Mimecast Logo
Richiedi un preventivo

    Phishing Kits Using Bitwise Operations to Evade Detection

    17 March 2026

    By David Johnson and the Mimecast Threat Research Team

    Key Points
    • Phishing kit operators are implementing obfuscation techniques using bit control operations to collapse traditional control flow logic
    • This technique significantly increases analysis time by transforming readable conditional statements into compressed mathematical operations
    • Attackers use bit operations to filter unwanted visitors including security tools, mobile devices and headless browsers

    What We're Seeing

    Threat actors are using bit control operations to obscure web pages predominantly leading to credential harvesting. Instead of straightforward conditional statements, they're compressing multiple checks into complex bitwise operations. This makes the code substantially harder to analyze and increases the time detection systems need to fingerprint these kits.

    The attackers use these operations for a number of reasons including to filter out unwanted visitors—security researchers, automated scanners, mobile devices, headless browsers—while making it very difficult for incident response teams to understand what the code actually does when they do find it.

    How Control Flow Works and Why It Matters

    Control flow describes how a program moves from one instruction to the next. In everyday terms, control flow mirrors human decision-making processes.

    Consider the decision to carry an umbrella: the action depends on whether it's raining. This logic translates to: IF it is raining outside THEN take an umbrella.

    In programming, this same conditional logic determines what actions the code will execute based on variable states. Control flow encompasses three primary categories:

    • Conditional statements (if-else, switch) — decisions based on conditions
    • Looping statements (for, while, do-while) — repeated actions
    • Jump statements (break, continue, return, goto) — redirecting program execution

    In the context of phishing kits, this means conditional logic that decides how the web page interacts with the victim.

    How Attackers Collapse Control Flow

    In an attempt to obscure control flow, phishing kit authors collapse multiple conditional statements using bit operations. Rather than creating separate if-else statements for each condition, they assign bit values that can be retrieved and evaluated collectively.

    Example scenario:I A phishing kit designed to target desktop users in a specific organization might filter out connections from mobile devices. This concept extends to numerous conditions around expected versus unexpected visitor characteristics.

    The goal is limiting interaction from unintended individuals or machines—particularly security researchers and automated scanning tools. Additionally, these checks monitor user behavior on the phishing page, detecting whether text entry speed appears inhuman or whether the visitor attempts to open developer tools.

    By using bit operations, phishing kits significantly hamper analysis efforts, making it difficult for security teams to understand the code's true functionality.

    Three Obfuscation Levels We're Observing

    Level 1: Standard Readable Code

    In typical phishing kit implementations, conditional checks appear as straightforward code:
    var isMobile = /Mobile|Android|iPhone|iPad/i.test(navigator.userAgent); var isHeadless = navigator.webdriver; if (isMobile) { if (isHeadless) { console.log("mobile, headless"); } else { console.log("mobile, not headless"); } } else { if (isHeadless) { console.log("desktop, headless"); } else { console.log("desktop, not headless"); } }

    This code is immediately readable. An analyst can quickly identify that the kit checks for mobile devices and headless browser indicators, using nested if-statements to handle four possible combinations. The logic flow remains transparent and easily traceable.

    Level 2: Introduction of Bit Flags

    The next level of obfuscation introduces bit operations while maintaining some readability:

    var isMobile = /Mobile|Android|iPhone|iPad/i.test(navigator.userAgent); var noCookies = document.cookie === ""; var hasAutomationAPIs = !!window.callPhantom || !!window._phantom; var isHeadless = !!navigator.webdriver; var flags = 0; if (isMobile) { flags = flags | 1; // Set bit 0 } if (noCookies) { flags = flags | 2; // Set bit 1 } if (hasAutomationAPIs) { flags = flags | 4; // Set bit 2 } if (isHeadless) { flags = flags | 8; // Set bit 3 }

    The code remains partially readable but introduces bit manipulation. Each condition sets a specific bit within the flags variable. We have 4 variables that we can set to bit values:

    • isMobile = 0001 (bit 0)
    • noCookies = 0010 (bit 1)
    • hasAutomationAPIs = 0100 (bit 2)
    • isHeadless = 1000 (bit 3)

    These four binary conditions create 16 possible states (0000 through 1111), to represent none of the variables matching, all of the variables matching, and any combination of them. An analyst can still identify the conditional checks but understanding how the flags variable is used later requires additional investigation.

