What Is Gabagool?
Gabagool is a sophisticated Adversary-in-the-Middle (AiTM) phishing kit that uses JWT-based session management to capture credentials and authentication tokens. It targets corporate and government employees and leverages trusted cloud platforms to bypass security filters and exfiltrate login credentials alongside multi-factor authentication tokens. According to TRAC Labs and Lumma Labs analysis published on Medium in 2024, the platform employs advanced evasion techniques: QR codes split into two image files that appear as a single QR code when rendered together in email clients, URL shorteners including tiny.cc and tiny.pl for obfuscation, and abuse of legitimate cloud services including SharePoint, SugarSync, and Box before routing to phishing pages hosted in Cloudflare R2 buckets, exploiting trusted CDN infrastructure to bypass reputation filters.
The attack methodology begins with threat actors compromising employee email accounts then using those compromised accounts to send phishing emails to other employees within the same organization, creating internal trusted sender relationships that evade external sender filtering. According to Security Online and Barracuda technical analysis from 2024, harvested credentials are encrypted using AES before exfiltration, JWT tokens are recorded with timestamps documenting issuance and expiration periods, and bot evasion techniques ensure only legitimate users encounter full credential harvesting forms. Gabagool represents part of a wave of new AiTM kits that emerged in late 2024 alongside Sneaky 2FA, CEPHAS, Legions 2FA, and Saiga 2FA according to Sekoia.io global AiTM analysis.
How Does Gabagool Work?
Gabagool operates through a multi-stage attack chain beginning with email account compromise. According to TRAC Labs analysis published on Medium, threat actors first compromise an employee's email account through separate phishing attacks, credential stuffing, or other compromise vectors. Once controlling an internal email account, attackers use this compromised account to send phishing emails to other employees within the organization. This internal-sender approach bypasses email security gateway filters that primarily target external senders, significantly improving delivery rates and victim trust.
The obfuscation layer employs split QR codes as a novel evasion technique. According to Barracuda and TRAC Labs analysis, Gabagool divides QR codes into two separate image files that appear as a single QR code when rendered together in email clients. Victims scanning what appears to be a unified QR code unwittingly trigger malicious URLs. Additionally, embedded URL shorteners including tiny.cc and tiny.pl obscure final destinations, preventing URL reputation analysis before victims click. Image attachments disguised as documents contain embedded URLs that further obfuscate phishing infrastructure.
Infrastructure abuse leverages legitimate cloud services to bypass security filtering. According to TRAC Labs and Security Online analysis, Gabagool redirects victims through SharePoint, SugarSync, and Box before routing to actual phishing pages. These legitimate platforms provide trusted domain reputations that email gateways and web filters allow, enabling phishing content delivery that would be blocked if hosted on known malicious infrastructure. The final phishing page hosting in Cloudflare R2 buckets provides additional legitimacy through Cloudflare's CDN reputation while making actual backend servers difficult to identify.
JWT session hijacking forms the core technical capability. According to TRAC Labs analysis, Gabagool harvests the JSON Web Tokens (JWTs) used to maintain authenticated sessions, encrypts stolen credentials using AES before exfiltration, and records each token with precise timestamps including issuance time (example: November 17, 2024) and expiration time (example: November 18, 2024). This token capture enables attackers to replay authenticated sessions without re-entering a password or MFA code, because the JWT itself is proof that authentication already occurred.
Bot evasion ensures only legitimate victims encounter credential harvesting. According to TRAC Labs and Barracuda analysis, Gabagool implements checks detecting automated scanners, sandboxed analysis environments, and security researcher tools. Only users passing these checks encounter the full phishing form, while automated systems see benign content or error messages. This evasion substantially complicates threat intelligence gathering as security vendors struggle to catalog Gabagool characteristics through automated analysis.
What Are the Limitations of Gabagool?
Initial Email Compromise Requirement
Gabagool's attack methodology requires prior email account compromise for internal sender spoofing. According to TRAC Labs analysis, this dependency means attackers must successfully compromise at least one organizational email account before launching Gabagool campaigns. This prerequisite attack adds complexity and risk compared to external phishing campaigns, though the improved delivery rates and victim trust from internal senders may justify the additional effort for sophisticated operators.
Split QR Code Image Metadata Detection
The split QR code obfuscation technique creates detectable patterns through image metadata analysis. According to Barracuda technical analysis, email security tools analyzing image properties can identify suspicious patterns including multiple sequential images rendering as unified QR codes, unusual image dimensions matching QR code specifications, and rapid sequential image display in email rendering. Advanced email gateways implementing image analysis can flag these patterns for quarantine or additional scrutiny.
Cloudflare R2 Abuse Reporting Vulnerability
Hosting phishing pages in Cloudflare R2 buckets creates exposure to Cloudflare's abuse reporting and takedown processes. According to Security Online analysis from 2024, Cloudflare responds to abuse reports documenting terms of service violations including phishing infrastructure. Organizations can report Gabagool phishing pages to Cloudflare for expedited removal, disrupting campaigns mid-execution. This legitimate platform dependency creates operational vulnerability absent from dedicated bulletproof hosting.
JWT Token Temporal Limitations
Captured JWT tokens maintain validity only for limited timeframes documented in token metadata. According to TRAC Labs analysis, observed tokens showed one-hour validity windows between issuance and expiration (November 17-18, 2024 timestamps). Attackers must exploit replayed tokens within these narrow windows or lose access when tokens expire. Organizations implementing aggressive JWT expiration policies of minutes rather than hours substantially reduce exploitation opportunities.
Network Segmentation Defeats Token Replay
Organizations with network-level segmentation and access control can prevent Gabagool token replay even when tokens remain technically valid. According to technical analysis, network policies requiring authentication from specific IP ranges, VPN connections, or managed devices block token replay from external attacker infrastructure. The JWT token validates authentication occurred but does not authenticate the network context, enabling network-layer defenses independent of token validity.
How Can Organizations Defend Against Gabagool?
Email Image-Based Phishing Detection
Email security gateways should implement image analysis flagging split QR codes and suspicious image-in-document patterns. According to Barracuda guidance, analysis should examine image metadata for QR code dimensions, sequential images rendering as unified codes, and unusual attachment-to-body ratios. Machine learning models trained on legitimate versus phishing email image patterns can identify Gabagool's distinctive split QR code approach. Suspicious emails should be quarantined for security analyst review before delivery.
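As an added illustration of the image-analysis heuristic described above (this is example code, not a vendor's or TRAC Labs' detector), the following parses a constructed MIME message and flags two inline images that sit side by side in the HTML, share a height, and together form a square, which is the shape a QR code split into two halves produces. Only PNG headers are inspected, and the sample images are constructed stubs with no pixel data.

```python
import re
import struct
from email.message import EmailMessage

def png_size(data):
    """Width and height from a PNG IHDR chunk, or None if the bytes are not a PNG."""
    if len(data) < 24 or data[:8] != b"\x89PNG\r\n\x1a\n":
        return None
    return struct.unpack(">II", data[16:24])

def adjacent_cid_pairs(html):
    """Yield (cid_a, cid_b) for inline images separated only by whitespace or <br>."""
    tags = list(re.finditer(r'<img[^>]*src="cid:([^"]+)"[^>]*>', html, re.I))
    for a, b in zip(tags, tags[1:]):
        if re.fullmatch(r"(\s|<br\s*/?>)*", html[a.end():b.start()], re.I):
            yield a.group(1), b.group(1)

def find_split_qr(msg):
    """Flag adjacent inline images of equal height whose combined shape is square."""
    images, html = {}, ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()
        elif part.get_content_maintype() == "image":
            size = png_size(part.get_payload(decode=True) or b"")
            cid = (part.get("Content-ID") or "").strip("<>")
            if cid and size:
                images[cid] = size
    hits = []
    for ca, cb in adjacent_cid_pairs(html):
        if ca in images and cb in images:
            (wa, ha), (wb, hb) = images[ca], images[cb]
            # Two halves of one QR code: same height, combined width about equal to it
            if ha == hb and abs((wa + wb) - ha) <= max(4, ha // 10):
                hits.append((ca, cb))
    return hits

def fake_png(width, height):
    """Constructed PNG signature plus IHDR only: enough for png_size(), not a real image."""
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))

def build_sample():
    """Constructed message carrying one QR code split into two 150x300 halves."""
    msg = EmailMessage()
    msg.set_content("Please scan the QR code to review the shared document.")
    msg.add_alternative('<p>Scan to review:</p><img src="cid:left"><img src="cid:right">', subtype="html")
    html_part = msg.get_payload()[1]
    html_part.add_related(fake_png(150, 300), "image", "png", cid="<left>")
    html_part.add_related(fake_png(150, 300), "image", "png", cid="<right>")
    return msg
```

A production gateway would extend png_size() to other image formats and feed the hit into quarantine rather than returning it.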
URL Shortener Blocking or Scrutiny
Organizations should block URL shorteners including tiny.cc and tiny.pl at network perimeters if operationally feasible. According to security guidance, if business requirements prevent outright blocking, email gateways should flag emails containing URL shorteners for elevated scrutiny, perform real-time expansion of shortened URLs to analyze final destinations, and sandbox-detonate shortened URLs before allowing email delivery. Many phishing campaigns leverage URL shorteners for obfuscation, justifying aggressive defensive postures.
Hardware Security Key Deployment
FIDO2 hardware security keys provide effective protection against Gabagool's JWT token theft. According to security guidance, hardware keys use the WebAuthn protocol, which cryptographically binds credentials to the legitimate domain. When Gabagool presents phishing pages from fraudulent domains hosted in Cloudflare R2 buckets, hardware keys detect the domain mismatch and refuse authentication. This protection functions regardless of Gabagool's cloud platform abuse or obfuscation sophistication.
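To show why the domain binding holds up against an AiTM relay, here is an added example (not code from the original page or any FIDO library) of the origin and rpId checks a relying party performs on a WebAuthn assertion before it even looks at the signature. The relying party identifier login.example.com, the phishing origin used in the test, and the clientDataJSON and authenticatorData builders are all constructed for the example.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                 # assumed relying-party identifier
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def verify_assertion_context(client_data_b64, auth_data, expected_challenge):
    """Origin-binding checks a relying party performs before verifying the signature.
    Returns (ok, reason)."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    # The browser, not the page, writes the origin into clientDataJSON, and the
    # authenticator signs over SHA-256(clientDataJSON), so a relay cannot rewrite it.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    # authenticatorData starts with SHA-256(rpId); a browser only lets a page use an
    # rpId that matches its own domain, so a look-alike host yields a different hash.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

def make_client_data(origin, challenge):
    """Constructed clientDataJSON as a browser would emit for a page at `origin`."""
    return b64url(json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode())

def make_auth_data(rp_id):
    """Constructed authenticatorData: rpIdHash || flags (UP set) || 4-byte signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
```

A TOTP code carries no equivalent of the origin field, which is why it can be relayed and a WebAuthn assertion cannot.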
Internal Email Authentication Monitoring
Security operations should implement anomalous internal email pattern detection identifying compromised accounts used for Gabagool distribution. According to TRAC Labs and Barracuda guidance, monitoring should alert on unusual internal email volumes, atypical attachment types from specific accounts, and internal emails containing external authentication URLs. DMARC, SPF, and DKIM alignment checking should extend to internal senders to detect compromised account abuse.
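The following added example (not the page's or any vendor's code) implements two of the detections described above, the per-sender internal volume alert from this section and the URL-shortener scrutiny from the previous one, over a constructed gateway log. The corporate domain example.com and the hourly baseline of 20 messages are assumptions; a real deployment would derive the baseline from historical traffic.

```python
from collections import Counter
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"        # assumed corporate domain
SHORTENERS = {"tiny.cc", "tiny.pl"}    # shorteners named in the analysis above
AUTH_KEYWORDS = ("login", "signin", "sso", "auth", "verify")
BASELINE_PER_HOUR = 20                 # assumed per-sender ceiling; derive from real history

def classify_url(url):
    """Return an alert reason for a URL in an internal email, or None if it looks benign."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host or host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN):
        return None
    if host in SHORTENERS:
        return "url shortener"
    if any(k in host or k in parsed.path.lower() for k in AUTH_KEYWORDS):
        return "external authentication URL"
    return None

def analyze(records):
    """records: gateway log entries with ts (ISO 8601), from, to and body URLs.
    Only internal senders are examined; external mail takes the normal gateway path."""
    per_sender_hour = Counter()
    url_alerts = []
    for rec in records:
        sender = rec["from"].lower()
        if not sender.endswith("@" + INTERNAL_DOMAIN):
            continue
        per_sender_hour[(sender, rec["ts"][:13])] += 1   # bucket by hour
        for url in rec["urls"]:
            reason = classify_url(url)
            if reason:
                url_alerts.append((sender, rec["to"], url, reason))
    volume_alerts = sorted({s for (s, _), n in per_sender_hour.items() if n > BASELINE_PER_HOUR})
    return {"volume": volume_alerts, "urls": url_alerts}

# Constructed sample log: one compromised mailbox sending a shortened link to 25
# colleagues within an hour, plus ordinary internal traffic.
SAMPLE_LOG = [
    {"ts": "2024-11-17T09:%02d:00" % i, "from": "j.doe@example.com",
     "to": "user%02d@example.com" % i, "urls": ["https://tiny.cc/x7q2"]}
    for i in range(25)
] + [
    {"ts": "2024-11-17T09:10:00", "from": "a.smith@example.com",
     "to": "j.doe@example.com", "urls": ["https://intranet.example.com/reports"]},
    {"ts": "2024-11-17T10:02:00", "from": "hr@example.com",
     "to": "all@example.com", "urls": ["https://hr-portal.example.net/login"]},
]
```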
Network Segmentation and Access Control
Organizations should implement network segmentation preventing JWT token replay from external infrastructure. According to technical guidance, policies should restrict access to sensitive applications from known corporate IP ranges or trusted VPN endpoints, require device compliance before granting access to corporate resources, and implement continuous authentication re-verification for sensitive operations. These network-layer controls block token replay attempts even when tokens remain cryptographically valid.
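As an added example serving both this section and the JWT lifetime and network-context points in the limitations above (example code, not from the page or any identity product), the function below accepts a token only when its HS256 signature verifies, it is unexpired, its issued-to-expiry window is within a minutes-long policy, and the request arrives from a trusted network. The signing key, the trusted CIDR ranges and the token builder are constructed for the example; only the standard library is used.

```python
import base64
import hashlib
import hmac
import ipaddress
import json

SECRET = b"constructed-demo-hs256-key"     # assumed shared signing key for the sample token
MAX_LIFETIME = 15 * 60                     # policy: lifetimes in minutes, not hours
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]  # assumed corporate + VPN
IAT_2024_11_17 = 1731801600                # 2024-11-17T00:00:00Z, the issuance date cited above

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(subject, iat, lifetime):
    """Constructed HS256 JWT carrying sub, iat and exp claims."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64u(json.dumps({"sub": subject, "iat": iat, "exp": iat + lifetime}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(sig)}"

def authorize(token, source_ip, now):
    """Return (allowed, reason). A valid signature is necessary but not sufficient."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    if json.loads(b64u_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"               # pin the algorithm, never trust the header
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64u_decode(payload))
    if now >= claims["exp"]:
        return False, "expired"                      # a captured token replayed outside its window
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        return False, "lifetime exceeds policy"      # an hour-long token is rejected outright
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in TRUSTED_NETS):
        return False, "source network not trusted"   # valid token, wrong network context
    return True, "ok"
```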
FAQs
How does Gabagool differ from traditional phishing kits?
Gabagool uses real-time AiTM session hijacking with JWT token capture to bypass MFA, while traditional kits only capture credentials. According to TRAC Labs analysis, traditional phishing pages display static forms recording usernames and passwords, then redirect to legitimate sites or display errors. Gabagool intercepts complete authentication flows including JWT tokens issued after successful login, enabling immediate account access. The split QR code obfuscation and legitimate cloud platform abuse (SharePoint, SugarSync, Box, Cloudflare R2) represent additional sophistication beyond basic credential harvesting.
Can Gabagool be detected by MFA?
Standard time-based MFA (TOTP) provides no protection because Gabagool intercepts JWT tokens after MFA completion. According to TRAC Labs and Sekoia.io analysis, when victims complete MFA challenges believing they're authenticating to legitimate services, Gabagool captures the JWT tokens issued by authentication servers after MFA validation. These tokens enable account access without requiring new MFA challenges. Hardware key-based MFA (FIDO2) is resistant because cryptographic domain binding detects phishing pages.
Why does Gabagool use Cloudflare R2?
Cloudflare is a trusted CDN used by millions of legitimate organizations. According to Security Online and TRAC Labs analysis, using Cloudflare R2 infrastructure bypasses reputation-based URL filters and makes phishing pages appear legitimate. Email security gateways and web filters typically allow Cloudflare domains due to extensive legitimate use, enabling Gabagool content delivery that would be blocked if hosted on known malicious providers. The Cloudflare reputation exploitation represents platform abuse similar to SharePoint and SugarSync abuse earlier in the attack chain.
How is Gabagool distributed?
Gabagool appears to be used directly by threat actor groups rather than sold as a commercial service. According to TRAC Labs analysis, infrastructure is managed by operators conducting campaigns rather than distributed through PhaaS marketplaces. This direct-use model differs from commercial PhaaS platforms like Tycoon 2FA or Sneaky 2FA that sell subscriptions to diverse customers. The lack of commercial distribution suggests Gabagool may be proprietary tooling developed for specific threat actor operations.
What organizations should prioritize defense against Gabagool?
Corporate enterprises and government agencies with high-value email accounts represent primary targets. According to TRAC Labs analysis, Gabagool specifically targets corporate and government employees, suggesting focus on organizations with sensitive data, financial resources, or strategic intelligence. Organizations in these sectors should prioritize defenses including hardware security keys, email image analysis, internal email anomaly detection, and network segmentation to protect against Gabagool's sophisticated techniques.