FlowerStorm phishing gang adopts virtual-machine obfuscation to evade email defenses
Summary
The FlowerStorm phishing-as-a-service operation has begun using KrakVM, an open-source JavaScript virtual machine, to obfuscate the malicious code carried in its phishing emails. The script's logic is encoded as bytecode for the virtual machine and only reconstructed when the interpreter runs in the victim's browser, so email gateways and static analysis tools that inspect the source text see neither the real code nor its indicators. This is a step up in sophistication for the group.
IFF Assessment
The adoption of advanced obfuscation techniques like virtual machines by phishing gangs makes their attacks harder to detect and block, posing a greater threat to defenders.
Defender Context
Defenders should be aware that phishing campaigns increasingly employ sophisticated obfuscation techniques, including embedded virtual machines, to bypass traditional security controls. Static signature matching on attachment or script content is no longer sufficient on its own; detection needs to observe what the code does when executed (the DOM sinks it calls, the URLs it assembles, the navigation it attempts), through sandboxed or instrumented execution alongside the static checks.