Device Code Phishing Attacks Surge 37x With 11 New Kits, China-Linked TA416 Targets European Governments, LinkedIn BrowserGate Scans 6,000+ Extensions, Qilin Ransomware Hits German Political Party
OAuth device code phishing attacks have exploded 37x in 2026 as at least 11 phishing-as-a-service kits democratize the technique. China's TA416 APT resumes aggressive espionage against European governments with updated PlugX. LinkedIn caught covertly scanning over 6,000 browser extensions. Qilin ransomware steals data from Germany's Die Linke party. SparkCat crypto-stealing malware returns to iOS and Android app stores.
1. Device Code Phishing Attacks Surge 37x — 11 PhaaS Kits Now Available
⚠ CRITICAL — OAuth Device Flow Widely Weaponized
Device code phishing attacks abusing the OAuth 2.0 Device Authorization Grant flow have surged 37.5x in 2026. At least 11 phishing kits now offer this capability as a service, making the technique accessible to low-skilled attackers.
Security researchers at Push Security have documented an explosive increase in device code phishing, a technique that abuses the OAuth 2.0 Device Authorization Grant flow designed for input-constrained devices like smart TVs and IoT hardware. The attack tricks victims into entering an attacker-generated device code on a legitimate Microsoft login page, unknowingly granting the attacker persistent access via valid tokens.
How the Attack Works
The threat actor sends a device authorization request to the identity provider and receives a code. This code is delivered to the victim via phishing lures — typically SaaS-themed pages mimicking DocuSign, SharePoint, Microsoft Teams, or Adobe. When the victim enters the code on the legitimate login page, the attacker's device receives valid access and refresh tokens, bypassing MFA entirely.
11 Competing Phishing Kits
The EvilTokens phishing-as-a-service platform, documented by Sekoia earlier this week, has been the primary driver of mainstream adoption. However, Push Security identified 10 additional competing kits:
- VENOM — Closed-source kit offering both device code phishing and AiTM capabilities; appears to be an EvilTokens clone
- SHAREFILE — Citrix ShareFile-themed lures with node-based backends
- CLURE — SharePoint-themed with rotating API endpoints on DigitalOcean
- LINKID — Microsoft Teams and Adobe-themed lures with Cloudflare challenges
- AUTHOV — Hosted on workers.dev with popup-based device code entry
- DOCUPOLL — GitHub Pages-hosted DocuSign workflow replicas
- FLOW_TOKEN — Tencent Cloud backend with HR-themed lures
- PAPRIKA — AWS S3-hosted Microsoft login clones with fake Okta footer
- DCSTATUS — Minimal kit with generic Microsoft 365 lures
- DOLCE — PowerApps-hosted, likely red-team implementation
Defensive Recommendations
- Disable the Device Authorization Grant flow via conditional access policies where not needed
- Monitor for unexpected device code authentication events in identity provider logs
- Alert on sessions originating from unusual IP addresses or geolocations
- Implement FIDO2/passkey-based authentication where possible
- Train users to recognize device code phishing lures
2. China-Linked TA416 Resumes European Government Espionage With PlugX
🔶 HIGH — State-Sponsored Espionage Campaign Against EU & NATO
The TA416 APT group (overlapping with RedDelta, Vertigo Panda) has resumed aggressive targeting of European government and diplomatic organizations after a two-year pause, deploying updated PlugX backdoors via OAuth redirect abuse.
Proofpoint researchers have documented TA416's renewed espionage campaign against European government and diplomatic organizations since mid-2025. The China-aligned group — which overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda — targeted diplomatic missions to the EU and NATO across multiple European countries.
Evolving Attack Chain
TA416 has continuously evolved its infection techniques throughout the campaign:
- Cloudflare Turnstile abuse — Using legitimate CAPTCHA challenge pages to gate malware delivery
- OAuth redirect exploitation — Abusing Microsoft Entra ID cloud applications and OAuth authorization endpoints to redirect victims to attacker-controlled domains
- C# project file abuse — Using MSBuild to automatically compile malicious CSPROJ files that act as PlugX downloaders
- Cloud hosting diversification — Hosting malicious archives on Azure Blob Storage, Google Drive, and compromised SharePoint instances
Middle East Expansion
Beyond Europe, TA416 has also launched campaigns targeting diplomatic and government entities in the Middle East following the U.S.-Israel-Iran conflict in late February 2026, likely seeking regional intelligence.
Technical Details
The February 2026 attack chain downloads archives from Google Drive or compromised SharePoint instances containing a legitimate MSBuild executable and a malicious C# project file. The CSPROJ file decodes three Base64-encoded URLs to fetch a DLL side-loading triad from a TA416-controlled domain, executing PlugX via the group's characteristic DLL side-loading technique.
Indicators & Mitigations
- Monitor for unexpected MSBuild executions outside development environments
- Block known TA416 C2 infrastructure at the network level
- Review OAuth application permissions in Entra ID for unauthorized third-party apps
- Enable web bug tracking detection in email security gateways
- Alert on DLL side-loading patterns involving legitimate executables
3. LinkedIn "BrowserGate" — Microsoft Platform Scans 6,000+ Chrome Extensions
🔶 HIGH — Privacy Concerns Over Covert Browser Fingerprinting
LinkedIn has been caught injecting JavaScript that scans visitors' browsers for over 6,000 Chrome extensions and collecting detailed device fingerprinting data, linking results to identifiable user profiles.
