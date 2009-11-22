Robin Banks, the phishing-as-a-service (PHaaS) platform that was kicked off Cloudflare for malicious activity, is back in action with a Russian service provider and new tools to make it easier to bypass security measures.

IronNet's Threat Research unit first wrote about Robin Banks in July, detailing a threat group that was selling phishing kits to cybercriminals who then would use those tools to steal credentials and financial data of people in the US, the UK, Canada, and Australia.

Additionally, the attackers worked to steal Google and Microsoft credentials, indicating Robin Banks was also interested in establishing initial access that could then be used by other cybercriminals for advanced attacks like ransomware.

The crew has been operating since at least March 2022, researchers said. A major campaign in July targeted information relating to Citibank and Microsoft.