    Level 3: Advanced Obfuscation

    This final stage of obfuscation employs heavy obfuscation through hex arrays, unusual variable naming and complex bit operations:

    var _0xf = [0x0, 0x1, 0x2, 0x3, 0x4, 0x8, "webdriver", "cookie", "", "userAgent", "test", "callPhantom", "_phantom"]; var _0xa, _0xb, _0xc, _0xd, _0xe; (function(_0x1, _0x2, _0x3) { _0xa = /Mobile|Android|iPhone|iPad/i[_0xf[0xa]](navigator[_0xf[0x9]]) << _0xf[_0xf[0x0]]; _0xb = (document[_0xf[0x7]] === _0xf[0x8]) << _0xf[_0xf[0x1]]; _0xc = (!!window[_0xf[0xb]] | !!window[_0xf[0xc]]) << _0xf[_0xf[0x2]]; _0xd = !!navigator[_0xf[0x6]] << _0xf[_0xf[0x3]]; _0xe = _0xa | _0xb | _0xc | _0xd; })(); var _0x10 = (_0xe >>> _0xf[0x0]).toString(_0xf[0x2]).split(String.fromCharCode(0x31)).length - _0xf[0x1]; var _0x11 = [ function() { return _0xf[0x0]; }, function() { return _0xe & _0xf[0x1]; }, function() { return _0xe >> _0xf[0x1] & _0xf[0x1]; }, function() { return _0xe & _0xf[0x3]; }, function() { return _0xe >> _0xf[0x2] & _0xf[0x1]; }, function() { return _0xe & _0xf[0x4] | _0xf[0x1]; }, function() { return _0xe >> _0xf[0x1]; }, function() { return _0xe & ~_0xf[0x5]; }, function() { return _0xe >> _0xf[0x3]; }, function() { return _0xe; }, function() { return _0xe ^ _0xf[0x2]; }, function() { return _0xe | _0xf[0x1]; }, function() { return _0xe >> _0xf[0x2]; }, function() { return _0xe & _0xf[0x5] | _0xf[0x4]; }, function() { return _0xe ^ _0xf[0x4]; }, function() { return _0xe; } ]; var _0x12 = (_0xe & ~_0xf[0x3]) !== _0xf[0x0]; var _0x13 = (_0x10 & ~_0xf[0x1]) !== _0xf[0x0];

    This code looks much more complex but is essentially doing the same as the second example (with some slightly expanded combinations).

    • Declares variables for checks such as isMobile, Cookies, AutomationAPIs.
    • Checks each of the variables and sets a corresponding bit to 0 or 1 (true or false) and saves them all together in a new variable `_0xe`. The function also has some values referenced that are not used elsewhere, this is to confuse analysts and take more of their time.
    • A popcount is done in variable `_0x10`. Popcount is a method of counting how many 1s are present (this will be used to see how many total variables are present).
    • Variable `_0x11` handles the combinations of 0000 -> 1111, every possible combo is looked at here.
    • The two remaining variables `_0x12` and `_0x13` do what was discussed above, one checks if higher bit values are set and the other looks at the value as a whole to see if it above a certain amount.

    The underlying logic for all examples are similar - checking visitor characteristics and deciding what to display. The complexity exists purely to waste analyst time and frustrate automated detection.

    What Happens in the Wild

    Based on examples investigated by the Mimecast Threat Research team, when deployed in campaigns that result in credential harvesting pages, this obfuscated logic predominantly determines whether to display the phishing form or redirect to innocuous content.

    If the code detects automation tools, headless browsers, missing cookies or mobile devices (depending on the target profile), it silently redirects the visitor to a legitimate website, leaving no evidence of malicious intent. Security researchers scanning the URL encounter benign content, while intended targets see the credential harvesting form.

    This selective presentation significantly extends the operational lifespan of phishing campaigns, as automated security systems fail to identify malicious behavior during initial scans.

    Targets

    Global- technique observed across multiple phishing kit families targeting various industries and regions

    Detection Considerations

    The usage of bitwise operations on a site can be viewed as unusual in the context of a typical webpage. When bitwise operations are observed other indicators (domain age, cert, delivery details, etc.) should be considered when determining if a site is legitimate or not.

     

    Keep your edge in threat intelligence

    Join thousands of security professionals who rely on our curated alerts, expert analysis, and campaign IOCs to defend against the latest cyber threats.

    Sign up successful

    Thank you for signing up to receive updates for our threat intelligence notifications.

    We will be in touch!

    Back to Top