3. Detection of developer tools

The Saiga 2FA framework detects when browser developer tools are opened and immediately redirects the user to a benign page such as Google search. This prevents security teams from inspecting and analyzing the pages.

4. Dynamic page delivery using Next.js

Rather than using simple, fixed web pages, Saiga delivers its phishing pages as a full web application built with Next.js. The phishing content is generated on the fly using JavaScript, which makes it much harder for basic security scanners to spot anything malicious by simply inspecting the page source.

5. Selective content delivery and traffic filtering

Saiga uses built-in configuration settings, such as IP-based filtering, to decide who is shown the real phishing content. Based on factors like location or browsing environment, the framework can hide its malicious pages from security researchers and automated analysis tools, while still showing them to intended victims.

6. URL structure analysis

Initial URL: