
EvilTokens Is Pattern 49 With a Pricing Page

  • Writer: Patrick Duggan

Kyle Hanslovan, CEO of Huntress, posted this morning about a campaign his team and Microsoft Threat Intelligence have been tracking. The crew calls themselves EvilTokens. They host on Railway, route victims through Cloudflare Workers and Vercel, and abuse the Microsoft device-code authentication flow to bypass MFA. Hundreds of orgs across five countries hit in weeks. Every IOC unique. Every domain trusted. Every cloud service reputable.


Then Kyle named the thing the security industry has been dancing around for two years. EvilTokens is not a hacking crew. It is a product company. Storefront. Pricing page. 24/7 support. AI-augmented workflows. LLM-generated lures tailored per target. Cybercrime has been productized.


He is right. And the productization is the headline. But the infrastructure underneath the storefront is not new, and that is the part defenders need to internalize before tomorrow's live stream with Casey Smith and Sherrod DeGrippo.


We have been writing about this exact infrastructure pattern since Pattern 49. The first post documented an AsyncRAT command-and-control server running on a Cloudflare Workers account named hrmcxaeel, with at least three deployed workers fronting the C2 (shiny-darkness-5096.hrmcxaeel.workers.dev and quiet-disk-62f9.hrmcxaeel.workers.dev are still in our corpus, fed in by OTX). Pattern 49 Part 2 went further. We curled live crypto-wallet phishing on Cloudflare Pages and GitHub Pages, same allowlist, more platforms, different wallets. The frame was simple. The platform-native abuse surface — Cloudflare Workers, Cloudflare R2, IPFS, AWS CloudFront, GitHub Pages, Vercel, Railway — sits inside the trust envelope of every enterprise SIEM. Allowlist by domain and you have allowlisted the C2.


The corpus tells the story in numbers. As of this morning, our IOC index holds 54,553 indicators tied to up.railway.app subdomains alone. 2,981 tied to workers.dev. 15,853 tied to Vercel. These are not theoretical. OpenPhish and SSLBL deliver them daily. Examples from this week: alfa-production-1ab8.up.railway.app and axach-loq-in.up.railway.app/pass/swisspass/login.php — the second one impersonating SwissPass, the Swiss federal rail authentication service. That is the platform Kyle is describing. EvilTokens did not invent this surface. They put a logo on it and a Stripe account behind it.
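As an added illustration of the point made above and in the Pattern 49 recap (that a domain-level allowlist admits every tenant on the platform, C2 included), here is a small Python check. It is example code written for this page, not tooling from the blog's corpus or from Huntress. The hostnames in OBSERVED are the indicators quoted in the post; the PLATFORM_SUFFIXES allowlist and the OWNED_HOSTS set are constructed stand-ins for an enterprise's own perimeter policy.

```python
# Added example (not from the post): a domain-suffix allowlist admits every
# tenant on a shared platform, including the C2 and phishing hosts the post names.
from urllib.parse import urlsplit

# Shared-tenant platform apexes that a perimeter allowlist commonly contains (constructed policy).
PLATFORM_SUFFIXES = ("workers.dev", "pages.dev", "up.railway.app", "vercel.app", "github.io")

# Hosts this organisation actually provisioned on those platforms (constructed for the example).
OWNED_HOSTS = {
    "internal-tools.example-corp.workers.dev",
    "status-page.up.railway.app",
}

# Indicators quoted in the post (the Pattern 49 AsyncRAT workers and this week's Railway phish),
# mixed with the two constructed owned hosts.
OBSERVED = [
    "shiny-darkness-5096.hrmcxaeel.workers.dev",
    "quiet-disk-62f9.hrmcxaeel.workers.dev",
    "alfa-production-1ab8.up.railway.app",
    "axach-loq-in.up.railway.app/pass/swisspass/login.php",
    "internal-tools.example-corp.workers.dev",
    "status-page.up.railway.app",
]


def host_of(url_or_host: str) -> str:
    """Extract a lower-cased hostname from a URL or a bare host[/path] string."""
    s = url_or_host if "://" in url_or_host else "//" + url_or_host
    return (urlsplit(s).hostname or "").rstrip(".").lower()


def suffix_allowlisted(host: str) -> bool:
    """The naive perimeter rule: anything under a trusted platform apex passes."""
    return any(host == s or host.endswith("." + s) for s in PLATFORM_SUFFIXES)


def exact_allowlisted(host: str) -> bool:
    """The corrected rule: only hosts the org provisioned pass; the apex itself is never trusted."""
    return host in OWNED_HOSTS


def allowlist_gap(entries) -> list:
    """Hosts the suffix rule admits but the exact rule rejects: every other tenant on the apex."""
    hosts = {host_of(e) for e in entries}
    return sorted(h for h in hosts if suffix_allowlisted(h) and not exact_allowlisted(h))


if __name__ == "__main__":
    for h in sorted({host_of(e) for e in OBSERVED}):
        print(f"{h:48} suffix={suffix_allowlisted(h)!s:5} exact={exact_allowlisted(h)}")
    print("admitted by the suffix rule only:", allowlist_gap(OBSERVED))
```

The gap list is the whole point: under the suffix rule the two hrmcxaeel workers and both Railway phishing hosts come back as trusted, and the only rule that separates them from the organisation's own deployments is one that names the exact hosts the organisation provisioned.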


The productization is what changes the defender's job. Before productization, abusing these platforms took attacker skill: provisioning Workers, configuring R2, rotating Pages deployments, writing phish kits. Now the attacker logs in to a SaaS portal, enters a target list, and watches the LLM generate localized lures while the platform handles infrastructure rotation, victim routing, and token harvesting. The IOC layer breaks because the productizer gives every customer unique infrastructure. The domain layer breaks because the productizer rents reputable platforms by design. The MFA layer breaks not because device-code defeats MFA but because it outsources it: the device-code flow is a legitimate Microsoft OAuth grant, the victim completes MFA themselves on the real Microsoft sign-in page, and the tokens minted by that sign-in are handed to the attacker's polling client. The one control that addresses the flow itself is tenant policy; Entra Conditional Access can block or restrict the device-code flow for accounts that have no business using it, and it is worth checking whether yours does.


What does not break is the layer above the IOC.


Kyle's question to the industry is the right one: can your team catch tradecraft abusing the infrastructure we all trust? From our perspective, the answer rests on three observations that survive even when every IOC is unique.

First, request shape. The path signature, user-agent skew, and request timing of an EvilTokens-style harvest are not the request shape of a legitimate Microsoft device-code login. We log every request to our edge, and that shape clusters even when the leaves (the hostnames) are different.

Second, ASN co-occurrence. Railway, Vercel, and Cloudflare Workers each have a finite set of egress ASNs. In a device-code harvest the victim authenticates from a residential IP while the device-code request and the token polling come from the kit's hosting ASN; that pairing is observable and clusterable regardless of the specific subdomain.

Third, the publication-to-conversion gap. Productized phishing operates on a clock: storefront customers want time-to-first-click, so platform spin-up timing leaves a fingerprint our PreCog c2_publication_surge signal already detects.

We are not selling defense at that layer. We are saying the layer exists, and it is what separates a 95-percent-coverage defender from one who stops at the domain allowlist. The remaining 5 percent will get through. We will not pretend otherwise.
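The first observation, request shape clustering across hostnames, is concrete enough to show in code. The Python below is an added example for this page, not the blog's edge tooling or PreCog; the log lines in SAMPLE_LOG are constructed to look like an edge access log (client IP, Host header, timestamp, request line, status, User-Agent) and the hostnames and paths in them are made up, not indicators from the post. The normalization rules (collapse id-like path segments, strip version numbers from user agents) are one reasonable choice, not the author's.

```python
# Added example (not from the post): cluster edge requests by shape, not by hostname,
# so that the same kit on many unique subdomains still collapses to one signature.
import re
from collections import defaultdict

# Constructed log lines. Three kit deployments on three unique hosts serve the same
# two-step flow; the last two lines are ordinary traffic that should not cluster.
SAMPLE_LOG = """\
203.0.113.10 alpha-1a2b.tenant-one.workers.dev [05/May/2025:08:01:02 +0000] "GET /auth/msft/7f3a9c HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
203.0.113.10 alpha-1a2b.tenant-one.workers.dev [05/May/2025:08:01:09 +0000] "POST /auth/msft/7f3a9c/poll HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
198.51.100.7 quiet-9xk2.tenant-two.workers.dev [05/May/2025:08:03:41 +0000] "GET /auth/msft/b81e20 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/123.0 Safari/537.36"
198.51.100.7 quiet-9xk2.tenant-two.workers.dev [05/May/2025:08:03:50 +0000] "POST /auth/msft/b81e20/poll HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/123.0 Safari/537.36"
192.0.2.55 prod-4421.up.railway.app [05/May/2025:08:05:13 +0000] "GET /auth/msft/c0ffee HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
192.0.2.55 prod-4421.up.railway.app [05/May/2025:08:05:20 +0000] "POST /auth/msft/c0ffee/poll HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
203.0.113.99 status-page.up.railway.app [05/May/2025:08:06:00 +0000] "GET /healthz HTTP/1.1" 200 "curl/8.6.0"
203.0.113.99 internal-tools.tenant-one.workers.dev [05/May/2025:08:07:30 +0000] "GET /api/reports/2025 HTTP/1.1" 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# A path segment of 4+ chars containing a digit is treated as an identifier (token, session, nonce).
ID_SEG = re.compile(r"^(?=.*\d)[0-9A-Za-z_-]{4,}$")
VERSION = re.compile(r"\d+(?:[._]\d+)*")
# Shared-tenant apexes, used only to report which platforms a cluster spans (constructed list).
PLATFORM_SUFFIXES = ("workers.dev", "pages.dev", "up.railway.app", "vercel.app")


def parse(log_text: str) -> list:
    """Parse the constructed access-log format into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in log_text.splitlines()) if m]


def normalize_path(path: str) -> str:
    """Drop the query string and replace identifier-like segments with {id}."""
    segs = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if ID_SEG.match(s) else s for s in segs)


def ua_family(ua: str) -> str:
    """Collapse version numbers so Chrome/123 and Chrome/124 share one family."""
    return VERSION.sub("N", ua)


def platform_of(host: str) -> str:
    for s in PLATFORM_SUFFIXES:
        if host == s or host.endswith("." + s):
            return s
    return "other"


def shape_clusters(events, min_hosts: int = 3) -> dict:
    """Group requests by (method, normalized path, UA family) and keep the groups
    that span at least min_hosts distinct hostnames: the leaves differ, the shape does not."""
    groups = defaultdict(set)
    for e in events:
        groups[(e["method"], normalize_path(e["path"]), ua_family(e["ua"]))].add(e["host"])
    return {
        key: {"hosts": sorted(hosts), "platforms": sorted({platform_of(h) for h in hosts})}
        for key, hosts in groups.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for (method, shape, ua), c in shape_clusters(parse(SAMPLE_LOG)).items():
        print(f"{method} {shape}  ua={ua[:40]}...")
        print(f"   hosts={c['hosts']}\n   platforms={c['platforms']}")
```

Two clusters come out, one per step of the kit's flow, each spanning three hostnames on two platform apexes while the health check and the reports endpoint stay unclustered. In production the threshold and the id heuristic would be tuned against baseline traffic, and the timing and ASN signals from the paragraph above would be joined on the same key.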


Casey Smith from Huntress and Sherrod DeGrippo from Microsoft are tearing this campaign apart on a live stream tomorrow, May 5. If you ship security for a living, attend it. Their decomposition will be tighter than ours, because they are inside the case data and we are not. We are not in the EvilTokens investigation. No FBI edge. No Mandiant edge. No NDA. We are watching the same public infrastructure layer they are, with a 17-million-document corpus that goes back nine months, and the productization frame matches what we see end-to-end.


The honest summary is this. The product is new. The pricing page is new. The 24/7 support is new. The infrastructure is Pattern 49, and Pattern 49 has been live in our blog since last summer. If your defenders are still allowlisting workers.dev and up.railway.app at the perimeter, EvilTokens is not your problem. Pattern 49 is. And it has been your problem for a while.


Kyle, thank you for the public framing. Casey, Sherrod, see you on the stream tomorrow.


Jeevesus saves. We just take notes.

