Full Report
A new cybercrime platform called ATHR can harvest credentials via fully automated voice phishing attacks that use both human operators and AI agents for the social engineering phase. [...]
Analysis Summary
# Tool/Technique: ATHR (Vishing-as-a-Service)
## Overview
ATHR is a sophisticated, all-in-one cybercrime platform designed to conduct Telephone-Oriented Attack Delivery (TOAD) at scale. It automates the entire phishing and voice phishing (vishing) lifecycle—from initial email lure delivery to technical credential harvesting. Its primary differentiator is the integration of AI-driven voice agents that interact with victims to extract sensitive information, such as two-factor authentication (2FA) codes, without requiring a constant human presence.
## Technical Details
- **Type**: Vishing-as-a-Service (VaaS) Platform / Tool
- **Platform**: Multi-platform (Targets Google, Microsoft, Coinbase, Binance, Gemini, Crypto.com, Yahoo, AOL)
- **Capabilities**: AI Voice Agents, Email Automation, WebRTC routing, Asterisk integration, Real-time dashboards.
- **First Seen**: Observed in April 2026 (Reported by Abnormal Security).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - **[T1566.001 - Phishing: Spearphishing Email]**: Using brand-specific, customized templates.
- **[TA0007 - Discovery]**
  - **[T1204.001 - User Execution: Malicious Link/Action]**: Inducing the victim to call a provided phone number.
- **[TA0006 - Credential Access]**
  - **[T1566.004 - Phishing: Voice]**: Utilizing AI agents to harvest credentials and OTPs via phone calls.
  - **[T1111 - Two-Factor Authentication Interception]**: Specifically designed to extract six-digit verification codes.
- **[TA0005 - Defense Evasion]**
  - **[T1564 - Hide Artifacts]**: Using generic lures to bypass content-based security filters.
## Functionality
### Core Capabilities
- **Automated Email Distribution**: Generates and sends lures designed to pass technical authentication checks (SPF/DKIM/DMARC) using spoofing mechanisms.
- **Infrastructure Orchestration**: Integrates Asterisk (VoIP) and WebRTC to route victim calls to the attacker's infrastructure.
- **Brand-Specific Templating**: Pre-configured lures for financial institutions and major tech providers.
- **Real-time Monitoring**: A centralized dashboard provides operators with live updates on call status and harvested data logs.
### Advanced Features
- **AI Voice Agent Script Builder**: Allows attackers to create AI personas with specific tones, behaviors, and professional scripts to mimic support staff.
- **Dynamic 2FA Harvesting**: AI agents guide victims through a "security recovery" simulation to extract real-time verification codes.
- **Hybrid Operator Mode**: Offers the ability to switch between fully automated AI agents and manual human operator intervention if necessary.
## Indicators of Compromise
*Note: As this is a service-based platform, specific file hashes are often unavailable; detection relies on behavioral and network patterns.*
- **Network Indicators**:
  - Communications involving specific WebRTC or Asterisk signaling protocols from non-standard or newly created domains.
  - C2/Panel Domains: [h]xxps[:]//athr[.]sh (Hypothetical example based on naming).
- **Behavioral Indicators**:
  - Inbound emails containing urgent "account security" alerts that lack traditional malicious links/attachments but emphasize a phone number.
  - Multiple users within a single organization receiving the same phone number lure simultaneously.
  - Use of high-pressure social engineering tactics regarding account recovery for Gemini, Coinbase, or Microsoft.
## Associated Threat Actors
- Currently categorized as a "Productized" cybercrime offering available to various low-to-mid-tier threat actors via underground forums ($4,000 entry fee + 10% commission).
## Detection Methods
- **Behavioral Detection**: Monitoring for "Burst" email patterns where a single phone number is distributed across an organization.
- **AI-Powered Identity Modeling**: Analyzing communication patterns to identify deviations from legitimate service provider notification styles.
- **Natural Language Processing (NLP)**: Scanning email bodies for high-pressure language associated with TOAD attacks (e.g., "unauthorized access," "call immediately to secure").
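The "burst" and high-pressure-language detections above, as an added illustration that is not part of the original report: it extracts callback numbers from a constructed batch of inbound emails, normalizes them so punctuation variants collapse to one number, flags any number sent to several distinct recipients inside a short window, and scores the surrounding text for TOAD-style pressure phrases. The sample messages, phrase list and thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample messages (not real telemetry): three lures carrying the same
# callback number in different formats, plus one benign transactional notification.
SAMPLE_EMAILS = [
    {"ts": "2026-04-02T09:00:05", "to": "alice@example.test", "subject": "Unauthorized access detected",
     "body": "We detected unauthorized access to your account. Call immediately to secure it: +1 (555) 010-2000."},
    {"ts": "2026-04-02T09:00:40", "to": "bob@example.test", "subject": "Account security alert",
     "body": "Suspicious sign-in. Call 555-010-2000 now to secure your account."},
    {"ts": "2026-04-02T09:01:10", "to": "carol@example.test", "subject": "Action required",
     "body": "Your account will be locked. Call immediately: 1-555-010-2000."},
    {"ts": "2026-04-02T11:30:00", "to": "dave@example.test", "subject": "Your invoice",
     "body": "Thanks for your order. Questions? Reach support at 555-020-3000 during business hours."},
]

# Assumed pressure vocabulary; a real deployment would tune this list from observed lures.
PRESSURE_PHRASES = ("unauthorized access", "call immediately", "secure your account", "will be locked")
# Matches US-style numbers with optional country code and varied separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def normalize_phone(raw):
    """Keep the 10 significant digits so '+1 (555) 010-2000' and '555-010-2000' compare equal."""
    digits = re.sub(r"\D", "", raw)
    return digits[-10:] if len(digits) >= 10 else digits

def pressure_score(text):
    """Count distinct high-pressure phrases present in the text (case-insensitive)."""
    lowered = text.lower()
    return sum(1 for phrase in PRESSURE_PHRASES if phrase in lowered)

def find_phone_bursts(emails, min_recipients=3, window=timedelta(minutes=10)):
    """Return {phone: sorted recipients} for numbers reaching >= min_recipients users within `window`."""
    hits = defaultdict(list)  # normalized phone -> [(timestamp, recipient)]
    for msg in emails:
        ts = datetime.fromisoformat(msg["ts"])
        for raw in PHONE_RE.findall(f"{msg['subject']} {msg['body']}"):
            hits[normalize_phone(raw)].append((ts, msg["to"]))
    bursts = {}
    for phone, events in hits.items():
        events.sort()
        # Slide a window from each delivery; flag once enough distinct recipients fall inside it.
        for i, (start, _) in enumerate(events):
            inside = {rcpt for t, rcpt in events[i:] if t - start <= window}
            if len(inside) >= min_recipients:
                bursts[phone] = sorted(inside)
                break
    return bursts
```

Pairing a burst hit with a non-zero pressure score on the same messages gives a higher-confidence TOAD alert than either signal alone.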
## Mitigation Strategies
- **Prevention**: Implement security awareness training specifically focusing on "TOAD" attacks and the reality of AI-generated voices.
- **Policy**: Establish and communicate a firm policy that legitimate support organizations (Google, Microsoft) will never call users or ask for a 2FA code over the phone.
- **Technical**: Use advanced email security layers that can analyze the reputation and history of phone numbers included in email bodies.
## Related Tools/Techniques
- **BazarCall**: An earlier, prominent TOAD-based campaign.
- **Vastflux / Vishing Kits**: General category of toolsets used to automate fraudulent calls.
- **Deepfake Audio**: Emerging technology used to enhance the social engineering aspect of these platforms.