#006 | Critical | 2026-04-03

Commercial Phishing-as-a-Service Toolkit (Evolved)

nolimit-x@1.0.94 → 1.0.104

Verdict: MALICIOUS — Violates CAN-SPAM, CFAA, Computer Misuse Act. Attacker reacted to disclosure.

Overview

A commercial phishing-as-a-service toolkit distributed via npm for 9+ months. v1.0.94 included DKIM spoofing with stolen private keys, Google/Microsoft OAuth replay attacks, anti-spam fingerprint evasion, SMS phishing via Twilio, QR code phishing, IMAP inbox harvesting, and pre-configured SMTP gateways. After public disclosure, the attacker reacted by publishing v1.0.104: source code moved from readable src/ to hidden .ad/ directory with 39 obfuscated files (x0.js to xz.js, ~700KB total via javascript-obfuscator), added native Rust compiled binaries distributed via scoped packages (@nolimit-x/darwin-arm64, @nolimit-x/win32-x64, etc), and added a prepublish obfuscation pipeline (node scripts/obfuscate.js). Same phishing deps remain: DKIM, Twilio, puppeteer, nodemailer, imap.

104+ Versions Published
9mo+ Active Duration
39 Hidden Files
Rust Native Binaries

Attack Flow

DKIM Spoofing
Uses stolen private keys to forge DKIM signatures, making phishing emails pass authentication checks.
OAuth Replay
Pre-built attack flows for Google and Microsoft 365 OAuth replay, capturing authorization tokens.
Anti-Detection
HTML mutation, CSS reordering, comment injection, and TLS fingerprint spoofing to evade spam filters.
Multi-Channel
SMS phishing via Twilio, QR code phishing, and IMAP inbox harvesting for credential collection.
Licensing
Ed25519 license system with 7-day server check-ins. This is a commercial product sold to criminals.
Post-Disclosure Evasion (v1.0.104)
After public report, attacker moved code to hidden .ad/ directory, obfuscated 39 files (~700KB), added native Rust binaries via @nolimit-x/* scoped packages, and added prepublish obfuscation pipeline.

MITRE ATT&CK Mapping

T1566.001 Spearphishing Attachment — DKIM spoofed emails
T1528 Steal Application Access Token — OAuth replay
T1114.002 Remote Email Collection — IMAP harvesting
T1598.003 Spearphishing Link — SMS/QR phishing (both channels deliver a link)
T1027 Obfuscated Files or Information — javascript-obfuscator on 39 files
T1564.001 Hidden Files and Directories — code moved to .ad/ hidden directory

Tags

Phishing, DKIM, OAuth, SMS, Commercial Malware, Post-Disclosure Evasion

Full Report

nolimit-x — Commercial Phishing-as-a-Service Toolkit (v1.0.94 → v1.0.104)

TL;DR

A commercial phishing toolkit sold to criminals via npm for 9+ months. After public disclosure of v1.0.94, the attacker published v1.0.104 with full code obfuscation, hidden directories, and native Rust binaries. The phishing capabilities remain identical.

Timeline

Date | Version | Event
~July 2025 | 1.0.0 | First published on npm
2026-04-02 | 1.0.94 | Detected by npm-sentinel, publicly disclosed
2026-04-03 | 1.0.98 | Intermediate update (partial obfuscation)
2026-04-03 | 1.0.100 | Further obfuscation
2026-04-03 | 1.0.104 | Full evasion: hidden .ad/ dir, 39 obfuscated files, native Rust binaries

Package Info

Field | v1.0.94 | v1.0.104
Entry point | src/cli.js | .ad/x0.js
Source directory | src/ (39 readable files) | .ad/ (39 obfuscated files: x0.js-xz.js)
Obfuscation | None | javascript-obfuscator v4.2.2
Native binaries | None | Rust compiled via @nolimit-x/* scoped packages
Build pipeline | None | node scripts/obfuscate.js + scripts/copy-native-binary.js
Total versions | 94 | 104+

v1.0.94 — Original Analysis (Readable Source)

Source Files (39 files in src/)

The original version shipped readable JavaScript with descriptive filenames that reveal the full attack surface:

  • dkim-spoofer.js — DKIM signature forgery using stolen private keys
  • real-replay-attack.js — Google/Microsoft OAuth replay attack flows
  • fingerprint-evasion.js — Anti-spam filter evasion via HTML mutation
  • tls-fingerprint-spoofer.js — Provider-specific TLS fingerprint spoofing
  • key-exploitation.js — Cryptographic key exploitation module
  • vulnerability-database.js — Database of exploitable mail server vulns
  • qr-generator.js — QR code phishing generation
  • license.js — Ed25519 commercial license system
  • sender.js — Core email sending engine
  • processor.js — Campaign processor
  • cli.js — Command-line interface
  • hwid.js — Hardware ID for license binding
  • rust-backend.js — Rust native backend integration
  • attachment-handler.js — Phishing attachment generation
  • document-generator.js — Fake document generation (.doc, .pdf, .pptx, .xlsx, .epub, .rtf)
  • ics-generator.js — Calendar invite phishing
  • dynamic-url-generator.js — Dynamic phishing URL generation
  • redirect-crawler.js, redirect-scanner.js, redirect-tester.js — Open redirect exploitation
  • smtp-optimizer.js — SMTP delivery optimization
  • structural-jitter.js — Email structure randomization
  • message-variability.js — Message mutation for filter evasion
  • sender-intelligence.js — Sender reputation intelligence
  • threat-intel.js — Threat intelligence integration
  • organization-extractor.js, advanced-name-extractor.js — Victim organization profiling

DKIM Spoofing (dkim-spoofer.js)

Uses stolen private keys to forge DKIM signatures. Imports VulnerabilityDatabase, RealReplayAttack, and KeyExploitation modules. Tracks attack statistics across direct, replay, and hybrid methods.

OAuth Replay Attacks (real-replay-attack.js)

Two pre-built attack flows:

  • setupGoogleOAuthReplay(burnerEmail, burnerPass, phishingMessage, victimList) — Creates an OAuth app, triggers a Google security alert so that Google itself emits a DKIM-signed email to the burner mailbox, then re-sends that email to victimList with the signature intact. The signature survives because DKIM covers only the header fields listed in h= plus a hash of the body; the SMTP envelope and the Received: lines added in transit are not signed, so a byte-identical copy verifies wherever it is delivered
  • setupMicrosoft365Replay(burnerEmail, burnerPass, phishingMessage, victimList) — Same flow for Microsoft 365

Both accept victimList and burnerEmail parameters, confirming this is designed for mass phishing campaigns.
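The mechanism behind both the DKIM spoofing module and the replay flows above is easiest to see on the wire. The following is an added example, not code from nolimit-x or from the npm-sentinel report: it rebuilds the exact bytes a DKIM verifier hashes under RFC 6376 relaxed/relaxed canonicalisation for a constructed provider alert, then for the same message after a burner mailbox re-sends it to a victim, and shows the two are identical. It also sketches receiver-side replay heuristics. Every domain, address, timestamp and body string is constructed; alerts.example.com stands in for the real provider, and b= is a placeholder because no signing key is involved.

```python
"""Added example (not nolimit-x code): the bytes a DKIM b= signature covers, rebuilt under
RFC 6376 relaxed/relaxed canonicalisation, are identical before and after a burner mailbox
re-sends the message. All domains, addresses, times and text are constructed; b= is a
placeholder since no signing key is involved."""
import base64
import hashlib
import re

CRLF, WSP = b"\r\n", rb"[ \t]+"
T_SIGNED = 1772445600  # constructed signing time (epoch seconds)

def split_message(raw):
    """-> ([(name, raw_value), ...], body) with folded header lines re-joined."""
    head, _, body = raw.partition(CRLF + CRLF)
    headers = []
    for line in head.split(CRLF):
        if line[:1] in (b" ", b"\t") and headers:  # continuation of the previous field
            headers[-1] = (headers[-1][0], headers[-1][1] + CRLF + line)
        else:
            name, _, value = line.partition(b":")
            headers.append((name, value))
    return headers, body

def relaxed_body(body):
    """RFC 6376 s3.4.4: strip trailing WSP, collapse WSP runs, drop trailing empty lines."""
    lines = [re.sub(WSP, b" ", ln.rstrip(b" \t")) for ln in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + CRLF for ln in lines)

def relaxed_header(name, value):
    """RFC 6376 s3.4.2: lowercase name, unfold, collapse WSP, trim around the colon."""
    return name.strip().lower() + b":" + re.sub(WSP, b" ", value.replace(CRLF, b"")).strip(b" \t")

def parse_tags(sig_value):
    """DKIM-Signature tag list -> {tag: value with whitespace removed}."""
    tags = {}
    for part in sig_value.replace(CRLF, b"").split(b";"):
        if b"=" in part:
            k, v = part.split(b"=", 1)
            tags[k.strip().decode()] = re.sub(rb"[ \t]", b"", v)
    return tags

def dkim_signing_input(raw):
    """-> (body_hash_matches, exact bytes the b= signature is computed over)."""
    headers, body = split_message(raw)
    sig_name, sig_value = [h for h in headers if h[0].lower() == b"dkim-signature"][0]
    tags = parse_tags(sig_value)
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body)).digest())
    signed = b""
    for want in tags["h"].split(b":"):
        # the verifier takes the last instance of each field named in h=; headers a relay
        # prepends (Received:, Return-Path:, Delivered-To:) are not in h= and never enter
        found = [h for h in headers if h[0].strip().lower() == want.lower()]
        if found:
            signed += relaxed_header(*found[-1]) + CRLF
    without_b = re.sub(rb"(^|;)([ \t\r\n]*b=)[^;]*", rb"\1\2", sig_value)
    return bh == tags["bh"], signed + relaxed_header(sig_name, without_b)  # b= emptied, no CRLF

def build_signed_alert(body, t):
    """Constructed provider alert as it lands in the attacker's burner mailbox."""
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body)).digest())
    sig = (b"v=1; a=rsa-sha256; c=relaxed/relaxed; d=alerts.example.com; s=sel1;" + CRLF +
           b"\tt=" + str(t).encode() + b"; h=from:to:subject:date;" + CRLF +
           b"\tbh=" + bh + b";" + CRLF + b"\tb=PLACEHOLDER-NOT-A-REAL-SIGNATURE")
    return (b"Return-Path: <bounce@alerts.example.com>" + CRLF + b"Delivered-To: burner@example.net" + CRLF +
            b"DKIM-Signature: " + sig + CRLF + b"From: Example Alerts <no-reply@alerts.example.com>" + CRLF +
            b"To: burner@example.net" + CRLF + b"Subject: Security alert" + CRLF +
            b"Date: Mon, 02 Mar 2026 10:00:00 +0000" + CRLF + CRLF + body)

def relay(raw, victim, relay_host, bounce):
    """The message after the burner account re-sends it: new envelope and trace headers,
    signed headers and body untouched."""
    headers, body = split_message(raw)
    kept = [h for h in headers if h[0].lower() not in (b"return-path", b"delivered-to")]
    added = [(b"Return-Path", b" <" + bounce + b">"), (b"Delivered-To", b" " + victim),
             (b"Received", b" from " + relay_host + b" by mx.victim.example with ESMTPS;" +
              CRLF + b"\tTue, 03 Mar 2026 09:00:00 +0000")]
    return b"".join(n + b":" + v + CRLF for n, v in added + kept) + CRLF + body

def replay_indicators(raw, now, max_age_days=2):
    """Receiver-side heuristics (assumptions, not a standard) for a DKIM-valid message that
    may be a replay rather than a fresh send from the signing domain."""
    headers, _ = split_message(raw)
    get = lambda n: [v.strip() for k, v in headers if k.lower() == n]
    tags, flags = parse_tags(get(b"dkim-signature")[0]), []
    rp = get(b"return-path")
    if rp and not rp[0].rstrip(b">").lower().endswith(b"@" + tags["d"].lower()):
        flags.append("Return-Path domain differs from DKIM d= (third-party relay)")
    if "t" in tags and now - int(tags["t"]) > max_age_days * 86400:
        flags.append("signature timestamp older than %d days" % max_age_days)
    delivered, rcpts = get(b"delivered-to"), b" ".join(get(b"to") + get(b"cc")).lower()
    if delivered and delivered[0].lower() not in rcpts:
        flags.append("Delivered-To mailbox is not in To/Cc")
    return flags

# constructed body; the quoted app name stands for the attacker-controlled text the toolkit
# gets the provider to embed in its own alert
BODY = (b"Hello," + CRLF + CRLF + b"The app \"IT notice: verify your mailbox\"  was granted "
        b"access to your account." + CRLF + CRLF)
ORIGINAL = build_signed_alert(BODY, T_SIGNED)
RELAYED = relay(ORIGINAL, b"victim@victim.example", b"mail.burner-relay.example", b"burner@example.net")
```

`dkim_signing_input(ORIGINAL)` and `dkim_signing_input(RELAYED)` return the same bytes, which is the whole attack: whatever RSA signature the provider produced over those bytes is still valid for the relayed copy, and DMARC aligns because From: still names the provider. The only things a receiver can reason about are what DKIM does not sign, which is what `replay_indicators` looks at: a Return-Path that belongs to the relaying mailbox rather than the signing domain, a t= timestamp far older than delivery, and a Delivered-To address that never appears in To/Cc. A tampered body (for instance a swapped link) does break the bh= check, so the attacker has to forward the message exactly as received.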

Anti-Detection (fingerprint-evasion.js)

Multi-layer filter evasion using cheerio DOM manipulation:

  • HTML comment insertion
  • CSS property reordering
  • HTML attribute reordering
  • Whitespace mutation
  • HTML entity swaps
  • Case changes
  • Self-closing tag swaps
  • Data attribute insertion
  • Configurable intensity presets (low/medium/high)
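Each mutation in the list above is cheap to generate and defeats filters that hash or compare raw HTML. The receiver's counter is to canonicalise before comparing. The block below is an added example, not code from nolimit-x or from the report: a stdlib-only canonicaliser that undoes the listed mutations (comments, attribute and CSS ordering, whitespace, entity spelling, tag/attribute case, `<br/>` vs `<br>`, injected data-* attributes) so that mutated copies of one template fingerprint identically. The two sample variants are constructed; the set of void tags and the decision to drop all data-* attributes are my choices.

```python
"""Added example (not nolimit-x code): a receiver-side canonicaliser that collapses the
mutations listed above so every variant of one template hashes to the same value."""
import hashlib
import re
from html.parser import HTMLParser

VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "area", "base", "col", "source"}

class Canonicaliser(HTMLParser):
    """Emits a normalised token stream: lowercase names, sorted attributes, sorted CSS
    declarations, no comments, no data-* attributes, collapsed whitespace, decoded entities."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &amp; and &#38; both arrive as "&"
        self.out = []

    def _emit(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("data-"):  # injected data attributes carry no content
                continue
            value = "" if value is None else re.sub(r"\s+", " ", value).strip()
            if name == "style":  # undo CSS property reordering
                value = ";".join(sorted(p.strip() for p in value.split(";") if p.strip()))
            kept.append('%s="%s"' % (name, value))
        self.out.append("<" + tag.lower() + "".join(" " + k for k in sorted(kept)) + ">")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)

    def handle_startendtag(self, tag, attrs):  # <br/> and <br> become the same token
        self._emit(tag, attrs)

    def handle_endtag(self, tag):
        if tag.lower() not in VOID_TAGS:
            self.out.append("</" + tag.lower() + ">")

    def handle_data(self, data):
        text = re.sub(r"\s+", " ", data).strip()  # undo whitespace mutation
        if text:
            self.out.append(text)

    def handle_comment(self, data):
        pass  # injected comments are dropped

def canonical_html(src):
    p = Canonicaliser()
    p.feed(src)
    p.close()
    return "".join(p.out)

def template_fingerprint(src):
    """Stable identifier for a template family, however the sender mutates each copy."""
    return hashlib.sha256(canonical_html(src).encode("utf-8")).hexdigest()

# two constructed copies of one template; the second is mutated along the lines listed above
VARIANT_A = ('<html><body><div class="a" style="color:red; font-size:12px"><p>Please   verify '
             '&amp; continue</p><br><a href="https://example.test/login">Login</a></div></body></html>')
VARIANT_B = ('<HTML><!-- 8f3a1c --><BODY><DIV style="font-size:12px;color:red" data-x="7" class="a">'
             '<P>Please verify &#38;\n continue</P><BR/><A href="https://example.test/login"  >Login</A>'
             '</DIV></BODY></HTML>')
```

Run `template_fingerprint` over inbound mail and the per-message jitter disappears: every copy produced from one template lands in one bucket, which is what lets a filter react to a campaign after the first sample instead of re-learning each variant. Visible text is deliberately kept (only whitespace is normalised), so a genuinely different message still gets a different fingerprint.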

TLS Fingerprint Spoofing (tls-fingerprint-spoofer.js)

Provider-specific TLS configurations to mimic legitimate mail servers:

  • Gmail: TLS 1.3, specific cipher suites, JA3 fingerprint, Google Trust Services certificate chain
  • Outlook: Microsoft-specific configuration
  • Custom connection timing to mimic legitimate sending patterns

License System (license.js)

Commercial licensing with:

  • Ed25519 signature verification
  • Embedded public key: MCowBQYDK2VwAyEAL5ZecmBBDz560baKdQ/kzZFcFhAmxqBfd9mrEDWJY0k= (base64 of a 44-byte SubjectPublicKeyInfo; the MCowBQYDK2VwAyEA prefix is the standard DER header for an Ed25519 key, so the remaining 32 bytes are the raw public key)
  • License stored in ~/.nolimit/activation.json
  • 7-day server check-in interval for revocation
  • Hardware ID binding via hwid.js
  • License payload format: {"u":"user","p":"pro","e":expiry,"d":devices,"i":issued}

Pre-configured Infrastructure

  • SMTP gateways: AT&T (att.txt), T-Mobile (tmobile.txt), Verizon (verizon.txt)
  • Twilio integration: phonebook/api/twilio.json for SMS phishing
  • Phishing templates: .doc, .epub, .pdf, .pptx, .rtf, .xlsx attachment templates
  • Calendar phishing: templates/calendar/invite.ics

v1.0.104 — Post-Disclosure Evasion

After public disclosure, the attacker published v1.0.104 within hours with the following changes:

Code Hidden in .ad/ Directory

  • "main": ".ad/x0.js" — Entry point moved to hidden directory
  • "bin": { "nolimit": "./.ad/x0.js" } — CLI binary points to hidden dir
  • "files": [".ad/", "templates/", "phonebook/"] (src/ is no longer among the published files)
  • File naming changed from descriptive (dkim-spoofer.js) to opaque (x0.js through xz.js)

Full javascript-obfuscator Applied

  • "devDependencies": { "javascript-obfuscator": "^4.2.2" }
  • Build script: "build": "node scripts/obfuscate.js"
  • "prepublishOnly": "npm run build && node scripts/copy-native-binary.js" — Automated obfuscation before every npm publish

Native Rust Binaries

Platform-specific binaries distributed via scoped packages:

  • @nolimit-x/darwin-arm64 (macOS ARM)
  • @nolimit-x/darwin-x64 (macOS Intel)
  • @nolimit-x/linux-x64 (Linux)
  • @nolimit-x/win32-x64 (Windows)

All at version ^1.0.53, suggesting the binary distribution infrastructure was already in place.
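Every change in this section is visible in package.json alone, before any of the 39 obfuscated files is opened. The block below is an added example, not npm-sentinel's code or anything from the package: it flags the hidden entry point, the lifecycle hook that delegates to an obfuscation script (following `npm run build` to what it actually executes), the obfuscator dependency, the scoped platform binaries and the files[] whitelist, and separately reports the dependency cluster that the "Dependencies Unchanged" section lists. The two manifests are constructed from the fields the report quotes; the `*` version ranges on the phishing dependencies and the placement of the @nolimit-x/* packages under optionalDependencies are assumptions, since the report does not state them.

```python
"""Added example (not npm-sentinel's code): manifest-level indicators of the changes
described above, computed from package.json alone before any source file is read.
Fields quoted in the report are reproduced; the version ranges of the phishing
dependencies and the optionalDependencies placement of the binaries are assumptions."""
import re

HIDDEN_DIR_OK = {".", ".."}
OBFUSCATOR_HINTS = ("javascript-obfuscator", "obfuscat")
PLATFORM_BINARY = re.compile(r"^@[\w.-]+/(darwin|linux|win32|freebsd)-(x64|arm64|ia32|arm)$")
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish", "prepublishOnly")
MAIL_CAMPAIGN_DEPS = {"nodemailer", "imap", "twilio", "puppeteer", "qrcode", "cheerio"}  # heuristic cluster

def hidden_path(path):
    """True when any directory component is a dot-directory ('./.ad/x0.js' -> True)."""
    parts = path.replace("\\", "/").split("/")
    return any(p.startswith(".") and p not in HIDDEN_DIR_OK for p in parts[:-1])

def all_deps(pkg):
    merged = {}
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        merged.update(pkg.get(key) or {})
    return merged

def expand_script(cmd, scripts, depth=0):
    """Inline `npm run <name>` so a hook that delegates still reveals what it executes."""
    if depth > 5:
        return cmd
    return re.sub(r"npm run ([\w:.-]+)",
                  lambda m: m.group(0) + " [" + expand_script(scripts.get(m.group(1), ""), scripts, depth + 1) + "]",
                  cmd)

def scan_manifest(pkg):
    """Human-readable flags; an empty list means nothing manifest-visible stood out."""
    flags = []
    for entry in [pkg.get("main") or ""] + list((pkg.get("bin") or {}).values()):
        if entry and hidden_path(entry):
            flags.append("entry point inside a hidden directory: " + entry)
    scripts = pkg.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            expanded = expand_script(scripts[hook], scripts)
            if any(h in expanded.lower() for h in OBFUSCATOR_HINTS):
                flags.append("%s obfuscates before publish: %s" % (hook, expanded))
    deps = all_deps(pkg)
    if "javascript-obfuscator" in deps:
        flags.append("javascript-obfuscator declared as a dependency")
    natives = sorted(d for d in deps if PLATFORM_BINARY.match(d))
    if natives:
        flags.append("%d platform-specific native packages: %s" % (len(natives), ", ".join(natives)))
    hidden_published = [f for f in (pkg.get("files") or []) if hidden_path(f.rstrip("/") + "/x")]
    if hidden_published:
        flags.append("files[] publishes hidden directories: " + ", ".join(hidden_published))
    cluster = sorted(MAIL_CAMPAIGN_DEPS & set(deps))
    if len(cluster) >= 4:
        flags.append("mail-campaign capability cluster: " + ", ".join(cluster))
    return flags

def diff_manifests(old, new):
    """What changed between two published versions of the same package."""
    changes = []
    if old.get("main") != new.get("main"):
        changes.append("entry point moved: %s -> %s" % (old.get("main"), new.get("main")))
    for hook in LIFECYCLE_HOOKS:
        if hook in (new.get("scripts") or {}) and hook not in (old.get("scripts") or {}):
            changes.append("new lifecycle hook: " + hook)
    added = sorted(set(all_deps(new)) - set(all_deps(old)))
    if added:
        changes.append("new dependencies: " + ", ".join(added))
    return changes

# constructed manifests built from the fields the report quotes
PHISHING_DEPS = {d: "*" for d in ("nodemailer", "imap", "twilio", "puppeteer", "cheerio", "qrcode", "axios")}
V94 = {"name": "nolimit-x", "version": "1.0.94", "main": "src/cli.js", "dependencies": dict(PHISHING_DEPS)}
V104 = {
    "name": "nolimit-x", "version": "1.0.104", "main": ".ad/x0.js", "bin": {"nolimit": "./.ad/x0.js"},
    "files": [".ad/", "templates/", "phonebook/"],
    "scripts": {"build": "node scripts/obfuscate.js",
                "prepublishOnly": "npm run build && node scripts/copy-native-binary.js"},
    "dependencies": dict(PHISHING_DEPS),
    "devDependencies": {"javascript-obfuscator": "^4.2.2"},
    "optionalDependencies": {"@nolimit-x/" + p: "^1.0.53"
                             for p in ("darwin-arm64", "darwin-x64", "linux-x64", "win32-x64")},
}
```

`scan_manifest(V94)` produces a single flag (the mail-campaign dependency cluster), which is exactly why the readable v1.0.94 was caught on its source rather than its manifest; `scan_manifest(V104)` produces seven, and `diff_manifests(V94, V104)` reports the moved entry point, the new prepublishOnly hook and the five new dependencies. The platform-binary check is informational on its own, since legitimate native packages use the same @scope/os-arch layout; it is the combination with an obfuscating publish hook and a dot-directory entry point that is unusual for a benign package.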

Dependencies Unchanged

The phishing dependencies remain identical between versions:

  • nodemailer — Email sending
  • imap — Inbox harvesting
  • twilio — SMS phishing
  • puppeteer — Browser automation for OAuth replay
  • cheerio — HTML manipulation for filter evasion
  • qrcode — QR phishing
  • axios — HTTP requests

MITRE ATT&CK Mapping

Technique | Description
T1566.001 | Spearphishing Attachment — DKIM spoofed emails with forged attachments
T1528 | Steal Application Access Token — Google/Microsoft OAuth replay
T1114.002 | Remote Email Collection — IMAP inbox harvesting
T1598.003 | Spearphishing Link — SMS/QR phishing via Twilio (both channels carry a phishing link)
T1027 | Obfuscated Files or Information — javascript-obfuscator on 39 files (v1.0.104)
T1564.001 | Hidden Files and Directories — .ad/ hidden directory (v1.0.104)

Verdict

MALICIOUS — Commercial phishing-as-a-service toolkit violating CAN-SPAM Act, CFAA, and UK Computer Misuse Act. The attacker's reaction to disclosure (obfuscation within hours) confirms malicious intent and active maintenance. The tool is still fully functional and dangerous.

Credits

Detected by: npm-sentinel automated scanner
Verified by: manual source code review of v1.0.94 and package.json analysis of v1.0.104
Date: 2026-04-02 (initial), 2026-04-03 (evolution documented)