<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>EvilTokens on Detection.FYI</title>
    <link>https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/eviltokens/</link>
    <description>Recent content in EvilTokens on Detection.FYI</description>
    <generator>Hugo -- gohugo.io</generator>
    <copyright> </copyright>
    <lastBuildDate>Wed, 01 Jul 2026 09:39:33 +0000</lastBuildDate><atom:link href="https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/eviltokens/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>EvilTokens PhaaS Kit Phishing Related Request - Proxy</title>
      <link>https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/eviltokens/proxy_eviltokens_cloudflare_worker_request/</link>
      <pubDate>Wed, 01 Jul 2026 09:39:33 +0000</pubDate>
      
      <guid>https://detection.fyi/sigmahq/sigma/emerging-threats/2026/malware/eviltokens/proxy_eviltokens_cloudflare_worker_request/</guid>
      <description>
        
          
            Detects outbound web proxy requests to URLs matching the EvilTokens Phishing-as-a-Service (PhaaS) kit infrastructure.
Specifically Cloudflare Workers and Railway.app domains used in OAuth device code authorization phishing attacks.
This indicates a user has clicked a phishing link.

          
          
        
      </description>
    </item>
    
  </channel>
</rss>
