middle capabilities require constant communication with command-and-control infrastructure to relay authentication attempts. Configure your security information and event management (SIEM) platform to alert on browsers establishing persistent HTTPS connections to newly registered domains, especially those hosted on cloud object storage services in Singapore, Bangkok, Frankfurt, Tokyo, Seoul, Jakarta, or Ashburn regions. These connections exhibit distinctive timing patterns: initial beacon within seconds of HTML file opening, followed by burst transmissions coinciding with user credential entry.
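The process-open to beacon correlation described in the two paragraphs above, as an added example (not code from the source article or any SIEM vendor): it joins browser HTML-open events to outbound HTTPS from the same browser process, flags a first contact with a newly registered domain inside a short window, and counts the follow-up burst to that domain. The event format, the 15-second beacon window, the 30-day domain-age cutoff, the 120-second burst window and the sample telemetry are all assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real FlowerStorm data): 'open' events are
# browser launches with a local HTML path, 'net' events are outbound HTTPS
# connections from that browser process, with the destination's registration
# age in days (assumed to come from a domain-age enrichment feed).
EVENTS = [
    {"ts": "2025-04-02T09:15:00", "type": "open", "host": "ws17", "pid": 4120,
     "path": "C:\\Users\\amy\\Downloads\\voicemail_0412.html"},
    {"ts": "2025-04-02T09:15:04", "type": "net", "host": "ws17", "pid": 4120,
     "dst": "login-verify-m365.example", "reg_days": 3, "bytes": 1800},
    {"ts": "2025-04-02T09:15:41", "type": "net", "host": "ws17", "pid": 4120,
     "dst": "login-verify-m365.example", "reg_days": 3, "bytes": 9600},
    {"ts": "2025-04-02T09:15:43", "type": "net", "host": "ws17", "pid": 4120,
     "dst": "login-verify-m365.example", "reg_days": 3, "bytes": 7200},
    {"ts": "2025-04-02T10:02:10", "type": "open", "host": "ws22", "pid": 5531,
     "path": "C:\\Users\\bob\\Downloads\\report.html"},
    {"ts": "2025-04-02T10:02:12", "type": "net", "host": "ws22", "pid": 5531,
     "dst": "cdn.vendor.example", "reg_days": 2400, "bytes": 300},
]

BEACON_WINDOW = timedelta(seconds=15)  # assumption: first beacon right after open
NEW_DOMAIN_DAYS = 30                   # assumption: what counts as newly registered
BURST_WINDOW = timedelta(seconds=120)  # assumption: span of the credential-entry burst

def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)

def find_beacon_alerts(events):
    """Alert when a browser process opens a local HTML file and, within
    BEACON_WINDOW, connects to a newly registered domain. The alert also
    counts follow-up connections to that domain inside BURST_WINDOW, the
    burst pattern the text associates with credential entry."""
    nets = [e for e in events if e["type"] == "net"]
    alerts = []
    for o in (e for e in events if e["type"] == "open"):
        t_open = parse_ts(o["ts"])
        same_proc = [n for n in nets
                     if n["host"] == o["host"] and n["pid"] == o["pid"]]
        for n in same_proc:
            t_beacon = parse_ts(n["ts"])
            delay = t_beacon - t_open
            if not (timedelta(0) <= delay <= BEACON_WINDOW):
                continue
            if n["reg_days"] >= NEW_DOMAIN_DAYS:
                continue
            follow = [m for m in same_proc if m["dst"] == n["dst"]
                      and t_beacon < parse_ts(m["ts"]) <= t_beacon + BURST_WINDOW]
            alerts.append({
                "host": o["host"], "path": o["path"], "dst": n["dst"],
                "beacon_delay_s": delay.total_seconds(),
                "followup_connections": len(follow),
                "followup_bytes": sum(m["bytes"] for m in follow),
            })
            break  # one alert per HTML open is enough
    return alerts

if __name__ == "__main__":
    for a in find_beacon_alerts(EVENTS):
        print(a)
```

The second workstation contacts a long-registered vendor CDN and produces no alert, which is the false-positive case a domain-age cutoff is there to suppress.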
Browser developer tools and debugging interfaces offer unexpected detection vectors. KrakVM's virtual machine execution creates memory artifacts that persist even after the phishing page closes. Hunt for JavaScript heap snapshots containing encrypted bytecode arrays or unusual function naming patterns associated with virtualized execution environments. Security teams with endpoint detection and response (EDR) capabilities should create custom detection rules targeting browsers with abnormally large JavaScript heap allocations combined with network connections to domains mimicking Microsoft services.
Authentication logs become critical when FlowerStorm successfully harvests credentials. The campaign's MFA interception creates a specific pattern: legitimate user authentication attempts from unexpected geographic locations occurring simultaneously with local browser activity. Configure identity and access management systems to flag authentication events where the source IP differs from the user's typical locations but matches regions hosting known FlowerStorm infrastructure. Pay particular attention to authentication flows that enumerate multiple MFA methods in rapid succession—a behavior consistent with the kit's MFA discovery capabilities.
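An added example (not the source article's code) of the two identity-log checks just described, which also serves the authenticated-session review in the incident-response section below: MFA methods exercised in rapid succession for one user, and a successful sign-in from outside the user's usual regions that overlaps in time with activity from a usual region. The sign-in log format, the per-user region baseline and the windows and thresholds are assumptions, and the sign-in rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real logs): one row per authentication step
# as an identity provider might record it; 'region' is the sign-in source.
SIGNINS = [
    {"ts": "2025-04-02T09:15:50", "user": "amy@corp.example", "region": "US-East",
     "mfa": "password", "result": "success"},
    {"ts": "2025-04-02T09:15:52", "user": "amy@corp.example", "region": "Frankfurt",
     "mfa": "password", "result": "success"},
    {"ts": "2025-04-02T09:15:53", "user": "amy@corp.example", "region": "Frankfurt",
     "mfa": "push", "result": "failure"},
    {"ts": "2025-04-02T09:15:55", "user": "amy@corp.example", "region": "Frankfurt",
     "mfa": "totp", "result": "failure"},
    {"ts": "2025-04-02T09:15:58", "user": "amy@corp.example", "region": "Frankfurt",
     "mfa": "sms", "result": "success"},
    {"ts": "2025-04-02T11:40:00", "user": "bob@corp.example", "region": "US-East",
     "mfa": "push", "result": "success"},
]
# Assumptions: per-user baseline of usual sign-in regions (built from history
# elsewhere) plus the windows and thresholds below.
BASELINE = {"amy@corp.example": {"US-East"}, "bob@corp.example": {"US-East"}}
ENUM_WINDOW = timedelta(seconds=60)       # MFA methods tried within this span...
ENUM_METHODS = 3                          # ...and at least this many distinct ones
CONCURRENT_WINDOW = timedelta(minutes=5)  # overlap between home and off-site sign-ins
parse_ts = datetime.fromisoformat

def by_user(events):
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        groups[e["user"]].append(e)
    return groups

def detect_mfa_enumeration(events):
    """Users for whom >= ENUM_METHODS distinct MFA methods (password step
    excluded) were exercised inside ENUM_WINDOW: kit-driven MFA discovery."""
    hits = set()
    for user, evs in by_user(events).items():
        mfa_evs = [e for e in evs if e["mfa"] != "password"]
        for i, start in enumerate(mfa_evs):
            t0 = parse_ts(start["ts"])
            methods = {e["mfa"] for e in mfa_evs[i:]
                       if parse_ts(e["ts"]) - t0 <= ENUM_WINDOW}
            if len(methods) >= ENUM_METHODS:
                hits.add(user)
                break
    return hits

def detect_concurrent_offsite_success(events, baseline):
    """(user, region, mfa) for successful sign-ins from outside the user's
    baseline regions that overlap, within CONCURRENT_WINDOW, with home activity."""
    alerts = []
    for user, evs in by_user(events).items():
        home = baseline.get(user, set())
        for e in evs:
            if e["result"] != "success" or e["region"] in home:
                continue
            t = parse_ts(e["ts"])
            if any(o["region"] in home
                   and abs(parse_ts(o["ts"]) - t) <= CONCURRENT_WINDOW
                   for o in evs):
                alerts.append((user, e["region"], e["mfa"]))
    return alerts
```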
Windows Management Instrumentation (WMI) event subscriptions reveal FlowerStorm's persistence mechanisms when operators attempt to maintain access beyond initial credential theft. Query WMI for event consumers linked to browser processes or HTML file associations, particularly those triggering on user logon events. The campaign's reliance on browser-based execution means any WMI persistence must ultimately launch a browser instance, creating a detection opportunity through process genealogy analysis.
Email gateway administrators should implement content inspection rules that flag HTML attachments containing specific JavaScript patterns: look for files with obfuscated code blocks exceeding standard complexity thresholds, references to ArrayBuffer or Uint8Array objects (used for bytecode storage), or JavaScript files that dynamically construct and evaluate code strings. While KrakVM's obfuscation prevents direct signature matching, the structural requirements of virtual machine implementation create consistent patterns that advanced email filters can identify through heuristic analysis.
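As an added illustration of the heuristic rules listed above (example code written for this page, not any gateway product's logic), a Python scorer over the inline scripts of an HTML attachment: it adds weight for typed-array or ArrayBuffer use, dynamic code construction or decoding, large numeric array literals and high script entropy. The weights, the 4.5 bits/char entropy threshold and the quarantine threshold of 5 are assumptions to tune against local mail, and both sample attachments are constructed.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample attachments (not real FlowerStorm samples): a benign HTML
# invoice with a trivial script, and one carrying the structural traits the
# text describes: a large numeric array fed to a typed-array constructor,
# base64 decoding and dynamic code construction.
BENIGN_HTML = """<html><body><h1>Invoice 1042</h1><p id="total"></p>
<script>document.getElementById('total').textContent = '$120.00';</script>
</body></html>"""

SUSPECT_HTML = """<html><body><p>Voicemail attached</p>
<script>
var b = new Uint8Array([12,199,44,231,7,88,160,3,255,91,17,204,63,142,29,77,210,5,99,181]);
var k = atob("c2VjcmV0");
var run = new Function("m", "return m");
run(b);
</script></body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
TYPED_ARRAY_RE = re.compile(r"\b(Uint8Array|ArrayBuffer|Uint32Array|DataView)\b")
DYNAMIC_EVAL_RE = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|\batob\s*\(")
NUMERIC_ARRAY_RE = re.compile(r"\[\s*(?:\d+\s*,\s*){15,}\d+\s*\]")  # 16+ numbers
ENTROPY_THRESHOLD = 4.5   # assumption: bits/char above which script text looks packed

def shannon_entropy(text: str) -> float:
    """Bits per character of the script text; packed bytecode scores high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

@dataclass
class ScanResult:
    score: int = 0
    reasons: list = field(default_factory=list)

def scan_html_attachment(html: str) -> ScanResult:
    """Additive heuristic score over the attachment's inline scripts.
    Weights and the quarantine threshold are assumptions to tune locally."""
    result = ScanResult()
    scripts = SCRIPT_RE.findall(html)
    if not scripts:
        return result            # no scripting at all: nothing to flag
    body = "\n".join(scripts)
    checks = [
        (1, "inline script present", True),
        (2, "typed-array / ArrayBuffer use", bool(TYPED_ARRAY_RE.search(body))),
        (3, "dynamic code evaluation or decoding", bool(DYNAMIC_EVAL_RE.search(body))),
        (2, "large numeric array literal", bool(NUMERIC_ARRAY_RE.search(body))),
        (1, "high script entropy", shannon_entropy(body) > ENTROPY_THRESHOLD),
    ]
    for weight, reason, hit in checks:
        if hit:
            result.score += weight
            result.reasons.append(reason)
    return result

def should_quarantine(html: str, threshold: int = 5) -> bool:
    """Gateway decision: quarantine when the score reaches the threshold."""
    return scan_html_attachment(html).score >= threshold
```

The reasons list is what you would write to the gateway's quarantine record, so an analyst can see which structural trait fired rather than a bare score.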
Immediate Actions: Hardening Email and Authentication Against This Campaign
Organizations must immediately block HTML attachments containing JavaScript at the email gateway level. Configure your email security platform to quarantine messages with HTML files that execute any form of scripting, particularly those arriving from external senders. Since FlowerStorm delivers KrakVM through HTML attachments disguised as voicemail notices and invoices, this single control disrupts their primary delivery mechanism.
Within the next 48 hours, audit your authentication logs for any references to Rockstar2FA infrastructure. The FlowerStorm kit emerged following disruption to the Rockstar2FA phishing service in December 2024, and operators may still leverage residual infrastructure. Search authentication event logs for connection attempts to domains containing variations of "rockstar," "2fa," or similar patterns that mimic legitimate MFA services.
Deploy content disarmament and reconstruction (CDR) technology specifically configured to strip JavaScript from HTML files before delivery. Unlike traditional sandboxing that executes files to observe behavior, CDR removes potentially malicious elements while preserving document structure. This prevents KrakVM's encrypted bytecode from ever reaching user browsers, regardless of how the virtual machine evolves.
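An added example of the CDR step described above (written for this page, not any CDR product's code): a pass over an HTML attachment with Python's html.parser that drops script-capable elements, on* event-handler attributes and javascript: URLs while keeping the rest of the markup and text, and records what it removed. The element and attribute lists are assumptions, and the sample attachment is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed HTML attachment (not a real FlowerStorm sample) with the
# script-bearing constructs a CDR stage must remove: a script element, an
# inline event handler, a javascript: URL and an iframe with inline markup.
SAMPLE = """<html><body onload="boot()"><h1>Voicemail</h1>
<script type="text/javascript">var vm = new Uint8Array([1,2,3]);</script>
<a href="javascript:run()">Listen</a>
<a href="https://vendor.example/doc">Details</a>
<iframe srcdoc="&lt;script&gt;x()&lt;/script&gt;"></iframe>
<p>Call back on 555-0100.</p></body></html>"""

DROP_ELEMENTS = {"script", "iframe", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "formaction"}

class JsStripper(HTMLParser):
    """Rebuilds the document without script-capable elements, on* event
    handler attributes and javascript: URLs; other markup and text survive
    (text and attribute values are re-escaped on output; comments are dropped)."""

    def __init__(self):
        super().__init__()
        self.out = []          # sanitized document fragments
        self.removed = []      # audit trail: element or attribute names stripped
        self.skip_depth = 0    # > 0 while inside a dropped element

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            v = (value or "").strip().lower()
            if (name.startswith("on") or name == "srcdoc"
                    or (name in URL_ATTRS and v.startswith("javascript:"))):
                self.removed.append(name)
                continue
            kept.append((name, value))
        return kept

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.removed.append(tag)
            self.skip_depth += 1
        elif not self.skip_depth:
            attr_text = "".join(f' {n}="{escape(v, quote=True)}"' if v is not None
                                else f" {n}" for n, v in self._clean_attrs(attrs))
            self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def strip_javascript(doc: str):
    """Return (sanitized_html, removed_items) for one attachment."""
    parser = JsStripper()
    parser.feed(doc)
    parser.close()
    return "".join(parser.out), parser.removed
```

The removed list gives the mail-flow log a record of what was disarmed, which is how you notice that an attachment arriving as a "voicemail" needed a script stripped at all.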
Configure your email platform to enforce stricter attachment policies for the five sectors FlowerStorm actively targets: communications, local government, logistics, real estate, and retail. These organizations should implement allowlisting for HTML attachments, permitting only files from verified business partners while blocking all others. The administrative burden of maintaining allowlists becomes justified when your sector faces active targeting.
Within one month, implement browser isolation for users who regularly interact with external attachments. Browser isolation executes web content in remote containers, preventing malicious JavaScript—including KrakVM's virtual machine—from running on endpoint devices. Even if users open FlowerStorm's phishing pages, the credential theft code executes in an isolated environment without access to corporate credentials or session cookies.
Establish DMARC enforcement at the reject level for all inbound email, particularly for domains impersonating Microsoft services, GoDaddy, and Hotmail—FlowerStorm's primary targets. Configure SPF and DKIM validation to block messages from cloud object storage subdomains in Singapore, Bangkok, Frankfurt, Tokyo, Seoul, Jakarta, and Ashburn, where researchers identified FlowerStorm infrastructure clusters.
For the next quarter, develop phishing simulation campaigns that specifically test employee response to HTML attachments claiming to contain voicemails, invoices, or vendor communications. Traditional phishing tests focus on link clicks; your simulations must measure how users handle attachments that open directly in browsers. Track which departments most frequently open these files and provide targeted training emphasizing the risks of browser-executed content.
Update incident response runbooks to include procedures for investigating browser-based virtual machines. Security teams need documented workflows for analyzing JavaScript bytecode, identifying KrakVM signatures in browser memory, and tracing credential theft attempts through browser developer tools. Standard malware investigation procedures won't detect virtualized execution environments running entirely within browser sandboxes.
Most critically, implement conditional access policies that require reauthentication when users access Microsoft 365, Hotmail, or GoDaddy from new locations or devices—even with valid MFA tokens. FlowerStorm's adversary-in-the-middle capabilities capture both credentials and MFA codes, but conditional access creates additional authentication barriers that session hijacking alone cannot bypass.
Incident Response: What to Do If FlowerStorm Breaches Your Organization
When FlowerStorm compromises an organization through their KrakVM-obfuscated attacks, the virtual machine's bytecode execution leaves forensic artifacts that traditional incident response playbooks don't address. Your response team needs specialized procedures to contain the breach while preserving evidence of browser-based virtual machine activity.
The first 24 hours determine whether FlowerStorm operators maintain persistent access to your authentication infrastructure. Begin by isolating any systems where users reported opening HTML attachments containing voicemail notifications, invoice documents, or vendor correspondence—the campaign's primary disguises.
First 24 Hours: Containment and Evidence Preservation
Immediately capture browser memory dumps from affected workstations before users close their browsers or restart systems. The KrakVM interpreter leaves bytecode fragments in browser heap memory that disappear upon process termination. Use tools like Process Monitor to capture browser process trees showing JavaScript compilation into encrypted bytecode—critical evidence for understanding which credentials FlowerStorm harvested.
Search proxy logs for connections to cloud object storage subdomains in Singapore, Bangkok, Frankfurt, Tokyo, Seoul, Jakarta, and Ashburn regions. FlowerStorm infrastructure uses these geographic distribution points to host credential-harvesting pages that impersonate Microsoft 365, Hotmail, and GoDaddy login portals.
Review Microsoft Authenticator logs, TOTP generation timestamps, SMS authentication records, and voice verification attempts from the past 72 hours. The phishing kit enumerates all MFA methods registered on victim accounts before presenting matching prompts to capture authentication codes. Any successful MFA challenge during the incident window indicates FlowerStorm operators gained authenticated session access.
24-72 Hours: Threat Hunting and Scope Assessment
Deploy memory analysis across your environment to identify additional KrakVM execution patterns. The virtual machine operates close to default configurations, creating consistent memory allocation patterns when interpreting obfuscated JavaScript. Hunt for browser processes with abnormally high CPU utilization that correlates with HTML file access—a signature of bytecode interpretation.
Analyze email gateway logs to identify other recipients of HTML attachments with similar characteristics. FlowerStorm targets multiple users within organizations, particularly in communications, government, logistics, retail, and real estate sectors. Cross-reference attachment hashes with Sublime Security's published 153 indicators of compromise.
Examine domain controller authentication logs for anomalous session tokens generated through adversary-in-the-middle interception. When FlowerStorm captures credentials and MFA codes, operators establish authenticated sessions that bypass normal login workflows. These sessions appear legitimate but originate from unexpected geographic locations matching FlowerStorm's infrastructure regions.
Post-Incident Recovery and Hardening
Reset credentials for all accounts that accessed email during the compromise window, regardless of whether they reported suspicious activity. FlowerStorm's ability to dynamically adapt phishing pages with preloaded email addresses and customized company branding means victims often don't recognize the attack.
Implement conditional access policies that block authentication attempts from the specific cloud storage regions identified in your investigation. While FlowerStorm will likely rotate infrastructure, temporarily blocking these regions disrupts active operator sessions.
Document German-language domains assembled from English words in your threat intelligence platform. FlowerStorm uses these naming patterns to mimic legitimate business services, court systems, and enterprise portals. Share these indicators with peer organizations in your sector, as FlowerStorm systematically targets specific industries.
Preserve all browser cache directories, temporary internet files, and JavaScript console logs as evidence. These artifacts contain deobfuscated payload fragments that reveal how FlowerStorm enumerated your authentication providers and customized their attack based on your environment's specific configuration.