A report dubbed "BrowserGate" by Fairlinked e.V. reveals that Microsoft's LinkedIn is using hidden JavaScript to scan visitors' browsers for installed extensions and collect device data. BleepingComputer independently confirmed the claims, observing a JavaScript file with a randomized filename loaded by LinkedIn's website that checked for 6,236 browser extensions.
What LinkedIn Collects
- Browser extensions — Scans for 6,236 extensions including 200+ competing sales tools (Apollo, Lusha, ZoomInfo)
- CPU core count and available memory
- Screen resolution and timezone
- Language settings and battery status
- Audio information and storage features
Growing Scope
The extension scanning has been escalating: from approximately 2,000 extensions in 2025, to 3,000 two months ago, to the current 6,236. Beyond LinkedIn-related extensions, the script also detects language tools, grammar extensions, tax professional tools, and seemingly unrelated features.
Competitive Intelligence Concerns
The report alleges that LinkedIn uses this data to map which companies use competing products, effectively extracting competitor customer lists from users' browsers. LinkedIn reportedly sent enforcement threats to users of third-party tools based on data obtained through covert scanning.
LinkedIn's Response
LinkedIn does not dispute detecting extensions but claims the practice is for platform protection. The company states the report author's account was banned for scraping and violating terms of service. LinkedIn says extension detection helps identify tools that scrape data without member consent.
4. Qilin Ransomware Steals Data From German Political Party Die Linke
⚠ CRITICAL — Political Party Data Breach With Geopolitical Implications
The Qilin ransomware group has compromised Germany's Die Linke political party, stealing sensitive internal data and employee personal information. The party suggests the attack may be politically motivated.
The Qilin ransomware group has claimed responsibility for an attack against Die Linke (The Left), a German democratic socialist political party currently represented in the Bundestag with 64 members and 123,000 registered members. The attack on March 27 forced an IT systems outage at party headquarters.
What Was Stolen
- Sensitive internal data from party organization systems
- Personal information of headquarters employees
- The membership database was not compromised — attackers failed to obtain member data
Political Dimensions
Die Linke described the attackers as Russian-speaking cybercriminals with both financial and political motivations, stating the attack "does not appear to be coincidental." The party characterized ransomware attacks against political organizations as "part of hybrid warfare" and "an attack on critical infrastructure." Russia-linked groups have previously targeted German political parties — in 2024, APT29 targeted CDU with the WineLoader backdoor.
Response Actions
- German authorities notified and criminal complaint filed
- Independent IT experts engaged for system restoration
- Qilin listed Die Linke on its leak site on April 1 without publishing data samples
- Data leak threat being used as pressure to extract ransom payment
5. SparkCat Crypto-Stealing Malware Returns to iOS and Android App Stores
🔶 HIGH — Official App Stores Compromised Again
A new, more sophisticated variant of SparkCat has been discovered in the Apple App Store and Google Play Store, using OCR to steal cryptocurrency wallet recovery phrases from victims' photo galleries.
Kaspersky researchers have discovered a new version of SparkCat malware on both the Apple App Store and Google Play Store, more than a year after the trojan was first documented. The malware hides within seemingly benign apps — enterprise messengers and food delivery services — while silently scanning victims' photo galleries for cryptocurrency wallet recovery phrases.
Technical Evolution
- Code virtualization — New obfuscation layers make analysis significantly harder
- Cross-platform languages — Sidesteps traditional analysis tools
- OCR-based extraction — Uses optical character recognition to identify wallet seed phrases in screenshots
- Multilingual targeting — Android version scans for Japanese, Korean, and Chinese keywords; iOS variant scans English mnemonic phrases for broader reach
Scope & Attribution
Kaspersky found two infected apps on the App Store and one on Google Play, primarily targeting cryptocurrency users in Asia. The operation is attributed to a Chinese-speaking operator. The iOS variant's English-language scanning makes it potentially broader in reach, affecting users globally regardless of region.
User Protections
- Never screenshot or photograph cryptocurrency wallet recovery phrases
- Review app permissions — be suspicious of photo gallery access requests from unrelated apps
- Use mobile security solutions that scan for known malware signatures
- Store seed phrases offline using physical media only
Threat Landscape Summary
| Threat | Severity | Action Required |
|---|---|---|
| Device code phishing (11 kits) | CRITICAL | Disable device auth grant, monitor auth logs |
| TA416 PlugX against EU/NATO | HIGH | Review OAuth apps, block known C2 infrastructure |
| LinkedIn BrowserGate | HIGH | Review extension exposure, consider browser profiles |
| Qilin ransomware vs Die Linke | CRITICAL | Political orgs: review ransomware readiness |
| SparkCat crypto stealer | HIGH | Never photograph seed phrases, review app permissions |
Stay Ahead of the Threat Curve
Daily intelligence briefings, real-world attack analysis, and actionable defensive guidance.
Explore KENSAI— KENSAI Security Intelligence · Published April 4, 2026