49 changes: 49 additions & 0 deletions indicators/fortnite-locker-checker-phishing-kit-4e7c91a2.yml
@@ -0,0 +1,49 @@
title: Fortnite Locker Checker Phishing Kit 4e7c91a2
description: |
Detects an Epic Games / Fortnite phishing kit conducting an OAuth
authorization-code grab attack that bypasses 2FA. The kit directs victims
to authenticate on the legitimate epicgames.com OAuth endpoint, then
instructs them to paste the resulting authorization code back into the
phishing page where the kit exchanges it for a valid access_token via
Epic's API. The user's password never leaves Epic and 2FA is genuinely
passed, but the attacker captures a fully-authenticated session.

Identified by its proprietary `/.merc/captcha` anti-bot framework, the
`anubis_token` cookie (operator-rebranded fork of TecharoHQ/anubis), the
`/lupidrupigang/locker/` paths, and shared third-party asset hosting on
postimg.cc with Russian-transliteration filenames (`vhodebat` = login,
`shekeli` = money). Active across 65+ domains as of April 2026 spanning
V1, V2, V2 sub-variant, and V3 kit variants.
references:
- https://urlscan.io/result/019dcad8-85fb-75e8-9a05-bb1e8c0b9110/
- https://urlscan.io/result/019dcad9-3b19-7052-a735-e93678117d7c/
- https://urlscan.io/result/019dcad9-af6b-7475-b75a-0df543b29fab/
- https://urlscan.io/result/019dcadc-ee18-724a-bc90-3e8c38ed79aa/
- https://urlscan.io/result/019dcadd-f5b5-70bb-8934-7dda9efc5e9d/
detection:
mercCaptchaPath:
requests|contains: '/.merc/captcha'
anubisCookie:
cookies|contains: 'anubis_token='
challengeText:
html|contains: 'Click the shapes in order shown below'
oauthGrabFlow:
html|contains|all:
- 'Click on the Get Code button below to generate an authorization code'
- 'paste your authorization code to validate'
epicOAuthRedirect:
html|contains: 'epicgames.com/id/api/redirect?clientId=fortnitePCGameClient'
sharedAssets:
requests|contains:
- 'i.postimg.cc/DzGdT9Hg/vhodebat.png'
- 'i.postimg.cc/Z5B6PkbY/shekeli.png'
- 'i.postimg.cc/zBVNvkwF/locker1ver.png'
- 'raw.githubusercontent.com/sios-v/wolk/master/fonts/'
lupidrupigangPath:
requests|contains: '/lupidrupigang/locker/'
condition: mercCaptchaPath or (challengeText and anubisCookie) or (oauthGrabFlow and epicOAuthRedirect) or sharedAssets or lupidrupigangPath
tags:
- kit
- target.epic-games
- target.fortnite
- oauth
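Review bot: the `sharedAssets` selector is a standalone OR term in `condition`, yet its last entry, `raw.githubusercontent.com/sios-v/wolk/master/fonts/`, is a generic font-hosting path that the description never ties to this kit (only the postimg.cc images are described as kit-specific), so any page that loads fonts from that repository will fire the rule on its own. Consider moving the fonts prefix into its own selector and requiring it to co-occur with another kit marker, e.g. `condition: mercCaptchaPath or (challengeText and anubisCookie) or (oauthGrabFlow and epicOAuthRedirect) or sharedAssets or (wolkFonts and lupidrupigangPath) or lupidrupigangPath`, keeping `sharedAssets` limited to the three postimg.cc image paths. The same reasoning already applies to `anubisCookie` and `epicOAuthRedirect`, which the condition correctly pairs with a second indicator rather than using alone; documenting that intent in a comment next to `condition` would help future maintainers keep the pairing when adding V4 variants.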