Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
OpenAI Introduces GPT-4o and ChatGPT-4o, Its New Flagship AI Models
July 10, 2026
ACSC Warns of Large-Scale CMS Exploitation Campaign Deploys Webshells on Vulnerable Websites
July 9, 2026
GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses
July 9, 2026
Home/Threats/New AI vishing tool ATHR enables large-scale credential theft
Threats

New AI vishing tool ATHR enables large-scale credential theft

Key Takeaways A sophisticated AI-powered vishing platform named ATHR has emerged, enabling large-scale credential theft. ATHR automates the entire attack chain, from email delivery to AI-driven voice...

Marcus Rodriguez
Marcus Rodriguez
April 17, 2026 4 Min Read
38 0

Key Takeaways

  • A sophisticated AI-powered vishing platform named ATHR has emerged, enabling large-scale credential theft.
  • ATHR automates the entire attack chain, from email delivery to AI-driven voice interaction and real-time credential harvesting, making it highly scalable and accessible to less-skilled attackers.
  • The platform leverages the Telephone-Oriented Attack Delivery (TOAD) method, sending seemingly innocuous emails containing only a phone number, bypassing many traditional email security filters.
  • Organizations and individuals are at risk of account compromise across major platforms like Google, Microsoft, Yahoo, AOL, and cryptocurrency exchanges such as Coinbase and Binance.

A new, highly automated cybercrime platform, dubbed ATHR, is enabling threat actors to conduct large-scale credential theft through AI-powered vishing. This sophisticated tool streamlines the entire attack process, from initial contact to harvesting sensitive user data, posing a significant challenge to conventional cybersecurity defenses.

Table Of Content

  • Key Takeaways
  • Abnormal Security Uncovers ATHR Operations
  • ATHR’s AI Vishing Agent: The Core of the Attack
  • What You Should Do

Unlike traditional phishing campaigns that rely on malicious links or attachments, ATHR employs a method known as Telephone-Oriented Attack Delivery (TOAD). This tactic involves sending simple emails containing only a phone number, which targets are prompted to call. The dangerous interaction unfolds over the phone, where an AI-driven agent manipulates the victim into divulging sensitive information or installing remote access software.

Because the initial email contains no overtly malicious elements, it often sails past standard security filters, making ATHR particularly insidious. The platform is now available on underground cybercrime forums for a price of $4,000, plus a 10% share of any profits generated from its use.

Abnormal Security Uncovers ATHR Operations

Analysts and researchers at Abnormal Security first identified the ATHR platform while monitoring illicit cybercrime activities. Their detailed findings, published on April 16, 2026, shed light on the sophisticated nature of this new threat. Researchers Aaron Orchard, Callie Baron, and Piotr Wojtyla highlighted that ATHR is not merely another phishing kit but a comprehensive, integrated attack system.

The platform features four core components: a built-in email mailer, an AI-powered voice agent, a real-time credential harvesting panel, and a unified operator workspace. These components operate in concert, managed through a single browser-based interface, simplifying the execution of complex vishing campaigns.

ATHR supports credential harvesting for eight prominent brands, including Google, Microsoft, Yahoo, AOL, and major cryptocurrency exchanges like Coinbase, Binance, Gemini, and Crypto.com. During a call with the AI agent, operators can simultaneously direct victims to a deceptive login page, capturing their email addresses and passwords in real time. Abnormal’s observations revealed a live dashboard displaying 243 total interactions, 12 active sessions, and 87% campaign utilization, underscoring the platform’s active deployment and effectiveness.

What differentiates ATHR from previous TOAD operations is its unparalleled level of automation. Historically, executing a TOAD attack required manual coordination of disparate tools for email delivery, phone interactions, and data capture. ATHR eliminates this complexity, consolidating all functionalities into one platform, allowing even a single individual with limited technical expertise to orchestrate full-scale vishing campaigns.

ATHR’s AI Vishing Agent: The Core of the Attack

The most distinctive and dangerous feature of ATHR is its integrated AI vishing agent, which conducts voice-based social engineering without human intervention. When a target dials the number provided in a phishing email, the AI agent answers and follows a meticulously crafted, multi-step script. This script guides the victim through a deceptive process, starting with verifying the callback, describing fabricated suspicious account activity, requesting phone number confirmation, initiating a fake recovery process, and ultimately soliciting a six-digit verification code. The script encompasses 10 distinct sections, as detailed in Abnormal’s analysis.

The AI agent employs a custom text-to-speech engine, ATHR TTS, powered by a model named Sonic 3. This engine produces a clear, natural-sounding voice designed to mimic a legitimate support representative from a trusted company. This highly convincing voice, combined with email lures that include specific timestamps, locations, and IP addresses for alleged suspicious activity, leaves victims with little reason to doubt the authenticity of the alert.

The email lures themselves are generated using an NFA mailer capable of spoofing sender names to appear as legitimate brands. For instance, a pre-configured template for Google sends a “Security Alert: Account Temporarily Locked” email, offering 10 customizable fields to enhance its authenticity.

What You Should Do

  • Educate Users: Train employees and users to never call phone numbers provided in unexpected security alert emails. Emphasize the importance of verifying any such alerts by directly visiting the official website of the service or company in question, using known contact information.
  • Monitor Email Activity: Security teams should implement and monitor for unusual patterns in incoming email traffic, specifically looking for multiple recipients within the organization receiving messages with the same embedded phone number in a condensed timeframe.
  • Enhance Detection Capabilities: Since ATHR lures can successfully pass SPF, DKIM, and DMARC checks, relying solely on these technical authentication signals is insufficient. Deploy behavioral AI-based detection systems that can analyze and map normal communication patterns for individual users and senders to identify and flag anomalous activities before a call is placed.
  • Implement Multi-Factor Authentication (MFA): Ensure strong MFA is enforced across all accounts and services, as it adds an essential layer of security that can prevent unauthorized access even if credentials are compromised.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerphishingSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

CISA Warns of Critical Apache ActiveMQ RCE Bug Exploited in Attacks

Next Post

Anthropic Claude Opus 4.7 Enhances Cybersecurity with Real-Time Safeguards

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AI-Powered Attack Breaches AWS Cloud Environment in 72 Hours
July 9, 2026
Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS
July 9, 2026
Critical Microsoft Entra ID Flaw Lets Attackers Hijack Accounts
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us