Ultimate Comprehensive Guide to the NakedPages Phishing Kit

NakedPages (sometimes stylized as Naked Pages or referenced by its binary component nkp.app) is a mature, highly evasive Phishing-as-a-Service (PhaaS) platform and Adversary-in-the-Middle (AiTM) reverse proxy phishing kit. It first appeared on underground forums and Telegram channels around mid-2022 and has maintained steady prevalence through 2025, consistently ranking in the top five most active AiTM kits according to monitoring by Sekoia, ANY.RUN, and Barracuda Networks.

NakedPages is primarily written in Node.js with JavaScript-heavy execution and binary components for core proxy operations. It is marketed as a fully automated, "plug-and-play" solution requiring minimal technical expertise, making it attractive to a broad spectrum of cybercriminals — from low-skilled affiliates to organized groups conducting business email compromise (BEC) and initial access brokering. The kit is sold via subscription or one-time licenses on exclusive Telegram channels and Russian-language forums, with historical pricing around $800–$1,200 for full access (often requiring forum reputation or referrals). Developers provide ongoing updates, new templates, and customer support.

As of late 2025, NakedPages sustains an average of approximately 220 active phishing servers per month (per Sekoia.io tracking), powering thousands of campaigns targeting Microsoft 365, Google Workspace, Azure, AWS, VPN services, and various SaaS platforms.

Detailed Technical Architecture

NakedPages employs a classic reverse proxy AiTM model to intercept authentication flows while remaining transparent to both victim and legitimate service.

Core Components:
  1. Reverse Proxy Engine:
    • Node.js-based with custom binary relays (e.g., "nkp.relay-proxy" or "nkp.app").
    • Handles full traffic relaying, including POST data, headers, cookies, and WebSocket connections.
  2. Session Cookie and Token Capture:
    • Primary MFA bypass: Steals authenticated session cookies immediately after successful login.
    • Also captures OAuth tokens where applicable.
  3. Real-Time MFA Relaying:
    • Forwards all 2FA methods (SMS, TOTP, push notifications, authenticator apps) live to the backend service.
  4. Dynamic Phishing Page Generation:
    • Clones legitimate login portals by fetching live assets (CSS, JS, images) from the target domain.
    • Adapts prompts dynamically based on real service responses.
  5. Extensive Preloaded Template Library:
    • Ships with over 50 ready-to-deploy phishing projects covering major cloud providers and enterprise services.
    • Templates updated regularly via developer channels.

Advanced Evasion and Anti-Detection Features

NakedPages is renowned for its multi-layered evasion tactics, which have been refined continuously since 2023.

Key Evasion Techniques Observed in 2025:
  • Multi-Stage Redirection Chains:
    • Up to 9 sequential redirects observed, often leveraging services like href.li (to mask referrers) or legitimate URL shorteners.
  • Domain and URL Randomization:
    • Generates unique alphanumeric subdomains/paths for each campaign to defeat signature-based blocking.
  • Anti-Bot and Researcher Protections:
    • Geofencing (blocks access from over 120 countries commonly used by researchers).
    • Browser fingerprinting (canvas, WebGL, fonts, plugins) to detect sandboxes/VMs.
    • Redirects suspected analysts to benign pages.
  • Code Obfuscation:
    • Dynamic JavaScript generation, whitespace encoding, and encrypted payloads.
  • Traffic Distribution:
    • Load balancing across multiple backend servers to avoid rate-limiting and detection.
  • CAPTCHA and Filter Integration:
    • Optional deployment of CAPTCHA challenges to filter automated scanners.

Deployment Requirements:
  • Linux VPS with specific file permissions (read/write/execute on deployment directories).
  • Automated installation scripts provided.

Typical Attack Lifecycle Using NakedPages

  1. Setup and Configuration:
    • Subscriber deploys kit on infrastructure; selects template and targeting parameters.
  2. Lure Distribution:
    • Common vectors: Spoofed emails (document shares, voicemail alerts), compromised cloud storage links (SharePoint/Google Drive), or malicious SVG/HTML attachments.
  3. Victim Filtering:
    • Multi-stage redirects and anti-bot checks.
  4. Phishing Execution:
    • Victim enters credentials and completes MFA on cloned page → traffic relayed live.
  5. Data Harvesting:
    • Credentials, MFA responses, session cookies captured in real time.
  6. Session Hijack:
    • Attacker imports cookies for persistent access.
  7. Post-Compromise:
    • Inbox rule creation, data exfiltration, internal phishing, or sale of access.

Evolution and Prevalence Timeline

  • Mid-2022: Initial release and forum advertisements emphasizing "50+ templates" and automation.
  • 2023–2024: Rapid growth; enhanced redirection chains and anti-analysis features.
  • 2025: Sustained activity with an average of 220 servers per month; integration into hybrid campaigns (email + cloud lures); minor market share behind Tycoon 2FA but ahead of newer kits.

Comparison to Other Major AiTM Kits (2025 Landscape)

  • vs. Tycoon 2FA: Tycoon dominates volume with superior obfuscation and anti-debugger tools; NakedPages excels in template breadth and redirection complexity.
  • vs. EvilProxy: Similar longevity and proxy reliability; EvilProxy emphasizes geofencing and open redirect abuse.
  • vs. Storm-1167/Sneaky 2FA: NakedPages is more established with larger template library; newer kits focus on specific innovations (e.g., QR code emphasis).

Threat Impact and Attribution

  • Enables widespread credential theft leading to BEC, ransomware deployment, and espionage.
  • Lowers entry barrier for affiliates, contributing to PhaaS proliferation.
  • Primarily used by Eastern European and Russian-speaking actors, with access sold to global affiliates.

Detection Indicators

  • Randomized alphanumeric domains/subdomains.
  • Multi-stage redirect chains (especially via href.li).
  • Traffic anomalies with proxy-like behavior.
  • Specific binary paths (nkp.*) or server fingerprints.
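The indicators above can be turned into a triage heuristic for redirect chains recorded by a URL sandbox or web proxy. The script below is an added example, not code from the original post or from any vendor: it scores a chain on hop count, use of the href.li referrer masker, high-entropy alphanumeric subdomains, and nkp.* path segments. The hop and entropy thresholds, the "two indicator types" verdict rule, and the sample chains (with placeholder hostnames) are all constructed assumptions to tune against your own telemetry.

```python
"""Heuristic triage of redirect chains for NakedPages-style indicators.

Added example, not code from the original post. The hop threshold, entropy
threshold, verdict rule and sample chains are constructed assumptions.
"""
import math
import re
from urllib.parse import urlparse

# Referrer-masking service named in the post.
REFERRER_MASKERS = {"href.li"}
# Chains with at least this many hops are unusual for legitimate links (assumption).
LONG_CHAIN_HOPS = 5
# Path segments named like the kit's binaries (nkp.app, nkp.relay-proxy, ...).
NKP_PATH_RE = re.compile(r"(^|/)nkp\.[a-z0-9_-]+", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric labels score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_randomized(label: str) -> bool:
    """True for a DNS label that is long, mixes letters and digits, and is high-entropy."""
    return (
        len(label) >= 10
        and re.fullmatch(r"[a-z0-9]+", label) is not None
        and any(c.isdigit() for c in label)
        and any(c.isalpha() for c in label)
        and shannon_entropy(label) >= 3.0  # assumed cut-off
    )


def analyze_chain(chain):
    """Return (reason, detail) findings for an ordered list of redirect hops."""
    findings = []
    if len(chain) >= LONG_CHAIN_HOPS:
        findings.append(("long_redirect_chain", f"{len(chain)} hops"))
    for url in chain:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in REFERRER_MASKERS:
            findings.append(("referrer_masker", url))
        # Look only at subdomain labels, not the registrable domain itself.
        labels = host.split(".")
        if any(looks_randomized(label) for label in labels[:-2]):
            findings.append(("randomized_subdomain", url))
        if NKP_PATH_RE.search(parsed.path):
            findings.append(("nkp_binary_path", url))
    return findings


def verdict(chain) -> str:
    """'suspicious' when two or more distinct indicator types co-occur (assumption)."""
    reasons = {reason for reason, _ in analyze_chain(chain)}
    return "suspicious" if len(reasons) >= 2 else "benign"


# Constructed sample chains; hostnames are placeholders, not real infrastructure.
SAMPLE_CHAINS = {
    "benign": [
        "https://example.com/news",
        "https://www.example.com/news",
    ],
    "suspicious": [
        "https://short.example/abc",
        "https://href.li/?https://x7k2m9q4pz3w.cdn-example.net/a",
        "https://x7k2m9q4pz3w.cdn-example.net/a",
        "https://x7k2m9q4pz3w.cdn-example.net/b",
        "https://qz81mk3nw7rt.cdn-example.net/nkp.app/login",
    ],
}

if __name__ == "__main__":
    for name, chain in SAMPLE_CHAINS.items():
        print(name, verdict(chain))
        for reason, detail in analyze_chain(chain):
            print("   ", reason, detail)
```

Feed it the ordered hop list your sandbox records for each clicked link; a single indicator (one short random subdomain on a CDN, say) is common in benign traffic, which is why the verdict requires two distinct indicator types before escalating.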

Comprehensive Mitigation Recommendations

  1. Adopt Phishing-Resistant MFA:
    • FIDO2 hardware keys, passkeys, or certificate-based authentication (immune to AiTM relaying).
  2. Strengthen Access Controls:
    • Enforce device compliance and managed endpoints via Conditional Access.
    • Block legacy authentication protocols.
  3. Advanced Monitoring:
    • Detect session cookie replay and anomalous sign-ins (Microsoft Defender for Cloud Apps, similar tools).
  4. Email and Attachment Filtering:
    • Block SVG/HTML attachments and multi-stage cloud shares.
    • Implement strict DMARC and URL rewriting.
  5. User Education:
    • Train on avoiding unsolicited authentication flows.
    • Encourage direct access via official apps/bookmarks.
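The "Advanced Monitoring" step above relies on spotting a stolen session cookie being replayed from the attacker's infrastructure. The script below is an added example, not code from the original post and not the detection logic of Microsoft Defender for Cloud Apps or any other product: it groups sign-in events by session identifier and alerts when the same session is used again within a short window from a different ASN or with a different User-Agent, raising severity when that later use carried no fresh MFA. The event field names, the 30-minute window and the sample events (documentation-range IPs, private-use ASNs) are constructed assumptions to map onto whatever your identity provider exports.

```python
"""Flag session-cookie replay in sign-in telemetry.

Added example, not code from the original post and not the logic of any named
product. Field names, the sample events and the window are constructed assumptions.
"""
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(minutes=30)  # assumed: how close two uses must be to compare


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; tolerate the trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_replay(events, window=REPLAY_WINDOW):
    """Return one alert per pair of consecutive uses of the same session that
    changes network (ASN) or client (User-Agent) within the window.

    A replayed cookie is presented from the attacker's side without a fresh
    MFA prompt, so a later use that reports no MFA raises the severity."""
    by_session = {}
    for ev in events:
        by_session.setdefault(ev["session"], []).append(ev)

    alerts = []
    for session, uses in by_session.items():
        uses.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(uses, uses[1:]):
            if parse_ts(cur["ts"]) - parse_ts(prev["ts"]) > window:
                continue
            reasons = []
            if cur["asn"] != prev["asn"]:
                reasons.append("asn_change")
            if cur["ua"] != prev["ua"]:
                reasons.append("user_agent_change")
            if not reasons:
                continue
            if not cur["mfa"]:
                reasons.append("no_fresh_mfa")
            alerts.append({
                "user": cur["user"],
                "session": session,
                "first_ip": prev["ip"],
                "second_ip": cur["ip"],
                "reasons": reasons,
                "severity": "high" if "no_fresh_mfa" in reasons else "medium",
            })
    return alerts


# Constructed sample events (placeholder addresses from documentation ranges).
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T09:00:00Z", "user": "alice@example.com", "session": "sess-A1",
     "ip": "203.0.113.10", "asn": "AS64500", "ua": "Edge/130 Windows", "mfa": True},
    # Same cookie presented seven minutes later from another network and browser, no MFA.
    {"ts": "2025-11-03T09:07:00Z", "user": "alice@example.com", "session": "sess-A1",
     "ip": "198.51.100.77", "asn": "AS64511", "ua": "Firefox/128 Linux", "mfa": False},
    # Bob's session re-used from home that evening: same browser, outside the window.
    {"ts": "2025-11-03T09:05:00Z", "user": "bob@example.com", "session": "sess-B7",
     "ip": "203.0.113.22", "asn": "AS64500", "ua": "Chrome/130 Windows", "mfa": True},
    {"ts": "2025-11-03T18:40:00Z", "user": "bob@example.com", "session": "sess-B7",
     "ip": "192.0.2.45", "asn": "AS64502", "ua": "Chrome/130 Windows", "mfa": False},
]

if __name__ == "__main__":
    for alert in detect_replay(SAMPLE_EVENTS):
        print(alert)
```

Widening the window trades false positives (a laptop carried from office to home) for catching cookies replayed hours later; pairing this rule with a device-compliance requirement in Conditional Access, as the list above recommends, removes most of that ambiguity because a replayed cookie arrives from an unmanaged device.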

NakedPages exemplifies the resilience of well-maintained PhaaS platforms: its extensive template library, sophisticated evasion through redirection and randomization, and steady infrastructure ensure continued effectiveness despite competition. As with all AiTM kits, the most definitive defense is migration to authentication methods that cannot be relayed or replayed in real time. Organizations should prioritize phishing-resistant MFA and proactive monitoring to neutralize this persistent threat class.