Executive Summary
Over the past several months, the urlscan Threat Research Team has conducted extensive research to identify, cluster, and track some of the most impactful Chinese-language phishing-as-a-service (PhaaS) ecosystems operating at a global scale. This research combines large-scale telemetry, infrastructure analysis, and campaign tracking to better understand how these services are structured, operated, and deployed.
Beginning May 4th, we will publish a series of linked Threat Intelligence reports focused on the most prominent Chinese-language phishing frameworks currently active. Each report will examine a specific framework or activity cluster, providing detailed insights into campaign scale, infrastructure design, operational workflows, tracking mechanisms, and the detection methodologies developed by the urlscan.io team.
Collectively, this series aims to provide a comprehensive view of the ecosystems underpinning a significant portion of global phishing activity today, with a particular focus on the services enabling large-scale, cross-border campaigns.
During routine monitoring of malicious web activity on the urlscan platform, the urlscan Threat Research Team identified a phishing campaign abusing the Ultraviolet (UV) client-side proxy framework. This framework was being leveraged to obscure attacker infrastructure, evade traditional detection methods, and deliver high-fidelity credential harvesting content.
We are excited to be heading to PIVOTcon, where we will host a hands-on
workshop focused on hunting phishing pages and infrastructure. If you are
attending the conference, this is a great opportunity to connect with us and
learn how to make full use of our community and urlscan Pro platforms.
Workshop: Uncovering Phishing Infrastructure
A Hands-On Workshop with urlscan.io
In this interactive workshop, we will show how analysts can transform a single
suspicious URL into a deep investigation - uncovering entire phishing
campaigns and the infrastructure behind them. Whether you’re new to urlscan.io
or already using it in your workflow, this session is designed to give you
practical techniques you can apply immediately.
Over the last couple of years, the urlscan Threat Research Team has observed repeated, near-identical “live support” webpages used to socially engineer victims into installing legitimate remote access tools (AnyDesk, ConnectWise/ScreenConnect, TeamViewer, etc.). Threat actors pair these pages with cold calls impersonating banks, telcos, or crypto services and attempt to install screen sharing software. Once connected, they take control of sessions and facilitate fraudulent transfers.
Today we are announcing a new API endpoint for looking up observables on
urlscan.io: The Malicious Lookup API. This new endpoint enables
fast checks against our database of malicious websites and is meant to answer a
simple question:
Has this hostname/domain/IP/URL been observed hosting malicious content?
The API answers this question efficiently with predictable performance.
We have made significant improvements to our core AI features on the urlscan Pro
platform: Brand AI allows users to search for brand abuse using the visual
representation of a website, ML verdicts deliver a score for the
trustworthiness of a website and the new AI summaries help users understand
the content of a website in a foreign language.
Starting May 4th, 2026 some of the publicly accessible API endpoints on
urlscan.io will only respond to authenticated requests. An authenticated
request is one that carries a valid API key or is made by a signed-in user. The API
endpoints affected are:
GET /api/v1/result/{scanId}/
GET /dom/{scanId}/
GET /responses/{fileHash}/
Make sure all of your API integrations are sending the
urlscan API key via the appropriate api-key HTTP request header today.
Make sure to send API key headers for all requests against urlscan.io, even
for API paths that do not require authentication today.
API Calls
This is what an authenticated API call looks like:
curl -i -X GET \
  'https://urlscan.io/api/v1/result/{scanId}/' \
  -H 'api-key: YOUR_API_KEY_HERE'
For more details please check the API docs.
Background
These changes are necessary to curb abuse of our platform and ensure its
stability and availability for legitimate users.
We are excited to announce the launch of Data Dumps, a new feature that
allows customers to bulk-download scan data from urlscan.io without making
individual API calls for each result.
We are excited to announce new releases of our official CLI and Python library. These updates bring new features and improvements to help you integrate urlscan.io into your workflows more effectively.
Today we are announcing detailed activity insights for teams and API keys. The
activity insights show users the quota consumption of each API key,
and whether any of these API keys are generating errors when calling our APIs.
urlscan API key activity tracking