Central to the attacks is a commercial phishing kit called 0ktapus, which offers pre-made templates to create realistic fake authentication portals and ultimately harvest credentials and MFA codes. It also has a built-in C2 channel via Telegram.