Phishing Kits & PhaaS
What Is CuddlePhish?
CuddlePhish is a weaponized Browser-in-the-Middle (BitM) tool that uses WebRTC to intercept and relay user sessions between a victim's browser and an attacker-controlled Chrome instance. Released by security researcher Forrest Kasler as a red team tool for penetration testing, CuddlePhish was not initially designed as a threat actor tool but demonstrates advanced phishing capabilities. The tool was presented at Black Hat USA 2023 Arsenal and subsequently published through SpecterOps to raise awareness of this attack vector (SpecterOps, 2023).
How Does CuddlePhish Work?
Session interception pairs each visitor to the phishing site with an automated Chrome browser running on the phishing server, according to the GitHub documentation and SecurityOnline. A video feed of that attacker-controlled Chrome instance is streamed to the victim over WebRTC, a browser technology designed for real-time communication and screen sharing. Input relay forwards the victim's mouse movements and keystrokes from the victim's browser to the attacker's Chrome instance over WebSocket connections. The server uses WebSockets to track victims, pair each one with a browser, and broker the WebRTC video feeds.
Credential extraction uses Chrome DevTools Protocol (CDP) APIs, specifically the Storage.getCookies method, to harvest session cookies after the victim logs in. The tool also records every keystroke in a keylog.txt file inside each browser instance's user data directory. Attacker control override lets the operator intervene at any point and drive the Chrome instance directly, using the same input relay mechanism through which the victim's actions normally travel.
Technical Architecture
CuddlePhish relies on three core technologies working in concert according to the SpecterOps technical analysis (SpecterOps, 2023). The browser runs inside Xvfb (X virtual framebuffer), an X11 server commonly used for headless client testing, which provides a virtual display for the Chrome instance without requiring a physical monitor. Puppeteer, a Node.js library for browser automation, drives each Chrome instance using functions like mouse.move() and keyboard.down() to replicate victim inputs on the attacker-controlled browser. WebRTC, the same protocol used for legitimate video conferencing and screen sharing, broadcasts the visual output of the attacker's browser to the victim in real time.
The attack flow follows three steps according to SpecterOps. First, WebRTC broadcasts the attacker's Chrome browser display to the victim. Second, JavaScript event listeners built into the phishing page capture mouse movements (mousemove events) and keyboard activity (keyDown events) in the victim's browser. Third, Puppeteer mirrors all captured victim inputs on the attacker's automated Chrome instance in real time, creating the illusion that the victim is interacting directly with the legitimate website.
Multi-User Scaling and Session Management
CuddlePhish supports simultaneous multi-user sessions by automatically spawning new browser instances and assigning unique tracking IDs to each victim according to the GitHub documentation. This means multiple victims can be phished concurrently, each paired with their own dedicated Chrome instance. The server orchestrates all WebRTC connections, WebSocket channels, and browser instances through a centralized management layer.
TURN Server Requirements
For reliable video feed establishment across network boundaries, the tool documentation recommends deploying a self-hosted TURN (Traversal Using Relays around NAT) server according to SpecterOps. While public STUN servers are available for basic WebRTC negotiation, trustworthy public TURN servers do not exist, requiring administrators to self-host using tools like coturn. This adds infrastructure complexity but ensures reliable operation across diverse network configurations.
Cookie and Token Extraction
Beyond basic credential capture, CuddlePhish leverages Chrome DevTools Protocol functions including Storage.getCookies and DOMStorage.getDOMStorageItems to extract all cookies and local storage items, including JSON Web Tokens, from authenticated sessions (SpecterOps, 2023). These extracted artifacts can subsequently be injected into separate browser sessions for persistent account impersonation, even after the victim has closed their session.
What Are CuddlePhish's Limitations?
The tool requires victim click-through: the victim must click the initial phishing link and then interact with what appears to be a shared screen, which creates more friction than a simple form submission. Browser detection risk arises because running Chrome on the backend and streaming its display is resource-intensive and may be detectable by sophisticated EDR. Latency and UX issues occur because the video feed introduces lag compared to a native browser, and a poor experience can raise the victim's suspicion. Bandwidth cost is significant, since WebRTC streaming consumes substantial server resources per victim. WebRTC fingerprinting means the WebRTC APIs themselves can be detected and analyzed by defensive tools. Post-exploitation complexity follows from the attacker needing to be present to extract cookies in real time rather than harvesting them passively.
How Does CuddlePhish Compare to Other Phishing Approaches?
Unlike traditional phishing kits that clone HTML login forms and harvest static credentials, CuddlePhish provides a fundamentally different attack model according to Quarkslab. Traditional reverse proxy kits like Evilginx intercept traffic at the network layer, which security tools are increasingly designed to detect. CuddlePhish operates at the browser rendering layer instead, using a legitimate communication protocol (WebRTC) that is difficult to distinguish from normal video conferencing traffic.
The tool requires no special per-target configuration, functioning as a "point-and-shoot" solution against virtually any website that uses traditional authentication mechanisms (SpecterOps, 2023). This universality is a significant advantage over template-based phishing kits that require custom HTML clones for each target. Additionally, CuddlePhish can deliver file payloads to victims through JavaScript-based file transfer capabilities during the session, extending its utility beyond pure credential theft.
How Can You Defend Against CuddlePhish?
Detection methods include monitoring WebRTC usage in a phishing context, analyzing video stream patterns in suspicious traffic, detecting abnormal Chrome DevTools Protocol activity, and looking for WebSocket connections paired with WebRTC data channels. Defensive tools and strategies include EDR solutions with WebRTC protocol anomaly detection; disabling WebRTC in browsers where possible, or limiting it to secure contexts; monitoring for processes spawning automated Chrome instances; email filtering to block known CuddlePhish distribution vectors; WebRTC leak detection tools during security assessments; and behavioral analysis for unusual input and output patterns on login pages. Organizational controls include browser isolation and containment solutions, geofencing and IP-based restrictions on login attempts, MFA on all accounts to reduce the value of a session even if it is compromised, session timeout enforcement, and user training on legitimate versus suspicious screen-share requests.
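The last detection idea above, pairing a WebSocket connection with WebRTC signalling to the same host right after that host served a page, can be expressed as a simple correlation rule. The following is an added example written for this article, not code from the CuddlePhish project or from SpecterOps; the log format and the addresses in SAMPLE_LOG are constructed, and the event names (http_html, ws_upgrade, stun_binding, turn_allocate) stand in for whatever your proxy or network sensor actually emits.

```javascript
// Added example (not from the CuddlePhish project). Correlates, per
// client->server pair, an HTML page delivery followed within a short window
// by both a WebSocket upgrade and WebRTC signalling (STUN binding or TURN
// allocation) to the same server. That combination is what a BitM phishing
// page produces; legitimate conferencing sites produce it too, so treat hits
// as an enrichment signal rather than a verdict.

// Constructed sample log: "<epoch seconds> <client> <server> <event>".
const SAMPLE_LOG = [
  "1000 10.0.0.5 203.0.113.10 http_html",
  "1002 10.0.0.5 203.0.113.10 ws_upgrade",
  "1003 10.0.0.5 203.0.113.10 stun_binding",
  "1004 10.0.0.5 203.0.113.10 turn_allocate",
  "1010 10.0.0.7 198.51.100.4 http_html",   // page + WebSocket, no WebRTC
  "1011 10.0.0.7 198.51.100.4 ws_upgrade",
  "1300 10.0.0.9 192.0.2.20 stun_binding",  // WebRTC with no page or socket
  "1305 10.0.0.9 192.0.2.20 turn_allocate",
];

const WEBRTC_EVENTS = new Set(["stun_binding", "turn_allocate"]);

function parseLine(line) {
  const [ts, client, server, event] = line.trim().split(/\s+/);
  return { ts: Number(ts), client, server, event };
}

// Returns one hit per client->server pair where a page delivery is followed,
// within windowSeconds, by both a WebSocket upgrade and WebRTC signalling.
function findBitmCandidates(lines, windowSeconds = 60) {
  const byPair = new Map();
  for (const rec of lines.map(parseLine)) {
    const key = `${rec.client}->${rec.server}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(rec);
  }

  const hits = [];
  for (const [pair, recs] of byPair) {
    const pages = recs.filter((r) => r.event === "http_html");
    const sockets = recs.filter((r) => r.event === "ws_upgrade");
    const rtc = recs.filter((r) => WEBRTC_EVENTS.has(r.event));
    for (const page of pages) {
      const inWindow = (r) => r.ts >= page.ts && r.ts - page.ts <= windowSeconds;
      const ws = sockets.find(inWindow);
      const sig = rtc.find(inWindow);
      if (ws && sig) {
        hits.push({ pair, pageAt: page.ts, wsAt: ws.ts, webrtcAt: sig.ts });
        break; // one hit per pair is enough for triage
      }
    }
  }
  return hits;
}

// Stand-alone run: prints the single constructed hit.
console.log(JSON.stringify(findBitmCandidates(SAMPLE_LOG), null, 2));
```

Only the first client/server pair in the sample produces a hit; the second lacks WebRTC signalling and the third never served a page. In practice you would feed the rule with real sensor output and combine a hit with domain age or reputation of the server, since the pattern alone also describes every legitimate screen-sharing session.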
Hardware Authentication and Client Certificates
The most effective defenses against CuddlePhish are hardware security keys and client certificate authentication according to SpecterOps (2023). Hardware authentication devices such as YubiKeys implement domain-bound authentication that will not recognize the phishing domain, preventing the authentication flow from completing through the proxy. Client certificate authentication similarly binds the authentication process to a specific cryptographic identity that cannot be relayed through the BitM attack. JavaScript-based domain validation checks embedded within authentication flows also provide protection by verifying the browser is communicating with the expected domain.
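The reason domain-bound authenticators survive this attack is the origin check a browser performs before it lets a security key sign a WebAuthn challenge: the relying party ID requested by the page must match the origin the page was actually loaded from, so a phishing origin can never obtain a signature valid for the real site. The following added example (written for this article, not code from SpecterOps, the CuddlePhish project or any WebAuthn library) reimplements a simplified form of that rule so it can be run outside a browser; the domains are constructed, and the real browser check additionally refuses public suffixes such as "com", which is approximated here by requiring a dot inside the rpId.

```javascript
// Added example: simplified WebAuthn relying-party-ID binding check.
// A browser only lets an authenticator sign for rpId when rpId equals the
// origin's host or is a parent domain of it, and the origin is secure.
function originMatchesRpId(origin, rpId) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // not a parseable origin
  }
  const secureContext = url.protocol === "https:" || url.hostname === "localhost";
  if (!secureContext) return false;

  const host = url.hostname.toLowerCase();
  const rp = rpId.toLowerCase();
  if (host === rp) return true;
  // Parent-domain rule. Requiring a dot inside rpId is a stand-in for the
  // public-suffix refusal the real check performs (an assumption/simplification).
  return rp.includes(".") && host.endsWith("." + rp);
}

// Constructed scenario: the legitimate login host and the origins a BitM
// phishing page might be served from.
const LEGIT_RP_ID = "example.com";

function evaluateScenario() {
  return {
    // Real login page: the key will sign.
    legitimateLogin: originMatchesRpId("https://login.example.com", LEGIT_RP_ID),
    // Phishing origin that merely contains the real domain as a prefix.
    phishingPage: originMatchesRpId("https://example.com.evil-phish.test", LEGIT_RP_ID),
    // Look-alike domain.
    lookalike: originMatchesRpId("https://examp1e.com", LEGIT_RP_ID),
    // Correct host but not a secure context.
    plainHttp: originMatchesRpId("http://login.example.com", LEGIT_RP_ID),
  };
}

console.log(evaluateScenario());
```

Only the legitimate origin passes. The same comparison, host of the current page against the expected host, is what a JavaScript-based domain validation check inside an authentication flow performs; the difference with a hardware key is that the check is enforced by the browser and the signature is cryptographically bound to the rpId, so a relayed challenge is useless to the attacker.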
FAQs
How is CuddlePhish different from stealing credentials via a fake login page?
CuddlePhish maintains live session control through the entire interaction, allowing the attacker to see and control exactly what the victim sees and does, according to Quarkslab and the GitHub documentation. A traditional phishing page only harvests the credentials, and the attacker must then authenticate separately with them. CuddlePhish enables real-time session hijacking.
Why would an attacker use CuddlePhish instead of a reverse proxy phishing kit?
CuddlePhish leverages WebRTC, a legitimate browser protocol designed for communication, making it harder to distinguish from normal traffic according to Red Book and Quarkslab. Reverse proxies are easier to detect at network layers. CuddlePhish also provides complete visual feedback on what the victim is doing.
Can CuddlePhish bypass MFA?
Yes, according to security analysis. If the victim enters their credentials and MFA code while "viewing" the attacker's Chrome instance, the attacker can see the code and complete authentication in real time. It is not a technical bypass but session interception at the point where the victim is authenticated.
Is CuddlePhish available as open-source software?
Yes, CuddlePhish is published as an open-source tool on GitHub by Forrest Kasler under the SpecterOps umbrella (GitHub, 2023). It was released specifically to allow penetration testers to use Browser-in-the-Middle techniques during authorized engagements and to raise awareness of this attack vector among defenders.