Canadian Phishing-as-a-Service Background
In the first half of 2024, the Phishing-as-a-Service (PhaaS) ecosystem was shaken by the shutdown of LabHost after international law enforcement arrested several key operators. Following the takedown in April, many leading PhaaS providers adapted by narrowing their marketing efforts and limiting access to smaller, more carefully vetted customer bases.
Fortra’s data shows LabHost’s closure had an immediate effect on phishing targeting Canadian financial institutions. LabHost was a major supplier of phishing kits impersonating multiple Canadian banks via Interac-branded pages and lures. Within three months of the shutdown, phishing attacks against Canadian banks dropped by 50%.
While the decline in Interac phishing volume was significant, it wasn’t as steep as initially expected. In the months leading up to the shutdown, LabHost was responsible for roughly 75% of Interac-branded phishing attacks. However, the overall attack volume didn’t drop as sharply because many of LabHost’s customers quickly sought alternative sources for Interac phishing kits. Within this shifting landscape, Fortra identified one threat actor, SheByte, standing out for openly positioning itself as LabHost’s successor. Although SheByte hasn’t yet become the largest phishing group targeting Canadian banks, its aggressive marketing marks it as a notable contender.
SheByte Logo/Mascot seen in all materials.
SheByte Threat History & Impact
The threat actor behind SheByte officially launched their services on Telegram in May 2024, teasing features ahead of a full platform release in mid-June. While SheByte-related Interac phishing attacks were detected in very small numbers before LabHost’s shutdown, activity surged quickly once the opportunity arose.
SheByte initially mirrored many of LabHost’s features, positioning itself as the natural successor for customers seeking a replacement service.
Notably, SheByte claims to be operated by a single developer, addressing concerns raised after LabHost’s complications stemming from developer exposure. The platform also asserts it keeps no logs and employs end-to-end encryption to secure stolen data.
Phishing pages linked to SheByte rapidly grew to represent a significant share of the Canadian phishing threat landscape: accounting for 8% of Interac-branded phishing attacks during its limited launch in May 2024, and rising to 10% by the platform’s full release in June.
Interac phishing attacks generated by SheByte platform, 2024-2025.
After peaking in July 2024, the volume of detected phishing attacks matching SheByte declined for four straight months. During this period, SheByte faced attacks on their reputation from longtime PhaaS platform Frappo. Volume trends turned around and began to climb in December when the platform began to release their new customizable “v2” phishing pages, even though Canadian-targeted Interac pages would not be added to the page builder until early 2025.
PhaaS Analysis
SheByte offers a single package of premium features for $199 a month, with discounts offered for longer subscription periods. This subscription package grants the user permission to make an unlimited number of phishing attacks using every available static or customizable phishing kit. As of March 2025, customizable phishing pages are available targeting 17 Canadian banks, four U.S.-based banks, email providers, telecom companies, toll road collections, and crypto services.
Monthly subscriptions offered by SheByte phishing service.
Additionally, these premium phishing pages include access to the platform’s LiveRAT admin dashboard and are fortified with an advanced anti-detection suite. The platform’s evasion settings let threat actors block traffic from specific regions, known VPNs, proxies, and potential virtual machines. If IP blocking isn’t enough, various CAPTCHA options can be added at the start of the phishing process.
LiveRAT replicates many of the powerful features that made LabHost’s LabRAT a popular scamming tool. It enables threat actors to monitor phishing page visits in real time, intercept MFA codes, request additional victim information, or present custom security questions to increase success rates.
Demonstration of live panel monitoring victim inputs.
The threat actors that migrated to SheByte from LabHost primarily utilize the multi-branded Interac kits targeting 17 Canadian banks simultaneously. In February 2025, SheByte released a new V2 version of its Interac kit for the page builder tool, triggering a noticeable spike in phishing attacks targeting Canadian banks. The updated package includes several ready-made Interac phishing templates, each featuring a distinct lure, while also allowing customers to customize pages further as needed.
Interac phishing kit templates.
Indicators of SheByte Interac Content
Trait | Description |
start.php in /go/ directory | Interac landing page in now retired V1 Interac phishing kit. |
{8 randomized alphanumeric characters}.php | Landing page for V2 kits.
Default randomization is not unique for each phish. Likely randomized per template or campaign. Assumed that threat actors can change the name manually in page builder tool. |
Further randomized patterns. | V2 Files utilize random names in a similar fashion to page files. Directories use the same 8 character pattern while from receiver and live RAT files use 7 or 9 character names. |
Screenshot of Interac landing page.