ZyberWalls.com
Independent Cybersecurity Research

Ghost AiTM Campaign – How Attackers Hijack Fintech Sessions After MFA

ZyberWalls Research Team
Independent cybersecurity researchers covering zero-days, CVEs, breach analysis and threat intelligence. All facts verified from primary sources.

Your bank's login page looks exactly right. The URL seems correct. Your OTP arrives on your phone. You enter it. The page confirms you're logged in.

And somewhere between your phone and your bank's server, an attacker just received a perfect copy of your session — the digital key that proves you're already authenticated. They don't need your password. They don't need your OTP. They have something more valuable: proof that you already logged in successfully.

This is not a hypothetical. A campaign targeting Indian fintech companies, neobanks, and UPI-integrated platforms — tracked under the name "Ghost" — has been doing exactly this since early 2026. It is not a basic phishing kit. It is a purpose-built attack framework designed specifically around how Indian financial authentication works.

Ghost AitM Campaign — Key Facts
  • Campaign name: "Ghost" — a custom variant of Tycoon2FA and Evilginx3
  • Attack type: Adversary-in-the-Middle (AitM) — transparent reverse proxy
  • Primary targets: Indian neobanks, UPI-integrated portals, fintech backend systems
  • Delivery method: Spearphishing via LinkedIn and corporate Slack — impersonating RBI compliance notices
  • What it steals: Session tokens and JWTs issued after biometric or OTP authentication — not passwords
  • Why MFA doesn't stop it: The attack captures the authenticated session — after MFA has already been passed
  • New 2026 features: Dynamic device detection, QR code baiting, AI-driven IP rotation every 3 seconds
  • Wider context: AitM attacks surged 46% in 2025 — now the dominant MFA bypass technique globally
  • Connection: Credential access techniques used in Ghost may mirror how Handala obtained Microsoft Intune admin credentials in the Stryker attack
[Image: Ghost AiTM phishing attack stealing session tokens from Indian fintech login portals]

Root Cause — Why MFA Is No Longer Enough

For years, the security industry told everyone the same thing: enable two-factor authentication and you're protected. That advice was right — until attackers stopped trying to steal passwords and started stealing something more powerful instead.

When you log into your bank or any web application, the server doesn't keep checking your password every time you click something. That would be slow and annoying. Instead, after you log in successfully, the server issues a session token — a small piece of data that says "this person already proved who they are, trust them." Every action you take after logging in uses that token silently in the background.

AitM attacks don't target your password. They don't even target your OTP. They let you complete the entire login process normally — and then steal the session token that gets issued at the end of it.

The session token is the master key. Once an attacker has it, your password is irrelevant. Your OTP is irrelevant. Even resetting your password won't help — because the attacker isn't using your password. They're using proof that you already authenticated successfully.

This is the root cause of why Ghost is dangerous. It doesn't attack the lock. It waits for you to open the door yourself, then copies the key as you walk through.

AitM attacks surged by 46% in 2025 because the Phishing-as-a-Service model became industrialised — making it easier for attackers to rent ready-made attack kits that automate complex proxying and session-harvesting without developing custom exploits. Ghost goes further — it was custom-built for India's specific financial authentication architecture.

Attack Surface — Who Is Exposed

Ghost is not a generic attack. It was specifically designed around three characteristics of Indian financial infrastructure:

UPI authentication flows — India's Unified Payments Interface uses a specific sequence of authentication steps that Ghost's proxy is built to mirror exactly. The victim sees a real-looking UPI portal. The session token issued at the end goes to the attacker.

Neobank login architecture — Digital-only banks that rely heavily on OTP and biometric authentication are specifically targeted. Ghost intercepts the JSON Web Token (JWT) issued after biometric verification — the most trusted form of authentication these platforms use.

Corporate fintech employees on LinkedIn and Slack — The delivery method targets professionals, not consumers. RBI compliance notices sent via LinkedIn or internal Slack impersonations reach finance, compliance, and IT staff — the people with the highest-value access credentials.

The exposure is broad. Any Indian fintech employee who clicks a link in what appears to be an RBI compliance notice, any neobank customer directed to what looks like their bank's portal, any UPI user following a "verification" QR code — all are potential victims. And because the attack works after MFA passes, organisations that believe MFA protects them are specifically the ones Ghost is designed to fool.

Exploit Chain — How Ghost Works Step by Step

Ghost operates as a transparent reverse proxy. This is the key technical concept: it does not host a fake website. It tunnels the real one — sitting invisibly between the victim and the actual bank or fintech portal, reading everything that passes through.

Step 1 — The lure arrives

A targeted employee receives a message on LinkedIn or Slack. It appears to be an official RBI compliance notice or an internal IT infrastructure upgrade alert. The message includes a link to what looks like a legitimate portal — something like portal.fintech-auth[.]in. The domain looks plausible. The message is professionally written. There is no obvious red flag.

Step 2 — The proxy activates

The victim clicks the link and lands on the Ghost server. The Ghost server immediately fetches the real bank or fintech portal and displays it to the victim in real time — perfectly rendered, fully functional. The victim sees their actual bank. Every element is real because it is being pulled live from the real site.

Step 3 — Authentication completes normally

The victim enters their credentials. Their OTP arrives on their phone. They enter it. Their biometric verification passes. From the victim's perspective, everything worked exactly as normal. They are now logged in.

Step 4 — The session token is stolen

As the real server issues the session token — the JWT or Session ID that confirms successful authentication — Ghost intercepts it from the response headers before passing it to the victim's browser. The victim gets a copy. The attacker gets a copy. Both appear to be logged in.

Step 5 — Account takeover begins

The attacker's copy of the session token works immediately and silently. No password needed. No OTP needed. No biometric needed. They access the victim's account as a fully authenticated user — because from the server's perspective, they are.

This is why a password reset does nothing after a Ghost attack. The attacker is not using a password. They are using a valid, authenticated session. The only effective response is to revoke all active sessions globally — invalidating every token currently in use across the entire platform.

Three advanced features added in 2026 make Ghost significantly harder to detect:

Dynamic device detection — Ghost detects whether the victim is on a mobile phone or desktop computer and automatically adjusts the displayed interface in real time. Security-aware employees who look for "something slightly off" about a login page find nothing — because the page matches their device perfectly.

QR code baiting — Lures now include a QR code labelled "Update your Auth App." This moves the victim from a corporate laptop — which may have security monitoring — to a personal smartphone, which almost certainly does not. The attack continues on a less-monitored device.

AI-driven IP rotation — An AI agent rotates the proxy's IP address across a residential Indian IP pool every three seconds. Traditional security tools that block known malicious IPs or flag foreign IP addresses find nothing suspicious — the traffic appears to come from ordinary Indian residential internet connections, changing constantly.

The Stryker Connection

This is the detail that elevates Ghost from a regional fintech problem to a broader threat intelligence concern.

When Handala wiped 200,000 Stryker devices on March 11, 2026, the working theory is that they obtained administrator credentials to Microsoft Intune through credential theft — most likely via a phishing or AitM attack against a privileged account. We covered the Stryker attack in full here.

The credential access techniques Ghost uses — session token theft from authenticated admin accounts, targeting of identity providers, post-authentication session hijacking — are functionally identical to the technique that almost certainly gave Handala access to Stryker's cloud management console.

Ghost may represent the reconnaissance and credential harvesting phase of a larger campaign. Indian fintech infrastructure — handling trillions of rupees in daily transactions through UPI alone — is not a small target. A successful AitM campaign that harvests admin-level session tokens from fintech platforms could enable the kind of destructive, large-scale attack that hit Stryker, replicated against Indian financial infrastructure.

The pattern is consistent with what Okta and independent security researchers confirmed in January 2026 — a surge in highly targeted AitM phishing attacks against fintech, wealth management, and financial organisations, combining real-time social engineering with dynamic phishing sites to harvest credentials and MFA codes.

MITRE ATT&CK Mapping

Tactic | Technique ID | Technique Name | How It Applies
--- | --- | --- | ---
Reconnaissance | T1591 | Gather Victim Org Information | Targets identified via LinkedIn — role, employer, authentication systems researched before attack
Initial Access | T1566.002 | Phishing: Spearphishing Link | RBI compliance lures via LinkedIn and corporate Slack — highly targeted, professionally crafted
Initial Access | T1566.004 | Phishing: Spearphishing via Service | Slack impersonation of internal IT communications — trusted channel exploited
Credential Access | T1539 | Steal Web Session Cookie | Core Ghost capability — JWT and Session ID intercepted from Set-Cookie headers post-authentication
Credential Access | T1111 | Multi-Factor Authentication Interception | OTP and biometric authentication completed by victim — session token stolen after MFA passes
Defense Evasion | T1090 | Proxy | Transparent reverse proxy tunnels real site — no fake page to detect, AI rotates residential IPs every 3 seconds
Defense Evasion | T1036 | Masquerading | Dynamic phishlets swap mobile/desktop UI in real time — no visual discrepancy for victim to notice
Collection | T1185 | Browser Session Hijacking | Stolen session token used to access authenticated fintech and UPI sessions directly
Lateral Movement | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | Stolen JWT replayed across platforms — attacker moves through authenticated sessions without credentials
Impact | T1657 | Financial Theft | Authenticated UPI and neobank sessions accessed — direct financial transaction capability

Indicators of Compromise (IOCs)

Ghost's AI-driven IP rotation makes traditional IP-based blocking ineffective. Detection must focus on behavioral anomalies — particularly session and authentication patterns that don't fit normal user behaviour.

# Ghost AitM Campaign — Detection Indicators

# Domain pattern blacklist (pattern-based blocking)
*-verification-rbi.in
*-fintech-portal.net
support-compliance-[ID].cloud
internal-gateway-auth.io

# Proxy latency signature
Alert: Login redirect phase showing 200–500ms additional latency
  compared to baseline for the same authentication endpoint
  (Ghost proxy processing overhead — subtle but measurable)

# Session anomaly indicators — highest priority
Alert: Successful authentication from legitimate user IP (e.g. Bengaluru)
  followed within 60 seconds by session activity from cloud IP
  (AWS, DigitalOcean, Azure) — session clone pattern
Alert: Same session token used from two different User-Agent strings
  or two different device fingerprints simultaneously
Alert: Authenticated session from residential Indian IP
  immediately followed by account action from VPN/proxy IP

# Header anomalies
Alert: Unexpected Referer headers from subdomains not matching
  primary corporate SSO domain
Alert: Set-Cookie response headers intercepted or absent
  in authentication flow where they are normally present

# QR code baiting indicators
Alert: Authentication flow initiated on corporate device
  completed on unregistered personal mobile device
Alert: New device enrollment for MFA from device not in MDM inventory
  within same session as QR code scan event

# Credential access post-compromise
Alert: Admin-level session token used outside business hours
  from residential IP not matching user's known location
Alert: JWT decoded and replayed — token issued to one device
  appearing in requests from different device fingerprint

SOC Alert Priorities

Alert Priority 1 — Monitor for simultaneous session use from different IPs: The clearest Ghost detection signal is a session token appearing from two different locations at once or in rapid succession. A legitimate user in Bengaluru logs in — their session should only appear from Bengaluru. If the same session appears from an AWS or DigitalOcean IP seconds later, that is a confirmed session clone. This single rule will catch the majority of active Ghost attacks. Build it today if it doesn't exist in your SIEM.
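The session-anomaly indicators in the IOC section and the Priority 1 rule above describe the same detection: one session token seen from a second IP (especially a hosting range) within seconds, or from two User-Agent strings. The following is an added example of that rule written as a log replay, not code from ZyberWalls or from any SIEM product. The log lines, the session ids, the IPs and the hosting ranges in CLOUD_RANGES are all constructed for the example; a real deployment would load the providers' published prefix lists and read events from the authentication and application logs.

```python
import ipaddress
from datetime import datetime, timedelta

# Placeholder hosting ranges for the example. In production, load the published
# prefix lists of the providers the article names (AWS, DigitalOcean, Azure).
CLOUD_RANGES = [ipaddress.ip_network(n) for n in ("3.6.0.0/15", "139.59.0.0/16")]

# Constructed post-authentication activity log. Each line is one request:
# timestamp, opaque session identifier, source IP and a simplified User-Agent.
# S1 shows the clone pattern the article describes: a residential login followed
# 36 seconds later by the same session from a hosting IP with a different UA.
SAMPLE_LOG = """\
2026-03-12T09:14:02Z sid=S1 ip=49.37.12.5 ua=Android-App/4.2
2026-03-12T09:14:05Z sid=S1 ip=49.37.12.5 ua=Android-App/4.2
2026-03-12T09:14:41Z sid=S1 ip=3.6.120.9 ua=python-requests/2.31
2026-03-12T09:20:10Z sid=S2 ip=103.21.44.7 ua=Chrome/123
2026-03-12T09:22:30Z sid=S2 ip=103.21.44.7 ua=Chrome/123
2026-03-12T10:01:00Z sid=S3 ip=106.51.8.2 ua=Safari/17
2026-03-12T10:45:00Z sid=S3 ip=106.51.8.2 ua=Firefox/124
"""


def is_cloud(ip: str) -> bool:
    """True when the address falls inside one of the hosting ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_session_anomalies(log_text: str, window_seconds: int = 60) -> list:
    """Replay the log in order and emit one finding per rule violation.

    The first sighting of a session id is taken as the client that actually
    authenticated; every later request is compared against it.
    """
    window = timedelta(seconds=window_seconds)
    sessions = {}      # sid -> {"ip", "ua", "last_ts"} of the legitimate client
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec["sid"]
        state = sessions.get(sid)
        if state is None:
            sessions[sid] = {"ip": rec["ip"], "ua": rec["ua"], "last_ts": rec["ts"]}
            continue
        if rec["ip"] != state["ip"]:
            # Priority 1 rule: same session, new IP. A hosting IP inside the
            # window is the session-clone signature; anything else is a lower
            # severity IP change (mobile carriers do re-address clients).
            recent = rec["ts"] - state["last_ts"] <= window
            rule = "session_clone" if (is_cloud(rec["ip"]) and recent) else "ip_change"
            findings.append({"sid": sid, "rule": rule, "ts": rec["ts"].isoformat(),
                             "from_ip": state["ip"], "to_ip": rec["ip"]})
        if rec["ua"] != state["ua"]:
            # Same token presented by two different User-Agent strings.
            findings.append({"sid": sid, "rule": "ua_mismatch", "ts": rec["ts"].isoformat(),
                             "from_ua": state["ua"], "to_ua": rec["ua"]})
        state["last_ts"] = rec["ts"]
    return findings


if __name__ == "__main__":
    for finding in detect_session_anomalies(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the replay raises session_clone and ua_mismatch for S1 and a ua_mismatch for S3, while S2 stays clean. The residential-to-VPN case from the IOC list lands in the ip_change bucket; how loudly to alert on it depends on how much legitimate carrier re-addressing the platform sees.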

Alert Priority 2 — Revoke all sessions immediately on suspected compromise — not just passwords: The most critical operational lesson from Ghost is that password resets do nothing. In AitM attacks, since the sign-in session is compromised, password reset is not an effective solution — the attacker can set up persistence methods to sign in despite conventional remediation. The only effective response is a global session revocation — force logout all active users on the affected platform simultaneously to invalidate every stolen token currently in use.

Alert Priority 3 — Block and alert on domain patterns matching Ghost infrastructure: The known Ghost domain patterns use consistent naming conventions — RBI verification themes, fintech portal themes, compliance and support prefixes. Implement pattern-based domain blocking at your DNS and proxy layer for the patterns listed in the IOC section. Monitor new domain registrations matching these patterns via your threat intelligence feed.

Alert Priority 4 — Enforce FIDO2 hardware keys for all privileged accounts: FIDO2 is the one authentication method Ghost cannot bypass. The hardware key performs a cryptographic handshake directly between the key and the legitimate browser — the proxy cannot intercept or replay this. For admin accounts, finance system access, and any role with access to customer data or payment infrastructure, hardware keys should be mandatory, not optional.

Alert Priority 5 — Implement device fingerprint binding for all authenticated sessions: Bind every authenticated session to a combination of User-Agent, IP, and Device ID. If any of the three change mid-session, kill the session immediately and require re-authentication. This directly defeats the session clone technique Ghost relies on — a stolen token replayed from a different device will trigger an immediate session termination.
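Priority 2 (global session revocation, not password reset) and Priority 5 (bind every session to User-Agent, IP and Device ID) are both properties of how session tokens are issued and checked. The following is an added example of a token service that implements both, not code from the article or from any product it names. It builds HS256-style JWTs by hand from the standard library; the signing key, user, IPs, User-Agents, device ids and timestamps are constructed values, and the password-reset method exists only to show that changing a credential leaves issued tokens untouched.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionTokenService:
    """Issues and validates HS256-style session JWTs.

    Every token carries a fingerprint of the client that authenticated
    (Priority 5) and the revocation epoch current at issue time; bumping the
    epoch invalidates every outstanding token at once (Priority 2) without
    the server having to track individual tokens.
    """

    def __init__(self, signing_key: bytes, ttl_seconds: int = 900) -> None:
        self.key = signing_key
        self.ttl = ttl_seconds
        self.epoch = 0               # server-side state; persist it in production
        self.password_versions = {}  # illustrative credential store: user -> version

    @staticmethod
    def fingerprint(ip: str, user_agent: str, device_id: str) -> str:
        return hashlib.sha256(f"{ip}|{user_agent}|{device_id}".encode()).hexdigest()

    def _sign(self, signing_input: bytes) -> str:
        return b64url(hmac.new(self.key, signing_input, hashlib.sha256).digest())

    def issue(self, user, ip, user_agent, device_id, now=None) -> str:
        now = int(time.time()) if now is None else now
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"sub": user, "iat": now, "exp": now + self.ttl, "epoch": self.epoch,
                  "fp": self.fingerprint(ip, user_agent, device_id),
                  "jti": secrets.token_hex(8)}
        payload = b64url(json.dumps(claims).encode())
        signing_input = f"{header}.{payload}".encode()
        return f"{header}.{payload}.{self._sign(signing_input)}"

    def validate(self, token, ip, user_agent, device_id, now=None) -> tuple:
        """Return (True, user) on success or (False, reason) on rejection."""
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        header, payload, sig = parts
        expected_sig = self._sign(f"{header}.{payload}".encode())
        if not hmac.compare_digest(sig.encode(), expected_sig.encode()):
            return False, "bad_signature"
        claims = json.loads(b64url_decode(payload))
        if claims["epoch"] < self.epoch:
            return False, "revoked"            # issued before the last global revocation
        if now >= claims["exp"]:
            return False, "expired"
        presented = self.fingerprint(ip, user_agent, device_id)
        if not hmac.compare_digest(claims["fp"], presented):
            return False, "binding_mismatch"   # replayed from a client other than the one that logged in
        return True, claims["sub"]

    def revoke_all_sessions(self) -> None:
        """Global revocation: every token issued so far now fails with 'revoked'."""
        self.epoch += 1

    def reset_password(self, user: str) -> None:
        """Changes only the credential record. Tokens already issued stay valid,
        which is the article's point about password resets after an AitM compromise."""
        self.password_versions[user] = self.password_versions.get(user, 0) + 1
```

The epoch is the part worth persisting: with stateless JWTs there is no table of tokens to clear, so the only way to honour "force logout all active users" is a server-side value that every validation compares against. On the binding side, exact IP matching will log out mobile users whose carrier re-addresses them mid-session; matching on the prefix or ASN, while keeping User-Agent and Device ID exact, is a common compromise, and any mismatch should still terminate the session rather than just log it.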

What Organisations Should Do Now

Within 24 hours: Add the Ghost domain patterns to your DNS blocklist and proxy filters. Enable alerts for simultaneous session use from different IPs or device fingerprints. Brief your security team on the QR code baiting technique — employees should be warned that QR codes in "auth app update" messages are a known attack vector right now.

Within one week: Audit all privileged accounts for session binding policies. If admin sessions are not bound to device fingerprint and IP, implement this immediately. Review your incident response playbook — add a "global session revocation" step as the first action for any suspected AitM compromise, before password reset.

Within one month: Begin migration to FIDO2 hardware keys for all accounts with access to payment infrastructure, customer data, or administrative systems. Implement latency monitoring on your authentication endpoints — the 200–500ms Ghost proxy overhead is a detectable signature if you have a baseline to compare against.

The Ghost campaign sits within the same attack pattern we've been tracking across every major incident this month. The Stryker attack almost certainly began with credential theft from a privileged account:

The Stryker Cyberattack: How Iran-Linked Hackers Turned a Medical Giant's Own Tools Against It

And the same identity-first attack logic connects to the broader wave of AitM and session hijacking we covered in this month's Chrome zero-day analysis:

Chrome Zero-Day Alert: CVE-2026-3909 & CVE-2026-3910 Actively Exploited

The ZyberWalls Perspective

The security industry spent a decade telling people to enable two-factor authentication. That advice saved countless accounts from basic credential theft. It was the right advice for its time.

Ghost represents what happens after defenders win a battle. Attackers stopped trying to steal passwords. They started stealing the proof that you already authenticated. The session token. The JWT. The thing that says "this person is logged in" — not the password that got them there.

This is not a technical edge case. Phishing kit developers standardised AitM techniques in 2025, professionalized their tooling, and focused on stealth — with kits increasingly capturing session tokens in addition to passwords and supporting faster post-compromise automation. Ghost is the Indian fintech specialisation of a global industrialised attack capability.

What makes Ghost specifically alarming for India is the targeting logic. UPI processed over 18 billion transactions in a single month in 2025. The neobanks Ghost targets collectively hold hundreds of millions of customer accounts. The RBI compliance lure is not random — it exploits a specific anxiety that Indian fintech employees have about regulatory communication. The attack was designed by someone who understands how Indian financial infrastructure works and how Indian finance professionals think.

The connection to Stryker is the thread that should concern every security team in India's financial sector. Ghost looks like a credential harvesting campaign. Stryker started the same way — someone, somewhere, obtained admin credentials through a method that left no obvious trace. Then 200,000 devices were wiped simultaneously.

Indian fintech infrastructure handling trillions of rupees in daily transactions is a far more strategically valuable target than a medical device company. The Ghost campaign may be building toward something significantly larger than account takeovers.

The defences exist. FIDO2 hardware keys. Session binding. Global revocation capabilities. Latency monitoring. None of them are exotic. All of them require a decision to prioritise identity security as seriously as endpoint security.

The question is whether that decision gets made before or after the incident.

Stay Alert. Stay Human. Stay Safe.
— ZyberWalls Research Team