Payroll Pirate Hijacks Sessions to Steal Paychecks
Payroll systems rarely attract attention until a single edited bank detail quietly turns a routine paycheck into a direct transfer to criminals. Researchers at BushidoToken Threat Intel have detailed a new financially motivated campaign called Payroll Pirate, in which attackers defeat multi-factor authentication not by breaking the second factor but by hijacking already-authenticated sessions, and then reroute payroll payments from inside the victim's account.
Who’s Being Targeted
The campaign targets payroll portals and HR systems at mid-sized and large companies. The attack begins with careful reconnaissance, during which criminals identify accounting and HR staff using open sources, corporate career pages, and LinkedIn. Victims then receive phishing emails designed to mimic legitimate notifications from real payroll services. In some cases, attackers add voice messages or text messages to make the request feel more convincing and urgent.
The AiTM Technique at the Heart of the Attack
The campaign’s defining feature is its use of an Adversary-in-the-Middle, or AiTM, technique. Attackers stand up a phishing relay (a reverse proxy on a lookalike domain) between the employee and the legitimate service, so the username, password, one-time code or push approval all pass through attacker-controlled infrastructure in real time and are forwarded to the real site. The employee genuinely completes MFA; what the relay captures is the session cookie the service issues afterwards, which the attacker loads into a browser of their own to obtain a fully valid session with no further prompts. This differs meaningfully from replaying a stolen code, since no second factor is ever replayed, and it is why code- and push-based MFA do not stop it, while origin-bound authenticators such as FIDO2/WebAuthn security keys do: the browser signs the phishing domain’s origin, and the real service rejects the assertion. You can find a detailed technical breakdown in BushidoToken’s research on the campaign.
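To make the mechanism concrete, here is an added simulation (not BushidoToken's code or any payroll vendor's) of a relay sitting between a victim and a toy payroll service. The origins, the TOTP seed, the HMAC key that stands in for a security key's private key, the frozen clock and the password are all constructed for the demo. It shows the same relay succeeding against password-plus-TOTP and failing against an origin-bound assertion.

```python
"""Added example: AiTM relay versus TOTP and versus an origin-bound authenticator.
All names, keys and credentials below are constructed for the demonstration."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://payroll.example.com"    # assumed legitimate service
PHISH_ORIGIN = "https://payroll-example.com"   # assumed lookalike hosting the relay
TOTP_SECRET = b"constructed-totp-seed"
AUTHN_KEY = b"constructed-authenticator-key"   # HMAC stands in for a FIDO private key
NOW = 1_700_000_000                            # frozen clock keeps the TOTP deterministic


def totp(secret: bytes, now: int = NOW, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class PayrollService:
    """Relying party: hands out a session id once authentication succeeds."""

    def __init__(self):
        self.sessions = {}
        self.challenges = set()

    def _new_session(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def issue_challenge(self):
        ch = secrets.token_hex(16)
        self.challenges.add(ch)
        return ch

    def login_totp(self, user, password, code):
        # Password + one-time code: the server cannot tell who typed the code in,
        # so a code forwarded live by a relay is as good as one typed by the user.
        if password == "hunter2" and hmac.compare_digest(code, totp(TOTP_SECRET)):
            return self._new_session(user)
        return None

    def login_origin_bound(self, user, challenge, client_data, signature):
        # WebAuthn-style check: the browser signs the origin it actually showed,
        # and the server refuses anything not signed for its own origin.
        data = json.loads(client_data)
        if challenge not in self.challenges or data["challenge"] != challenge:
            return None
        self.challenges.discard(challenge)
        if data["origin"] != REAL_ORIGIN:
            return None
        expect = hmac.new(AUTHN_KEY, client_data.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, signature):
            return None
        return self._new_session(user)


def browser_sign(origin_shown: str, challenge: str):
    """Victim's browser + authenticator: binds the assertion to the URL-bar origin."""
    client_data = json.dumps({"origin": origin_shown, "challenge": challenge}, sort_keys=True)
    sig = hmac.new(AUTHN_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return client_data, sig


class AitmRelay:
    """Attacker's reverse proxy on PHISH_ORIGIN; forwards every message live."""

    def __init__(self, upstream: PayrollService):
        self.upstream = upstream
        self.captured_sid = None  # the session cookie the real service hands back

    def relay_totp(self, user, password, code):
        # Victim submits password and current code to the lookalike page; the
        # relay replays them upstream within the 30-second window and keeps the cookie.
        self.captured_sid = self.upstream.login_totp(user, password, code)
        return self.captured_sid

    def relay_origin_bound(self, user):
        challenge = self.upstream.issue_challenge()            # real challenge, forwarded verbatim
        client_data, sig = browser_sign(PHISH_ORIGIN, challenge)  # but signed for the phishing origin
        self.captured_sid = self.upstream.login_origin_bound(user, challenge, client_data, sig)
        return self.captured_sid


def attacker_gets_session_with_totp() -> bool:
    svc, relay = PayrollService(), None
    relay = AitmRelay(svc)
    sid = relay.relay_totp("jdoe", "hunter2", totp(TOTP_SECRET))
    return sid is not None and svc.sessions.get(sid) == "jdoe"   # True: session hijacked


def attacker_gets_session_with_security_key() -> bool:
    svc = PayrollService()
    sid = AitmRelay(svc).relay_origin_bound("jdoe")
    return sid is not None                                       # False: origin mismatch


def legitimate_security_key_login_works() -> bool:
    svc = PayrollService()
    ch = svc.issue_challenge()
    client_data, sig = browser_sign(REAL_ORIGIN, ch)
    return svc.login_origin_bound("jdoe", ch, client_data, sig) is not None  # True
```

The relay never needs to crack anything: with TOTP it simply forwards what the victim types and keeps the cookie that comes back. With the origin-bound flow the relay can forward the real challenge, but the signed client data names the phishing origin, so the server rejects it even though the key, the user and the challenge are all genuine.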
Redirecting Payroll Once Access Is Gained
Once inside, Payroll Pirate operators move quickly. They alter payment details, add fraudulent recipients, modify bank account information tied to payroll transfers, or trigger unscheduled payments outright. According to the researchers, attackers favor the window just before payroll runs and tend to target smaller payment amounts, deliberately staying under simple threshold-based monitoring rules.
Covering Their Tracks
After completing a transfer, the attackers work to erase any trace of their presence. They rename fraudulent recipients, delete notifications, archive logs using whatever built-in application features are available, and restore certain visible settings back to their original state. The stolen funds then move through chains of money mules and cryptocurrency platforms, making recovery and attribution considerably harder.
How Organizations Can Defend Against It
The report’s authors recommend going well beyond standard MFA to reduce risk. Administrators of payroll systems should adopt phishing-resistant multi-factor authentication such as FIDO2/WebAuthn hardware security keys, whose assertions are bound to the legitimate site’s origin and therefore cannot be proxied through a relay; require additional, out-of-band verification before any change to payment details; and implement dual approval for high-risk transactions. Organizations should also maintain immutable audit logs that the application’s own archive or delete features cannot alter, and actively monitor for the signs of AiTM activity: a session token used from a different IP address, network, or browser than the one that authenticated it, sign-ins from hosting-provider ranges, and bank-detail changes made shortly after such a login, regardless of the amount involved.
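The monitoring point above, and the small-amounts point from the earlier section, can be turned into a concrete rule. The following is an added detector (not from the BushidoToken report) run over constructed sign-in and activity log lines; the field names, users, addresses and ASNs are made up for the demo. It binds each session id to the network and browser that authenticated it, flags later use of the same session from a different client, and treats any payment-detail change inside such a session as high risk whatever the amount, which is exactly what a pure threshold rule misses.

```python
"""Added example: detecting AiTM session reuse and under-threshold payroll changes.
Log format and sample lines are constructed for the demonstration."""
import shlex
from datetime import datetime, timezone

SAMPLE_LOG = """\
2025-03-03T08:55:10Z event=login user=jdoe sid=s1 ip=203.0.113.10 asn=AS64500 ua="Chrome/122 Windows"
2025-03-03T08:57:41Z event=view_payslip user=jdoe sid=s1 ip=203.0.113.10 asn=AS64500 ua="Chrome/122 Windows"
2025-03-03T09:02:03Z event=view_payslip user=jdoe sid=s1 ip=198.51.100.7 asn=AS64501 ua="Firefox/118 Linux"
2025-03-03T09:04:55Z event=change_bank_account user=jdoe sid=s1 ip=198.51.100.7 asn=AS64501 ua="Firefox/118 Linux" amount=480.00
2025-03-03T09:10:00Z event=login user=asmith sid=s2 ip=203.0.113.22 asn=AS64500 ua="Chrome/122 Windows"
2025-03-03T09:12:30Z event=change_bank_account user=asmith sid=s2 ip=203.0.113.22 asn=AS64500 ua="Chrome/122 Windows" amount=5200.00
"""

HIGH_RISK_EVENTS = {"change_bank_account", "add_payee", "run_offcycle_payment"}
AMOUNT_THRESHOLD = 1000.00   # the naive rule the attackers deliberately stay under


def parse(line: str) -> dict:
    """Split '<ts> k=v k="quoted v" ...' into a record; shlex keeps quoted values whole."""
    ts, *pairs = shlex.split(line)
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for item in pairs:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def detect(log_text: str) -> list:
    """Return alerts in log order.

    A session id is bound to the (asn, ua) pair seen at login. Later activity on
    the same sid from a different pair is the AiTM replay signature: the cookie
    was issued to the victim's browser but is now driven from the attacker's.
    High-risk changes in such a session are flagged regardless of amount; for
    other sessions only the amount threshold applies, to show what it misses.
    """
    login_client = {}   # sid -> (asn, ua) at authentication time
    hijacked = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        sid = r["sid"]
        if r["event"] == "login":
            login_client[sid] = (r["asn"], r["ua"])
            continue
        if sid in login_client and (r["asn"], r["ua"]) != login_client[sid] and sid not in hijacked:
            hijacked.add(sid)
            alerts.append({"ts": r["ts"], "user": r["user"], "sid": sid, "event": r["event"],
                           "reason": "session_reused_from_new_client"})
        if r["event"] in HIGH_RISK_EVENTS:
            amount = float(r.get("amount", "0"))
            if sid in hijacked:
                alerts.append({"ts": r["ts"], "user": r["user"], "sid": sid, "event": r["event"],
                               "amount": amount, "reason": "high_risk_change_in_hijacked_session"})
            elif amount >= AMOUNT_THRESHOLD:
                alerts.append({"ts": r["ts"], "user": r["user"], "sid": sid, "event": r["event"],
                               "amount": amount, "reason": "amount_over_threshold"})
    return alerts


def threshold_only(log_text: str) -> list:
    """What a monitoring rule based purely on transfer size would have caught."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        if r["event"] in HIGH_RISK_EVENTS and float(r.get("amount", "0")) >= AMOUNT_THRESHOLD:
            flagged.append(r["user"])
    return flagged


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["user"], a["sid"], a["event"], a["reason"])
    print("threshold rule alone flags:", threshold_only(SAMPLE_LOG))
```

On the sample, the threshold rule alone flags only asmith's $5,200 change and lets jdoe's $480 change through, while the session-binding rule catches jdoe's change because the bank-detail edit arrives on a cookie that was authenticated from one ASN and browser and is now being driven from another. In production the (asn, ua) pair would normally be enriched with geolocation and hosting-provider tags, and a match on any of them should feed the dual-approval step rather than just an alert.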