Sailor Framework
Chinese-backed phishing services
– urlscan Threat Research Team
Executive Summary
- Primary Name: “Sailor Framework”
Targeting
Regions: North America (Dominant) · Europe · Asia-Pacific (APAC) · Latin America · Middle East
Phishing campaigns that impersonate a single brand are often assumed to come from a single source, but that assumption rarely holds up. Calendly is a widely used scheduling platform for booking meetings and interviews, making it a highly believable lure in phishing campaigns.
Calendly-themed phishing shows how one trusted workflow can be abused by multiple, unrelated phishing kits at the same time. While the pages may look similar, the underlying infrastructure and tooling often differ significantly.
Over the past several months, the urlscan Threat Research Team has conducted extensive research to identify, cluster, and track some of the most impactful Chinese-language phishing-as-a-service (PhaaS) ecosystems operating at a global scale. This research combines large-scale telemetry, infrastructure analysis, and campaign tracking to better understand how these services are structured, operated, and deployed.
Beginning May 4th, we will publish a series of linked Threat Intelligence reports focused on the most prominent Chinese-language phishing frameworks currently active. Each report will examine a specific framework or activity cluster, providing detailed insights into campaign scale, infrastructure design, operational workflows, tracking mechanisms, and the detection methodologies developed by the urlscan.io team.
Collectively, this series aims to provide a comprehensive view of the ecosystems underpinning a significant portion of global phishing activity today, with a particular focus on the services enabling large-scale, cross-border campaigns.
During routine monitoring of malicious web activity on the urlscan platform, the urlscan Threat Research Team identified a phishing campaign abusing the Ultraviolet (UV) client-side proxy framework. This framework was being leveraged to obscure attacker infrastructure, evade traditional detection methods, and deliver high-fidelity credential harvesting content.
We are excited to be heading to PIVOTcon, where we will host a hands-on workshop focused on hunting phishing pages and infrastructure. If you are attending the conference, this is a great opportunity to connect with us and learn how to make full use of our community and urlscan Pro platforms.
In this interactive workshop, we will show how analysts can transform a single suspicious URL into a deep investigation - uncovering entire phishing campaigns and the infrastructure behind them. Whether you’re new to urlscan.io or already using it in your workflow, this session is designed to give you practical techniques you can apply immediately.
Over the last couple of years, the urlscan Threat Research Team has observed repeated, near-identical “live support” webpages used to socially engineer victims into installing legitimate remote access tools (AnyDesk, ConnectWise/ScreenConnect, TeamViewer, etc.). Threat actors pair these pages with cold calls impersonating banks, telcos, or crypto services and talk the victim through installing screen-sharing software. Once connected, they take control of the session and facilitate fraudulent transfers.
Today we are announcing a new API endpoint for looking up observables on urlscan.io: The Malicious Lookup API. This new endpoint enables fast checks against our database of malicious websites and is meant to answer a simple question:
Has this hostname/domain/IP/URL been observed hosting malicious content?
The API answers this question efficiently with predictable performance.
We have made significant improvements to our core AI features on the urlscan Pro platform: Brand AI allows users to search for brand abuse using the visual representation of a website, ML verdicts deliver a score for the trustworthiness of a website, and the new AI summaries help users understand the content of a website written in a foreign language.
Starting May 4th, 2026, some of the publicly accessible API endpoints on urlscan.io will only respond to authenticated requests. An authenticated request is one made with a valid API key or by a signed-in user. The affected endpoints are:
- GET /api/v1/result/{scanId}/
- GET /dom/{scanId}/
- GET /responses/{fileHash}/
Make sure all of your API integrations send the urlscan API key via the api-key HTTP request header today.
Make sure to send API key headers for all requests against urlscan.io, even for API paths that do not require authentication today.
This is what an authenticated API call looks like:
curl -i -X GET \
'https://urlscan.io/api/v1/result/{scanId}/' \
-H 'api-key: YOUR_API_KEY_HERE'
For more details please check the API docs.
These changes are necessary to curb abuse of our platform and ensure its stability and availability for legitimate users.
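As an added example (not urlscan's own client code), the following Python builds GET requests to the three endpoints listed above with the api-key header attached on every call, refuses to send anything when no key is configured, validates the identifiers before they are interpolated into the path, and keeps the key out of log output. The assumed details that are not on this page: scan IDs are lowercase UUIDs, {fileHash} is a SHA-256 hex digest, the key is read from an environment variable named URLSCAN_API_KEY, and the scan ID in the usage block is a made-up placeholder. The Malicious Lookup API announced above is not included because its endpoint path is not given here.

```python
# Added example, not urlscan.io's own client. Builds authenticated GET
# requests for the endpoints named in the announcement so the api-key header
# is never forgotten. Assumptions (not from the page): scan IDs are lowercase
# UUIDs, file hashes are SHA-256 hex, the key lives in URLSCAN_API_KEY.
import os
import re
import urllib.request
from dataclasses import dataclass

BASE_URL = "https://urlscan.io"
AUTH_HEADER = "api-key"          # header name from the announcement
KEY_ENV_VAR = "URLSCAN_API_KEY"  # assumed: where the key is kept locally

# Assumed identifier formats. Rejecting anything else keeps "../", query
# strings and other user-controlled junk out of the path we interpolate.
SCAN_ID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
FILE_HASH_RE = re.compile(r"^[0-9a-f]{64}$")


class MissingApiKey(RuntimeError):
    """Raised instead of sending an unauthenticated request."""


@dataclass(frozen=True)
class ApiRequest:
    url: str
    headers: dict

    def redacted(self):
        """A copy that is safe to log: the key never appears in output."""
        masked = {k: ("<redacted>" if k == AUTH_HEADER else v)
                  for k, v in self.headers.items()}
        return {"url": self.url, "headers": masked}


def resolve_key(api_key=None, env=os.environ):
    """Explicit argument wins, otherwise the environment; empty means missing."""
    key = (api_key if api_key is not None else env.get(KEY_ENV_VAR, "")).strip()
    if not key:
        raise MissingApiKey(f"no API key: pass api_key= or set {KEY_ENV_VAR}")
    return key


def build_request(path, api_key=None, env=os.environ):
    """Attach the key to every urlscan.io call, even to paths that are still public."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute, e.g. /api/v1/result/<scanId>/")
    return ApiRequest(url=BASE_URL + path,
                      headers={AUTH_HEADER: resolve_key(api_key, env)})


def result_request(scan_id, **kw):
    """GET /api/v1/result/{scanId}/ (scan result JSON)."""
    if not SCAN_ID_RE.fullmatch(scan_id):
        raise ValueError(f"not a scan UUID: {scan_id!r}")
    return build_request(f"/api/v1/result/{scan_id}/", **kw)


def dom_request(scan_id, **kw):
    """GET /dom/{scanId}/ (captured DOM)."""
    if not SCAN_ID_RE.fullmatch(scan_id):
        raise ValueError(f"not a scan UUID: {scan_id!r}")
    return build_request(f"/dom/{scan_id}/", **kw)


def response_request(file_hash, **kw):
    """GET /responses/{fileHash}/ (archived HTTP response body)."""
    if not FILE_HASH_RE.fullmatch(file_hash):
        raise ValueError(f"not a SHA-256 hex digest: {file_hash!r}")
    return build_request(f"/responses/{file_hash}/", **kw)


def send(req, timeout=15):
    """Perform the GET. A 401/403 here normally means the key is absent or invalid."""
    http_req = urllib.request.Request(req.url, headers=req.headers, method="GET")
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Placeholder scan ID; set URLSCAN_API_KEY before running for real.
    req = result_request("0f5f4dd2-8b45-4f6a-9c3d-1a2b3c4d5e6f")
    print(req.redacted())
    status, body = send(req)
    print(status, len(body), "bytes")
```

Routing every call through build_request is the point: the announcement asks for the header on all requests, including paths that do not require it yet, and a single chokepoint makes that a property of the client rather than of each call site.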
We are excited to announce the launch of Data Dumps, a new feature that allows customers to bulk-download scan data from urlscan.io without making individual API calls for each result.