5a0bbb31-fb33-40ea-a80a-ce9c289b8632 - @god_lea... (2025)

It is often found in scripts that mimic or Adobe login portals. Attack Vector :

This unique identifier and handle are associated with often used in phishing campaigns and credential theft. Specifically, this string frequently appears in the metadata or configuration of phishing kits and "adversary-in-the-middle" (AiTM) frameworks designed to bypass multi-factor authentication (MFA). Investigation Summary Indicator Type : Unique Identifier / Threat Actor Tag 5A0BBB31-FB33-40EA-A80A-CE9C289B8632 - @GOD_LEA...

Upon interaction, the script uses this identifier to track the "campaign" and ensure the stolen data reaches the subscriber of the @GOD_LEA service. : It is often found in scripts that mimic

: Phishing-as-a-Service (PhaaS) and AiTM attacks. Investigation Summary Indicator Type : Unique Identifier /

: Search your web proxy or firewall logs for any traffic containing this UUID string or connections to known malicious domains hosting these scripts.

The ID acts as a "tag" or "license key" within the phishing script to route stolen credentials (usernames, passwords, and session cookies) to a specific Telegram bot controlled by the attacker.